
22 | Handling Ransomware Attacks, Protecting Your Data & If You Should be Using the Cloud

Speaker: Dominic Vogel

This episode is Part 1 of our cyber security for small business series. Learn: what cyber security is, how at-risk our data is, if our phones or computers are more at-risk, if it's safe to store data on the cloud, how often we should be updating our software, how to handle a ransomware attack, and more. 


About the Guests


As Founder & Chief Strategist at CyberSC, Dominic Vogel holds a proven track record within cyber security across a multitude of industries (financial services, logistics, transportation, healthcare, government, telecommunications, and critical infrastructure). Dominic actively participates in the Vancouver security community and is a well-respected cyber security expert who appears on media news outlets across North America and internationally on BBC World News. Dominic is highly regarded as a cyber security thought leader and was recently appointed to the BC Provincial Cyber Security Advisory Committee.

Dominic focuses much of his energy on providing strategic security leadership to technology start-ups and small/midsize businesses to proactively solve their cyber risk challenges. He strives to provide practical cyber security advice to his clients and is actively turning the security consulting world upside down.


About the Host

Morgan Berna is the host of Olympia Benefits’ podcast, The Small Business Mastermind. Her background is in marketing, journalism, and broadcasting. Passionate about small business, she aims to create content that inspires and educates listeners.



Transcript:

Dominic Vogel: If you do not take a professional approach to cyber crime or to cyber security, I always say that is like bringing a spoon to a gunfight. You are toast ten times out of ten.

 

Listen to Part 2:

Episode 23 - Keeping Your Email Safe, Handling Remote Work & Debunking Cyber Security Myths

 

[music]

Morgan Berna: You’re listening to The Small Business Mastermind, a podcast created to help small businesses juggle business, finance, health, and wellness. I am your host, Morgan Berna. To subscribe to the podcast visit olympiabenefits.com/podcast.

 

The Small Business Mastermind is brought to you by Olympia Benefits. To learn how you can reduce your health and dental costs visit olympiabenefits.com.

 

[music fades out]



Morgan: Hello, and thank you for tuning in to this episode of the Small Business Mastermind. Today marks the start of our month-long feature on cyber security for small and medium-sized businesses. On this episode, we talk about the shifting landscape of cyber security. Why small and medium businesses are so highly targeted, how at risk our personal data is, what impact COVID-19 has had on our personal security, common mistakes businesses make, and more. Our guest, Dominic, does a great job of taking topics that can be relatively complicated to understand and making them easy and fun to learn about. It is a really fun episode and we get a lot of really important advice on this one. So, with that, I hope you enjoy it, and I will be checking in with you again at the end of the episode.

 

[interview begins]

 

Morgan: Welcome Dominic. We are going to start talking today about cyber security. We are doing a couple of episodes about cyber security. This first one is sort of an overall defining terms, what people need to know, and then in our next episode we will go into some more to dos and a little bit more detail. Thank you very much for joining us.

 

Dominic: Absolutely, Morgan. I am really looking forward to this conversation. Let’s have some fun here.

 

Morgan: Yes. As founder and chief strategist at Cyber SC, Dominic Vogel holds a proven track record within cyber security across multiple industries. Dominic actively participates in the Vancouver security community and is a well-respected cyber security expert who appears on media news outlets across North America and internationally on BBC World News. Dominic is highly regarded as a cyber security thought leader and was recently appointed to the BC Provincial Cyber Security Advisory Committee. Dominic focuses much of his energy on providing strategic security leadership to technology start-ups and small to mid-sized businesses to proactively solve their cyber risk challenges. He strives to provide practical cyber security advice to his clients and is actively turning the security consulting world upside down.

 

Let’s start off just defining our terms. What is cyber security?

 

Dominic: That is a very good starting question. Especially when we are talking about small and mid size businesses and organizations, cyber security is really about protecting the data and the underlying systems that your business relies on in order to compete in this day and age. If you think about it the average company, they use computer systems, they use data. If the confidentiality of that data or the availability of that data is not protected, your company is going to stop operating and you will be losing money. That protection, that is cyber security.

 

Morgan: Fantastic. How at risk is our data and why?

 

Dominic: You are really asking these good questions off the top here. [laughs] I thought I would ease my way into here.

 

Morgan: Nope! We jump right in here. [laughs]

 

Dominic: Again, when we are talking about data and especially when we are thinking about this from the outside looking in, cybercrime has become one of the most or actually is the most profitable crime across the world. It recently surpassed the drug trade. It is the crime of choice for criminal syndicates across the world. We are in this day and age now where we are up against professional criminals. This is not how like it was fifteen or twenty years ago where you are dealing with 16 year old or pissed off teenagers, we are very much dealing with criminals and dealing with professionals. If you do not take a professional approach to cybercrime or to cyber security, I always say that is like bringing a spoon to a gunfight. You are toast ten times out of ten.

 

Morgan: Wow, that’s crazy.

 

Dominic: Yes. I just realized I didn’t actually answer your question, so let me continue. In terms of data, data is very much the commodity which drives organizations and drives businesses globally. It is very much the lifeblood of every company. If you do not have access to your data, whether it would be client data, customer data, or company data, your business halts. I always joke, or I perhaps have a saying, unless you sell tacos out of the back of your mom's Volvo, you are a company that deals with data. We live in the digital economy and thanks to COVID, we live in a very virtualized workforce as well.

 

Data is paramount to everything that we do and whether that be sensitive company information, so that could be like research and development, that could be proprietary information, that is monetizable. Criminals can steal that and if you lose access to that they will say, well you have to pay a ransom. Now, that is ransomware or extortionware. In order to regain access to that you have to pay them, maybe tens of thousands or hundreds of thousands of dollars in virtual currency. Or if you have personal information stolen. Every business that has payroll, you keep your employees' social insurance number, financial information, that is all the stuff that is referred to as PII, personally identifiable information. If you lose that or if that gets stolen, you have to declare a privacy breach and then you have to talk to your privacy commissioners both on the provincial or federal level and that is a whole can of worms as well.

 

Data is very centric to everything that we do and criminals know that they can monetize that. We have to protect it as the valuable commodity that it is.

 

Morgan: Yes. I have grown up in this age where I am so used to giving my data pretty willingly online that I do not really often even think that much about it. That might be more of a generational thing, but it is a good point that it is a huge commodity.

 

Dominic: Absolutely, and I would not even say it is a generational thing, I think we have all become conditioned to it. If you want to use an online service, it seems like you have to give out all sorts of personal information to gain access to it. Even with just something funny like cat memes or something, you always seem to have to put in your username and password. Sometimes they want your date of birth, why do they want that? And I think what is important and I think from a consumer perspective what we are going to end up seeing is greater consumer advocacy around data security. This is why it is so important for SMBs to invest in cyber security now. Right now for SMBs, cyber security is either not important or it is just basic table stakes. In the near future, I am going to say probably the next five to fifteen years but hopefully sooner, it is going to become a source of competitive differentiation.

 

The analogy I give is if you follow what happened in the automobile industry. So back in the 40s, 50s, 60s, 70s, long before either you and I were ever born, cars were inherently unsafe. They were death traps and it was not until the late 80s and early 90s when car safety became more important and that was because of consumer advocacy. Mainly stuff that was driven in the U.S. by Ralph Nader. We fast forward to today and if you watch a car commercial, what are they competing on now? They are talking about safety crash ratings, they are talking about all the cool blinking lights up that pop on to give you warning if someone is in the lane next to you. They are all competing on safety. It went from being something which was not important to being table stakes to now being a source of competitive differentiation. I very much view cyber security taking that same trajectory in the SMB space.

 

Morgan: Yes. I have worked at companies that both have a very robust cyber security team and ones that have nothing at all. I have not seen a lot in the middle, and it is a good point that it is something that people need to be investing in.

 

Dominic: Yes. Right now like you said there Morgan, it is either feast or famine, either companies are doing it and they are making a consistent effort for it or they are just being willfully ignorant of it and choosing to ignore it. There is no middle ground.

 

Morgan: Would you say that our phones or our computers are typically more at risk?

 

Dominic: I am using my brain really hard on a Friday afternoon! [laughs] Whose idea was that? It was my idea. That is a really good question.

 

Right now, I would say the answer kind of depends. If we are looking at this through an SMB lens generally speaking, it is going to be the laptops, the desktops, the workstations, how people are engaging with their work. The smartphones and tablets, I would say it is more of a risk from a personal perspective of maybe having your personal email account hacked or something along those veins. We are seeing this increasingly happening now because of COVID and people working from home or working from anywhere, you are seeing more and more of this blend of people using their personal devices for work purposes or vice versa. Now I think you are going to see that more threats or, shall we say, which the threats does not really matter what device you are on, they are all going to be a part of that broader threat landscape. I think something like COVID here has served as an accelerator in that regard.

 

Morgan: Absolutely. I wanted to ask about what some of the things we are protecting ourselves against are. I had noted down, there are viruses, phishing, malware, ransomware, social engineering… Can you talk a bit about these terms, what they mean, and what exactly we are protecting ourselves from?

 

Dominic: Yes, absolutely. Again, when we look at this through the lens of an SMB, I mentioned this point earlier, what we are trying to protect against right now mainly is the confidentiality of your data and the availability of your data. One of the most common, most pressing cyber risks or cyber threats right now facing SMBs is ransomware. Ransomware and I sort of alluded to it earlier, that is when your IT systems get completely locked up, you are not able to access anything. Blinky lights and the big red screen comes out on all the systems and says, “your data and systems have now been locked down, in order to regain access to your data you need to pay ten thousand, fifty thousand, hundred thousand dollars in virtual currency,” often bitcoin, to be able to regain access to your systems or to your data. It is priced in such a way in which the majority of SMBs feel compelled to pay for because paying it is often cheaper than trying to recover it or trying to do the right thing.

 

By the right thing, and why SMBs are more targeted when it comes to ransomware than say larger organizations or enterprise organizations, is because the majority of SMBs do a very poor job of protecting their data and backing up their data. Really what ransomware is exploiting is the availability of that data and they know that the majority of these SMBs, the most important data is just on the staff and/or employee laptops, or it is backed up onto someone's external USB drive, which is connected to the CEO's laptop kind of thing. That type of architecture is ripe for ransomware. That is why ransomware just literally runs amok in the SMB space.

 

I kid you not, when we are prospecting and I work mainly with SMB clients, our organization focuses exclusively on SMBs, I hear from so many business leaders in the SMB space saying, we think it is cheaper for us to just keep paying the ransom than it is to do cyber security. As a cyber security professional, you have never seen my eyes roll into my head faster than when people say that. The thing is it is a very prevalent thought right now and again, it goes to show you how misunderstood the security, and cyber security, and cyber risk is within the SMB community. That is why it is so important to be able to leverage platforms like this to help educate the SMBs across this country, across Canada, to inform them that cyber risk is one of the most pressing risks facing organizations, big or small, right across the world. The World Economic Forum, for at least the past three or four years, had consistently said cyber risk is the most pressing risk facing organizations globally. You need to deal with this now.

 

The other sort of additional wrinkle to this is that when we are watching the news or anytime you see a big data breach story, Morgan, you will see on the news like LifeLabs or Desjardins or in the States Home Depot or Target or Equifax, it is always big companies that get the attention when it comes to data breach stories in the mainstream media. But the truth of the matter is that if you look over the big data breaches over the past twenty plus years all the big enterprises that suffer the data breach, they all survived. What people do not talk about is that data breaches and not taking cyber security seriously for SMBs, that is very much an existential threat. It is an existential risk because if you get hit by a data breach and you are an SMB on average that can cost hundreds of thousands or millions of dollars. The average SMB does not have hundreds of thousands of dollars laying around to deal with it. It can very much mean the very end of your organization, the very end of your business and that is something which I very much want to impart on the SMB community. Again, not trying to come from a place of fear, but just from a place of the fact that it is not well known that cyber risk is an existential threat. It only stands to reason, we live in an age of digital transformation, we live in an age of a digital economy, it only stands to reason that if you are not protecting the digital world, your digital business world, you are opening yourself up for tremendous failure.

 

Morgan: How prevalent is the ransomware? And where is it coming from?

 

Dominic: Ransomware is very very prevalent. It is hard to get accurate statistics because there is no overarching regulatory measures that say if you get hit by ransomware, you have to publicly report that to a public body. Much of it is just guesstimate by various analysts and anecdotally from what I have seen as well, I would say upwards of three quarters or seventy-five percent of all Canadian SMBs have been hit by ransomware and around fifty percent, if not more, are forced to pay a ransom because they were not adequately prepared to deal with ransomware and to recover from it. What is even more startling is that forty percent of them pay the ransom a second time because even after going through it once very rarely do they say, okay, we survived this, what do we need to do to make sure this does not happen again.

 

I will share a story about a prospect that we had. The CEO of the company was telling me how this business was built by her husband from the 1960s and how it became a family company and after he passed away two years ago, she took it over. Knowing nothing about business and she told me that they were hit by a massive ransomware attack and it knocked the company offline for months and she told me that they came within a day or two of shutting down the company. So when we are talking about all of these I said, well, you need to learn why that happened, let us do some root cause analysis and we will lay out a strategy in terms of how you can improve your cyber security capabilities. And then when it came to discussing pricing, we put down our quote and she said, I was thinking we could maybe do this for maybe five hundred bucks a month. And I said, you know what? Let me get this straight - your husband's company, your husband who is now deceased and you are continuing his legacy, you are telling me the company that came within a day of shutting down, a company that has been around for fifty plus years, because of lax cyber security investment, you are telling me that is worth five hundred dollars and she said yes. I said, you know what we are on completely different oceans here, we cannot help you. That is the problem right now, it is that prevalence that cyber security and cyber risk is something that SMBs do not need to worry about. The truth of the matter is, if any sector that needs to worry and should be sweating it is the SMB community. The vast majority of cyberattacks globally are focused on the SMB community. Again, the reason being is that the SMBs have not traditionally invested in cyber security.

 

Morgan: They are more vulnerable.

 

Dominic: The larger organizations over the past thirty plus years, they have hardened down in terms of cyber security. It is now much harder to break into a larger organization and cybercriminals know that. What they see is low-hanging fruit. It is sort of the example I give as well is, let us say in your neighborhood, there are a hundred cars and let us say seventy of them make sure their doors are locked, the other thirty, the criminals are just going to keep hitting those until those people learn to lock their doors at night and that is very much the problem that we are seeing in the SMB community when it comes to cyber risk.

 

Morgan: It is interesting that you mention it is so much more prevalent because I feel like when I was younger, I grew up using LimeWire and completely destroyed my family computer.

 

Dominic: That takes me back. Holy crap!

 

Morgan: But I remember I would download a song and then completely destroy absolutely everything on the computer and it felt to me like things were less, less bad now. Is it just that it is sneakier?

 

Dominic: Yes. I mean it is certainly different than the days of LimeWire or Napster. I remember using Napster and like you said they are just destroying my computer, it just stopped working. I mean things are definitely different and there is more safer or more secure alternatives now for accessing movies and songs and what have you, but I think what is still prevalent though is what I referred to as a 1995 mindset.

 

When we are prospecting and we are talking about cyber security some of the more common roadblocks and what I refer to as myths, prevailing myths that we run into, we will hear people, SMB leaders, people who own SM businesses, people who are executives in the SMB space saying, “oh no, we have antivirus and we know to not click on the Nigerian prince scam, so we do not need to invest in cyber security.” I always sarcastically say, you know what? That is great, you guys have 1995 level security, Bravo. I am not sure when you last looked at a calendar but it is 2020. My sarcastic approach is rarely endearing, but that is just the way I deal with dated thinking.

 

The thing is it is so prevalent still. Another prevalent myth is when executives say to us, that is up to our IT guy or IT manager. That is why we have an IT service provider or that is why we have cyber insurance. Again, those are all myths and those myths drive me nuts because when it comes to at least focusing on trying to outsource cyber security, you can outsource the operational aspects of it but again, at the end of the day, the risk, and I would say cyber security is a discipline of risk management, that risk as an executive that still falls on your shoulders. It is up to you to do the right due diligence, to have the right oversight, to do the right governance, to make sure that risk is properly mitigated. In the event of a data breach, your clients, your shareholders, your customers, your vendors, they are not going to say oh, this was your IT service provider's fault, we are going to come after them. No, they are going to come after you and they will be merciless in that pursuit.

 

You know, that other level of thinking of in this day and age is cyber insurance. I cannot tell you how many times I have heard, “oh we have cyber insurance, we are good, we are covered, we do not need to worry about cyber security.” That does not make any sense and these are coming from people who allegedly know risk management. That is like me saying, oh I have fire insurance so I am going to throw a bunch of dry wood around in my house and walk around playing with matches and disable all the smoke alarms.

 

Morgan: Yes, I was just thinking that.

 

Dominic: It does not make any sense. Just like I said, there is so many prevalent myths and that is why cyber security is still very much a prevalent problem in the SMB community, because we are holding onto dated thinking.

 

Morgan: Yes. You really do not want to have to use your insurance, typically.

 

Dominic: No. Back to being a risk management discipline, insurance when done right, your insurance is about insuring against the residual risk. You still need to take steps to reduce the inherent risk and whatever you cannot mitigate then you can insure but that is the residual risk, and that is after you have done something.

 

Morgan: Absolutely. Is there a simple way you can explain how people are getting this data and then being able to hold it ransom?

 

Dominic: Yes. I mean and that is a really good question, Morgan. In the simplest non-technical terms why that happens and why it is successful for a couple reasons, one is that the majority of SMBs have very lax, what I refer to as user access controls, and that really means that anyone who works in a company can access any file or any data within the organization. That is not a good principle when it comes to security. Good data security means following what is referred to as the principle of least privilege and that means that per user role people should only be able to access what they need to access in order to perform their job. They should not have access to payroll unless they absolutely need to do that for their job. If everyone has access to everything you are increasing the likelihood of something like ransomware or data theft. You are increasing the likelihood and impact to that happening.

 

The other core reason is that the majority of SMBs run outdated, either computer operating systems or unpatched applications. I have seen so many companies that still run Windows XP or Windows 7. These are all systems that are no longer updated and no longer receive security updates. Or they are running applications like Adobe Reader, or Google Chrome browser, or their Windows operating system, and it has not received security updates in years or months. These security patches are important because they basically protect against vulnerabilities. The more vulnerable or the more vulnerabilities your systems have, from a technical perspective, the easier it is for someone to break in. Again, the analogy I will give is, let us say you live in your house and if you leave your front door open and the windows on the first floor open and the windows on your top floor closed, well it is still pretty easy for someone to break in. But if let us say now your front door is locked, your back door is locked, and all the windows on the first floor are closed, but only one window on the third floor is open, well, that is a vulnerability which you are okay to live with because it is very unlikely someone is going to break in and get through the third floor window. So that is the type of sort of approach that is needed is that you need to keep your systems as updated as possible. Again, that is a very effective technique in terms of reducing the likelihood and impact of a significant security incident.

 

The third and last item which I will list is what I refer to or what is referred to as multi-factor authentication. This is especially true for those who are leveraging cloud-based email systems, like Office 365 or Google G Business Suite. Those types of accounts they are getting compromised left, right, and center because the majority of people use the same username and password that they use on other websites which are compromised and then hackers will take those credentials and just use it to try and break in to Office 365 or G Business Suite accounts. Leveraging something like a multi-factor authentication which takes the form of maybe a one-time pin code, which is sent as an SMS text message or you receive it as a call and you hear the one time pin or even what is referred to as an authenticator app on your phone or mobile device that serves as an additional layer of security. We have to go on the assumption that usernames and passwords are compromised. That way even if your username and password is compromised unless someone physically has access to your phone, they are not able to crack into your email account. All those reasons there are some of the most prevalent reasons and techniques for mitigating some of the more common data theft and cybercrimes that we are seeing.

 

Morgan: It is good to hear you say we should be updating stuff. I know a lot of people put it off because it can feel like it is going to just be time consuming or the notification pops up while you are kind of in the middle of something but you are suggesting, always update.

 

Dominic: The thing too is that most of the applications and operating systems now allow you to auto update. It is not like how it was when we were growing up. I remember with Windows 95 or Windows 98, that you had to take time to manually do the updates. It might warn you or give you a notification, but you would ignore it. At least now you are able to either have that automated or there are IT tools that your IT team or IT service provider can use for deploying those in a more automatic fashion. So, it does not involve people having to manually apply those updates.

 

Morgan: You had mentioned the term patching. Can you just explain quickly what that means?

 

Dominic: Yes, absolutely. Patching means applying a fix to that underlying vulnerability. So the way I refer to security patching is almost like akin to let us say with a newborn. They get their vaccines, as they get older they get their flu shots, it is the types of things that again is meant from a risk mitigation point of view in which any potential weakness can be mitigated by applying this fix or what is referred to as a patch in the technical community.

 

Morgan: Awesome. I wanted to back up a little bit because you had mentioned a bit about the Cloud.

 

Dominic: Yes.

 

Morgan: Do you recommend small-medium businesses ever using the Cloud, things like Google Drive? What would you suggest for file sharing?

 

Dominic: Yes, good question. Again, the sort of overarching response to that is, it depends. I always tell the SMB space in which if you are comparing let us say email in the Cloud. So email in the Cloud versus running your own on-premise email server. Microsoft and Google, they can do security a hell of a lot better than the average SMB, any SMB. So it is better in that case to trust the Cloud and to leverage their security capabilities. They are able to do a far better job. In terms of sharing files, yes, there are great tools like ShareFile, which is a very secure transfer tool which we always recommend for many of our clients. But before focusing on tools, you need to understand and go through what I referred to as a data mapping exercise in which what type of data is going to be moved around because depending on the data there may be privacy implications that need to be looked at or understood. I am not a privacy professional, I have great privacy friends who I refer to their expertise and guidance, but at a high level as an example, you cannot store Canadian PII, personally identifiable information on Dropbox for example because Dropbox is all stored on U.S. data centers and Canadian personal information cannot be stored out in the U.S. There are certain conditions in which it can be. There is a lot more privacy implications there than it is underlying security implications. But again, those are a lot of questions that people just do not know to ask. It is important to really understand the usability, the business requirements, and the data privacy requirements, in terms of what data is being stored in "Cloud."

 

Morgan: Awesome. Thank you. I am wondering if you could touch a little bit on some ways we can protect ourselves. I know you have kind of thrown bits here and there. But do you suggest things like, we used to hear a lot about firewalls and getting anti-malware solutions, things like that.

 

Dominic: Yes, absolutely. Couple of ones I am going to rehash with, and I’ll add some other ones to that.

 

So starting off, multi-factor authentication even from a personal use perspective for any of your email accounts, for any of your social media accounts. Leverage multi-factor authentication, that is one of the single most effective techniques that you can use right now to prevent your account from being hacked or compromised.

 

Another tool to use is what is referred to as a password manager. One of my personal favorites is something called LastPass, another great password manager is called Dashlane, and really these password managers, they almost served as password vaults to a degree, it allows people rather than having to remember dozens of different passwords or just remember a handful of weak passwords. You just have to remember one good long password and then these password managers, they can auto create very secure passwords and will auto-populate for any online service that you access. At least that way then you do not have to remember like I said, a bunch of different passwords or use a bunch of weak passwords, which is very common right now. This is a very, very great technique again for reducing the likelihood of an online account being compromised. Those are my two personal favorite things to do from a password perspective, applying security updates and their security patches is a very important thing to do.

 

The next one you hinted at, Morgan, was installing or leveraging what I refer to as just basic security software. At home, if you are using Windows 10, thankfully that has something awesome already built into it called Windows Defender. So, you already have some great basic security software built in and it is providing you that real-time protection. If you are using a Mac or a Mac operating system that does not come with something built in unfortunately. One of my personal favorites to use is a product called Sophos anti-virus for Mac. Sophos is spelled as S-O-P-H-O-S and it is a really fantastic tool, very lightweight, very easy to download and install, and it provides just good basic protection when it comes to online threats, viruses, malware, that type of thing. All good things to use even on your personal computer at home.

 

Morgan: I have an iPhone and sometimes if I am on a new website and I am making a username and password, it will suggest passwords. Would you recommend using that?

 

Dominic: Yes, and that is a really great tool to be able to help you use or to create more secure passwords. But at the end of the day, it is not serving as a password vault or password manager. What we see as being very important with password managers is that it reduces the number of passwords people have to remember and right now is this technique that the majority of people do or follow is that they reuse passwords on multiple sites. They will use the same password for some online service that they signed up for once, they will use the same username and password that they use on their online banking and online banking is infinitely more important, [inaudible] not compromised. It is important there to be able to just use a password manager to auto populate and to auto create very secure passwords that you never even have to remember. It will do that automatically on the fly.

 

Morgan: Especially if you signed up a long time ago password requirements used to be very lax.

 

Dominic: And very different.

 

Morgan: A lot of people have very, very simple passwords still.

 

Dominic: Exactly. Very true.

 

Morgan: My last one for this episode is how often should we be backing up our information and where would you recommend backing information up to? Things like that, that kind of personal information, that data that companies might have.

 

Dominic: That is a good question to end on. Again, this goes back to what I mentioned earlier about almost like a data mapping exercise where before you even think about where are you going to back up, you need to understand as an SMB, what are we going to back up? What are the most important files, what are the most important data that this organization or this business uses, so we can back that up. There is no point backing up a whole bunch of Miley Cyrus MP3s or other unimportant data, you are just wasting valuable space and available time in backing data up which is not mission-critical. So, have that step one, identify that critical data.

 

Step two is identify where it exists, is it on laptops, is it on servers, is it in the Cloud, identify where it exists. Next one is then work with your IT team, your IT service provider, and identify the best mechanism for backing up that data and where it should be stored, what the frequency should be. Do you back that data up once a day, once every hour, once a week. Again, it depends on the data. Some data for some organizations, if they lose an hour's worth of data, that is a big hit. Other organizations are okay losing several days worth of data. It all depends on the context of the data and of your organization, but you need to go through that mental exercise.

 

Morgan: Absolutely. Well, thank you so much for sharing these tips. So far it definitely gives a lot to think about. Before we close out though, I am wondering if you could tell us a little bit about you and your company? And if anybody listening is interested in getting in touch, how they can do that?

 

Dominic: Absolutely, Morgan. Cyber SC was born to serve the SMB community and we provide what I refer to as cyber risk leadership services. When you think about the average small mid-size organization, there is not really someone in the leadership ranks who understands cyber risk and that is okay. There is often someone who is a CEO, a CFO, a COO, these are people who are very good at what they do, and they are focusing on the growth of their organization. Unlike large organizations who tend to have in-house cyber security leadership, smaller organizations do not and that is where we help fill that void. In which we take that risk portfolio off the shoulders of the CFO, or the business owner, or the CEO, allow them to focus on what they need to do to grow their business, and then we own that portfolio. We then serve as an in-house chief information security officer. We take control of that risk.

 

From a technical side, work with their IT team, work with their IT service provider, to make sure the right security controls are in place. We make sure that we do the right governance, and oversight, and due diligence. That allows us to a strategic level, to own that risk portfolio so businesses and business leaders can feel better knowing that it is in the hands of people who truly understand what cyber security means and does for an organization.

 

I always love it when people reach out to me whether it be just to say hello, just for a quick question. I am not going to just say no you have to pay me. I am a firm believer in helping the broader community, especially the SMB community. Please feel free to reach out whether it be through our website www.cyber.sc, reaching out to me via email, dvogel@cyber.sc, or even better engaging with us on our social media platforms and particularly LinkedIn where I spend a lot of my time. You can look up the Cyber SC LinkedIn page or even look me up on LinkedIn and we put out what I feel is fantastic daily content on a daily basis and we tackle different security topics. Again, speaking in a way which will resonate with non-technical people. It is meant to help inform the business community. You can go back to our LinkedIn feed and see all the videos that we have done, we do one every day. That maps back to our YouTube page and there is a ton of great free information there. Even if you never become a client you can learn a heck of a lot and start applying a lot of what we share in our content at your organization.

 

Morgan: Fantastic, very capable hands.

 

Dominic: Something like that. Sure. [laughs]

 

Morgan: Thank you so much for everything today. This has absolutely flown by and I will agree that you took a topic I knew very little about and have made this such a breeze. So, thank you again.

 

Dominic: Morgan, thank you so much. I cannot wait for Part 2.

 

[music]

 

Morgan: Thank you for tuning in to this episode of The Small Business Mastermind. As a reminder, you can subscribe to the podcast by visiting olympiabenefits.com/podcast or hitting subscribe or follow on the podcast app of your choosing. As well, I want to give a big thank you to our guest, Dominic Vogel. You can check all of his information out in the podcast description. We will be back with Dominic again in a couple weeks to talk more of cyber security, so stay tuned for that.

 

Finally, if you are listening on Spotify or Apple Podcasts and can take a second to hit the follow button or give us five stars, it really helps grow the podcast and allow us to bring on guests like Dominic. All right, that is all I have for you today. Thank you again for listening and I will be talking to you again very soon.


[END]