This podcast is dedicated to educating and helping fellow BNI members grow their numbers so that they can be truly successful in their chapter. On the Business Boost Hour podcast, Eric and Crystal discuss various BNI-related business topics. Their vision is to help BNI members become overall better business owners. On top of all this, they wanted to create a platform that served as a simple place to fulfill your CEU! Oftentimes they host segments on the show, talking about Misner Moments, BNI Tech Tips, Mental Shifts, and more, all centered around BNI and being successful in BNI. Join us today!
In today's day and age, are you maintaining your business's continuity? What does that really mean? In this episode, we have Gus Cervantes, a cybersecurity expert, bringing to light what you should be doing in your business. Hello, everyone. Welcome to the Business Boost Hour podcast.
Eric Beels:My name is Eric Beels. I'm the vice president of BNI Escondido.
Crystal Privett:And my name is Crystal Privett, president of BNI Escondido, and this is the single CEU podcast.
Eric Beels:And on this episode, so we have Gus Cervantes. Say hi, Gus.
Gus Cervantes:Good morning.
Eric Beels:And so on, Gus, I have Gus is actually so I kinda wanted to say say something about you, Gus. You have changed actually the way I kind of see a lot of, like, the digital space for, like, just in in my own business and and what I do on a regular basis. You've impacted me a lot, on that. You have some, phenomenal stories that I've I've I've heard and whatnot. But, so tell us a little bit about tell the audience like a little bit about like who you are, what you do, and and what, how you kind of got into what you do.
Gus Cervantes:Okay. So I've got into cybersecurity about, 23 years ago. I worked, most of my life for, defense contractors. I've worked for Hughes Aircraft, Raytheon, Scientific Atlanta, General Dynamics, Raytheon, and, Lockheed Missiles and Space Astronautics Division. I was an engineer and then a propulsion scientist for Lockheed Missiles and Space Astronautics Division.
Gus Cervantes:And, working in remote areas, very remote areas on very, proprietary programs, basically secret, top secret programs. I, learned, computer technology, and I started learning cybersecurity because one of the challenges that we had in these remote areas was, getting systems built that were isolated. And it was very difficult to get people from what we called, MIS back in those days, from Mahogany Row or from corporate. And, so I took the challenge on myself to start learning IT systems so that we could move on with these projects because most of them were DARPA related, Defense Advanced Research Projects Agency, which was driven by either the CIA or the National Reconnaissance Office. And so, I taught myself IT so we can get the projects moving because they all had a very short fuse.
Gus Cervantes:A lot of them were, experimental and proof of concept. Mhmm. And so they really wanted them done in a hurry, and so we just didn't have the luxury of waiting for Mahogany Row, MIS, for those people to get their clearances for our programs.
Eric Beels:Mhmm. So
Gus Cervantes:that's how I first got into it.
Eric Beels:Okay. So I heard a lot of kind of big words there. I'm sure you probably heard heard the same thing. So in so someone, who's not as, I don't know, technical and stuff too. I kind of understood a lot of it.
Eric Beels:It kinda goes over my head as well too. How do how do how can we simplify that? Like, what what does all that kinda mean really?
Gus Cervantes:So what all that means in a nutshell is that, I have vast experience working on IBM mainframes, and PCs because I've been doing this before the PC was invented. And, I've had resources available to me that let me use the best possible infrastructure and most secure systems, and I've learned to bring that down to the micro business.
Eric Beels:Nice. So the what what I like about you, Gus, is you you really kind of bring the reality of a lot of this security.
Crystal Privett:Yep. Scaring us straight. Yeah.
Eric Beels:And and so, you know, for me, I have I I used to kind of, you know, be feel like I was kind of okay with, like, password managers and and things like that.
Crystal Privett:A little more lackadaisical.
Eric Beels:Yeah. And and but, like, there's there's there's so much that kind of, like, goes go goes into it, and I'm really grateful that I have been able to meet someone like yourself to kind of, like, really emphasize all these the the importance of of these things. And I know and what we what I think really we wanted to kinda really zero in on, like, what's the what on the the purpose of, like, security and cybersecurity and all that and which I I, you mentioned was, like, basically business continuity. Right?
Gus Cervantes:Correct.
Eric Beels:So what does that what does that mean a little bit?
Gus Cervantes:Well, what that means to, any business is, business continuity from a cybersecurity perspective means that, your name's not gonna be splattered all over the media and the newspaper because you were hacked. It means that, you're gonna be able to deliver the service that you promised on time to your to your customers, and the with the commitment you made because your system wasn't hacked. Mhmm. It also means that you're not gonna be held ransom, and you're not gonna be paying out money that could potentially put you out of business, because of a ransomware attack. So that's what I mean by business continuity from the cyber perspective.
Eric Beels:So it's kinda basically maintaining, like, what what what your your your your your day to day stuff because, like, you know, it's it's funny because a lot of people, I think that, you know, it's like, oh, I'm I'm a I'm a small business or I'm a small person. No one wants to hack hack me. And, you know, I have a interesting story on this. Like, I had a I had a friend who, and and, you know, she she was a it was a, a hairstylist and, you know, just a just a, you know, has her own
Crystal Privett:small business. Yeah.
Eric Beels:Just average average small business. And, she was she started getting death threats, on her as text messages and even showing, like, pictures of, like, her kids and stuff with her kids and all that. And I'm just, like, I'm just like, man. And and and she literally had money deposited into her account. Like, she saw it on, like, on a on a on a bank thing.
Eric Beels:And so they were, like, basically kind of trying to, like I I don't really know what was kind of going on exactly with that, but they were basically kind of trying to, like like, you know, use her, I guess.
Crystal Privett:Accounts. Yeah.
Eric Beels:Yeah. You probably know what they were kinda trying to do based off off of that, but it's like that was kind of like a wild, very kind of a scary situation. It's very you know, usually your people are expecting, oh, I'm gonna get like a Nigerian email or something like that, which kind of most people have heard of that stuff.
Crystal Privett:I think we've moved past that this point. No.
Eric Beels:I know. But that's kind of like, I think, you know, they'll be, oh, I just gotta look for that kind of stuff. But then you and and, like but then, the you know, when someone, you know, deposits money into your account, that's kind of like, wait a minute. You're supposed to be taking money from me, not giving you know, what are you trying to you know, what's happening here. Right?
Eric Beels:So, you know, I I guess one of the kind of questions I have, what, you know, what are some steps, I guess, that people can take to
Crystal Privett:Like entry level.
Eric Beels:Yeah. And like, I guess, entry level level things that I guess I guess probably applies to any any size business really, but I guess I suppose if it's bigger, maybe you have you have might have more more at stake, but what are some some starting points that I don't know maybe account for a lot of this stuff or help protect you against a lot of this stuff? What what would what would that?
Gus Cervantes:Yeah. So there's some fundamentals that every computer, whether you're a one person show or you're a million person company, the fundamentals are all the same. And it really starts with the computer hardware. So on your computer hardware, you should have encryption on your hard drives. Right?
Gus Cervantes:And so, if you have a Microsoft product, that option is built in, and it's called BitLocker. So that should be enabled so that if someone's not using your credentials, they can't read your data. So that's number 1. Number 2, you should have a password on your BIOS so that if someone does a, a hardware attack, they can't get into your BIOS and embed something that's then going to monitor your system. And if you format your hard drive, meaning if you use your your hard drive, put in a new hard drive or whatever to try and get rid of a virus.
Gus Cervantes:If they're in your motherboard BIOS, they're gonna get right back on your hard drive. So you wanna put a password on that as well. You also want to, use what we call least privilege access, and that's a big fancy word for saying that by default, when you set up your PC that you just bought at Costco because you're a really small company, you're going in and you're creating the default account, and that account has administrative privileges. So that's a big no-no. You need to create a separate account that you and your users, your employees use from day to day that doesn't have administrative privileges.
Gus Cervantes:And then you elevate those privileges on demand when you need to install software or do something that requires those credentials. And then, of course, use a complex password for those. Don't write it down on a piece of paper. Use a password manager, to manage your passwords so that you can use very complex passwords that and passphrases that you're not going to remember, and they're gonna be very difficult to hack. So a password, phrase that has 8 characters or greater is gonna take about 200 years for someone to hack.
Gus Cervantes:If you got 12 characters or greater, it could take thousands of years to hack. So, and so what I like to do, because I'm multilingual, is I like to make passphrases. So, typically, my shortest password is 16 characters, and it'll be a passphrase that's in 3 different languages. And I will take the characters and change them. So where the a will turn to an at symbol, the I will turn to a one, and that type of thing.
Gus Cervantes:So it's not you're not gonna be able to do a dictionary attack in any language against it.
Eric Beels:And what's the difference between, like, a because I've I've heard the words password and passphrase before. Are there is there a difference between those at all? Or is there or
Gus Cervantes:Yes. And so so a passphrase is a sentence
Eric Beels:K.
Gus Cervantes:Or almost a sentence, something that's easy for you to remember. And so that way, when you change the characters, you'll Mhmm. Even if you don't remember the characters, it's it's gonna be very limited options, and you'll be able figure out your passphrase very quickly.
Eric Beels:Mhmm. Yeah. I I've started using passphrases myself actually because I found that they're kind of just I don't know. They're they're longer like you said, and they're they're they're just, they're also easy to, remember or
Crystal Privett:Associate with a certain account.
Eric Beels:Yeah. Yeah.
Gus Cervantes:You should also not use the same password for everything. Everything should have an independent password, and that's where password manager comes in. Because people like to use their birthday, their kid's birthday, their kid's nickname, that type of thing. Those are all no no's because that information could be, swiped. And when I say swipe, I guess, literally means steal.
Gus Cervantes:But in the technology term, it means it could be grabbed from a program in your emails, and sorted Mhmm. And then used in a in a in a dictionary attack on your Mhmm. On your password. Mhmm.
Crystal Privett:And when you say password manager, does that mean the one that's on the phone stores the passwords, or are you talking about something separate?
Gus Cervantes:So, yes, they can be on your phone. Google, everybody has their own passwords, and and those are certainly better than not using, any password manager. Those are pretty good. However, you typically wanna have one that can transcend multiple operating systems. You know?
Gus Cervantes:So something like, Keeper Security or Dashlane or LastPass or or 1Password, programs like that. They'll work on Mac. They'll work on Linux. They'll work on, iOS, and they'll work on, you know, your any mobile phone, any any laptop, any any tablet. And so you can use the same password manager to manage all those devices.
Eric Beels:Yeah. I just I just I should've cross cross my mind that we're not talking about a a password manager as in, like, I'm a general manager of a of a location. Right? We're not talking about that kind of manager. We're talking about a software program that saves your passwords onto Right.
Eric Beels:On on your phone. And then what Gus was talking about is, like, having one that's universal. Because that's been my problem actually with password managers in the past is like you know you have you know you see sometimes I'm sure a lot of audience will relate to this, they'll see you type in a password on you know a website, you fill up the sign up for a site, and then it said and then like Safari will ask you to save the save the password or Chrome or whatever browser you're using. The issue that I've ran into with those ones is like as soon as you need to like go to a different browser because there's some compatibility or something like that, suddenly you don't have your password anymore because they're not, they don't share passwords with each other. Right.
Eric Beels:Like Safari and Chrome, they don't get they don't get along with each other. And so and and that's what I I think I feel like is kind of like a big hurdle for kind of like going into this because it I have found over the last several years that it's become a pretty, like, core part of, like, my digital life where it's like my world revolves around, like, utilizing, my password manager. And, to the point where it's, like, I don't like, if you make a new account, you're you're you're tight you're going straight to your password manager and generating a new like random thing. And I found that like you know Safari and Chrome, you know I think they have good intentions and such, but the problem is as soon as you go to a different platform, which is inevitable to do at some point, it just becomes hard to kind of, use those passwords properly.
Crystal Privett:Plus, as entrepreneurs, we spend so much time focusing on how to build it, the steps I need to take to build it. Then once you finally get there and you've built what you're trying to build, people don't realize that there's a step in securing what you've built and and making sure that now that you have what you've been trying to achieve, how am I going to maintain this business continuity? What can I do to ensure that what I've now created is protected? Because like Essence said, you know, one one attack, and it could wipe out everything that you've built. So, do you have any stories that you wanna share?
Crystal Privett:Because we know you've got lots of stories, Gus, and some you can't share with us.
Gus Cervantes:I know. And, you know, you're talking about what we call IP in the IT world, and IP stands for intellectual property. So what you know, your business, your business processes, a lot of that's considered intellectual property. You don't want other people to know because a lot of it's your competitive edge. Right?
Gus Cervantes:But before I describe one of the stories, you had mentioned, browsers. And, that's one of the biggest security risks is your browser, by default, asks you to you you want me to save your password. And that password is saved in in the IT world, what we call clear text, which means that it's not encrypted. And there's these softwares that download, I don't care whose website it is. They constantly get attacked, and it might take them 3 minutes to solve the problem.
Gus Cervantes:But in that 3 minutes, they've downloaded what's called the scraper. That scraper grabs that clear text password and then puts it all over the dark web. And next thing you know, you're being compromised.
Eric Beels:Ah, so so your browsers are sounds like it's a terrible location to save your password.
Gus Cervantes:Absolutely. That that's you may as well write it in big letters on your computer and say, hey, everybody.
Eric Beels:No password. Yeah.
Gus Cervantes:Yeah. That that's just that's the biggest no no. Yep.
Crystal Privett:Oh, wow. Like writing password.
Gus Cervantes:Right. Right. So using password for password. Right? Or blank for no password.
Gus Cervantes:Right? I mean, those are the ones we always first try. And then, of course, we have software that
Eric Beels:So then those
Gus Cervantes:you can get into computers when we need to.
Eric Beels:So then that's what's really kind of doing an injustice, whereas making you feel like you're secure and, you know sense of security. Like, oh, it's gonna save your password. Yeah. Keep it secure, whatever dialogue, you know, fluff that they maybe say.
Crystal Privett:Meanwhile, it's a scarlet letter, like, walking around with you.
Eric Beels:Yeah. So, really, Safari and Chrome and whatever browser you're using is more like a hacker's dream than it sounds like.
Gus Cervantes:Absolutely. Yeah. Yeah. Especially Chrome. Chrome is like
Crystal Privett:Oh, no. Chrome is like 90 is like 95 I'm afraid.
Eric Beels:Chrome's like 95% of usages. They that's
Gus Cervantes:Yeah. And so you gotta understand from a hacker's perspective, Chrome, like Microsoft, Microsoft's the most common operating system out there, and so it's the largest attack surface. And the same thing with Chrome. It's the most popular browser. So they're gonna write programs or do malicious stuff towards Chrome because it's got the the most use.
Gus Cervantes:Right? So they're gonna get their most bang for their buck or their most, you know, return on investment with that. So, to talk about some, horror stories I've dealt with, I'll start with a small one, then I'll go on the more sophisticated one. A small one, a couple of years ago, an office with about 23 employees. They do holistic medicine.
Gus Cervantes:I won't go into geographic detail because I don't wanna rat anybody out here. But anyway, they called us up, and, they hadn't engaged us yet as a service provider, but they called us up. They described their problem. They asked if we could help them. I told them we absolutely can.
Gus Cervantes:So I went over there, started doing some forensics, and, the problem they were having was somebody was emailing QuickBooks invoices to their clients and had changed the bank routing number. And so they were paying invoices to some bank in Central Africa.
Eric Beels:Woah. Oh my gosh.
Gus Cervantes:So they were alarmed, and, they were very concerned.
Crystal Privett:Talk about business continuity. Right.
Gus Cervantes:So and reputation, because now
Eric Beels:you gotta
Gus Cervantes:call your clients and say, hey. We got hacked and blah blah blah. And the person is not gonna pay you because they already paid. Right? And so now you now they talk to their insurance company and they didn't have, cyber insurance and blah blah blah.
Gus Cervantes:Right? So, anyway, so what had happened, it was, they had hacked, the back end of their Office 365, which is very common. And they were copying their templates and just editing the templates and then reforwarding them off.
Eric Beels:Keeping everything the same and just changing the link. Yeah.
Gus Cervantes:And then
Eric Beels:and the here's the crazy thing about that is the other side is expecting that too.
Gus Cervantes:Right.
Eric Beels:So they see it, and they're like, oh, yeah. It all checks out and subdue.
Gus Cervantes:And they just pay the invoice. So, we corrected that problem very quickly. Another one that, became a big problem for a while was escrow companies. So escrow companies, same thing. They were getting wire instructions.
Gus Cervantes:Another escrow company in North County, won't mention their name, but they lost several $100,000 before they called us. And then we sat down with Citibank and the FBI. We described the forensics that we found. I explained to the FBI how they were doing it. FBI sent out a bulletin.
Gus Cervantes:And, anyway, we corrected that too. So they were, changing the wiring instructions. So the escrow company was getting it. Everything looked legitimate. Their logo, everything, except for the wiring instructions, was going to some foreign bank.
Eric Beels:Mhmm. Oh, man. See, that's that that to me is kind of, like, one of like like the scariest ways almost because it's like you could be on hyper you could be well hyper alert actually. And, you know, the actually something kinda similar happened to me with my website hosting provider. And what actually cued me and so I actually I use a lot of email aliasing.
Eric Beels:So I'm sure you probably know know what that is. Email email aliasing is you can basically can put it could do like 123@diffmix.com somewhere else from for my for me or I could do and I could do my name, eric@diffmix.com, that sort of thing. I could do all different I could do it different places, but it's all gonna go to the same email address.
Gus Cervantes:Right.
Eric Beels:And I started implementing that a lot, and this actually helped me with this this situation. So my hosting provider, I was receiving emails for emails from them, and, and and I use Namecheap, for my hosting provider. And they and what keep me in email looked perfect. Everything looked looked right and has notified me of, like, you know, a domain's expiring or something like that. I get those.
Eric Beels:I'm like, okay. I get those. I'm like, okay. I didn't think anything to to to of it. And then, and it was actually around the right time too when it was expiring.
Eric Beels:And what cued me in though is I looked at the "To", who it went to, and it went to an email address that I know my web my domain provider does not have.
Gus Cervantes:Correct.
Eric Beels:And so I was like, wait a second. They don't have that email. I know what email I use for my hosting provider. That is not it. And I was like, hold up.
Eric Beels:And then I and then I went and then I so I just went straight to the website just to kind of verify and check. I was like, oh, it's not expired. I was like, this is a phishing email. And I forwarded it off to them, and then a few weeks later, I started receiving actual emails from them. They're like, hey.
Eric Beels:A lot of people are, are receiving this. It wasn't just me. It was a a lot of people on it too. And so in a similar vein, what you kind of you kind of talked about is is in that case, it wasn't like an invoice. It was like notification that something's expiring and then you, of course, click the button to, you know, oh, your credit card information needs updating or whatever it might be.
Eric Beels:Right?
Crystal Privett:And Gus is the guy you want to know, but you don't want to have to call him.
Eric Beels:Yeah. Basically. Yeah.
Crystal Privett:Preventative seems to be a much better approach than, some of the things that could be happening to us.
Gus Cervantes:And I think a lot of people have also gotten the Microsoft 365 email that says, you know, your password's expired. You need to reset it. Mhmm. And it's really just some third party criminal, you know, asking for your password, you know, but it looks legitimate. It's got a lot
Eric Beels:of people who want the same password that that they want it, like they already have. And then it goes, oh, it's accepted, you know, whatever. And then
Gus Cervantes:the next thing they do is they start hitting all your accounts because the majority of people use the same password for different accounts. And so you just, you know, you're super vulnerable that way. So you really gotta you really gotta straighten out your act on the cybersecurity side of that. Mhmm. But, anyway, so that that was a real common, one.
Gus Cervantes:Another one that's really common that we see a lot is, domain spoofing or email spoofing, where people will be getting emails. Someone will send, someone will respond to an email to somebody and saying, hey. We didn't really understand this question, or we already paid you for this, or where do you took care of this, whatever. And, what they've done is they've gotten a very similar domain that might have an extra character in it. Like like, your domain might have one r.
Gus Cervantes:It'll have 2 r's.
Eric Beels:Or or or a capital I versus a lowercase l or something like that.
Gus Cervantes:They'll just change it a tiny bit and spoof on your behalf. The other thing too is, what people should be doing is, setting up what's called DKIM and DMARC and SPF on their emails. And this, what this does is it validates the source of the email so that it verifies that it's actually coming from your domain, from your mail server, and not somebody else's so that somebody can't act as an intermediary, which is the way a lot of these attacks happen and a lot of these, cybercrimes happen.
Crystal Privett:And you mentioned cyber insurance, and I don't know. Do most businesses might not even know about what cyber insurance is. Could you maybe explain that to the audience?
Gus Cervantes:Yeah. So, so cyber insurance, it's evolved, and it's still somewhat easy to get. What's happened is the requirements have gotten stricter because several years ago, after a bunch of ransomware attacks, the insurance company started wising up, and now they don't just give everybody blanket insurance. So for example, 5 years ago, I have a client in North County in Carlsbad. They've got about 240 employees, 3 locations.
Gus Cervantes:5 years ago, they asked me to look at their insurance, cyber insurance application. And in a nutshell, it was, do you have do you have a backup, a daily backup? Yes. Do you have an antivirus? Yes.
Gus Cervantes:Okay. Here's your policy. So 3 years ago, that same insurance application had 110 questions on it.
Crystal Privett:Wow.
Gus Cervantes:And, those 110 questions were part of a cybersecurity framework called the NIST 800-171, which is something that we specialize in because the Department of Defense adopted that as part of their cybersecurity framework, and every defense contractor has to meet all 110 controls. So anyway so now the commercial insurance businesses have adopted it, and they're asking all those questions. And the other thing I've noticed is if you're a micro business I'm gonna say micro business, 20 people or less. They're more, liberal. They'll insure you, but it's a flatter rate, and it's a higher rate than if you have a bunch of controls implemented because you're a higher risk, but at the same time, a lower risk because of the size of your company.
Gus Cervantes:I see.
Eric Beels:It was saying. So you're higher risk because you probably aren't implementing the things that you should be.
Gus Cervantes:Right.
Eric Beels:But you're a lower risk because you are smaller.
Crystal Privett:The dollar amount. Right.
Eric Beels:Got it.
Gus Cervantes:Yeah. So they have, like, a blanket flat rate for those. But everybody should have cyber insurance. It's, it's not that expensive, especially if you're a smaller business. If you're a larger business, they get they get pretty granular.
Gus Cervantes:One insurance company that we've been working with a lot, is called Coalition, and they have their own SOC, which is a SOC, SOC, security operation center. And they scan the client's networks and look for vulnerabilities every month. And if you find a vulnerability, they have 45 days to remediate the vulnerability. Or if they get attacked and and it's based on or because of that vulnerability, then they won't honor the claim.
Crystal Privett:Wow.
Gus Cervantes:So they've gotten very sophisticated. All the big insurance guys are
Crystal Privett:now warning. You better resolve it or else you're out.
Gus Cervantes:Yeah.
Crystal Privett:Alright.
Eric Beels:Well, I mean, you know, I think on on the flip side of that too, you know, they're they're it sounds like they're taking the initiative to actually kind of, like, alert you of these things too, though. Right? I mean, I think, you know, usually insurance isn't really doing that sort of thing. Like like, actually, that sounds like they're doing proactive stuff, which is gonna be better
Gus Cervantes:for you
Eric Beels:in the long run anyway. I I
Gus Cervantes:I love it.
Eric Beels:Yeah. Yeah. So that's that's really good. And and I think, you know, it it's such a complicated thing because there's there's, you know, one, people don't know what they what what they don't know. There's plenty of things that I don't know that, you know, especially with the advent now of of AI.
Crystal Privett:Yeah. There's so much fraud that you have to be so hyper vigilant. I mean, like he said, the spoofing, I had to actually call Gus because I was dealing with something with I think they use reputable names as well because I was dealing with Amazon for a book that I had, and someone spoofed me on the phone, and I thought I was still talking to Amazon, and it was it was someone else, and they tricked me into purchasing a program that didn't even exist for my book, so it was a little bit tricky situation, because I really I literally thought I was still on the phone with someone reputable, because I was the one that called them, and little did I know that they could switch your phone line over. I didn't even know what spoofing was until I met Gus, but it there's there's a lot of things going on, and even one time, my mom my son called me from school. He goes, Mom, are you okay?
Crystal Privett:I said, Yeah. Why? He said, A man just called me and said, we have your mom. And so and he was like, just just glad to know you're at home. Like, you're good.
Crystal Privett:Okay. I'm going back to school.
Eric Beels:Well, you know what? So have you heard now that they're doing that they're doing AI spoofing on voices. Mhmm. And so what they'll do, you can look this up and type in on on on YouTube.
Crystal Privett:Gus knows all about it.
Eric Beels:Yeah. And and they and basically, there's all these kinds of, like
Crystal Privett:I used to record
Eric Beels:news articles and stuff or news videos where they kind of show this Mhmm. And, where they only need, like, you know, 10, 20 seconds of of, you know, your voice, which everybody has their recording, you know, somewhere. Like, you're just recording something. Voicemail. Yeah.
Eric Beels:Voicemail. They could just call and hope you don't answer. Call at 3 AM or whatever. You won't answer that sort of thing. Get your voice mail from that.
Eric Beels:And, and and what they'll do in a similar vein with you with what you just said was they'll go, oh, we have your mom. Here she is.
Crystal Privett:Mhmm. And
Eric Beels:then it'll be your voice Yep. As an AI Yep. Like, basically, to to the other person online be like, you know and they'll they'll say stuff like, yeah. So you need to send us 5,000, $10,000, whatever it is to this Venmo or whatever it is right now, or we're gonna or we're gonna kill kill them in
Crystal Privett:That's why we have a family password for those types of situations. So, if, like, someone says that, it's like, well, what's the password? If they can't provide that, then we know it's not real.
Eric Beels:Don't say it here.
Crystal Privett:Obviously, obviously not. Gus probably reread my mind or something.
Eric Beels:Yeah. Gus is like, I'll take it. I'll take it.
Gus Cervantes:Well, my response is, thank you for taking the time to talk to me. I've already geofenced your IP, and I have a tactical team on the way.
Eric Beels:Oh, no. Yeah. We're gonna be done with this recording here. We're gonna have a
Crystal Privett:Is that what the helicopter is?
Eric Beels:Yeah. Is that what that is? Is that why I'm seeing SWAT people walk outside?
Gus Cervantes:Yeah. That's another problem because, phone systems, the majority have now moved over to what's called voice over IP and, IP being Internet protocol, which is what 99.9% of the computer systems on the planet now use. And, so, it can be hacked just like anything else. You know, if it's got bits and bytes going across, over a medium, then it can be hacked. You know?
Gus Cervantes:So, yeah. So that that's another big problem. Tell you a story that we ran across a few years ago. This one was interesting, and this one was from a state actor. And when I say a state actor, that's DOD technobabble for, an adversarial country.
Gus Cervantes:And so there was a company in Mira Mesa that had 5 locations, about 700 employees. We used to do their IT. They outgrew us. They ended up hiring their own IT staff, but we still provided high speed Internet and their voice over IP phone system for them. So I still had a relationship with them.
Gus Cervantes:So one day, it was on a weekend. It was a Saturday morning. I was getting ready to work with my youth program, and this person kept calling me. And I hadn't heard of him in a while, and I'm like, okay. Something's wrong.
Gus Cervantes:So I answered it. And, the gentleman was in Spain on vacation, and he said, hey, can you do me a favor? I said, yeah. What can I do for you?
Gus Cervantes:He said, I need you to go over to corporate and see what's going on. And, he described a little bit what was going on with their IT systems. And, basically, in his words, he said, I think my IT guys are BS-ing me. I need you to go over there and tell me what's really going on. So, that evening, I called him back, and I said, so and so.
Gus Cervantes:I'm not gonna use any names here. I said, so and so, you've got 3 choices. You could do nothing. You can pay an almost half-million-dollar ransom, or you can go out of business. And he said, what are you talking about?
Gus Cervantes:I said, this someone has hacked your network. They've encrypted all of your servers, all 23 of your servers. They've encrypted all of your backups, both locally and in the cloud, and you have no air gap backups.
Eric Beels:Oh, man. So they basically just locked them out at and of everything, it sounds like.
Gus Cervantes:Everything. And so, when we got done doing our forensics, we brought in the FBI, of course, because we started seeing signs, you know, e-signatures that it was definitely a state actor. It turned out it was North Korea. And, the way they got on their network, which at the time, to me, was fascinating, they used a printing protocol, or a file transfer protocol called SMB, SMB system message block 1.0, which they had on an old copier of theirs. And so they came in through that old copier.
Gus Cervantes:And, and then once they got on the network, of course, they started downloading more and more information, and they were on their network for about 8 months. And studied the company, did the demographics, figured out what kind of revenue they had, figured out blah blah blah, figured out the best time to to lock them all down, and then they encrypted everything.
Eric Beels:Wow. So so there was a so so there was a printer, like, like like that was connected via Wi Fi or Ethernet or something like that. And they were to they were able to just bait and because that has access, they were able to kind of basically hack into the how did they get access to the printer in the first place then in that in that instance? Like, how did the
Gus Cervantes:Well, they they they came into the firewall.
Eric Beels:Okay. So
Gus Cervantes:And so, gosh, there's gonna be a little bit of technical babble, and I'm gonna try and break it down as simple as I can because this is important for people to understand about firewalls. So in the battle days, 3 years ago, firewalls, the the the way everybody puts in firewalls, and I'm willing to say most of your firewalls out there are still configured this way, so you need to pay real close attention to what I'm about to tell you because it's gonna scare you, and you need to act on it. Most firewalls out there, they block everything coming in. They trust everything going out. K?
Gus Cervantes:Okay. So all so all the ports except for a select few ports that come in are being blocked, because that was the old security model everybody used. Everything can go out. Nothing is blocked going out.
Eric Beels:The process assuming that, like, everything inside oh, it's it's going out. So if you're sending an email, it disappear or whatever. Right.
Gus Cervantes:Because it doesn't account for insider threat. Right? So what happens is a little payload comes down through port 80, which is your web browser, so you're cruising the web, and now this little payload comes down on that port. It then goes to your printer, starts infiltrating printers, finding another open protocol that it needs to download a larger program or a more sophisticated program, finds an open port, and starts to exploit it. Now it starts to phone home saying, okay.
Gus Cervantes:We need this now. We need this to take the next step, and it starts downloading more and more stuff. And so that's why, most people don't realize that ransomware, there isn't a zero day. It doesn't happen instantly. It takes months for ransomware to take effect because these little programs are downloading a little applet at a time until it builds up more and more sophistication, more and more capability, and then it strikes.
Gus Cervantes:So most firewalls out there today are are configured that way. They're configured to block most things coming in, not block anything going out.
Eric Beels:I see. You know, that actually kinda makes sense if if if I was even, like, kind of looking at that. I'd be like, well, I want everything going out. I'm okay. I'm not doing anything.
Eric Beels:Right? It kinda sounds like surface level. It sounds like, oh, no. I want everything going out. You know?
Eric Beels:Especially because I'm sure a lot of people have run into this issue before too where it's like, maybe someone did have it set up that way, and it's for security, and they try to do something, and then it's like just not working. And you're just like, why isn't it sending? Like, allow everything, you know, and they just kind of go into the hill, allow allow all things going out and stuff too because they just wanna send this thing or whatever too. So there's a I know I I've kind of been in similar I don't know about sending something out, but I've been in similar situations where it's just like, oh, they just disable it or whatever and such too. But, like, when you do that, you're kind of making yourself vulnerable.
Eric Beels:And so that happens so so a device or a software or something gets downloaded, like, maybe it sounds like a malware thing, like, maybe you download a a Sketchy software or something like that. And then because it's on because you approved it, you installed it on the computer, and because it's able to phone home, wherever home could be in North Korea or something. And now because it has full access, it's able to to so then how does that work? It phones home, but then there's still the receiving side of things. So it's able it's still able to because you give it permission, I guess, now, and this the computer, you're like, oh, well, you give this permission so I can download stuff now.
Gus Cervantes:So so it opens a port on the way out.
Eric Beels:Oh, I
Gus Cervantes:see. And now that port, we call it a pinhole. Now that pinhole is open. And so And it's bidirectional communication. So now that it's communicating to home, to the death star, if you will, it's now you know, bidirectionally sending bad information down, right, or bad actors down.
Gus Cervantes:And, again, it's using port 80. So port 80 is your web browser. So you could be you could be shopping on Amazon, and the applets could be downloading in the background you're not even aware of on port 8. Right? So the other problem is most people have obsolete firewalls.
Gus Cervantes:So if you're if your firewall's older than 3 years old, it's basically doing nothing for you. It's worthless.
Eric Beels:3 years?
Gus Cervantes:3 years old. It's doing absolutely nothing for you.
Eric Beels:Oh, wow.
Gus Cervantes:It's worthless.
Eric Beels:Is there
Gus Cervantes:Completely worthless.
Eric Beels:So is that is it a matter of just, like, updating software or something? Or It's updating to the to
Gus Cervantes:the next generation of firewalls. Mhmm. What are your what are some of your favorites? Depends
Crystal Privett:on the business, but the one that most small businesses
Gus Cervantes:and when I say small business, I'm gonna say 100 people or less, and I'm gonna narrow that. I'm gonna say 50 people or less. It's gonna be like a SonicWall or a Fortinet. You get larger than that, then, then I like Palo Alto. Palo Alto, in my opinion, is the best firewall on the planet, and we use that with all our enterprise customers, and those things are they're extremely sophisticated, but they're not inexpensive.
Gus Cervantes:SonicWalls are fairly inexpensive. So the the challenge is this. Google pushed an initiative several years ago where everything had to be encrypted, which is why everything's HTTPS now. The problem with that is that firewalls can't read encrypted data. So your old firewall is worthless because everything that's coming in or out now is encrypted.
Gus Cervantes:So we can't inspect the packets that are coming down for malicious software signatures.
Eric Beels:I see. So, you know, that's kind of a misleading thing too because, I know HTTPS. Well, I don't know what the HTTP part actually stands for, but the s stands for secure.
Gus Cervantes:Security. Right.
Eric Beels:Right. And so but it kinda sounds like, oh, it's secure. It's safe. And so too. Right?
Eric Beels:And so it's almost like there's all these, like, good intentions on things, but then it's like, oh, well, what you just said, everything's if everything's encrypted, I guess, on on your web activity, the fire like what you said, the firewall, your security system on your computer, whatever, can't, like, monitor that stuff now.
Gus Cervantes:Right.
Eric Beels:And so
Crystal Privett:It's almost like it's almost like going to the doctor where now you have to go and be your own advocate. You can't go to the doctor and, like, expect the doctor to figure out what's wrong with you. It's almost like, okay, here's the here's the bare minimum procedures that you should be doing, but really, if you listen to Gus, it's like you really should step up a lot of these levels to to get to a point where we won't have to be scared straight on a personal level.
Eric Beels:Well, it also sounds kinda like that. It almost sounds like going to the doctor and then not telling them anything about what's going on and stuff too. Yeah.
Crystal Privett:Oh, I feel great and my leg's hanging off.
Eric Beels:Right. Exactly. And then they're just left to kinda, like, look at you and just kind of expect to kinda figure out what's going on.
Gus Cervantes:Yeah. Or I would liken it to going to a doctor and and, you go get a blood test and you can't read any of the results.
Eric Beels:Oh, yeah. It's all encrypt yeah. It's all it's all, like, numbers or whatever. You can't read anything.
Crystal Privett:You're sure you can't read the results. Yeah. What good is it if you can't decipher?
Gus Cervantes:So the next generation firewalls can break those, packets down. They still can't read the data because it's encrypted, but they can read the headers for signatures, for malicious, activity. You know, for so for things that have a malicious signature, they can see it, but they can't read the data. But they're far more sophisticated than the old firewalls.
Eric Beels:So so you mentioned that a new firewall that's, like, older than, like, like, 3 years. Is that, like, a hardware thing then or on a
Gus Cervantes:It's a hardware. Yeah.
Eric Beels:Oh, okay.
Gus Cervantes:Yeah. And you gotta see if they're using next gen or what they call next generation technology. Right. If it's able to read encrypted, you know, and so forth. Yeah.
Gus Cervantes:And so you're not going to find that with the low end consumer stuff, you're going to have to go to what I call prosumer, like the low end SonicWalls, and then you get more sophisticated. You move to a to a more Mhmm. Beefier system, you know, but more cost.
Crystal Privett:Right? But if someone comes to you, an ITS team, you would probably help guide them to the right fit.
Gus Cervantes:Absolutely. Absolutely. Yeah. Because this
Crystal Privett:is a this is a lot for an average consumer to not know necessarily where to start. The firewall, yes. The password protection, yes. That's something that they could probably start on their own, But, what what does it look like when someone comes to you?
Gus Cervantes:So it depends. I'm, entertaining a prospect right now, and I've gotten pretty hardcore. I have requirements before I'll do business with them.
Eric Beels:Mhmm.
Gus Cervantes:And, you know, I'll see if they have a budget, and I'll see how they feel about security, and what their willingness is, you know, to implement security measures and stuff. Yeah. And, if they think it's just a giant waste of time or whatever, then, obviously, I just move on because I I'm not gonna waste my time nor am I gonna become part of their liability when they get hacked. So but, it really doesn't matter on the size of the client. It it really matters on the attitude of the client.
Gus Cervantes:Mhmm. You know?
Eric Beels:How serious are they? Not not really locked
Crystal Privett:Are you coachable? Yeah. Yeah.
Eric Beels:Yeah. Because it you know, there is kind of a learning process, I think, with with with with all of this. You know, I I there's kind of a it's funny because it's it's it's not kind of cracking down on these things. It's sort of like, you know, complaining that your car is locked, I guess. Mhmm.
Eric Beels:But we lock our cars all the time now, but, you know, there was a time period where locks weren't on cars and such. Right? And so it it's like, I think it's just like a learning process and kind of being open minded to whatever that, you know, it's unfortunate we have to do this in the first place. Right?
Crystal Privett:Fraud isn't going anywhere, unfortunately. These people think that it's a career, and and we have to kind of make it a little bit of a career to combat it. Mhmm. I mean, we do wear lots of hats as entrepreneurs, but I'd be very much willing to give this hat to to Gus to wear because it's a heavy hat for you.
Gus Cervantes:It is. But one of the things that you know, when I think in terms of business continuity, I think of resiliency. Because if if you, let me rephrase this. If you haven't been hacked, it's only a matter of time before you're hacked. It's only a matter of time.
Gus Cervantes:Your number will come up. So how are you gonna survive that hack? How resilient are you? What what kind of systems do you have so you can bounce back quickly? Right?
Gus Cervantes:So so that's what I focus on a lot with my clients is is the resiliency. So we're gonna we're gonna try and bulletproof your network as best we can. We know there's sophisticated actors out there that if they really wanna get in, they're gonna get in. So what do we have in place to bounce you back to normal? Right?
Gus Cervantes:And so, we call that an RTO in our business, which is a recovery time objective. Right? And some people want a 2 hour recovery time objective. Some people want a 72 hour recovery time objective. Those that want a 72 hour recovery objective usually realize after they've been hit that they wanna close that window considerably.
Gus Cervantes:Right? Because 3 days is a long time to be completely out of business. Right?
Crystal Privett:Yeah.
Gus Cervantes:So one of the best ways you can do that is just by something really simple and having a backup. Okay? So the challenge with backups and again, I'm talking to you out there in the audience. You need to talk to your IT guys because I guarantee you, 99.9% of your IT guys aren't doing this or probably aren't even gonna know the word I'm gonna tell you. It's called immutable.
Gus Cervantes:So what does immutable mean? Immutable means that it can't be tampered with. It can't be changed. 99.9% of people out there are not doing immutable backups. So where it used to be, you could have a good backup you could just restore from.
Gus Cervantes:Well, hackers are encrypting that backup now. Mhmm. And so now you can't restore. Right? If it's immutable, they can't.
Gus Cervantes:They can't encrypt it. If it's air gapped, they can't encrypt it because they can't get to it. So air gapped means that it's detached from the system. Mhmm. It's not tethered by any electronic form.
Gus Cervantes:Okay? And so what we do with all of our clients is we air gap their backups, and we do immutable backups, both locally and to the cloud. And all data with our backups are encrypted in transit and at rest. Mhmm. So they can't they can't tamper it.
Gus Cervantes:So that's how we can guarantee a recovery time objective.
Eric Beels:So is the air gap is that basically, like, you know, plugging in a hard drive, letting it back up, and then just physically disconnecting it?
Gus Cervantes:Exactly. It's the old school magnetic tape. Right? You back up to a tape drive, and now you can't hack it because it's right? It's a standalone entity.
Gus Cervantes:Right?
Eric Beels:Well, you know, it's it's interesting because it's, you know, it's it's funny because it it it's such it it sounds such a,
Crystal Privett:like Like a step backwards?
Eric Beels:Yeah. Almost. It's like, well, I gotta, you know, disconnect it and such. Right? Because there's not because I and and but I kinda just thought of too.
Eric Beels:I've I've heard that, like, even in in the the military that I guess I think, like the like the nuclear stuff that they try to keep it on like old, really old tech that's like, I don't know, from seventies or eighties or something like that, that that's completely disconnected, but then it's not even like a regular computer. It's like running off of, like, I don't know, floppies or something like that. It's like or it's a analog or something. I don't really know. But for, like, the the purpose of that, okay, modern, like, you know, viruses can't infect this because it's it's different technology, basically.
Gus Cervantes:Right.
Eric Beels:It's in a similar vein as that. Mhmm. Wow. So how okay. So I have a few okay.
Eric Beels:A couple questions. I guess, what are some some of the key businesses if if there's any, that are like at most risk for for being hacked? Like, maybe what's what's who are the businesses that hackers are like, oh, I wanna really go after these guys because of don't know, some reason that if if I'm
Gus Cervantes:It would be hard to narrow down because it really depends on the intent of the hacker. So some hackers might be going after, companies that are politically persuaded because they disagree with their politics. Some may be going after financial institutions because they support things that they don't like. Other ones may just be doing it for monetary gain, and some might just be wanting to steal state secrets. And but but the biggest threat out there now is ransomware.
Gus Cervantes:And and ransomware, it's not your dad's ransomware. It's changed considerably. And now what's out there is called ransomware as a service. And what does that mean?
Eric Beels:As a service?
Gus Cervantes:Service. So let me describe what that means. I have $20,000 in Bitcoin, which can't be traced because it's, you know, it's, it's Bitcoin. So, cyber currency. So I go into the dark web, and I buy a ransomware as a service software.
Gus Cervantes:And I pay this company to host it and might be some East Bloc nation or whatever, one of our adversaries. They'll host this for me, or I can host it on my own server if I want. And what this ransomware as a service does is it starts sending out all these bots that starts hacking all these networks. And it's gonna get on networks because most small businesses don't have very sophisticated, you know, you know, technology to prevent it. And it just automatically starts sending them ransomware notices after they've been ransomed.
Gus Cervantes:And some will have a good backup and restore the data and say, forget you, and some will pay the ransom. And when they do, you're just cashing in.
Eric Beels:Wow. So you're just basically paying a hacking company to do the hacking for hacking as a service, actually.
Gus Cervantes:Yeah. That's right. They call it ransomware as a service.
Eric Beels:That's crazy. And because of, like, all the cryptocurrencies that have been untraceable, it's, like, makes it an easy way to pay them
Gus Cervantes:Exactly.
Eric Beels:Versus yeah.
Gus Cervantes:And this is where before, when really small clients would say, well, how big of a target are we? I'd say, well, you know, they're not really after you. But ransomware as a service doesn't discriminate. It's not intelligent. It doesn't know.
Gus Cervantes:It doesn't care what size you are.
Eric Beels:They just it's just a little more. Okay. We'll put it out there and do this thing or whatever, and that's it. And that's not And
Gus Cervantes:what they're finding is the smaller companies are the least sophisticated and the most likely to pay out.
Crystal Privett:Because they don't know what to do.
Gus Cervantes:So, yeah, that's ransomware as a service. That is the new ransomware out there.
Crystal Privett:And one last thing I know that we've talked about a lot, but what about what about people's cameras? Is there anything that you wanna, like, as far as, like, your cameras on your laptop and things like that? Is there any security measures that you would recommend on something like that?
Gus Cervantes:Yeah. So you should have, a really good endpoint protection. That's a fancy word for an antivirus. You should if you can, again, encryption, and you should have your camera disabled and you enable it on demand. Don't because most of the software will automatically enable it.
Gus Cervantes:You don't want it to do that. And one thing that a lot of small businesses, most of them don't do and should be doing now because it's affordable now. And that is having, what they call an XDR. What an XDR does is, it ties to a SIEM and a SOC, fancy IT terms. Or, basically, what it says is it's grabbing everything that's happening on your computer.
Gus Cervantes:It's sending it to a security operation center, and they're analyzing it. And then they send you an email alert if they see something suspicious. If it's on a threshold of 1 to 10, if it's greater than an 8, then they automatically triangulate it and shut it down. So you should be doing that on every computer now because it's affordable. For less than $10 a month, you can implement some of that technology now.
Eric Beels:So they're look and that's kind of, like, almost so that's kind of they're looking for, just certain things that might stand out as red flags. Like, hey. This could be a problem. So there's a certain awareness, I guess. It's like Yeah.
Eric Beels:Okay.
Gus Cervantes:And I'll tell you a story. I'm not gonna name names, but I I got a call from a BNI member a couple of years ago, and, they were being, blackmailed. And, what happened was, their kid was looking at pornography online, and they had another computer across the family room from it. And someone had hacked the camera and was videoing their kid watching pornography.
Eric Beels:Oh, wow.
Gus Cervantes:So then was telling them that we're gonna put this all over the Internet and on your social media if you don't pay us x amount of dollars or what have you. Right?
Eric Beels:So they're black back blackmailing them by by recording that. Oh, wow. So the other thing you do,
Gus Cervantes:of course, is you have those little camera covers Sure. And you can get them for your laptops or what have you. You should always have that covered until you're ready to, execute.
Eric Beels:What about microphones? The mic the audio side of things on that.
Gus Cervantes:Same exact thing. Yep. Same thing. Yeah. You gotta lock it down and enable it on demand.
Eric Beels:But it's like, how you know, the camera, okay, you can block it physically, but I don't know how how do you you know? Because it's so like, some of these laptops, you know, they're still built in. Right? Right.
Gus Cervantes:So
Eric Beels:if you're con if someone's, like, concerned about, like, you know, something being recorded that that shouldn't or whatever, how would you how would you prevent that on a laptop?
Gus Cervantes:You go to command line and type in services.msc and then shut off the audio service.
Eric Beels:I see. So you gotta go into Manually. DOS or That's what I do, man.
Crystal Privett:Take you 30 minutes to power up your computer in those markets.
Eric Beels:Mine has, Yeah. I know.
Gus Cervantes:It takes a little bit.
Crystal Privett:It takes scan of blood analysis.
Eric Beels:Yeah. It takes us a little bit. It it it takes Gus an hour and a half to log in to Zoom. Yeah. You gotta connect everything together.
Gus Cervantes:Yeah. It's a
Crystal Privett:And in 4 different languages.
Eric Beels:I know. Right?
Gus Cervantes:You know, there's, I was talking about firewalls earlier, and, I wanted to describe it a little bit. I think this is important for the audience and, for people to know. So the way, firewalls work is that they use a couple different technologies. One's called stateful packet inspection, which is when everything is TCP/IP, it's little data packets that come down, transmit up and down through through the Internet or across a computer network. When these come down, stateful packet inspection, it tries to dissect the packet and look for malicious headers or those type of things that might give it an indication that something bad's happening.
Gus Cervantes:Right? So that's one way that's stateful packet inspection. The other thing that they do is all these firewall companies subscribe to the services that alert other security companies that they've found a, either a vulnerability or they found an exploit. Okay? And so some of the most higher end firewalls so for example, I, you know, I I talk about SonicWall a lot.
Gus Cervantes:They they subscribe to 2 of those services. So so they have a lot of information constantly updating these firewalls and letting me know what to block. The most expensive and sophisticated firewalls out there like Palo Alto, they subscribe to 5 of those services, so they have a greater chance that they're gonna find something. They're gonna be alerted sooner. Right?
Gus Cervantes:We deploy a product, called Dark Cubed, and it was developed by a friend of mine who used to be the head cybersecurity guy for the National Security Agency. And it has 125-plus of those signature services coming in. And so we put that on our more sophisticated clients, and, it it does far more than any firewall is going to do. It will shut down things long before I mean, because these things we're using these for the DOD as well. So if the government sees a threat, you're aware of it.
Gus Cervantes:It's blocking it before it ever gets to you as well. So that's, and Dark Cubed, it's a service. It's an it's a cloud appliance, and we sell that for $125 a month. And, again, it's far better than any firewall you can put your money into, and it's a super cheap way to really help lock down your system. And so when we first
Crystal Privett:great investment.
Gus Cervantes:It is. When we first meet clients, the 2 things we do immediately is we put Dark Cubed on the front end, and then we do immutable backups on the back end. And then we work our way into the middle. Mhmm. Right?
Gus Cervantes:Hardening all the computers and all the services and setting up policies and procedures that they have to follow. Mhmm.
Crystal Privett:Your procedures, Eric.
Eric Beels:Yeah. Seriously. Yeah.
Gus Cervantes:So it's, yeah. So those those are the 2 most important investments you can make immediately is getting a product like Dark Cubed and then an immutable backup system.
Crystal Privett:Sounds like everybody could use your help, guys.
Gus Cervantes:And the Dark Cubed well, even like the MDR, XDRs, those type of things, those have gotten so inexpensive now. Literally, everybody in our BNI group should be using that to protect them. And if their IT company doesn't know what those what they are, then they need to go shop for another IT company because it's really elementary now.
Crystal Privett:Like an ounce of prevention could save you a half a million dollars or more. I'm we never found out which option that guy chose, but Right. Right. I know you can only tell us so much, but, yeah, I hope I hope
Eric Beels:Well, that's, you know, that that's the that's the crazy thing that that like, because all the AI stuff is kind of making the hack stuff easier, so it's almost like because it's like what you said with the, you know, with the ransomware as a service and whatnot too, it's kind of like it's kinda getting to the point where, you know, the hackers, they're not really it sounds like they're not they're they're doing less actual hacking and just letting, like, bots do a lot of it. Exactly. It's all kind
Gus Cervantes:of automated
Eric Beels:at this point. So it's like it's it's it's like they're not necessarily targeting you directly, not going like, oh, I'm gonna go after Eric Beels or whatever and stuff too. Right? They're just, you know, you just kinda get become another number, a number target Yep. In the Right.
Gus Cervantes:There's automated. Yeah. But there's a I mean, there's so many security holes. And, what so what we'll typically do when we engage a client is, we have a software called Network Detective, and it goes through it does an analysis of their network. It does vulnerability scan, and then it shows us where all the holes are.
Gus Cervantes:It creates an executive summary. We show them the executive summary, like, on a scale of 0 to 100, 0 being you're 100% secure. Most new clients we run into, they'll be, like, 97, 98. I mean, you could drive a freight train through their security. There's it's almost nonexistent.
Gus Cervantes:Mhmm. And, a lot of it's just really simple stuff. You know, like, with all of our clients, nobody without elevated privileges can put a thumb drive into the computer and have it read data. Because one of the biggest problems, over 80% of the hacks, 87% of hacks last year, according to the FBI statistics, were insider threat. Mhmm.
Gus Cervantes:And insider threat doesn't mean you're intentionally being malicious. It means you download some app on a thumb drive somebody gave you or you download it from home and you go and plug it into the corporate network because you wanna use it at the office. And now you just infiltrated your system with the virus. Right?
Eric Beels:Yeah. Plugging it in. It's it almost sounds kind of like, oh, well, it's physically here, so it's okay. Kinda like the outgoing thing a little bit. Like, oh, it's going out, so it's must be safe or whatever.
Gus Cervantes:Right. So so we prevent all that. You know, you can't just plug a thumb drive in. We use PAM Solutions, which is a, a password access management solution. And so one of the things that especially in scientific companies, and we deal with a lot of engineering companies, You have, I I I say this with affection.
Gus Cervantes:I'm I'm a recovering engineer, so don't get offended when I say this, but we're the smartest people on the planet. Just ask us. And so we we seem to feel privileged. Like, well, I'm intelligent enough. I know what I'm doing.
Gus Cervantes:So I got you know, I need administrative privileges so I can install the software or whatever. And so they're one of our biggest, challenges is working with scientific people, analytical people because they're typically more sophisticated. They do understand technology, but they don't look at it from a from a threat perspective. Right? They're looking at it from, how do I leverage this technology to make a product better?
Eric Beels:I see. It's like it's like someone being, you know, familiar with electricity and, like, they like, oh, I can install this.
Gus Cervantes:You know?
Eric Beels:I can install this this this electric charging thing Yeah. For the car or whatever and stuff too.
Crystal Privett:Says a a handy friend is a dangerous blend.
Eric Beels:Right. It's almost kinda like that, but in a in a digital space. Yeah.
Gus Cervantes:So what a PAM solution allows us to do is it gives us a dashboard where we preauthorize certain individuals within the within the business to get elevated privileges on demand, but they never know the password. So what happens is a QR code will pop up on their, on their screen. They'll acknowledge it with their phone as an MFA, multifactor authentication, and then it'll give them access privileges, elevated privileges at that moment for that software so they can install that software. And then the password's constantly changing, so they never see the password nor do they ever know the password. And then it alerts us immediately that someone just used the PAM solution, and we could take a glance at it and go, okay.
Gus Cervantes:We're showing so installing SolidWorks or whatever it was. It's legitimate. Right? Mhmm. You know?
Gus Cervantes:Mhmm. So it's constant vigilance, but it keeps them it keeps the prima donnas in check. Right? So because they you know, a lot of people just feel they gotta have that. The other problem that we run into a lot is, as the owner, well, I should have all the passwords because it's my company.
Gus Cervantes:I own the property. That's great. So we use password managers where we can share that information with the owners. And the other problem we're running into with owners is like, well, I should have admin privileges all the time so I can do whatever I need to do. Right?
Gus Cervantes:And that's a big mistake. You know, as I mentioned earlier. Right? You wanna have a lesser account that doesn't have those elevated privileges, and you escalate as you need them.
Eric Beels:So how do you I know we're going, like, a little bit longer here, but I have it but the how because I feel like, and I've kinda gone through this, but I was one who was really willing, I guess, to kind of, like, push push through this because it was definitely a learning curve for me when I kinda got into doing password managers. And the hurdle that I came across was it was, like, you know, either constantly asking for a password or something like that, or it's, you know, just not functioning properly. And I don't really know why necessarily. And maybe that's that's just kind of like for the IT guys in the area that kind of, help figure it out. But, like, I guess the question I have is, like, how what do you have any suggestions on helping someone kind of overcome, like, those hurdles?
Eric Beels:Like, that that kind of because it's like, because, oh, I just wanna be able to do it because I'm I'm the owner, I'm the admin or whatever, but it's like, those those might be the worst people because they're typically not the one that's, like, most mindful about security because they're the business owner. They're trying to run the business or whatever. Right? They're not something focused. Right?
Eric Beels:So it's so I I could see them being, like, the biggest culprit at times because they want those those things.
Crystal Privett:Unintentionally. Unintentionally. Right.
Eric Beels:Right. But do you have any suggestions on on, you know
Crystal Privett:The mindset behind it?
Eric Beels:Yeah. Maybe the mindsets or helping someone kind of, like, how do you push through
Gus Cervantes:that Overcoming that objection.
Eric Beels:Yeah. Overcoming, like, the the the The fear. The hurdles or the fears that Mhmm. Kinda come come along with getting through learning how to do it.
Gus Cervantes:So we do quite a bit of cyber training
Eric Beels:Yeah.
Gus Cervantes:With our clients. And and, typically, we'll do that too before we implement a particular solution, like password manager or any type of access control. We'll explain what the result's gonna be if they try and do certain things and some of the problems that they may run into and how to overcome them. One of the things that, one of my clients yesterday, the owner, at 4 in the morning, Signaled me. And I say Signal because we use Signal because it's encrypted.
Gus Cervantes:And, he forgot his YubiKey at home, and his YubiKey is something they have to stick in the computer as part of the multifactor authentication process to be able to log in. Right? And so I can generate a code, a one time code that he can use to bypass that. But, you know, it's
Crystal Privett:You were his backup.
Eric Beels:Right.
Gus Cervantes:So I was backup. Right. And and there's a bunch of us that are his backup. Right? It's happened to be the 1 person on call, so I was able to answer that immediately.
Gus Cervantes:So I sent them a code. But, yeah, I mean, there's times when, you know, business owners get frustrated because but it's for their own good. And, and they understand it. And that's why I said when I'm vetting clients, I'm looking for that attitude. You know, do you see it as a strategic initiative that's going to make you more competitive?
Gus Cervantes:Or do you see it as overhead? Because you see it as overhead, you know, saying I rather right? And that's the LaVista. Right? I don't I don't got no time to deal with you because you don't have the right mindset.
Gus Cervantes:Mhmm. You know, and you're just a failure looking for a place to happen from a cyber perspective. Mhmm. So
Eric Beels:And do you so I'm I'm assuming it sounds like you do audits of our companies as well too to kinda see where they're currently at.
Gus Cervantes:Oh, all the time. So that's what ITS team specializes in. We specialize in compliance as a service, specifically for the defense industrial base. And so there's, different compliance requirements they have to meet. And so we have software that's constantly checking them real time and alerting us when someone comes out of compliance.
Gus Cervantes:Mhmm. And it's constantly scanning for, user accounts that haven't been logged into in 30 days. So why would that be important? So if an account hasn't been logged to in 3 days, either the person is no longer with the company or they're on extended leave and the account needs to be disabled because no one's monitoring that account. And that's a hacker's dream.
Gus Cervantes:Right? So we'll disable those accounts. Right? And we have onboarding and offboarding policies. You know?
Gus Cervantes:What happens to somebody's email that gets forwarded to so and so, blah blah blah. You know, shut down all their access, their voice mail, and all that other thing. Mhmm. So, yeah, a lot of compliance, a lot of auditing that goes on with the compliance. So we do CMMI compliance, we do CMMC compliance, ISO, the 27001 ISO.
Eric Beels:Mhmm.
Gus Cervantes:Not too much HIPAA. Certainly, 853, the 171, any any of the big, cybersecurity frameworks, we we definitely deal with. So, yeah.
Crystal Privett:So people who should just send their referral slips in now.
Eric Beels:So, yeah. So like, if if, you know, I imagine, you know, a lot of our listeners are kind of, you know, this is a certain fear aspect on this, right, that's the natural of it. But I think it's a healthy fear though, if you're a little bit afraid after this. I think that's kind of a healthy fear because, you know, you you should have a little bit of fear on this. And so if someone wanted to, like, reach out to you, contact you maybe do an audit, have you do an audit or something like that, how would they contact you?
Gus Cervantes:They can email me, Gus@itssteamdot com or info at its team dot com. Or if they want to get everybody's attention, send it to support at its team. And we're more than happy that you bring in our Network Detective tool, put it on your network and and share with you, our discovery. And I think most of you will be shocked. And, it's also a good way to keep your current IT company honest.
Gus Cervantes:You know, we'll come in there and do an audit. We give you the executive summary, and we even give you the technical, what I call a punch list of everything that needs to be fixed, the actual computer needs to be fixed on. And you can share that with your IT company and say, hey. Go fix this for us. Yeah.
Crystal Privett:So good. So So important. Thank you, Gus. We appreciate you being here today and sharing your wisdom and scaring us
Eric Beels:straight. Yeah. Yeah. So, yeah, thanks so much, Gus. And so, yeah, if you guys if you got value from this episode, which I imagine pretty much everybody will to some extent, because most of us are not super tech savvy, especially on the security standpoint in this in this area.
Eric Beels:I think there's very few people like yourself. So we're very grateful to have someone like yourself, Gus, that, you know, is willing to kind of do all of this and kind of, you know, be this, this security knowledge database, I guess, and really kind of bringing to light all this. So if you know somebody who's who maybe has actually even been through a hack, I hope not. But, you know, if if somebody has and they just don't know what to do or Like
Crystal Privett:you said, if they haven't, then they probably will.
Eric Beels:So Yeah. Or that's the thing, you know, it's because we wanna kind of be preventative. Right? So if I would say if you know somebody that, maybe in particular deals with a lot of sensitive data in particular, but you can you just know they're like, I don't think they're really protecting them themselves that well.
Crystal Privett:Or someone that doesn't know where to start because a lot of people don't know where to start, and Gus has so much wisdom and knowledge that he can guide them.
Eric Beels:Yeah. If you know someone like that, share this episode with them because, I think it sounds like that the particularly though those people will get a lot of value from this just to kind of bring a lot of this, to light. And we wanna be preventative. We wanna be proactive. You know, cybersecurity stuff is only hacking is only really I only see it getting worse personally.
Eric Beels:I don't really see it slowing down.
Crystal Privett:Protecting our friends and family by sharing this episode is, kind of a beautiful gift to give someone.
Eric Beels:Yep. Yep. And that's also how how we grow this show is is sharing it with with other folks, particularly in BNI. And, yeah. So thanks so much.
Gus Cervantes:Yeah. And, you know, I'd like to just say, feel free to contact me and pick my brain. I have clients, that have one computer working out of their home, and I have clients that have multiple locations that have over 1100 employees. And I mean this when I say this, I live in a constant state of paranoia, so you don't have to.
Eric Beels:I love that. Oh, man.
Crystal Privett:Don't forget to track your CEU, and we will see you on the next episode.
Eric Beels:Thanks so much, guys. Thank you.
Crystal Privett:Thank you for joining us for the Business Boost Hour. My name is Crystal Privett, and this is Eric Beels. Thank you for joining us and don't forget to document your single CEU. See you next time.
Eric Beels:See you in the next episode.