Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
So it's not always
about your data, even if you
don't think you have something that's of value.
They see value in your box, they see value in your router.
They see value in your network.
Speaker 2 (00:11):
They see value in
your email accounts. Welcome back
(00:36):
to the Build With BBB podcast.
I'm your host Casey Farmer here with Craig Cummings of OK
Computer.
Craig is an IT professional, a long-time accredited business
and very active in our community.
We're so excited to talk about some cybersecurity information,
ransomware threats and some information about collecting
payments, which is entirely new information to me, and so I
(00:58):
think I'm going to learn right along with our audience today.
Craig, welcome to the podcast.
Speaker 1 (01:02):
Yeah, thank you for
having me.
Speaker 2 (01:03):
Learn a little bit
about your business, what you do,
how you started it.
Speaker 1 (01:06):
Yeah, so I'm a
managed IT service provider, so
I provide managed IT services to small businesses and of course,
that includes a lot of cybersecurity services as well.
I think you would be negligent if you're an IT professional
that didn't focus on cybersecurity these days.
So I've been in business for about 10 years now and I've been
in IT for about 10 years now, and I've been in IT for
20-something years now.
Speaker 2 (01:27):
So, for a small
business owner, what are some of
the most common threats that they might face today?
Speaker 1 (01:39):
So, according to the
FBI, phishing is still the
number one attack vector, so they're basically being tricked
into divulging their credentials.
They're tricked into clicking on a link or tricked into
opening some kind of malicious attachment, but it is by far the
most common attack vector is still email.
Some of them are really easy to spot because they have poor
English or poor grammar, and we've all seen these emails from
the Nigerian prince needing help transferring money.
(02:02):
So those are pretty easy to spot.
But a lot of them will come in and they look like they're from
Microsoft and they're telling you that you need to click here
to reset your password before you get locked out, and some of
them can actually be pretty convincing.
I've almost fallen for a couple of them and I'm constantly
reading about this stuff, so some of them can be very
convincing.
(02:22):
I think you can teach your team to look for the telltale signs.
Again, there's poor grammar, misspellings.
Sometimes the logo will look weird because they've just
literally copied and pasted a logo off a legitimate website
and so it looks kind of blurry.
It doesn't look like a high resolution.
You can look in the headers of the email to see.
(02:43):
You know it might say it's from Microsoft support, but then if
you look at the from email address, it'll be some random
name at Gmail.
Well, Microsoft doesn't use Gmail accounts, you know.
So there's a lot of things that are real obvious.
And then you know, if they're not sure, go ask somebody you
know.
Or you know you can go look up the number for that company and
(03:04):
call them directly, instead of calling the number that's in the
email that you're suspicious of.
So a lot of it just comes down to awareness.
Speaker 2 (03:13):
And sharing that with
your team and being transparent
about, hey, it's going to happen, whether we want it to or not.
Speaker 1 (03:19):
Yeah, yeah.
Unfortunately we can't stop it
yet.
I mean, we can mitigate some of it.
But even with really advanced email filters in place, phishing
emails still get through because they're constantly
evolving their techniques as well.
So there's a lot of third-party products out there.
Proofpoint is one. Microsoft 365 has a Defender for
(03:41):
Office add-on product that incorporates what they call safe
links and safe attachments into your email.
So all the links are rewritten to go through Microsoft sandbox
servers where they analyze everything before it actually
loads on your web page, and a similar kind of thing that they
(04:01):
do with attachments.
They essentially will open your attachment in a sandbox on the
server before it's actually delivered to you to see if it's
going to do anything malicious.
If it's safe, then they forward it on to you.
So that's a $2 a month per user add-on for Microsoft.
So if you've already got Microsoft 365, I think that's a
no-brainer.
(04:21):
So a breach is typically when somebody has gained unauthorized
access to some kind of sensitive information.
So they've gained access to credit card information or
personally identifiable information of some sort, and
now they have that information they can do whatever they want
with it, whereas ransomware they are going to encrypt your files
in place.
So you'll come in and try to access a file in your documents
(04:45):
folder and you'll find everything is encrypted.
And typically, after they encrypt your files, they'll pop
up a message saying we've encrypted your files.
If you want them back, you have to pay this ransom.
A breach is not necessarily going to lead to a ransomware
attack and vice versa.
Speaker 2 (04:59):
What can a small
business owner do to recover
that information once you've had a data breach?
Speaker 1 (05:06):
Yeah.
So if you've had a data breach, unfortunately there may be
nothing you can do to recover that information, because the
criminals already have this information in their hand and
even if they might say, well, we'll give it back if you pay us.
But can you trust them?
They're criminals.
They can always retain a copy.
It's digital data, right?
Unfortunately, in the event of a breach, there is really nothing
(05:28):
you can do to get that information back.
A lot of industries will have notification requirements.
Oklahoma actually has a Security Breach Notification Act.
If you suspect a breach, you are required by law to notify
those people that there has been a breach of their information.
I'm not a lawyer, I don't know how often that is enforced, but
(05:50):
that law exists.
And if you process credit cards, then you are subject to the
PCI data security standard and that stipulates that you should
be notifying your payment processor at the very least, and
if you suspect that credit card information has been leaked,
you should be notifying those customers as well.
And then if you're in like financial industry or government,
(06:12):
obviously they're going to have different reporting
requirements as well.
So unfortunately, when it comes to a breach, about all you can
do is notify people and then, of course, try to contain it as
well, if you can figure out.
I mean you want to make sure you get them off your network or
off your system as well, but unfortunately there's just
nothing you can do to get that data back once they have it.
You can't put that genie back in the bottle, unfortunately.
(06:34):
So the best thing you can do when it comes to ransomware is
have good offline backups, backups that are not accessible
from your main system under normal circumstances, because
they have caught on.
They know that backups are a way to recover from ransomware
attack without paying the ransom, and so a lot of times now they
(06:55):
will sit on your system until they can figure out how to gain
access to your backups as well, so they can encrypt your backup.
So you really need to have a good offline backup to recover
from ransomware.
And there's a new thing and I'm glad you brought this up,
because ransomware has been around for at least 13 years now,
(07:15):
I believe.
So I hope everybody's heard of it.
But there's a new little twist on ransomware, now called
extortionware, because the criminals have caught on to the
fact that everybody is backing up so they can recover from
ransomware, and so what they'll do now is, if you refuse to pay
the ransom, you're like I'm just going to restore from backup, I
don't need your help, and they'll say, okay, well, we're
(07:37):
just going to go ahead and publish this information on the
internet.
And so, depending on you know your customer base and the type
of information they have, that can be devastating, obviously.
You can imagine if you're like a divorce attorney or something
like that, and they decided to publish all this information on
the internet.
Or if you're a CPA and you wake up one morning and all your
(07:59):
customers' tax returns have been published on the internet and
maybe they've all received an email to notify them about it,
you know.
So that's a new little twist on ransomware that is in response
to people getting better about backing up.
So they have changed their tactic.
Speaker 2 (08:19):
Terrifying.
Speaker 1 (08:20):
Yeah.
Speaker 2 (08:20):
So, if you're
listening today, make sure to
back that up.
Speaker 1 (08:24):
Yeah, you definitely
want to have backups, but then
when it comes to extortion, where you know the backup is not
going to help you in that situation, they've got that data.
That is a breach really.
I mean, they've got that information and there's nothing
you can do about it.
Speaker 2 (08:37):
Unfortunately. So if
a client comes to you, what do
you do in that situation?
Truly just curious, yeah.
Speaker 1 (08:45):
So I mean, if they
come to me with a breach, I'm
going to say you know, I'm really sorry that happened to
you.
You know we can.
You know, obviously we can take a look at their systems and try
to, you know, remove any infections that we find, but
there is nothing we can do about that data that's already been
stolen, unfortunately.
Speaker 2 (09:05):
Gotcha.
So we talked earlier, you teased it a little bit about PCI,
which, for our listeners today, I had absolutely no idea. In our
initial phone call when we were talking about what we wanted to
chat about today.
You're like let's talk about PCI.
Do you know what that is?
I'm like no, tell me more.
Speaker 1 (09:22):
Yeah, so if you
process credit card transactions,
then you are contractually obligated to be compliant with
the PCI data security standard.
It is not a law, unfortunately. I think it should be a law, but
it is a.
It's a contractual agreement that you enter into with your
payment processor, and so essentially, there is a data
(09:50):
security standard that you are expected to be compliant with,
and this helps them prevent credit card theft and, because
so much of it comes down, so they can design a secure
application.
But then if you go install it in your environment in an
insecure way and just leave default passwords in place, for
instance, it doesn't matter how well they built that application,
(10:13):
because you've implemented it poorly and now you've opened up
vulnerabilities that will allow attackers to get that
information, and so that's why they have this data security
standard in place to give guidance to small businesses, so
they know how to properly implement their payment solution,
so that they don't get hacked and so that information doesn't
(10:35):
get stolen.
And you did say, if you're collecting any kind of payment,
whether it's online or in person, you need to. If you're
processing even one credit card a year, you need to be compliant
with the PCI Data Security Standard and they go to great
lengths to spell that out and reiterate that on their website.
So there is a PCI Security Standards Council that develops
(10:58):
this standard in conjunction with the payment card brands and,
yes, they go to great lengths to stress that all merchants, no
matter how many credit cards you process, are expected to be
compliant with the PCI data security standards.
Speaker 2 (11:15):
Okay, so down below
in the description we'll have
a link to that website so that our listeners can learn more.
Now, if somebody listening today wants to learn more from
you, what does that look like?
How do you help in that situation?
Speaker 1 (11:28):
With the PCI
compliance.
Yeah, so I mean they would just reach out to me and we'll sit
down and have a conversation.
We'll take a look at their environment and see what kind of
solution they have.
Depending on the payment solution, there are a different
set of standards.
So if you're using something like a Square device that is
(11:48):
what they call a point-to-point hardware encrypted solution, and
that is because it is one of the, it is low risk compared to
other types of solutions.
You have a much shorter set of questions and standards that you
have to be compliant with, whereas if you have some kind of
payment solution that's sitting on a Windows machine that's
(12:09):
connected to the internet, you are at a much greater risk and
therefore you have a much longer assessment that you have to go
through to be compliant.
So there's a lot of what they call scoping.
That happens in the beginning, where you are figuring out where
the boundaries of the cardholder data environment are
and figuring out exactly how they're processing credit cards,
(12:32):
so you can figure out which self-assessment questionnaire
they need to be compliant with.
It's all.
It gets pretty involved.
Speaker 2 (12:40):
Changing gears a
little bit to talk more about
the cybersecurity realm, which is vast, and there's lots and
lots of information that small businesses need to know about
how to be cyber aware and cyber safe.
When a client reaches out to you to say, hey, I need you to
handle my cybersecurity, what does that look like?
Speaker 1 (12:57):
So I have several
different services that I can
offer that help with cybersecurity.
So one of the services I have is called what we call endpoint
detection and response, and this is kind of like an antivirus
that's all grown up now and has a lot more capabilities than
your traditional antivirus.
But the other thing is that it is monitored 24-7 by a security
(13:21):
operation center.
So even if I'm asleep at three o'clock in the morning and there
is some kind of hacking attempt or a virus that lands on one of
your computers, these guys can be notified of that and isolate
that machine on the network so that it doesn't spread laterally
throughout your network.
So that's one of the services I can offer when it comes to
(13:45):
endpoint security.
And then when it comes to network security, I will install
a security appliance from Cisco Meraki that has a lot of
advanced network security features.
For instance, there is an antivirus engine built into the
(14:06):
network appliance that will analyze packets of data as
they're coming across the network, so they can detect a
virus at the network before it ever lands on your desktop and
stop it there.
Another cool thing they can do is they have something called
retrospective malware analysis, so if they see something today
that they're not sure about.
(14:27):
But then, two or three days later, they get some new intel
that lets them know that, oh yeah, that was malicious.
They will let you know.
Hey, two days ago this file was downloaded on this machine and
we now believe that it may be malicious, which is really cool
that they can do that retrospectively.
So there's a lot of different solutions we can put in place
(14:48):
that help with cybersecurity and, honestly, a lot of small
businesses.
It might be something as simple as a password manager too.
I still see a lot of small businesses storing passwords in
spreadsheets or storing their passwords in their browser, and
if they click on one wrong link, all those passwords are going
to be captured.
You know, that's why we have password managers now, and
(15:09):
password managers are really cheap.
You know.
You can get a decent password manager for like $3 a month, you
know.
Speaker 2 (15:16):
Yeah.
So with all of these solutions, a small business might be
wondering.
You know I have a lot of budget constraints when it comes to my
cybersecurity needs.
How does that come into play?
Speaker 1 (15:27):
And I certainly
get that.
You know I'm a small business owner myself and so I realize
that there's only so much money to go around.
But we know, when it comes to cybersecurity there's really a
lot of things that people can do for free.
You know password managers are free or very cheap.
You know, like I said, password managers a lot of times do have
(15:47):
a free tier, but even the paid tier may only be $3 or $4 a
month per user.
That's really cheap.
You know the email protection that I mentioned that you get
with Microsoft Defender for Office, the safe links and safe
attachments, that's $2 per user per month.
That's really cheap.
You know there's a lot of things you can do for free.
So, like a lot of people, when they go buy a computer, they go
(16:11):
to the Best Buy and they buy a computer and they take it home
and they sit down and they log in and they're logging in with a
full administrative account and they don't even realize that
there is such a thing as a standard user account.
It doesn't have admin rights and Microsoft has been telling
people for over a decade now don't use an administrative
account for your daily use account.
But most small business owners are still doing that because
(16:34):
they don't know any better, and Microsoft has previously stated
that just using a standard user account instead of an admin
account would stop something like 80% of targeted malware
attacks.
And that is free.
All you got to do is implement it.
There's a lot of other free things that you can do.
(16:56):
Obviously, there's a lot of awareness training out there.
That's free.
The FTC makes a lot of information available.
The SBA has a lot of information, good information,
that's free.
So, yeah, there's a lot of things that can be done that are
really effective that don't really cost that much.
(17:18):
Oh, patching as well.
You know Microsoft.
I read yesterday Microsoft once a month.
Microsoft has Patch Tuesday where they release most of their
patches.
They will release patches out of band as well, but yesterday
it was Patch Tuesday and they had a record.
They had 147 patches released yesterday.
And a patch is what? A patch is
(17:39):
an update for software of some sort.
So Windows has patches, Office has patches, and a lot of these
patches are security patches, so they are fixing a known
security vulnerability.
Oftentimes it's something that they've seen being exploited in
the wild.
So it's really important to install these updates as soon as
they become available, and I still see a lot of small
(18:02):
business owners that are not patching.
Again, that's one of the most effective things you can do,
because it is literally shoring up that vulnerability.
It's eliminating a vulnerability when you apply
that patch.
And it's free, yeah, all you got to do is install them.
Speaker 2 (18:17):
So check for those
updates.
Speaker 1 (18:18):
Yeah, yeah.
Speaker 2 (18:20):
What are the
consequences for a small
business if they neglect to implement some of these things?
Speaker 1 (18:27):
Yeah, you know.
So the consequences can range from just a nuisance to going
out of business.
You know, I was listening to a story on the radio the other day.
They were interviewing this lady, I think.
She was in Nevada, she had started some kind of business
where she was selling stuff online and she kind of set it
all up herself in the beginning, the way most of us do.
(18:48):
She didn't get a lot of input from any kind of cybersecurity
professionals and at some point she was doing very well and
somebody started DoSing her website.
So DoS stands for denial of service.
So basically they're just sending an enormous amount of
traffic at her website and it takes it down, it takes it
offline and while it's offline, of course she can't process any
(19:10):
sales.
Nobody can buy anything from her because her website's
offline.
So she calls her web host and they're like well, there's
really not much we can do about it, you just got to wait it out.
Well, this went on for months and she eventually went out of
business.
Speaker 2 (19:21):
She had to close,
close shop, and when we're
talking about those hits, we're not talking about just like 10
or 20.
It's like thousands of hits on your website.
It's like overloading it exactly. Yeah, yeah. So, in your
experience, what are the biggest misconceptions that small
business owners have about cybersecurity?
Speaker 1 (19:40):
I think the biggest
misconception I hear is that you
know that doesn't apply to us and they might convince them.
They might tell themselves we're too small or we don't have
anything that's that valuable, and so that just doesn't apply
to us.
I think that is the number one misconception.
Speaker 2 (19:55):
Yeah, I would say.
If you're online, it applies to you.
Speaker 1 (19:57):
Yeah, if you got a
computer that's connected to the
Internet, it all applies to you.
Speaker 2 (20:01):
Sure, and that goes
for your.
I mean, we're talking about small business, but that goes
for your personal information.
Speaker 1 (20:07):
Exactly so.
You want to be very careful about who you share your
personal information with, because we're kind of veering
off into privacy, which is related to security, but not
quite the same thing.
I tell people.
You know, security is all about protecting the information that
you have that's in your possession, where privacy is
(20:27):
really about trying to protect information that you've already
given somebody else.
It's really, once you give it away, it's out of your hands,
right?
Really, when it comes to privacy, the best thing you can
do is just be very careful about who you give that information
to.
And unfortunately, there's a really famous security
(20:48):
researcher, a journalist, named Brian Krebs.
He's previously stated that if you're an American citizen, your
social security number is on the dark web, period, because
there have been so many third-party data breaches over
the years.
We hear about them all the time.
You may get a letter occasionally saying that you've
been in a data breach.
It'll be some company you've never even heard of, no kidding,
because it's some B2B data broker, you know, and so this
(21:11):
stuff is happening all the time.
So there's a good chance that your information is already out
there on the dark web.
And which brings me back around to something else that small
business owners and anybody really can do for free is
freezing your credit.
It's something people don't always think about when it comes
to cybersecurity, but identity theft is one of their goals of
(21:34):
these criminals and obviously if you're a small business owner
and somebody wrecks your credit, that can be problematic.
Speaker 2 (21:41):
No kidding, there
goes your buying power, exactly.
Business life and credit are affected.
Speaker 1 (21:45):
So you can actually
freeze your credit, such that
if some identity thief goes and tries to buy a car or something
like that in your name using your stolen identity, they will
not be able to check your credit score.
Therefore, they're not going to issue credit.
So the credit freeze is really, um, it's a really effective tool
(22:08):
and it is free.
It takes, it takes about 20 minutes to set it up, sure, and
it works very well. Yeah, so going back to, because I think I
pulled you off in that, on down that, yeah, but um, employees
have a big role to play when maintaining cybersecurity.
Speaker 2 (22:24):
So how do you train
your team?
How do you share information with them?
You just mentioned sharing information.
You need to be selective about who you do that with, but you
have to share that kind of information with your team.
Speaker 1 (22:35):
Yeah, I think there's
cybersecurity awareness
training.
Obviously there's a lot of companies out there that can
help with that.
I can help with that, obviously, if you're a customer of mine,
but there's a lot of free stuff available out there from, like I
said, the FTC, the FCC, the SBA, NIST.
(22:56):
There's a long list of organizations that provide free
cybersecurity awareness training.
You know, another thing you can do is what we call simulated
phishing attacks.
So we basically simulate a phishing email and see who
clicks on it and then you go and counsel that person so that
you're not just beating everybody to death.
(23:17):
Some people get it a little faster than other employees are
going to get it right, and so the simulated phishing can help
you target those people that really need more education.
You know, there's probably a long list of tips I could
provide, but you know I would just say take cybersecurity
seriously.
I don't care how small you are or how insignificant you think
(23:37):
your data is.
You will be targeted eventually.
And I should back up. A lot of these are not really targeted
attacks per se.
They are.
You know, I like to use the analogy of a car thief just
walking through a parking lot and checking for doors that are
unlocked.
You know they're not necessarily targeting your car.
They just picked your car because it was vulnerable, and
(23:59):
that's how these hackers work too.
They're not necessarily going out and targeting Joe's Plumbing
or whatever your business is.
They have tools that automatically scan the internet,
looking for vulnerable systems and users and networks, and when
they find one, they're just going to exploit it.
And it's not always about your data.
(24:20):
Even just your box, your computer, is valuable to them.
You know the FBI was on TV a while back talking about a
massive botnet attack where these hackers have taken over
home routers and small office routers and turned them into a
giant botnet that they're using to attack US infrastructure and
they find a way to use it.
(24:41):
And they will find a way to leverage it and monetize it.
Sure.
Speaker 2 (24:44):
Exactly. Well.
Thank you so much for being here today.
Speaker 1 (24:46):
Yeah.
Speaker 2 (24:47):
Linked down below.
We will have a plethora of resources for anybody listening
today, all of the ones that you mentioned.
Anything we can. Also linked below.
We will have Craig's contact information if you want to
connect with Craig and learn more about him.
You might also see him at a future BBB event.
Speaker 1 (25:04):
He attends those from
time to time.
Yeah, maybe this evening.
Speaker 2 (25:06):
Yeah, oh yeah, maybe
this evening.
Speaker 1 (25:07):
Well, it'll be too
late before our listeners are
able to hear. Yeah, that's true, that's true.
Speaker 2 (25:11):
Anyway, Craig, thank
you so much for being here.
Speaker 1 (25:13):
Yeah, thank you for
having me and for all of your
tips.
Speaker 2 (25:16):
They really are so,
so helpful and, I think, so
needed in the very cyber world that we live in today.
Thank you so much for listening to the Build With BBB podcast.
Make sure to share this episode with your fellow business
owners and friends, and we will see you in the next one.
Bye, friends, bye.