Is Your Business Safe? The Truth About Third-Party Vendor Risks and How to Keep Your Company Secure - Webinar
Will Nobles: I'm the founder and CEO of Vector Choice, and I started a company to help
protect and secure medium and small businesses. I come from a Fortune 100,
Fortune 500 company background and started a company in 2008. And we are
actually running our business off the EOS and Culture Index platform to make
sure we are running it smoothly for our clients and helping everyone there.
Also, we got a special guest today, Beau Dickey. Beau Dickey is our chief security
officer at Vector Choice. He's got 20 years in security and operations. He's
been with us for, I guess, Beau, you've been here, what, two years now? Two years
of fun.
Beau Dickie: Yeah. Coming up on two years.
Will Nobles: Coming up on two years. And so Beau is here to help
educate, and we're really going to be telling you stories today of what we've
seen out there in the marketplace. What you should be doing. Feel free to
definitely ask questions as well. And then also got another special guest, Mike
Bazar. Mike Bazar is the CEO of Bazar Solutions out of Texas. And so he owns an
MSP just like Vector Choice is. And he's out of Lubbock, Texas, has offices in
Lubbock, Houston and Fort Worth, Dallas area. And Mike, tell us a little bit
about yourself and introduce yourself.
Mike Bazar: Yeah, so I am a nerd by trade, right? I think I come
from a family of nerds. So, you know, I went to school for mechanical
engineering, decided I really didn't want to do HVAC and drawings, kind of
stuff like that, and kind of fell into IT. So I started doing it. And then at
some point my brother was a quarter owner of this company that did wireless
networks for big open pit mines and so traveled all over the US and everything,
working with Fortune 500 companies, putting equipment on haul trucks and all
these really cool technology stuff that came out of the Department of Defense
and DARPA projects and other things and really really cool tech. But I got
tired of the travel at some point with getting kids and everything. And so I
decided I'd try to bring that back to the SMB market. And so we've since 2009
been really focused on that and how do we bring good cybersecurity, networking,
IT solutions to that SMB market that needs it more than a lot of them realize
sometimes and just try to help push that along. And we've grown to, we'll
probably do 4 million this year and like 21, 22 employees, we keep growing so
the number keeps changing fast. Awesome.
Will Nobles: Awesome. Well, Mike, welcome. Thank you for joining
us today. Before we get started, I want to share with everybody, if you've
never heard of Vector Choice and the first time you've been on the webinar
here, I want to share a little bit about vector choice and who we are and what
we do. We are an IT managed services provider, security provider, and our motto
is responsive and reliable technology solutions that just work for you and your
business. My executive team are a lot smarter than I am. Obviously, you've
already met Beau, Sarah Sawyer is our COO, she's in our North Carolina
location. Jon DePerro is our Chief Compliance Officer. So if you need to know
anything from your insurance compliance, all the way from HIPAA to PCI to CMMC
compliance, Jon is the person to work with and help you there. And as well as
you've already met Beau there. some of the management team members, we've got
an awesome team here. So Gabby is our Finance Manager. We've got our VP of Technical
Operations, Jon, Project Manager Daniel, and many others. Chelsea is actually
mentioned, our Marketing Manager Chelsea is riding shotgun with us today. So if
you have any questions, feel free to put those in the chat or the Q&A and
Chelsea will make sure to get our attention to go over those for you. So a
little bit more about what we actually do. We can do everything from your help
desk all the way up to your cybersecurity and compliance and all in between. So
from cybersecurity, you can buy hardware from us. We do cloud services, IT
consulting, VoIP services, and many different compliance services as well for
you. I've had the privilege of working with an awesome team. And as you hear, I
said working with because even though I'm the owner, they are just as much
family to me as my actual immediate family is. And my team has given us the
honor to be able to get to Inc. 5000 four years in a row and the MSP 501 for the
past four years, matter of fact, we made 111 on the top managed services
providers in the world, and so honored to work with an awesome team. And that
team consists of multiple locations. So we're based out of Duluth, Georgia,
right outside of Atlanta, but we have offices in Baton Rouge, Mobile, New Bern,
North Carolina, Washington, DC, Nashville, and Philly. And you probably say,
hey, I've heard all those names besides New Bern. Well, why is New Bern there?
Will Nobles: Well, New Bern is where I'm
originally from. If anything you learned from this webinar, New Bern is the
home of Pepsi, and I moved to the home of Coca Cola here in Atlanta, Georgia.
So if you don't remember anything else, there's a little food for thought
there. We service clients in about 23 states, and we've done work in multiple
countries from Costa Rica, the UK, Netherlands, and the DR. Before we get
started, I want to give you guys the opportunity to download my new book that
came out, the Compliance Formula. I've worked together with several other
compliance specialists to write this book to educate people about
compliance, especially when it comes to CMMC. So if you do any government
contracts, you'll know what CMMC is, or if you don't, you definitely need to
know what that is. So take advantage.
Will Nobles: Scan the QR code there and take
advantage of that. So I'm going to stop sharing here and get everybody on
screen. And so, guys, let's talk about why third parties are a risk to
everybody's business, not just our business, but as well as anybody that's listening
today. So, Beau, talk about, you know, a lot of times third parties, when they
install software on an environment, they immediately want to say, I need admin
access to and you need to run as admin. The user has to be admin on the local
machine to run this application. Talk to us about why that's so common.
Beau Dickie: Generally, the most common reason
for that is because the developers are developers. They don't understand
security. They don't care about security. And the easiest way for them to make
their product work is to have it have all access possible on a local system or
a network. And so they just immediately say in their documentation that it's
required that you have this permission because that's how they built it to
work. And nine times out of ten, that's not the case.
Will Nobles: Mike, where do you see? Can you
give us an example of a business saying, a third party coming into a business
saying, you've got to run this in admin mode?
Mike Bazar: Yes, we get a lot. QuickBooks,
honestly, is one where they want admin access. And some of the Intuit products
always tend to be a problem. I would say the ones where we see it a lot too, that
is frustrating from a security perspective, is we use a lot of zero trust. I
know you guys as well. And a lot of that, what it is when somebody writes code,
they can sign it with a certificate. It's not hard, and most everybody should
do it. And if they do, and it's a legitimate certificate, we can approve that
certificate. So if they do software updates or other things, we can keep that
rolling through the system the way it's supposed to. And a lot of these guys
these days, they just don't. Right?
Mike Bazar: And so the problem is, we'll
approve software to run, we'll say that's legitimate software, we'll make sure
its permissions are right, the vendor will go do an update. And now it's
changed. The software has changed. The way the security software sees it, looks
at it differently, and says, that's different because we couldn't do it off
that certificate. And so you see it a lot where these third party guys, they
don't look at it like Beau said, they write good software or whatever, but they
don't write it from, hey, we need to make sure this is secure. We need to make
sure this is it. This is what we need to do.
Mike Bazar: I mean, it wasn't until a couple of
years ago, and it was law, and it still happens a lot, that IoT type devices,
the Internet of Things, devices had to have different passwords when things
shipped, and a lot of vendors aren't still doing that. So every router ships
with the same default password. Everything ships with the same default this.
Right, that makes it really easy as a hacker to go get into those pieces of
software, those devices. And then again, a lot of small businesses don't separate
them. So their thermostat that's on their Internet is on the same connection as
their server, and that's how they can use it.
Mike Bazar: And an interesting story about that
is one of the heists nobody has ever heard of in Vegas, one of the largest
heists that ever happened through the thermostat monitoring system for a fish
tank in the lobby. Hackers hacked that. They used that to pivot into their
network, and then they got into the network and they were able to cause these
damages. The Target thing is the same thing, and you can talk about some if you
want, but they went through an HVAC, a third party company that had access to
their network. And they needed certain things and that's how they got into the
network. And so you see it a lot where the third party is the target initially
to get into the other company.
Mike Bazar: I've got tons of other examples, I
guess, but there's several of those that we see all the time where that's where
these pivots come and that's how people go get into it.
Will Nobles: Yeah, Mike, it's funny that you
say that about thermostat because I did a TV segment. Does your smart home
think you're stupid? And they loved it on TV. For us IT guys, we laugh about
it, but a lot of people just get that device from Best Buy or from Amazon and
go immediately plug it into their home network. And I know we're talking about
business here, guys, but the same thing for your home is change the default
passwords. But let's define what a third party is. We're talking about third
party. A third party, it could be anybody that has a software, QuickBooks, your
EMR system, your primary business application that you use, or a third party
coming in doing work for you.
Will Nobles: So when I say third party, it
could be software, it could be a company, it could be a consultant, or it could
be hardware as well.
Mike Bazar: And I was going to say I would even
expand that to be hardware. Like, I've got a router story. It's pretty quick.
So we had a company we did co-manage with, right? They had an in-house IT guy
and their firmware and their router needed to be updated, which when you're
usually doing that, it'll cause a few minutes of downtime while it reboots it.
And so we kept telling him they needed to update it, they needed to update it.
And he kept saying later and later. And we said, well, we'll do it for you. If
you want to do it after hours, it'll just cost you money or whatever, but we'll
do it later. We'll do it later.
Mike Bazar: Then we got a call from the
security operations center we use and said, hey, somebody's trying to mount
network shares on their server from the Internet. So somebody was using the
vulnerability that was addressed in the software update to come in through that
firewall. And because they didn't update it right, the real vulnerability was
in the firewall. Well, the third party also offered the patch to it after it
happened, but they didn't implement it. And that created this weakness where
somebody was trying to get into their data across the Internet through a
perceived secure device because they hadn't done an update or a patch.
Mike Bazar: And sometimes those things exist
out there for even longer because we might not know about, know Windows,
Microsoft are releasing patches and know all these software vendors are all
those kinds of things that happen, and those are all third party, but they're
creating security holes, potentially in your own network. Yeah.
Will Nobles: And so both of you shared a little
bit about zero trust and application control, and I want to address that with
everybody. What is that? And how does that prevent these third parties that
need the user to have admin access to the device? Beau, I'll start with you.
Can you explain what zero trust and application control is?
Beau Dickie: Yeah, so starting with the core
there, zero trust is a framework. It's basically a guideline of how to keep
information that you own yours. And the way that's done is we don't trust
anybody or anything that connects to our data sources, whether that be something
we're hosting in the cloud or our on premise network. And in order for those
devices to be able to get connected so you can work with that information, we
put routines and policies and measures in place that force that device to
either be checked in, it has to match certain criteria, or that user has to be
identified using additional measures besides just your username and password.
Beau Dickie: We usually use multifactor
authenticators for that, where it's an application that lives on a device, you
own the second factor portion of the two factor there, and then something you
are, which is your thumbprint, your face, whatever your device supports for its
biometrics to verify that you are who you actually say you are. And then for
the application control element of that is we don't trust any application until
we have verified that application is authentic by using the certificate that Michael
spoke about earlier. And then we use other markers inside of that application
itself. Usually we use the metadata or the information that identifies that
application that the developers coded it. And we get that from those developers
when they publish the applications and software publicly.
Beau Dickie: We capture those and we keep those
in a giant database that matches it against that release version of that
software.
Mike Bazar: Yeah.
Will Nobles: So everybody's brain just went
boof with Beau's response. So from a business standpoint, Mike, the answer to
that, how does application control affect the end user? There's pros and cons
with it.
Mike Bazar: Right.
Will Nobles: But can you share a little bit
about your side of.
Mike Bazar: So, you know, that's always the
fight, right, of is it going to slow the user down? Is it going to make us less
productive? Is it going to do those sorts of things in general, I would say it
does not. Right. There are parts of it. That's why when they sign up with a
certificate, it makes it a lot more transparent. We can give it different
rights, makes it easy for updates to happen and those kinds of things. If not,
then it might be you install a new software and it asks for permission, you call
a help desk and we approve it. And that's usually a pretty quick process. But
the flip side of that is you get ransomware, you get your network hacked,
you've got all this downtime, which is a really bad thing.
Mike Bazar: The other thing that it really kind
of, in layman terms, that can help, as Beau had said earlier, a lot of the
software just requires full admin access, and if we don't give it to it,
sometimes it won't function and you need it to run for your business. But I can
go use zero trust to say, okay, fine, I'll give you full admin access, but then
I'm going to use zero trust, a third party thing to basically put walls around
you and say, you can only run in this box, so you can't go do things you're not
supposed to do. So you can't reach out and connect to things on the server
you're not supposed to.
Mike Bazar: You can't reach out to the Internet
and do things you're not supposed to because that's what hackers tend to do, is
take a known, trusted process and abuse it, make it do something it's not
supposed to do. And so we could help put walls around that as well and say,
look, we trust this process, but we only trust it this much, right? And we're
not going to give it any extra room to run, and we can box it back in if that's
the only way it'll go. We push back on vendors a lot, and we try to do testing
and other things if we have to, when they require admin access to minimize
that, but occasionally run into software. That's the way it's written and it's
terrible. And how do you do it?
Mike Bazar: And so we can use third party
applications that don't trust to narrow its scope. And so you can't do this.
Like good example, PowerShell, which know we use it as IT guys in the backend
all the time. I can make it so QuickBooks can't talk to PowerShell. It doesn't
need to. It doesn't have to, but in its default state, it can. Right? And now
as a hacker, can I make QuickBooks try to use PowerShell to do something it's
not supposed to do? But all of my security software is going to trust
PowerShell and it's going to trust QuickBooks. And so it looks like it's a
trusted thing, but I can put walls around that and say it's not trusted, you
can't do it, you can't work on that, you can't do those things.
Mike Bazar: And that's what the kind of stuff
that ends up helping businesses stay secure. And like I say, there is a little
bit of give and take in security, but our goal is always to try to minimize the
end user pain while maximizing the security on the back end. And it's all
gotten good enough that for the most part it's fairly transparent, especially
if developers and third party people do what we want and use certificates and
other things to sign it. It makes it really easy.
Will Nobles: Yeah, I think there's a give and
take. There's an inconvenience, right. But that inconvenience, a short
inconvenience compared to the inconvenience if you actually get compromised.
And what would it actually cost your company, and that's why we always try to
explain to our customers, is, hey, we can remove it if you don't like it, but
here's the risk that you're taking. Is that a risk that you're willing to take?
And I think they start seeing like, okay, well, I can deal with this
inconvenience. And I think that's really what we got to think about is security
is not convenient, but getting hacked is not either.
Beau Dickie: And it's interesting you bring up that point, Will, because I
actually had a customer that I talked to probably about four weeks ago. We gave
them a couple of options for what they could use to add multifactor. They
didn't want it. And so we came back and said, okay, well, you may not want it,
you may not want to pay for it. We've got another option. It's going to be a
little bit lower cost for you. Let's just get it put in place so you at least
have that layer. Well, had a call with that same customer today, and now they
want the one that they didn't want to pay for like three weeks ago because they
realized it's not as inconvenient as they thought it was going to be.
Beau Dickie: And now, because they didn't get it, they're in the middle of an
event and now they're buying it.
Will Nobles: Yeah, and that's where you don't want to get guy for everybody on
here, you don't want to get to the point where we do not like saying we told
you so. That is not about what we're about, but we want to educate you so you
know what the risk is. You have to, ultimately, as the business owner, you have
to make a decision of what you're willing, the risk that you're willing to
take. But I see so many businesses wait until after they get compromised to
make a decision when it comes to security. And it's like your car, don't wait
until your car, the oil burns out in your car for your engine to lock up,
right? You're going to go get an oil change.
Will Nobles: And I know I'm not trying to take analogy of an oil change in a
car, of IT security, but it's the same. You don't want to wait until that
engine locks up to do something. You don't want to wait until you get hacked
and compromised to actually act. Sometimes it's too late. And there's so many
companies that fail. There's hundreds and millions of dollars lost in
companies. When a compromise does happen. And then you get, if you have to
divulge it to your customers, that's a reputation loss there. So think about
those types of things. So guys, let's move on to supply chain. The world we
live in today, getting equipment, getting cars. Over the past three years,
we've seen shortage of even getting cars in the car lots, to computers, to
everything, right, toilet paper.
Will Nobles: But how does that in a technology form, the supply chain and third
parties getting compromised throughout your supply chain, in your business, how
does that affect your business from security attacks? Beau I'll start with you.
Beau Dickie: Supply chains are a weak link for everybody, because again, it
starts with the developers, where they're not developing secure. And most of
those companies are people who are development based, where they've had a
background in developer and developing software and solutions. And so if I, as
an attacker, target someone, the big one that hit the news a couple of years
ago was the SolarWinds attack. SolarWinds got breached. That had a major
impact because they got targeted. Attackers got in. They used their coding
software to embed their malicious code into that application. It was signed by
SolarWinds, and then they shipped it out as the next feature update. And that
affected every single one of their customers that had that product that was
targeted and nobody knew about it until several months afterwards.
Beau Dickie: And it was because some random third party company was doing a
test of an environment that had that solution and realized, hey, this is not
good. Another example was with the LastPass breach. Just last year, the threat
actors got into a developer's computer on their home setup where they weren't
supposed to be working from, but they were because of COVID and work from home.
And so they leveraged an attack to a personal computer that was being used to
do work for their business, and they used that to get in and stole a bunch of
password vaults that everybody thought was secure. Those are the two biggest
ones that really come into mind from that perspective. And a lot of people
think, oh, well, LastPass is big enough. That doesn't affect me.
Beau Dickie: I'm here to tell you, for the customers that we support, we've
seen an average of about a 300% increase in brute force attempts for people
trying to get into accounts that were in those LastPass vaults where we advised
all of our customers to go change every password that's in there. We
recommended they move off just to ensure that they were on a decentralized zero
trust platform that didn't use a cloud server where all that stuff was saved,
so that would mitigate that risk in the future.
Will Nobles: So, Mike, what have you seen?
Mike Bazar: Well, I was going to say,
even on the password thing, they're using, you know, things like ChatGPT and other
stuff that do machine learning to feed people's social media family, other
information hackers are, and then they're cracking passwords in minutes with AI
because they know you're going to use your pet's name and this and that. And I
can dump all this information into AI and it can correlate out, try some
passwords and crack things. So those things are presenting other challenges,
but that's kind off of, you know, I go back to right Target because everybody
knows the name. Target lost over a billion dollars in the quarter following the
breach. And most people go, again, Target's big, but what happens if the news
gets out for your small company or whatever?
Mike Bazar: People didn't shop at Target for a period of
time because they didn't trust their information would be safe there, that
their credit cards wouldn't be taken again, that it was going to be. And Target
can handle a billion dollar hit. Most businesses can't. Most businesses can't
handle fractional. I mean, or $100,000 hit. Right? What happens if your cash
flow stops for a period of time? Those are the kinds of questions you have to
ask because let's say QuickBooks got hit with something, and I'm not saying
just whatever, but if you couldn't do billing and invoicing, and that's what
you're using for it. And QuickBooks cloud got shut down for ten days because of
some weird breach. What does that do to you? Right? Do you have plans or
thoughts or other things in place?
Mike Bazar: And that's where you got to start
thinking through all this. And how does a third party impact me? How do I kind
of audit through that? What does that look like? Because there's potential that
some of those things could happen. We got an email yesterday, actually, and it
was Xerox software, PaperCut, that they use, and there's a
weakness in it. There was a security vulnerability that just disclosed, and
they've got a new patch for. But we basically, within an hour, had a script that
we wrote that was running through any of the servers on all of our customers
that have it, looking for those indicators of compromise. That's a third party
thing. Right? It was Xerox's software.
Mike Bazar: It was their problem that had it,
but it directly impacted the businesses that we manage because there's a chance
there's a hacker that got into there, and now you have all these privacy laws
and everything else. Right. In Texas, I think the privacy laws, if your privacy
data, which is pretty broad. Right. I think it's like name, address, like any
two pieces of identifying information. If that affects more than 250 Texans,
you have to report that within 30 days of knowing to the attorney general of
Texas. Right. And it doesn't matter where your business is, they say. So even
if they're in Atlanta, if you have 250 Texans in your database, you're supposed
to be reporting that. So now you may be violating laws that you didn't realize
because some of that data breach happened and somebody might have had access
to.
Mike Bazar: And what happens if that
starts coming out and that starts getting in the news and that starts getting
wherever? There's an erosion of trust that can happen. Sometimes people are
numb to this, but I think when they hear a name of somebody they've dealt with,
that's a small company, that's a big deal. And then the other side of that is,
if those third party things do happen, a breach or some of the thing, and it
potentially shuts down some major facet of your business, how do you survive?
Right. So if you talk through disaster recovery planning and all those sorts of
things, that all becomes a big piece of cybersecurity that a lot of people
aren't necessarily thinking about.
Will Nobles: A lot of people say, I don't have
to be compliant because they don't have to meet HIPAA or SOC or SOC 2 and all
the other compliances out there. But they quickly forget that states are
mandating compliance and the state level. There's not really a govern for every
company from GDPR in the EU, right? But every state is starting to deliver
legislation to say, here is the things that you have to have in place as any
business. I don't care if you're a doggy daycare or sell donuts, here's any
business that needs to.
Mike Bazar: And Jon has said it a lot like PCI
compliance, everybody accepts credit cards, right? And they very often go, oh,
they handle that. If you really go look at that agreement with that credit
card, almost every time Jon DePerro, your compliance officer, looks at it, he
finds something the business is violating, essentially, which means if there's
a breach, they're going to dump it in your lap. They're not going to come back
and go, oh, you're right, we own that. That was our fault. They're like, oh no,
you violated this one line you didn't even know you had to comply with in your
57 page agreement to accept credit cards. Now we're going to come back. And
again, that falls into this third party category because that's what it is.
Will Nobles: And they pushed it further down
now to the merchants, the individual businesses.
Beau Dickie: It's on the business owner
themselves now. That's one of the big things that changed just this year, just
to show how big of a deal this has been for the industry when it comes to
credit cards is, they pushed all of that down to the very business owner as
part of that compliance standard. So if you're accepting credit cards, and a
lot of people think that PCI or the payment card industry just applies to
credit cards. No, it's applying to your ACH bank transfers that you're using
for businesses as well. And it hasn't traditionally applied to that. Now it is
because guess who handles those? Your merchant services provider. So it's
gotten a lot more stringent and it's only going to get worse. Every state, five
years ago in the United States, every state didn't have any kind of PII mandate
act or law.
Beau Dickie: Now, within just the last five
years, every state in the 50 states now has some law in place to where you're
required to protect personally identifiable information. And as Mike said,
that's any two pieces of information, a name, a phone number, a name and email
address. Email address and phone number. If I can have those two pieces, I can
find you on the Internet and having those. Every state's got a law where that's
got to be protected not just for your customers, but for your employees.
Will Nobles: So, guys, we've got probably two
types of people. We've got a person that says, okay, what do I need to do? And
the other will say, well, it's going to happen to me. Why should I spend the
money? Right? We'll get in a second of what are some measures that they can do
to start protecting from and not getting off of the third party piece of it.
But what do you say to the company that says, you know what, it's going to
happen to me. My credit card is going to get stolen. I'm going to end up on the
dark web. I'm going to get compromised. So why do anything? Mike, I'll start
with you. What do you say to that person?
Mike Bazar: Yeah, I mean, there's the why
matter or whatever, right? So some people think they can dump it back off on
their insurance. But then again, you guys know this, we'll audit people's cyber
insurance a lot, and they aren't complying with what they are. So their cyber
policy is not really valid. If you don't do what you're supposed to be doing on
your cyber policy, it's going to require a lot of this. And again, it goes back
to a lot of the reputation damage and what's going to happen with your business
if you just say, deal with it later? If it shuts your business down, you can't
bill, you can't invoice, you can't get to your credit card transfers, you can't
get to payroll, you can't get to those things are big. If you can't do payroll,
how long before your employees find other jobs?
Mike Bazar: Right. They're not going to stick
around while you sort it out. A lot of the time, they have bills to pay. They
got to go find another job. Potentially. If they're worried that means that's
not going to be there for them in the future, then they're going to potentially
run off with it. So I think sticking your head in the sand is just not a way to
go. And the more regulation that comes out, the state of New York, California,
has really stringent regulation, and it usually applies just if you do business
with people that do business there or whatever. But as that trickles down,
there's more and more teeth that are coming into this from a regulation
perspective, because the only way we get ahead of the hackers is if we actually
try. Right?
Mike Bazar: For the longest time, cyber has
been a very defensive battle, and it was convincing people and it was buying
the bare minimums and it was doing these little things. And now I can tell you
when companies are doing acquisitions or when companies. So if you're looking
at selling your business down the road or whatever, all those things they're
looking at, what's your cyber policy? What's your posture? Investment firms are
looking at that this is starting to trickle into other facets of things because
nobody wants to get caught with it. And I wouldn't be surprised the moment it
starts trickling in with, oh, you want a loan, oh, you want to do this, you
want a line of credit, what's your cyber? Because that's part of the risk
portfolio that we need to assess before I do these other things to do business
with you.
Mike Bazar: So more and more, this stuff is
getting pushed down and it's either you can stay reactive to it or you can
start to say, let me take steps into how do I become compliant? How do I become
more secure? Because I can guarantee it's not that far off before there's a
federal law like GDPR or something else. And truth is, you're probably
violating laws you don't know that you're violating right now. Right? You have
business with somebody in Europe and you don't realize it, but that means you
need to comply with GDPR.
Will Nobles: But Mike, I only had one entry of
one person in London, does that matter?
Mike Bazar: Yes, it does. So this is the thing
that a lot of people don't get. When you go to websites now and you get the
little pop up that basically says how we're using your information and it's the
cookie thing and you got to hit yes or no, and you can select how use a cookie.
That's all driven out of GDPR. But most of those websites you're going to
aren't even European websites, but they have one person or people from Europe
are, or they're not going to block traffic from Europe. So if a European person
hits your website, technically you have to comply with GDPR, right? And a ton
of US businesses don't. Now, can the European Union come sue a small business in New
Bern? Probably not going to happen. Right?
Mike Bazar: But sooner or later, that
regulation is coming down on the US side and it's going to start getting pushed
more and more. It's a competitive thing. You can start talking to your
customers. We protect your data, we do these things. We won't sell it. When you
can start talking about that, people think about that more than they ever have
because of TikTok and whatever else. As all this stuff gets into. How is your
data being used, and you can use it as a competitive advantage. Hey, we have
good cyber. Hey, we protect your data this way. Hey, this is why you should do
business with us instead of somebody else, because we care more, and that can
be even a competitive advantage.
Beau Dickie: Yeah. I'm going to expand on what
Michael said. A lot of it is really, cybersecurity used to be the big ugly
elephant in the room that nobody wanted to talk about. Well, now it's in the
news. Everybody sees it. It's discussed in social media platforms. It's
basically become another business function.
Mike Bazar: Right.
Beau Dickie: So a lot of what the cybersecurity
industry is shifting to isn't just about the compliance aspect of it. They're
shifting it to where it's a business continuity piece. And that's a selling
point for a lot of people because that's a question in everyone's mind, even
though they may not ask it out loud. What is this company doing with my
everybody? Everybody talks about Mark Zuckerberg and what he's doing with Meta
and how they collect all your information from Facebook. What are they doing
with it? They're profiting from it. I can guarantee you that they're selling
it. But who's buying it? Are those the people that are going to be the ones
coming after your business next? In this year alone, I've had five incident
responses that I've worked.
Beau Dickie: And in three of those five, it's
been where someone's personal identity was compromised somewhere, and they used
that information to gain access to business critical systems. And we're talking
hundreds of thousands of dollars lost for those business owners. Who's
answering for that? Do you hold that individual employee accountable? Or is
that something that is going to get a slap on the wrist? But it's because a
third party service that they were using on their personal aspect was
compromised. Now that information is out there and somebody used the same
password in multiple locations, and now they have access to the business
environment. Now the business is suffering. That's where we have to hold these
third parties accountable in every aspect of what we do.
Mike Bazar: Well, I was going to say one thing
I would want to bring up quickly. I think, too, that could lead into a big
deal. But is a lot of people don't think when you talk supply chain and other
stuff like who's doing business with you and what do you ask of them? I know
another IT company up, I don't know, in the, you know, Michigan somewhere up
in there. I forget exactly. But one of the people that owed them money had a
wire fraud attack. Something that happened. There was a mix. The way it happened,
I forget exactly. But anyways, they lost $50,000. They owe him money for a
project he was supposed to do. He wasn't managing their cyber stuff, and they
can't pay it because they lost $50,000 on some other thing.
Mike Bazar: So that's now directly impacting
him, even though his stuff wasn't soon. I think that's even going to be part of
the question, is, you're going to go to do business with somebody and you're
going to say, hey, before you do business, to protect myself, I need to know
you have okay cybersecurity.
Mike Bazar: I need to know you have a wire
fraud policy in place. I know you need to have whatever to prevent those,
because I just don't want you to go insolvent accidentally because you didn't
take cybersecurity on purpose. Cybersecurity seriously. And then that impacts
my business. And so that's what I say. It's this spider web of supply chain.
Everything else and more that's going to get pushed out where you'll see it.
Like, we work with a hospital system that does a billion dollars a year, and we
have to sign and carry different levels of insurance and all this. And we're
literally selling them hardware. They're going to install it, they're going to
configure it. I have to have cyber insurance and cybersecurity policies in
place to sell them hardware. That's the kind of stuff that's coming down the
pipe.
Will Nobles: I had actually a neighbor that got
compromised small business. And a lot of people say, well, I'm too small for it
to happen to me. This was a guy with two 18-wheeler trucks, a small trucking
company, and he got a phone call, said they had a late invoice of $25,000. And
the steps that happened, as I tell you this, you're like, why would he fall for
that? But the thing is, they are good. They had him on the phone. He went to
the bank, wired the $25,000 and gone, just like that. Now, because he willingly
did it. He's not going to get that money back. Right? That's $25,000 lost. Now,
he is a small business. That hurt him to the point that he even had to sell his
personal car to cover bills. So don't look at it.
Will Nobles: That I'm too small or it's never
going to happen to me. It's going to happen to anyone. I had a CPA firm
actually, the last movie that I did was a cybercrime movie, which is on Amazon
Prime. And I had interviewed my CPA here in Atlanta, and he actually had his
wife got a phone call, said that they kidnapped him. And so I had both of them
in the movie for it and told the whole story. And the short version of it is
they convinced her to go to Walmart to get ten $500 gift cards and to send that
to them for them to release him. And so all in her mind is, he's in a trunk of
a car somewhere, and she's panicking, right? She never thought about. And they
said, you cannot hang up.
Will Nobles: And she never thought about
texting him or calling from another phone to say, hey, are you alive? He was in
a meeting the whole time. Right? And this is a small little CPA firm. So if
that can happen to a small CPA firm, a trucking company, it can happen to
anyone. And what we're trying to educate you here today is it's your third
parties, a lot of times, and your employees that actually cause the biggest
risk to your company. And when you're dealing with an IT company, you want to
make sure it's not just an IT guy. Right? My team does a lot of calls and say,
hey, we've got our IT guy. He's been with me for 14 years. And that's great.
I'm glad you have that great relationship. What you've got to think about, are
they keeping up with the risk?
Will Nobles: Like, the bigger IT companies are,
like Bazar Solutions, like Vector Choice. Are they keeping up with the
standards that should be protecting? Because think about this, guys. If an MSP
or managed services provider gets compromised, we don't just get compromised.
Hundreds of clients get compromised as well. So you want to be very careful of
the IT company that you use. And what measures are they taking to protect you.
We were a third party to you, just like other third parties are to you as well.
Well, final thoughts, Michael, start with you. Any final thoughts here?
Mike Bazar: No, I mean, I think you hit the
nail on the head at the. You've got everybody needs IT services. Who are they?
If you ask them how cybersecurity affects them, what do they do? What's their
policies? How do they do change orders? How do they do all those things? Right?
Talking through those kinds of things, looking at some of your third party
vendors, how do they work? And a lot of this can be mitigated by finding a good
IT firm that can help build those blocks, manage those things. Look at things
like zero trust and 2FA and everything else to help minimize the risk to you
of some third party breach happening. Even simple things like, do you have a
policy?
Mike Bazar: Because I bet your IT provider, if
you got a really good one, has a policy they can give you about wire fraud,
right? Here's what you should have in terms of when somebody requests a wire
fraud or a gift card policy or whatever, here's the policy for the company.
Tell all your staff and then don't get taken advantage of because you're never
going to ask for that. And you've defined those up front. Good IT providers
will help you do that and help you build those walls and identify the areas
where you might need to go to somebody and say, hey, these guys are really
tight knit with you. Let's go talk to them and see if they are doing security
well or if they need help or whatever because you don't want them to impact
you.
Mike Bazar: And that goes back up to kind of
who's in your corner and who's helping you do that. And while Uncle Bob might
be great at IT and fixing random computers and doing the other stuff, and he's
done it for 14 years, he probably hasn't stayed up on that cutting edge of
cyber and where it's all going.
Beau Dickie: Speaking of good IT providers,
Michael, another thing that your good IT provider is going to do is they're
going to evaluate who your third parties are as part of their security posture
because they can't secure what they don't know is there. Right. And so you'll
have an asset inventory. That asset includes the hardware and the software. And
somebody needs to be putting pressure on those third parties that your client
has as that IT provider and saying, okay, these are the things that they're
required to have. You want to do business with us? I need documentation. I need
proof that you're doing this, putting them on the hook and keeping them there
and making sure that they understand that somebody's looking at it because a
lot of third parties, they don't, because they're not being forced to do that.
Beau Dickie: Once they're forced to do it, they
stop asking. Some of the communications with them start being a lot easier,
too. Happens all the time.
Will Nobles: Well, guys, I want to thank you
guys so much for being on. If you have any questions for us, you can email us
at info@vectorchoice.com or give us a call. But for being on today, I want to
give you guys a special. And Beau loves when I do this, but I'm going to give
you some time of him for free, no charge. QR code here. You can scan that or go
to webinar, and you can go there and schedule a time with Beau, and he can talk
to you about your third party, your security posture with your third parties,
as well as with your IT company. And sometimes we're not even looking at
displacing your current IT company at all. We want to just really advise you of
what to look out for, educate you.
Will Nobles: So use Beau's time to help educate
you of what you should be asking your IT company and your third parties. Mike,
Beau, thank you guys so much for being on today.
Mike Bazar: Appreciate it, guys.
Will Nobles: Thank you. And have a wonderful
day, everyone.
Mike Bazar: Thank you. Bye.