
October 31, 2023 34 mins


Hold onto your security blankets folks! Are we ever secure enough in this digital age? Get a grip on the pulse-raising lawsuit from the SEC against SolarWinds and the unexpected ban from the Canadian government on WeChat and Kaspersky. We harness the power of hindsight, looking back at how this enormous breach happened and what could have been done to prevent it. We delve into the harrowing reality of the threat lurking in every unvetted third-party vendor and the possibility of any app from adversarial countries spying on us. 

Brace yourselves as we discuss the dark underbelly of cybersecurity, shedding light on social engineering, smishing, and phishing. The safety net of multiple layers of security measures and the crucial role of backups are the shields you didn't know you needed. We bring you the wake-up call to constant self-questioning and understanding the vital steps to secure your business. We take you through the process of identifying business vulnerabilities, discussing proactive security measures, and preparing for disasters. You can't afford to miss this candid conversation about the essence of a data-driven business model and the absolute necessity of being prepared for the worst.

This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs. 

That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.

To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com.

Thanks for listening—and remember, the future favors the bold.


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Craig (00:03):
Hey guys, welcome to another podcast.
You got Blake Rea.
Hello everybody, we're back, we're going to do a news
highlight.
Blake, you had a couple that caught your interest.

Blake (00:16):
Yeah, I think the SolarWinds.
If you thought we were done talking about SolarWinds, more
updates.
So I found it pretty, pretty funny.
Well, I wouldn't say funny, but ironic.
So the SEC is suing SolarWinds, alleging fraud and weak

(00:40):
cybersecurity.

Craig (00:43):
So for the people listening, what is SolarWinds?
Just quick run down.

Blake (00:50):
So SolarWinds essentially is an information
technology firm.
Back in 2019, they were attacked by a Russian backed
cybersecurity group.
So yeah, essentially a huge IT provider and the chief
information security officer.

(01:11):
Essentially the SEC was kind of targeting him, but yeah, it's a
huge IT company.

Craig (01:20):
Yeah, so just kind of give a little more depth to our
listeners.
So it's a piece of software that a lot of government defense
as well as commercial, will use to manage updates, patches on
their endpoints and things like that.
Has other capabilities, but in a nutshell, it's an agent.
Right, it's a software agent, so back.

(01:42):
So basically the hackers were like, hey, if we attack this
company, this particular vendor, they've got thousands of people
that use this SolarWinds software agent, so it'll infect
all those people in one shot.
So that's really what happened in the breach.
And then what happened recently with the SEC charges is that,

(02:06):
even though they lost a lot of their credibility and their
trust because they're an IT company and they were breached,
it just goes to show that what was that?
2019, I think you said they had what is that?
Four years ago now, they still have not improved their
cybersecurity to bolster themselves and take it seriously.

(02:28):
And then the CISO apparently got charged from the SEC after
there was an investigation or maybe the investigation is
ongoing around how there is possible misleading of investors
around cybersecurity.
I think that's the.

Blake (02:44):
Yeah, they overstated their cybersecurity practices
and they understated their known vulnerabilities.

Craig (02:53):
Yeah.
So this goes back to what we've been preaching for a really
long time now you can't trust, sadly, anyone trustless.
Right, we keep hammering that home.
Had there been some type of third party that has to check
them and make sure and then put a report out, I mean, I don't

(03:14):
think that's such a bad idea for especially for publicly traded
companies to be audited like that by a third party.
You know, kind of brings us fast forward to CMMC and why
everything's evidence based and everything has to get audited
and all those controls have to get checked by a third party and
make sure that everything's being done properly and there's

(03:36):
no fudging anymore.
And that's kind of the point.
But the stark reality or the learning lesson I guess in this
is just because you have a vendor that might look good on
the surface and so you know you have to do your own due
diligence and risk on them.
They may be an open window or a gap in your system to

(03:58):
potentially have a breach, for, you know, to rope you into
things.

Blake (04:04):
Yeah, I mean this is making headlines pretty much
everywhere and so when we were looking through the news to talk
about on today, I mean people just repeatedly different huge
outlets are loving to talk about this one.

Craig (04:21):
Yeah, I feel like you know.
I feel like the story is just kind of almost like mind numbing.
It's like I don't know just my perspective.
I feel like the headlines and the it's almost like noisy right,
like it's just happening so much.
I think people are just almost overstimulated with all this
stuff and it's just like, well, okay, here's another headline.

(04:41):
What do we do now?
And I think the takeaway is audit your, your vendors, audit
your third parties that you're doing business with and push
back on them.
Push back on the vendors for their security.
Ask them for proof and evidence of, you know, various standards.
You can go as high as SOC2, type two or ISO 270001 and some
of the derivatives.

(05:02):
Those are kind of like the gold standards.
But small businesses, you know they're not going to be able to
afford that.
But there's still some questions that you as customers
of these companies can put pressure on these vendors.
You know, I feel like if the public puts more and more
pressure, you know, into more of a trustless model that don't
trust would verify, I think that's going to be, you know,

(05:25):
good for all of us.

Blake (05:27):
Yeah, another one that stuck out for me is the Canadian
government apparently banned WeChat and Kaspersky on any
government focused apps.
I mean I think I'm surprised they're just getting around to
it now in all honesty.
I mean I think the US government had banned WeChat

(05:50):
years ago.
Obviously, Kaspersky is Russian antivirus software, which is
probably I mean, they were a lot more popular back in the day
than they are now.
But yeah, I'm surprised it took so long for that to happen.

Craig (06:08):
Well, it's kind of like what we talked about in our last
podcast.
Around DJI was under the microscope and still is, and we
talked to our listeners and we were like, look, you don't kind
of go through all your apps and your software on your phones and
your endpoints.
You'd be really surprised if you actually did that and went
through all the stuff on your devices to see where it is.

(06:31):
And, quite frankly, I would not be surprised if there were one
or more apps that were kind of gray or shady, in my opinion,
around where they developed.
What country are they coming from?
And I think that's the big takeaway with this.
I think it's if you've got apps that are in a country that the

(06:53):
current landscape and climate is either hostile or considered an
adversary.
I mean, it's a big risk for you having that on your phone
because you have to assume the worst.
You have to assume that, oh, this app's spying on me.
It's kind of like you have to put the layers in place and

(07:13):
assume that everything is your camera, your microphone's being
turned on without your knowledge or consent.
So what are you doing to prevent that stuff?
So you either make the choice to uninstall the app. If you're
on an iPhone or another device that has controls where you can
limit, that's obviously limit location services, limit the

(07:34):
usage or only ask for, allow the app to ask permission on.
When can we use the microphone, when can we use the camera,
physical safeguards, the tape over the cameras or cover them
up.
It's just crazy all the stuff that we, as consumers, have to

(07:55):
look out for.
But I think it's awareness.
You're making your job a lot harder if you have hundreds of
apps on your devices.
This is really the bottom line here.
So try to simmer it down, try to go through an exercise and
regularly check these things, especially if you're in a
regulated industry or you're a defense industrial-based
contractor.
But even at the consumer level, like with the WeChat, we talked

(08:18):
about TikTok.
We talked about what was the other one?
It was TikTok.
Oh, we talked about Meta and the lawsuit 41 states banding
together and suing Meta about unfair practices towards minors
and children, purposely creating addictive products.
I mean, it's just crazy, I don't know, it's just mind

(08:41):
blowing to me.

Blake (08:45):
Yeah, I mean obviously anything TikTok is huge.
It seems like the-.

Craig (08:56):
I don't know why.
It's huge, though YouTube has shorts which isn't short,
similar to TikTok.
I don't know what the difference is.
I guess I'm-.

Blake (09:04):
I've never used TikTok, I've never even had but isn't
the whole point of TikTok like short video clips.
Yeah, it's short format videos.

Craig (09:12):
Right, so I think YouTube's answer was shorts.
They call it shorts.

Blake (09:17):
Instagram has shorts.

Craig (09:19):
Right, but I don't understand why.
Why so much gravitation towards-.
It's kind of like the Twitter thing.
There was the character limit with Twitter and then there was
just explosive growth at that time.
It was just kind of weird how some of these platforms just
explode like that, in my opinion, I mean-.

Blake (09:43):
Yeah, I mean you would think like I think TikTok did it
first, right, like, with the short format video, and then
Instagram rolled out their shorts, and then YouTube rolled
out their shorts, or whatever the reels, whatever they call
them.
So I think the fact that TikTok did it first and then these
other but you would think, like people would want to consolidate

(10:06):
their app, you should like to see the same shorts from
Instagram, for example, the reels, like you're going to
TikTok to see the same content.
I just don't understand.

Craig (10:18):
Yeah, I don't know, does TikTok do like pay-per-click ad
revenue models as well?
Yeah, yeah, I mean they're all pretty much trying to fight for
the same Because I know that Google posted that their stuff
was down big time as far as ad revenue and people using online
advertising through pay-per-click and stuff like

(10:39):
that.

Blake (10:40):
I find that hard to believe because so through the
Google Ads Manager, I mean you're running ads on YouTube, I
mean you're running ads on their Google Ads network, which
essentially Google allows users like web admins to put little
generic banners.
So essentially then Google will feed a banner to it, or an ad,

(11:01):
depending on the dynamic network that the user or the audience
finds interesting, and then they pay those web admins for that
space.
So I find it kind of interesting that they would say
ad revenues down.

Craig (11:19):
Yeah, I think that that was the last that I saw, anyway,
just trying to see if there's any other.
I know that there is this huge MOVEit ransomware.
We talked about that a little bit.
Do you remember that?

Blake (11:36):
Yeah, I do.

Craig (11:38):
Then there's also the Android spyware that's tracking
almost like the Pegasus.

Blake (11:49):
Speaking of ads, I saw the malvertising.
Did you see that one?
People that are downloading malware through ads now, so like
ads are delivering.

Craig (12:01):
I've talked about that many years ago, but I haven't
seen recent press around it.

Blake (12:05):
Yeah, I just saw the headline but I didn't read too
much about it.
But essentially, you know, malware distributors and
architects are essentially serving up ads to their own.

Craig (12:22):
I know what would happen in the past was these malicious
actors would buy legitimate ads, get them approved and then swap
the content on the web server to have an infection.

Blake (12:37):
One of them has been targeting like a payment
platform, like a Brazilian payment platform that I was
reading.
But yeah, essentially the malware ads are being placed in
advertising sections of search results and then, whenever they

(12:57):
click on it, they'll be redirected to like a cloaking
service, so it'll filter, you know, obviously, any type of.
They'll have some type of like click cease or some type of
technology like that that filters out any type of bot
traffic and then, and then, yeah, I mean essentially it'll look
like they're banking, they're banking software, or I don't

(13:20):
know how it's crazy.

Craig (13:24):
The other one I saw was the FTC put out some new
guidelines for car dealerships, automotive dealerships.

Blake (13:34):
You see that I saw you sent the link, but I didn't get
a chance to read it.

Craig (13:40):
Yeah.
So basically in a nutshell, there's a new extension to the
FTC where they're requiring the car dealerships to use
encryption more heavily, specifically adopting encrypted
messaging tools and hard drives.
So I know we've got some clients have fallen to that

(14:04):
bucket and I've sent out some emails to talk about that.
But you know we talked months, if not years now, about how it's.
Just every day is going to be some new regulation and my hope
is that you know we just simmer it down to CMMC.
So it's just kind of the gold standard for everyone to follow,

(14:27):
right to make everybody's lives easier.
But if you're in a business and you're not regulated now I
actually find it hard to believe because there are so many state
and federal breach notifications and privacy laws.
You may just not know that those laws exist.
And then if you're handling certain types of data, like the

(14:48):
whole reason why the FTC cracked down on car dealerships is
because they were like oh, all of our customers are giving,
they want credit to buy a car, you know.
So there's so much personal information being given and then
there's handling of that sensitive information to protect
the public.
So that's where the whole FTC crackdown happened and I think,

(15:09):
again, it's for good, you know.
I mean we're obviously in cyber and compliance, so we want to
make it harder for cyber criminals to, you know, steal
people's identities and cause a breach.
But yeah, I think that the takeaway here is, even when, if
you were to go to a financial either a car dealership or a

(15:32):
bank or wherever you're going I'd still be pretty stingy on
how you give your information and require evidence of
protection of that information to protect yourself, because you
know if they're handling it sloppily and what happens,
you're the result of the breach and then now you have your own
cleanup to do to protect your own identity.
So it's you know.

(15:52):
The takeaways here are, you know, we share this news and
information not just to kind of scare everybody, but just to
this is the world we live in.
I mean you just got to take matters into your own hands
sometimes and embrace everything that you can that's trustless
and assume the worst.
Assume that you know people are spying on you and data mining

(16:16):
points around you to maliciously, you know, put harm on you,
either by social engineering and phishing and targeted attacks,
or you know there was a another headline I saw around the data
breach with LastPass.
I mean that was December of 22.
And then just recently I think it was just a few days ago, it

(16:39):
was on October 25th, 25 different LastPass users lost more than
$4 million worth of cryptocurrency.
Now, my argument with that would be, yeah, they had a breach,
but once the consumers in the public were notified of the
breach, any people that were holding crypto, especially, or

(17:01):
any people that were affected, for that matter, again should
have taken matters into their own hands, chose a different
password manager and changed their passwords.
But these 25 people and again, I'm not, you know, pushing blame
on people, but I'm just saying that it gets to a point where we
have to take certain things into our own hands and do our

(17:21):
own thing.
You know these companies that get breached left and right.
Again, we're the victims, right?
So assume the worst, assume all of our stuff is out there.
What are we doing to monitor it and what are we doing to
protect it and how do we make it?
What actions can we do as a human and a consumer to make it
more difficult for hackers to breach our identity or our

(17:44):
systems?

Blake (17:46):
Yeah, I mean it's all about embracing the zero trust
framework.
You know, like another, another instance, I mean I don't think
I ever told you this, but I was importing something from abroad
and then I get a phone call and it was FedEx or UPS or one of
the I can't remember which one.
But they called me and they said hey, are you Blake?
They're like hey, yeah, we, we got your package here.

(18:09):
What's your social security number?
Like they're like oh, our tax ID number.
Like they didn't put that on there, you know.
I'm like Okay, how do I know that you're from FedEx, you know.
And then, of course, they verified a bunch of stuff.

(18:29):
You know, like that it was a legitimate call, but immediately,
I'm just quite surprised that you actually answered the phone.

Craig (18:38):
I mean, it's gotten so bad where I don't actually
answer my phone live anymore, unless I'm expecting the call
for a meeting or something, or it's somebody that I know and
trust.
But if it's just a random caller, there's no way, because
there's so many social engineering, smishing, phishing,
all sorts of stuff.

Blake (18:59):
I normally wouldn't answer the call because, you
know, I typically will only answer phone numbers if they're
from, like, my network or extended network.
So in this case it was, ironically, a call from South
Carolina.
So I'm like All right, like I, you know, have a California
phone number, like if somebody's calling from North Carolina or
South Carolina, like they know who, I am like right, because I

(19:23):
lived in North Carolina, South Carolina, so so yeah, that was
like the one reason why I answered it, so yeah, Well,
that's crazy.

Craig (19:37):
I mean, that happens all the time.
I get weird text messages.
My wife showed me a text message, you know it was kind of
similar to what you were just talking about, about a shipping
or something.
And she's like, is this legit?
And I looked at it up and I'm like no.
I'm like look at the phone number, it was like plus 60
something, different country.
I'm like absolutely not.

(19:58):
You know, but it, you know, just put so much pressure on us as
everyday people and we live and breathe this stuff.
Right, Blake, I mean.
But imagine the people that do not right, how, how hammered
they are every day from every every direction, whether it's
phone calls, emails, text messages or any other messaging.

(20:18):
You know social apps, things like that.
Again, the more you involve yourself in the wider spread
your your attack surfaces for you to get scammed, right.
I think it's.
It's sad and unfortunate for these folks.
You know that lost all this money.
But you know, I don't say anyone layers to cure all, but

(20:39):
had they used Google Authenticator or Microsoft
Authenticator, the software apps for you know one time pins and
passwords in addition to the password?
I'm saying that's not an excuse.
You should have changed your password.
And you know again, adopting more layers, adopting more
trustless systems.
But you know it goes back to backups, right?
I mean, we can't even get people to listen and backup

(21:01):
their stuff and they won't.
They don't want to pay for it, and they don't.
They're like, oh, it's just cost too, it's too hard, or they
don't want to pay the money to do it.
But then they lose everything and they're like, oh crap, you
know what does it cost for data recovery or whatever you know.
So it's like we all need to do more in in in educating
ourselves and taking the security training that we talk

(21:22):
about and the testing, and just keep doing better and putting
more pressure on our vendors and and demanding more evidence and
pushing more back on these vendors to take security more
seriously.

Blake (21:36):
And it all starts with, like, questioning yourself,
right, like you know.
Ask yourself the simple question, like what is the worst
thing that could happen to my business?
Like what is the worst thing you know?

Craig (21:48):
like I would cease to operate if this happened, and
then but I don't think people want to see the reality of that,
though.
I think that they just don't think it's going to happen to
them until it does.
And then it's the old crap moment of how do I get out of
this?

Blake (22:03):
Yeah, I mean, it may not, it may not happen, but it
doesn't cost anything for you to ask yourself that question,
Like, hey, what would happen if this happened, you know.
And then you ask yourself, what am I doing to prevent this from
happening?
Like what you know?
And then you put your plan in place like, okay, well, if you

(22:25):
have one single point of failure for all of your intellectual
property, you know, and your backups are in this service or
that service, and if that you don't have anything backing up
that service and your whole company falls and uses that,
that one service provider, and there's no redundancy, you know,
how can you implement redundancy?

(22:46):
You know?
I mean, that's a simple question, it doesn't cost you
anything to ask that.
And then you start exploring the wrap.
Oh right, Okay, Well, if we're you know, here's how we
implement backups for said service.
Well, it even.

Craig (22:58):
it even goes back to your everyday life too.
So like who do you bank with?
What happens if this bank goes out of business?
You know, do you have money in another bank?
You know, like, FDIC insurance only protects you for a certain
amount.
You know, if you're a business owner and you have more than

(23:19):
that amount, how are you protecting yourself?
Do you have multiple?
But you know what I mean.
Like it's redundancies in every, every part of our lives.
I think and I think that's a great point that you bring up
it's asking these difficult questions and taking whatever
time it takes to just kind of chip away at it and it's it's,
it's a snowball effect and it's a lot of work, but but it's

(23:41):
planning and preparing for the worst and in a layered, you know,
methodology.

Blake (23:49):
Yeah, I mean, it's a simple question.
It costs nothing for you to think about it, right?
You know a lot of people that you.
You know you have resources here.
Obviously, we're making podcasts, we like to give out
free information, right?
So you know you're more than welcome to pick up the phone and

(24:09):
give us a ring, chat with me or Craig about.
You know disaster recovery options, or I mean who knows
even a disaster recovery plan?
Right, absolutely, if it happens, here's what we need to
do, right, and that all it takes is you just saying, hey, I'm
interested here's, here's what I, here's what I thought about.

(24:32):
Right, I thought here's where the weaknesses are in our
company, and it's really easy for you to spot it once you
start framing it right, it's all about the framing.
Okay, here's our weak points.
You know it doesn't take you paying somebody to tell you that
to figure it out, because you live and breathe that

(24:52):
organization every single day, those workflows, those practices.
It's really easy for you to look at it right from an
internal perspective and to because you're familiar with the
environment.
You know, you know to do a self assessment of your, your
business.

Craig (25:12):
It costs nothing you know, yeah, and then for the
businesses that are more mid market or more mature, then then
we can move into tabletop exercises with your team and
test the the plans that you have worked so hard to put in place
and see how, how effective they are, if there's any gaps that
need to be filled.
Or you know that constant drilling and testing is only

(25:36):
going to make you faster, better and stronger.

Blake (25:39):
I think one thing I've noticed with a lot of people
that I talked to it's almost like they get embarrassed for
having vulnerabilities or they're.
It's almost like I don't know, I don't know how to describe it.
It's almost they feel like embarrassed.

(26:00):
They're like oh, I am doing this, or anytime I've asked a
question to somebody I'm talking to, it's like automatically go
into defensive mode.
Right, you know, and that to me is almost like I wouldn't say
like makes me think about their weaknesses even more.

(26:20):
But but yeah, every time we've asked these questions to clients
that we work with, they automatically go to defense.
Well, I do this, I will, I do that.

Craig (26:29):
It's like yeah, and I agree with that.
I think that you know.
I think the takeaway is we're not here to make you feel bad or
shame you or put you down.
You know we're here to help, right, and that's why we're
doing these.
You know, that's why our phone number or website, and you know
you can reach out to us and get the help that you need.

(26:50):
We're not going to be like, oh, you should have done this or
what if there are gaps?
We're going to show you what the gaps are and and you know
you don't necessarily have to do all of them.
You can hire somebody to do some of it for you, but
somebody's got to do the jobs right.
And our job is to show your gaps and your, your
vulnerabilities, your weaknesses and how you know.
Look through the lens of a hacker is what I've said before

(27:12):
how are you going to be viewed, or how are you viewed right now
and how much of a mark are you and how easy of a target are you?
And our job as your provider is to make you better and stronger
and more safe.
And you know leverage technology, some of which are free, you
know, and don't cost money.
It's just a.
You know different methodologies and recipes of

(27:33):
doing things.
You know you'll get to a point where either your business is
best served by you and these kind of functions are better
outsourced to professionals.
But if you're super small and just just starting out, maybe
you do all of it yourself at the beginning.
But it gets to a point in your growth and your maturity where

(27:54):
you have to document your policies, features and and how
you're going to respond to certain situations so that your
company can grow and have that strong foundation.
So as you hire people and expand, you have a blueprint.

Blake (28:10):
Yeah, I mean a lot of companies now with digitization,
like data is the business model?
Yeah, right, like we have clients that their whole
business and all of their revenue comes from the data that
they produce, that they share and that they, you know, publish,
right.
So, so if you're, if your business model is data driven,

(28:35):
you know, maybe you should look at it, you know, but if you have
a food truck and you're you know you don't take credit cards,
you're all cash powered food truck, and you don't, you know
you don't store any credit card information, or you know you
don't get anybody's phone numbers or emails, or I mean,
it's obviously different conversation, right.

(28:56):
So, but, yeah, you know the self, the self kind of
realization as to, hey, what is our, what is our revenue source?
What does that come from?
Like, what, what drives the revenue?
If you're a medical debt collection company, you know,
when you're making calls left and right trying to collect debt

(29:19):
or whatever, like, the data is the revenue source, right, yeah,
I mean there it is so.
So, yeah, that self realization has to happen.
Don't be embarrassed, you know, like there's nothing wrong with
being uncompliant.
I think the only thing that we that I think is wrong is once

(29:41):
you realize that you're not doing the right thing and
continue to ignore and continue to ignore the right thing, that
you you know.
You know you're doing the wrong thing.
That is when you know obviously it's, it's, it's embarrassing,

(30:03):
right, you know, for your clients to know and find out.
So so, once you realize you're doing the wrong thing, start
doing the right thing.
You know these are choices, right?
You know that we make every single day.
It's like you know you can go make a cake and eat a whole cake,
or you can go to the gym and eat, you know, a plant based

(30:23):
diet or something.
You know what I mean.
Like we know, we all know the right choices and they're right
in front of us.
It just starts with one foot in front of the next, like small
steps, yeah, yeah.
Yeah, yeah.
It's just making the right choice at the right time.
So being ignorant doesn't make it okay.

Craig (30:42):
You know?
Absolutely not.
I think it.
It almost makes it worse, because now you're holding
information that you know is wrong and you know what you need
to do.
And then it's like, all right, take action, start today, chip
away at it it's not going to happen overnight, you know and
just keep working towards the end.

(31:03):
You know, and once you get there, it's a continuous effort
to keep yourself secure and compliant.
However, if you've got all the big work done and you've climbed
the mountain, you know it becomes easier.

Blake (31:16):
Yeah, it's easier to go down the mountain than it is to
go back up it, you know.
So, once you've reached and summited that mountain, you know
not saying you have to go down in your cybersecurity, but it's
easier.
The uphill battle right.

Craig (31:34):
But I think the takeaway is not only does this stuff that
we're talking about make your business and yourselves more
secure, but if you're in business to profit and make
money, it gives you that foundational layer to build on.
You know you can.
When you start a business, you can be just you and do what you

(31:55):
want and try to do everything yourself, and that's fine.
People do that.
But you're going to hit a ceiling.
There's going to be a point in time where it's either too much
work or you need to expand, or you need to bring on somebody
and hire and expand.
And if you truly want to be able to take back control of
your time and be able to expand, you need to hire good people

(32:18):
and then you need to train those people and then follow the
policies and procedures and the methodology that you put in
place for your company.
And then that's the kind of the maturity ladder as you become
more and more mature, it becomes easier to expand because you
have the blueprint and, like I said, the hard work, the heavy
lifting, it's been done and it's almost like maintenance mode,

(32:40):
right?
Like you brought the good point around exercise. Typically
people that don't exercise it's really hard to go to the gym,
right, and then it takes a good two to four weeks of going
consistently to really break through that psychological and
emotional barriers on a health level to change that habit, the

(33:05):
bad habits, right.
And then, once you do it often enough, then you actually look
forward to it, it actually becomes somewhat enjoyable, and
then you're mad when you miss a day, kind of thing.
But in order to break through and that's different for
everybody, but my point is, in order to break through that it's
just like anything else you have to break through that habit
and you have to be persistent and you have to keep chipping

(33:27):
away at it and keep trying, keep working and eventually it'll
pay off.

Blake (33:32):
That's it.
I think that's a good note to end on Yep agreed.
Well, thank you guys.
Have a great day, as always.
We'll talk soon.
Take care, We'll see you on the next one.