Is Your Business Safe? The Truth About Third-Party Vendor Risks and How to Keep Your Company Secure - Webinar

Will Nobles: Welcome. We're going to give a few seconds here to let people join, but we will get started here in just a second. I look forward to sharing this with you guys today: Is Your Business Safe? The Truth About Third-Party Vendor Risks and How to Keep Your Company Secure. A lot of times you'll see where you'll allow third-party companies to come in and do whatever they want. So we are definitely going to make sure we are educating you and protecting you from that standpoint. All right, so we'll give about another 10 seconds here before we get started again. Welcome to the call today, and we will go ahead and get started again. This is "Is Your Business Safe? The Truth About Third-Party Vendor Risks and How to Keep Your Company Secure." My name is Will Nobles.

I'm the founder and CEO of Vector Choice, and I started the company to help protect and secure medium and small businesses. I come from a Fortune 100, Fortune 500 company background and started the company in 2008. And we are actually running our business off the EOS and Culture Index platform to make sure we are running it smoothly for our clients and helping everyone there. Also, we've got a special guest today, Beau Dickie. Beau Dickie is our Chief Security Officer at Vector Choice. He's got 20 years in security and operations. He's been with us for, I guess, Beau, you've been here, what, two years now? Two years of fun.

Beau Dickie: Yeah. Coming up on two years.

Will Nobles: Coming up on two years. And so Beau is here to help educate, and we're really going to be telling you stories today of what we've seen out there in the marketplace, and what you should be doing. Feel free to definitely ask questions as well. And then we've also got another special guest, Mike Bazar. Mike Bazar is the CEO of Bazar Solutions out of Texas. And so he owns an MSP, just like Vector Choice. He's out of Lubbock, Texas, and has offices in Lubbock, Houston and the Fort Worth/Dallas area. And Mike, tell us a little bit about yourself and introduce yourself.

Mike Bazar: Yeah, so I am a nerd by trade, right? I think I come from a family of nerds. So, you know, I went to school for mechanical engineering, decided I really didn't want to do HVAC and drawings, kind of stuff like that, and kind of fell into IT. So I started doing IT. And then at some point my brother was a quarter owner of this company that did wireless networks for big open-pit mines, and so I traveled all over the US and everything, working with Fortune 500 companies, putting equipment on haul trucks and all this really cool technology stuff that came out of the Department of Defense and DARPA projects and other things, really, really cool tech. But I got tired of the travel at some point with having kids and everything. And so I decided I'd try to bring that back to the SMB market. And so since 2009 we've been really focused on that and on how we bring good cybersecurity, networking, IT solutions to that SMB market that needs it more than a lot of them realize sometimes, and just try to help push that along. And we've grown to, we'll probably do 4 million this year, and like 21, 22 employees; we keep growing, so the number keeps changing fast.

Will Nobles: Awesome. Well, Mike, welcome. Thank you for joining us today. Before we get started, I want to share with everybody, if you've never heard of Vector Choice and this is the first time you've been on the webinar here, a little bit about Vector Choice and who we are and what we do. We are an IT managed services provider and security provider, and our motto is responsive and reliable technology solutions that just work for you and your business. My executive team are a lot smarter than I am. Obviously, you've already met Beau. Sarah Sawyer is our COO; she's in our North Carolina location. Jon DePerro is our Chief Compliance Officer. So if you need to know anything from your insurance compliance, all the way from HIPAA to PCI to CMMC compliance, Jon is the person to work with and help you there. And then some of the management team members; we've got an awesome team here. Gabby is our Finance Manager. We've got our VP of Technical Operations, Jon, Project Manager Daniel, and many others. And I should mention Chelsea, our Marketing Manager; Chelsea is riding shotgun with us today. So if you have any questions, feel free to put those in the chat or the Q&A and Chelsea will make sure to get our attention to go over those for you. So a little bit more about what we actually do. We can do everything from your help desk all the way up to your cybersecurity and compliance and everything in between. So from cybersecurity, you can buy hardware from us. We do cloud services, IT consulting, VoIP services, and many different compliance services as well for you. I've had the privilege of working with an awesome team. And as you hear, I said working with, because even though I'm the owner, they are just as much family to me as my actual immediate family is. And my team has given us the honor of being able to make the Inc. 5000 four years in a row and the MSP 501 for the past four years; as a matter of fact, we made 111 on the top managed services providers in the world, and so I'm honored to work with an awesome team. And that team consists of multiple locations. So we're based out of Duluth, Georgia, right outside of Atlanta, but we have offices in Baton Rouge, Mobile, New Bern, North Carolina, Washington, DC, Nashville, and Philly. And you'll probably say, hey, I've heard all those names besides New Bern. Well, why is New Bern there?

Will Nobles: Well, New Bern is where I'm originally from. If there's anything you learn from this webinar, New Bern is the home of Pepsi, and I moved to the home of Coca-Cola here in Atlanta, Georgia. So if you don't remember anything else, there's a little food for thought there. We service clients in about 23 states, and we've done work in multiple countries, from Costa Rica to the UK, the Netherlands, and the DR. Before we get started, I want to give you guys the opportunity to download my new book that came out, The Compliance Formula. I worked together with several other compliance specialists to write this book to educate people about compliance, especially when it comes to CMMC. So if you do any government contracts, you'll know what CMMC is, or if you don't, you definitely need to know what that is. So take advantage.

Will Nobles: Scan the QR code there and take advantage of that. So I'm going to stop sharing here and get everybody on screen. And so, guys, let's talk about why third parties are a risk to everybody's business, not just our business, but as well as anybody that's listening today. So, Beau, talk about, you know, a lot of times third parties, when they install software in an environment, they immediately want to say, I need admin access, and you need to run as admin. The user has to be admin on the local machine to run this application. Talk to us about why that's so common.

Beau Dickie: Generally, the most common reason for that is because the developers are developers. They don't understand security. They don't care about security. And the easiest way for them to make their product work is to have it have all access possible on a local system or a network. And so they just immediately say in their documentation that it's required that you have this permission because that's how they built it to work. And nine times out of ten, that's not the case.

Will Nobles: Mike, where do you see it? Can you give us an example of a third party coming into a business and saying, you've got to run this in admin mode?

Mike Bazar: Yes, we get that a lot. QuickBooks, honestly, is one where they want admin access. And some of the Intuit products always tend to be a problem. I would say the ones where we see it a lot too, that are frustrating from a security perspective: we use a lot of zero trust. I know you guys do as well. And a lot of that, what it is, is when somebody writes code, they can sign it with a certificate. It's not hard, and most everybody should do it. And if they do, and it's a legitimate certificate, we can approve that certificate. So if they do software updates or other things, we can keep that rolling through the system the way it's supposed to. And a lot of these guys these days, they just don't. Right?

Mike Bazar: And so the problem is, we'll approve software to run, we'll say that's legitimate software, we'll make sure its permissions are right, and then the vendor will go do an update. And now it's changed. The software has changed. The way the security software sees it, it looks at it differently and says, that's different, because we couldn't do it off that certificate. And so you see it a lot where these third-party guys, they don't look at it, like Beau said; they write good software or whatever, but they don't write it from, hey, we need to make sure this is secure. We need to make sure this is it. This is what we need to do.

Mike Bazar: I mean, it wasn't until a couple of years ago, and it was law, and it still happens a lot, that IoT-type devices, Internet of Things devices, had to have different passwords when things shipped, and a lot of vendors still aren't doing that. So every router ships with the same default password. Everything ships with the same default this. Right? That makes it really easy as a hacker to go get into those pieces of software, those devices. And then again, a lot of small businesses don't separate them. So their thermostat that's on their Internet is on the same connection as their server, and that's how they can use it.

Mike Bazar: And an interesting story about that is one of the heists nobody has ever heard of, in Vegas, one of the largest heists that ever happened, went through the thermostat monitoring system for a fish tank in the lobby. Hackers hacked that. They used that to pivot into their network, and then they got into the network and they were able to cause these damages. The Target thing is the same thing, and you can talk about some of it if you want, but they went through an HVAC company, a third-party company that had access to their network. And they needed certain things, and that's how they got into the network. And so you see it a lot where the third party is the target initially to get into the other company.

Mike Bazar: I've got tons of other examples, I guess, but there's several of those that we see all the time where that's where these pivots come and that's how people go get into it.

Will Nobles: Yeah, Mike, it's funny that you say that about thermostats, because I did a TV segment, "Does your smart home think you're stupid?" And they loved it on TV. For us IT guys, we laugh about it, but a lot of people just get that device from Best Buy or from Amazon and go immediately plug it into their home network. And I know we're talking about business here, guys, but the same thing applies for your home: change the default passwords. But let's define what a third party is. We're talking about third parties. A third party could be anybody that has a piece of software, QuickBooks, your EMR system, your primary business application that you use, or a third party coming in doing work for you.

Will Nobles: So when I say third party, it could be software, it could be a company, it could be a consultant, or it could be hardware as well.

Mike Bazar: And I was going to say I would even expand that to be hardware. Like, I've got a router story. It's pretty quick. So we had a company we did co-managed with, right? They had an in-house IT guy, and the firmware on their router needed to be updated, which, when you're doing that, will usually cause a few minutes of downtime while it reboots. And so we kept telling him they needed to update it, they needed to update it. And he kept saying later and later. And we said, well, we'll do it for you. If you want to do it after hours, it'll just cost you money or whatever, but we'll do it. Later. We'll do it later.

Mike Bazar: Then we got a call from the security operations center we use, and they said, hey, somebody's trying to mount network shares on their server from the Internet. So somebody was using the vulnerability that was addressed in the software update to come in through that firewall. And because they didn't update it, right, the real vulnerability was in the firewall. Well, the third party also offered the patch for it after it happened, but they didn't implement it. And that created this weakness where somebody was trying to get into their data across the Internet through a device perceived as secure, because they hadn't done an update or a patch.

Mike Bazar: And sometimes those things exist out there for even longer, because we might not know about them. You know, Windows, Microsoft are releasing patches, and, you know, all these software vendors and all those kinds of things that happen, those are all third party, but they're creating security holes, potentially, in your own network. Yeah.

Will Nobles: And so both of you shared a little bit about zero trust and application control, and I want to address that with everybody. What is that? And how does that prevent these third parties that need the user to have admin access to the device? Beau, I'll start with you. Can you explain what zero trust and application control is?

Beau Dickie: Yeah, so starting with the core there, zero trust is a framework. It's basically a guideline of how to keep information that you own yours. And the way that's done is we don't trust anybody or anything that connects to our data sources, whether that be something we're hosting in the cloud or our on premise network. And in order for those devices to be able to get connected so you can work with that information, we put routines and policies and measures in place that force that device to either be checked in, it has to match certain criteria, or that user has to be identified using additional measures besides just your username and password.

Beau Dickie: We usually use multifactor authenticators for that, where it's an application that lives on a device you own, the second-factor portion of the two-factor there, and then something you are, which is your thumbprint, your face, whatever your device supports for its biometrics, to verify that you are who you actually say you are. And then for the application control element of that, we don't trust any application until we have verified that application is authentic, by using the certificate that Michael spoke about earlier. And then we use other markers inside of that application itself. Usually we use the metadata, or the information that identifies that application, that the developers coded into it. And we get that from those developers when they publish the applications and software publicly.

Beau Dickie: We capture those and we keep those in a giant database that matches it against that release version of that software.

Mike Bazar: Yeah.

Will Nobles: So everybody's brain just went boof with Beau's response. So from a business standpoint, Mike, the answer to that: how does application control affect the end user? There are pros and cons with it.

Mike Bazar: Right.

Will Nobles: But can you share a little bit about your side of it?

Mike Bazar: So, you know, that's always the fight, right, of is it going to slow the user down? Is it going to make us less productive? Is it going to do those sorts of things? In general, I would say it does not. Right. There are parts of it. That's why, when they sign it with a certificate, it makes it a lot more transparent. We can give it different rights; it makes it easy for updates to happen and those kinds of things. If not, then it might be you install a new piece of software and it asks for permission, you call the help desk and we approve it. And that's usually a pretty quick process. But the flip side of that is you get ransomware, you get your network hacked, you've got all this downtime, which is a really bad thing.

Mike Bazar: The other thing that it really, kind of, in layman's terms, can help with, as Beau had said earlier: a lot of the software just requires full admin access, and if we don't give it to it, sometimes it won't function, and you need it to run for your business. But I can go use zero trust to say, okay, fine, I'll give you full admin access, but then I'm going to use zero trust, a third-party thing, to basically put walls around you and say, you can only run in this box, so you can't go do things you're not supposed to do. So you can't reach out and connect to things on the server you're not supposed to.

Mike Bazar: You can't reach out to the Internet and do things you're not supposed to, because that's what hackers tend to do: take a known, trusted process and abuse it, make it do something it's not supposed to do. And so we can help put walls around that as well and say, look, we trust this process, but we only trust it this much, right? And we're not going to give it any extra room to run, and we can box it back in if that's the only way it'll go. We push back on vendors a lot, and we try to do testing and other things if we have to, when they require admin access, to minimize that, but occasionally we run into software where that's the way it's written, and it's terrible. And how do you do it?

Mike Bazar: And so we can use third-party applications that don't trust it to narrow its scope. And so you can't do this. Like, a good example: PowerShell, which, you know, we use as IT guys in the back end all the time. I can make it so QuickBooks can't talk to PowerShell. It doesn't need to. It doesn't have to, but in its default state, it can. Right? And now, as a hacker, can I make QuickBooks try to use PowerShell to do something it's not supposed to do? But all of my security software is going to trust PowerShell and it's going to trust QuickBooks. And so it looks like it's a trusted thing, but I can put walls around that and say it's not trusted, you can't do it, you can't work on that, you can't do those things.

Mike Bazar: And that's the kind of stuff that ends up helping businesses stay secure. And like I say, there is a little bit of give and take in security, but our goal is always to try to minimize the end-user pain while maximizing the security on the back end. And it's all gotten good enough that for the most part it's fairly transparent, especially if developers and third-party people do what we want and use certificates and other things to sign it. It makes it really easy.

Will Nobles: Yeah, I think there's a give and take. There's an inconvenience, right. But that inconvenience is a short inconvenience compared to the inconvenience if you actually get compromised, and what would it actually cost your company? And that's why we always try to explain to our customers: hey, we can remove it if you don't like it, but here's the risk that you're taking. Is that a risk that you're willing to take? And I think they start seeing, like, okay, well, I can deal with this inconvenience. And I think that's really what we've got to think about: security is not convenient, but getting hacked is not either.

Beau Dickie: And it's interesting you bring up that point, Will, because I actually had a customer that I talked to probably about four weeks ago. We gave them a couple of options for what they could use to add multifactor. They didn't want it. And so we came back and said, okay, well, you may not want it, you may not want to pay for it. We've got another option. It's going to be a little bit lower cost for you. Let's just get it put in place so you at least have that layer. Well, I had a call with that same customer today, and now they want the one that they didn't want to pay for like three weeks ago, because they realized it's not as inconvenient as they thought it was going to be.

Beau Dickie: And now, because they didn't get it, they're in the middle of an event and now they're buying it.

Will Nobles: Yeah, and that's where you don't want to get, guys. For everybody on here, you don't want to get to the point where we have to say we told you so. We do not like saying we told you so. That is not what we're about, but we want to educate you so you know what the risk is. Ultimately, as the business owner, you have to make a decision about the risk that you're willing to take. But I see so many businesses wait until after they get compromised to make a decision when it comes to security. And it's like your car: don't wait until the oil burns out in your car and your engine locks up, right? You're going to go get an oil change.

Will Nobles: And I know I'm not trying to make an analogy of an oil change in a car to IT security, but it's the same. You don't want to wait until that engine locks up to do something. You don't want to wait until you get hacked and compromised to actually act. Sometimes it's too late. And there are so many companies that fail. There are hundreds of millions of dollars lost by companies when a compromise does happen. And then, if you have to divulge it to your customers, that's a reputation loss there. So think about those types of things. So, guys, let's move on to supply chain. The world we live in today, getting equipment, getting cars. Over the past three years, we've seen shortages of everything, from cars on the car lots to computers to, right, toilet paper.

Will Nobles: But how does that, in a technology form, the supply chain and third parties getting compromised throughout your supply chain, in your business, affect your business from a security attack standpoint? Beau, I'll start with you.

Beau Dickie: Supply chains are a weak link for everybody, because again, it starts with the developers, where they're not developing securely. And most of those companies are people who are development based, where they've had a background in development and developing software and solutions. And so if I, as an attacker, target someone, the big one that hit the news a couple of years ago was the SolarWinds attack. SolarWinds got breached. That had a major impact because they got targeted. Attackers got in. They used their coding software to embed their malicious code into that application. It was signed by SolarWinds, and then they shipped it out as the next feature update. And that affected every single one of their customers that had that product that was targeted, and nobody knew about it until several months afterwards.

Beau Dickie: And it was because some random third-party company was doing a test of an environment that had that solution and realized, hey, this is not good. Another example was the LastPass breach. Just last year, the threat actors got into a developer's computer on their home setup, where they weren't supposed to be working from, but they were because of COVID and work from home. And so they leveraged an attack on a personal computer that was being used to do work for their business, and they used that to get in and stole a bunch of password vaults that everybody thought were secure. Those are the two biggest ones that really come to mind from that perspective. And a lot of people think, oh, well, LastPass is big enough. That doesn't affect me.

Beau Dickie: I'm here to tell you, for the customers that we support, we've seen an average of about a 300% increase in brute-force attempts from people trying to get into accounts that were in those LastPass vaults, where we advised all of our customers to go change every password that's in there. We recommended they move off, just to ensure that they were on a decentralized zero trust platform that didn't use a cloud server where all that stuff was saved, so that would mitigate that risk in the future.

Will Nobles: So, Mike, what have you seen?

Mike Bazar: Well, I was going to say, even on the password thing, they're using, you know, things like ChatGPT and other stuff that do machine learning. Hackers are feeding in people's social media, family, other information, and then they're cracking passwords in minutes with AI, because they know you're going to use your pet's name and this and that. And I can dump all this information into AI and it can correlate it out, try some passwords and crack things. So those things are presenting other challenges, but that's kind of off of, you know, I go back to, right, Target, because everybody knows the name. Target lost over a billion dollars in the quarter following the breach. And most people go, again, Target's big, but what happens if the news gets out for your small company or whatever?

Mike Bazar: People didn't shop at Target for a period of time because they didn't trust that their information would be safe there, that their credit cards wouldn't be taken again, that it was going to be okay. And Target can handle a billion-dollar hit. Most businesses can't. Most businesses can't handle a fraction of that, I mean, or a $100,000 hit. Right? What happens if your cash flow stops for a period of time? Those are the kinds of questions you have to ask, because let's say QuickBooks got hit with something, and I'm not saying it will, just whatever, but if you couldn't do billing and invoicing, and that's what you're using it for, and QuickBooks cloud got shut down for ten days because of some weird breach. What does that do to you? Right? Do you have plans or thoughts or other things in place?

Mike Bazar: And that's where you've got to start thinking through all this. And how does a third party impact me? How do I kind of audit through that? What does that look like? Because there's potential that some of those things could happen. We got an email yesterday, actually, and it was Xerox software; it's PaperCut that they use, and there's a weakness in it. There was a security vulnerability that was just disclosed, and they've got a new patch for it. But we basically, within an hour, had a script that we wrote that was running through any of the servers at all of our customers that have it, looking for those indicators of compromise. That's a third-party thing. Right? It was Xerox's software.

Mike Bazar: It was their problem that had it, but it directly impacted the businesses that we manage, because there's a chance there's a hacker that got in there, and now you have all these privacy laws and everything else. Right. In Texas, I think the privacy laws say, if your private data, which is pretty broad, right, I think it's like name, address, like any two pieces of identifying information, if that affects more than 250 Texans, you have to report that within 30 days of knowing to the attorney general of Texas. Right. And it doesn't matter where your business is, they say. So even if you're in Atlanta, if you have 250 Texans in your database, you're supposed to be reporting that. So now you may be violating laws you didn't realize, because some of that data breach happened and somebody might have had access to it.

Mike Bazar: And what happens if that starts coming out and that starts getting in the news and that starts getting wherever? There's an erosion of trust that can happen. Sometimes people are numb to this, but I think when they hear the name of somebody they've dealt with, that's a small company, that's a big deal. And then the other side of that is, if those third-party things do happen, a breach or something, and it potentially shuts down some major facet of your business, how do you survive? Right. So if you talk through disaster recovery planning and all those sorts of things, that all becomes a big piece of cybersecurity that a lot of people aren't necessarily thinking about.

Will Nobles: A lot of people say, I don't have to be compliant, because they don't have to meet HIPAA or SOC or SOC 2 and all the other compliances out there. But they quickly forget that states are mandating compliance at the state level. There's not really one governing law for every company, like GDPR in the EU, right? But every state is starting to deliver legislation to say, here are the things that you have to have in place as any business. I don't care if you're a doggy daycare or sell donuts; here's what any business needs to do.

Mike Bazar: And Jon has said it a lot, like PCI compliance: everybody accepts credit cards, right? And they very often go, oh, they handle that. If you really go look at that agreement with that credit card company, almost every time Jon DePerro, your compliance officer, looks at it, he finds something the business is violating, essentially, which means if there's a breach, they're going to dump it in your lap. They're not going to come back and go, oh, you're right, we own that. That was our fault. They're like, oh no, you violated this one line you didn't even know you had to comply with in your 57-page agreement to accept credit cards. Now we're going to come back at you. And again, that falls into this third-party category, because that's what it is.

Will Nobles: And they pushed it further down now to the merchants, the individual businesses.

Beau Dickie: It's on the business owner themselves now. That's one of the big things that changed just this year. Just to show how big of a deal this has been for the industry when it comes to credit cards: they pushed all of that down to the very business owner as part of that compliance standard. So if you're accepting credit cards, and a lot of people think that PCI, or the Payment Card Industry, just applies to credit cards. No, it's applying to your ACH bank transfers that you're using for business as well. And it hasn't traditionally applied to that. Now it does, because guess who handles those? Your merchant services provider. So it's gotten a lot more stringent, and it's only going to get worse. Five years ago in the United States, not every state had any kind of PII mandate act or law.

Beau Dickie: Now, within just the last five years, every state in the 50 states has some law in place where you're required to protect personally identifiable information. And as Mike said, that's any two pieces of information: a name and a phone number, a name and an email address, an email address and a phone number. If I have those two pieces, I can find you on the Internet. And for those, every state's got a law where that's got to be protected, not just for your customers but for your employees.

Will Nobles: So, guys, we've got probably two types of people. We've got a person that says, okay, what do I need to do? And the other will say, well, it's going to happen to me anyway. Why should I spend the money? Right? We'll get in a second to what are some measures that they can do to start protecting themselves, without getting off of the third-party piece of it. But what do you say to the company that says, you know what, it's going to happen to me. My credit card is going to get stolen. I'm going to end up on the dark web. I'm going to get compromised. So why do anything? Mike, I'll start with you. What do you say to that person?

Mike Bazar: Yeah, I mean, there's the "why does it matter" or whatever, right? So some people think they can dump it back off on their insurance. But then again, you guys know this, Will: we audit people's cyber insurance a lot, and they aren't complying with what they're supposed to be. So their cyber policy is not really valid. If you don't do what you're supposed to be doing on your cyber policy, it's going to require a lot of this. And again, it goes back to a lot of the reputation damage and what's going to happen with your business if you just say, I'll deal with it later. If it shuts your business down, you can't bill, you can't invoice, you can't get to your credit card transfers, you can't get to payroll, you can't get to those things. Those are big. If you can't do payroll, how long before your employees find other jobs?

Mike Bazar: Right. They're not going to stick around while you sort it out. A lot of the time, they have bills to pay. They've got to go find another job, potentially. If they're worried that it means the business is not going to be there for them in the future, then they're going to potentially run off. So I think sticking your head in the sand is just not a way to go. And the more regulation that comes out, the states of New York and California have really stringent regulation, and it usually applies just if you do business with people that do business there or whatever. But as that trickles down, there's more and more teeth coming into this from a regulation perspective, because the only way we get ahead of the hackers is if we actually try. Right?

Mike Bazar: For the longest time, cyber has been a very defensive battle, and it was convincing people and it was buying the bare minimums and it was doing these little things. And now I can tell you when companies are doing acquisitions or when companies. So if you're looking at selling your business down the road or whatever, all those things they're looking at, what's your cyber policy? What's your posture? Investment firms are looking at that this is starting to trickle into other facets of things because nobody wants to get caught with it. And I wouldn't be surprised the moment it starts trickling in with, oh, you want a loan, oh, you want to do this, you want a line of credit, what's your cyber? Because that's part of the risk portfolio that we need to assess before I do these other things to do business with you.

Mike Bazar: So more and more, this stuff is getting pushed down and it's either you can stay reactive to it or you can start to say, let me take steps into how do I become compliant? How do I become more secure? Because I can guarantee it's not that far off before there's a federal law like GDPR or something else. And truth is, you're probably violating laws you don't know that you're violating right now. Right? You have business with somebody in Europe and you don't realize it, but that means you need to comply with GDPR.

Will Nobles: But Mike, I only had one entry of one person in London. Does that matter?

Mike Bazar: Yes, it does. So this is the thing that a lot of people don't get. When you go to websites now and you get the little pop up that basically says how we're using your information, and it's the cookie thing and you got to hit yes or no, and you can select how to use a cookie. That's all driven out of GDPR. But most of those websites you're going to aren't even European websites, but they have one person or people from Europe, or they're not going to block traffic from Europe. So if a European person hits your website, technically you have to comply with GDPR, right? And a ton of US businesses don't. Now, can the European Union come sue a small business in New Bern? Probably not going to happen. Right?

Mike Bazar: But sooner or later, that regulation is coming down on the US side and it's going to start getting pushed more and more. It's a competitive thing. You can start talking to your customers. We protect your data, we do these things. We won't sell it. When you can start talking about that, people think about that more than they ever have because of TikTok and whatever else. As all this stuff gets into. How is your data being used, and you can use it as a competitive advantage. Hey, we have good cyber. Hey, we protect your data this way. Hey, this is why you should do business with us instead of somebody else, because we care more, and that can be even a competitive advantage.

Beau Dickie: Yeah. I'm going to expand on what Michael said. A lot of it is really, cybersecurity used to be the big ugly elephant in the room that nobody wanted to talk about. Well, now it's in the news. Everybody sees it. It's discussed in social media platforms. It's basically become another business function.

Mike Bazar: Right.

Beau Dickie: So a lot of what the cybersecurity industry is shifting to isn't just about the compliance aspect of it. They're shifting it to where it's a business continuity piece. And that's a selling point for a lot of people because that's a question in everyone's mind, even though they may not ask it out loud. What is this company doing with my... Everybody talks about Mark Zuckerberg and what he's doing with Meta and how they collect all your information from Facebook. What are they doing with it? They're profiting from it. I can guarantee you that they're selling it. But who's buying it? Are those the people that are going to be the ones coming after your business next? In this year alone, I've had five incident responses that I've worked.

Beau Dickie: And in three of those five, it's been where someone's personal identity was compromised somewhere, and they used that information to gain access to business critical systems. And we're talking hundreds of thousands of dollars lost for those business owners. Who's answering for that? Do you hold that individual employee accountable? Or is that something that is going to get a slap on the wrist? But it's because a third party service that they were using on their personal aspect was compromised. Now that information is out there and somebody used the same password in multiple locations, and now they have access to the business environment. Now the business is suffering. That's where we have to hold these third parties accountable in every aspect of what we do.

Mike Bazar: Well, I was going to say one thing I would want to bring up quickly. I think, too, that could lead into a big deal. But a lot of people don't think, when you talk supply chain and other stuff, like who's doing business with you and what do you ask of them? I know another IT company up, I don't know, in, you know, Michigan somewhere up in there. I forget exactly. But one of the people that owed them money had a wire fraud attack. Something that happened. There was a mix. The way it happened, I forget exactly. But anyways, they lost $50,000. They owe him money for a project he was supposed to do. He wasn't managing their cyber stuff, and they can't pay it because they lost $50,000 on some other thing.

Mike Bazar: So that's now directly impacting him, even though his stuff wasn't soon. I think that's even going to be part of the question, is, you're going to go to do business with somebody and you're going to say, hey, before you do business, to protect myself, I need to know you have okay cybersecurity.

Mike Bazar: I need to know you have a wire fraud policy in place. I know you need to have whatever to prevent those, because I just don't want you to go insolvent accidentally because you didn't take cybersecurity on purpose. Cybersecurity seriously. And then that impacts my business. And so that's what I say. It's this spider web of supply chain. Everything else and more that's going to get pushed out where you'll see it. Like, we work with a hospital system that does a billion dollars a year, and we have to sign and carry different levels of insurance and all this. And we're literally selling them hardware. They're going to install it, they're going to configure it. I have to have cyber insurance and cybersecurity policies in place to sell them hardware. That's the kind of stuff that's coming down the pipe.

Will Nobles: I actually had a neighbor, a small business, that got compromised. And a lot of people say, well, I'm too small for it to happen to me. This was a guy with two 18 wheeler trucks, a small trucking company, and he got a phone call that said they had a late invoice of $25,000. And the steps that happened, as I tell you this, you're like, why would he fall for that? But the thing is, they are good. They had him on the phone. He went to the bank, wired the $25,000, and gone, just like that. Now, because he willingly did it, he's not going to get that money back. Right? That's $25,000 lost. Now, he is a small business. That hurt him to the point that he even had to sell his personal car to cover bills. So don't look at it

Will Nobles: that I'm too small or it's never going to happen to me. It's going to happen to anyone. I had a CPA firm, actually. The last movie that I did was a cybercrime movie, which is on Amazon Prime. And I had interviewed my CPA here in Atlanta, and his wife actually got a phone call that said they had kidnapped him. And so I had both of them in the movie for it and told the whole story. And the short version of it is they convinced her to go to Walmart to get ten $500 gift cards and to send that to them for them to release him. And so all in her mind is, he's in a trunk of a car somewhere, and she's panicking, right? She never thought about it. And they said, you cannot hang up.

Will Nobles: And she never thought about texting him or calling from another phone to say, hey, are you alive? He was in a meeting the whole time. Right? And this is a small little CPA firm. So if that can happen to a small CPA firm, a trucking company, it can happen to anyone. And what we're trying to educate you on here today is it's your third parties, a lot of times, and your employees that actually cause the biggest risk to your company. And when you're dealing with an IT company, you want to make sure it's not just an IT guy. Right? My team does a lot of calls and they say, hey, we've got our IT guy. He's been with me for 14 years. And that's great. I'm glad you have that great relationship. What you've got to think about is, are they keeping up with the risk?

Will Nobles: Like, the bigger IT companies are, like Bazar Solutions, like Vector Choice. Are they keeping up with the standards that should be protecting you? Because think about this, guys. If an MSP or managed services provider gets compromised, we don't just get compromised. Hundreds of clients get compromised as well. So you want to be very careful of the IT company that you use, and what measures are they taking to protect you. We are a third party to you, just like other third parties are to you as well. Well, final thoughts. Michael, start with you. Any final thoughts here?

Mike Bazar: No, I mean, I think you hit the nail on the head there. Everybody needs IT services. Who are they? If you ask them how cybersecurity affects them, what do they do? What are their policies? How do they do change orders? How do they do all those things? Right? Talking through those kinds of things, looking at some of your third party vendors, how do they work? And a lot of this can be mitigated by finding a good IT firm that can help build those blocks, manage those things. Look at things like zero trust and 2FA and everything else to help minimize the risk to you of some third party breach happening. Even simple things like, do you have a policy?

Mike Bazar: Because I bet your IT provider, if you got a really good one, has a policy they can give you about wire fraud, right? Here's what you should have in terms of when somebody requests a wire transfer, or a gift card policy or whatever, here's the policy for the company. Tell all your staff, and then don't get taken advantage of, because you're never going to ask for that, and you've defined those up front. Good IT providers will help you do that and help you build those walls and identify the areas where you might need to go to somebody and say, hey, these guys are really tight knit with you. Let's go talk to them and see if they are doing security well or if they need help or whatever, because you don't want them to impact you.

Mike Bazar: And that goes back up to kind of who's in your corner and who's helping you do that. And while Uncle Bob might be great at IT and fixing random computers and doing the other stuff, and he's done it for 14 years, he probably hasn't stayed up on that cutting edge of cyber and where it's all going.

Beau Dickie: Speaking of good IT providers, Michael, another thing that your good IT provider is going to do is they're going to evaluate who your third parties are as part of their security posture, because they can't secure what they don't know is there. Right. And so you'll have an asset inventory. That asset inventory includes the hardware and the software. And somebody needs to be putting pressure on those third parties that your client has, as that IT provider, and saying, okay, these are the things that they're required to have. You want to do business with us? I need documentation. I need proof that you're doing this, putting them on the hook and keeping them there and making sure that they understand that somebody's looking at it, because a lot of third parties don't, because they're not being forced to do that.

Beau Dickie: Once they're forced to do it, they stop asking. Some of the communications with them start being a lot easier, too. Happens all the time.

Will Nobles: Well, guys, I want to thank you guys so much for being on. If you have any questions for us, you can email us at info@vectorchoice.com or give us a call. But for being on today, I want to give you guys a special. And Beau loves when I do this, but I'm going to give you some time of his for free, no charge. QR code here. You can scan that or go to webinar, and you can go there and schedule a time with Beau, and he can talk to you about your third parties, your security posture with your third parties, as well as with your IT company. And sometimes we're not even looking at displacing your current IT company at all. We want to just really advise you of what to look out for, educate you.

Will Nobles: So use Beau's time to help educate you on what you should be asking your IT company and your third parties. Mike, Beau, thank you guys so much for being on today.

Mike Bazar: Appreciate it, guys.

Will Nobles: Thank you. And have a wonderful day, everyone.

Mike Bazar: Thank you. Bye.