How Your Business Can be Affected by Cyber Crime
Dan: And welcome back. It's 8:30. In the studio with me I have Sam and Vince from Bit Wizards. Good morning, guys.
Sam: Good morning.
Vince: Good morning.
Dan: And, well, we've got something kind of crazy going on this morning. We have a whole new show, and you guys have got our show going on over here, and it's kind of like a show within a show, and I'm really glad to have you guys here today. It sounds like it's going to be a lot of fun.
Announcer: Bit Wizards, Bits and Bytes.
Vince: Well, what we really want to do here in Bits and Bytes is sort of give you some technology, tech news for small business owners and talk about what's going on. One of the big things that everybody's hearing about is cyber attacks and cyber security.
Dan: Oh, yeah.
Vince: And so right now it's costing small businesses around $200,000 a year. I'm sorry, not $200,000 a year, but $200,000 for each cyber attack. It's putting many of them out of business.
Dan: When they do a cyber attack like that, do they take away all the information, lock everything up, or how does that usually work?
Vince: Well, it really depends on the type of cyber attack, but what a lot of them are doing is they're getting access into systems, usually through weak passwords, and then once they do that, they encrypt all of the data on the computers and make sure that you don't have access to it, and they charge you some sort of ransom to get it back.
Dan: The ransomware, yep.
Vince: And the funny thing is is that a lot of people think, "Well, I'll just go to the Sheriff's office or I'll run down to the FBI." Well, I promise you they have bigger fish to fry and sort of their position on it is is that as a business owner, you've got a responsibility to sort of take care of your own tech and they don't have time to run around. They're chasing people that break into Target and the National Security Agency and things like that.
Dan: Yeah, I got you. Now, I'm kind of curious, Vince, on these people that do the ransomwares and they break in, how often do they actually catch those people?
Vince: Almost never.
Dan: That's what I thought.
Vince: I mean, what they'll tell you is to pay the... they usually charge the business owner in Bitcoin, so they have to go out and buy Bitcoin on the market, and they trade real money for that Bitcoin. That Bitcoin is anonymous as it gets transferred back to the individual, and then they're able to cash it in for real money.
Dan: Wow. So what's the average ransom they charge?
Vince: You know, it really varies on who they think that they're attacking. But one of the things that we know is that about 67% of small businesses are now the target, and only about 14% of them are prepared.
Dan: Oh no. So when they get attacked, they're locked into these guys and they have to pay it or they lose everything?
Vince: That's right. Some business owners, Sam, you know as our director of IT, I know that you've seen a lot of these different scenarios where people come to us after they've already been attacked and they ask us what to do, and we really don't have much else to tell them other than, "You need to pay the ransom or we're going to have to wipe all of your computers and start over from scratch."
Dan: Oh my gosh, yeah.
Vince: Right? So, what they're really doing is they're locking your files that you already have. It started out as just viruses, right? A few years ago you'd worry about getting a virus on your computer because it would spread, and there wasn't much they could do with that, the people who were making the viruses, other than the fun of making a virus. Now it's evolved into they've figured out a way to make money from it. The way they do it is they put a lock on every single file you have on your computer, on the whole company's computers. And they say, "If you would like to see your files again, you're going to have to pay us some money," it could be as low as $30,000. I've seen them as high as $300,000. I've seen a few ransomware that's been over $1 million worth of Bitcoin that they're asking for to be able to get your files back.
Dan: Oh my gosh.
Vince: Once it's been locked, there's not a lot you can do about it. It's the equivalent of you have your bike locked up and then somebody else comes along and puts a bunch of locks on your bike along with it, and sure, you can still unlock your lock, but you can't unlock their locks without the key. And so really the solution there is to not rely on that bike being your only mode of transportation seems to be the right way to do this, because they've now figured out, and it used to be we had this idea of some nerdy guy in his basement just doing it for the fun of it or trying to hack people. But a lot of times now these ransomware attacks are coming either from state sponsored groups or entire organizations that they only live, they only exist to do this. People clock in 8:00 in the morning, clock out 5:00 at night, and this is all they do all day, every day. Try to find weaknesses in security for in, in IT, for small businesses, medium sized businesses. I know a lot of people think, "Well, it wouldn't happen to me. I'm too small, there's nothing they really need on my network, on my computer." But it's not about what they need. It's about what you value on your computer. Obviously while there's probably a lot of money in some of the big names out there, there's also a lot more security. And so for these attackers, these ransomware attackers, they would much rather go after smaller businesses and see if they could get them on the hook for a couple of grand to get the files back. Then if you pay the ransom, you're kind of hoping that they follow through on this, that they don't just say, "Well, you know what? Let's do another 30,000 before I give you your password."
Dan: Don't trust the bad guys.
Vince: That's right.
Dan: So, how do you prevent this from happening? Is there any way to prevent this?
Vince: Absolutely. Fortunately, it's about being proactive and taking IT seriously. A lot of people think it is an afterthought. It's just something that you just do, you know? And they see it as a cost center. But, really, in today's market, it's table stakes. It's a table stakes to be in business. Little things, so you think you're the local coffee shop down here in Fort Walton Beach, and you don't provide wifi for your customers. Your customers expect you to have that, right?
Vince: So you provide wifi but then you don't properly protect it and next thing you know, something's hacked in your network and they're upset with you. So, it's really important that you take these proactive steps. What a lot of business owners do is they do what's called break fix IT, which means they get some guy that knows IT and they call him in whenever something's broken and they do it. But what we do is we try to take a proactive approach, and that is in the industry, a managed IT services is the way to go. Why? Because you're doing a bunch of proactive steps in order to ensure that you are safe and secure. I don't want to scare people, but that's not the point here.
Vince: The point is that these are real threats and things that need to be taken care of, and it's not rocket science in terms of what you need to do. They're just steps and things you need to do and you need a good set of professionals to help you do it.
Dan: That helps prevent this, or if it does happen, let's just say, for example, somehow they get through, what's a good way to recover your system?
Vince: That's a great question. The answer is pay up the money or start over.
Vince: So, for ransomware, all of it is trying to head it off before it happens. There are a couple of different ways that we do that through our managed services IT. One of those is making sure that every file that any of our clients have has been backed up multiple times. We have several days or even weeks worth of that file going back in history so that when the ransomware comes along and locks it all up, we can just wave at them and say, "It was nice knowing you. We're going to just delete all of that and we'll restore back from what we had," I don't know, last Friday. Then we start right off where we leave off. Then another way of doing this is relying heavily on what we call cloud computing, which we'd say, "I'm going to take as much out of my building as possible and rely on hosting that somewhere else, finding a house for my data somewhere else, that way they can restore it if it ever gets compromised." And so through services like Office 365 and those kinds of environments that are business class tools for a reason because they allow you to keep a backup of everything.
Sam: The other thing too is is that just there's some basic things, like just keeping your computers up to date. A lot of business owners will tell us, "Well, if it ain't broke, don't fix it. Leave it alone and let it run." Well, if you think about, we're in a military community here. People fly jets. If they did it that way with the jets out there at Eglin, we'd have a lot of planes dropping out of the sky. But instead what they do is they do proactive maintenance. They do certain things in a phased way on a regular basis.
Dan: That's right.
Sam: It's the same thing with IT. We do some basic things like making sure that all of your computers are patched and up to date. It's not just the operating system. There's also firmware, there's third party applications, maybe you use Adobe or things like that. And we do that through what's called an RMM. That RMM basically manages in real time, watches what the latest updates are and pushes them out on your machine and makes sure that your computer is up to date. The other thing is just being proactive in monitoring threats and potential things in real time that a lot of small businesses don't do. They don't think it's important, but it's something that we do to make sure that we protect the businesses that work with us.
Dan: And then on top of that, backing everything up just in case.
Sam: Oh, absolutely. Right? So, if something does happen, and keep in mind, the hackers that are out there or the people that are out there trying to attack your business are always looking for new ways to do it. They've got a lot of time and effort. You know? What you want to be doing is working on your business and servicing your customer. But their job is to make money by hacking into your systems.
Dan: Holding you ransom so you pay them free, easy money.
Dan: And that sounds to me like it's a lot of money too, in some cases.
Sam: It can be. I mean, we were talking a little bit about Bitcoin, so Bitcoin makes it sound a lot bigger, but it could be, they'll say like 30,000 Bitcoin, and I don't know what the exchange rate is on Bitcoin right now, but that might be $3,000. But think about it, if you're a small business and you got to cough up three grand, that's a lot of money. But if you'd been doing proactive maintenance on your computers and update, you prevent those things from happening. It goes back to, again, what I said, is that technology is now table stakes to be in business.
Dan: Sounds like it. Is there any particular software you guys recommend to the homeowner that would help him?
Sam: Well, there are a lot of different... what we're trying to think of is all the different ways that someone could try to attack you. We call them the attack vectors, right? All the different ways. That's why Vince says we are really big on making sure everything's up to date.
Sam: Because one of the ways people get in is by they figure out there's a bug in this piece of software. Let's just say you have this special program that you love to use at your business and it just makes things so much easier, and you pay, I don't know, 70 bucks a month for this program.
Sam: But then the software developers who wrote it maybe missed a little thing and some bad actor out there discovered if I flood this thing with a print request, even though it's not a printer, it responds and then, whoa, I'm in their network. That's why we make sure we keep these things up to date, because that's just one way that they could get in. That's why we also say then we're going to make sure we're monitoring them so that if anything looks out of the ordinary, let's say you're normally doing a couple of gigabytes of data every single day in your business and then out of nowhere it spikes into like a terabyte of data going in and out of your business.
Sam: We're monitoring that to say, "That looks sketchy to me, and why is it all going overseas? Why is it all going over to Russia? Why is all this data going over there all of a sudden?" And so these are the things we're constantly looking for to make sure anything that looks out of the ordinary, anything that looks anomalous, and then the backups are in place to make sure that if anything ever does happen, we've got a safe place to land and restore those files back again, because you know if you even have an internet outage, your business sort of comes to a screeching halt until someone comes out and they get a truck out there and they start fixing the lines or whatever it is, and then you get your internet back. The same happens if you ever get breached, if you ever get compromised in your business. How long can you afford to be down while we're trying to figure out how to get our files back again?
Dan: Yep, and how much of that data is vital just for your day to day operation, which could shut you down completely, apparently.
Sam: Absolutely. And if you think about it, anything in your business, whether it's HR or whether it's payroll, you have systems and processes, and that's what you need to have for IT. When we talk about managed services, we talk about a proactive approach. At Bit Wizards, one of the things that we try to bring to our customers is we take the practices that large enterprises, large businesses, that they utilize, and we bring them to small businesses in an affordable way. The way that we sort of do that is we've talked about those proactive backups that we were talking about, right? We've talked about patching and management. The other thing is is that we use standard productivity software like Office 365. You don't just go buy some $10 piece of software off of the web and put it in there because you don't know if that software is going to be maintained. You don't know if it has a roadmap. You don't know if somebody's keeping it up to date. You know? We pick commercial off the shelf software that's well-maintained, that's well intentioned and well meant for the types of purposes in business. The other thing that we try to do is we look out for our customers, because technology is always changing. You know? Most people... "I didn't get into business to own a bunch of computers." That's what I hear business owners tell me. The reality is that's absolutely true. But, again, it's a necessary thing. Like we said, it's table stakes. So now you need some people to come in, and one guy or one gal can't do that. We have a team of people that go in and do that. So, managing IT is all about putting that process in place, putting those systems and processes in place to make sure that you're patched, you're up to date, that your IT is ready, it's relevant, it's current, and that it's being proactively monitored. We try to do that with our customers and then we provide a virtual CIO service where we come in and we say, "Okay, we're looking out five months, a year, two years. What do you need to be thinking about? Do you need to do that refreshes? Is Windows XP going away and now you need to replace it with Windows 10? And when is it the most cost effective time to do that?"
Dan: That is a lot of good information right there, and you guys do this with all of your small businesses and large business, I'm sure, and so you take care of all the businesses, you monitor everything, you keep them from getting viruses, you keep them updated so everything you take care of the computers and the systems so they can take care of their business.
Dan: You do your job, they do their job.
Sam: Absolutely. It's like having your maintainers that maintain your airplanes out there at Eglin. That's what they do.
Dan: Yep. You got your pilots, you got your maintainers.
Sam: Yes, sir.
Dan: Absolutely. You guys have a wonderful job, and I will bet you that all of your clients are probably extremely happy with you too, because it sounds to me like you guys know all that stuff. I mean, a lot of this stuff, I'm catching bits and pieces of it, but you're saying it in good layman's terms so I can understand a lot of it. I'm sure a lot of other folks can too. Now, we have a small businesses listening right now. How can they contact you if they need your help?
Sam: Well, they can reach out to us on the web at bitwizards, with an S, .com. B-I-T W-I-Z-A-R-D-S.
Sam: We're right down here on 13 Memorial Parkway. You can always stop in. There's a friendly front desk receptionist there, and then we've got our friendly IT staff that's there to help them.
Dan: Sounds great, because you guys, you opened my eyes an awful lot, and I'm sure a lot of people that are listening, you opened their ears an awful lot, so now they're probably thinking, "Hey, I got these problems. I haven't updated my computer in quite a while. Am I leaving myself wide open to getting hacked and losing all of my information if I haven't been updating or I haven't been backing up my information? What happens as a small business guy, what happens if I get hacked and then all of a sudden all my stuff is gone or being locked up and I can't afford to pay $30,000 or whatever they want to ask, how am I going to..." you know, it makes perfectly good sense to protect yourself business marches forward and you don't have the big problem in your hands.
Sam: Well, and we talk about protecting your business, the information you already have in your business, but probably what's even more important than that is the information you have about your clients stored in your business.
Dan: Oh, yeah.
Sam: That's where, of course, government regulation comes in where they have these compliance rules. If you're a medical facility, you have to be HIPAA compliant. If you're a government contractor, you have to be DFARS compliant, and there's NIS and all these different compliance rules that are just basically a book several inches thick of all the rules that you have to do and not do and how long your passwords have to be and what kind of wifi you're allowed to have and not have in the building, and are there certain websites that your employees are about to look at and not look at. All of these rules are in place to try to protect and secure it, but the truth is, as Vince said, most people didn't get into business today and have to manage a bunch of computers to do that business.
Sam: I always look at it and think, "Well, I would be terrible at HR. I'm really, really bad at this, but I am good at computers, and so if I can let an HR company do what they do well because I would be really bad at that job. But if I can at least make sure that their computers are compliant with whatever needs they have to have, whatever regulations they have to be regulated by, we can step in and say, "Well, let me help you with that," because most people would not even want to start to think about how do I get into a firewall and start digging through the rules to say, "Am I going to allow this to happen or this not to happen?" A lot of people wouldn't even know which part of the network their firewall is, and that's completely okay. Whereas our job is to say, "Well, if you tell us that you have X, Y, Z rules that you have to follow, we can help make sure that happens. We can help you focus only on doing HR or whatever it is your job is, so that I'll take care of the IT part of it. Don't worry about that. We'll keep an eye on all of these things. We'll let you know, again, if your computer's getting old and it's time to upgrade or if there's something happening that is a security risk on your network or in one of your buildings," because it's not just your information but it's also your client information or patient information, your customer database, that's when it makes it into the news. Target getting hacked is a bad thing, but Target getting hacked and leaking all of the people that have a target.com account, linking that information, that's really why it became a bad thing, because now all of those username and passwords are out there in the wild and people's credit card information and their spending habits. I could buy a username and password on the internet for two, three bucks of someone specifically that I would be looking for, so [crosstalk 00:18:27].
Dan: Is that the dark network they talk about?
Sam: That's absolutely right. That's dark net. Yep.
Dan: Oh my gosh.
Sam: It's usually two, three bucks, four bucks for someone's credentials, depending on what that is. Maybe 10, 15 bucks for a credit card. It's all because of these places where it's gotten leaked and has gotten hacked out of someone's network, and it's not even the information of the business so much as the customer information that they already have in their possession.
Vince: And the thing about it is is that the court systems are looking back at the business owners and saying, "It was your job. You had the fiduciary and the responsibility to protect your customer's information." And so we have a campaign that we've been doing around protect your privates. It's a little play on words there, but we want people to know that that private information is important, both your internal company information, but also your customer's information. We know some business... unfortunately sometimes we have people, they don't know what they don't know. Right? And IT is scary to them. "Oh, the cloud, I'm scared of the cloud." You know? Or, "Oh, hackers." It's all pretty fear based. We don't want to be fear based, but what we want to tell people is is that there are systems and processes that can be put in place. You got good IT professionals that will come in, sit down, make it and set it up right. It's hard for a business owner to distinguish those things, so you look for companies that are reputable, they've been around, not just some guy.
Dan: And the businesses like yourselves to stay up to date.
Dan: Because that sounds to me like that's the key.
Vince: Well, it is. For our team, we have one of our core values is to be a lifelong learner. In IT it's like putting your mouth on a fire hydrant and trying to catch all the water. You've got to constantly reinvent yourself in this field, and so you really have to be totally immersed in what's going on to stay current. The reality is most of our engineers, they have a wide breadth of knowledge, but they're experts in two or three areas. Then the fact that we have a team, each one of those different team members overlaps and interlocks with each individual to provide that service for the customer.
Dan: I was just thinking about that when you have the analogy with the fire hydrant, because one person, which you might forget then, you might forget then, and you probably could catch everything, like you're talking about, and everybody has their expertise areas, you have a team, so whatever area it might be, you've got an expert in that area.
Vince: Yeah, absolutely. Another thing that we see, that small businesses will come to us and they'll say, "Hey, our guy that does IT for us, we can't get him to call us back. He doesn't show up. Or when he shows up, he's wearing flip flops and looks like he just came off the beach." Our folks show up, they're professionals. These are people that have degrees. They're certified, they're W2 employees on our staff. They're held to a high standard. And more importantly, they're friendly. They want help. They want to talk to you. They don't want to talk to you in IT terms, they want to talk to you in people terms.
Vince: They understand business.
Dan: Yeah. That's very well done because there's oftentimes, like when you talk in very technical terms, you're going to lose people. They're not going to really understand what you're talking about. But then you can also give back the information you need from them to fix the computer because you talk in their terms.
Vince: Yeah, absolutely. That's part of the reason why we wanted to sort of do the show here. I mean, obviously we've been talking a lot about Bit Wizards as we've been going through the show, but in our feature shows what we really like to do is impart some knowledge, some value to the people out there, teach them a little bit about some of the terminology so that when somebody talks to them, they understand what those things are, we'd like to tell them about that. We want to typically try to pick at least one thing that we discuss that may be relevant, like backups or something like that, that why that is particularly important, some of the ways that we do those things. Then we want to bring a little bit of technology news, because part of staying with tech is staying up to date and understanding what's coming down the pike. People always ask us, "Oh, the new iPhone 11 is coming out. Do I need to run out and buy that?" Or, "Oh, there's a special run in down here at Best Buy. Do I need to go buy that new computer?" Well, that's where you come to folks like us, and we sit down with you and say, "You know, you can probably hold off another year. You should get three years out of your computers, your phones, you should be about 18 months or so and then you need to keep them patched and updated." There's rules of thumb and things like that that we try to do. But, again, those are prevalent in big businesses, but they're not necessarily prevalent in small businesses. So, we've tried to package that and bring it down so that small businesses can get that same level of security, that same level of system and process to keep them protected. To be honest, computers are enablers. They're tools. They're tools to make things better. We want to service our customers better. We want to make our businesses run more efficient. And if you keep that business part of that in mind when you're doing it, not implementing technology for technology's sake, then you're going to do that business a big service.
Dan: I was just thinking, with small businesses, they might not be able to change out computers as much as a larger business, so you could keep them maybe on a little bit longer and keep them updated and keep them running, like you were saying, you spoke about three years or something or longer.
Sam: Well, and the big part for us is helping strategize, because it's different for everybody, and we want to make sure that we help people with exactly where they are so that if you buy a dozen computers now for all your employees and that way you're not thinking four years from now, "Oh, man, now I've got a huge expense again to buy the same dozen computers plus the extra three employees we hired in the interim." Let's come up with a strategy, we come up with a game plan, start working towards this. That's what Vince was saying, that virtual CIO, the chief information officer, most companies don't have their own CIO. They might have a CEO or even a COO as they're growing and a CTO, but the CIO seems to be one of the last ones. If we can provide that as a service, where we're looking at IT we're looking at needs and trying to help project where the business is going and saying, "How can we make sure that you're in the best shape to use what you already have to get the biggest bang for the buck for the value of what you already have, and where do you want to go with this?"
Dan: I see. So, systematically change things out versus a one blanket.
Sam: Absolutely. Yes.
Vince: And also as your company grows, I mean, I've always told everybody that inside a very small business is ultimately a big business trying to get out. You know? People want to grow, they want to do better. But the simple fact of the matter is the company you are when you're one person is not the same company you are when you're five, 10, 15, 20. You have to sort of reinvent yourself as you go through and your systems and processes get changed. That's what we're there to help guide you through.
Dan: There's a lot of small businesses in our area, lots and lots. You guys probably have lots of clients here because, a lot of mom and pop places, there are obviously some chains, but there's so many mom and pop areas or businesses in our community that you obviously are helping or could help if they contacted you, because I'm sure they've run into this problem. I'm sure plenty of people have, and to be proactive ahead of the game before you do get hacked and lose all of your information or get held hostage, that's the name of the game. That's what you guys are all about.
Vince: Yeah. I think I read somewhere that it said there are 30 million small businesses and they employ most of the people here and in our country, and so they're the engine. They're the fuel that fuels our economy, and so this is why we think that offering services like this to help those small businesses become that bigger business or that successful business is important.
Dan: Gotcha. You guys do a wonderful job, man. It sounds to me like you save a lot of people a lot of headache and probably a lot of money in the long run as well, because if you had to go out and redo all of the information that you had, that would just take a lot of money and a lot of time, rather than save it and be able to use it later, back it up, protect it, everything that you have already talked about versus trying to recreate your database, that would just be horrible, I would think.
Vince: Yes, it is.
Dan: And you've probably seen that happen to people.
Vince: We do. And it's unfortunate that a lot of times when people come to us, they've already had an incident, they've already had a problem. Either they had an IT guy that they had that left and walked away with all the passwords and now they want us to go figure it out, or they've had a security breach of some kind, whether it's a salesperson walked off with their customer list or maybe they got hacked with Bitcoin. There's a lot of different things that can happen to you. But, again, it goes back to that level of responsibility that you need to take as a business owner.
Dan: Absolutely. Well, I wish we had more time because we have some other areas that we'd like to cover, but we'll make sure that we will cover those next week.
Dan: Just kind of a trial run. But, you know, it was such a very interesting segment because everybody listening can relate to what you're talking about right now because how many times have people, just individuals with their computers, how many of them have been held at ransom and had to lose everything in there? And maybe it's not a business, but to you it's important, and to lose all of that, it's a terrible thing to happen.
Vince: Yeah. The biggest one that I see is people that have family pictures. Oh my gosh. I mean, it's just heartbreaking because we do everything digitally now.
Dan: Yeah. Well, everybody keeps all their stuff and don't back it up. I guess that's probably one of the biggest things that people could do to help protect themselves is to back it up, wouldn't you think?
Dan: Then the rest of it obviously to prevent anything from happening, but if it does happen and you have an extra database someplace with all of your information, at least you'll be able to have access to your stuff again, especially pictures like you're talking about. Guys, we're just about out of time. I wish we had more time, seriously, because this has been a very interesting segment to me. I've really enjoyed this.