Don’t think it won’t happen to you, because stats say it will...

Episode Show Notes:

Intro & get to know us (00:30):

Hey everybody. I am Justin Shelley, CEO of Phoenix IT Advisors, and I'm Joe Melot CIO.

Welcome to episode 16 of stupid or irresponsible. We have gotten in the habit of talking about the most interesting thing that's happened to us this week. What do you got?

  • Joe: Oh man, I got a zinger for you. Good. Let me preface this with, I acknowledged that 18 year old Joe would be kicking my right now. I bought a rug about a month and a half ago and it showed up and I can't tell you how excited I was to see it finally arrive while the anticipation of a rug you've turned interior decorator. It is disgusting. It is terrible inside. I'm kicking my own self, but I can't imagine what 18 year old Joe was thinking. Uh, yeah, but anyway, yeah, that was two year old. Joe's not impressed with a two year old Joe, exactly. 72 year old, whatever. However old, this makes you well, congratulations on your, thank you, man. I can't tell you how excited I'd love to come over and see you and your brother.
  • Justin: For me, my most interesting thing that's happened to me today is I'm beat, man. This is my 3rd podcast recording today.  Two of them I knew about the third one was more of a surprise. I mean, I knew I was going to, I just didn't think it was going to be an actual recording. I thought it was kind of a prep meeting and they're like, no, we're rolling. Let's go. The age-old pop, up, podcast. But I love it. But it's exhausting. So hopefully I can keep the energy up and get through one more before I head home, head off, to the great state of Tennessee, because my nephew is getting married on Saturday.

Why do we call this podcast “Stupid or Irresponsible” (02:24):

So we got a wedding in the family coming up. Should it be a good time? All right. On that note, Joe, why do we call it stupid or irresponsible?

I mean just mean playground, bully style, like calling people names. I like it. We branched on it enough, but everybody wants to talk. They have got their mitts on. They, you know, he should probably do this. You should probably take care of this. And unfortunately, that always goes to the back burner and yeah, in the end, people just end up being, they need some hard truth.

They need some, levity in their lives. They need to be a little scared. They need to understand how important this stuff is. You need to know that you're being stupid. You need to be called stupid. You need to understand that these are real risks with gigantic, risks involved. Your livelihood. It’s not just your own, but everyone around you.

And I've probably said it before, but the example I stood in front face-to-face with the doctor who looked me in the eye and said he didn't care about security and it wasn't even about the money. It's just a guy. I don't care. Right. I don't care. Yeah. All right. Yeah. That's stupid folks.

So that's why we call it stupid or irresponsible. We are going to point out the stupid things that people do, the irresponsible things that people do. And really we're here to give you answers. We're here to counter that. We're here to give you resources so that we don't have to be stupid so that we don't have to suffer these consequences that could end your business.

So on that note, Joe, do we have any updates, any stupid updates since we've last met?

Stupid Updates (04:11):

We have been talking a lot about the spoofing campaigns. That's when people see an email, click this link to, we've got a document for you. Hey, can you check my resume? Hey, here's this invoice and it's just got an invoice number. You click on it and it takes you to a fake landing page for maybe Microsoft windows. Hey, you got to sign this, or log into your one drive and you can access this file.

The big one right now

Around the Christmas time, apparently, it's happening our gift cards, specifically target gift cards.

You might get an email that says, Hey, you, you know, you've got $14 and 6 cents remaining on your gift card, click this link and you get double, or it just says, check your it's about to expire, check your balance. And it'll refresh for another year. Especially around Christmas. People are logging in, they punch in their little code. Maybe it's a $20 card. Maybe it's a hundred, but it's just a, a scam campaign. They got that number. They're going in. They're pulling the money out. Your gift

A good tip for you type it into the browser yourself. Especially when people, when you get something in an email, unsolicited click, this link don't ever click that link.

Cybersecurity Tip (07:04):

You've been HACKED, what's the first thing you should do, Justin?

I mean, we kind of teased this last week. There are things that need to be done. There are protocols to be followed. Um, but for the love of all things, Holy, we want to prevent this from ever happening.

Absolutely. And that's the name of the game you want to prevent it? You want to put all the impediments for these guys., today's podcast is, is more about not the mitigation, but okay. Now you've been breached

  • A hundred percent. You know, we, we talk statistics 97% is the number that seems to hold true for preventable of the attacks out there. 97% of them are preventable. There are some that just, no matter how hard you try, if somebody, for example, if somebody wants to break into your car, no matter what you do to that car, if they want it bad enough, they are getting in!!

Spoiler for a headline later. “Even the un-hackable can be hacked.”

So you've been, heck what's the first thing you do? Well,

  • Step one, let someone know, let your it team your security, whoever takes care of your network, network infrastructure. If you don't have somebody like that, find someone immediately let them know. You need to let these people know the number one cause of these things going on longer and costing much more is not alerting the F learning people that should, that can take necessary actions, uh, before it just spreads and causes all kinds of.

Yeah. Well, let me tell you exactly why people are afraid to do that because we have built a culture of fear and shame around cybersecurity.

You know, when we were doing this traveling circuit of seminars, cybersecurity seminars a year ago, year and a half ago, one of the ones that I had talked about frequently was the employee of the city of Fort worth, who did find a security glitch, brought it to his superiors. It ended in him getting terminated. He had identified the problem, brought it to his superiors, and they wanted to silence him and he wouldn't be silenced. And so anyways, we don't have a culture generally. We don't want our customers to know. We don't want our vendors to know. We don't want our employees to know. We sure as hell don't want our boss to know if we did something wrong. So, I mean, this point that you're making is huge, even though, it can sound odd.

  • Step 2: Well, based on how hard you got breached, once you talk to your IT department, your MSP, or, you know, whoever's handling your network security, to the extent of what data application, if you're a healthcare industry, HIPAA requires, you know, you gotta let the FBI know you got there, they're a government resource needs to be reported to the authority. You have to report it. And if you don't, you're going to face the fines. You're going to face a lot harder, audits. You're going to face like the full brunt of the law here. If you don't let them know, they didn't have their fingers in the cookie jar. And this is insult to injury
  • Talk to your attorney. Let’s say you got breached, he's just sending an email with personal information on all of your clients to a list of a whole bunch of other people, or maybe the breach that happened in your network actually affected all your customers. You're required by law and, check with your attorney.

How, how should you proceed? Should you let all them, you know, you should probably let all them know. Sometimes you don't want to make like a, a public statement, right. Because there needs to be an FBI investigation before you can make that statement, or what can you make in your statement?

  • When you notify, if, and you should notify your clients, customers, patients, whichever industry you're in, um, there is an art to that. Definitely. You've got to be careful how you do it. Yeah. So yeah. Get the attorney involved.
  • If your first instinct is, we want to be as honest and truthful and forthcoming as possible. So now you email client X and say, Hey, we got breached. Here's all the details. Here's exactly. They got in through here and here's your password. And now he blasts on Facebook, your email. Now your attorney's got to do double work,  because he didn't let him know and say, Hey, you're not, you can't tell them this, because now you've got a, now we've got six things we've got to do instead of just the one to clean this situation up. Um, so yeah, those are two big things. Let them know and let those guys know. And then the remediation happens. Um, cyber crime, it's at an all time high right now, hackers are setting their sights on small and medium businesses who are low hanging fruit. That's us. Don't be the next big,

The low-hanging fruit is small businesses who do not take precautions. Let me, let me just put that little footnote on what you're saying there. I'll come back to it. I've got a, I got another point there, but it's for later.

We can help, give us a call. Go to and we'll give you five, 10, 15 minute, checklist during this call:

  • How good are you?
  • How, how clean is your system?
  • How hot, tight is everything, you know, maybe getting that, that router from spectrum is not enough for security, maybe everybody, the same password and safe, you know, but you don't know what you don't know.
  • We'll have the questions to ask and the things you can ask yourself, and ask your employees, ask, ask your, your company, is this, are these the standards that are going to get us in trouble?
  • Or, you know, are we going to lose data?
  • Are we going to lose our livelihoods?
  • If you don't care about security of your patients’ information, then you don't really care.

(15:41): Quick point on this discovery call that we always talk about where I'd say, and you just said it, you know, in 10 minutes, 10, 15 minutes, we can tell where you're at. And it's interesting as you know, especially the more of these that I do. I just had one right before we recorded this. And in literally it was 15 minutes because Oh, great guy. I mean, we had a good conversation. I enjoyed talking to him, but within the first, probably five minutes, I knew that they were absolutely screwed from a security standpoint. I can tell by mannerisms by how they talk. I know this guy is in desperate need now, you know, transferring that into, getting somebody to take action. We’ll see.


Back to our tip, that's the nature of small business, you know, you start at the bottom, Hey, let's how do we get my product to market? How do I make this happen? And now it's logistics and you're doing logistics, logistics, logistics, eventually, you know, it's time to pay the Piper. You know, there are security elements and network security elements that are required and necessary to keep everything going. So you can worry about logistics. Right. And that's kind of why we're here as an MSP. So you don't have to worry about that guy.

And because you physically cannot do everything yourself, right? We don't have the human capacity to be good at everything. I'm not, I'm not doing my own heart surgery.

Final point on this weeks tip (17:29):

  • Talk to your local IT, if you don't have local it get one, hire, in-house get an MSP (like us!), a MSSP, get somebody to take care of, at least take a look. Give Justin a call at the very least, so you can just check your poll, see where you're at. Then you can ask yourself, you know, what do I need to do? You know, you don't need to empty the bank. A lot of this stuff is all just procedure. A lot of it's just “do we have documentation?” “What is our policy here?” If you have never thought of this kind of thing, it's really just kind of a change in behavio A lot of it, all of it.

The cost, the investment, of  having good security measures in place, good technical, , processes in place. This is something that a lot of businesses look at this as a cost. It's a, you open up the profit and loss statement and you find a line item and you're like, ah, how can we shrink this cost or that cost?

Um, this is something that really technology when done right, should be, it should be leveraged.

It should be something that is increasing your productivity, your output. One of the things that almost never comes up is the emotional cost of technology. Because when you walk in and, you know, just the other day we had a lawyer, Caldwell has his assistant called up.

He walks into the office, turns on his computer and it turns on he can hear it spinning up, or I guess they don't spin up anymore. I don't know whatever, but he could hear it. He can hear it turn on, but the monitors down, it there's just no monitor. So, you know, attorneys bill at, you know, three, four, $500 an hour on the low end. So every minute is costing. And not only that, he's probably. And now he's got to go interface with his clients that he should have been doing whatever with, but he's dealing with this problem. And I mean, there's just that emotional cost.

It can make you have a bad day for a long time. The guy I talked to a minute ago, he was stewing over something that had happened over the weekend on his server that, that his former it company had screwed up. So, I mean, it's just, there's this emotional cost as well as an actual tangible cost to not taking action and having your technology work. So we focused so much about security.

I just wanted to make that point. This is separate from security because it is insurance mostly, but there's also a tangible benefit to this too.

Stupid Headlines (20:03):

  1. Foxconn
  2. FireEye – This one has me terrified, I’m not going to lie

So speaking of dollar amounts, I want to jump into our headline, stupid headlines, stupid headlines. Here we go. So speaking of being hacked, here's a couple of big ones. Uh, we'll go more into this next week, but Foxconn in North American region of Foxconn, basically all of your iPhones, every Apple device basically has a Foxconn, hardware in there. They got hacked, a ransomware, they're asking $34.7 million, for these guys, encrypted 1200 servers. These guys actually went in and started deleting a 10 gigabytes, uh, uh, or a 20 to 30 terabytes of their backups. So the number one key to like, we got ransomwared well, at least we got backups. They even went after those guys.

Oh, I mean, they're smarter than this. Yeah. Backups, but that was answer 10 years ago. Yeah.

But 34 and a half million plus, you know, nuts and we'll go away into that next week. Okay. The big one, I want to talk about not Foxconn FireEye,

  • This one has me terrified. I'm not going to lie.

Oh. And it should, it kind of freaks me out a little bit. So if you're not familiar with who FireEye is, they're the guys that deal with cybersecurity, we're talking States and governments and we'll, you know, in it, or, you know, CIA, FBI, government officials, state of you, here's a, here's the list of their a, they're a for profit four four-point clients, you know, just a small list, Sanford, Cisco, uh, CERN, USC, uh, the, the stock exchange, you know, and those are the ones that lift there's, there's, there's tons. I mean, there's a whole bunch on it. If you want to just dig into who FireEye is, they do, they are the it guys they're, they're the big leagues, right? Yeah. If we're, if we're a, you know, we're, we're a Frisco, uh, uh, the rough riders and those guys are the Texas Rangers. Yeah. I would even say the New York Yankees I'd

These are the guys that figure out the guts of the guts of the guts of how security works. Right. They know it inside and out. These guys got breached

  • A couple of quotes here, the threat actor who breached FireEye's defenses, specifically targeted FireEye's assets with tactics designed to counter both forensic examination and security tools that detect malicious activities.
  • These guys had hacker tools for hacker tools, right? So these guys got in there, the best of the best with the best backups, the best tiered levels of security. And these guys snuck in and they stole, guess what did they steal from FireEye? They weren't after documentation, they stole our tools. They stole the act. Right? Well, and, and the anti-hacking tools, because now they can reverse engineer it. Now I'm, I'm supposing that. I don't know that

That's the big, that's the big thing going on. Why did they get it? You know, there's so many questions. They haven't been able to release. Cause they're, I mean, this, these are the top dogs there. We're talking like that. The heads of Microsoft, the heads of Cisco, all the top vendors are talking and discussing with, with FireEye. How did this happen? What could possibly go on, um, their official statement? This is definitely like top tier world-class, uh, cyber security tools. that's Knuck in, they sniped their tools and got out, it's a state actor. Yeah. So world-class state actor. There's three world-class state actors right now. And that's the U.S. and China. New York times. They say people that know, say it's going to be Russia. Inside threads, a black hat, they're saying it's possibly internal us. There are even some sub threads talking about it's uh, potentially, um, I, did we talk about vault seven now?

Vault Sevem (23:45):

  • Vault seven was two or three years ago. I want to say it was 2016, a CIA informant, talked to WikiLeaks about all the CIA tools that were illegally, talking to US people and like stealing their data and going through and illegally stealing all that stuff. He said, look, the CIA is doing a lot in nefarious crafts guys. We need to call them out on this and put a stop to it and nobody blinked an eye. So, then he released all of the CIA hacking tools, for free open source, like come and get it. So, there’s a lot of people saying that these are modifications of those. These are up to date the world-class the best there is that could possibly be in existence. And there were all targets specifically at FireEye, their specific systems.

I'm going to tell you, I'm going to answer that question because this type of headline feeds into the problem. We face selling cybersecurity. It's “well, if they can get hacked, then it doesn't matter what we do. Right. We were like, we don't have any hope.” So why try? So why spend money? So why bother? Because clearly you cannot prevent a hack. All right. So it's a valid question and I've been asked that question.

One thing I'm going to point out is that the cyber criminals go two main groups of people.

  1. One is great big organizations like this that have a huge target on their back. And, and these are highly sophisticated. They're highly targeted. They're studied their research. Like this has probably been in the works for years. Yeah. So there's the huge targets are one group of people that get breached. I'll agree. Like what could they have done? I'm sure there's something they could have done, but it's all hindsight cannot wait.
  2. The other group of people that get hit are the ones who take this mentality, this is the true low hanging fruit

Stupid Teaser (29:55):

Next week we want to learn the three essential rules for all cloud applications.

So this is actually, I'm going to, I don't usually get into our teasers, but one of the things I don't hear it so much anymore, but earlier on trying to sell security. That was always the answer. Our safe, we moved to the cloud, right? Hey, dummy. That's not really going to help you at all. In fact, that makes your problems worse. Not better when it comes to security so that my friends is stupid to not think that moving to the cloud is the answer. And the security problem.

Taken from someone that just did a bunch, we did a HIPAA, PCI. I did so many compliancy reports today. Cloud security is probably the biggest, red flag in most of these cases. Just as we'll talk more about that.

  • If you're doing the right things upfront, you have the right policies and procedures in place and you get breached. There's hope. Yeah. If you haven't taken the precautions, you don't have the procedures in place and you get breached. Goodbye. Those are the companies that do not come back. It is game over. So, guys, don't go to game over. Just jump on the website. 10 minutes. I swear to you in 10 minutes, I can tell you, uh, whether you should be sleeping at night or whether you should be like terrified and running around, like your hair's on fire.

Do not be like Justin, where something might be hurting you, but I don't want to go to the doctor until it's too bad. Just talk to you. Talk to a doc here. Five minutes, 10 minutes.

Do not wait until your car has been broken into to put a security system on it. Don't wait until your house burns down to, by a fire alarm. You know, we've talked about that kind of stuff before. Go to: