The City of Pensacola Cyber Attack and All About Firewalls
Dan Diamond: Good morning. It's 8:30. My name is Dan Diamond and in the studio with me I do have Bit-Wizards. First of all, Vince. Good morning, Vince.
Vince: Good morning, sir. How are you?
Dan Diamond: I am doing wonderful, and thanks for that input, by the way. Also, we have Jennifer Kraus in here. Good morning Jennifer.
Jennifer Kraus: Good morning, Dan.
Dan Diamond: Jennifer, tell us what you do for Bit-Wizards.
Jennifer Kraus: My official title at Bit-Wizards is the mid-service manager. We have an internal mantra in my department. It's, "Happy customers. Great IT," in that order. My responsibility is to make sure all of our clients are happy.
Dan Diamond: Well, that's good. She got a big smile on her face, and everybody's happy. You probably serve hot chocolate too.
Jennifer Kraus: I do.
Dan Diamond: Absolutely. Well, let's get right into it, shall we?
Announcer: Bit-Wizards, bits and bytes.
Dan Diamond: What do you got, Vince?
Vince: Well, today I'm going to not necessarily start off with the news. I got a couple of housekeeping items that I wanted to address. First of all, I wanted to give a good shout-out to Jennifer Adams and the folks over at the TDC. Last week I attended the TDC annual meeting. I was really impressed with the direction that they're going, in terms of the way that they're trying to brand Destin, Fort Walton Beach as a destination, and how they're trying to balance that we want to create socially responsible programs that benefit both our locals, as well as our tourism. It's important to us because a rising tide floats all boats. Two of the areas that our economy is on, is on military and tourism. I just think that they're doing a good job, and I wanted to give a shout-out. I attended that meeting last week, and give them a big thumbs up.
Dan Diamond: For those who don't know what TDC stands for, it's Tourist Development Council.
Vince: Yes. Absolutely.
Dan Diamond: I've attended that a few times myself. Really and truly you get a good feel, a good sense of what's going on in our area when you attend one of those meetings.
Vince: Absolutely. They just do a great job. They're really taking a fresh approach in the way that they're looking at it and how they're trying to attract the right kind of folks to our neighborhood that basically props up our community.
Dan Diamond: Absolutely. Get that tourism down here.
Vince: Yep. Absolutely. The other one I wanted to address is, I'm going to poke the bear a little bit, per se. I want to give a shout-out to the businessmen who called in to voice his displeasure about our commercials that are running currently on Cumulus Broadcasting.
Dan Diamond: We do fun commercials.
Vince: We heard you loud and clear it. I just want to tell you guys that Sam and I wrote all eight of those commercials, and Cumulus did the voiceovers for us. Charlotte Bergman, our friendly sales rep, helped us get all those taken care of, and we're really proud of them. We accomplished our goals there. We wanted them to be funny. We wanted them to be memorable. We wanted to be edgy, and we want to be remarkable. I know that they are, because this gentleman took time out of his busy day, as a business owner, to call us, and let me know that it had struck an emotional chord with him. We connected, and that's actually a good thing.
Dan Diamond: Well, good.
Vince: But his call also tells me that we got our contact information correct because he used the website address, that's www.bit-wizards.com and was able to find us. He actually looked up our phone number and gave us a call. I want to let him know that we understand that not everybody's a good fit, and he was insightful and helpful in helping me determine that our commercials are meeting our goals, and that we're not going to change a thing about them. They're clearly effective. Again, I want to thank him, and wish him the very best.
Dan Diamond: Absolutely. You know what the power of radio, Vince, can you believe it? Yeah. How about that? Instant success.
Vince: We can launch into the next segment.
Announcer: Bit-Wizards, what's up our sleeve?
Dan Diamond: This one is, "What's up your sleeve?" We'll let [inaudible 00:03:50].
Vince: Well, we're going to start with the thing that happened over in Pensacola yesterday. It came out in the Wall Street Journal that the City of Pensacola was hit by a cyber attack. They shut down most of the city network, and they are trying to get things back up. Right now they're doing things via stubby pencil and paper. It's going to stay that way until they resolve the issue.
Dan Diamond: Even some of the phone lines aren't working right now in City Hall and things of that nature.
Vince: Absolutely. Tying that back into small business, everybody is vulnerable and IBM security research did a study. The cost of a data breach has risen about 12% over the last year, around 3.92 million on average. What's interesting about that, when they divided out by business segment, they found that it costs about $204 per employee breach, or per employee for each breach for employees over 25,000. Organizations that are 500 to a thousand employees, it costs about $3,533 per employee. Even smaller companies, it cost even more. Smaller organizations, then, have higher costs relative to their size than larger organizations. This really hampers their ability to recover financially from some sort of an incident. It's really important. And people need to take it seriously.
Jennifer Kraus: I wanted to add to this. Even these smaller businesses, it can be much more detrimental to the smaller businesses because the larger businesses might have the capital and the money to bounce back even if it takes a little while. But the smaller businesses don't always have the ability to bounce back.
Dan Diamond: Yeah, I can see that. I mean because you know, larger businesses obviously have larger capital, and smaller businesses could really wipe them out.
Vince: Well, and they also often don't have the expertise or the resources to battle an incident that happens. A lot of people don't realize this, but the lifecycle of a breach is about 279 days. For about 206 days, they've breached your inside of your systems, and they sit there, and they watch what's going on. Usually by the time you realize that there's been a breach or something's happened or they take some sort of action or they do ransomware or something, it takes about 73 days typically, on average to, to contain that type of a breach. I want to be positive here because I don't want to scare everybody to death. I mean I want to tell them that there's hope. There's things that you can do that will help you be proactive about this and make sure that your business is protected and ready to go on. The first one is to understand that security is not a passive activity. It's something that everybody has to be vigilant about. You need to make sure that you train and educate your employees on the different things that are going on.
Jennifer Kraus: Part of the being vigilant, a lot of the breaches and a lot of viruses come through email. There are a lot of crafty, very clever ways to disguise emails. Being vigilant is very important, especially when it comes to what is arriving in your inbox. Always pay attention to the sender and pay attention to what the email is asking of you because that is a big way that breaches are happening.
Vince: [crosstalk 00:07:24].
Dan Diamond: **inaudible** Excuse me, just for a side. I do have a question though?
Dan Diamond: Because oftentimes, when you have a business and you're expecting emails, maybe for your business, the people you don't know because you're looking for new business, and you open that email, how can you control yourself? Or how could you avoid getting a virus into your computer or malware or anything else?
Jennifer Kraus: Part of the being vigilant is paying attention to who the sender is, who it's from, what they're asking of you. Not that long ago I received a junky mail from Vince Mayfield in my spam folder, and it said in the subject line, "Hey, I need a favor." In the email it said, "Hey, I need you to run up to the store, buy me a gift card, and email it back to me real quick. I'm busy. I don't have my phone on me right now, please. Just email me back." First of all, I know that Vince is not going to send me an email like that. Second of all, I looked at the sender, anybody can change their name to Vince Mayfield, but if you look at the actual sending address, that's the first thing you want to pay attention to because that's usually how they catch you.
Dan Diamond: Now when it comes to malware though, usually it's a link, isn't it? You got to click on the link and once you click on that link, then it downloads a new computer.
Vince: But it's the same thing. You can see the contact, the name. It could be a name that you recognize but the sending address if it's, ilovetheradio652@yahoo.com, that's when you want to pay attention.
Dan Diamond: Yeah, I know what you're talking about. The sender's email address, for example, **inaudible** Cox communications, they have tons **inaudible** Cox communications. They have tons of that come out, but it won't say Cox communications. It don't say cox.net. It won't say anything. It'll have some weird address and you go, "There's no way it's coming from them."
Jennifer Kraus: Exactly.
Vince: I was going to say the other thing that we could do, that Bit-Wizards does to help out with that is that we use Office 365. In the email that with Office 365, we use Advanced Threat Protection. One of the things it does is it takes every hyperlink that exists inside of your email, and it goes out and does a scan of that link to see if it is a safe sender. It may take a second or two longer for your email to come into your inbox, but one of the things that it does is do that scan and does that proactive step beforehand.
Dan Diamond: Good.
Jennifer Kraus: True story about the link scanning and attachment scanning... It will continue scanning weeks and months after the email arrives to your inbox. I actually had an alert a couple of weeks ago that said that a link in one of my emails that I saved in one of my folders has changed, and I should be aware of that. That was the first time that I've ever experienced a link actually changing on me. It is good to know.
Dan Diamond: Well, that's interesting.
Vince: I want to give a quick shout-out back to the office to Tabitha Erickson, our Director of Finance, and Caroline McCoy, my Executive Assistants. I promise I will never send an email that asks you to transfer money out of our bank account to someplace else that's sent-
Dan Diamond: **crosstalk** Or a gift card-
Vince: **crosstalk** Or a gift card.
Dan Diamond: Absolutely.
Jennifer Kraus: Definitely not.
Dan Diamond: Oh, man. Do you guys get attacked? I mean you guys are Bit-Wizards, you get attacked too?
Jennifer Kraus: They try. One of the interesting things that we have recently gone through is penetration testing, which means that we have hired a very reputable company to attempt to breach us internally and externally. We went through this exercise so that we could protect our privates, and we can protect the privates of our clients. We went through that testing so that we could be prepared in the event that somebody does try to attack us because they do. They'll try to attack anybody. They try to attack any organization that they can get their hands on, but it doesn't mean that they can get through.
Vince: Cyber crime is big business. There is a lot of financial gain to be done by doing it. If you think Bitcoin doesn't ultimately have value, it does. This is why these guys do it. They're able to transfer stuff anonymously because you pay real cash to get Bitcoin, right? It's almost like a commodity that you might use on the exchange. That's how these guys get their money, but once they get the Bitcoin, it's transferred encrypted, and there's no way for you to track where it actually came from or what it-
Dan Diamond: **crosstalk** Good way to launder the money I guess.
Vince: Yeah, it. It makes a really significant problem for law enforcement...
Dan Diamond: To track it down?
Vince: Yeah, absolutely.
Dan Diamond: And that is your ransomware. Those people get in, and they will hold you ransom for all of your information, your computer, everything at ransom until you pay you the Bitcoin I guess. And then they unlock it hopefully.
Vince: Yeah. That's one way of doing it. The other way that they also do it is they go in, and they go through your data, and they may find things like social security numbers if you have them stored of your employees and then utilize that to get tax returns or things like that.
Jennifer Kraus: Credit cards-
Vince: Credit cards is another one. They also, if you're storing a customer credit card information, we're all told not to do it, but I know small businesses all the time that continue to store customer credit card information electronically. It's not just electronically that's issue. Sometimes you have somebody that comes in the front door. If you've got a Credit Card Authorization Form laying out on the desk somewhere, somebody will walk by, snap a picture of that, and then use it. So there's a lot of things that have to do with their not just electronic security that you need to get into place. One of the steps that we took with Bit-Wizards here. She talked about the penetration testing is that we recently went with our accounting firm, Warren Averett. We had them do an SSA-18, [SSC-1 00:13:13] attestation and certification. The reason why we had to do that is they come in and make sure that we've got proper controls in place for our business and make sure that we've got best practices implemented, and that we have controls in place to make sure that things like this don't happen both at a physical level as well as an electronic level.
Jennifer Kraus: The focus of that compliance is on the availability of information, the security of information, and the confidentiality of information.
Dan Diamond: And that's what you do for your customers?
Jennifer Kraus: Mm-hmm (affirmative).
Dan Diamond: You learn from all of this so you can pass it down and enhance the security of your customers. This is what sounds like to me.
Jennifer Kraus: We've learned a lot.
Vince: Absolutely. Then that's also to let them know that we're also a trustworthy source, in terms of providing these types of services for the customer. As I talked before that there are things that the customer can do themselves. One of them is to make sure that you have the right plot partner and the right platforms. When you choose a partner that you make sure that you do your homework and sure that the company that you're trusting with your business is truly trustworthy. It's not just, "Go look in the yellow pages," or "Listen to somebody on the radio, and make the choice." You need to get out there, and do your homework.
Dan Diamond: However, if you do listen to some people on the radio, you will find that people like Bit-Wizards, can be trustworthy.
Vince: We can be!
Dan Diamond: Because they are after all the tip of the wand.
Vince: We are.
Jennifer Kraus: We are the tip of the wand and in all jokes aside, we have a fun environment. We have a great culture. Thank you to Vince and Louis Erickson. We take what we do very seriously. Information technology and protecting our clients and protecting data. It's very serious. We do take it seriously.
Dan Diamond: No, I agree. You know that is one point.
Jennifer Kraus: **crosstalk** We have fun!
Dan Diamond: That's one point very well taken because we can joke around with commercials, and we can joke around back and forth. But what you do for your clients, you take extremely serious. It's one way for you to be able to help them enhance their business. Like we've talked before, you take care of their computers and security so they can do their business.
Vince: Absolutely. We know not only to take care of them, but we talk about the culture that we have at Bit-Wizards. If you go to our website, you'll go out and take a look, and it looks like we have a lot fun, and we do. But we also know that people that are professional and they want to have a great work environment because they want to stay there. You don't want high turnover. This is why we invest so much in our culture that exudes over into how we help our clients out, and how we deal with our clients, and try to make technology be simplified. Then at the same time, we also have that level of professionalism that's necessary to deliver these types of services.
Dan Diamond: You guys are fun but serious.
Jennifer Kraus: We are. I have to give a little shout-out to one of our lead infrastructure engineers, Patrick. He pulled an all nighter at our office last night. It doesn't happen very often, but we have our director of IT, Sam and Brett helping one of our clients in Ohio right now with firewall issues. Patrick stayed at the office all night supporting them and making sure we get done what needed to be done for their firewall and their VPN. We're fun, but we're serious.
Dan Diamond: No empty whiskey bottles. They were seriously working.
Jennifer Kraus: There may be some empty whiskey bottles. I don't know.
Vince: Well, that's an interesting point because you mentioned firewalls. That's another thing that a customer can do is to have a firewall and to understand having a firewall needs to be continuously updated. At Bit-Wizards, we use a cutting edge cloud-managed firewall, called Fortinet, as part of our service. It ensures that you've got the very edge of your network protected. We also have multiple layers of security that we implement, which includes antivirus on your clients. We do real time monitoring and backups, patching, password complexity, and providing training and support for your employees. I would mention that a lot of people will run out and say, "Oh, I went down to Best Buy, and I bought a firewall, and now I'm good to go." Well, I want to say the type of firewalls that we use is a Fortinet Firewall is on the Gartner Magic Quadrant. Gartner is the market research company that publishes, and it's an IT consulting firm. It rates and looks at all of the qualitative and quantitative data analysis and demonstrates the market turn, such as direction and maturity that participants... You have to earn your position in the Gartner Magic Quadrant. Fortinet is on the Gartner Magic Quadrant as a leader in enterprise firewalls and in security information and event management. We use top of the line stuff so that we can stay at the tip of the wand or the tip of the spear, if you may.
Dan Diamond: Yeah. There you go. When you put that firewall in, say like you said, somebody goes down to Best Buy, and then they think they get a great firewall. But also the firewall... Isn't it also when you're installing the firewall and all the different-
Jennifer Kraus: **crosstalk** And the configurations...
Dan Diamond: **crosstalk** Yeah, the configurations. The firewall you're talking about, which is top of the line firewall, you're putting it in, and you're making sure that it's an effective firewall.
Vince: Yeah, absolutely. We set them up, we configure it, we set up the rules that are tailored to your particular business and how you operate. Today, in our [From the Spell Book 00:00:18:49], we're going to talk about one aspect of that.
Dan Diamond: I got you. Speaking of spell book-
Announcer: Bit-Wizards, From the Spellbook.
Vince: From the spellbook, today, we're going to talk about VPNs or virtual private networks. The best way to understand a VPN is it provides a point to point tunnel, that is the best way to think of it, between your network and some other location. That point to point network basically or that tunnel, what it does is everything is encrypted across that tunnel, and at each end there's a handshake on either side that says, "Hey, I am who I said I was. Yes, you're the person that you said you were," and vice versa as the traffic goes back and forth across. Some of the uses for that might be one, connecting two offices together that you may have. Like the client that we're talking about that we're onboarding, they have offices in Ohio and California and Michigan, and they want to connect those offices together so that that they are on the same network together as one. That's done with a VPN. Another one might be if, Dan, you want to work from home, and do your broadcast from home. You might have a VPN that connects to the firewall, and then brings you into the network here at Cumulus Broadcasting and allows you to work securely and transfer your data back and forth in a manner that would be secure and protected from prying eyes.
Dan Diamond: So with a VPN it's much more difficult to hack into.
Vince: Absolutely. Or for them to see or inspect the traffic that's coming across and see what you're transmitting back and forth, any sensitive data. The other way that we do it is use it to do data center to data center or your office to, say, a data center. For example, a lot of our customers, we move most of their servers off premise or off their location, and we moved them up into the cloud. Well the way we are able to connect them is we use a VPN that ties them between their firewall and where it resides up in the cloud to provide that secure connection and make that server as if it's actually part of their network.
Dan Diamond: So you can do that with a server as well.
Vince: Well, yes, sir.
Dan Diamond: In the cloud.
Vince: A server as well in the cloud, and that happens through the firewall. That firewall, obviously, that's a hardware device, and it runs software. It needs to be updated and kept patched. But it also requires software on your clients.
Dan Diamond: Oh yeah. Oh, that sounds to me like about the most secure way you could run your data.
Vince: Oh, absolutely. When you're doing VPN connections, that's the best way to connect locations together, connect two data centers, or allow your users to work from home.
Dan Diamond: Got you.
Jennifer Kraus: There are a lot of people these days that do work from home. We have a lot of clients whose bookkeepers work from home. When you're dealing with financial data, you definitely want it to be secure when you're transmitting it back to the home office. Having that VPN tunnel helps with that security.
Dan Diamond: Is that getting to be more and more common with VPNs?
Jennifer Kraus: Mm-hmm (affirmative).
Dan Diamond: More and more people using that?
Jennifer Kraus: Oh, for sure.
Jennifer Kraus: And there's more and more people working from home, as well.
Dan Diamond: Right. So they use the VPN so that their information is secure. It's probably faster too, I would imagine because you're going directly from one to the other.
Vince: It's not necessarily faster because all of the data has to be encrypted and deencrypted as it goes across the wire, but the speed is negligible these days. The encryption technology and the way that this works is pretty sophisticated. Plus, we're recommending to our customers because of the amount of data that's going back and forth, we're suggesting that they, not just with VPNs but just in general and the way that you communicate with websites and other things like that, your internet speed is very critical. The amount of bandwidth that you have, that's very critical.
Dan Diamond: I see. For the average small business, is there a speed that you would recommend for a small business or does it have to be tailored depending on how many computers they have and so on?
Jennifer Kraus: Depends on how many people, how many computers, what they're utilizing, what the capacity is. If you've got one office with five people, but each of those five people have a laptop and a mobile device, they may need a bigger internet speed, faster than an office that has five employees, but no mobile devices. It just depends on how much capacity is being used.
Dan Diamond: Obviously, you would need more than you would, say, at home-
Jennifer Kraus: **crosstalk** Yes, for sure.
Dan Diamond: **crosstalk** ... internet speed.
Vince: We monitor those things. We talked about that cloud managed firewall, the Fortinet firewall. We monitor your connection, and we monitor your network in real time. We just had a customer calling the other day that called me up and said, "Hey, I just want to tell you, your team rocks." I said, "Well, what happened?" He said, "Well, our internet went down and before I could even get into work, they had called the office, told me that the internet was down, and offered to call Cox on our behalf, and get a technician out there to get the network router replaced that is managed by Cox." They got that coordinated and done. He said, "If you do this for all your customers..." I said, "Yes, sir. We do." He said, "That is a testament to the type of company that you are."
Dan Diamond: That is a great testament right there. When you're a business owner, and somebody contacts you, and tells you what a fantastic job that your company did, other employees. That's got to be a great pat on the back, and you feel like you're going in the right direction.
Vince: Absolutely. We listen to our customers even when they're not happy with us. When they tell us there's something that's not working right, we go back, we have a group within the team, we get together, we talk about how we're going to mitigate that, and how we're going to fix that problem going forward.
Dan Diamond: That's valuable information though.
Vince: Absolutely. Truly is.
Dan Diamond: Some people will grumble, and they'll tell all their friends or whoever they know, "They did a horrible job." But if they can give you an idea like, "This didn't work for me." You can fix it and make them happy, then everybody's happy.
Jennifer Kraus: Part of what we do is we are the virtual CIO for our clients. Even though my responsibility is to keep our clients happy, I actively want to know when there is a problem so that we can talk about a solution from a higher level. A lot of people don't want to complain. Some people love to complain, but not everybody wants to complain. I actively meet with our clients, and I want to know what challenges they're having, what difficulties they're having, even with technology, because technology is not always going to be seamless, but we want to work with our clients to make it as easy as possible.
Dan Diamond: Yeah, and you must have a lot of work on your hands because always websites are updating, they're improving, and software improving as well. To keep up with that, you guys must always be digging into information and reading and getting-
Jennifer Kraus: **crosstalk** Constantly.
Dan Diamond: I would bet that it's a constant information overload trying to stay up.
Jennifer Kraus: We feed on each other, we feed from each other. We have a really good team. Our department is very strong, and we learn from each other. It's not one person's responsibility for anything. Everybody, just like today, every Tuesday, we have a weekly IT meeting. It's a longer meeting, but we go through changes that are happening, and things that everybody needs to know. We all bring something to the table, a value.
Dan Diamond: Yeah. I think Vince, in the past, you've said with your team, there are members of your team that are deep into certain things. You all have your specialty, but like you said, you can get together and cross-feed, if you will.
Jennifer Kraus: Mm-hmm (affirmative).
Vince: Absolutely. It's important to create that feedback loop, not only within the team but also with our customers, which is why we have multiple touch points with our customers. It's not just an email address. They can pick up the phone and call us at any time. Quarterly, we go over and do a review where we print out what are the things that we've done over the last quarter, what types of things you need to be looking at coming forward. Is there anything that's going to be obsolete? They are able to take that, and they know that we're keeping them protected and address whatever issues that they might have at that particular point. It's great touch point.
Dan Diamond: Well, you know something? You brought up a good point. It's not necessarily obsolete, but Windows 7 is now not going to be supported by Windows anymore. I think that's January 14th. Is that right? Something like that.
Jennifer Kraus: Yeah. About that timeframe.
Vince: January 20.
Dan Diamond: **crosstalk** 20th?
Jennifer Kraus: Yeah. January. It's within a few weeks.
Dan Diamond: Yeah, it's not far off.
Jennifer Kraus: No.
Dan Diamond: If you haven't upgraded to 10, at least, by now, you're putting your company in jeopardy after the 20th, if it is, in January.
Jennifer Kraus: And from a personal level, as well.
Dan Diamond: Yeah.
Jennifer Kraus: It's not just going to be businesses. It's any Windows 7 machine. Even if you're sitting at home with your Windows 7 laptop, you need to pay attention to that, as well, because they're all going to be vulnerable.
Dan Diamond: Oh, that's not good news. But then again, you guys have always talked about Windows 365. To me, that sounds like the Cadillac.
Vince: It is. It is the top of the line commercial product for productivity is Office 365.
Dan Diamond: Yeah.
Jennifer Kraus: Yeah. I do want to give a big Bit-Wizards thank you and shout-out to one of our clients. It's the Emerald Coast Regional Council. They provide transportation planning and economic development, emergency planning, environmental planning, and housing strategy and some land use planning. Bit-Wizards, we do provide the managed IT services for ECRC, and we want to thank Austin Mount, the CEO, as well as your team, Austin, for allowing Bit-Wizards to serve you. We absolutely enjoy working with you.
Dan Diamond: How about that? A good shout-out to one of your clients. I love that. Well, we're just about out of time. So Vince, Jennifer, I hope you have a wonderful Christmas. I actually, I think I might see you before Christmas. Vince?
Vince: I think we have one more.
Dan Diamond: One more.
Vince: **crosstalk** Yeah.
Dan Diamond: **crosstalk** Yeah. But thank you for coming in. We appreciate you, and I guess we'll see you next Tuesday for Bit-Wizards Tip of the Wand.
Jennifer Kraus: Yay. Thank you.
Vince: Yay. Thank you.
Jennifer Kraus: You bet you. Thanks for coming in.