April 26, 2024 • 33 mins
In this episode of Benefits in Brief, Jeff Turner sits down with Brandon Walcott, an esteemed expert in IT and Owner of Techtrix, a leader in safeguarding Cyber Security attacks and IT Services, to delve into the crucial realm of cybersecurity and IT protection.
Brandon brings a wealth of experience and insider knowledge to the table as he shares invaluable tips, tricks, and strategies for safeguarding your online assets in an increasingly digital world.
You can find out more about Brandon and his services at www.gotechtrix.com or connect with him on LinkedIn.
Visit aleragroup.com to find your local office and more resources on protecting your assets and insurance needs.
Local to Sacramento, Tahoe, or Reno? Email us at info@pwadmin.com or visit us at https://pwadmin.aleragroup.com to learn more about what we can do for you and your business.
Follow us on social media!
Facebook: facebook.com/pwa.insurance
LinkedIn: linkedin.com/company/pwa-insurance-services T
witter: @pwa_aleragroup
Brandon brings a wealth of experience and insider knowledge to the table as he shares invaluable tips, tricks, and strategies for safeguarding your online assets in an increasingly digital world.
You can find out more about Brandon and his services at www.gotechtrix.com or connect with him on LinkedIn.
Visit aleragroup.com to find your local office and more resources on protecting your assets and insurance needs.
Local to Sacramento, Tahoe, or Reno? Email us at info@pwadmin.com or visit us at https://pwadmin.aleragroup.com to learn more about what we can do for you and your business.
Follow us on social media!
Facebook: facebook.com/pwa.insurance
LinkedIn: linkedin.com/company/pwa-insurance-services T
witter: @pwa_aleragroup
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Good morning, everybody, Welcome toanother episode Benefits and Brief. Benefits and
Brief is a podcast that we hereat the Sacramento Alera Group office do on
a regular basis and talk a littlebit about business issues, interview guests and
speakers that are experts in many differentfields. And we're super excited we have
(00:25):
a guest today that's going to talkabout the importance of it and cyber oxecurity,
mister Brandon Walcott, and mister BrandonWalcott is a recent member of Sacramento
Executives Network and Sacramento Executives Network isa local executive group that provides expertise and
(00:46):
resources and knowledge in many fields thattouch your business. We'd encourage you to
go to sackexec dot net and checkus out on the website. Brandon is
a recent, as I mentioned,a recent member of that and super excited
to have him on the call today. Brandon is a good resource when it
comes to it, and we're goingto talk about some of the issues that
(01:07):
employers are facing right now, especiallyaround cybersecurity, and I'm super excited to
have him talk a little bit aboutthat. But before we get into that,
Brandon, why don't you go aheadand introduce yourself, tell us a
little bit about yourself and your business, and by franky, why you got
into the type of business you're in. Yeah, thank you, Jeff,
and thank you again for the opportunityto doing this podcast and just talk to
(01:30):
your members and share some resources.Yeah. So my name is Brendon Walcott.
I operate a company called tech Tricks. We are a consulting agency with
about a half dozen partner in overtwenty staff, now operated outside of the
greatest Sacramento, California region, specializingin small and mid sized business IT and
cybersecurity. What we aim to dois elevate your organization with a proactive secure
(01:51):
system and that encompasses all IT andcybersecurity controls so that we can help you
focus on the highest and best useof your time, which is typically running
your business. There's a lot ofbusiness owners out there that the business is
running them and then they're just oneshort cyber attack, one phishing email away
from disaster. And that's what weaim to eliminate and resolve before it ever
(02:12):
becomes an issue. The reason Igot into this is because Yeah, I
don't like Yeah, Jeff, weyou and I talked about this previously.
I don't like bullies. There's alot of bullies in the cyber criminal world,
in the organizations that protect businesses fromcyber attacks, a lot of predatory
software companies, a lot of predatoryconsulting agencies, a lot of one man
band its organizations which I was inthe past that they're not competent in their
(02:38):
security, but they're very confident,which is a very dangerous concoction. And
so at the end of the day, they are allowing a business owner to
act on incorrect information and thereby,in my thought process, kind of bullying
them into making a decision not basedoff of correct information. And so I
don't like that. What I liketo do and why I started tech Choice
(02:59):
is my aim is always to educate, you know. I hope to earn
your business, of course, butMichael is just to provide some comprehensive knowledge
because there's so much misinformation out therein the cyber world. And so I've
been doing this for fifteen years now. Started my first business at the age
of fifteen, rolling around in mymom's minivan fixing computers for different clients.
(03:21):
Yeah, so you knew kind ofat an early age what you wanted to
do. It sounds like I wasvery blessed the opportunity to have the knack
is what they call it, right, It's got technology related during sort of
mechanical capacity. Somehow I just figureout how it works for first engineering and
learn how to fix it. Yeah, you know, kind of talking about
bullies, if you will. Theworst feeling in the whole wide world is
(03:44):
when somebody has you know, brokeninto your car or you know, stolen
something from you, stolen your youridentity. It's the worst feeling in the
world. Is so frustrating because it'slike you can't do anything about it.
You don't know who did it andwho's behind I didn't can't retaliate if you
will, Yeah, exactly. Andwhen it comes to y somebody breaking into
(04:06):
your car, somebody breaking into yourhome, you know, file police report.
That's pretty much all you can do. There's very low chance of finding
them. When it comes to cyberattack, we'll call it attribution who did
it? Basically, it's like apoint zero zero one percent you're ever going
to find and process whoever caused irrepaiablefinancial harm to your business. Yeah,
(04:29):
I was at a Rooseville event thatyou spoke at last month and talking about
kind of the top ten items thatif I'm a business owner I need to
pay attention to. I need tolook to, you know, an IT
expert like yourself in my business andwhen it comes to it, And I
was kind of surprised when you said, Hey, just because you have an
(04:50):
IT professional firm whatever you know,handling your IT doesn't mean that you you
are safe and secure from cyber attacks. Is that accurate? Brennan, Yeah,
So that's kind of the fallacy,right why I dedicate a lot of
(05:12):
my time to cybersecurity because the realityis when it comes to cybersecurity risk,
Let's take phishing emails for example,you got three choices. As a business
owner or C suite leadership. Fishingattacks are going to happen. It's going
to affect your organization. You andyour employees are going to receive them.
How are you going to act onthem? What intelligence do you have,
(05:34):
what tooling do you have? Youhave three choices. You can do absolutely
nothing and say I'm good, they'renot going to affect me. That may
or may not work slightly effective.Right, You can have what we call
a DIY approach that might be kindilyan amateur IT guide. It's a brother
or an uncle or a friend thatdoes it part time, moonlight or even
(05:57):
they're a qualified professional so to speak, or remember when it comes to IT
professionals, there's some certifications you canget, but generally there's not a full
blown degree. There's not licensing requirements, there's not state insurance requirements, there's
no real qualification to become a professionalIT provider. And then you have a
lot of business owners they're diying itor the third option is having a professional
(06:20):
to it, a true professional witha team of experts, with multimodality support
with Treiged Cybersecurity Team, incident Response, Network Operations Center, Tier one two
three engineers helped us dispatch the wholenine. That's professional. That's what tech
Tricks does, right, And soJeff, to answer your question on the
nose, a lot of business ownerssay, oh, I got my IT
(06:40):
guy. He's been doing it forthirty years, YadA, YadA, YadA.
You know he's good. He's reallygood. Right. What I like
to draw the analogy to is imagineyour business is a vehicle, right,
and the technology is the vehicle that'soperating your business. You start out with
an old vehicle, right, nota lot of safety, not a lot
of seats in the space, nota lot of power. But as you're
growing, your revenue is in themillions of dollars, right, you're bringing
(07:02):
in staff, that vehicle becomes largerand larger, and then your IT guy
is an operational focus, right,so he is focused on ensuring that that
vehicle is tiptop shape and running smoothlyso that you can barrel down that road
at a million dollars an hour towardsprofitability. That's their goal. Security is
hopefully at the forefront of their mindset. But their goal isn't to design the
(07:25):
best seatbout system in the world,the best air bags, the best safety
technology. Their job is not tospot at the ten thousand foot view what
threats are in the road ahead,what dangers might be lurking. Their goal
is just to keep that system runningbecause if that bus, so to speak,
that's barreling down the freeway. Guys, none of your employees can work,
You can't operate your business. Butsecurity will often come in and smack
(07:47):
that down, and now it's theIT person's problem. When in reality,
Jeff, to your question, youknow, it should be two separate entities,
two separate organizations, two separate people, one focusing an operational it and
one focusing on security. And Ijoke that they shouldn't like each other because
they're competing for budget to best protectthe organization. But the reality is they
(08:09):
should always be collaborating and bouncing offideas, and they should be in competition
for resources, because it's one thingto keep your business running with the technology,
but it's a whole nother thing tosecure that efficiently. It's balancing act.
You know. You mentioned, youknow, do it your own versus
you know, having a professional doit. So if I'm a business owner
(08:30):
and I was interviewing you, forexample, and what kind of credentially questions
would I ask of you, youknow, in terms of your your expertise
and education. Yeah, I mean, any any company, right is built
off of word amount and referrals.That's everybody's best referral source. So I'd
(08:50):
say go straight to the source.You know. I'll give you a list
of half a dozen of my clientsthat you could call, you know,
some that I just onboard in thelast thirty days, some I've been working
with for years, have a conversation, and I'll prompt you for questions,
and I recommend you go to alot of others to ask those questions.
Other providers, like any contractor youknow, get three quotes, ask them,
what do you do, how doyou charge for it? What's kind
(09:13):
of your response time? We havewhat's called service level objectives. We guarantee
your response within twenty four hours fora low criticality, high creditality eight you
know, major critical incident, everything'sdown within an hour or two. You
know, these type of things thata lot of IT guys a good qualify
to ask. You know, ifyou're a couple of million dollars in revenue,
you're probably thousands of dollars an hour. If all your systems are down,
(09:37):
if your website stops working, yourphone system, your emails, your
computers aren't functioning, it's very expensivefor you. And so the IT guys,
yeah, they might be a littlebit cheaper. But when you are
hard down, as we call it, and all your systems are down and
they have another client, it's harddown. At the same time, you're
one person has to be stretched intwo directions and they have to pick and
(10:00):
choose and hopefully you have a goodrelationship that they choose you, but now
their other client is suffering. Andso that's where the sole prop guy,
the one man band, they're stretchedpretty thin, right, and that's where
professional difference is. Yeah, verygood. And you're just kind of coming
back a little bit to the cybersecurity. How often or how many times during
(10:22):
a day are we being you know, attacked fishing as you would I think
you said is the term you used. Well, the statistics are sombering on
that. So ninety one percent ofcyber attacks begin with a single phishing email.
And you know that's up to everyorganization. I don't know about you,
deaf, but I get phishing emailsevery single day, right, I'm
sure you do. I'm sure everybodygets a phishing email, and we try
(10:43):
to do a pretty good job thatyou know. Notice it that that's you
know, hopefully, oh that's ascam, right, But the reality is,
you know, three hundred and fiftypercent times more likely for a small
business to be susceptible and attacked withsocial engineering than those at large companies.
So the reality is it's daily,it's hourly. The onseought of cyber attacks
(11:05):
is very realistic, but most peoplemake the assumption. Most businessmers, oh,
I have an antivirus software, Ihave a spam filter. I'm good
on security. I don't see cyberattacks. Hopefully, it's a multi layered
approach. It's important to protect yourselffrom all different avenues, all different threats.
Think about a vehicle. How manyairbag do you have? How many
safety systems you have? All thoseare federally mandated because people were dying in
(11:28):
attacks right now, attacks, butcrashes right cyber attacks. There's no federal
mandate for your business to maintain cyberinsurance or have a qualified it cyber professional
because the pain isn't quite there yet. Cybercrime is the number one transfer of
wealth out of any financial metric ona global level period, more than cryptocurrency,
(11:50):
more than stocks, more than buyingreal estate from out of countries and
bringing it in. Cyber criminal organizationstransferring wealth are none, and these organizations
often are very their businesses right.They're set up. You know, they've
got people working for him, andthey look legit. Here's the crazy thing.
You can look on various news articlesand sources. They've got YouTube videos
(12:11):
of people who are going in andyou know, perpetrating these organizations and seeing
what the scam is that they're running. These people. They have a phone
number on their website. They havea very certififsicated website. You know,
we're an IT company they call it, or we're a technology based company,
usually based out of India or maybeEastern Europe for example. Right, And
(12:31):
they have a phone number. Theyhave an HR department, they have a
finance team, they have a marketingteam and budget. They have recruiters,
they bring people in. It's allperpetrated as part of this scam organization.
Think about it like a multi levelmarketing. Right, you scam somebody out
of a thousand bucks, you gotell your buddy, you bring him and
you get ten percent of everything hedoes. Right, you can work from
(12:52):
home. It's a pretty cool job. It's a great job. You can
scam Americans, scam Western people.It's very effective and it works and they
get paid. Well, that's whyit works. That's that's just that's mind
boggling. So if what would youyou know, say, are things I
can look for, you know ina scam email. I mean, let's
(13:13):
say, you know, like obviouslywe have our filtering et cetera. But
you know, something gets through.I'm super busy and I see something and
I click on it. I mean, am I in danger already just by
just clicking on it? The bestthing that I have seen is I work
with an organization. At a previousjob, I worked in the day area
doing cybersecurity consulting, managing a sixhundred and fifty person organizations, social engineering
(13:39):
protection. Right, So I thinkI'm I have the qualifications to speak on
exactly what this is. Right.The reality is the best phrase I've heard
is loose clicks think ships. Right. That goes back to World War Two
with loose lips sink ships, talkingabout not disclosing information, right, Think
about that. Any link that yousee and you click on, from any
(14:00):
employe in your organization that has thepotential to sink the whole ship. So
be extremely careful. The red flagsyou should look out for, of course,
you know email address and spelling,right, content of the email,
how is it formatted? How isit words? Where did you know this
person? You know? Investigating whatwe call these red flags, the key
indicators in an email. But thereality is, I can't really teach you
that in a thirty second web snippet. You have to take cybersecurity awareness training
(14:24):
and then beyond that you take training. That's great, but attack your employees.
You as a business owner need toknow. Ninety one percent of attack
start with a phishing email. Sofish your users, then them potentially malicious
looking phishing emails that are benign,they're cleaned and sanitized, and see do
they click on them. We findon average about forty five percent of users
(14:48):
in an organization click on a stimulatedphishing email when we send it out as
part of our level two pen test. And that's a summary statistic, and
you think, wow, that mustjust be you know, individuals who haven't
had training. No, Generally it'sthe c suite executive and the business owners
themselves that have a higher phish pronepercentage because they're really busy and they don't
have time to read it and analyzeit right. And then you have the
(15:09):
new employees who are aiming to pleaseand they want to click on everything to
make sure everything gets done quickly.Both people are very susceptible. Interesting,
so you provide that kind of educationand training them for your clients. Absolutely,
we have a clever platform that wetake real phishing emails that our companies
report, and we have threat intelligenceas a professional from our hundreds of clients
(15:31):
that then bundle it in and attackour own users with the same real world
attacks that we're seeing from their clientsand others in real time. Yeah,
you've shared a couple of stories withthe networking group, you know, examples
of where this has happened, andyou know it's just cost that business owner
a lot of money, a lotof money, you know, and time
(15:52):
and cash. So want do youhave a couple of stories you can share
with the group real quick? Yeah, as there's too many. I could
spend an hour just talking about thisalone. But just last month in the
Greater Sacramento area, I had aconstruction company. Last year five million in
revenue, this year ten million inrevenue. For six months, I've been
casually in a conversation with them,Hey, you need to worry about cybersecurity.
(16:15):
We're dealing with all these government contractsnow, YadA, YadA, YadA,
it's important, it's important. Andthen they go, you know the
cost it was not even a couplethousand bucks a month to manage all of
their systems, to protect them,manage all their emails, just handle everything
that their office manager was doing it. They were probably spending one thousand dollars
themselves on just the software. Itjust didn't make sense. And I knew
that, and I was trying toarticulate that, but it just was a
(16:36):
failure to penetrate the mind of thebusiness owner. Right. I get a
text on a Friday morning, Hey, quick cybersecurity question. I call them
back. What's going on? Wejust had one hundred and eighty thousand dollars
stolen from one of our clients.Can you help? That was the initial
Hey, not how's it going,but hey, we just had this happen.
You know, what can you do? Within two hours, we were
(17:00):
on site, we had all oftheir systems locked down, We had our
third party incident response company come in. Mind you this was a significant breach.
We didn't know where the information wasbreached, what happened? Who's compromise?
And then within seventy two hours weturn them around, cleaned up all
their systems. It became a criminalinvestigation. We had to forensically analyze all
the systems for any sort of mawerethat exists on the endpoints as well on
(17:23):
the cloud, and we actually foundthat their email system was breached via probably
one of those ninety one percent ofattack start with a phishing email. So
my client's email system was compromised.Somebody was in there analyzing all the email
boxes, seeing and scanning for wordslike ACCH payments, remittance accounts, payable
billing, hiding all those emails,and then sending their own modified account information
(17:48):
out. All it took was onephishing email to steal one hundred and eighty
thousand dollars. Happy ending that story, we were able to recover. It
happened on a Friday, right twentyfour hour hold on ACCH transfers for business
to business. In this case,we caught it early enough that we were
able to get the funds back,which is incredible. But that's the same
story. I just met a gentlemanlast night. He's a commercial banker for
(18:11):
Chase Bank, and he was saying, you know, one of his clients
buys luxury basically houseboats and then rentsthem out Airbnb style. He was putting
a deposit down on four of thesehouseboats. They were two hundred and fifty
thousand dollars for the initial deposit.He got an email from the manufacturer Hey,
here's our wiring information. Send itover. Not but thirty seconds later,
Oh, same person, So sorry, here's the update of wiring information
(18:33):
I missed misput in the numbers lasttime. He's thinking, Okay, no
worries. I've wired the money before, I should be safe. Now he
sends it. Twenty four hours later, the manufacturer goes, hey, you
wire you two hundred and fifty granddeposit. The client goes, yeah,
I did. Turns out that manufacturerhad their email system breach. So now
my connections client was out that money. But the manufacturer didn't have that money
(18:56):
either. The cyber criminals had it. You know, nobody is a winner
in this scenario. It's just devastating. Yeah, I remember you tearing that
first story with the group, andI think at that time it was fairly
recent. I didn't remember you sayingthat you were able to get the money
back. But so it was aclient of theirs that somehow they had been
(19:17):
able to get to the to theirclient's account. So my client had their
email system breached, but is nowmy client is no longer breached anymore,
and so bad guys likely out ofEastern Europe. We can't prove attribution because
there was using sophisticated threat actor methods. But they were monitoring my client's email
communications for anything inbound or outbound regardingpayment, any transfer money period. And
(19:41):
they were sitting in there, likelyfor months, waiting, waiting, waiting.
It's called the persistent threat and ATPadvanced threat, that's persistent, right,
and it is analyzing all their communicationsand they're just waiting. They're sitting
out there with binoculars looking in frontof your business saying, Okay, when's
that bank truck going to pull up? Boom, there is. We're going
to put on the uniform, actlike we're them and change where that money
(20:03):
is going. We're going to putit into our door. Right, And
that's exactly what they did, andit was highly effective. Don't like that?
Wow? And now, of coursethis client is is my client.
They understand their value in the serviceyou provide, because how many of these
contracts that was a government contract,how many of these government contractors are going
to work with them? If theykeep having fun stolen? That absolutely that
(20:26):
definitely would stop any business in thetracks. Yeah, so if you could
you know, we've got about fiveminutes left here, are there any kind
of quick universal cyber tips you canshare with the audience that you know they
can they can apply today. Absolutely, yeah, And I'll start with saying
(20:48):
I have a list of top ten. You're welcome to reach out to me
on my website gotechtricks dot com thathas a full list of top ten.
But I love to provide free resourcesto the community that they can use to
protect themselves if they do choose togo that second DIY route. But really,
the top three tips that I have, or all organizations, both personal
and professionally, all your employees,business owners, put multi factor authentication on
(21:11):
everything that you have, right,especially your email account, any sort of
website hosting, any file sharing Google, drive Box, drop Box, one
drive and so forth, any socialmedia that you have, any banking information.
Of course, you know all thosecomponents. If in a threat actor,
a hack or a bad guy whatare you going to call it,
gets into those, they can pivotto any of the other things. Imagine
(21:33):
your email. How hard is itto reset a password? Well, the
bad guys have your email, theycan reset your password to everything, right,
So the least you can do isspend thirty seconds setting up multi factor
authentication multi fact authentication For those notfamiliar, when you bog into your bank,
it sends you a text message withsix digits that set us most fundamental
level multi factor authentication. Yeah,I've seen that, that evolution of those
(21:56):
those security measures of you well,you know, just even five years ago,
I don't think we had all thesedifferent you know, gatekeepers hoping that.
Yeah, thanks for the first toroll it out. I used to
bank personally, but ten years agothey were requiring that because passwords really aren't
that secure. And that's my nexttip we'll talk about. But the reality
(22:19):
is you need something else to protectyour account beyond just a password alone.
Yeah, let's talk about passwords.You know, you have a suggestion around
that as well. And you knowthere are people out there that I don't
know that they have, you know, taken that extra stepick. You know,
it's not real super expensive. You'vegot to pay a little bit to
(22:40):
have these other tools in place.But yeah, I know you've talked a
bit about where to put your passwords. Yeah, So, like I said,
passwords, by their very nature onlyone factor authentication. They're not a
multi factored so even by themselves,they're not secured. However, we need
them for every single account. Ithink we're changing. There's a lot of
know your iPhone, your Android.They have facial recognition. You don't even
(23:03):
put a password or pasket it anymore. That's a little bit more advanced.
My websites don't have that yet.We're getting there. So I recommend use
to a password manager. I likea cloud based password manager. There's a
couple of variety out there that youcan utilize. They're pretty much all the
same for the most part. Lookup top ten password managers. Pick one
and roll with it, right.But I like those because it keeps all
(23:26):
my passwords for all my accounts synchronizedbetween all my computer's web browsers and my
phone, so anywhere that I amat any point in time, I can
get those passwords. Me personally,I like to share them with my wife
so that she has them if anythinghappens to me or if I'm not available,
right, and she could log intomy different accounts, right, And
so that's very important for me.And I have a strong, unique password
(23:47):
for every single account, and Idon't reuse my passwords and so correct me
if I'm wrong, Jeff. Butthis is the common story for people.
I have one or two passwords.It's my wife's name, my husband's you
know, birthday plus three digits,my dog name, you know, or
my anniversary. Right, and it'ssome variation of that plus one two three
(24:07):
explanation point for different accounts. Whenthey asked me to change it, I
just have this exasperated sigh of painand anguish. Right, So I just
change it, and I can't manageit. So I have a piece of
paper, a word documented cell spreadsheet, a note in my phone, I
text myself the password. It's likefive or six different systems, and when
you have to change it, it'sjust a pain in the butt. That
(24:30):
that is the reality for most people. Me. I need to update a
password. I log in. There'sa little icon in my web browser.
I click phil done. It's astrong, unique password. I create a
new account on my phone. Great, go on my phone a new generate
the password that creates the password forme, Phil done. Takes five seconds,
saves me a lot of time.Yeah, it is something I started
(24:53):
doing about five years ago. Ithink the system I use is called keeper
Keepers, the one we deploy aspart of our enterprise security stack. It's
excellent. Yeah, I have avery very unique password for that just to
get into the system by itself.I don't think anyone whoever would ever be
able to figure it out. Butyeah, it's very helpful. I must
(25:14):
have thirty forty different accounts in there. There's just no way I could ever
stay on top of all those exactly. And there's when computers first came out,
I would say the nineties and twothousands, and online accounts became a
little more frequent. I guess youwould say. The add is what you
should change your password often? Right? They said, treat your passwords like
your underwear, change them often,right, Have lots of different pairs,
(25:37):
is what they said. And thereality is there's some half that they actually
found after significant you know, realworld cyber attacks of people changing their password
every sixty days. It caused themto just write that password down on a
sticky note, stick it to theirmonitor, stick it underneath their keyboard,
have the same variation of you know, wife's name plus the dog's name plus
(25:57):
one two and then okay, wellone three, one four, one five,
And it really wasn't more secure.You're far better having a longer password
and having multi factor authentication on thingsand using a password manager. Yeah,
so something came to mind as we'retalking a little bit about this, and
you're talking about facial recognition, andit caused me to think about artificial intelligence,
(26:19):
and I'm just kind of wondering,you know, will AI be able
to duplicate my spatial features at somepoint. I don't know if you've heard
anything about the immunists. Seems prettynew. When all that technology first came
out, you could take a pictureyourself, print it on a piece of
(26:40):
paper and stick it up there.Then they got advanced and they scanned for
three D biometrics, so you couldput the piece of paper on your face
and curve it over and it stillworked. Like iPhones and android phones are
pretty sophisticated now for the most part, and you can't spoof it as easily.
However, every form of authentication isimperfect by its very nature. There's
always a way around it. Ifsomebody's motivated enough, they can get through.
(27:03):
For AI, everybody asked me AIAI, what is it? Is?
There cyber attacks attacking it every singleday. There are every ten AI
tools that get released to attack abusiness. I'm developing one or two as
part of my stack to prevent andthwart those. It's not possible to keep
up. There's no silver bullet andsecurity. It's not possible to win at
(27:26):
cybersecurity. There's no silver bullet iswhat we call it. There's no silver
bullet and security. Nothing is onehundred percent effective period. Yeah. I
think that's an important takeaway right there. Right, you know, do the
best you can that there's probably goingto be some breach at some point somewhere.
Maybe not as bad as the exampleyou gave of one hundred and eighty
(27:48):
thousand dollars, but still, Imean, even if it's just a thousand
dollars, I mean, you know, yeah, one hundred and eighty grand
was actually a small jeff for alot of the cyber attacks that we deal
with. Yeah, they're often inthen, and you're never going to hear
about these in the news, whichactually brings me to my third tip about
Okay, no security is one hundredpercent effective. Even if you hire a
tech trick, even if you hirea professional you diyatt, you have an
(28:10):
amateur doing it, you're doing nothing. It's not one hundred percent effective.
Whatever you're doing it will have flaws. To go back to the vehicle analogy,
you're barreling down the freeway at amillion miles an hour in your vehicle.
You got your IT team keeping thewheels, turning, the engine tuned
up to a top. You havea cybersecurity team that's protecting it. They're
watching the road ahead. You gotairbags and seat belts and safety systems.
Okay, what if a vehicle comesout of nowhere and smacks you around?
(28:34):
Right, you can have the bestIT and security. It's not one hundred
percent effective. You need insurance.That's my third tip is that you need
cybersecurity insurance, and you need cybersecurityinsurance that's effective that you can file a
claim successfully against. So many peoplehave cyber insurance and they go, I'm
good for a cyber attack, butthey don't lock the front door. They
(28:55):
keep all their windows and doors open, and somebody breaks in and the cyber
insurance company is going me all yoursecurity measures. They go, we had
insurance ineffective. Claim denied. Havea nice day. Yeah, yeah,
I think you can speak from experience. You've seen that, right, happen
more than probably on sounds like tome. Yeah, claims get rejected.
They don't have multi factor authentication,they don't have secure passwords just rejected.
(29:18):
Yeah, that's a great point.You know. Obviously you know my firm
Aler Group we you know, weprovide that type of insurance as well.
But that might be another topic byitself. I'll have to get one of
my buddies on talk about it.The octical contract if you will. And
you know then, mister employer,you need to read your contract. Yeah,
(29:40):
and it's not there. It's nota business owner's job at the end
of the day to read all thecontracts, understand the fine print. They
should have professionals that understand that lingo. And that's why I always recommend for
cyber insurance at least once a year, if not twice a year. Talk
to three different insurance providers, givethem the policy you have and say can
you beat it? Can you matchit? Whereas the gaps and weaknesses,
(30:02):
how do I protect myself? Talkto your IT provider. Most you would
be so surprised. Yet most ITproviders have no idea if their client has
cyber insurance or not. It's wildso they don't even ask if they have
it. No, it is focusedon keeping the wheels turning. You don't
care about security, Yeah, Iknow, that's a great point for sure.
(30:23):
You know we're running out of timehere, But is there a couple
other you know, quick tips thatyou'd like to share before we pose the
session today? Yeah, I meanthe final ones. It's pretty basic.
It's been around since the advent oftechnology. To back up your data.
I have a couple of copies ofyour data. It's so easy now with
cloud storage a couple bucks a month, you can back up anything and everything.
(30:45):
You've ever taken a picture of documentarieshad a conversation on it's very easy.
Right. You don't want your deviceto be stolen. You don't want
your flood to happen, a fire, disaster and incident. It's very important
on a personal level with a phone, and it could. But you talk
about a business, you know,back up your server, back up your
cloud system. We opplement on azero trust model tech tricks. We don't
(31:08):
trust anyone system in isolation, sowe back up and never dondancy. Contingency
plans, Business continuity and disaster recoveryis what we call it. For a
variety of scenarios and we test them. We do tabletop exercises, we do
real world scenarios. We pull theplug on the server and say how fast
until we can get this server spunup in the cloud? Right? What
if our email stops working, howfast can we migrate them to a new
(31:30):
provider? Run through these scenarios,test it. Don't just assume yeah,
I got a backup. I'm good. Right, But like I said,
I've got six more of those fourtips, right, I got six more
tips are available if you reach outto me on go tech trips dot com.
Yeah, so that was it goingto be the last question to ask
you. How people can contact you? Yeah? Yeah, my phone number
(31:52):
and contact form are all on mywebsite. Go tech tricks dot com is
g O T E C H tr ix dot com. And then you
can also reach out to me onLinkedIn. Brandon Walcott happy to connect with
you there. And something I'm activelyworking on for your audience is if you
have an opportunity to speak to yourclients or have a speaking engagement to talk
(32:14):
about cyber risk specifically for your industry, would love to provide education. Yeah,
no, I would appreciate that.You can also find Brandon on the
Sacramento Executive Network website, which iszachexac dot net. He's on there as
well. With all this contact information, you can also reach out to me
and I can connect you with Brandon. We've got all this contact information as
(32:37):
well. This has been very informative, very educational. Appreciate your time Brandon
today that we could spend a littletime together talking about it and cybersecuity.
Thank you so much, Jef.It was truly a privilege and an honor
to be here and participate. Iappreciate you very much. All Right,
(32:57):
you have a great day and we'lltalk to you soon. Right, I'm
a great one. Bye God mh.
Good morning, everybody, Welcome toanother episode Benefits and Brief. Benefits and
Brief is a podcast that we hereat the Sacramento Alera Group office do on
a regular basis and talk a littlebit about business issues, interview guests and
speakers that are experts in many differentfields. And we're super excited we have
(00:25):
a guest today that's going to talkabout the importance of it and cyber oxecurity,
mister Brandon Walcott, and mister BrandonWalcott is a recent member of Sacramento
Executives Network and Sacramento Executives Network isa local executive group that provides expertise and
(00:46):
resources and knowledge in many fields thattouch your business. We'd encourage you to
go to sackexec dot net and checkus out on the website. Brandon is
a recent, as I mentioned,a recent member of that and super excited
to have him on the call today. Brandon is a good resource when it
comes to it, and we're goingto talk about some of the issues that
(01:07):
employers are facing right now, especiallyaround cybersecurity, and I'm super excited to
have him talk a little bit aboutthat. But before we get into that,
Brandon, why don't you go aheadand introduce yourself, tell us a
little bit about yourself and your business, and by franky, why you got
into the type of business you're in. Yeah, thank you, Jeff,
and thank you again for the opportunityto doing this podcast and just talk to
(01:30):
your members and share some resources.Yeah. So my name is Brendon Walcott.
I operate a company called tech Tricks. We are a consulting agency with
about a half dozen partner in overtwenty staff, now operated outside of the
greatest Sacramento, California region, specializingin small and mid sized business IT and
cybersecurity. What we aim to dois elevate your organization with a proactive secure
(01:51):
system and that encompasses all IT andcybersecurity controls so that we can help you
focus on the highest and best useof your time, which is typically running
your business. There's a lot ofbusiness owners out there that the business is
running them and then they're just oneshort cyber attack, one phishing email away
from disaster. And that's what weaim to eliminate and resolve before it ever
(02:12):
becomes an issue. The reason Igot into this is because Yeah, I
don't like Yeah, Jeff, weyou and I talked about this previously.
I don't like bullies. There's alot of bullies in the cyber criminal world,
in the organizations that protect businesses fromcyber attacks, a lot of predatory
software companies, a lot of predatoryconsulting agencies, a lot of one man
band its organizations which I was inthe past that they're not competent in their
(02:38):
security, but they're very confident,which is a very dangerous concoction. And
so at the end of the day, they are allowing a business owner to
act on incorrect information and thereby,in my thought process, kind of bullying
them into making a decision not basedoff of correct information. And so I
don't like that. What I liketo do and why I started tech Choice
(02:59):
is my aim is always to educate, you know. I hope to earn
your business, of course, butMichael is just to provide some comprehensive knowledge
because there's so much misinformation out therein the cyber world. And so I've
been doing this for fifteen years now. Started my first business at the age
of fifteen, rolling around in mymom's minivan fixing computers for different clients.
(03:21):
Yeah, so you knew kind ofat an early age what you wanted to
do. It sounds like I wasvery blessed the opportunity to have the knack
is what they call it, right, It's got technology related during sort of
mechanical capacity. Somehow I just figureout how it works for first engineering and
learn how to fix it. Yeah, you know, kind of talking about
bullies, if you will. Theworst feeling in the whole wide world is
(03:44):
when somebody has you know, brokeninto your car or you know, stolen
something from you, stolen your youridentity. It's the worst feeling in the
world. Is so frustrating because it'slike you can't do anything about it.
You don't know who did it andwho's behind I didn't can't retaliate if you
will, Yeah, exactly. Andwhen it comes to y somebody breaking into
(04:06):
your car, somebody breaking into yourhome, you know, file police report.
That's pretty much all you can do. There's very low chance of finding
them. When it comes to cyberattack, we'll call it attribution who did
it? Basically, it's like apoint zero zero one percent you're ever going
to find and process whoever caused irrepaiablefinancial harm to your business. Yeah,
(04:29):
I was at a Rooseville event thatyou spoke at last month and talking about
kind of the top ten items thatif I'm a business owner I need to
pay attention to. I need tolook to, you know, an IT
expert like yourself in my business andwhen it comes to it, And I
was kind of surprised when you said, Hey, just because you have an
(04:50):
IT professional firm whatever you know,handling your IT doesn't mean that you you
are safe and secure from cyber attacks. Is that accurate? Brennan, Yeah,
So that's kind of the fallacy,right why I dedicate a lot of
(05:12):
my time to cybersecurity because the realityis when it comes to cybersecurity risk,
Let's take phishing emails for example,you got three choices. As a business
owner or C suite leadership. Fishingattacks are going to happen. It's going
to affect your organization. You andyour employees are going to receive them.
How are you going to act onthem? What intelligence do you have,
(05:34):
what tooling do you have? Youhave three choices. You can do absolutely
nothing and say I'm good, they'renot going to affect me. That may
or may not work slightly effective.Right, You can have what we call
a DIY approach that might be kindilyan amateur IT guide. It's a brother
or an uncle or a friend thatdoes it part time, moonlight or even
(05:57):
they're a qualified professional so to speak, or remember when it comes to IT
professionals, there's some certifications you canget, but generally there's not a full
blown degree. There's not licensing requirements, there's not state insurance requirements, there's
no real qualification to become a professionalIT provider. And then you have a
lot of business owners they're diying itor the third option is having a professional
(06:20):
to it, a true professional witha team of experts, with multimodality support
with Treiged Cybersecurity Team, incident Response, Network Operations Center, Tier one two
three engineers helped us dispatch the wholenine. That's professional. That's what tech
Tricks does, right, And soJeff, to answer your question on the
nose, a lot of business ownerssay, oh, I got my IT
(06:40):
guy. He's been doing it forthirty years, YadA, YadA, YadA.
You know he's good. He's reallygood. Right. What I like
to draw the analogy to is imagineyour business is a vehicle, right,
and the technology is the vehicle that'soperating your business. You start out with
an old vehicle, right, nota lot of safety, not a lot
of seats in the space, nota lot of power. But as you're
growing, your revenue is in themillions of dollars, right, you're bringing
(07:02):
in staff, that vehicle becomes largerand larger, and then your IT guy
is an operational focus, right,so he is focused on ensuring that that
vehicle is tiptop shape and running smoothlyso that you can barrel down that road
at a million dollars an hour towardsprofitability. That's their goal. Security is
hopefully at the forefront of their mindset. But their goal isn't to design the
(07:25):
best seatbout system in the world,the best air bags, the best safety
technology. Their job is not tospot at the ten thousand foot view what
threats are in the road ahead,what dangers might be lurking. Their goal
is just to keep that system runningbecause if that bus, so to speak,
that's barreling down the freeway. Guys, none of your employees can work,
You can't operate your business. Butsecurity will often come in and smack
(07:47):
that down, and now it's theIT person's problem. When in reality,
Jeff, to your question, youknow, it should be two separate entities,
two separate organizations, two separate people, one focusing an operational it and
one focusing on security. And Ijoke that they shouldn't like each other because
they're competing for budget to best protectthe organization. But the reality is they
(08:09):
should always be collaborating and bouncing offideas, and they should be in competition
for resources, because it's one thingto keep your business running with the technology,
but it's a whole nother thing tosecure that efficiently. It's balancing act.
You know. You mentioned, youknow, do it your own versus
you know, having a professional doit. So if I'm a business owner
(08:30):
and I was interviewing you, forexample, and what kind of credentially questions
would I ask of you, youknow, in terms of your your expertise
and education. Yeah, I mean, any any company, right is built
off of word amount and referrals.That's everybody's best referral source. So I'd
(08:50):
say go straight to the source.You know. I'll give you a list
of half a dozen of my clientsthat you could call, you know,
some that I just onboard in thelast thirty days, some I've been working
with for years, have a conversation, and I'll prompt you for questions,
and I recommend you go to alot of others to ask those questions.
Other providers, like any contractor youknow, get three quotes, ask them,
what do you do, how doyou charge for it? What's kind
(09:13):
of your response time? We havewhat's called service level objectives. We guarantee
your response within twenty four hours fora low criticality, high creditality eight you
know, major critical incident, everything'sdown within an hour or two. You
know, these type of things thata lot of IT guys a good qualify
to ask. You know, ifyou're a couple of million dollars in revenue,
you're probably thousands of dollars an hour. If all your systems are down,
(09:37):
if your website stops working, yourphone system, your emails, your
computers aren't functioning, it's very expensivefor you. And so the IT guys,
yeah, they might be a littlebit cheaper. But when you are
hard down, as we call it, and all your systems are down and
they have another client, it's harddown. At the same time, you're
one person has to be stretched intwo directions and they have to pick and
(10:00):
choose and hopefully you have a goodrelationship that they choose you, but now
their other client is suffering. Andso that's where the sole prop guy,
the one man band, they're stretchedpretty thin, right, and that's where
professional difference is. Yeah, verygood. And you're just kind of coming
back a little bit to the cybersecurity. How often or how many times during
(10:22):
a day are we being you know, attacked fishing as you would I think
you said is the term you used. Well, the statistics are sombering on
that. So ninety one percent ofcyber attacks begin with a single phishing email.
And you know that's up to everyorganization. I don't know about you,
deaf, but I get phishing emailsevery single day, right, I'm
sure you do. I'm sure everybodygets a phishing email, and we try
(10:43):
to do a pretty good job thatyou know. Notice it that that's you
know, hopefully, oh that's ascam, right, But the reality is,
you know, three hundred and fiftypercent times more likely for a small
business to be susceptible and attacked withsocial engineering than those at large companies.
So the reality is it's daily,it's hourly. The onseought of cyber attacks
(11:05):
is very realistic, but most peoplemake the assumption. Most businessmers, oh,
I have an antivirus software, Ihave a spam filter. I'm good
on security. I don't see cyberattacks. Hopefully, it's a multi layered
approach. It's important to protect yourselffrom all different avenues, all different threats.
Think about a vehicle. How manyairbag do you have? How many
safety systems you have? All thoseare federally mandated because people were dying in
(11:28):
attacks right now, attacks, butcrashes right cyber attacks. There's no federal
mandate for your business to maintain cyberinsurance or have a qualified it cyber professional
because the pain isn't quite there yet. Cybercrime is the number one transfer of
wealth out of any financial metric ona global level period, more than cryptocurrency,
(11:50):
more than stocks, more than buyingreal estate from out of countries and
bringing it in. Cyber criminal organizationstransferring wealth are none, and these organizations
often are very their businesses right.They're set up. You know, they've
got people working for him, andthey look legit. Here's the crazy thing.
You can look on various news articlesand sources. They've got YouTube videos
(12:11):
of people who are going in andyou know, perpetrating these organizations and seeing
what the scam is that they're running. These people. They have a phone
number on their website. They havea very certififsicated website. You know,
we're an IT company they call it, or we're a technology based company,
usually based out of India or maybeEastern Europe for example. Right, And
(12:31):
they have a phone number. Theyhave an HR department, they have a
finance team, they have a marketingteam and budget. They have recruiters,
they bring people in. It's allperpetrated as part of this scam organization.
Think about it like a multi levelmarketing. Right, you scam somebody out
of a thousand bucks, you gotell your buddy, you bring him and
you get ten percent of everything hedoes. Right, you can work from
(12:52):
home. It's a pretty cool job. It's a great job. You can
scam Americans, scam Western people.It's very effective and it works and they
get paid. Well, that's whyit works. That's that's just that's mind
boggling. So if what would youyou know, say, are things I
can look for, you know ina scam email. I mean, let's
(13:13):
say, you know, like obviouslywe have our filtering et cetera. But
you know, something gets through.I'm super busy and I see something and
I click on it. I mean, am I in danger already just by
just clicking on it? The bestthing that I have seen is I work
with an organization. At a previousjob, I worked in the day area
doing cybersecurity consulting, managing a sixhundred and fifty person organizations, social engineering
(13:39):
protection. Right, So I thinkI'm I have the qualifications to speak on
exactly what this is. Right.The reality is the best phrase I've heard
is loose clicks think ships. Right. That goes back to World War Two
with loose lips sink ships, talkingabout not disclosing information, right, Think
about that. Any link that yousee and you click on, from any
(14:00):
employe in your organization that has thepotential to sink the whole ship. So
be extremely careful. The red flagsyou should look out for, of course,
you know email address and spelling,right, content of the email,
how is it formatted? How isit words? Where did you know this
person? You know? Investigating whatwe call these red flags, the key
indicators in an email. But thereality is, I can't really teach you
that in a thirty second web snippet. You have to take cybersecurity awareness training
(14:24):
and then beyond that you take training. That's great, but attack your employees.
You as a business owner need toknow. Ninety one percent of attack
start with a phishing email. Sofish your users, then them potentially malicious
looking phishing emails that are benign,they're cleaned and sanitized, and see do
they click on them. We findon average about forty five percent of users
(14:48):
in an organization click on a stimulatedphishing email when we send it out as
part of our level two pen test. And that's a summary statistic, and
you think, wow, that mustjust be you know, individuals who haven't
had training. No, Generally it'sthe c suite executive and the business owners
themselves that have a higher phish pronepercentage because they're really busy and they don't
have time to read it and analyzeit right. And then you have the
(15:09):
new employees who are aiming to pleaseand they want to click on everything to
make sure everything gets done quickly.Both people are very susceptible. Interesting,
so you provide that kind of educationand training them for your clients. Absolutely,
we have a clever platform that wetake real phishing emails that our companies
report, and we have threat intelligenceas a professional from our hundreds of clients
(15:31):
that then bundle it in and attackour own users with the same real world
attacks that we're seeing from their clientsand others in real time. Yeah,
you've shared a couple of stories withthe networking group, you know, examples
of where this has happened, andyou know it's just cost that business owner
a lot of money, a lotof money, you know, and time
(15:52):
and cash. So want do youhave a couple of stories you can share
with the group real quick? Yeah, as there's too many. I could
spend an hour just talking about thisalone. But just last month in the
Greater Sacramento area, I had aconstruction company. Last year five million in
revenue, this year ten million inrevenue. For six months, I've been
casually in a conversation with them,Hey, you need to worry about cybersecurity.
(16:15):
We're dealing with all these government contractsnow, YadA, YadA, YadA,
it's important, it's important. Andthen they go, you know the
cost it was not even a couplethousand bucks a month to manage all of
their systems, to protect them,manage all their emails, just handle everything
that their office manager was doing it. They were probably spending one thousand dollars
themselves on just the software. Itjust didn't make sense. And I knew
that, and I was trying toarticulate that, but it just was a
(16:36):
failure to penetrate the mind of thebusiness owner. Right. I get a
text on a Friday morning, Hey, quick cybersecurity question. I call them
back. What's going on? Wejust had one hundred and eighty thousand dollars
stolen from one of our clients.Can you help? That was the initial
Hey, not how's it going,but hey, we just had this happen.
You know, what can you do? Within two hours, we were
(17:00):
on site, we had all oftheir systems locked down, We had our
third party incident response company come in. Mind you this was a significant breach.
We didn't know where the information wasbreached, what happened? Who's compromise?
And then within seventy two hours weturn them around, cleaned up all
their systems. It became a criminalinvestigation. We had to forensically analyze all
the systems for any sort of mawerethat exists on the endpoints as well on
(17:23):
the cloud, and we actually foundthat their email system was breached via probably
one of those ninety one percent ofattack start with a phishing email. So
my client's email system was compromised.Somebody was in there analyzing all the email
boxes, seeing and scanning for wordslike ACCH payments, remittance accounts, payable
billing, hiding all those emails,and then sending their own modified account information
(17:48):
out. All it took was onephishing email to steal one hundred and eighty
thousand dollars. Happy ending that story, we were able to recover. It
happened on a Friday, right twentyfour hour hold on ACCH transfers for business
to business. In this case,we caught it early enough that we were
able to get the funds back,which is incredible. But that's the same
story. I just met a gentlemanlast night. He's a commercial banker for
(18:11):
Chase Bank, and he was saying, you know, one of his clients
buys luxury basically houseboats and then rentsthem out Airbnb style. He was putting
a deposit down on four of thesehouseboats. They were two hundred and fifty
thousand dollars for the initial deposit.He got an email from the manufacturer Hey,
here's our wiring information. Send itover. Not but thirty seconds later,
Oh, same person, So sorry, here's the update of wiring information
(18:33):
I missed misput in the numbers lasttime. He's thinking, Okay, no
worries. I've wired the money before, I should be safe. Now he
sends it. Twenty four hours later, the manufacturer goes, hey, you
wire you two hundred and fifty granddeposit. The client goes, yeah,
I did. Turns out that manufacturerhad their email system breach. So now
my connections client was out that money. But the manufacturer didn't have that money
(18:56):
either. The cyber criminals had it. You know, nobody is a winner
in this scenario. It's just devastating. Yeah, I remember you tearing that
first story with the group, andI think at that time it was fairly
recent. I didn't remember you sayingthat you were able to get the money
back. But so it was aclient of theirs that somehow they had been
(19:17):
able to get to the to theirclient's account. So my client had their
email system breached, but is nowmy client is no longer breached anymore,
and so bad guys likely out ofEastern Europe. We can't prove attribution because
there was using sophisticated threat actor methods. But they were monitoring my client's email
communications for anything inbound or outbound regardingpayment, any transfer money period. And
(19:41):
they were sitting in there, likelyfor months, waiting, waiting, waiting.
It's called the persistent threat and ATPadvanced threat, that's persistent, right,
and it is analyzing all their communicationsand they're just waiting. They're sitting
out there with binoculars looking in frontof your business saying, Okay, when's
that bank truck going to pull up? Boom, there is. We're going
to put on the uniform, actlike we're them and change where that money
(20:03):
is going. We're going to putit into our door. Right, And
that's exactly what they did, andit was highly effective. Don't like that?
Wow? And now, of coursethis client is is my client.
They understand their value in the serviceyou provide, because how many of these
contracts that was a government contract,how many of these government contractors are going
to work with them? If theykeep having fun stolen? That absolutely that
(20:26):
definitely would stop any business in thetracks. Yeah, so if you could
you know, we've got about fiveminutes left here, are there any kind
of quick universal cyber tips you canshare with the audience that you know they
can they can apply today. Absolutely, yeah, And I'll start with saying
(20:48):
I have a list of top ten. You're welcome to reach out to me
on my website gotechtricks dot com thathas a full list of top ten.
But I love to provide free resourcesto the community that they can use to
protect themselves if they do choose togo that second DIY route. But really,
the top three tips that I have, or all organizations, both personal
and professionally, all your employees,business owners, put multi factor authentication on
(21:11):
everything that you have, right,especially your email account, any sort of
website hosting, any file sharing Google, drive Box, drop Box, one
drive and so forth, any socialmedia that you have, any banking information.
Of course, you know all thosecomponents. If in a threat actor,
a hack or a bad guy whatare you going to call it,
gets into those, they can pivotto any of the other things. Imagine
(21:33):
your email. How hard is itto reset a password? Well, the
bad guys have your email, theycan reset your password to everything, right,
So the least you can do isspend thirty seconds setting up multi factor
authentication multi fact authentication For those notfamiliar, when you bog into your bank,
it sends you a text message withsix digits that set us most fundamental
level multi factor authentication. Yeah,I've seen that, that evolution of those
(21:56):
those security measures of you well,you know, just even five years ago,
I don't think we had all thesedifferent you know, gatekeepers hoping that.
Yeah, thanks for the first toroll it out. I used to
bank personally, but ten years agothey were requiring that because passwords really aren't
that secure. And that's my nexttip we'll talk about. But the reality
(22:19):
is you need something else to protectyour account beyond just a password alone.
Yeah, let's talk about passwords.You know, you have a suggestion around
that as well. And you knowthere are people out there that I don't
know that they have, you know, taken that extra stepick. You know,
it's not real super expensive. You'vegot to pay a little bit to
(22:40):
have these other tools in place.But yeah, I know you've talked a
bit about where to put your passwords. Yeah, So, like I said,
passwords, by their very nature onlyone factor authentication. They're not a
multi factored so even by themselves,they're not secured. However, we need
them for every single account. Ithink we're changing. There's a lot of
know your iPhone, your Android.They have facial recognition. You don't even
(23:03):
put a password or pasket it anymore. That's a little bit more advanced.
My websites don't have that yet.We're getting there. So I recommend use
to a password manager. I likea cloud based password manager. There's a
couple of variety out there that youcan utilize. They're pretty much all the
same for the most part. Lookup top ten password managers. Pick one
and roll with it, right.But I like those because it keeps all
(23:26):
my passwords for all my accounts synchronizedbetween all my computer's web browsers and my
phone, so anywhere that I amat any point in time, I can
get those passwords. Me personally,I like to share them with my wife
so that she has them if anythinghappens to me or if I'm not available,
right, and she could log intomy different accounts, right, And
so that's very important for me.And I have a strong, unique password
(23:47):
for every single account, and Idon't reuse my passwords and so correct me
if I'm wrong, Jeff. Butthis is the common story for people.
I have one or two passwords.It's my wife's name, my husband's you
know, birthday plus three digits,my dog name, you know, or
my anniversary. Right, and it'ssome variation of that plus one two three
(24:07):
explanation point for different accounts. Whenthey asked me to change it, I
just have this exasperated sigh of painand anguish. Right, So I just
change it, and I can't manageit. So I have a piece of
paper, a word documented cell spreadsheet, a note in my phone, I
text myself the password. It's likefive or six different systems, and when
you have to change it, it'sjust a pain in the butt. That
(24:30):
that is the reality for most people. Me. I need to update a
password. I log in. There'sa little icon in my web browser.
I click phil done. It's astrong, unique password. I create a
new account on my phone. Great, go on my phone a new generate
the password that creates the password forme, Phil done. Takes five seconds,
saves me a lot of time.Yeah, it is something I started
(24:53):
doing about five years ago. Ithink the system I use is called keeper
Keepers, the one we deploy aspart of our enterprise security stack. It's
excellent. Yeah, I have avery very unique password for that just to
get into the system by itself.I don't think anyone whoever would ever be
able to figure it out. Butyeah, it's very helpful. I must
(25:14):
have thirty forty different accounts in there. There's just no way I could ever
stay on top of all those exactly. And there's when computers first came out,
I would say the nineties and twothousands, and online accounts became a
little more frequent. I guess youwould say. The add is what you
should change your password often? Right? They said, treat your passwords like
your underwear, change them often,right, Have lots of different pairs,
(25:37):
is what they said. And thereality is there's some half that they actually
found after significant you know, realworld cyber attacks of people changing their password
every sixty days. It caused themto just write that password down on a
sticky note, stick it to theirmonitor, stick it underneath their keyboard,
have the same variation of you know, wife's name plus the dog's name plus
(25:57):
one two and then okay, wellone three, one four, one five,
And it really wasn't more secure.You're far better having a longer password
and having multi factor authentication on thingsand using a password manager. Yeah,
so something came to mind as we'retalking a little bit about this, and
you're talking about facial recognition, andit caused me to think about artificial intelligence,
(26:19):
and I'm just kind of wondering,you know, will AI be able
to duplicate my spatial features at somepoint. I don't know if you've heard
anything about the immunists. Seems prettynew. When all that technology first came
out, you could take a pictureyourself, print it on a piece of
(26:40):
paper and stick it up there.Then they got advanced and they scanned for
three D biometrics, so you couldput the piece of paper on your face
and curve it over and it stillworked. Like iPhones and android phones are
pretty sophisticated now for the most part, and you can't spoof it as easily.
However, every form of authentication isimperfect by its very nature. There's
always a way around it. Ifsomebody's motivated enough, they can get through.
(27:03):
For AI, everybody asked me AIAI, what is it? Is?
There cyber attacks attacking it every singleday. There are every ten AI
tools that get released to attack abusiness. I'm developing one or two as
part of my stack to prevent andthwart those. It's not possible to keep
up. There's no silver bullet andsecurity. It's not possible to win at
(27:26):
cybersecurity. There's no silver bullet iswhat we call it. There's no silver
bullet and security. Nothing is onehundred percent effective period. Yeah. I
think that's an important takeaway right there. Right, you know, do the
best you can that there's probably goingto be some breach at some point somewhere.
Maybe not as bad as the exampleyou gave of one hundred and eighty
(27:48):
thousand dollars, but still, Imean, even if it's just a thousand
dollars, I mean, you know, yeah, one hundred and eighty grand
was actually a small jeff for alot of the cyber attacks that we deal
with. Yeah, they're often inthen, and you're never going to hear
about these in the news, whichactually brings me to my third tip about
Okay, no security is one hundredpercent effective. Even if you hire a
tech trick, even if you hirea professional you diyatt, you have an
(28:10):
amateur doing it, you're doing nothing. It's not one hundred percent effective.
Whatever you're doing it will have flaws. To go back to the vehicle analogy,
you're barreling down the freeway at amillion miles an hour in your vehicle.
You got your IT team keeping thewheels, turning, the engine tuned
up to a top. You havea cybersecurity team that's protecting it. They're
watching the road ahead. You gotairbags and seat belts and safety systems.
Okay, what if a vehicle comesout of nowhere and smacks you around?
(28:34):
Right, you can have the bestIT and security. It's not one hundred
percent effective. You need insurance.That's my third tip is that you need
cybersecurity insurance, and you need cybersecurityinsurance that's effective that you can file a
claim successfully against. So many peoplehave cyber insurance and they go, I'm
good for a cyber attack, butthey don't lock the front door. They
(28:55):
keep all their windows and doors open, and somebody breaks in and the cyber
insurance company is going me all yoursecurity measures. They go, we had
insurance ineffective. Claim denied. Havea nice day. Yeah, yeah,
I think you can speak from experience. You've seen that, right, happen
more than probably on sounds like tome. Yeah, claims get rejected.
They don't have multi factor authentication,they don't have secure passwords just rejected.
(29:18):
Yeah, that's a great point.You know. Obviously you know my firm
Aler Group we you know, weprovide that type of insurance as well.
But that might be another topic byitself. I'll have to get one of
my buddies on talk about it.The octical contract if you will. And
you know then, mister employer,you need to read your contract. Yeah,
(29:40):
and it's not there. It's nota business owner's job at the end
of the day to read all thecontracts, understand the fine print. They
should have professionals that understand that lingo. And that's why I always recommend for
cyber insurance at least once a year, if not twice a year. Talk
to three different insurance providers, givethem the policy you have and say can
you beat it? Can you matchit? Whereas the gaps and weaknesses,
(30:02):
how do I protect myself? Talkto your IT provider. Most you would
be so surprised. Yet most ITproviders have no idea if their client has
cyber insurance or not. It's wildso they don't even ask if they have
it. No, it is focusedon keeping the wheels turning. You don't
care about security, Yeah, Iknow, that's a great point for sure.
(30:23):
You know we're running out of timehere, But is there a couple
other you know, quick tips thatyou'd like to share before we pose the
session today? Yeah, I meanthe final ones. It's pretty basic.
It's been around since the advent oftechnology. To back up your data.
I have a couple of copies ofyour data. It's so easy now with
cloud storage a couple bucks a month, you can back up anything and everything.
(30:45):
You've ever taken a picture of documentarieshad a conversation on it's very easy.
Right. You don't want your deviceto be stolen. You don't want
your flood to happen, a fire, disaster and incident. It's very important
on a personal level with a phone, and it could. But you talk
about a business, you know,back up your server, back up your
cloud system. We opplement on azero trust model tech tricks. We don't
(31:08):
trust anyone system in isolation, sowe back up and never dondancy. Contingency
plans, Business continuity and disaster recoveryis what we call it. For a
variety of scenarios and we test them. We do tabletop exercises, we do
real world scenarios. We pull theplug on the server and say how fast
until we can get this server spunup in the cloud? Right? What
if our email stops working, howfast can we migrate them to a new
(31:30):
provider? Run through these scenarios,test it. Don't just assume yeah,
I got a backup. I'm good. Right, But like I said,
I've got six more of those fourtips, right, I got six more
tips are available if you reach outto me on go tech trips dot com.
Yeah, so that was it goingto be the last question to ask
you. How people can contact you? Yeah? Yeah, my phone number
(31:52):
and contact form are all on mywebsite. Go tech tricks dot com is
g O T E C H tr ix dot com. And then you
can also reach out to me onLinkedIn. Brandon Walcott happy to connect with
you there. And something I'm activelyworking on for your audience is if you
have an opportunity to speak to yourclients or have a speaking engagement to talk
(32:14):
about cyber risk specifically for your industry, would love to provide education. Yeah,
no, I would appreciate that.You can also find Brandon on the
Sacramento Executive Network website, which iszachexac dot net. He's on there as
well. With all this contact information, you can also reach out to me
and I can connect you with Brandon. We've got all this contact information as
(32:37):
well. This has been very informative, very educational. Appreciate your time Brandon
today that we could spend a littletime together talking about it and cybersecuity.
Thank you so much, Jef.It was truly a privilege and an honor
to be here and participate. Iappreciate you very much. All Right,
(32:57):
you have a great day and we'lltalk to you soon. Right, I'm
a great one. Bye God mh.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
My Favorite Murder with Karen Kilgariff and Georgia Hardstark
My Favorite Murder is a true crime comedy podcast hosted by Karen Kilgariff and Georgia Hardstark. Each week, Karen and Georgia share compelling true crimes and hometown stories from friends and listeners. Since MFM launched in January of 2016, Karen and Georgia have shared their lifelong interest in true crime and have covered stories of infamous serial killers like the Night Stalker, mysterious cold cases, captivating cults, incredible survivor stories and important events from history like the Tulsa race massacre of 1921. My Favorite Murder is part of the Exactly Right podcast network that provides a platform for bold, creative voices to bring to life provocative, entertaining and relatable stories for audiences everywhere. The Exactly Right roster of podcasts covers a variety of topics including historic true crime, comedic interviews and news, science, pop culture and more. Podcasts on the network include Buried Bones with Kate Winkler Dawson and Paul Holes, That's Messed Up: An SVU Podcast, This Podcast Will Kill You, Bananas and more.