Summary
In this episode, we're discussing security and cybersecurity with Nate Sheen, owner of Astoria, a Cleveland, Ohio-based managed service provider. We talk about the importance of security, the average cost of a ransomware incident, and how Astoria helps companies find ways to be more secure.
Detailed Notes
In this episode, we talked to Nate Sheen, owner of Astoria, a Cleveland, Ohio-based managed service provider. He emphasized the importance of security, explaining that it's not just about technology, but also about procedures and processes. We discussed the average cost of a ransomware incident and how Astoria helps companies find ways to be more secure. Nate also explained how Astoria's approach to security is multifaceted, including detection, response, and recovery. He mentioned that they use the National Institute of Security Standards framework to guide their approach. Additionally, Nate talked about the importance of training and education in security, and how Astoria provides content and webinars to their clients. He also mentioned that they help companies identify vulnerabilities and develop a plan to address them.
Highlights
- Security is something that I think we all have some knowledge of, but we don't spend enough time really understanding.
- It's one of those things like, hey, we know it's out there. We know it's a problem, but it's good to get somebody that's in the midst of it.
- We have clearly documented what our exposure already is and what we need to do to clean that up, and they probably will be operational tomorrow.
- You probably will not recover from a ransomware or hacking incident if you don't have a plan in place, because the average ransomware incident costs a company upwards of one hundred and fifty to two hundred thousand dollars.
- We create content specifically for our clients. We have general content and webinars that we provide to them that they can go to as training.
Key Takeaways
- Security is a critical aspect of business.
- Companies need to take proactive measures to protect themselves from cyber threats.
- The average cost of a ransomware incident is upwards of one hundred and fifty to two hundred thousand dollars.
- Astoria helps companies find ways to be more secure.
- Security is not just about technology, but also about procedures and processes.
Practical Lessons
- Develop a plan to address security vulnerabilities.
- Implement procedures and processes to protect against cyber threats.
- Use detection and response tools to identify and mitigate security incidents.
- Provide training and education to employees on security best practices.
- Use a multifaceted approach to security, including technology, procedures, and processes.
Strong Lines
- Security is something that I think we all have some knowledge of, but we don't spend enough time really understanding.
- It's one of those things like, hey, we know it's out there. We know it's a problem, but it's good to get somebody that's in the midst of it.
- We have clearly documented what our exposure already is and what we need to do to clean that up, and they probably will be operational tomorrow.
Blog Post Angles
- The importance of security in business
- How to develop a plan to address security vulnerabilities
- The benefits of using a multifaceted approach to security
- The importance of training and education in security
- Real-life examples of companies that have been hacked and how they recovered
Keywords
- Security
- Cybersecurity
- Ransomware
- Astoria
- Managed Service Provider
Transcript Text
Welcome to Building Better Developers, the Developer podcast where we work on getting better step by step professionally and personally. Let's get started. Well, hello and welcome back. We are continuing our series of interviews and we're starting a new interview this time. We're going to speak with Nate Sheen and we're going to talk about security. Security is something that I think we all have some knowledge of. We have some exposure to. We have some intent to create secure code, to create secure applications, to secure our work environments, particularly with so much in the news about hacking attacks and hacking attempts and it occurring at small companies, middle sized companies, big companies. But I think it's something that we don't spend enough time really understanding. It's one of those things like, hey, we know it's out there. We know it's a problem, but it's good to get somebody that's in the midst of it. Somebody that really does this, you know, it's their job to help companies be more secure and find opportunities to improve their security. And that's what Nate does. They help companies find ways to be more secure. They walk them through this process. So this is something that it is going to be a little bit technical at times, but I think it's a very important conversation for us to have and for you guys to listen to. So without any further preamble, let's get started with our conversation with Nate Sheen. Okay. Well, welcome back. And today we're going to be talking with Nate Sheen. We're going to spend some time talking about security, cybersecurity in particular, things that everybody I think has probably heard of, but not enough people actually pay some attention to it. And that is part of where that sort of Nate's calling in life is getting out there and finding people like us who don't spend enough time thinking about security and helping us figure out how to do it better. 
Now I am notoriously bad about catching all of the cool things about people in an introduction. So I'm going to go right to you, Nate, and let you tell us a little bit about yourself and maybe a little about your company and what you do. Well, hi, Rob. Thanks for having me here today. This is fun. I love just chatting about this stuff and maybe nerding out for a little bit of time about security. So yeah, I own Astoria. You can check us out at trustastoria.com. Astoria is a Cleveland, Ohio based managed service provider. We're very focused on the cybersecurity side for your small to mid market businesses. So it's really the kind of the thing that sets us apart from other managed service providers because all of those tech guys were really, really good at understanding the technology, which is something that we do every day. We have to understand technology to do what we do. And we sometimes we do often touch things that are not necessarily security related, but with that idea of security in mind, like we say, like, we need this network to talk to this network, but how are we going to secure that? And so that's what sets us apart of thinking about that and turning on the controls and working through that, which is really the world that we're living in now. We just really understand the nuts and the bolts of not only the security, but maybe even the procedures and processes that are there to that are required to document it because we can put a lot of security into place. But if you have compliance documentation requirements that need to be done, that's a whole nother aspect that comes into play with it. And it's so hard for that small business person to just handle that. 
Some of that's even on the just general liability insurance side, too, of understanding what your general liability insurance requires or covers and making sure that you're actually hitting those things that your insurance is telling you to hit so that you actually get a payout when you have a security incident. Hopefully that doesn't happen if you're working with us. We haven't had that happen, but we are not bulletproof like anybody else. That's a little bit about us and what we do. Glad to be here and chat through wherever the conversation leads us today, Rob. Excellent. Well, that starts with the smaller companies. I know there's some that look at it and they say, hey, we've got one little server. We've got a couple of customers or whatever it is. In their mind, it's not worth it. And particularly, because I think a lot of times people think of a firm like yourself, somebody that's going to come in and actually help with security. I think a lot of times they see these big dollar signs. I think these are going to be huge. I think sometimes it's like visions of people coming in in black helicopters and jumping in and securing everything and stuff that's a little bit maybe overblown. So what would you say to somebody, particularly because that's part of your market, is somebody saying, ah, we're not big enough or that's going to be too expensive. So how is your approach to that or your thought to that? That kind of an issue? Well, first, Rob, you gave me an idea. I'm going to go buy a helicopter after today because that sounds really cool. Might be a good marketing thing. Hey, I always say you're saying, hey, you got a small company. That's your livelihood. And so my first question, I'm going to say, what is your livelihood worth to you right now? 
Because the fact of the matter is you probably will not recover from a ransomware or hacking incident if you don't have a plan in place, because the average ransomware incident costs a company upwards of one hundred and fifty to two hundred thousand dollars. And I don't know what your bank balance is, Rob. I've been in business for seven years and I still don't see an average bank balance of two hundred thousand dollars in my small business. We definitely do business on that. But just to say, hey, I've got an extra two hundred grand laying around to send to some hackers in an obscure country I didn't even know existed. That's not really what I'm up for doing today. And you probably don't have enough insurance coverage in the first place. So it's really kind of then twofold saying, OK, what how how important is your livelihood to you? Can you survive this? And then it's also like look at the dollar amount and saying, is it better to do this thing? Not only is going to protect you, but really our type of service can make you more efficient as a company, because not only are we doing security, but we're looking at just your technology and your audit, because I do realize I get that pain of. How am I going to pay for this? So we typically say, let's take a technology audit, let's take a vendor audit and look through all of those expenses that you're paying, because I want I want a bunch to be able to pay for me and I want to add value to you. So sometimes we take on the front end, we take and we find that maybe you're spending too much on telecom. Let me introduce you to someone that can give you better telecom for a better price. Those things and help you be able to afford this thing that you have to have and actually make you more efficient and protect your business in the long run. 
So one of the things that you mentioned, particularly like these ransomware attacks and stuff like that, you know, a lot of those are internal, they're somebody I think there's even been some very high profile people where they like click on a bad link on an email or something and basically give the keys to the kingdom to the bad guys. So how do you do you guys as far as securing systems, do you actually include security awareness or how does that fit into your sort of your approach? Yeah, absolutely. So it's a multifaceted approach. So we we follow the National Institute of Security Standards framework. And so there's five steps in that. And typically your average business is going to have step one and two handled. Step one is really easy. It's identify what you have to protect because we don't know what to protect. We have no idea what we're doing. And then number two, they probably bought some antivirus or they probably have a password to log into things like that. Like that's that's step two. Step three is really that detection piece. It's where we actually look at it and say, here's what's happening. And you're going to send it to somebody who's actually going to read those reports, understand those reports. And then we go to step four and that's the response piece. And that's actually where we respond to that part. And we stop it. You know, maybe there's a hacker on there. Maybe you clicked on a bad link, start adding some softwares in there and stuff. Maybe going back to step two and when you see an email filtering into or giving you some alerts on the email, like you've never gotten email from this email address before. Be careful. This looks like spam or phishing. That's step five. That's our continuity piece. That's where the training piece comes in. So we create content specifically for our clients. We have general content and webinars that we provide to them that they can go to as training. We have trainings that they can attend in person. 
And then we'll do one on one training with them. But also a part of that step five is building a recovery plan. So first, obviously backups. We're going to back up all your apps and devices and things that need to be backed up. And then we're going to have a plan. So if you get hacked, Rob, you're here. Step one, two, three, four and five that we're going to do to get you back in operational next week, next day. And really, I have to have that conversation with you and say, how quickly do you want to be operational? Well, obviously, as fast as possible. Well, let's see what's reality. And the reality is maybe it's going to probably take us three days to get you fully operational. But what can I get done on day one? What can I get done on day two? And some of that is probably going to change in the moment. And depending on what's happening with the fact of the matter is we have a plan in place to resolve that and we know how it's going to get through that. And we just continually try to make that better and better so that we have a good incident response plan. So there's a lot of different things that we do, but it's having those pieces of using the software technologies available to us to make us efficient and then knowing that you have some way to respond to it and have a plan to work through when or hopefully if it happens. And that's that seems to be like one of the things that sort of makes sense, I think, on a logical sense, because you have this it's not it's a moving target. You've got people out there. The hackers are not just doing the same things they were doing last year or 10 years ago or even probably last week. And so there's it is an evolving kind of a an approach. So for for somebody that says, OK, I got I get some of this stuff, I get some of your ideas and in general and I can I can go do this. 
What sort of what do you what would you say to somebody that's like, oh, yeah, I'm good with it versus what you can bring to the table as far as sort of keeping up with what's the latest stuff out there and what are all the and not even thinking about getting into things like let's make sure all your software is like up to date. And you've got all of those things that are like the those little boxes to check off that some people are like, oh, yeah, we can do it. But what is it something you think, yeah, you could if you want to do it and spend the time or is it something where there's still where you say, hey, you really are going to be better off having somebody come in that that's what that they own it basically. I think it can be either or. You know, typically our market where we serve is that that small business. And when I think small, I don't know what the I don't know what the standard of small is, but I think small. So that's that's like under 50 employees. But if you look at like the US average, I mean, that's a lot of businesses in the US. There's a lot of businesses that one, two or three people. Well, we've got a team of five. OK. And we're a pretty average size business like the majority of my friend, owner, business networks that I work with. You know, I think that I have one friend, he has 25 employees and we think he's a pretty big company in comparison to everybody else around us. You really don't hire an IT manager. You start start hitting that hundred user base. So it's really then it falls to an operation person. It falls to somebody who's responsible for the IT infrastructure, but they're not really an IT person. So generally in that area, I say, let's take that responsibility off. We're aggregating that cost across multiple organizations. That's the beauty of MSP. And that's why there's a rise of MSP. We're aggregating that cost across all these organizations. So I've got big company IT tools to do big company things. 
And I'm I'm a big company IT manager and I've got more than one big company IT manager on my team to look at everything for you. So it's not just my brain, but somebody else's brain. We're a team working together with that. It doesn't make financial sense to put somebody like me on your payroll. But if you say, if I can pay a fraction of that, then it's a big win. Now, let's say you get to you've got 500 employees. I really want to work with Nate, my IT manager. He's really, really good at monitoring our antivirus. He's really, really good at making sure the backups happen, all of those things. But he says, I'm most really weak on getting this continuity plan together. I don't understand these insurance policies. I don't know the things that I don't know. Great. That's where we can really come alongside. And how can I help just make you better? Or maybe you just want to have somebody to bounce things off of, because a lot of times, even at 500 users, you're the only person and you're like stressed your max. Maybe it's worthwhile for the CEO to say, I'm going to put this MSP on retainer to save the life of my poor IT manager so they can take a vacation or help us get some better processes in place and think through the things that we're missing. Because if we're putting out fires every single day, we're definitely not doing anything proactive and we can take a lot of the processes we put in place and say, here, they're already built. You don't have to think through it. This works really well and we can implement that for you. So that's a lot of what we do and get into some of those projects like that or get on a retainer or we just take a seat at the table and we plan once a month to maybe just work through some things together, just some coaching or accountability or things like that, just to help them like, I can breathe again, I can actually think about this stuff and just help alleviate the pain in some of those areas. That makes sense. 
Now, when you're getting into when you're talking to a customer, what is, I guess, essentially, what is the best time if you think of like a, you know, starting a business and then moving along into growing a business, maybe you start it, you want your products, stuff like that, when is the best time to talk to somebody like you? When is a good time for you to be brought into that conversation? If somebody says, you know, I know I need to think about security. Where's where's that time? Do they say, hey, Nate, let's talk about it. I think it's probably cliche to say right before you start the business is the best time to do that. And we work with people all usually along the way. It's probably one of the first things you should talk about if you're going to start a business. Don't start a business like how I started the business. OK, I started a business and talked to anybody and I just did it. I didn't talk to an accountant, an attorney or anybody like that. I got an account. I had to get a counselor eventually because of all those messes. But a cybersecurity and IT person, you should probably talk to them pretty early on. And depending on where you're at budget wise, you're probably not going to be able to hire them. I've got a couple of free resources and time that I'll commit to somebody like that. And say, here's the things you need to think about. You know, do this, this and this. There's a value in using what we have and we can definitely help alleviate that pain. If you're pretty tech heavy, it's probably good investment up front. But we could also just give you some resources or you could buy some just one time resources up front and then you can run with it for a while and knowing that we can be your partner along the way if something like that happens. I don't think there's a better time to do it when you're starting. You definitely don't want to be calling me asking for my contact information when your place is on fire with ransomware. 
It's going to take me a lot longer. It's going to cost us a lot more money to figure out what's going on if you don't have clearly documented processes and what did you actually lose? Because typically when you have a ransomware incident, you're not even sure what your exposure is at that point. You know, with us, if any of my clients have a ransomware incident, I hope that that never happens. We have clearly documented what our exposure already is and what we need to do to clean that up and they probably will be operational tomorrow. It's just going to look a little bit different than it did yesterday. That's good to know. And that's that's again, it's one of those that it's sort of a follow up question is, is somebody comes in and says, oh, OK, I'm six months into this and I want to have somebody take a look at my systems and I want to actually take a step to to make sure I'm secure. Nothing's happened yet, but I'm you know, I'm a true believer. I'm going to I'm going to go work with you guys. How often is that something that you come into it and you say, man, this is it would really have helped, you know, assuming that things aren't on fire, but just doing the general documentation, some of that. How much of that is stuff where you can say, you know, this would have saved you a lot of time and effort had we done this started six months ago or how much of it is something that's like, you know, once you start it, it's still it's the same amount of work. It's just sort of when you start it. I think what we lose in the you've started your business six months probably is not that much of a time from the startup phase to then if you're six years in and you haven't done anything and now you're bringing us in, what we lose in that is the historical knowledge. So we say it takes three to six months for us to get to know a business and really understand what actually happened because we'll go in and we do what's an initial assessment. 
And if you've had IT people in their contractors and they do all these, everybody does it works a little bit differently. Some work neater than others. Some are really messy. You can see the apathy kind of in the work that they've done. And so you're kind of like trying to piece this together, realize what happened and then get it to the next phase. Whereas if we can come in and do it right the first time, I don't have to rip things apart and try to rebuild stuff. So, I mean, really, it's kind of the question of if you want to build a good house, wouldn't you want to start with the foundation rather than, you know, go cheap on the foundation and then have to pay to redo the foundation? Because I don't know if you've ever seen a foundation on a house redone. It's possible. It's really expensive and a little risky than if you would have just poured the footer the right way the first time. Now, do you guys do security audits and software assessments and things like that, as well as that part of what you offer? And particularly if somebody is one of a customer that's, you know, that you start out with them, you're working with them. Is there a recommendation maybe of doing, you know, annual security audit or something along those lines? Yeah, absolutely. So we have our clients, we they're retained with us. We're going to do a security audit and like an assessment of the plan. Like, let's look at the plan and see what what are we doing? Where's that plan at? How's our like an incident response training plan? So we're going to do that. We also get contracted to say we're going to come in and maybe you've got an IT team, maybe you have another IT company and just to assess what are you doing and what are those procedures you have in place? And then we'll just make recommendations on like, hey, things that could be improved, like, you know, maybe this server needs to be updated. 
Maybe you should consider running this type of backup on this server or you should consider replacing that firewall or, you know, those things. Or when I walked into, you know, the sales office, everybody's passwords were written on their screens or I walked up, they weren't written on the screen. But when I typed password into the login, it got me right in, you know, things like that. So those are just real basic assessments and honestly pretty inexpensive as compared to like if you got like a penetration test, where penetration test is a lot more deeper dive and takes a lot more time to just really actually try to hack your system. So you can do a lot with a security assessment. You can go a lot further with penetration testing, but penetration testing is a much higher like cost on that end. They both can accomplish a lot, but sometimes they're just required by industry to get penetration tests, whereas a security assessment is really great for a small business who wants to know their exposure. But maybe we're going to do it probably in about three to four hours rather than three to four months. So that's and that's a good, good question, too, is what you sort of answer, but there's that general assessment and then you get into, you know, like that whole the pen testing and going in and doing and some of them, I know it's, you know, months because it is a very thorough attempt essentially to hack your organization, your company. So is there a similar to the other thing is, is there sort of like a watermark or something where you would say that you're these are things as a company that because you're this way, you should actually go ahead and spend the time and do a full penetration test versus doing more of a general assessment. There may be some things if somebody's saying, well, I want to get an assessment, but do I need to do I need to go all out or am I going to be really better off just doing like a good sort of general assessment? 
That there's kind of two aspects to that. That's generally going to be driven by having a pen test is going to be generally driven by compliance or insurance and their requirements and what you do. So bigger SaaS clients, they're going to have compliance that they need to hit and have to have that pen test or insurance is going to require that pen test to make sure that they're insured or maybe to get a discount. So that's typically what is driven by. I I've never had anybody come to me and want to get a pen test because they felt like they should have a pen test because of the cost. They say I want a pen test, but what they really want is a security assessment because the budget's not there for the pen test because pen test is about. I'm not going to quote any prices. They're five figures, OK, at a minimum. OK, security assessment, you get away with it for your small companies under 10. We're going to do it for under a thousand dollars. The next thing, you know, kind of kind of scales up. It's based on a per user price. Typically, it's just going to scale up and it's it's really easy. They're really great report to work with. You've got some really great action items and it really gives you an idea of where to start. And typically the reason we do an assessment is they have an IT company that's failing. And they just need us to go in and say these are the things that are happening so that they can say, I can pull the trigger and hire a new IT company or fire my IT manager. That's typically why we get hired to do an assessment is because I have a problem with what they have now. So do you so if somebody gets that point and they say, hey, I'm going to I'm going to need an assessment and let's assume it's just a regular one. Is there is it something where they are just like, as soon as you think you should do it, go ahead and give us a call. 
Is there something that they can do to help themselves out, maybe to sort of not maybe necessarily completely get their house in order, but maybe preparation or something that they could bring to you. So maybe it speeds that process up a little bit as far as being able to get your team in and do a proper assessment. I wouldn't just documentation of what you have. Yeah, what do you have? What are your procedures? Because we're going to look at everything electronic from that standpoint. And I'm going to. And this is what I think is funny. If you know an auditor is going to come, maybe for HIPAA compliance, work with some medical clinics and they'll know they'll know the auditor is coming. So all of a sudden, you know, they're supposed to have clean desk policy. And so they put all the files away. Well, that didn't really help you know how good you're doing, because if you know that you're going to be audited, if you I worked in banking for a little while and when we knew that the, you know, regional ops manager was coming, they knew that everything was perfect. What everybody hated was the poppet. I didn't mind that. I didn't mind the poppet because I ran my branch like tip top. They liked me because I would really my success was that we just didn't have issues with compliance because we actually did our job every single day. And that's really like it comes down to the heart of the people that want to do it. Like if the auditor showed up randomly, would it be done right? And so honestly, what I want, I tell people, if I'm going to do an assessment, look at it as like an audit, like I'm going to come in. I want to look at it like a normal day. Like I don't want things to be put away. I just want everything left the way you would normally leave it. And let me look at it the way you can prepare me as I need to know what you say you have, I need to know what your procedures are. I need to know what you have, what you're saying you have. 
Typically, they don't have processes and procedures or, you know, if they've got clean desk policy, if they've got password policies, that's great. I want to look at that because I'm going to take it as a part of my report and say, you say that everybody should have multifactor authentication, but these users don't or you say don't leave your password on the desk. And I found 10 users that had them written in their desk drawers, things like that. I'm going to, you know, write that in the report, not to like throw people under the bus, but just to show like, here's the areas to improve it. So really just understanding what your procedures are, how things should be done according to what you have. Then we can actually make that a part of our assessments. Like here's the opportunities to improve. And that is where we're going to pause the discussion for this episode. We will be back with part two. We will continue our discussion with Nate Sheen. We're going to continue talking about security and penetration tests and testing it and validating it. And all of those things that are wrapped up in security, which if it's something that you don't spend a lot of time in, it may be one of those things that you can realize now why there are all of these layers of certifications that are related to security, because there's all these different ways that hackers, attackers, bad people, bad infiel, bad seeds out there can try to get into your systems and mess things up or worse. So we will come back next time. Thanks again for your time here. Hopefully this has been useful. We'll continue our discussions as we come back. But go out there and have yourself a great day, a great week. And we will talk to you next time. Thank you for listening to Building Better Developers, the developer podcast. You can subscribe on Apple Podcasts, Stitcher, Amazon, anywhere that you can find podcasts. We are there. And remember, just a little bit of effort every day. 
Ends up adding into great momentum and great success. Hi, this is Rob from building better developers, the developer podcast. We're excited to be on Alexa now. You can enable us by simply saying Alexa enable building better developers. And we will be there ready for you every time you want to listen to your now favorite podcast. Whether we are your favorite podcast or not, we would love to hear from you. So please leave a review on Amazon.