On this episode Josh talks Cybersecurity with Adam Anderson from Element Security Group.
Adam Anderson is a long-time small business owner who also happens to be one of the leading authorities on small business cybersecurity.
This serial entrepreneur is also an author, writing several books on cyber security and cyber crime to help other business owners understand and navigate the digital world.
Adam is on a mission to help fellow business owners find the answer to the question, “Should I even care about cybersecurity?” His newest book, The Monster Within, shows business owners that cybersecurity isn’t something reserved for only the nerds in Silicon Valley – we all have a stake in this
In today’s episode you’ll learn:
- What is cybersecurity?
- What do you need to be doing to protect yourself and your firm?
- Is cloud computing an appropriate backup?
- Is username and password protection enough?
- Seven steps you should take and lots of tips…
Narrator: Welcome to The Sustainable Business Radio Show podcast where you’ll learn not only how to create a sustainable business but you’ll also learn the secrets of creating extraordinary value within your business and your life. In The Sustainable Business, we focus on what it’s going to take for you to take your successful business and make it economically and personally successful. Your host, Josh Patrick, is going to help us through finding great thought leaders as well as providing insights he’s learned through his 40 years of owning, running, planning and thinking about what it takes to make a successful business sustainable.
Josh: Hey, how are you today? This is Josh Patrick. You’re at The Sustainable Business podcast.
We’re in for a treat today. Our guest today is Adam Anderson. Adam is s CEO and founder of the Element Security Group. It’s a cybersecurity group. If you’re not paying attention to cybersecurity in your business, you’re going to have a really rude and unhappy day that’s going to come down the pike at you. I’m hoping that it doesn’t happen to us because we have paid some attention. But I’m sure we’ve not paid the right attention which is why I’m really happy to have Adam on. Instead of me yammering on, which I kind of like to do, let’s bring Adam in and we’ll get started.
Hey, Adam. How are you today?
Adam: Josh, I’m fantastic. Thanks for having me on.
Josh: Hey, for those of you who are just listening to us on the podcast, as I was going through my little cybersecurity thing, Adam had this very interesting grin going on. And so, I’ve got to ask, Okay, what’s the grin about?
Adam: You’re absolutely right. There’s a rude awakening. And the idea that it’s a surprise to people that something might happen with cybercrime is often a humorous thing to me because there’s just so much out there. There’s so much danger. But again, the grin really comes from because I know people think about cybersecurity incorrectly which causes them to be scared which causes them to do interesting behaviors. And so, I’m just really excited to have a conversation about this.
Josh: Okay, so what causes them think to interestingly about cybersecurity?
Adam: Well, it’s your core beliefs. Most small business people share three core beliefs. “I’m not important. I don’t have anything that anyone is looking for and no one would want to hack me. And I can’t do anything to stop them even if I wanted to.” And so, when those are your core beliefs, you are in a victim mentality which means you only act for two reasons with cybersecurity. You either act out of fear, so you buy the illusion of security. Or you act out of compliance because some other person told you had to do it. Think PCI compliance or I have to be HIPAA-compliant or something like that. There’s a compliance driver. When you’re living in those core belief systems, you take actions that don’t actually make it so that you can recover from a cyber attack.
I tell people, cybercrime isn’t about computer science, it’s about behavioral science.
Josh: Interesting. I’m a small business person. I don’t have a ton of money to spend on this stuff nor do I have any interest in it whatsoever.
Adam: Good. You worry about sales and marketing. Forget this whole cybersecurity stuff.
Josh: Well, you know, it’s not like I don’t forget about it. It’s just I’m not interested in it at all. You know, it’s sort of like one of those things that I know I have to do, don’t want to do but I know if I don’t do it, I’m going to get myself in trouble. So what kind of advice can you give me because I’m kind of this, you know, dope when it comes to this stuff about what I need to be doing to protect myself and my firm?
Adam: Yeah, so I’ve got a list of seven things that are super easy to do and very inexpensive because I was not joking. Sales and marketing is where you should be worried about, right? Let’s get customers. Let’s get revenue and let’s provide a fantastic solution and offering to them so they’ll tell everyone else about it. If you’re spending more than a few moments thinking about cybersecurity, you’re probably in either fear or compliance.
I’m just bullet point, run right through these seven things. The first two are how do you recover after a cyberattack, so you need really good backups and a cybersecurity insurance policy. To me, good backups are not, “I’ve got a jump drive plugged into my machine and I back some stuff up and I put it in the safe. This is some kind of solution that automatically backs up stuff that you need, that is important on your machine, puts it somewhere else. And there is an adult who will put it back after something goes wrong.
Josh: Is cloud computing – would that be an appropriate backup?
Adam: I use Google Drive.
Adam: So that is cloud computing.
Josh: It is cloud computing.
Adam: Yup, anything that you can do to get it off of your local machine – and I count myself as my own adult because what I’m doing right now is a small company. I don’t need to buy a backup as a service type thing. But if your company is a little bit more complicated, then you should look at investing. But even that is pretty inexpensive. You’re talking a couple bucks a month to have a professional human being and service backup your important data.
Josh: Yeah. We use a program called Ignite which is designed for the financial services business.
Josh: And, for a couple thousand dollars a year, provides us really heavy-duty backup.
Adam: That’s it, right. And I’m sure that if something went wrong, they would help you get your data back for that price point?
Adam: Yeah. The thing that we’re trying to do here is not make people safe. We’re trying to reduce the liability of a cyber attack so that the attack itself is inconsequential. Why build a cyber fortress when you can make the consequence of the attack obsolete?
One of the cool things about having that product is that if you have the right cybersecurity insurance policy which, again, very cheap. I think, for me, it was $2000 for a $3-million revenue cybersecurity company – $2000. And what it does is it doesn’t dump a bunch of money on you because who cares if I don’t know who to call and I have no nerd to sweep in and save me, then I’m just sitting on a million dollars, right? So get an insurance policy that provides a disaster recovery team. And that is a forensic investigator so they can tell you what went wrong. It’s a cyber lawyer so they can make sure you’re not legally liable. It’s a PR person because you have to communicate what happened. And, at the very last part, it’s a system administrator who helps put everything back together. And that system administrator will work with that backup company.
In a perfect world, you get a critical hack, what’s called a ransom wire, and you’re able to execute your cybersecurity insurance policy because you now know. I call my policy holder and they take it from there. And within 24 hours, you’re back to working again. That’s what these first two things are all about – recovery quickly and mitigating liability.
Josh: Cool, so what’s number three?
Adam: Number three is let’s get things off of your computer. Let’s move everything we possibly can to the cloud. Stop having your Outlook on your machine. If you have a product, move it to the cloud. QuickBooks online. Email.
I am, to the point, now that I don’t need anything on my laptop. If my laptop dies, it’s sad because it’s a nice machine but I can go get another one, connect to all of my online portals and I can keep working. I can borrow a friend’s laptop. There’s no interruption of business. And the reason why you want to do that is that you’re responsible for the security of your laptop. And we don’t want to be. You know, we don’t to, right? Outsource the stuff. And, yes, Google, and Microsoft, and Apple, and all those guys absolutely get hacked but they are so much better at it than we are. And listen to the PR.
I’ve got this server in my garage and it’s got all your financial information on it. And it kind of got hacked. And now it’s out there versus I’m using Amazon web services. I’ve got the data there. Amazon got hacked. There was nothing I can do about it. I’m very sorry. Those are two very different messages. So, move stuff to the cloud as much as possible and own that story when you’re having a conversation about what’s going on.
Josh: One of the things about the cloud which we paid a lot of attention to and I wonder if it’s important, is that we were not considering any cloud services unless they had multiple data centers with simultaneous backups. Is that something that we should be really paying attention to?
Adam: It depends, right. If you’re doing government contracting, there’s a whole list of requirements that you have to have in order to have your stuff in the cloud and in the data center. And you’re looking for something called D4. I have no idea what that means but D4 – ask for that, right. Or maybe google it later. It’s fine.
So certain data centers have certain scores. And you can ask them about their score. For me, I decided that any kind of cloud provider I was going to use, I was going to set it up like I was going to be doing business with the military because now you’ve got all the box checked. And so, rather than trying to do “just right” security, the price differentiation is so small that just go for “Hey, I’m going to be setting up my cloud presence and working with cloud partners that are clear to work with the government,” and then you’re pretty sure.
Josh: Now, my question is that— I mean, all our data is off our local machines. That’s all in the cloud. But not all of our applications are.
Adam: That’s right.
Josh: Some are and some aren’t. We use Google for business which, obviously for email, is in the cloud. But we’re using Microsoft 365 for local application. Do you recommend people use only cloud software or is it combination something that’s okay?
Adam: The perfect world is 100% cloud. But you and I both know that is impossible. You are going to have– we call them legacy applications. You’re going to have something you’re running on your computer, either a proprietary database or some kind of software that you particularly wrote, or even just the Microsoft example that you gave and you’re not going to be able to move them, so you move all of the things you possibly can to the cloud. And then, after you do that, you set up your machines to have automatic patching and updates. This is annoying. I don’t know if you’ve ever in the middle of a project and your computer jumps up and says, “I need to reboot” right? That’s the automatic patching.
Josh: Yeah. I have that happen all the time.
Adam: I’ll confess, I was working on the Power Point for my TED Talk about cybersecurity and the computer said, “Hey, we just patched. I need to reboot.” And I knew. I was actually on the slide, talking about this, and I knew I should hit that button. I’m not going to tell what I did. I’m not going to tell you if I actually rebooted and got the security patch or kept working on my business or my presentation.
Josh: Well, by not telling, you did.
Adam: I told you that, right? So never let cybersecurity get in the way of making a profit or completing your project, right. It rebooted later that night.
But 99% of the bad stuff that’s out there, these big companies write patches to fix. And here’s the terrible thing – it’s wonderful and terrible. Every Tuesday, there are things called patch Tuesdays where Microsoft and all these companies say, “Here are the patches. Here are the security holes. Please install these patches.”
There’s two groups of people who are looking at that. One is us, the business community. The other is the hackers and cybercriminals. They’ll basically look at that list and say, “Here’s all the vulnerabilities and all the things that go wrong.” They’ll write programs that night and by Wednesday morning, they’re attacking the world based off of that. So if you didn’t update your machine based off of what Microsoft and the rest of the community has told you to do, you’ve just left yourself vulnerable to the latest cyberattacks that came out. This ransomware epidemic we had a couple months ago called Wannacry only impacted non-patched operating systems.
Adam: If you’ve got local stuff, the best thing you can do is configure automatic patching and turn on all of the cybersecurity tools on your operating system. And then it’s pretty good.
Josh: Okay. So what can we do next?
Adam: We’ve just solved the problem and created a problem [inaudible 00:12:14]. We’ve moved everything online. And now, the keys to the kingdom are the username and passwords needed to get into the online content, right. And the username and passwords are horrible – horrible. Chances are most people use the same passwords everywhere so if you get one breached – I won’t even go into it. It’s super easy to break into people’s computers, break into systems, using username and passwords.
So what you do is, again, we try to make the problem irrelevant than fixing it, right? Rather than coming up with a 70-character password that you’ll never remember and have to write it down, you add something called two-factor authentication. And I will give you an example of that. Two-factor is when there is the username and password and then a second factor being like a fob – like this kind of thing that’s changing the numbers and you have to put it in and the number changes every 10 seconds. Or, what I do, for Google, anytime I log into my Gmail account, I use one of Google’s tools. It will send an alert to my phone and say, “Is this really you?” And if I don’t hit yes, it doesn’t log the person in. So you could get my username and password but if you don’t also have my phone, you can’t access my critical information. And when you’re looking to move to the cloud, verify that the service provider you’re working with, for their online tools, offers a free two-factor authentication offering.
Josh: It seems like almost all the online programs today, if they don’t have it, they’re moving to it really rapidly.
Adam: Exactly. I mean, honestly, it’s the wisest thing you can do because usernames and passwords are just not a deterrent anymore.
Josh: What about one of these master password programs like LastPass, or 1Pass, or something of that nature? Are they worthwhile using?
Adam: Yeah, if you cannot get a two-factor authentication tool, maybe there’s a particular online product you absolutely have to use. It’s Mission Critical but they don’t have two-factor authentication. The next thing you do is you get a password management tool where it creates very complex passwords that you never see and it manages that whole thing for you. The risk to that is that sometimes those password management online communities and online products, they also get hacked.
The two you just mentioned, I believe LastPass– you know, I’m not going to say which one it was because I don’t remember but I know that they have been hacked and the usernames have gotten out. So when you do that– I use another program. I keep that one locally because it’s encrypted and its two-factor authenticated, I think we’re using KeyMan or IKeyMan, but absolutely use that.
But let’s say you don’t want to trust anyone with your passwords, my password policy suggestion is get away from passwords and get two passphrases – something that you can understand like Abraham Lincoln was a good president. And that’s your password. And now, you just put capital letters for the beginning of each one. And then, add some numbers in, so “Abraham Lincoln Was A Good President.” Now all of the words have capital letters at the beginning and finish it off with 123 at the end. Boom.
Josh: Interesting. Great suggestion.
Okay. What’s our next thing?
Adam: Number one was get some backups. Number two was get a cybersecurity insurance policy. Now, you can recover from basically anything. So think of that as kind of like the soap and water washing your hands, right, for cyber hygiene.
The next three were move everything to a cloud. Do automatic patching and updates for your computers. And then, the last one was two-factor authentication.
I’m going to add to that that you should never log into your computer as an administrator. What I mean by that is that as soon as you get your computer or your office offers you one, you’re configured to be the administrator of that computer. You can do anything. You can install whatever programs you want, anything like that. Well, I am not a responsible adult. I will click on things. I am human. I will err. So I make sure I set up – the very first thing I do is create an account to log into my computer with that does not have rights to do a whole lot of things.
The reason I do this is it protects me from me. If I click on something I shouldn’t and then the virus tries to attack my computer and install a ransomware or some kind of malware, I don’t have the right to hurt myself. I kind of think of it as admitting— I took my son on a field trip yesterday and rather than letting him do anything he wanted, I controlled his actions to prevent him from hurting himself. By not logging into the computer, you put yourself at a position not to hurt yourself. Does that make sense?
Josh: Yeah, it makes some sense. I mean, it becomes a little bit inconvenient–
Adam: It is very inconvenient.
Josh: –because if I wanted to do something that requires administrative action, I’ve got to log back out and log back in as the administrator.
Adam: Well, with Microsoft now it will do something called step-up authentication. So if it asks you to install something, you can then just log in right there as the administrator. I like that and I dislike that because— I like that because if I’m actually trying to do something then there you go, I have the ability to do it. I can install software. I can do the things I need to do.
What I don’t like about it is it’s far too easy for me to remove the barrier. So, remember, it’s behavioral science versus computer science. And so, the harder I make it to have the behaviors that will harm me, the more inconvenient those behaviors are, the less likely I am to deal with them.
Josh: I’m assuming you’re talking about PC’s with using Microsoft. And an awful lot of people, especially in the small business world are Mac users.
Adam: Yep, the same thing. It all works the same way.
Josh: Same thing?
Josh: Okay, cool.
Adam: I’ve got one left. After you do all of this stuff, you realize the major threat to you is not cyber, it’s the people. And so, here’s what most people do. They get all of their employees together and they hire a very handsome bearded man such as myself to come in and scare the crap out of them for an hour with a really elegant Power Point. And for two months, they’re really good about not clicking on stuff. And then it goes away.
You need to take serious, training your employees to discover and be aware when they’re being socially engineered. None of the things that we have talked about will protect you from your financial controller getting an email that looks an awful lot like you asking them to wire money to a particular account. The last thing you need to really do worried about is so social engineering. And so, what I have done is I’ve launched this new company that sends fake cyber attacks through emails to employee. And if anyone clicks on it, they get a two-minute training video [laughs].
Josh: Oh, isn’t that cool? I love that.
Adam: On demand, right?
And so, the cool thing is is that it will happen four or five times a quarter but they’ll know it’s going to happen. And the analogy I give people is like, “If I told you I was going to hide behind a corner and punch you in the face four times this month, you’d be really aware of corners, wouldn’t you? Especially after the first one where you get hit.” And it’s the same thing with employees. When they know that the attacks are going to come, and they know that it’s going to happen, and then they know their boss is going to get the data that shows them, “Susan has clicked on 100% of every attack for the last six months. It’s time to take her computer away.”
So, to me, the last thing is train your employees. And whether you use a product like I’m describing– or another simple way is, at the beginning of every meeting just have a one-minute safety briefing about where the emergency exits are in the building or what to do in case of an alarm. If you get the people thinking about security, they have awareness and awareness is the key to defeating social engineering.
Josh: That’s really good advice. This is a great session.
Unfortunately, Adam, we’re out of time. But I do have some questions I want to continue with on Facebook Live if you have a couple of minutes.
Adam: Yeah, absolutely. Let’s do it.
Josh: But before we leave, how would people find you and what is the cost of your ghosting service or your, you know, let’s pretend I’m a hacker service.
Adam: Right. So that is very cheap. It’s about three bucks a month or four bucks a month, depending on how many emails you want us to attack. Basically, think of it as $3 a month per employee.
Josh: That’s so cheap. You’re an idiot if you don’t use that service.
Adam: Right. That’s it. Hey, that’s’ going to be my newest sales pitch, by the way.
Josh: We’re going to have a conversation after we’re done today about how we can sign us up.
Adam, how can people find you?
Adam: Yeah. You can go to ElementSecurityGroup.com/sustainable or you can follow my YouTube channel which is Adam Anderson CEO. On that channel, I do one-minute business videos because if you’re not good at business you have no chance at being good at cybersecurity.
And I also have an offer for you, too. I recently published my first book. Actually, it was nine months ago but to me it seems like yesterday. The book is called Sustainable: A Fable About Creating a Personally and Economically Sustainable Business. You can get it at Amazon in the Kindle version or the paperback version. But if go to my website, sustainablethebook.com, you get the book there and you get a free 20-minute conversation with me where I will guarantee that you get at least one piece of actionable take home information. And I wrote a 37-page cheat book on how to use all the principles that we talk about in the book Sustainable.
You’ve been with Adam Anderson. I’m Josh Patrick. This is the Sustainable Business. Thanks a lot for stopping by. I hope to see you back here really soon.
Narrator: You’ve been listening to The Sustainable Business podcast where we ask the question, “What would it take for your business to still be around a hundred years from now?” If you like what you’ve heard and want more information, please contact Josh Patrick at 802-846-1264 ext 2, or visit us on our website at www.askjoshpatrick.com, or you can send Josh an email at firstname.lastname@example.org.
Thanks for listening. We hope to see you at The Sustainable Business in the near future.