Introducing Cyber Matters, a new show presented by the Kassouf Podcast Network

Episode 15 July 20, 2023 00:29:53


Hosted By

Tara Arrington

Show Notes

This is Cyber Matters, part of the Kassouf Podcast Network, with host Russ Dorsey, Principal and Chief Information Officer at Kassouf. Cyber Matters discusses issues that truly matter - to us, our clients, their families, and their businesses. 

Cyber Matters is not just about code, computers, and technical jargon. Instead, we focus on the human side of cyber and technology, discussing the impact of digital advancements on our lives and livelihoods, and the key points that matter.   

In this episode of Cyber Matters we're excited to welcome Darren Mott, retired FBI Special Agent, cybersecurity professional, and the host of The CyBUr Guy podcast. In part one of our conversation, we delve into the backstory of The CyBUr Guy and Darren's mission to raise cybersecurity awareness and promote cyber safety for individuals and businesses.

His podcast is known for its engaging discussions with other FBI agents and professionals actively working in the field of cybersecurity, which has made it a treasure trove of insights for anyone interested in the subject. We touch on how most scams would be prevented if the victims had just been educated, and the sad fact that in most cases victims wait too long to involve law enforcement, at which point the stolen money has quickly become unrecoverable.

Darren shares his expert perspective on these scams and provides practical advice on what steps businesses should be taking to assess and manage risks in their cloud environments. 

Perhaps most crucially, we talk about what you can do if you find yourself victim of a scam. Darren stresses the importance of acting promptly and contacting the FBI and IC3.GOV as soon as possible to significantly improve the odds of recovering your money. 

The CyBUr Guy Podcast is available anywhere you get your podcasts.  

You can reach Darren here: 

Report internet crimes here: then contact your local FBI office 


Episode Transcript

Speaker 1 00:00:03 Hello, and welcome to this episode of Cyber Matters, part of the Kassouf Podcast Network. I'm your host, Russ Dorsey. I'm a principal and CIO at Kassouf and Company. The Cyber Matters podcast is basically talking about the cyber and technology that matters to us and our clients, their businesses, their families. We're looking for those things that are important to know about technology, not only to protect yourself, but also how technology is benefiting some of our clients, how they put it to use, but also talking to industry professionals and people that have been in business and doing those things to serve this community. All right. Well, today we are very excited to have Darren Mott, retired special agent with the FBI. Now working with... am I allowed to mention your company? Do you want to mention it?
Speaker 2 00:00:53 Sure, yeah. It's fine. Quantum Research.
Speaker 1 00:00:54 Quantum Research, up in Huntsville, but also the host of two podcasts, right?
Speaker 2 00:00:59 Only one now. Yeah. I've consolidated.
Speaker 1 00:01:01 Back. Okay. I came across Darren, I guess, right before COVID when I was doing more InfraGard work. And I heard you speak a couple of times. Very exciting and engaging speaker, and he'll explain why; he's actually got more of a background in that. But then also 20 years with the FBI after being a high school teacher, which I definitely want to get into. You decided to put in for the FBI and you had two kids at the time, which your wife must have thought you were nuts, or maybe...
Speaker 2 00:01:31 She was all for it. She supported it.
Speaker 1 00:01:32 She was all for it. It must have really been bad in high school if you decided to go into law enforcement, right?
Speaker 2 00:01:37 No. Yeah. Well, <laugh> we'll have that discussion. I'll tell you how we got there. That's the first question everybody always asks. I always get that question first.
Speaker 1 00:01:45 Exactly. But the interesting things you did with the FBI, because your career took you through counterintelligence. So what it says here in your bio is that you worked with the FSB, the Russians, on collaborative efforts in 2011, and then created the first national-level program blending counterintelligence and cyber. And I think if there were salad days in the FBI, from what I've heard from other agents, and listening to some of your podcasts, there really were: you got to invent things as you went along, because the FBI was playing catch-up big time for all those years. And I think you talk about that in your podcast. But I'm excited to have you here today. And at this point, with a hundred podcasts or more in the bag, you're seasoned at this, but you really started up during COVID. I mean, you've been going hard at it for three and a half, four years with this, right?
Speaker 2 00:02:36 Yeah, pre-COVID, actually I started... so I retired in 2019. Actually, I guess it was COVID when I did start the podcast. You're right. Thinking back now, 2020. I started the CyBUr Guy podcast in the summer of 2020. I kind of always wanted to do a podcast, but I'd retired, gone to work for Quantum Research, doing some cyber stuff for them. But it took me a while to make sure they were good with me doing a podcast. If you ever listen to my podcast, you really don't know where I work. I don't discuss it a whole lot, because it's not really germane to the podcast.
The point of my podcast is to help people understand in general terms what cyber means to them. And there's plenty of technical podcasts you can go listen to, and they'll tell you all about the ones and zeros and why people do whatever.
Speaker 2 00:03:22 And then how to program A, B, and C. Mine is more... because I have an education background. I have two master's degrees, one in education, one in cybersecurity. I've blended those two together to help people better understand what cyber means to them. If they're a small business owner, what does it mean as a small business owner? If you're an individual, what does it mean? How do you protect yourself from the array of cyber actors out there looking to steal information from businesses, individuals, and so on? So I try to distill it down into the simplest format. So, in the last week, it's been the MOVEit file transfer app that has been the big data breach for everybody. I mean, Congress got hit by it, or at least the US government got hit by it.
Speaker 2 00:04:05 Several European companies have been hit by it. There's been three vulnerabilities in the software discovered in the last two weeks. But I talked about it in this week's podcast, not from a technical perspective, just from a "what's it mean to you?" So that particular example just kind of shows you should patch your software, and why you should patch your software. So I try to make it simplistic, because there are plenty of technical ones out there. That was a long answer to your question, so apologies on that.
Speaker 1 00:04:31 No, no, that's one reason it's enjoyable. And I won't say I've listened to hours and hours of it. I've probably caught five or six of the episodes.
The thing as you go through it is, I like the mix of it, because you do have the FBI stories. And so if you're listening to this podcast and you like true crime or any of those kinds of things, this is a good podcast to go listen to, because of some of the things that you guys talk about. One of the first ones I caught was about the Invita...
Speaker 2 00:05:07 Oh yeah, the Invita case. Yeah.
Speaker 1 00:05:09 Which was, if you can imagine when the police have the raffle ticket for all the deadbeats, where they get them down to the police station to arrest them by giving them a free raffle. This was an invitation, the way I understand it, to a couple of Russian hackers who were posing as consultants to come over to the US and perhaps do some consulting work. And the FBI grabs their credentials and arrests them before they go back, because you guys then turn around and go into their systems. And there was a lot to that. But then the one that I caught the other day prepping for this was the Innocent Images. And that was a fascinating hour, because just having to figure out how you go in... and this, again, go find this podcast... was one of the first agents to work on child pornography. And I'm sure that led to human trafficking and other things. But you say that's one of the longest-standing ongoing FBI...
Speaker 2 00:06:02 It's today. Yep. Continues today. So yeah, the Innocent Images program. My first boss in the FBI was the case agent for Innocent Images when it started in the 1992, '93 timeframe. And it was really the first big cyber case that the bureau dealt with, and it dealt with child pornography online. Right. Obviously, I mean, there certainly had been other intrusion stuff.
And this is not... so '92. Remember, the internet started '88; the first internet crime was the Morris worm. And so that really kind of started looking at, hey, there's problems we need to deal with here. And she'll tell the story about how they had done a search warrant at a guy's house for whether he was a child predator. And they found he was talking to all these guys online about child pornography, and that's what kind of led to it. She went and bought the first computer, the first covert undercover computer in the FBI, out of the Baltimore division, and started this undercover program that has continued as a national investigative methodology since then. Every field office has some version of Innocent Images that they still do today. It was the federal version of To Catch a Predator. If you ever watched the NBC To Catch a Predator series, this was the federal version of it, to catch the bad guys. So, yeah.
Speaker 1 00:07:17 And if I remember correctly, she was the first to go get a Title III search warrant, because they go into AOL and realize that some of the chat rooms they can't get into, and there's no legal precedent yet. But you've got the wiretap title, Title III, if I understand that correctly. So there were things done there that have now become standard practice. But then also listening to the section about the psychology of it, and where on the agents, emotionally and psychologically, having to deal with this. And then the bureau had to adjust and say, well, this is how we're going to handle this material internally and keep everybody's mental health in check. I mean, it's a fascinating hour.
Speaker 2 00:07:57 Yep. Yeah. The Invita case, the funny... the Invita case with the two Russians that they invited to Seattle.
That was a multi-office investigation, because there were victims in other field offices that were targeted by this group. And one of my friends I worked with at FBI headquarters who talked about that case, she was on the case out of Los Angeles. Because of that case and her name being released through some of the public record documents, she is now forbidden from traveling to Russia. Not that she's looking to go, mind you, but if she ever goes to Russia, she can be arrested. And she's retired from the FBI as well now. And that's one of the things... I started the podcast to interview folks like that.
Speaker 2 00:08:35 And I did interview a bunch of them, but that well runs dry after a while. So it's kind of changed; the podcast has morphed over time. I had a second one called the Get Cyber Smart podcast. It was only seven to ten minutes long and kind of focused on one topic, but that never really got any traction for me. So I've blended that particular aspect of that podcast into the CyBUr Guy. So the last seven minutes of the CyBUr Guy podcast is the Get Cyber Smart portion. It makes it easier to do it than trying to do two podcasts a week. I thought I could do it every day, but certainly I cannot. I'm lucky if I get it out once a week at this point.
Speaker 1 00:09:13 Now, if there's only so many FBI agents that'll talk, of course you can get Scott Augenbaum on to talk anytime.
Speaker 2 00:09:18 Probably <laugh>. Yeah. But everybody's heard what he has to say. He says the same thing every time.
Speaker 1 00:09:20 Yeah. And we want to make sure we mention him, because his book, what is that book? The Secret to Cybersecurity. Yep.
Which he touts as: these are the free things that you don't need to spend money on to protect your business. And pretty dead on. I mean, these things, again, we can't say these things enough because, as you talk about in your podcast, so many of these things are preventable, you know? That's the tragic thing. And if you want to talk about that for a minute, why this podcast is kind of pushing that, because that was one of the things you talk about, is that as an FBI agent you figured out that most of everything could have been prevented if people were educated, right?
Speaker 2 00:10:03 Sure. If you look at it, the majority of cybercrime starts somehow with social engineering, be it intrusions into computer networks, be it... the new thing now is pig butchering, which is really just a variation on a romance scam. You have plenty of people who want to find love online, and they find love online, and it ends up costing them money. You have the lottery scams. It's not sophisticated. It's because bad guys are preying on people's goodness at the end of the day. You have a lot of people who... like, if you're like me and spend all day dealing with cybercrime stuff, when I get these messages on LinkedIn saying, "Hey, I came across your profile. I'm really interested in what you do. Can we talk?" I will engage them for a while just for content, so that I can then print what they told me.
Speaker 2 00:10:49 Because that leads to pig butchering. They want to go to WhatsApp or another encrypted service. It happens all the time, but I know what to look for. But there's plenty of people that don't.
If you've just retired from your job and you're looking for another job, you go on LinkedIn and you start getting messages from people, and these are attractive ladies; obviously they're using somebody else's picture. And if you don't do your due diligence, suddenly you're in a rabbit hole that's hard to get out of. I remember once the worst story I heard as an FBI agent, and this was certainly not the worst ever, but it was bad for me, was a guy brought this lady in who was his neighbor and said, we need to file a complaint.
Speaker 2 00:11:29 She got an email saying she'd won the lottery online. This is in 2010. And she kept sending these people money, and before she told anybody, because she was embarrassed, she'd lost $200,000 to this lottery scam online. And the sad thing, and Scott will say this in his book as well, one of the truths of all of this is chances are you're not getting your money back. Because once that money goes overseas, it's gone. I've had many people since I've retired reach out to me and say, "Hey, can you help me? This happened, blah, blah, blah. They got me for $50,000," and I'll dig into it a little bit. And it happened three months ago. They can't figure out how to get the money back. The money is gone. It is not coming back, and chances are no one's going to jail. That's a hard pill for people to swallow. And it's a hard pill for me to give them to take. But a lot of times, it is what it is.
Speaker 1 00:12:20 You know, there is a short window to get that back. If people are aware of that, and I think that's an important message to get out there, is if you do fall victim to this, and especially if it's a wire transfer of a large amount, you can get with the FBI and IC3, which we'll need to plug later, and
they can do what's called a... I think they call it a kill chain within 72 hours.
Speaker 2 00:12:42 The business email compromise kill chain is what they call it. Yep.
Speaker 1 00:12:44 So that's something to make sure that we get out to people. But what amazed me was the stories, and pig butchering, you keep mentioning that. So I want to throw it back over to you. Explain what that term is, but then explain kind of how those scams are working, because, again, once they get them on the hook through technology, the rest of it's just a con game that they run, and then the money's gone.
Speaker 2 00:13:08 Right. So the newest evolution of the romance scam is what's being called pig butchering. And the reason it comes from that term is there's a Chinese phrase, "Shana Zpa" or something like that. If I was smart, I would've had it pulled up here to look at. But it literally means pig butchering. What they do is they pull you in as a typical romance scam, either through a social media account; you start a conversation and it goes for a long time. It's why it's called pig butchering, because what they do is they fatten the victim up before they take all their money. So essentially they'll convince you, "Hey, I've got this great business opportunity, we can go into it together, download this cryptocurrency market app."
Speaker 2 00:13:52 So you download this app, or you go to a website that appears to be a cryptocurrency exchange site. And cryptocurrency is one of those magical cyber buzzwords that people don't want to be left behind on. So they think it's a good idea. I'm not saying plus or minus to cryptocurrency. I invested in it previously, but I've cashed out of it all because it kind of all collapsed.
But you go in and you'll invest a certain amount, and they'll invest a certain amount. And there's a Ponzi scheme aspect to it, where you'll watch the value of your investments go up, you can pull a little bit out of it, and then you'll invest more and more and more. And then six months down the road, you've invested hundreds of thousands of dollars.
Speaker 2 00:14:32 It looks like you've made hundreds of thousands of dollars. And then you come in the next day, the money's all gone, the website's disappeared, your online paramour has disappeared, and you've basically been pig butchered at that particular point. I actually was doing a presentation several months ago at a community college for some educators. And a guy came up after me. And I didn't call it pig butchering, I don't think... I might have, I forget... but I mentioned that particular scam. And he said, "Yeah, you mentioned that scam. I was a victim of it. I'm embarrassed to tell you how much I lost, but it was amazing how easy it was to get roped into it." And he had the whole text string of the conversations with the person, and he was asking me, is it possible to get his money back? I said, when did it happen? He said, two or three months ago. And I had to say, nah, I'm sorry, that money is probably gone.
Speaker 1 00:15:25 I listen to presentations from the Alabama Securities Commission every year for different things that we do within InfraGard. Joe Borg down there, and the scams they lay out and how quickly those do evolve. And again, just to warn everybody listening to this, it's understanding the... I think the term is catfishing that goes on. We had an email come in here, a spam, but it was somebody looking for tax services. But it was a pretty reasonable email.
A couple of paragraphs: "Hey, I'm coming to town. I'm looking for this service. Here's my story." It's always in the details, as they say. "My wife's been doing our accounting using TurboTax."
Speaker 1 00:16:12 "I've got a small construction company." Named the city up in Ohio. He had his name. The email came from a legitimate website. You go to the website, it's a nice WordPress site that's built out, 30, 40 pages, pictures of homes, all this work that they've done. The letter from the president on the front, there's the guy's name. You go look him up on sp..., he's been living there for 20 years. Looks legitimate. When I go to social media, there's nothing there. I said, well, this is odd, because if this guy was doing this great work up there, there'd be a lot of raving fans, right? They'd be talking about him. And so I look up some text off of the website, and lo and behold, there's another website in Cleveland with the same information, the same site, but with a picture of the truck that's wrapped, with the employees.
Speaker 1 00:17:02 And at that point, I go back and look, and the domain is about two weeks old. And that's when I realized that they'd actually stood up this site. Or actually a bot had probably done it for them. They'd taken off all the identifiable stuff but this guy's name. So I went to ChatGPT, and that's the punchline to all this. I said, "Hey, write me a letter. I'm this person. I've got this..." I gave it the four details. It wrote almost the exact same email for me.
Speaker 2 00:17:31 You know what you can do? You can take that email, put it in ChatGPT and say, "Did you write this?" It'll tell you if it did or not.
Speaker 1 00:17:36 No, that's news. Okay. I didn't know that.
Speaker 2 00:17:39 Okay, because I did that for Scott.
So Scott asked me to put together an outline for something. So I very quickly went to ChatGPT and said, write an outline for this. I sent it to him, and he took it, put it in ChatGPT, and said, "Did you write this?" And he sent me those screenshots. ChatGPT said, "Yeah, I wrote that," or "Yeah, that came from me," <laugh> or whatever. "ChatGPT wrote this for you."
Speaker 1 00:17:57 That's a good takeaway from this, because what we've always told people when we talk about phishing, what we've always told in training, was that English, especially Southern English, has always been a little bit of an armor for us, because if you're not from around here, you don't say the right words. Right. Well, with ChatGPT, that all goes away, right? You can say, write me an email from Alabama, and it's going to pattern after that. So we're seeing more and more of those things come, and with the APIs and everything, they're able to tie this in. Are you doing all right on time?
Speaker 2 00:18:32 Yeah, I got about 15 minutes.
Speaker 1 00:18:34 Okay, well, just to kind of swing into business a little bit, because we were talking about business email compromise, which is far and above the most costly of the crimes that are out there. It outflanks cryptoware or ransomware, what, 30 to one, 40 to one? It's huge, correct?
Speaker 2 00:18:51 Yeah. Ransomware, 29 to one. Now I will say cryptocurrency and investment fraud has overtaken business email compromise. It has for 2022. Yeah.
Speaker 1 00:19:01 Okay. But we need to follow up on that. Then I may see if I can get Joe Borg or somebody to come talk from the Alabama Securities Commission. But on the other side of that, ransomware is still what everybody's afraid of.
And as you point out, if you do get ransomed, there's probably an exfiltration component of that too, where they got your data first and they dropped the bomb on their way out. So they've got the data too. But understanding that it is the cloud as well. Microsoft Office 365, which is supposed to be, you know, probably the gold standard as far as security; Gmail, of course, they've had issues over there at Google recently. But what are companies needing to do that have gone to the cloud? And they've got this, I'll say, false sense of security about it. I mean, what are you advising there?
Speaker 2 00:19:56 I would say don't count on outsourcing your risk to your cloud provider. Sure, you're making some things easier for yourself by having everything in the cloud. But if you just say, "Hey, we're good. We put everything in the cloud. What do we have to worry about? We're golden." All right, well, let's say you have 25% of your workforce working from home. In order for them to access the files they need, they have to go into the cloud. Well, the bad guy is able to send Susie from accounting an email, and she opens the spreadsheet that appeared to come from the CFO. The spreadsheet had malware, which gave an attacker access to her laptop, which now gives the bad guy access to all the cloud applications that you have. How is that cloud really helping you versus... I mean, you'd have the same problem if you had an on-premises network, but do not think that just because you're moving stuff to the cloud, you are offloading your risk as well.
Speaker 2 00:20:46 You have to do all the same things. You have to make people aware of what not to click on. Be aware of all of the particular scam items. Be aware, if they're working from home, of the particular risks there.
Are you letting your kids download illegal movies on your work computer so they can watch Guardians of the Galaxy 3 before it comes out on Disney Plus? Because that could potentially have malware that impacts your machine and allows a bad actor access into your network. All those kinds of things. So I'm not saying cloud access is bad, but do your due diligence for who you use. Don't use Floyd's Cloud Service for your data. I mean, if you're using Azure, or you're using AWS, or using Google's infrastructure, you're probably reasonably safe that your data is secure.
Speaker 2 00:21:28 But Office 365 was down last week for a couple of hours. So people who were using that as their cloud service didn't have access to it for a while. So make sure you have multifactor authentication turned on for all of those things as well. We had a company we were dealing with that had multifactor authentication for their on-premises stuff, but they didn't have it activated for their cloud access. So they got dinged there. The bad guys were able to use online cloud access to hijack a session for one of their users, and they got access to everything. They committed a business email compromise fraud in the middle of it. And it was simply because the company didn't turn on multifactor authentication there as well. So in both your personal life and your business life, multifactor authentication and long passwords are your main key to success.
Speaker 1 00:22:18 Absolutely. And I think when you talk about something like Office 365 or G Suite, if you're on the business side, it's understanding you've got to turn on all the switches. I mean, it's a secure platform, but the first thing when we went to 365 was, why do we need offshore access?
So, through geo-filtering, basically all of our accounts are shut off overseas. That's not to say somebody can't VPN, and I understand that, but so much of the other stuff that ties in there is not always tied to VPN on the back end, like you say, if they're coming in through a web API or doing something there. Hours of operation, if you can restrict those things. There's device controls.
Speaker 1 00:23:02 We don't do Outlook Web Access, because we had the conversation: everybody's got phones, so we can pair the phone with MFA. Why do they need web access? And the answer was, most of them don't; this group does. And then we were able to lock that down further. So those are the things. If you've moved to the cloud already and you're evaluating that, or if you're thinking about going there, it's understanding that, out of the box, it's up to you. And Microsoft's got a great set of tools, and so does G Suite, but you've got to go in there, and it's not a do-it-yourself thing. You need somebody that's a cyber professional that can go through and go, okay, this is why you want to turn those things on, and use this system for somewhat less than it was designed <laugh> to do. Because all of these other things are convenience. It's like the third-party plugins. We don't allow them. Some of them are very useful, and we've allowed I think one, but there's a place in Office 365 where you can turn that off and say nobody can install third-party plugins into Outlook.
Speaker 2 00:24:03 Yeah. And you need to really... I mean, even if you "outsource your security," I'm using air quotes, to a cloud provider, you still need to do an overall risk assessment of your entire enterprise.
I mean, you don't have to be NIST 800-171 compliant necessarily. Obviously that's more government-oriented. But still, you don't have to go to the 120 controls, but think about what are your top 10, what are the top 10 things you need to know about your network to keep it safe? Are you patching regularly? Do you know your hardware? Do you know your software? Do you have multifactor authentication? Are you using good passwords? Are you training your folks? You can find 10 to 15, do those well, and export those to your cloud environment as well.
Speaker 2 00:24:47 So when you've got all your data in the cloud environment, come up with a cloud risk assessment as well and say, okay, what is our risk here within this environment? It may not be a whole lot, it may be very limited, but still you should at least look at it. If you can't do that yourself, find someone who can do it for you. I mean, cybersecurity is a cost; you're going to have to pay for it. Yeah. But I'm not saying you have to go get CrowdStrike or Mandiant and pay a hundred thousand dollars a year for their endpoint detection, but there are certainly investments you can make that can limit your exposure, because one data breach and you're looking at 4.6 million on average for one data breach. So if you can absorb that, fine, if that's the risk you want: we can absorb that 4.6 million. But most small and medium-sized businesses I know can't afford that 4.6 million, and 60% of them are going to go out of business with one data breach.
Speaker 1 00:25:41 Yeah, that's a very good point to wrap on, is that the move to the cloud... and again, I won't say we were reticent to do it, but we waited a long, long time. But I remember having the conversation with Microsoft a couple of years ago when they first came knocking on the door to come to their cloud.
And I, uh, I used to resell Office 365 back, you know, in 20 12, 20 13 when it, you really took a lot of risk with it. But, uh, the guy from Microsoft said, we spend a billion dollars a year on cybersecurity. And I said, man, how much do you think the Chinese are spending against that? I mean, seriously, Microsoft mm-hmm. <affirmative>, uh, you're also, you're also the biggest target, uh, right. You and Google. So if, if, if you're a small business and the move to the cloud makes sense, the apps are better, the convenience is there. Speaker 1 00:26:26 The, the mobility, especially now with the mobile workforce is all there. Don't give up on, uh, don't throw away the idea that you still have to have, uh, you know, a a a a CISO or somebody that's looking at this from a security perspective and helping you with your cloud sru, you know, your, your cloud, uh, right. Security, like you said. Um, and, and you know, it, it is probably something that you can just ramp up and do in a, you know, period of time and say, Hey, yeah, we've got that done. And then you just come back every year and revisit it. Because once you get there, you're not changing things very often. But I, but, but yeah, the other home, the home use computers is a whole nother, is a whole nother, uh, podcast without a doubt. Speaker 2 00:27:05 So, well one of the biggest, you know, one of the biggest vulnerability breaches, I guess, I don't know a better way to state it in the last six months was outlooks vulnerability. Mm-hmm. <affirmative>, it was so bad that the government was going into companies and fixing it for them without their knowledge. That's how bad they realized it to be. So I mean, yeah, great. Microsoft has is a great company, does great, but a billion, they're doing a billion dollars for to, to secure themselves. But even that it's not, is not, it's not a hundred percent. Speaker 1 00:27:33 Yeah. 
And, and then once you get that plan in place, if it's your cloud strategy or keeping, if you gotta keep legacy on premise, um, get somebody that come, you know, can come in and look, and again, you don't have to spend tens of thousands of dollars to do this right now cuz so much of this is templated, but you do need somebody that understands the material and understands what those switches all mean in the cloud. Um, again, just, I, I always get anecdotal, but we're doing a, uh, a risk assessment for a third party for us. And they said, have you got a Microsoft ba? We need to make sure you've executed one. I said, you don't even, you don't execute a business associate agreement with Microsoft anymore used to, but now it's, it's done far you and it's their agreement, which is not even, and I'm talking about HIPAA here, but that's not business Associate agreements are supposed to be from us, the covered entity, and it's supposed to be our legal language that protects us, but Microsoft's so big now you get, you get to use theirs. Speaker 1 00:28:24 Well, I I guarantee you there's things in there that the lawyer would have a field day with if we were ever try to get damages outta Microsoft. Mm-hmm. <affirmative>, they're gonna be like, Nope. Uh, you know, you can't, we're held harmless from that and all these other things that if it was our agreement, we would've never agreed to. But Microsoft doesn't even give you the option anymore. So you've gotta read the service agreement and, you know, and the standard terms and conditions and oh, by the way, there's your HIPAA BAA that we templated out for you and good luck to you. And then it Speaker 2 00:28:52 Says, and check your cyber insurance provider. Make sure he's good with it too. Yeah. Speaker 1 00:28:55 Which brings it down to the final part, which is make sure that once you've done all of this, is that your cyber insurance providers got you covered. Um, because as we all say, it's not if it's when Right. Uhhuh. 
Well, Darren, I wanna thank you for very much for your time, uh, giving us this hour. Um, as we, as we wrap this, uh, if you're looking for more information, like I said, Darren's got over a hundred hours of, of material up on this, uh, cyber guy, C Y B U R guy, uh, wherever you get your podcast. Um, look for the ones for family or for fbi. They're all very well labeled and he's got links to a lot of content behind that too. Um, but this has been a, a very in, in, uh, informational and educational, uh, couple, couple of segments and, uh, and thank you for tuning in with us too. Uh, I'm your host, Ru Dorsey with Cyber Matters, here with Kassouf and the Casso Podcast Network, and wishing you a good afternoon and we'll see you again soon.
