Hello and welcome back!

Yesterday was Father’s Day so I want to give a quick shout out to all the father figures out there! Today, I’m chatting with my husband Zach. He is an IT professional with knowledge in so many areas and he’s going to be allowing me to pick his brain on various tech topics that are important for any entrepreneur to consider. We’re starting with cybersecurity, which I feel is crucial when it comes to your small business, especially in this digital age. Give the episode a listen to find out ways to safeguard your business.


Main Topics included in this Episode

  • Zach’s background in the IT field.
  • Essential and low-cost cybersecurity practices for entrepreneurs.
  • Common cyber attack methods and what to watch out for.

Music Licensing Info

Music by Eli Lev - Dancin' on the Lawn


Episode Transcription

Speaker 1

Hello and welcome back to the Messy Mompreneur podcast. I'm your host, Alysha Sanford, and I'm so happy to have you here. Yesterday was Father's Day, so I wanted to give a quick shout-out to all the father figures out there. Today we're chatting with my husband. I thought it would be a fun time to have him on, just because of Father's Day and all that. He is an IT professional. He's knowledgeable in so many areas, so today we are going to focus on one of them. I wanted to bring him on because I feel like tech and security, and anything related to any of that, is not talked about that often. I see so many business coaches, marketing coaches, you know, small-business-supporting accounts online cheering people on, but I really don't see much of the tech or security focus, so I wanted to talk about cybersecurity with him today. It's a crucial topic, especially in today's digital age, and we are going to start with that and shed more light. So without further ado, meet my husband. Okay, so before we start and jump into the conversation that we're going to have today, can you give a little background to the listeners who don't know who you are or what you do?

Speaker 2

I primarily have been working in the IT industry for, I don't know, I'd say the last six years, just working for various companies here and there. I do a lot of basic kind of IT needs for companies, as far as maintaining their infrastructure. I do a lot of programming, whether that's web programming or native application programming. And then I also have a background with a little bit of cybersecurity; I have a cybersecurity certification. So that's just a little bit about me.

Speaker 1

OK, so today we are talking about cybersecurity, and I definitely want to chat about various IT topics that can relate to small business owners and entrepreneurs.

Speaker 2

OK.

Speaker 1

If you're still willing to have those conversations in the future. But today, so cybersecurity is definitely, probably the most important topic, I would think, to protect small businesses. So let's just jump into the questions I have for you. So my first one: what are some essential cybersecurity practices that every entrepreneur should implement to protect their sensitive data?

Speaker 2

Um, you know, as far as someone who's, you know, just starting up, obviously you're going to touch technology quite a bit in this day and age, because a lot of people aren't still doing, like, storefronts; they might just have an online business or whatnot. But you know, there are a ton of things that you can do. Some cost a lot of money, some don't. But just some basic things that you can do to help kind of give you a better security posture, so to speak, would be: you know, when you're signing up for services online, you can use complex passwords or phrases, just to make it harder to kind of get into those accounts. You know, one thing that a lot of people don't actually do is use two-factor authentication. With some people that I've talked to, it just seems like it might be an inconvenience for them, but a lot of services, even basic social media accounts, most of them nowadays will have some sort of setting in the back end where you can go in and enable two-factor authentication. And while it might be inconvenient, it actually stops a lot of unwanted people from trying to hack your accounts, because that's very common nowadays. A lot of people have their Instagram hacked and whatnot. But going in and enabling this and using it, so for example, I use it with just about every service that I'm signed up for online, and I just have the Microsoft Authenticator app on my iOS device. And it's really neat, because whenever I go to, like, hey, my Twitter account and I want to enable two-factor authentication, usually there's some sort of QR code you can scan with that specific application and it'll just add it to it. So it kind of keeps all your codes in just one app. And so what it does is, from a hacker's kind of point of view, it obviously adds more red tape for them to kind of go through, because it's one thing for them to kind of figure out what your password is and just use it anywhere.
Even if, let's say, I'm located here in Oregon and let's say a hacker from, you know, Florida gets it, they can log in from there. Well, that might be just something that they know. And what makes two-factor authentication two factors? One, they have to know your password, but two, they have to physically have this device with this app that has a, you know, time-generated code that you have to enter in each time you log in. So it's two different factors. So again, a lot of people kind of find it inconvenient. I love it. I mean, I use it for, again, just about every service, but it really does add a whole barrier of, you know, protection against, you know, unwanted people.

Speaker 1

Yeah, I know. I just finished trying to set all of mine up, and it does feel inconvenient at first, but it is really reassuring to know. Like, for example, even with PayPal, I've got the two-factor, and so I know that PayPal isn't going to be near as jeopardized.

Speaker 2

Yeah, you know, and kind of a side thought with that is, every time that I use it, let's say so, like one thing, I mean, everybody does, is, you know, they watch YouTube. So I have, with my Google account, two-factor authentication, and I never really save my passwords to my browser; it's just kind of a bad practice. So every time I log in with my password, Google will send a kind of prompt for me to open up an app on my phone, like the Google app or the, you know, YouTube app, and then it'll have a prompt in there for me to physically press, and that allows me to log in on my browser on my computer. So the cool thing about that is if somebody does find out what your password is, and let's say they're over there in Florida and I'm over here in Oregon, but they're over in Florida and they go to a web browser and they try to log in with my credentials, my phone will prompt me: hey, somebody's trying to log in. I mean, and in your mind you're like, hey, I'm not trying to log in right now. And then there's other things you can do, like go and see where this login is coming from, or if you need to change passwords if you feel like your password's been compromised. So it does a couple things, but again, yeah, you know, you're saying at first it feels inconvenient, but it kind of goes a long way.

Speaker 1

So speaking of inconvenience, you had mentioned complex passwords and not using the same password. Do you have any recommendations for dealing with multiple passwords? Because I'm guessing the reason most don't want to do that is because it's hard to remember a bunch.

Speaker 2

Yeah, I mean, I can go on for days with, you know, your original question about just, hey, what are some things I can do? So yeah, you know, one thing that I like to do, and I would assume a lot of people have more than, like, 10 services they use online now, whether it's Google, or whether it's Microsoft, or whether it's, you know, Meta with Facebook and Instagram, and Twitter. So that's, I mean, we're listing five right there. A really good thing to do is not only use complex passwords, but like you're saying, use different passwords per service, right? Because what happens is, you know, hey, if that guy, if I keep going on Florida, I have no, you know, I have nothing against people from Florida, but that's just the example I'm using for this. So that guy from Florida, you know, if he compromised my, you know, YouTube account and figured out the password, if I use that password, he can slowly pivot and figure out, hey, he also uses these services, let's just try that password. And all of a sudden he's into my Facebook, he's into my Instagram, he's into just everything, my Microsoft 365 account. So one, it's good to have different passwords, but like you're saying, how do you manage that when, you know, you have a complex password for this but you can't remember it? A really common tool that people use is a password manager, where it's like a small little database or a piece of software. I know there's some that are on iOS and I know there's definitely a lot for, like, Windows and stuff. But it's essentially just like a little database, and you can keep records of: hey, this service, you know, here's my username, here's the password to it, and then, you know, here's a link to the login screen or whatever.
And then so once you kind of build out this database with all these services you use and all the passwords, it essentially encrypts this database, and then all you have to do is remember one password to decrypt it and see all these passwords. So it's easy for you to manage, but there is a side effect to that where you have to be really careful in which provider you're looking at. So one that I had used in the past was called, I believe it's still open source, but it's called KeePass. And just recently they had an issue with some sort of vulnerability with a specific version of it where people, if they were malicious and trying to figure out what your passwords were, they could use that vulnerability against KeePass to figure out what your master password was, that one password you have to use to decrypt the entire database. They were easily able to get it through this vulnerability. I think they fixed that with a patch or whatever. So you just have to do a little bit of research. There are ones like, I think it's called LastPass, KeePass, or some online service. I typically like to have something that's local to my devices instead of using an online service that just floats around, but that would be a good way to kind of manage that, so you can use different passwords for everything, or if you need to update passwords and all that, and just have it in one spot.

Speaker 1

So if I was looking to set that up on one of my devices, would I go into, like, my settings and just type in "password manager"? Is that kind of universal?

Speaker 2

I think it's becoming more and more common. I can't speak for, like, Android devices, but I think the newer versions of, like... I kind of figured out my best way of doing it and I'm just sticking with that until something goes sideways with it. But I think in iOS there's actually, like, a built-in kind of password manager in it. I'd assume, because it's Apple, that it's pretty good, but you'd have to look into it, see if anybody's had issues with it. But from my understanding, if you go to, like, a site, let's say I just use Safari to go to facebook.com and I create an account, as soon as you're entering the username or password to log in for the first time, I think there's like a little prompt that pops up in Safari that says, hey, do you want us to remember the password? And then it stores all that. And of course in macOS they have their key vaults in there as well, where you can store those types of passwords, and they're all going to be encrypted. So some, you know, operating systems and some pieces of software have it built into it, but if you wanted to have, like, an all-in-one place, which I do because I use so many different operating systems and services online, I just like keeping them all in one place. That's how I kind of do it. But to answer your question, yeah, I think some of the software has it, and it's becoming more and more prominent as time moves forward.

Speaker 1

So, and those are, are they free, or are they just low cost?

Speaker 2

Some of them will have paid and some are free. Like I mentioned, the one that I used to use was open source, and so open source is a really good option for software and whatnot. Because, first of all, it's free; that's kind of implied with the open source, but it's really supported by the community, so it's usually pretty secure. But some of the other stuff, you know, like when I go get my Apple computer, like my Macintosh or whatever, you're going to pay for that operating system, you pay for that hardware. So it does come built into it, right? So you are kind of paying in a sense.

Speaker 1

OK. Well, my next question was going to be, how can small businesses with limited resources effectively manage their cybersecurity needs? But so far it sounds like the three things you've touched on, which are two-factor authentication, complex passwords, and then a password manager, they're essentially free, if not just low cost in a service.

Speaker 2

Yeah, I mean, if you're limited on resources, I mean, the biggest thing you can kind of do, if you're a small business, and I'm assuming that, you know, maybe you're the only employee, or maybe you have, like, you and a couple of other people, but really just going in and using some sort of training, like to always be training, because the kind of threats that are out there online trying to get your passwords, trying to get into your systems and see your data, they're always using new techniques as days go on. So you always have to kind of be up on the training. So just being aware of what's going on around you and what services you use and what kind of risks are involved with using those services can go a long way. And again, this kind of goes with, you know, I've worked for companies who have a lot of users, and so some of the things that you learn is, yeah, I can, you know, pay for the greatest software that's the most secure and all this stuff, and we can use secure e-mail servers and all this stuff, but at the end of the day, the biggest weakness to the organization is always the end user. And it sucks saying that, but it is, and it's usually due to user training. Like, hey, going through and just, you know, for instance, with e-mails, there's a lot of phishing campaigns out there where these malicious people are sending e-mails: hey, click this link, can you put your password in for this? And they're just always trying to get your information or get you to click on things or download things. And just having these end users, or yourself, if you're the only person, just always being aware of what these kind of look like, how they, you know, what they look for. And then again, what services you use and what risks are around them.

Speaker 1

So real quick, you have tried your best to educate me on what to click and not to click in e-mails, and just last week I received an e-mail from you, supposedly. So you had taught me to always double-check the sender's e-mail address, because they have a way of, basically, I don't know, titling their name or whatever however they want, but then if you click that it shows you the e-mail address that it's actually coming from. And it did say yours, and so I thought, OK, well, this is a weird message from you that I'm reading. It was a link and I clicked it anyway because I thought it was from your e-mail address. And it turns out it wasn't. And you mentioned the term spoofing. Can you kind of go into that a little bit? Because you said phishing; are they the same?

Speaker 2

Um, so phishing is, um, kind of like, there's some types of phishing that's targeted and whatnot, but phishing is just sending out e-mails. So that guy from Florida, I feel bad for him, but yeah, he's sending out, just blasting all these e-mail addresses with, you know, maybe an e-mail that looks like, for instance, let's say it looks like something that came from U.S. Bank. So I might hop on Photoshop and make a U.S. Bank logo that's similar and all this stuff, and I might just draft up this e-mail that looks, you know, pretty convincing. But it might say something like, hey, the last few transactions against your checking account, you know, have been halted; please click this link and log in with your U.S. Bank credentials to review and resolve these issues, right? And so beyond that e-mail, that link, he might stand up some website and actually do the same thing, like it looks like a U.S. Bank website and it has a login screen, and as soon as you put in your username and login, that person has, hey, guess what, your username and login to your U.S. Bank account. So those kind of fall into the category of phishing. They're just sending out these e-mails, and it's phishing with a "ph" and not an "f", but just sending out, blasting out these e-mails and seeing what they can get. I mean, in the literal sense it's almost like you're fishing, right? You're putting the worm on your hook and you're putting it in the pond and just seeing who bites, right? Spoofing's a little bit different. Spoofing is appearing as someone you trust, but you're actually not, and you just said it. We've had talks in the past about, there's ways in your e-mail client, like if you're using Outlook, you can see sometimes it'll pop up with a known name. So if I send you an e-mail, it'll say from Zach Sanford, not necessarily my e-mail address specifically.
But if you kind of hover over certain areas, it'll tell you who it's from, or you can look at the e-mail headers and it'll tell you exactly what e-mail address it's coming from. And so that's kind of a common thing with spoofing. It might say, hey, it's coming from Zach Sanford, but as soon as you hover over it, it might be some weird, you know, letters and numbers at some weird domain.net or something like that, and you're like, oh, that's not actually Zach or whatever. So that's a common way to kind of determine, hey, you know, I wasn't expecting an e-mail from Zach, and, you know, it's something about, you know, his auto insurance or something kind of strange; you know, that's something you can kind of look at. With our case last week, it was kind of unique, and this might happen to a lot of other people, but they spoofed my e-mail address, so it actually looks like it came from my e-mail. But of course it didn't when you dig deeper into the e-mail headers and stuff, and that's kind of beyond this conversation. But looking at that e-mail, you can determine, hey, OK, it looks like it came from Zach, but as soon as you got into the subject and the body of the e-mail, you can tell it doesn't sound like me. It was barely like, "Hello, Alicia Sanford," like that, you know. Those are things, so that's another thing to look for in e-mails, like if you're unsure: are there a lot of spelling errors, or is the grammar just not quite right? You know, those are indications. Obviously if an e-mail has a link in it you just want to kind of be cautious of it, and sometimes they might mask the link by just using text and it's a hyperlink, and you can always hover over those links and it will tell you what address it's going to take you to in your browser. So I mean, there's a handful of things you can do as an end user to kind of identify these. But yeah, our case was a little bit more unique.
And so it's just always, I might not know everything, you might not know everything. Again, it kind of goes back to your last question of just trying to always be aware and train yourself on what the next thing they're trying to do is, you know, what it kind of looks like or what to look out for.

Speaker 1

So speaking of that, these are definitely relevant right now. I mean, I feel like my inbox, or at least my spam folders, are just full of that. Do you know of any other emerging cybersecurity trends or technologies that entrepreneurs should keep an eye on within their small businesses?

Speaker 2

Um, I mean, as far as risks go, I mean, the biggest things that you should always, I mean, the two simple things. One, we just kind of went over: everybody uses e-mail, and that's one of the biggest kind of entry points for people trying to steal information, or they just might be a malicious person. So just knowing what to look for in e-mails, and we kind of went over that. But another thing is web browsers are a really good entry point for people, because a lot of times people might have a Chrome web browser and they use extensions, and you just install extensions willy-nilly and you don't really know who authored them or if they're malicious or not. So you might install wrong things. So a really good thing with web browsers is just always making sure they're up to date, because there are a lot of, like, and I follow this, like a cybersecurity, you know, thread daily, like, hey, update this, you know, Google just came out with a new update for Chrome because of a zero-day, you know, vulnerability, and, you know, known extensions that are bad and all that stuff. So just having that up to date, and then what to look for in e-mails, are really good ways, kind of trends, you know, to look for. But as far as emerging technologies that might be useful, you know, on the opposite side of things, I know we're talking about malicious people a lot, but right now a real hot topic is AI. So I mean, I'm sure you've heard AI in the last, I don't know, it feels like the last at least six months. But that might be a really handy tool as of right now for people to use. So one of the biggest ones is ChatGPT, the language model. It's pretty phenomenal. I would keep an eye on that, because I use it almost every day. I know you use it quite a bit as well. But a really good use case is just having, I use it to draft up e-mails for me. Like, I'm just like, hey, here's the parameters, you know, this is the kind of tone I want for the e-mail.
Hey, can you make one up? And it'll just spit one out, and then you can kind of look at it and revise it. You can say, hey, you know, I like that first paragraph, but let's make it a little more, you know, subtle here and there, and it'll redraft it for you. So it's a pretty handy tool as far as productivity, so AI's always one to kind of watch for.

Speaker 1

You already know this, but I may or may not have sought out some help with these questions from ChatGPT, because I wanted to make sure I'm asking the questions that would be the most beneficial as far as the conversation, but also the answers and the information that listeners could get from you, who is very knowledgeable on this, and I am not. And I just wanted to make sure I was asking, you know, worthwhile questions. So anyway, yeah, ChatGPT has been helpful, and I definitely want to do another conversation regarding AI, but as a whole conversation on its own. So we'll revisit that. But you were mentioning to keep an eye on AI as far as security, but I don't know that you dove further into why.

Speaker 2

Well, not really security. I use it more for productivity. Security-wise, the only thing, I mean, because I do follow a little bit, and it's something you've got to take with a grain of salt, because some people think it's like the be-all end-all, like, hey, I'm just going to start using it. And there have been, I mean, numerous accounts where it's beating some really hard tests at universities with, like, super high scores and all that, and the parent company, OpenAI, you know, they're still coming out with more iterations of it, and so it's a really interesting topic. But there have been a couple downsides to it. Like, for example, there's one, and I don't have the article up in front of me because I read this, I don't know, I think it was a couple weeks ago, but there was an attorney who had a client, and they were trying to build a case for their client to use in court, and the attorney used ChatGPT and said, hey, we're trying to make this case or whatever. And so it asked a few questions, and ChatGPT had come back with a bunch of references to cases, so like, you know, Sanford versus, you know, McDonald's, or, you know, stuff like that. And it came back with quite a few of these references, and the guy didn't proof it or anything. He didn't go back to check these, and being a lawyer, you have access to a lot of tools where you can go and check previous court cases, and that's how you kind of build your case. Anyway, so he presented this in court, and, uh, apparently they found out almost instantly that all this was bogus. And so, you know, when you go and look at each of these court cases against their database of previous court cases, none of these existed. And so it's one of those things where people just go at it. So that's why I'm always saying just kind of watch what it's doing, or see what else is out there. And again, the biggest thing is just use it, because it's a great tool, but...
Very sparingly, or if you do use it quite a bit, make sure, if you're using it in a professional sense, to really look at the answers and see, you know, hey, is this really what it's supposed to be, or, you know, is this just bogus coming out of it, you know, just spitting out some weird answer. So just always double-check it.

Speaker 1

Is there ever a concern of personal information that you share in your prompts or questions to ChatGPT? Is there ever a concern of that information being able to, I don't know what I'm trying to ask, like, leave ChatGPT?

Speaker 2

So, and this was even an older story that I had read, but so I do a lot of programming, and programming is a wide and vast, you know, kind of vector of IT. But so, to do a lot of things in programming, you're usually working against a set of data, and it's, you know, it's frowned upon to work against a live production set of data; you want to make some fake data. And there have been cases, and I've heard, I didn't look too deep into it, where people, when they're working for a company and they're programming a certain, you know, thing or trying to figure something out, they can use chat, ChatGPT, excuse me, to, you know, generate code for them, and it's actually really handy. But there was a case where a guy was asking for, hey, build me this snippet of code, and use this and that, and actually in the process of doing that, for whatever reason, he actually leaked out some proprietary information from the company that he worked for out to ChatGPT. And now it's being kind of cycled into the logic of ChatGPT, because it's always learning, right? And so you always have to be watching what goes into ChatGPT and also what's coming back out of it, right? So it's just, again, kind of take it with a grain of salt. Don't think that it knows everything, because it's been wrong on a number of occasions, and then obviously it's been right too. So just take it with a grain of salt.

Speaker 1

So we're going to have a separate conversation about AI further down the road, but I just wanted to make sure that we touched on the cybersecurity concerns of it, and I'm glad you shared that last bit, because I know lots of people are using it right now. It's kind of the hot new thing. So my next question: what would you say are the differences between cloud-based and on-premises cybersecurity solutions, and how should entrepreneurs decide which one is right for their business?

Speaker 2

Yeah, I mean, that's a pretty good question. You know, originally, 10, 15 years ago, it was all, and I'm going to use the term on-prem because that's usually how people in IT say it, for on-premises, meaning, hey, you know, we need an e-mail server, right? Well, we have to buy the physical hardware. We have to buy the server. We have to have, you know, a rack that it goes into. We have to have a networking switch so that our computers can connect to the switch and the switch goes over to the e-mail server, and all this infrastructure, essentially you have to own it. One part of it is owning it; also maintaining it, like issuing patches or software updates or all this stuff. And so on-prem was the model for, I mean, forever, right? And that's why we have IT professionals who really dive into these and do tests and stuff like that as far as patching servers and all this, because sometimes you might have a server that's production, like our main e-mail server, and, you know, Microsoft comes out with an update for it and then you just push it without testing it, and all of a sudden your e-mail server is not working correctly, and now all these users, they can't send e-mails outside of the organization and they can't e-mail each other, and then it just opens a can of worms. So there's a lot of headache when it comes to just being, if you're the owner of a company and having to manage that as well as your other duties, it can kind of just spiral out of control. So one of the nice things with most of these, and I'm going to call them CSPs, which stands for cloud service providers, they usually take care of all that stuff for you, right? A great example is you can go to, like, Microsoft, and you can actually just go and get a standalone Exchange Server, which Exchange Server is their e-mail server. They host it.
They do all of the network stuff to get in and out from the Internet out to other e-mail services, and I think they charge, like, at the time of this podcast, I think it's something like $5 per user. So if you were a small org and you had five employees, so it's $5 per user a month, to have your own kind of private e-mail where you can go in and configure it. Like if you want, hey, we want to block domains like these known malicious domains, you can do that, but you don't have to maintain the hardware or the software, so you don't have to update Exchange itself. That's all pushed out by Microsoft. So cybersecurity-wise, there's, you know, upsides to them and downsides on both sides. Right now, if you're kind of a smaller business, or even, I would say, a mid-sized business, the cloud solution is a great way to go, and that can be through, you know, depending on what your needs are. I mean, I'm assuming a lot of people need e-mail, so that might be something you want to use, or if you want to go out and just use your own, you know, like a free e-mail server like Gmail or Microsoft's Outlook, you can do that as well. But as far as small and mid-size, I mean, there's a lot of benefits to using these new, you know, software-as-a-service, you know. You and I, we use Microsoft 365, which is really beneficial because we get the Office suite, you know. Back in the day it was Microsoft Office, you know, 2007 or whatever it was, and you get the discs and you install it, put the product key in, all that. With the 365 or cloud version of it, you know, all these security updates, all this patching and all the stuff surrounding that, it's all just done by Microsoft, and they just automatically push it out, and all we have to do is pay our yearly fee and we get all these apps and they're all available to us online, or you download the client. Or, you know, it's really easy, you know, and it's something...
If I was to start a business, and not only am I managing, you know, the ins and outs of the business, but now I've got to worry about, OK, I'm going to install Office, and I've got to make sure it's patched and all that stuff. So it's just an easier way to go about it. But again, there are security measures you want to take, and a lot of these CSPs, or again cloud service providers, they use what's called a zero trust model, meaning that essentially everything is just locked down and you have to go in and kind of unlock it so they'll allow people to go and do things. So it's a good way to keep people out that are unwanted. But you do have to kind of go through and configure things in a certain way initially. But at the end of the day, it's really good.

Speaker 1

Can you share any real-world examples of successful cyber attacks on businesses and the lessons that entrepreneurs could learn from them? I'm sure we've heard a bunch of different headlines, but even some local ones, I think, we've heard of.

Speaker 2

Oh, I mean, I can go on for days about this. It seems to be like a weekly thing. You always just, you know, again, I kind of follow these specific, you know, streams of information, and cybersecurity is a big one just because, you know, I try to help other people out with, you know, their IT needs, and they use certain pieces of software. So I follow these streams just to see if I hear, hey, you know, so-and-so is using, you know, well, Maria, you know, there's a Chrome issue. It's like, oh, OK, then I know there needs to be a patch. Maybe I should call them and patch it or whatever. But back to the question, I mean, it does happen all the time. And so, you know, actually a local one that's kind of relevant and still relevant, we don't actually know all the details of it because it's so ongoing, is, I think it was last October. So that would have been like October 2022, or November maybe, of 2022. CHI, which is big in the healthcare industry, lots of hospitals across America. We have the local one to us in Roseburg, CHI Mercy. Their parent company was suffering a ransomware attack, I believe, and again, I don't have the article pulled up. Essentially they were victims of ransomware which affected, and I think the total count last I saw was about 164 hospitals across America. So these are in states like Oregon, Texas, Nebraska and others. But they're affected by this cybersecurity attack because it affected a lot of their different systems. And in fact, just our local Mercy, I think it affected something to do with their system that controlled appointments for customers, but mainly it was their payroll system for paying employees, and it caused a huge headache and people weren't getting paid correctly. And so, and that's just at our local level here. I mean, again, these things happen all over the country all the time, and, you know, we were just talking about these vicious people, or threat actors.
Essentially, they're just coming up with newer ways of attacking these organizations. And so, as an entrepreneur, you can sit back and look at it, and it's usually the ones you see in the headlines are going to be the bigger companies, but I assure you there are a lot of small organizations or small startups that are being attacked as well. And I think it's in part because, you know, being a small entrepreneur or a small startup, you know, you're on a budget, let's face it. You know, I mean, you can go out and get business loans and all this stuff, or you can save up money personally to put into it, but at the end of the day you're on a budget, and IT in general is very expensive, to pay for hardware, to pay for software, and that's why we have these cloud solutions and whatnot. But you're always on a budget. So even though you do see a lot of larger companies being attacked, because that's just what's in the news, I mean, a lot of them do get attacked as well. So, you know, just kind of reading the news, what kind of security threats are out there, and it kind of just goes back to just being informed. You know, once a week maybe, look, still, you know, 30 minutes of Googling around, see what you see out there. Even just look into your sector. Let's say you're starting up, you know. Or not sector, that's the wrong word, I'm sorry, your industry. You know, if you're doing something that's healthcare related, like manufacturing some sort of medical tool, you might want to see what, you know, cybersecurity attacks or ransomware attacks have happened in the medical industry and see kind of who they're targeting. You kind of want to put yourself in the threat actor's shoes to see if you're maybe a potential target for them, right? And also with these stories that come out, they usually tell you how things happened.
So back to this ransomware attack, it was all because of a vulnerability in this software that they purchased through a third party, and I believe it was a SQL injection, which is a very common way for malicious people to attack you through, you know, web-based attacks, right? They send commands to your databases that aren't allowed, and they can retrieve passwords and stuff like that, and once they get the passwords then they kind of have the keys to the castle, so to speak. So just knowing that they're doing that, then you can find out ways to mitigate against that type of vulnerability, right? So just kind of staying informed, you know.

Speaker 1

Yeah, this is somewhat unrelated, I guess, but you had mentioned small businesses having limited budgets to be able to potentially invest in cybersecurity solutions, but you also had mentioned the essentially free or low-cost ways at the very beginning, and one of them was two-factor authentication. I have a friend who had an Instagram account and she had built it over years and years and years. She had over 10,000, I don't know, followers, I guess you call them. But she had invested so much time. She had, I'm sure, a bunch of client communication in her messaging inboxes with that, and I'm guessing that two-factor wasn't set up, because she had someone hack her account and hold it hostage and demand, I don't know the dollar amount, but I'm sure they demanded thousands of dollars for her to get it back. And it just wasn't feasible, unfortunately, you know. I don't know. Just, you had mentioned businesses having a limited budget, but if you get hacked and kind of screwed like that, you have even less means to be able to get it back, and you've worked so hard for all of it, and you're kind of stuck.

Speaker 2

I mean, you're right. And I'm just going to kind of go back, since you mentioned the two-factor authentication. I mean, if people are, if these malicious people are smart enough or have the will to kind of keep trying and trying, I mean, they can get through the two-factor authentication in certain circumstances. But just by enabling that, I mean, it does add a huge wall that they have to try to climb over, you know, versus just using a traditional, you know, password-based authentication against services. But yeah, I mean, a story like that, and, you know, just in kind of my personal realm of things, there was kind of a celebrity that I follow that had their Twitter account hacked. And it was a similar thing where it's like, hey, if you pay this amount of money, I'll, you know, give you the password back so you can log in. Apparently, because it was a Twitter account, they were sending tweets with, hey, I purchased these laptops, and there was a link, and people are actually going to it because they're like, hey, this is that person doing a link and buying these laptops. Which, I mean, I have questions about that alone, because that's kind of strange, buying a laptop from a celebrity, but I would assume, just like in your case, that maybe the, you know, two-factor authentication could have helped out a little bit. But yeah, going back to, like, the budget, I mean, a lot of these services, they're starting to provide these for you. It's almost becoming a standard, which is great because that's no cost to you. It protects you and your accounts, but it also protects the company, whoever's providing the service, because they could be liable for, you know, these types of things. And so having that become more of the standard or more the norm, it's great, you know. And this is kind of a side note, but, like, because we were just talking about Twitter and two-factor authentication, they had just,
On Twitter, the DMs portion of it, because they weren't fully encrypted, these messages going back and forth, you know, if I was sending you a DM through Twitter to your account, it wasn't fully encrypted, or I'm not sure the specifics of it, but they now do full end-to-end encryption so nobody can see these messages or, you know, get them in transit or whatever. But the downside is Twitter wants you to pay for it. You have to be one of their verified, whatever it is, $8 or $10 a month, you know, to get it. Which I don't agree with. I think that with these services and the amount of advertising they do, I think end-to-end encryption for the end user should be just a standard. It should be part of the thing. So, like, if you're on Instagram using Messenger, you know, those messages between you and whoever, clients or whoever, those should be encrypted by default, and that's not always the case. So that might be another area to just, hey, some people think that, you know, nobody can see these messages, or, no, you know, they're all private because it's... Don't ever think that. Don't ever assume that. You know, because that's not always the case.

Speaker 1

Yeah, it's a scary thought. Oh well, OK. So my next question. I'm going to admit this is very much a ChatGPT question, because I didn't even know they were called this, so I'm going to ask it anyway. What are the potential cybersecurity risks associated with Internet of Things devices, and how can entrepreneurs mitigate those risks?

Speaker 2

Yeah, so do you know what the Internet of Things is, when somebody says, like, an IoT device? OK.

Speaker 1

I do not. I'm sure many other people don't.

Speaker 2

So, I mean, this is kind of one of those, I call it like a gray term or a fuzzy term, because it's something you can use for some things and some people don't consider that an IoT device, and it's just kind of a gray area. But essentially, it's like everything's now smart-enabled. You see a lot of home devices, right? Like your smart homes and your, you know, you can have a smart fridge or, you know, even down to, like, a light bulb, a smart light bulb that you can control with your phone or whatever. All these smaller devices are all Internet-enabled devices, and that's what.

Speaker 1

OK.

Speaker 2

They, I mean, they communicate through the Internet to your phone. Let's say I had a smart home and I was getting close to my house. I can open this app and, you know, turn on those lights before I get home so that we can see, because it's after dark, right? So all these devices have to go through the Internet to get to your phone, and vice versa for you to communicate back to those things. So these are all IoT devices, or Internet of Things. But yeah, a lot of people will buy these devices, you know, like a little, you know, something that you can talk to in the room, or your smart fridge, or just all these little things, right? And so a lot of times, just out of the box, they'll have kind of a default username or password on it, and a lot of people just kind of skip that. And so my advice for kind of protecting these things, I have two pieces that are, you know, free, that are really good to use to help against people trying to attack you who would be malicious. The first one is change the default username and password. I mean, get it out of the box, read your instructions, or maybe they have some PDF online that you read. But be sure to change it, because one thing that a malicious person can do is literally just, so let's say it was like a GE smart fridge and the model was like AY BG112 or something. That person can just go to Google and just say, hey, what's the default username and password for that? And there's usually some site that shows literally known usernames and passwords that will work against these refrigerators, you know. And so, depending on how they're trying to attack you, that just gives them a little bit of extra, you know, kind of a head start in trying to attack.
So getting these little devices and changing them. The next thing is, some devices, obviously a fridge is a bad example for this, but some devices you want to kind of lock away, especially if you're using them in a business setting. Like if you had a storefront, you want to kind of have a secured area, and this goes for, like, all of your stuff, all your networking switches, all of your, you know, loose tech devices like laptops and stuff. You want to kind of have them in a locked area, you know, away from people who can just get instant access to it, and that will help out tremendously as well. But, I mean, off the top of my head, that's really it for IoT devices. They're kind of little self-contained things, and doing that will help tremendously, and making sure they're patched and all that stuff, because, you know, they might push out a software update that you might put off for months, and it was an update that was a security update that blocked, maybe, going back to that example, you know, a SQL injection thing. You know, that's not always the case. But, you know, those are just things you can do to try to protect yourself.

Speaker 1

Well, how can entrepreneurs assess the cybersecurity readiness of third-party vendors and service providers that they work with?

Speaker 2

Um, that's actually a really good question. And this might be kind of outside of what I know, but I would say probably doing an assessment on their security documentation, right? So as an entrepreneur, if you were going to use something, some sort of service, in line with whatever product you're trying to give to your customers, so like a supply chain, you might want to ask them for, like, their security practices, or if they've been certified in certain areas, because you can ask that of vendors just to see what their kind of security posture is. And there's a technical term for it I'm trying to remember. It could be like vendor risk assessment, I think that's actually a thing, where you can just go through and identify, you know, we have three companies that provide the same service that we need, and going through and just checking what they do. And so one thing, and again this is something I wish I had, I don't have a computer in front of me right now to go look at, but there are certain things, depending on what you're doing as your business, certain acts and regulations that you have to abide by, and it really depends on what country you're in and, you know, where you're located and what industry you're in. So, like, a lot of people will know of, in the healthcare industry, there's HIPAA, right? You have to abide by HIPAA, the HIPAA act, to protect data of, you know, people, customers, or I say customers, but they're going to be clients in the healthcare industry, and I'm protecting their information such as, like, Social Security numbers, addresses and all that stuff, as well as their medical records, right? And so there are other things, like if you were trying to sell stuff online. I know that in the European Union they do have an act called the GDPR, I believe is the acronym, but it's essentially a data protection act that they all have to abide by, and companies within them, as far as it kind of sets rules and regulations on how
they have to manage and store their data and how they use customers' data, which is really nice. That should be everywhere. Unfortunately, I don't think there's a whole heck of a lot of that in America. I do know that in California they do have a similar type of act. So if you're working out of there, these might be things you want to ask of that supply chain, right, that vendor. You might say, hey, I noticed that you're located in the UK, you know, can you show me some certification? Show me some regulations. And you can even ask for reviews from other people who use their service, right. And typically these companies, because they're wanting to be kind of the middleman between you and your clients, right, they'll actually, they're used to this type of, you know, request. And so they might have security documentation just to kind of prove the kind of integrity of their security posture, right?

Speaker 1

That wraps up my questions for you today. I know that we're going to have more tech talk conversations in the future, and I'm excited about them. That might surprise you to hear, because I know that it's all above my head a bit, but I know that it's also all extremely beneficial, and not really, I feel like it's not talked about a whole lot. You see so many, I don't know, social media accounts, coaches, small businesses geared toward, like, literally business coaching, or just, you know, encouraging business owners, focused on supporting small business, and I really don't see much focus on the cybersecurity or the tech side of running a business. And so that's what I'm excited for, the future conversations, because it just needs to be talked about more.

Speaker 2

Yeah, you know, and it might be a couple of things, that, you know, one, it's kind of boring, right, to talk about, so it's not really appealing, especially when you're trying to start up. Yeah, you do see that there's, like, hey, you know, try these X amount of things and you'll generate more, you know, customers and stuff. But on the flip side, it's like, always, so we go from 10 customers to 200 customers, how are we storing the data? Are we following the rules? Like, you know, they say, we actually, there's a lot more that is done behind the scenes, and not a lot of people are really talking about it, or how to, like, effectively set something up to protect themselves as well as their customers, right?

Speaker 1

Well, if you'd like to allow listeners to connect with you, can you tell us where to find you?

Speaker 2

Yeah, sure, I do have a blog which I post to super infrequently. It's just zachsanford.com. And then I only use one social media, which is Twitter, and that's just at Zach Sanford, all lower case, which I do post a lot on there. So.

Speaker 1

Well, we'll make sure to include the links in the show notes as well, so it's a quick way to find you as well. Well, thank you for your time.

Speaker 2

Thanks for having me.