Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Justin (00:15):
Welcome everybody to episode 45 of Unhacked. Mario, we're a little bit lean today. There's just two of us. It's kinda weird. It used to be, when I did podcasts, it was always two people, and now I've gotten really comfortable having a few more voices.
So you might have to help carry the episode, Mario.
Mario (00:37):
My pleasure. Was it just me and you, were we by ourselves last week too?
Justin (00:42):
It's a couple weeks in a row, and it's like, yeah, my nerves are tingling. So anyways, I'm sorry about that. Okay. Good.
Let's go ahead and get started. We're gonna talk about third party integrations today, and I know that that's got everybody on the edge of their seats. But first, let's go ahead and introduce the podcast, Unhacked. You know, I've said all the
(01:05):
time, it's a deliberate misnomer because, really, you can't get unhacked. The good news is ninety seven percent of breaches are preventable with the basics.
And that's what we talk about every week: what are these basics and how do we prevent the preventable. But if you don't do that and you get hit, getting unhacked really isn't a thing. So here we are helping business owners outsmart Russian hackers
(01:28):
week after week, you know, and now we've added to the list the government; we have to outsmart them because they want to come in and audit things and cause problems. And if that's not bad enough, the attorneys are sniffing around trying to sue us for stuff, you know, problems.
So anyways, I am Justin Shelley, CEO of Phoenix IT Advisors, and I work with businesses in Texas, Nevada and Utah. And like I
(01:51):
said, keeping the hackers, the government and the attorneys out of their bank accounts. And today, it's just you and me, Mario. Tell everybody who you are, what you do, and who you do it for.
Mario (02:02):
Yeah. Mario Zacke, CEO of Mastech IT. We are located in New Jersey, right outside of Manhattan. And we work with small to medium sized businesses, protecting their IT network and providing the business owners better sleep at night so that they know their businesses will be there the next day.
Justin (02:24):
I mean, that's always a bonus when you wake up and your business hasn't just been annihilated overnight. God, it is... Well, I mean, you say that and it really is a thing. I lose sleep over this. It's crazy. It's a crazy world, and I don't like to instill fear in people, and yet kind of I do
(02:47):
because it's a real threat.
It's a real problem.
Mario (02:50):
Yeah. It's funny because I tell people all the time, like, yeah, we help business owners sleep better at night. But for me, you know, I don't sleep, but that's because I'm always thinking, and I know you're the same way. We're always thinking, hey, can we add this? Can we do this?
Should I look more into this? You know, like, we're constantly
(03:11):
looking to improve security. We're always trying to be, you know, a couple steps ahead of business owners, keeping, you know, what we call in the industry our security stack, you know, strong. And we're always adding layers, you know. We're trying to, you know, if they get past this, can
(03:33):
they, you know, should we do this?
Should we do this? Should we do this? And this is the stuff that keeps us up at night, you know, so
Justin (03:41):
Well, I mean, it's a cat and mouse game. Right? We can... Yeah. We can put everything in place and then tomorrow it changes. Mhmm.
And yeah, it's a fun game. And, you know, I've said before, I did not get into the world of cyber security and crime prevention on purpose. I was kind of kicked into that
(04:02):
world. You know, I got into this because I like computers. I like pulling circuit boards apart, you know, and plugging in modems and sound cards back in the day.
And then one fateful Friday afternoon, I had a client get breached and I realized I was no longer in the computer repair business, but I was in the crime prevention business and the, you know, extortion prevention business. Jesus.
(04:26):
Yeah. Yeah. Okay.
So Mario, today we're going to talk about integrations because I had a company reach out to me and they were considering an integration and they wanted me to help, you know, talk with this third party vendor to get it set up. And so leading up to it, I reached out to this third party and I'm like, hey, we've
(04:49):
got a meeting next Tuesday. Before that, I would like to have, because this was in the healthcare industry, I'm like, please send me a copy of your BAA, business associate agreement, so that I can review that. And I'd also like to know what kind of data you're gonna have access to, what you're gonna do with it, and, you know, I wanna
(05:09):
be prepared for our meeting when we're setting this up. And what would you imagine I heard back from the third party?
Mario (05:15):
What did he say?
Justin (05:16):
Crickets. Nothing. No response. So I emailed him again, you know, two or three times and never really heard anything back. And so as soon as the meeting came, you know, I jump on the call and I'm like, hey, guys, I've been emailing you.
Do we have a business associate agreement in place? Because I can't, in good conscience, give you access to patient records.
(05:38):
Again, this is all protected by HIPAA, without having that agreement. And the guy's like, no problem, here. You know, we're both remoted into this computer and he's like, here, here's the BAA right here, sign it.
Like, I'm not gonna sign it. I'm the IT guy. I'm a third party IT guy. I can't sign on behalf of this healthcare clinic. It was
(06:00):
just, it was crazy.
And so I just put the brakes on it and, like, you know, because the client wasn't even on this call, I reached back out to them. I'm like, listen, I'm not super comfortable. I put the brakes on this and we need to get some things handled first. And I thought she was getting mad at me and, you know,
(06:20):
to my relief, she just kind of sighed, like, thank you. She had had a little pressure from her higher ups to go in and do this integration.
She was a little bit uneasy about it. So it was validation for her that I also had some reservations. And so
(06:40):
that's kind of what introduced this today. Like, we have a lot of... they call this a supply chain attack, right? And Mario, in our industry, like, how many different vendors do we do business with and have some sort of a tie in to what we do?
Mario (06:58):
A lot. You can't even
Justin (06:59):
count it. It's a ton, and that's the direct integrations, the direct vendors that we do business with, but then they have theirs, right? This just goes... that's why they call it a supply chain. This chain goes back to, you know, Adam and Eve, I don't know, to the beginning of time. So many pieces to this puzzle that we have to be watching for.
(07:19):
So that's my story. As I was telling you what happened, you said that you had a little bit more personal story, or you were the vendor, right? Yeah. Yes. Tell me.
Mario (07:31):
So now this is a couple years back. Right? So, you know, with our IT company right now, one of the services that we offer is voice over IP. So we (Okay.) have the ability to, you know, obviously set up office phone systems and we have, you know, ways to do integrations and stuff like
(07:52):
that.
So a colleague of mine, you know, from another company asked me one time... they specialize in medical software. He asked me if we have, like, an integration to do appointment reminders, you know, through our phone system. So I'm like, no. But, you know, that is actually pretty interesting. You
(08:13):
know, let's talk more.
I ended up hiring some people, you know, overseas, but it wasn't like somebody, you know, just sitting in their basement in their underwear doing programming, but it was, you know, an overseas company. And I had them build me a platform that would integrate with my phone system and the doctor's
(08:35):
office appointment reminder... I'm sorry, the office hours programs. So it took, you know, it was a good amount of money. It took a good chunk of money and we built this integration.
You know, we tested it. We went through everything and went live and installed it in a bunch of different doctor's
(08:59):
offices. And thank God we didn't have any breaches or anything like that, but later on, I realized that it was a money pit and we weren't scaling enough, you know, to a point where I would start seeing, like, an ROI on it for a while. So I decided to, you know, sunset the whole thing. You know, we
(09:21):
sunk a lot of money into it, but, you know, we didn't break even, and, you know, it was a shot that I took that didn't work.
But the more I think about it, the more I went back, and again, this was a couple years back, now that we are so laser focused on security, I realized, like, holy shit. You know, if this thing
(09:43):
would have stayed live, you know, for a long period of time, you know, we had access, even though we were only taking, you know, the patient's first name, their appointment time, and their phone number. We were only taking those three things because that's all we need. So it wasn't necessarily a HIPAA
(10:05):
violation because we're only taking the first name, we're taking their appointment time, and their phone number. Okay? A lot of it is public records, or two of the three are public records.
Justin (10:16):
Right.
Mario (10:17):
What ended up... Nothing happened, but if something would have happened, our integration was only pulling those three pieces of information, but we had access to the entire database for the entire medical facility. Right. You know? So, you know, and just like we've talked about it in the past,
(10:40):
unfortunately, when you do some of this stuff you're so eager to go live and start testing and, you know, start making some money, then after the fact you realize, like, you know what? Maybe we should start putting in some security.
Yeah. You know?
Justin (10:53):
And Yeah.
Mario (10:54):
That was that, you know, this was, you know, speaking from personal experience, that is something that we ended up doing. We
Justin (11:01):
mean, we
Mario (11:01):
we pushed back security to later on.
Justin (11:04):
Yeah. And we talk about that a lot, that that's kind of the... I mean, it's just the way it works. It shouldn't be, but it is the way it works, and hopefully we, you know, in our industry, we change that. But when we're developing software or hardware, our first priority is to solve the problem. Right? That's where the money is gonna be made, and then it's kind
(11:26):
of this, oh, we also ought to make sure that the Russians don't get in here and then we don't get sued on top of it. So, you know, and you're mentioning, not only, first of all, you had access to everything, so that if somebody were able to breach your software, they could go in and pull much more than you were pulling out. Exactly. But not to
(11:48):
minimize even the amount of information you had, a first name and a phone number. And there's actually a technical definition of what qualifies as PII, and it has to be a couple of pieces of information that tie together so that you could actually identify somebody.
And I might be speaking out of turn here, but with a phone number and a first name, you probably could identify
(12:11):
somebody, or you can get reasonably close. There's only so many phone numbers with the same first name tied to it. So even that little bit of information is significant.
Mario (12:22):
Yeah. And we weren't pulling, like, the last name. We weren't pulling, you know, social security. We weren't pulling any medical records. You know, we were just pulling those three pieces, but again, we built a bridge that was literally sitting on the server.
Justin (12:43):
Yeah.
Mario (12:43):
And every five minutes it was pulling and pushing to our database. Now, we did have, like, some things in place. You know, we had, like, SSL, you know, to secure the connections and stuff like that. But a couple things that we didn't do is, like, 2FA, you know, on the platform. We didn't do some
(13:04):
verification checks and stuff like that.
You know, I don't wanna make it seem like we were completely neglecting security, but it wasn't... you know, thinking back about it now, I realized, like, you know what? There could've been things that could've been breached. And if that would've been breached, you know, could
(13:27):
they have, you know, turned a one way bridge... Actually, sorry. We had a two way bridge because, you know, in, like, version two, we would push the confirmation back.
We would push the confirmation and say, okay, yes, they either replied with, you know, canceled or did not reply at all. So there was a two way confirmation, a two way bridge.
(13:50):
But, you know, thank God, you know, we pulled it before anything happened.
It could have been, you know, it could have been serious.
Justin (14:02):
Yeah.
Mario (14:03):
You know? And it brings back to, you know, what you were mentioning earlier. We didn't have any of those, you know, things in place, you know, like, you know, we weren't compliant, you know, for HIPAA or SOC 2 or any of that stuff, you know, and that was one of the reasons that I decided to pull the trigger.
Justin (14:25):
Right. Well, and here's the thing. So you didn't have direct control over who wrote the code. Right? Because that was outsourced.
You don't know what libraries they're using. So when writing code, and I mean, this is dating me right now because AI writes all this stuff these days, but you would either buy or you would use publicly available DLLs, as they're
(14:47):
called, which is just a chunk of code that you would use to simplify your own writing of code. The problem comes if that DLL that you get, in some way, gets breached, that code gets altered, you know, you run an update or it automatically updates or whatever, and now your code is
(15:07):
infected and you have no idea because you don't really know what's going on behind the scenes. And I mean this is a great example because it's exactly what was on my mind as I'm being asked to give some unknown third party vendor complete access to a clinic's patient records. Like, I don't
(15:28):
know what they're doing with it, I don't know what the integration looks like, I don't know what data they're pulling, and regardless of what they're pulling, what do they have the ability to pull?
Should they get breached, or should they just be malicious? You know, maybe they're just bad guys all the way around. I don't know. And one of the things that really stopped me in my tracks as I was doing this, I told you they presented
(15:48):
me with a BAA, right? Well, the problem is the name on that BAA was their third party software that they were using.
So now, you know, it's not even the company that I was initially working with, I'm now working with some completely unknown name and it's not even in English. Like, I can't pronounce the name of this third party that has their
(16:09):
name on the BAA. So yeah, I just shut it down. Like, we clearly have more work to do here, and so let's go ahead and pivot there. What do we do? Because, and I think when we were talking about, you know, prepping for the session, you said something about, we don't really have any choice. If we're gonna do an integration, we don't have a lot of say in what they do.
(16:34):
Or I think you said maybe it was like the only option is to not do it. Right? Do you remember that? Okay.
Mario (16:40):
Yeah.
Justin (16:40):
Yeah. So I wanna talk about, first of all, if you can't be secure in the integration, then it probably is the better option to not do it. Right. Maybe you'll lose some functionality, but maybe we just go find a different vendor at that point. But let's talk about how do we evaluate third
(17:03):
parties.
How do we evaluate them? How do we know? Like, even have a hope that they're taking care, because I, and by the way, I still have to do this with these two, now two, third party vendors. I have to go out and assess them and find out, you know, make a recommendation back to the client to see if this is a safe option. So Mario, talk about that. What do we do?
(17:27):
How... coach me through it as if I'm an idiot. How do I make sure, before I give this company's... the third party's third party complete access to my client's data?
Mario (17:38):
Well, I mean, first you need to find out from them what information they actually are going to be pulling from your client.
Justin (17:45):
Right?
Mario (17:46):
You know, if it's, you know, like we said, it's a doctor's office. What information do you need access to? Right. Okay? And when you pull this information, like, let's just say, you know, for example, you know, there's a similar situation.
They're pulling the patient's first name, you know, phone number, and appointment time. Alright. Well, first of all, are
(18:09):
you pulling it and putting it onto your server? And is this being encrypted, you know, in transit? Like, as the data is being pulled, is it encrypted?
And is it sitting on your server encrypted? And how long are you storing that information for? So for example, in my situation,
(18:29):
we were pulling two weeks worth of appointments and only holding it on our server for four days. At any given time, we only had, you know, a little less than three weeks worth of patient information. Okay.
And then after four days, we would just, you know, delete it.
Justin (18:50):
So you had, I guess, some automation that just went in and purged the older data from your software, from your database. Yes. Okay. Yeah.
Mario (18:59):
You know, and so we stored it for no more than three weeks. But now, you know, again, the system's offline, so I could easily say it. But at first, we were storing it on Wasabi. Wasabi is a data storage company with pretty good
(19:23):
prices. We later moved it on to AWS, but, you know, at first, just to kind of get rolling, we were putting it on Wasabi. And I, you know, don't quote me on this,
I don't think Wasabi's security is really as good as, like, what you would say AWS is or,
Justin (19:43):
you know,
Mario (19:43):
and Microsoft and stuff like that. But we didn't have, like, 2FA or anything. We did have, you know, at least the guys overseas told me that the data was encrypted, you know, in transit and sitting on our server encrypted. But you're also relying, you know, that's one of the questions that you would need to ask, is, like, who's working on this, you know,
(20:06):
and where are they? And are they your employees or are they subcontractors?
Because that makes a difference, because you could only sign paperwork and go through certain things that you're responsible for. But how do you know the other company is compliant? How do you know what they're doing with the data? How
(20:28):
do you know, you know, if they're SOC 2 compliant, you know?
Justin (20:32):
Well, okay. So I'm glad you mentioned SOC 2 because that's where I was gonna go next. First of all, I wanna back up a little bit. Do you remember, it was back in episode 41, I think, with Jonathan Steele, he was an attorney, divorce attorney, and that was a point that he made that I really liked: don't store data that you don't need.
(20:54):
You can't lose what you don't have.
I love that you at least had that safeguard in place where you were purging that data after a few weeks. But now let's talk about SOC 2, and the thing that I love most about this, because, I mean, you said it yourself, your developers,
(21:14):
who you hired, who were overseas, told you it was encrypted, but you couldn't personally confirm that. Right?
Mario (21:21):
Correct.
Justin (21:22):
And even so, you could say, you know, whatever you want to a client. SOC 2 is kind of a third party assessment or validation of, you know, how you are protecting your client's data. So it's somebody else going in; another, you know, it's a framework, it's a set of, you know, standards that you have to
(21:45):
prove to somebody else, to a third party, that you're doing it, that you're keeping the information safe.
So I love that. If I just had, you know, the best way, if you just wanna tell somebody the best way to know if a third party is solid, if it's a safe bet, at least a reasonably safe bet: get their SOC 2 certification.
(22:05):
You know, make sure that they were actually certified SOC 2. Beyond that, you know, like you said, where is the data stored? How is it stored? And can you prove it? Because saying it is one thing, but can you prove it?
That becomes pretty tricky.
Mario (22:22):
Yeah. And we have, like, a client of ours that, you know, always has to be compliant with SOC 2. You know, they work with credit restoration. So their SOC 2 is not just something that has to be done, you know, once a year. Okay, provide this, this, and this. It's not, kind of like tax
(22:45):
time, here's all the information you need and then, alright, I'll see you guys next year. SOC 2 is year round. Right?
And one of the things that they have is... I forgot how many, hundreds of different things that you have to provide. But it's not just saying, are you using MFA? You
(23:08):
know, and it's a yes or no. It's yes. Okay.
Upload, you know, provide, you know, evidence. Right. You know, is that encrypted? Yes. Okay.
Provide evidence. You know, everything is providing evidence. And it could be a screenshot, it could be a configuration log that you're uploading or something like
(23:29):
that. But it's never gonna take somebody at their word. It requires proof along the way, you know, every step of the way.
Justin (23:40):
Right. And there is, so there's SOC 2 Type 1 and SOC 2 Type 2. It's a mouthful.
Mario (23:45):
I think there's a Type 3 now too.
Justin (23:49):
But the key difference is just that you have to continue to prove it over time and prove the effectiveness of it. So these are great. You know, nothing's absolute, but in the world where we are evaluating risk, that's what this all comes down to: what is a reasonable amount of precaution to take?
(24:10):
This is probably the best bang for your buck that you've got. Go out and do business with people that at least have taken that extra step and become SOC 2 certified.
Mario (24:20):
Yeah. And if I could add one more thing too, SOC 2 is not something that you're gonna get the certification for in, like, a week or two or a month. It's a lot of work. Takes a while. So when somebody is SOC 2 compliant, that means they've been around for a while.
They've invested, you know, a lot of resources, a
(24:41):
lot of manpower to get to that point. You know, these types of companies that are SOC 2 compliant have been around and are ready to really do business. And they've taken the measures to have your data secure. In a place like that,
(25:01):
it's beyond, in my opinion, it's beyond HIPAA. It's beyond NIST. You know, it's beyond PCI. You know, it's one of those bigger ones, like, you know, SOC 2, CMMC, those ones are, like, the bigger ones.
Justin (25:18):
Right. Well, a lot of these frameworks are self... you can self assess, you can self certify; you don't have to have somebody else come in and do the assessment for you. So that is a key difference.
Mario (25:35):
Yeah.
Justin (25:37):
Alright, so make sure that you know who you're doing business with. Right? That's number one. And then number two is, well, we've got to know what software we're even using to start with. Right?
So the second thing I would tell people is audit your software inventory on a regular basis. You know, we have tools to do that. Most IT companies
(26:00):
have some sort of an inventory system, we call it an RMM, remote management and maintenance. But it will easily inventory that. Now the problem, the challenge here, is how long is that list usually, Mario?
Mario (26:16):
On one computer, a lot of times it goes up to, like, four or five pages at least.
Justin (26:22):
Right. For one computer, and now you gotta do this across a department or, you know, an organization. It definitely gets messy. But we're talking about, like you said, waking up the next morning and finding out that you still have a business or don't. So somewhere we've gotta build this process into the way we work.
Mario (26:44):
Yeah. And, like, you know, as far as, like, software inventory, a big one that we are always keeping an eye out for, and we set alerts in case we see this, is, like, TeamViewer. Now TeamViewer is a legitimate remote access program, but out of the box, it's very unsecure, you know? So whenever we see that, we're always, like, hey, this needs to
(27:06):
go, you know? Right.
This can't stay on your computer because it can be, and has been, used previously for malicious activity.
Justin (27:21):
Well, just to clarify for the audience, shadow IT isn't necessarily sketchy programs. It's just software that's been installed and is being used or not being used, but it lives in your system and your IT company or department doesn't know about it. So they're not managing it, they're not maintaining it, they're not making sure it's secure.
(27:43):
TeamViewer is a great example of that. It is a legitimate product, but either misconfigured, or even if it's configured right, somebody gains those credentials and now they're in. And once they're in, they're in; they can, you know, that's like the drawbridge is down.
You're inside the castle and you've got all kinds
(28:04):
of access that you just shouldn't have. So
Mario (28:07):
Yeah. And TeamViewer, out of the box, it's the only program, or one of the only programs, where all you need is an ID, which never changes, it's linked to your computer, and a password that they generate.
Justin (28:21):
Right.
Mario (28:22):
Okay. You don't need to, unlike Splashtop or LogMeIn or ScreenConnect, you don't need to authenticate to a website with a username, password, 2FA to get to a computer screen, you know, to even see which computer you have access to. All you need is those two numbers, the number and the password, and you're in. You can do it from
(28:44):
sitting in a Starbucks in Albany, you know, with a burner phone, you know, like, you just download the app, you're in. You don't need any authentication, you know, as a username or password or anything like that elsewhere.
Justin (29:01):
Right. Oh, good times.
Right? Good times. All right,
Mario, listen, that's
Mario (29:09):
we'll talk for a minute.
Justin (29:11):
Yeah, we're gonna go ahead and wrap this one up. It was just one of those things that caught my attention. I'm glad it happened just because it brought something that I know to the front of mind, to put a spotlight on it, and something I felt we needed to talk about. It's so convenient to do all these integrations and it's happening more and more and
(29:31):
more. IT, security anyways, used to be pretty simple.
But now, I still remember, don't hear it as much anymore, but people would say, we're fine, we moved to the cloud. Like, oh shit, now we've got problems, because everybody's in the cloud and everything's got to integrate and talk to each other, and anywhere along this supply chain, something can happen that
(29:54):
just screws everybody else up. So, important topic and, you know, let's just move to key takeaways. Mario, if somebody just came to this part, what's the one thing you would want them to know and understand?
Mario (30:09):
When you're working with a third party system, you need to find out how long they've been around. Are they new to the block? What's attracting you? Is it just their price? Because that price is probably because they're trying to just get started with their company.
(30:30):
You know, the ones that are SOC 2 compliant are probably a little more expensive. So, find out how long this company has been around and find out what certifications they have to prove to you that they're legit.
Justin (30:44):
Right, perfect. And for me, I'm gonna say that... I talk a fair amount about compliance, that's something that we're really focusing on in our business, and part of the compliance package is vendor risk assessments, and they are thorough. It's not something that you're gonna do in a few minutes, but there is an actual framework for going
(31:05):
and assessing vendors, and I would highly recommend, when you do these integrations, to hire somebody and run through that. Spend a few bucks up front to save yourself the nightmare, or the waking up into a nightmare, where it's game over. Right? That, and SOC 2. I mean, we've already talked about it, but find a way to actually validate that what they
(31:29):
tell you is true.
Mario (31:31):
Yeah. Unfortunately, some people, technically all they ask is how much and how long do I have to sign up for? That's all they're asking. Mhmm. You know?
Justin (31:39):
Yep. That's exactly right. And, you know, what does it deliver? You know, what problem is it solving? As long as it's gonna solve a problem, you know the price. That's where the evaluation stops. Actually, that's really where this process should begin, before you sign up. Go and do that vendor assessment. If you'd like that done for you, go to unhack.live, right? You can get either Mario
(32:03):
or my information there or, you know, hire your own firm, but just make sure that this is a process that you follow on a regular basis.
And guys, you know, go to the website and you can find our social media links. We always give out a free assessment. We've been talking about that for ages. Haven't mentioned it recently, so I wanted to bring that back up. But there's
(32:24):
actually a tab on unhacked.live for the free assessment.
You can go in and pick one of us, sign up, and we'll help you out. Take care of you. Mario, that's a wrap. We're gonna go ahead and close out for this week. But as always, thank you for being here.
Say goodbye, and we'll see you guys all next week. Take care, guys.