Cyber Security and Protecting Your Customer’s Data
Dan: And welcome, it is 8:30 right now, and on the phone with me I have Vince and Sam from Bit Wizards for Tip of The Wand. Good morning, guys.
Vince: Good morning, Dan. How are you, sir?
Dan: I am doing wonderful. How about you, Vince?
Vince: I'm feeling great, man.
Dan: How's Sam?
Vince: I'm ready to get back to normal, baby. When are we going to be in the showroom there?
Dan: Gosh, I'd love to get you guys back in the studio as soon as possible, Vince. You guys are much more fun in person.
Vince: Absolutely. You too, man.
Dan: Yeah, that's not a knock. It's a lot more enjoyable to have you guys sitting across from me, we can chat and things. But you know what, over the telephone's not so bad either. So you guys been safe for the last couple of weeks?
Sam: Yeah, absolutely. We've been taking care of business and taking care of ourselves at the same time. It's been a good couple of weeks. When things change like this, I really feel like this gives us an opportunity to innovate. I don't know who I heard this from once before, but someone said " opportunity with lack of resources equals invention," right? Even though we have these limitations around us, it gives us opportunities to come up with creative ways to keep on doing what we're doing and see how we can still be of a benefit to the community.
Dan: I see. So Sam's a guy that's always " the glass is half full." I love it. All right, guys, let's get going here.
Announcer: Bit-Wizards Bits & Bytes.
Vince: All right, Bits & Bytes today, protecting your customer data. And the question that we're asking out there : are small businesses protecting their data, protecting customer data. This is according to **inaudible**. Small businesses, they certainly aren't immune to cyber crime, and a lot of people don't understand that the cyber crime and the cyber threat landscape has involved, the attacks don't often stem from only rogue hackers who are hoping to get access to corporate secrets from large businesses, but small businesses are now the target, they're just as likely to be victims of cyber attacks as large corporations, because many organized crime groups are targeting the points of weakness within small businesses in the hopes of making quick money.
Today's cyber attacks are simple enough to be deployed at large scale, and hackers are using them to target small businesses that typically have a moderate amount of data and with minimum security.
Sam: This is important, a Kaspersky study indicated that among small businesses, the average cost of recovering from any kind of data breach at all is a little over $38,000. So any kind of data breach, that averages out to 38K. The direct cost commonly associated with data breaches are far less significant than the hidden costs. Approximately 60% of small businesses shut down within six months in the aftermath of any kind of data breach, so cyber attacks tarnish both your customers ' trust and your business ' reputation, and allocating resources toward data protection can give you a competitive advantage by demonstrating how strongly you value your customers ' data, and you limit your business ' liability.
I think it's easy for us to keep thinking about, oh, this is my company, it's just a small company, it's just a small company. Why would I be a target? I don't have anything the hackers would want. But actually, you do. They want to attack the things that you care about, because you'll be willing to pay for those things, but really, the other thing they're looking for is your customers ' data. While you may not feel that you have anything to protect, that's worth protecting, the fact is you're working with clients who absolutely feel like they need their information protected. That's why it's imperative that we are aware of not just our own data, but our customers ' information that we have stored as well.
Dan: That's so true. It's amazing, though. You're talking about 60% of small businesses shut down within six months of the aftermath of a data breach? That must be a real hack on these poor small businesses that they don't recover, that's horrible.
Sam: Yeah. Two out of three of people who get attacked. Just the fact that the average cost of coming back from that attack is about 38, 39 grand. Most people don't have that sitting around just in case of an emergency of getting hacked to get them through a situation like this, and the fact is, it's really a little more than a one-in-three chance that the company can even survive this kind of an attack for a small / medium-sized business.
Vince: And the biggest issue is the loss of customer trust and that data. Data can be very valuable. You might be disclosing personally identifiable information about your customer, that could be anything from their credit card data, if you're not properly storing that and following the PCI payment gateway guidelines, could be their Social Security numbers or addresses or email addresses. That can add up and tarnish your business ' reputation. It only takes one " aw, shucks " to wipe out five " attaboys."
Dan: Gosh. I can see that, because after a while, if there's another business in the area that they think they're going to trust more, they'll jump from the one small business to the next.
Vince: Yeah, and people these days latch onto negativity pretty fast. The really thing to understand to combat this, there's solutions that you can do, but I think at first you need to understand the threat. There are different types of cyber attack, so one of the first ones that you need to be aware of is malware. Malware is malicious software that somebody will get and install on your system, it resides in the background and can do things like key-logging, and send that data or that information to attackers. These key-logging applications, and that's just one type of malware, basically gets all the keystrokes that you make, including, it can figure out where you're typing in passwords, things that are repetitive. Once they get that, then they can get access to your system.
Sam: Key-loggers themselves are pretty scary things, because it's a little application that's running in the background on your computer, and if you were to hit control-alt-delete to show all of the programs running, it's not going to show up in that list. They've hidden it super-deep into the operating system, and it's effectively intercepting every key that you press on the keyboard before it gets into the computer. That means every single username you've typed in, every single password, every bank account, every credit card number you type in. It's all being logged to a teeny-tiny little old text file on the local computer that gets uploaded regularly and compiled by the hacker who gets those out there.
So malware, lots of different types of malware, because anything that could be considered malicious software is malware, but probably one of the most pernicious of those would be keystroke loggers and key-logging systems that piggyback onto your keyboard and log everything you're doing. So if someone were to look at that text file, it might a bunch of just absolute garbage text and trying to find out, but all they have to do is look through there and be able to find with control-F find, to look for your passwords and your usernames and your credit card information. And you're the one feeding the system every time you type it in
Dan: Is this part of the same thing we talked about before, that when you download some of this software that says it's free, that maybe come with this malware and infect your computer?
Vince: Absolutely. The real issue with a lot of these attacks is they use what we call human engineering. Your need or thoughts that you want to use something that's free, and it gets you and entices you in to download and install that software willingly without them doing anything malicious. And then deep inside that software, and this is why we're always talking about using trusted sources for the software that you utilize. That rolls right into something called phishing attacks, and phishing attacks ... and that's not " fishing " as in you cast a reel out there, but it's similar. It's P-H-I-S-H-I-N-G.
What they do is they use fake emails, and they use sort of that human engineering to get you to click on an attachment or open a link within the email, often to basically install malware or ransomware onto your computer. The email might look like it comes from one of the regular people that you do business with, or they might impersonate somebody that you know within your organization. So when they click on it, it gives them access to the system.
Another way that they might do that, once you click on that link because you thought it came from a trusted source, it might ask you for your password with a prompt screen. Even though it doesn't actually even do anything, it just got your password, right? And they can disguise that and make it look like it's a Windows log-on or some website that you usually go to, like your bank or something of that nature.
Sam: And in fact, the nature of phishing, just like when you go out on a boat, I think it's cobia season right now, I saw some people pulling in some big cobia out of the gulf. You have a specific type of bait that you go for when you go fishing, and you know if you're going cobia fishing you know you're looking for them just a couple inches under the surface, you're going to get in front of it, and then you're going to cast maybe live eel in front of it, wait for it to swim up on it.
The hackers, the attackers are doing the exact same thing, they're looking for something that you would find valuable, and then using that to try to get their foot in the door. They may send you an email that says, " Do you need help applying for the PPP loan from the government right now?" And you got all these small businesses out there going, " Gosh, I don't know how to make head or tail of this, sure." And they'll click that link and it'll say, " Great! Just fill out your bank information right here and we'll help you get started." And all they're doing is trying to steal that information.
Or they may know that you've been shopping around online looking to see if you could buy Photoshop, but you're like, " Man, I really don't want to pay that $50 a month, it seems too expensive." And so then you see instead, they send you a link to " here's where you can get a free version of Photoshop." If it looks too good to be true, it probably is.
Those are those phishing attacks, and whatever you click through will contain that malware, because to them, it's more valuable to get into your information because it could lead to one of the worst types of malware, which is ransomware, which is relatively new in our world. For a while there, most viruses were just a nuisance, they were just spreading to spread, for the sake of spreading, because somebody could do the code and they wanted to see if they could make it work. But now, the malware has a financial incentive to it, that if they can lock all of your files with this ransomware by getting into your system, then you have to pay them to unlock it, and it's usually not cheap.
That's if you even want to pay for the ransom, because what they've done is they've gone and encrypted and encoded all of your files, and for you to open any single file, you have to have a password, which is incredibly frustrating when they're your files and you don't have that password.
Dan: Oh, that would just cripple a small business like you were talking before.
Sam: That's why I think nearly two-thirds of them don't recover from an incident like this, because what do you do if you lose all of your QuickBooks information, all of your data? What do you do if you now lose your compliance level that you've had this entire time because you can't even get to your own files.
Vince: Or worse yet, we know customers that have come to us and then asked us to start doing managed I. T. services for them because they've had one of these attacks ; they've actually gained access to their bank accounts and actually transferred money out of their bank accounts or other things like that. That's a pretty scary thing. I can only imagine, you think that that's going to be chased down by the Okaloosa County sheriffs or the FBI, the reality is they've got bigger fish to fry. They'll investigate it, but often a lot of these hackers and ransomware folks or people that have access to this are over in foreign countries. They have no way of prosecuting them, no way of getting access to them, and your money's just gone.
If you don't have insurance to go along with it and you didn't take proper precautions before, in fact, a lot of the insurances out there say you have to have made a reasonable attempt to do and protect the things that you have. If you haven't done things like run Anti-Virus and other things like that, they may not pay out. Then you're hosed there as well.
This goes into another thing that a lot of people don't understand, is why we're always telling people to use name-brand hardware and software. Software, and also hardware firmware, often have vulnerabilities or a glitch that hackers can come in and take advantage of to gain access to your system through a back door. They let them get in there, they wouldn't otherwise have access to, so it's really, really important that people keep their systems patched and their software updated, their hardware firmware updated, in order to avoid these kind of problems.
That gives rise to, what are some of the solutions that we use at Bit-Wizards? At Bit-Wizards, protecting your data is one of our primary concerns. That's why we have a mantra, you've probably seen it on the billboards around and on the radio show, we have a little theme, it's called " protect your privates." It's a little play on words. It's funny, but we're trying to drive home the point that every business, and you've heard me say this before as a technology business these days, ultimately your data, your information, your infrastructure, your business is critical, and you need to stay on top of that and protect it in a proper manner, do the right things.
Some of the solutions that we do, or that we tell the customers are number one, the first thing is to be proactive and vigilant. That is, and alone, be suspicious of emails that come in, be careful about the links that you click on. Second is keep your systems patched and updated. We do that as part of our manage services, we do it in an automated way, and then there are certain pieces of software, certain components of your network that we actually have to go in and do it by hand. It's kind of like doing maintenance on your car, changing the oil on a regular basis and making sure that the timing belt's changed when it's supposed to and you flush the radiator fluid, those types of things.
Vince: Same thing with your computer systems and your network. I've said it several times here on the radio and Sam has, use only commercial, name-brand software and hardware, know who your vendors are, know what the software and hardware is to choose. At Bit-Wizards, we screen all of that stuff, that's what we do. You may think you're getting bargain-basement out of China or Taiwan piece of software, this, that or the other, but that company may only be in business for a couple of months and not long-term support that hardware or that piece of software that you see out there.
There may be nothing that's nefarious, just a lot of these little businesses crop up, they exist for a little while, they prey on people that are looking for a bargain-basement solution, and they work for a short period of time, but then they're not patched or updated, and there's a vulnerability there because they didn't go through a full-scale commercial test, that type of thing.
Sam: We also tell people to use multiple levels of anti-virus. At Bit-Wizards, we do it at different places, we have the firewall, where it's scan at the firewall. We scan at your email, at the server level, before it ever comes down to your local machine. And then at your local machine, we also have anti-virus running locally, so there's different, multiple layers of protection.
In fact, then we scan it again before it gets uploaded to any of the cloud services, so we're scanning all data at least four times for all of our clients as it's moving in and out of the organization to make sure that it's been sanitized and that it's been scrubbed. In fact, just like Vince was talking about, you got a vehicle, you got to do upkeep and maintenance on it, change the oil and all those different things. It's a very similar of type of situation, that work can become tedious and you can either choose to change the oil in your fleet of vehicles, or you can either have somebody else come in and take care of it for you as often as needed.
This is where Bit-Wizards really steps in, is that we can take care of a lot these things, these security features and levels of getting your data backed up, setting up a VPN for you, making sure you have a commercial-grade firewall in place, protecting your organization, and even providing some education to your team members so that they learn because honestly, the biggest security vulnerability, most of the time, exists between the keyboard and chair. It's the person sitting there doing the typing who provides the biggest security vulnerability for your organization. So doing even some training with your team members to know what to look for and what not to fall for, that's a big part of the services that we provide when we do our managed I. T. service.
Vince: So Dan, what do you think ...
Dan: Go ahead.
Vince: Yeah, absolutely. So what do you think, you think maybe we ask some people if they want to call in and ask us some questions? We got a few to prime the pump here, but while everybody's kind of getting together, if they've got a couple of questions or two that they want to ask us, let's see if somebody wants to call in.
Dan: Okay. Well, we'll find out what's up your sleeve now.
Announcer: Bit-Wizards : What's Up Our Sleeve?
Dan: Oh, what's up your sleeve? You can call us here at 664-1260 if you'd like to ask Vince and Sam a question, they're available right now. This is for free. You don't get much for free these days, but this is for free and this is information, and they have all the information when it comes to technology. So you're asking the experts for real. 664-1260, give us a call. I'll put you on the air and you can talk and ask Vince or Sam, or both, a good question. But we can start out with a couple of questions.
Sam: Yeah, I'll start out with, these are some questions we've gotten here in the past or even recently, and I can pick some while we're waiting. Again, 664-1260. One of the questions is, can you help me get Windows up and running on my iPad or on my Mac? And that's a good question, because a lot of people have iPads and Macs out there, and they go to download, I don't know, QuickBooks, and it says, " Oh, this needs to be on a Windows device." The question comes in, can I get Windows to run on my iPad or on my Mac?
The answer, on the iPad, is a no, you can't run Windows software on an iPad at all. On a Mac, the answer is sort of. What you can actually do is you can go buy a copy of Windows and it will install on pretty much any Mac you can buy today, you could install Windows on it. And then when you boot up your Mac, it gives you the choice, do you want to boot it into the normal Mac, or do you want to boot into Windows? That kind of gives you the choice.
Vince: Another option on your iPad or an Android device is that you can do a remote desktop session or a remote session to a PC that is actually running that software. We do have customers, especially small business owners that are on the go that ask us to set that up for them. It's not exactly an optimal user experience, because they don't have a mouse, but a lot of people have gotten very adept at using their finger and doing things on an iPad, and they can get access into that system and use it just like it was in Windows.
So basically, what it does is you basically create a secure connection, a point-to-point using remote desktop software, and it is installed on the iPad, and connect back to a central location or a remote desktop server, and then it will serve up the desktop operating system in Windows, and you can then run that application. We can make that very seamless for folks and allow them to be able to do that.
Dan: So on the same token, can you get your Microsoft Office to function on your Android?
Vince: Well, absolutely. That's one of the beauties of Office 365, and also the beauty of how Microsoft has changed since Satya Nadella, the CEO there, has taken over. He has embraced other operating systems and other-
Vince: -platforms like Android and Mac and those types of things. And they've actually created versions that will run on those specific devices. They've also created or allow you to do it from a web browser as well, so you have a couple of different ways that you can utilize Microsoft Office to function on your Android device. You can either download the Office 365, which have Word, PowerPoint, Excel, all those different types of things as well as Outlook, and you can install those on your Android device or your iPhone from either the iTunes or the Google Play store, depending upon the device.
Or you can simply go into your web browser, and if you have Office 365, you can use the web browser versions, which are pretty much on parity with the desktop versions of the software.
Sam: And while it's not always exactly the same experience, of course, on an Android device or an iPad or an iPhone or even in the website for the Word or Excel or Outlook, it's not identical. But it is by no means anemic, and I'm constantly surprised at what I can and can't get done using the Office tools directly on my portable devices that I'm carrying around with me. Not only can you do it, we would highly recommend that you do it, that you get all of these Office tools on your mobile devices.
Dan: **crosstalk** Makes your mobile devices a lot more versatile, doesn't it.
Sam: Yes. It's one more reason that it can never be six inches from my person at any given moment.
Dan: I didn't mean to cut you off, Vince. I'm sorry, buddy.
Vince: No, it's all right. I thought, I know we're pushed on time, we took a long time in the beginning, but we probably ought to go ahead and move onto the spell book. But next week, we'll keep a longer Q & A period open and let people go. So let's go ahead and go onto the spell book, and then we'll highlight our customer of the week.
Dan: You got it, buddy.
Announcer: Bit-Wizards : From the Spell Book.
Dan: Okay, go ahead. I like the name of this, so let's start off with this one.
Vince: The spell book is where we demystify some technological geek-speak each week, and today's term is " Trojan horse." Back on our cyber-security mantra here, we're looking at what is a Trojan horse? Well, a Trojan horse is a piece of malware that often allows a hacker to gain remote access to the computer through a back door. So that might be like that piece of software that we talked about that you download for free, and within that software is a Trojan horse that then gets installed on your local machine and does those types of things that are nefarious.
Sam: Just like the Trojan horse story from ancient Greece there, what they're doing is giving you a gift that looks so fantastic on the outside, but by the time you roll it into your city walls and close the gates behind it, it's full of enemy soldiers just waiting to wreak havoc. There are so many of those types of malware that are hiding inside another piece of software and you would never even see it.
Another term that's related to that is a worm. That's not the break-dancing move, that's actually a piece of software that is replicating itself much like a piece of bacteria or a virus that is just constantly making new copies of itself and figuring out ways to spread and infect other connected computers. It can do that through the network or through email or multiple different ways. It can try to hook itself into a thumb drive that you plug into your computer, but what it essentially does is malware that replicates itself and then spreads out to other machines on the network and across the Internet at large.
Vince: And most definitely, Dan, it's not the kind of worm that you find in a Chinese wet market.
Dan: Oh no, no viruses. Keep that away.
Sam: It's a different kind of virus, definitely.
Dan: I'm thinking that since Sam knew what the worm was when it comes to a type of a dance, you must know how to do that, Sam. I'll bet you've done that before, haven't you?
Vince: I think it's probably from Sam hosting so many weddings and seeing all the bad dancing ... **crosstalk**
Sam: Dan, I think you can attest, you will also have been someone who is both overly drunk and overweight, attempting to do the worm across a wedding dance floor.
Dan: Looks more like a teeter-totter. **crosstalk**
Sam: That's exactly right.
Dan: Oh, yeah. Those were the days, my friend. You guys are great. So yeah, that's interesting, because I was just thinking, when you were talking about when it replicates, emails and so on, I'm just curious, would a worm be when you get an email from somebody, but it's not really from them and it's trying to infect you? Would that be a worm, or is that just another type of malware?
Vince: That's another type of malware. A worm, actually, once it gets installed, then goes out and it goes to other places on your network. Now, a worm might actually send out a bunch of emails to somebody else to get them to infect, but basically, the worm crawls across your network onto different machines, infecting each one as it goes, installing little, what we would call malware bytes or components on there.
Sam: Yeah, it's sort of self-replicating. A way it might do that through an email is it would send out an email chain with, let's say, a bunch of pictures. You've seen those emails, the subject line starts with " forward, forward, forward, forward, forward, you got to check out these pictures." And there's going to be 17 pictures, funny pictures in that thing, in that email, and you're scrolling through your email.
The thirteenth picture on the list doesn't load, for some reason, and so you're tapping on it or clicking on it to get that one last picture to load, and that's actually the one that, when you're clicking on that, you're installing a little piece of software on your machine. It's continuing to spread the worm along. Again, that's a good example of a Trojan horse, of them hiding it inside something that was actually going to be meaningful to you.
We're going to wrap it up. We always wrap up talking about some of the wonderful clients that we're working with, so we like to give a shout-out to our clients. Actually, recently, in the last few months here, we've had the opportunity to work with the city of Crestview, with the I. T., and with the city manager there, Tim Bolduc. I know a lot of people locally know Tim as well, and he's doing such a fantastic job up at the city working there, and we had the opportunity to help them in a number of areas on their network, working with their police department and their fire department and the 911 dispatching, getting it integrated and in a secure, compliant manner. I'm so proud of all of those hard-working folks right now, battling the fires that are around us.
We have several clients who are working in that area, but we got to be a part of that and to help them and to modernize some of their infrastructure, to help educate some of their employees as well, so we are so proud. We're thankful to Tim over there, the city manager, and to Caesar, the guy, the frontline there in their I. T., and for letting us and allowing us to work with them. We're very proud to be able to partner with the city of Crestview.
Dan: Gosh, that's awesome. You're working with the city of Crestview. Guys, you have been fantastic again on this Tuesday. Always enjoy our show, and of course we're pretty much out of time, but look forward to talking with you again. Next Tuesday, everybody get ready for next Tuesday so you can call in at 664-1260, and we'll do " ask the experts " again. Bit-Wizards, Tip of The Wand. You guys take care.