Is Your Business Protected From A Cyber Attack?
Transcription
Announcer: This is NewsTalk 1260 WFTW Fort Walton Beach, a Cumulus station. The following program is paid for by Bit-Wizards Information Technology Solutions.
Dan: It is 8:30 it's time for Bit-Wizards tip of the wand in studio with me right now. I've got Vince and Sam. Good morning guys.
Sam: Good morning and good morning to our listeners.
Vince: Good morning.
Dan: Good morning Sam. Good to see you. As you know Vince was solo last week, so [ crosstalk 00:00:23]. Yeah. So now you're back on again kind of be able to prop him up a little bit. How about that?
Sam: Well, I listened last week I was listening because I was not an unable to attend. I was speaking at a local tech event and so I was unable to attend. But I did listen to Vince's solo acts and I texted him last night, let him know. I was very impressed. It's very engaging. I'm an IT guy, not really a software development guy. So I always find this very fascinating stuff to hear from someone who's been in the business for quite a long time.
Dan: A few years, anyway. How you've been with it for how long Vince? How long you've been involved with this?
Vince: With IT? Close to 30 years now.
Dan: Really?
Vince: Yeah.
Dan: My gosh. You start when you're two years old.
Vince: I am 53.
Dan: Oh, you are? You hold your age well. Oh man. So anyway guys, did you have a good Valentine's day?
Sam: Fantastic. No major screw ups I guess.
Dan: Oh, nothing really bad happened.
Sam: I'm still married, so-
Dan: You're still married-
Sam: I seem to have succeeded in that area.
Dan: So what do you do? Did you take your wives out for dinner or what did you do?
Sam: Bonefish. Took my wife out to Bonefish.
Dan: Bonefish?
Sam: Yeah.
Dan: How about you Vince?
Vince: Well we call that rookie night, so we don't typically go out on Valentine's night. There's too many people out there. Plus I got an eight year old and a 10 year old and so trying to coordinate that. So we pick another night during the week to go.
Dan: Got you. I fully understand that. I think we've all been there Vince.
Vince: Absolutely.
Dan: All right, let's get right to it.
Announcer: Bit-Wizards, bits and bytes.
Vince: All right. From Forbes. Well, it's kind of scary. The number of ransom tax has grown and it's crippling cities and businesses. I know that everybody knows most recently that we had the city of Pensacola. But what's interesting is some of the data that's out there, and according to newly released data, about 205,000 businesses in organizations indicated that they fell victim to ransomware attacks in 2019 which is up 41% from 2018. In the last part of 2019 the average ransom to get your files return was $84,000 nearly double of what it was the year before.
Dan: Oh my gosh. $84,000 now I'm kind of curious, if you pay that money, do they always turn it back on?
Vince: Well, it's in their best interest too, because they want to set the precedent that if you pay us, then they'll get paid. Right. That's their deal.
Dan: Okay.
Vince: So for the most part, what we understand is that typically once those things are encrypted, there's really no other option other than to wipe your drive clean and start over and lose everything or pay the fee to get it unencrypted.
Sam: Hopefully they will follow through. As been said, it is definitely in their best interest. Although I have heard of people doing this as almost to teach people a lesson just to encrypt their stuff and they have really no intention of ever un-encrypting it. I have heard of that. But for the most part, what we've seen... What I've actually seen personally in my own life as business owners refusing to pay that on principle and saying, " I'm not going to pay these people a bunch of money and we will start over if we have to, even if it's more expensive to wipe every single computer and try to start over again and we will do that rather than hand over this money." Unfortunately, those are really the only two options that you have. If you are unprepared for a ransomware attack when it happens is you either pay the bill, fingers crossed, you go buy a bunch of Bitcoin and figure out what is a Bitcoin and then after you've purchased it with real money that you can actually buy real things with and now you have this digital currency of Bitcoin. Then you send that off to some unknown person with some crazy address on the internet and hopefully they will return with a password for you to put in and to decrypt your files or you can just wipe everything and start over. The scary part about wipe everything and start over is make sure that whatever it was is truly gone because ransomware is a virus and it's spreads and the worst thing in the world would be to spend tens of thousands of dollars to wipe everything. Start all over and then that one employee who actually caused the ransomware in the first place go, " Okay, I finally have my computer back. Now, what was that email I had just opened right before? A lot of computers crash and double click the same email all over again."
Dan: Oh, my God.
Vince: A lot of people don't understand the cost to it. It's not just paying the ransom side of it. Even if you format and start over we have a client that we do software engineering for, but we do not do their IT for, and it's a manufacturing firm and they came in and they had a ransomware attack and basically it shut down operations for almost a week. I know that they lost millions of dollars.
Dan: Oh, no.
Vince: Now what they elected to do was to go back in, they had us in another IT firm come in and help them reformat all of their drives, restart, redo all of the firmware on all of their routers, all their firewalls and everything to get it back up and running.
Dan: So they didn't pay the ransom.
Vince: They did not pay the ransom. But I guarantee you that they probably paid probably six to 10 times more what it would've cost them to pay the ransom. Now, it was one of these deals where the owner of the company said based on principle, they weren't going to do it.
Dan: Right.
Vince: But I can tell you it costs them a lot of money. The issue is that ransomware continues to be a major security concern for small businesses mostly because they don't have the resources to properly defend against it or they don't have the technical knowledge and understanding of what they need to do. But there's things that you can do a lot of parts... A lot of the things that ransomware have to do with human engineering, have to do with training, and helping your people understand about recognizing what not to click on an email. What is okay and sort of recognizing the signs. At Bit-Wizards, we try to protect you at four levels. We start at the firewall and then there's antivirus and it looks at different packets that are coming over the wire to see if there are certain signatures that had to do with ransomware virus or things like that. Then we protect you at the machine level. There's antivirus on the machine both at the server and the workstation within your email and office 365 we protect you with advanced threat protection, which also does that. Then the last thing is I mentioned before is training. Teaching people what they need to do. Sometimes people will tell us, " Hey, I don't want to put my stuff in the cloud because I'm afraid and I think that's less secure." Just to give you an example, in the Microsoft cloud... Microsoft has 3, 500 security engineers and they are evaluating 6. 5 trillion threat assessments every day and coming up with solutions or ways of letting people know and understand how to fix those particular things. That's a lot of protection there. So if you think you're going to do it through just making it up as you go along. Or I'm going to disconnect from the internet or I'm going to do this. There's a lot of ways that a virus can get in and hit you.
Dan: Wow.
Vince: I'd like to-
Dan: That's a lot.
Sam: Every time we talk about ransomware with clients or potential clients, one of the things I hear back so often is, " Well, I don't have anything they would want." It's because we're thinking in an analog way. If I have a lot of money in my house, squared away under the bed, then someone's to want to break into my house. I have to protect my house. But if I'm living in someone's backyard and attend, I don't have anything for noon to break into. Why would someone break into my tent? The difference with ransomware though, it isn't whether it's valuable to somebody else, it's whether it's valuable to you. So think of this more like a high profile kidnapping case where they have something they don't really care about the thing they took, they just cared that it means something to you and that's where ransomware kicks in. Because I hear this so often, 'I don't have anything anyone else would be interested in.' When we talk about all the layers of protection we want to put in place and I let people know that they're not trying to get in there because they think you have something they want to steal. You're not Boeing or someone like this. You may have some trade secrets that are the government that the national security relies on. Well they care about is do you care about your files? Because if you go without your computer system for an hour, a day, a week, however long it takes you to come back, how much would you lose and how much would you be willing to pay just to get back up and running again as an organization?
Dan: Now that being said, what would be some of the steps as a person could take as far as backup goes? Would you backup on a hard drive backup to the cloud? Because if you get the ransomware and let's just say on principle, you say, " Oh, I'm not going to pay that money." Just for an individual if you will, or maybe a real small business. So if you backed it up and they did the ransomware, you could say, " Well fine, go ahead. Or we don't care because I have it all backed up in these different locations. I'll just pull it back down again and go on my way."
Vince: Yeah. Backup is a clear way of defending against this. I mentioned those four levels and that's trying to keep stuff from coming in.
Dan: Right.
Vince: But on top of that, we do, do backups. So we backup the entire machine. We back up also the individual file folders where specific pieces of data or cap and that way if they do have an attack, we can isolate it to a particular area. Because you're not going to 100% protect against these things. You're going to probably do 90% and like I said, a lot of this has to do with human engineering, right? Where you try to get somebody to click on something. I mean, just the other day I got an email telling me that Sam wanted me to transfer $1 million to his account. That wasn't you, was it Sam?
Sam: It was. I'd been waiting for that to go through. I just don't know why you've been delaying so long. With that, the security of the backups. One of the things we do with our clients is we have them start storing their files in the cloud to begin with and then we go another level and back that up. A good example of this is a co a company up in Niceville brought us in to work with them when they got hit with ransomware. Fortunately they were storing all of their files in SharePoint online, which is what you get with office 365. Is already bundled in there and we had helped them move all their files in and they got hit with ransomware and it was this big deal. Everybody, nobody could work. The entire company was taken out and so we get on the phone with Microsoft and we said Microsoft, we need to roll back all of their files to Friday at noon and Microsoft presses a few buttons on their end and then everything's exactly back the way it was Friday at noon they wrote all back. On top of that we've then backed up their SharePoint on top of that. So even if Microsoft fell through because they do a 14 days worth of backups, we do an additional 90 days on top of that so that we could even go back even further if we had to. Now of course you lose any work that happened in the meantime, but that's the main protection against it. That and training.
Dan: Yeah. Based on everything we've been talking about. What is the one thing that you would say that would help people from getting ransomware? Just the one thing.
Vince: Be careful what you click on in your email. In other words, take a look and examine each one. Don't just blindly go through and click on things and if you'd get things that you don't know who they came from, don't open them. If they're suspicious, they probably are an issue.
Sam: Yes.
Dan: Go you. All right guys.
Announcer: Bit-Wizards. What's up our sleeve? What's up our sleeves?
Sam: Well, what's up our sleeve? This is where we talk about our key topic for the weekend and this week Vince and I were talking about this last night about what we're going to talk about today. One of the things that we thought would be a good topic to discuss would be how much it does your business need. Depending on the size of your business or how long you've been in business or what you do in your company, what is the right or the appropriate amount of IT that you're going to need for your organization. Really there's probably four levels of how much IT you could have. There's the base level that everybody has, which is, well, I have a computer, I have an iPhone, I know enough to be dangerous. I'll take care of this myself. For a lot of organizations just getting started out. It definitely feels that way. Well, I've had an email for 20 some odd years. I'm sure I can figure this out for our company as well and that I have my own Facebook page. Surely I can figure out a social media presence from organizations as well. That would be the first level. The next level up though from there would be what we call the break fix model. The industry term for that is break fix. Break fix can happen a couple of different ways, but really what all it means is when something breaks you find someone to come fix it. In a break fix model, there's no preventative maintenance, there's no investment into it. It's really just I'm going to keep trusting that everything is moving along as smoothly as possible and when something goes horribly wrong, then I'll call in the expert to come in and fix. It's kind of like you would with your vehicle. You're going to trust that it's going to work and when it doesn't, you go to the mechanic and that expert is-
Dan: The preventive maintenance for nothing. When it breaks, it breaks and then, oh.
Sam: Right.
Vince: That expert is your second cousin twice removed. Who knows IT. Who thinks he can tell you how to fix this specific thing.
Sam: That's right. I know that kid, he's got an Xbox even it's not a lot about computers, so I'm going to have him come work on my company's files. A funny story about that. When I used to work in radio, we had someone come volunteer on our radio show and he was an IT guy and so he had volunteered for one of our people and so he took over some of the web presence that we were doing and then he had a falling out with the radio station and he went in and he wiped out their website-
Dan: Oh!
Sam: ... and he just put a big picture of a goat rearing end pooping. It was the main landing page for the radio station for about an hour. This is the problem with break fix. This is the problem with that nephews, cousins, brother twice removed this. When you allow them into your organization you are allowing them a certain level of access to things that you need to be able to trust them or you can work with... There are organizations definitely out there that do rather than what we would call managed services. What they do is they just do break fix. They are on call for when you need them. Typically it's pretty pricey in that model because the only way they can predict their revenue stream is by pushing up the prices as high as they can so that when you do call them, it really is an emergency and then they'll swoop in to the rescue.
Vince: Yeah, and you're at their mercy because you don't know what it takes to get things done or how long it takes to get certain things done. Or you know what the real problem is or underlying issue. Typically they're not fixing that. They're not doing any kind of root cause analysis or just basically patching what you've got.
Sam: Exactly. So they may come in and re-wipe a computer and restore it because it got some kind of virus on it, but then they're not doing anything after that to make sure that it has continued antivirus after that. There's no service level agreement in there to expect that, if I call, they'll get back to me within an hour and that they will get this taken care of. Then as the company grows larger, one of the options that a lot of people do is they look to hire an IT person. Sometimes that comes from within the organization. You have that one person who seems to be technologically gifted. so you kind of shift that person out of his or her role and into more of a technology position. But then you have the problem of, well, what is their job description, really? Is it doing the thing that you hired them for or is it doing the thing that you now rely on them to keep all your computers and your systems running? Because you have that one person who's the only person who knows how to work this piece of software that is absolutely critical to your business. Or you can start looking from the outside and say, " How could we hire either an IT person or as the company grows, maybe even an IT team."
Vince: Well, and I think the other thing that people don't realize is that IT is a wide field. I mean, you're not never expert in everything. So there's hardware, there's software, there's networking, there's productivity software, there's phones, there's security, there's compliance and then you get down into specific technology. So it is a very wide field and not all technology professionals are created equal. The other thing that people don't realize is what the cost is to hire an IT professional like that. I'm talking with somebody right now that they've got sort of a part time IT person that's coming two days a week and in my view it's definitely not enough because if you look at the industry standards, it's usually to take care of about 70 individuals. You need at least one it person. But the cost of an IT professional just to just a break fix type of person, somewhere between 40 and $62, 000 a year. Then if you start stepping up a little bit where they need to have a little bit more experience in understanding a sort of a network or system administrator type, you're talking 60 to $82,000 a year. Then if you get into the areas of firewalls and networking and that type of thing, you're talking somewhere between 82 and $125, 000 a year. Those are fully loaded rates with benefits and stuff. But people don't realize what it costs to get that.
Dan: Well, that being said though, that individual that you might hire versus having a team like Bit-Wizards, they might be expertise in a few fields where you have people expertise in every field. So when they draw with Bit-Wizards, whatever problem you have, you've got somebody there that knows how to fix that. Where if you hire an IT person, they might know part of it and they might not.
Vince: Yeah. That's sort of how a typical it department within a larger organization is set up and that's what we do. Typically, you have people and they're a mile wide across technology and then a mile deep and two or three areas. Right?
Dan: Right.
Vince: So, you may have a person that's an expert in hardware and software, another person that may focus on productivity software and other that is a person that understands phones and phone networks. Security and compliance is another particular area where people tend to specialize on. But in general to have a team of people to be able to do that is very difficult to staff.
Dan: It would cost them an awful lot of money if a team with yourselves, if they were to hire all of you guys just to work for their company.
Vince: Absolutely.
Dan: But they can hire you guys a lot less money just for the service you provide.
Vince: Well, and IT is... We've said this here before, IT is not a passive activity. It's a proactive activity and it's something that's absolutely critical to today's business. Whether you're a one person shop or whether you're a 5, 000 person shop of people. Right. It really doesn't matter. IT has equal weight within all organizations these days.
Dan: Sure.
Sam: In fact, that's why it's such a wide field because what you'll notice is that more and more things are being taken over by what we would call technology, right? Like all technology today, it used to be a thing and it used to be your car was a very mechanical piece of equipment. Now it's just a computer with four wheels on it. Right? It's happening across the board. The phones, it didn't use to be the purview of an IT person to worry about phones because that was the telephone companies problem. They would bring in the wiring and they would split the phones on your desks and it was completely separate. But now we have VoIP phones. The voice over IP phones is pretty typical across the board. So now even our phones have become an IT issue and security is the same way. Compliance didn't use to be a technology field. That was something that you had with whatever your requirements are by the government. Now almost 80% of your compliance regulation is probably going to be technology related. So the IT that you bring in for your organization is getting wider and wider. The different fields that they have to be, not just familiar with but also up to date and going deep on some of these topics.
Vince: Customers are just simply not tolerant these days of companies that don't have their IT act together. Then of course if you get yourself into trouble, you have a data breach or something that happens, not just the customer, that can end up in legal issues and the courts are becoming less tolerant of it. I happen to know another CEO that basically had a guy come in and work for him and the guy basically took the laptop with data and information out and then use that to set up a competing business. Took the individual to court and basically the judge told them, he said, " You know what? You didn't have your act together." He says, " I'm going to rule basically 50-50 on this deal. Don't come back to my courtroom again unless got your act together and do the things that you're supposed to do as a business to protect yourself." Basically, the guy didn't protect himself before. So as judges, there's a group of older judges that are kind of going away. Younger, more tech savvy judges are coming in and they're ruling a little bit differently than what the other judges. They're saying, " Hey, it's your responsibility to do this." Sam mentioned phones and just a phone itself, think about it, when people come and phones, we are worried about device management today. Because some of that business data exist on people's individual phones. Right? How do you control that data? If you've got a sales person that has access to your CRM or that has your customer data or information on it, that's critical, right? If they walk out the door, what happens to that word? Is your responsibility in? So it is critical for every business today.
Dan: Got you. So many businesses probably don't think they need IT, but in fact they really do need IT because your business isn't going to survive unless you're out there with technology, with on the internet, with social media and all of the and protected from getting viruses, getting hacked and getting your business destroyed.
Sam: Absolutely. But Dan, those things are a fact. Well and we... There's pros and cons to all the different ways of handling your it for sure. I mean the pro of I'll fix it myself is that it doesn't cost you anything in the short term. It's the freest solution there is. Is I'll just take care of it myself. But there's plenty of cons to that too and that is are you willing to also run your business and try to stay up to date with all of the things that you need to be aware of. Then even on the break fix model where you have your wife's cousin's nephew that can come in and fix it or a full time IT company that can be break fix. Then the con there is it is pretty expensive to do that, but there's... The pro is, well I don't have any ongoing recurring costs. However, that actually also makes it bad for budgeting. Having an IT person means that that person needs to be broad spectrum, that you can't hire someone right out of high school and expect them to learn on the job. But the pro with having someone there is they really do know the business and you can text them at two in the morning and say, " Why is my printer not printing?" But there's plenty of cons. We've tried to find the best of all of those worlds with the most pros and say what if we can do this IT as a service. Managed it services where you have a full team. We have about a dozen engineers on our team right now who are wide across the board but deep in their own specific areas, but with the lower costs of being able to only pay for it when you use it kind of model.
Dan: Do you have some... You have a company like Bit-Wizards where you don't have to do crisis management on a regular basis.
Sam: Absolutely.
Dan: Because that stinks?
Vince: It does.
Dan: All right guys.
Announcer: Bit-Wizards, from the spell book.
Sam: So from the spell book is where we take and demystify some technological geek speak. So what we're going to tell you about today is a term that I know many of you have heard is TCP / IP. It's usually done with a capital TCP and a slash and then an IP. So in base terms, what TCP /IP is, it allows one computer to talk to another computer via the internet through compiling packets of data and sending them to the right location. So the TCP part is called the transmission protocol. All right. That's the thing that it's basically, it's the top layer and it's the responsibility of aggregating a bunch of data information into packets of data and then transmitting them. Then the IP part of this is the bottom part of the layer and it's basically like the internet location or GPS. It says where does it go? You would often seen this with the four sets of numbers, right? Ten. one.one. two, something of that nature. What that basically says is it says, " I want you to take this packet of data and transmit it over the wire to this specific location or IP." What you'll, another term that we'll just throw out here just to make a little is DNS. So what that does is it takes that IP portion, which is that ten. one. one. two right? Turn it into a human readable name like www. dansplace. com right?
Dan: Okay.
Sam: So that now takes a human name and overlays it on top of that IP protocol. Because you've probably heard the term IP address around if you've ever watched CSI, they'd be like find the IP address and then zoom and enhance is what they can-
Dan: Well everybody has their own IP address.
Sam: Oh, he's looking for the IP address.
Dan: Yeah.
Sam: So every computer network has its own internal set of IP addresses. So the computers within and phones and different devices can talk to each other and know exactly where they live. Each one gets its own address. Usually those are handed out either by a server or by the firewalls handing out IP addresses to devices as they start looking for a network connection. But then on the broader scale across the entire internet, everybody has their own unique IP address across the board. Now a consumer, if you are paying for Cox internet at your house that IP address changes every now and then, every couple of days. They recycle that pool of IP addresses and it doesn't really matter as far as you're concerned you're on the internet. But for businesses we always say, what we should do is get you set up with a static IP address, which is basically locking in the IP address for your business and saying it will always be this. Bit-Wizard we had our IP address for what, 20 plus 20 years I would imagine. For almost from the get go that same IP address. So now when we set up servers and services and applications and things like that, that has a single address on the **inaudible** third layer of the DNS, the domain name resolution that goes with it. The domain name service that says www. bitwizards. com actually is this IP address on the internet. So this is one of the things that we do when we work with our clients is help get all of that squared away. Because a lot of times when your computer says, " I can't find the internet," it's because it wasn't able to get an IP address or it got the wrong one or it's fighting with something else on the network.
Dan: All right. Just like your key to get into the internet.
Sam: That's your, it's your mailing address. It's exactly where that is, that it'll always be that one spot on the internet.
Dan: When you do that, that's your identifier. Then that would be identifying this particular computer is always going to have this IP address.
Sam: Absolutely. That's it. That's exactly right.
Dan: But every time you plug around plug, like off the internet, your IP address can change. Right?
Sam: Yep.
Dan: So you're going to make it one.
Sam: Yeah. Your phone does that already. If you're on LTE or 4G, whatever, you already have a public IP address of your phone and it is changing constantly throughout the day, which again isn't normally a problem at all because all you need to do is make sure that your phone's aware of the internet and the internet's aware of your phone and then you can keep scrolling through Instagram.
Dan: Got you. All right guys, it's just about that time where you... If you'd like to talk about one of your clients.
Sam: Yeah, I would love to actually. I love that we get this opportunity at the end of our show each week to talk about some of our clients because we love working with just the wide variety of people get to work with and today I want to give a big Bit-Wizards thank you and shout out to our customer, the Air Force Enlisted Village in Poquito Bayou over in Shalimar and the Air Force Enlisted Village, AFEV. It's a nonprofit organization whose core mission is to provide a safe, secure home for surviving spouses of retired enlisted US airman. So we want to say thank you to Brooke McClean and Ryan Price for choosing Bit-Wizards. We've worked with them on some SharePoint projects and some networking projects to really see what we can do to help them secure their infrastructure and modernize their environment. Thank you to the whole hardworking team there air force, it was to serve you, we love working with Air Force Enlisted Village.
Dan: Yep. Air Force Enlisted Village and Bit-Wizards would be a good match because they do a lot of wonderful things like you were just talking about. I'm intimately involved with those guys myself and thank you for helping them out because that's a wonderful thing. You guys are pretty awesome at what you do now. How can they find you guys? If somebody wants your services, how can they find you?
Vince: Well you can go to bitwizards. com it's pretty simple. Www B-I-T-W-I-Z-A-R-D-S. com.
Dan: That sounds pretty easy. Can we call you? You got a phone number.
Vince: Yeah. You can also call us at ( 850 ) 226-4200 or you want to give them the midst line, Sam?
Sam: Yeah, our midline is basically, I help this line. You got a problem call ( 850 ) 864-4558.