In this episode, my guest Bryan and I discuss multiple Tech Myths that can leave YOU at risk every day.
Bryan from Echelon Technologies provides so much information in this episode and leaves you with multiple takeaways for you to start applying to your home and office today.
I am too small for criminals to go after me.
I just need an IT department.
I only need to review my tech training 1x a year.
SMB = Small to Medium Business = Largest victim of CyberSecurity Breaches!
Soft Targets = this is US!
Gateway Targets = Using US to get to the bigger enterprise companies.
Enterprise Organizations = Bigger Business vs. SMB
BEC = Business Email Compromise
PII = Personally Identifiable Information
Phishing is a fake email that prompts you to do something, typically with an attachment containing malware or a hyperlink.
We discuss how we are usually at fault when it comes to breaches from the bad guys.
**Humans can be your weakest links inside of your businesses!**
Please listen until the end to learn about these techniques and must-do's that you can implement today:
1) Start with your cybersecurity today and weekly! Not quarterly or annually!
2) Learn the "Stop, Look, and Think" Method
3) Practice the "SLAM Method"
We hope you enjoy learning how to protect yourself, your family, and your businesses!
Hello, and welcome to the Amber Stitt Show. I am Amber Stitt, and today I welcome my colleague Bryan from Echelon Technologies. So welcome, Bryan, thank you for being here.
Thank you, Amber, thanks for having me.
I appreciate so being Cybersecurity Awareness month I thought you'd be perfect for the audience because we need to really dive deeper into the idea of cybersecurity but also really do some myth-busting because I think there's a way that we potentially have grown up thinking that it might be able to be the only solution. But I actually met you through webinars talking about cybersecurity implementation inside the office setting as a way to prevent the business owners from a lot of risks because there's some training that's involved with employees or if that's what you are teaching us about phishing and so on. So, I thought we would start by introducing you and what you do over Echelon, and then maybe what your team can help with, and maybe kind of the history, your background, and then we'll dive into some high-level 101 of cybersecurity for the Awareness month this month. So I'll pass the mic to you and let's do a little background on yourself.
Thank you, again. Thanks for having me. Again, everyone, I'm Bryan, and with Echelon Technologies, we are a managed IT service provider. So think of that as kind of like a third party, like a virtual IT department for our clients. So we handle everything from your helpdesk to your projects to keeping the bad guys out in the first place, which is what we're talking about today, the cybersecurity aspect of things. So, my background: I actually graduated from U of A back, I don't want to date myself too much, but back in 2001. Been doing the IT thing pretty much ever since. I graduated a couple of degrees in computers that really aren't worth that they're written off because it's changed so much over the past decades. But so then I did a stint out with some software companies out on the East Coast for a while, then came back to my roots here in Arizona. I've been doing the managed IT service thing for a while. Director of Operations here at Echelon Tech for five years now. And we've been doing it for about roughly 18 to 20 days. Wow.
When you mentioned your graduation here. I remember that year last year I moved from Arizona to Arizona from Nebraska after finishing college so we're on the same page. Yeah, we're at that cusp of not being a millennial or just that final year right?
We actually started off as kind of the second iteration of the company. We started off in Arizona tech back in 2002 and built the company up to be with a pretty substantial client base, to the point where we actually got bought out by a bigger managed service provider, who will remain nameless. At the time, they proceeded to turn our client base into numbers as opposed to names. My boss, the owner of the company, was brought with, stayed on with the purchasing MSP, and found within nine months he actually left, because he just saw what was happening with his clients, and waited for the noncompete to wear out, or to expire, and then came back as Echelon. So we've been doing that ever since, and I'm proud to say we've definitely brought back the majority of those old clients that had left at the time, so that's really pretty cool. So it's a testament to my boss for sure.
Oh good. Well, so that sounds like oh, it's like what teams are working as efficiently as possible. And then really, it sounds like you're customizing for the client. It's not just like, getting all these memberships and just running everything on autopilot. We really wanted to dive deeper into each client's needs, even though there are some that are always foundational. That's really really cool. So sounds like you love what you do. So it's nice.
I love it. Every day, there's never a dull moment, really. I mean, the world of IT and cybersecurity is definitely ever changing, ever evolving. You know, we actually did start off as just that traditional kind of break-fix IT company a number of years back, but I mean, I want to say seven, seven years ago they really took a step back and refocused and really started honing in on cyber and being more proactive, protection from a 360-degree standpoint, which I'll get into later. So that's really been the focus and it's really been successful for us.
Yeah, we grow up thinking or even as a business owner or you are an employee and you have the IT department. Hey, Come help me fix this problem. But now it's really important to have two departments and the second department being cyber security Correct?
That's one of the biggest questions we get from small to medium business owners. They say, why would they go after me? I'm so small. Furthermore, doesn't my IT cover my cybersecurity as well? The two major problems right there, between the two already.
Yeah. Yeah. I mean, it's really, I'm guessing that the smaller the one that's not putting on the parameters, and just they're more vulnerable as a business to these predators online, right?
100%. In fact, now for the first time, really since the pandemic we're seeing Small businesses are the number one targets today. Small business owners think that it's just the big guys like the Colonial Pipeline to JBS foods. Just this morning I heard about airlines, and major airports across the country getting hit with cyber attacks that tie back to Russia. That's the other thing about the Ukraine war in Ukraine. All of this has brought a lot of heat to the US and it's not just enterprise organizations. They're still getting hit. But for every major attack that you hear about the news with a major company, there are at least 100 more that have happened to small and medium businesses that never get
reported. Kind of like the big victim will be on the media channels. But for every one, there are so many more behind the scenes that are just not being reported. I would say a first. Like if we were to maybe do some myth-busting here, the first myth would be just assuming IT can be your everything. You have to fold in that cybersecurity department and that team, correct?
Yes, absolutely. So you know, and I hate to say this, but we kind of did this, you know, my industry. We did this to ourselves in a way because for so long, prior to cybersecurity being such a big thing. We said You know, we got anti-virus, you're okay, right? We've got a firewall, on your router. That should be good. But all of these like consumer-grade firewalls, right back in the day, so things have changed significantly. And these protections minor protections that we recommended in the past really just don't cut it and small to medium businesses being the prime targets I call them soft targets we are we're softer targets because we don't have the budgets for those high-end enterprise security solutions that HBO Netflix, target. All these entities get hacked all the time, right? So they still get hacked, but again, we are the ones that they want to use. So soft targets but also gateway targets is another way I put it because they want to use us to get to the bigger fish, which we can talk about. enterprise needs just bigger. the soft target would be just on the side assuming that something can happen to them. That could be really any one of us. Even just in our homes working from home or on the road. Thinking up to a Wi-Fi in the airport or secure for the hotel. I mean, that's a risk a lot. A lot of us take whether or not we're business owners, correct? I mean, we really have to not rely on these. Open unsecured Wi-Fi I mean, that's just is that a gateway right there.
100% you'll see all of us in the IT industry will never have our Wi-Fi just turned on and ready to catch any open signal that's out there. So that's definitely open, open Wi-Fi. Public Wi-Fi is definitely a high-risk option. Really just a conference that I'm trying to do a mobile podcast station for my women and insurance and financial services. And we all pause because Okay, is that so that their IT person was walking around the media person? And he goes, You know, this is really secure. I mean, it's through the hotel but we all had a hotspot just to make sure that we were okay there we were not going to open up, and then there's not always the best signal. So that's just something I think for people that are traveling and as you go to the airport, different things just to be aware of not just relying on that. And then we'll talk a little bit more about kiddos in a different episode where just the general topic of the iPad or on that tablet on risk but let's go back to the back originally when I met you is through a webinar that talked a lot about training your teams and so if you're not doing the work, almost like you might have your standard HR webinars about sexual harassment or some of those legal things that compliance might require for the financial services departments or whatever it might be. Cybersecurity training should be at the forefront for any onboarding and then continuously, I think on an annual basis, right? So I'm gonna let you talk about that a little bit what do you recommend? Sure.
So, within the organization, people can either be your strongest defense, your human firewalls are your weakest link, and nine times out of 10. They're your weakest link. These days, even small businesses, have better security technology protection, which I'll talk about later, I'll go more into depth on your firewalls, your spam filtering, and things like that, that do help at a top level, but it's human error, that they're really seizing on right now. And so, phishing simulations, and ongoing training, that's imperative for any small business. So the problem there is that so many SMBs are small to medium businesses, right? So many SMB owners don't put much value much importance on that. So they do the bare minimum annual compliance training, they might do their 45 minutes for the year in one swoop and then they're done with it. I have tons of clients that are like that right now.
I just said annual. No, that's not enough. It should.
Not in my opinion, really.
So then there are certain businesses I think that one of them does have updated. It's not evergreen. It's updated technology. Maybe once a quarter, is that something that should be implemented?
It's a good idea. It's better it's getting there. I have some clients that take it on a weekly basis. So where I'm going with this training, it needs to be in school. So the day the old school training was about long PowerPoint presentations like you saw me do, right as I'm standing up on stage, rattling off a bunch of things for an hour. That's boring, that puts people to sleep, and do they retain much of that, you know, so little 5-10 minute increments here and there? That's what's key. Repetitive ongoing Repetition is key. Right? It's a marathon, not a sprint, and you have to keep your guard up at all times. Because the bad guys know that we are the weakest link, especially right now to pay in the industry as well. So that's all right, I'm not gonna get too much into that because CPAs they're extremely busy right now trying to meet their October 17 18th deadline. And so right there, they're much more prone to maybe clicking on that link because I updated this information here. I have this updated piece of information for that attachment, whatever it is. So we need to stay frosty, right? We need to stay savvy at all times. And ongoing short snippet training is really, in my opinion, the best way to do that. Yeah. Easy Ways to deploy.
This training you're talking about you. Do you deploy these fake emails on purpose to the team so they can see what is really going to come through their inbox? That would best do Oh, yeah, yeah. So who gets to create those that'd be probably a fun task to be the bad guy kind of to see it's like a game I'm sure. Unfortunately.
I've actually asked that question. So the bad guys actually help us with that. So our clients report phishing emails to us, right? So they say hey, is this phishing we check it out? Determine whether it is or is not. If it is, sometimes we'll take those and then you fold those in to make the tournament into simulated phishing emails. But our vendors on the back end also do that. So now I have some top you know, nationwide vendors in the industry that work exclusively with managed service providers, and they're the engines on the backend that are blocking out we have a particular tool that will scrub an email that's coming in, check the attachments, it'll check your check the attachments and hyperlinks and then also anything you send out it's going to scrub. That's a risky statement because a lot of people say Oh, well that's coming through. I don't have to worry about it. It's always a cat-and-mouse game and they're all the bad guys are always two steps ahead.
Okay. Number two would be assuming once-a-year training is enough. I mean, I think some people assume just a little bit of training will get you there. It's been evading it's happening real time. Everyday. So keeping in front of it is important.
So thinking that IT is going to cover all of that, we kind of touched on that, but let me get back into that a little bit more. So with your IT department these days, any small to medium business, if they're doing their job right, that's all they have time to do. Right? So they're reacting to what's going on in the organization. They're those password resets, right, the printers, I can't get the printer to work, and my email's not going through, my computer won't turn on, what's going on here? So they're constantly maintaining operational efficiency, right? That should be their number one focus. So if a business owner then asks them to be on top of all of what you're doing doesn't handle our cybersecurity for us. Well, you're gonna get mediocre at best, because it'll be your best effort, possibly, right? But you're not going to get the attention that cybersecurity really requires, which is proactivity.
And I think one of the things I wanted to circle back to when you're talking about CPAs for example, these bad guys will know that all right, certain firms have. So people working long hours long projects like 12-hour days to go through some of these deadlines, if that's your business and the nature of your business. That's probably when you're going to be subject to more of this, this risk factor. So really trying to be sure that you're not moving too fast, and still being aware and that training can help you stay in front of that and notice certain things even when you're tired working on those long days and still paying attention. You're going to be potentially under the microscope was somebody's people looking for you.
Absolutely. 100%. And business email compromise, BEC, is the number one what they get. So yeah, it's emailing us at the right time of day when we're stressed and when the pressure is on. Applying that pressure in the email itself. Good batter up you know sometimes it's "Hey, can you....," I'm updating this you'll get rewarded in some way if you respond to this soon or you're gonna suffer some kind of consequence if you don't respond to this soon. So they really apply that pressure and get their victims to let their guard down.
Yeah. Unfortunately, I was at an insurance conference and I heard a story, it was about three people talking about their firm. There were certain things that were being emailed from the boss or the team and it wasn't completely out of the nature of some of the words that they were using. Bryan, I know that you've taught a couple of clues and some of the emails things to look for, whether it's a .co or different arrangements of the emails or the domains, could be an easy way to spot something, especially when it looks so close to your team's emails. Are there a couple of pointers you could provide the audience with on that? Yeah, absolutely.
So there are a couple of different methods that we employ. So one, as simple as this is, is to stop, look, and think, right? So just stop, look at the email, and think about it in itself. So the other is the SLAM method. So you look at the subject, you look at the links, you look at the attachments, and you look at the message. So just the things to think about, especially what really gets the bad guys where they fail in their phishing attempts is the verbiage is a language unless it's really mimicking that CEO. Then that's that often goes. Employees oftentimes have a funny feeling about that. But that's what our point is: if it feels off in any way, shape, or form, pick up the phone, call someone verifies an email to your support team. That's the problem. We just don't pick up the phone anymore. No one wants to talk on the phone. I don't know what the problem is.
Yeah, I think that's an important thing. Because if you're just going to send another email, what if that's the wrong email to be forwarding and sending or you don't know if you're compromised, so picking up the phone and validating that way in a different mechanism using that as another verification is important, and you're right, picking up the phone. I know that we don't do it that often. But sometimes you just need to get that quick answer because the ramifications and consequences could be so, so bad. I know that you're gonna talk about that in some future episodes. So high-level cybersecurity one-on-one. I know you mentioned phishing, what's the quick easy explanation of what phishing is for the audience?
So phishing is going to be a fake email, right? It's going to prompt some kind of action from the user from the victim. Usually, there's going to be an attachment that has some kind of malware, malicious something in it, or a hyperlink that has some kind of malicious code in it. Or they're going to again, the pressure victim to divulge PII, that's Personally Identifiable Information here and hear more about that. So that's a big one, right? So that's things like your first name, last name, address, date of birth, phone number, social security number, and things like that. So now they realize that all I got to do is poke and prod us a little bit and we'll give up the goods.
What is something that if someone were to listen to this episode, and just walk into work, what would you recommend somebody just to start today?
Talk with your people and talk to them about the importance of email. If your business lives and dies by email, which most do, right, that's a primary means of communication, then you're at risk. Then you have a talk. And you need to be aware of that. That's the biggest thing you can do, is accept the fact that I'm a small business, and I'm a target, and I'm a prime target. They want to use me to get to my clients. They don't care about me so much. They want to impersonate me, the CEO, and get all my employees' information, get all my clients' information, get all those financial details that they can pull. So think about that. And then stop, look, and think at those emails. Apply that SLAM method to the subject, links, look at the attachments, and look at that message. If any of those things raise a red flag, reach out to your trusted reach out to me.
Yeah, that was a shameless plug, but I will take it. I do agree. And that was actually the second thing I wanted to bring up implementation is all right. If you don't have the IT team that you might employ, maybe you contract one, find one but then find the secondary component, which is almost obviously fixing problems with tech is always important, but then pull in a team like yours to then add that second layer. Because if you're picking up the phone and calling the CEO and they're traveling, they're not available, then they could call the person in charge of the department to say can you look at this, can you verify this for me? Having that backup source has helped me I know you guys have helped me in the past with that. So So that's great. So being Cybersecurity Awareness Month. Is there anything else I know that we're gonna start talking about a little bit of some strange stories in our next episode, but as of today, just for overall awareness to wrap up this episode, is there anything else you want to share with or maybe even some statistics, anything that you want them the audience to know before we wrap up today?
Let's stick with it. Stay with it in cybersecurity working together I have too many scary statistics and stories for a perfect day. For this episode, let's wrap up with the fact that really small to medium business needs both departments, IT and cybersecurity, working together. So there's this term called co-managed IT, so most companies have some form of IT in place already, be it a freelance person, a third party company, or an internal person that they pay. That's all payroll, right? So, cyber department, cybersecurity. Companies such as mine can work in tandem with those individuals. We're not there to take their jobs. We are there to make their jobs easier, to make them rockstars really, in the eyes of the owners, because they're the ones that brought their cyber team on board that's really protecting their organization from a 360-degree perspective. So it's really imperative for business today because of cyber threats. Cyber attacks are not just an IT problem anymore. They're a business problem. It's all about the risk in the organization. And with what we're finding these days, the risk is significant. So that especially went in the financial sector every year is far more than it ever was before.
And it doesn't only affect the immediate team and the owners of the business but the clients, really just a trickle-down effect. So I really appreciate you giving the pointers today and I'm gonna give a lot more of these acronyms. And the links are in a couple of things. I'll put it in the description box for the audience. So I really appreciate your time, Bryan, and all the pathways audience listeners. I hope this was helpful and we'll see you in the next episode.
This transcript was generated by https://otter.ai