Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Don't Get Cybersecurity Insurance (Until You Listen to this Podcast)!

May 05, 2022 Petronella Cybersecurity

Hackers aren't going anywhere, any time soon, so a lot of companies are (wisely!) looking into cyberinsurance. 

However, not all companies know what they need to do to get cyberinsurance, or they try to use it as a replacement for ACTUAL cybersecurity.  On today's podcast, we discuss the right (and wrong) ways to get cyberinsurance for your business.

Hosts: Craig, Blake and Erin

Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Erin:

Welcome everybody to another PTG podcast. It's live. So that means it's Monday. We have Craig here today and myself. Oh, and Blake. Blake's here too. Welcome everybody.

Blake:

You always forget me.

Erin:

How could I ever forget you, Blake? I don't think it's possible.

Blake:

It is Monday though.

Erin:

It is Monday.

Blake:

So you could forget me because it's Monday.

Erin:

Monday's new computer day today. I'm so excited. You guys idea?

Craig:

That's right.

Erin:

So Craig, what are we going to talk about today?

Craig:

Cyber security insurance and why you should have it.

Erin:

Ooh.

Blake:

Fun one, super fun.

Erin:

And why you should have it and what you should do to get it too, right?

Craig:

That's right. There are requirements. So if you're a business and you most likely want to grow and you want to get new customers, if you're a little company and you want to do business with a larger company, typically, they're going to ask you if you have cybersecurity insurance and you may go down the rabbit hole of researching what's required for cybersecurity insurance. And the market's changed a lot, you know, with the ransomware and all of these threats that are out there. You don't just ramp it now with the issues that are happening in our world, the insurance providers were paying out a lot of money for claims for ransomware. So they've essentially raised the stakes. Multi-factor authentication, which we've talked about, MFA, for a really long time. Now they want to make sure that you have that in place. They want to make sure that you've got policies and procedures. You know, all the stuff that we've been talking about, but they want proof. They want evidence because if you can't provide the proof, they're not going to pay the claim. So in order for them to actually even insure your business, they ask you some questions on a cybersecurity insurance questionnaire, and they basically rate the risk profile of your business. So obviously if you have a .com business and you're online, you're taking credit cards, or maybe you're doing custom development. You have different actions that may have different risks associated with them. Maybe your business is small and you use a provider like Square or PayPal or something to take credit cards, and maybe your risk is pretty low. Or maybe you have a more modern e-commerce company, for example, and you're taking more personally identifiable information from the public. 
So there's all these different questions that they'll ask you, but you know, multi-factor authentication or MFA is that extra step, you know, in addition to just a password, and it's a technology that's pretty commonplace now and they want to see that you're using that in your business, and that there's supporting evidence of that. There's different kinds of MFA, different providers provide it, you know, the big websites like Google, Facebook, you know, they have MFA provided as options to access those resources. But what if you're a business and you want to incorporate that into your own systems? You know, there's different ways to do that. Even with what's called virtual private networks or VPN technology, you can add an MFA layer to that, which is highly recommended. So MFA is really the number one thing that cybersecurity insurance is looking for. Any questions about MFA for you guys?

Erin:

Yeah. So what is it about MFA that makes it so popular with all of the insurance agencies?

Craig:

It's kinda like your ATM card at the bank, right? So you have like something on your person in addition to you, like to get money. So in the case of MFA or multi-factor authentication, you've got a username and a password and then you've got this extra layer now, and you can get MFA as a text message or a one-time passcode. It could go by SMS text message, which is not recommended anymore. There's also one-time passcodes that could be emailed to you. And then there's my favorite, which is either Google or Microsoft Authenticator, and then you can pair the authenticator solution to a hardware token. And that's my favorite solution, a hardware token. We talked about GateKeeper in the past. That's a popular one that we highly recommend that we've negotiated a great bundle pricing for our clients on. So MFA, it's basically that added security layer in addition to just your general credentials, because you know, let's face it, a lot of the popular websites and services, they've been breached already. There's a website called haveibeenpwned.com that aggregates all that data together. So a lot of the information, hopefully you guys listening are not using the same credentials or breached credentials somewhere, but you should be using a password manager, complex, unique passwords everywhere. But in addition, you know, the insurance companies really like this MFA layer because it is an effective layer. It's certainly not a cure-all, and it's not the only thing that a business needs to have, but it is effective. So if your credentials are breached or you have a keylogger on your system and your passwords are compromised, you have that extra layer that's going to block the hacker out.

Blake:

Yeah, I think it's kind of surprising the amount of people that come to us and say, Hey, we need help getting cybersecurity insurance. And the first, I think probably the first two questions that we ask is, okay, how many end points do you have or do you have a an inventory of your devices and most people like, no. Or do you have like a system security plan or maybe even a network diagram? People are like no.

Craig:

You know, a lot of small businesses, the owners usually run around wearing multiple hats, right? So the last thing they want to think about is cybersecurity. But the reality is that with all of this technology at our fingertips, pretty much, you know, it could be used for good and for bad, right? You know, like look at hard drive sizes, for example, you know, like, I dunno if anybody's bought a hard drive recently, but hard drive sizes are multiple terabytes, very large in size. Right. You know, it's not uncommon to get a computer with a couple of terabytes of storage. That's a lot of storage. So my point is that, you know, back 10 years ago, you still had the issue, right? The issue of somebody breaching into your system and stealing or deleting your data or causing damage. But as time goes on and storage becomes cheaper, now the amount, or we'll use a bucket as an example, your bucket is bigger and it's going to do more damage nowadays than it would 10 years ago. If that makes sense. So like, if you lose two terabytes, let's say two terabytes is kind of the average size of a data storage, and you're a small business owner. If you got a two terabyte hard drive and you've got about half of that full of business stuff and intellectual property and sensitive customer information, you know, in just a couple keystrokes, it's super easy for a hacker to either exfiltrate and steal the data or delete it. And poof, it's all gone. Whereas, you know, just years ago, the storage wasn't there, you know, the risk is still there, don't get me wrong, but the amount of damage is less because the storage wasn't there. So my point is that it becomes more and more important to not only back up your data, protect it, make sure that it's off site, you know, have more mature policies. 
Like Blake mentioned, a system security plan, policies, procedures, all of this maturity level for your organization is no longer optional. It's really essential, and supporting evidence of it. It's essential to get things like cybersecurity insurance, you know, they don't want you to go on the internet and just go download policies and then just stick them in a folder that you're not going to read and then say, yeah, yeah, we got policies. That's not the point. The point is that you have to customize these policies. First, you have to write them. And we have templates on our websites and we help with those functions. You need to customize them. And that can only be done by the business and the business owner or the C-levels and the stakeholders. You know, a provider can't do that for you. That's part of your culture, a part of your business. So they need to be customized and then they need to be mapped over to what's called security control layers, and multi-factor authentication is one of many different kinds of security control layers.

Erin:

Yeah. So I think what's important too, to note, is I was just looking it up while you were talking, according to Microsoft, back in 2019, they said that MFA blocks 99.9% of hackers, or it can stop up to 99.9%, which might be a little bit high, because if you think about it too, like over the years, you know, hackers, they know about multi-factor authentication, MFA, and they are working on ways to get around it. Right. So just because you have MFA does not mean that you are hack-proof, obviously, or good to use it.

Blake:

I think the stat was 90% or something. 90 plus percent of breaches that occurred did not have MFA enabled. It doesn't stop

Erin:

I just looked it up though. This one, I was just saying, Microsoft said 2019.

Blake:

It's 2022.

Erin:

I know, it was three years later. But the point is it does stop a lot, but, like you're saying, Craig and Blake, I mean, that doesn't mean that that's the only thing that you need to have in place, because you're still asking for it.

Craig:

Yeah. We'll also look at it from the perspective of the hackers too. So if that stat is accurate, Erin, and the bar is really high for a hacker to get through, well, what are they going to evaluate next? They're going to look at what type of MFA. And if you're using SMS or text message MFA, now what they're going to do is they're going to try to do what's called a SIM swap attack or a social engineering attack on your cell phone provider. So if they can somehow look through breaches and, you know, maybe find out your phone number, they may be able to find out which provider, Verizon, AT&T, T-Mobile, et cetera, that you're using. And now they're going to target and try to impersonate you calling that cell phone provider and say, oh man, I'm in another country. I don't have access to my phone. You know, and they're going to try to become you and steal your identity. And what's scary is the statistics around how successful they are at doing this. So this is why we do not recommend SMS for an authentication method. We highly favor something like Google Authenticator, Microsoft Authenticator. Or more importantly, something like a GateKeeper with a hardware layer or a YubiKey or something like that in addition to the software. So what those devices do is they have an algorithm, they generate every minute or every so many seconds new PIN codes that are one-time usage, but you could also pair a special device called a YubiKey or a GateKeeper, which is a hardware token, in addition to that algorithm. So now you have to have that key fob on your person, near you, in addition to the proper authenticator algorithm and the code, all in that timeframe. So it makes it really difficult for a hacker to get through that layer. But again, it's still one layer. 
And like I said, if a hacker is going to find that, oh, this method, or you're using multi-factor, now they're going to keep checking, you know, your defenses to see where's the weak point, and look at what happened with the headlines. I mean, I think it was just a few months ago with Okta. Do you remember the Okta one?

Blake:

I haven't heard about that one.

Craig:

So Okta was, have you ever logged into a website, Blake, and it says log in as Google?

Blake:

Oh yeah. Yeah.

Craig:

Yeah. So that's Okta's framework and technology. So there was a big breach around Okta. So my point is that the hackers, they know that people are starting to use different kinds of multi-factor now. And what's happening is a lot of vendors and companies and websites that you're frequenting, they're starting to require and mandate you set up multi-factor, like, especially like, you know, cryptocurrency, buying Bitcoin, things like that. They require the user to set up multi-factor. Often, you know, that's pretty commonplace now. But again, you know, it's still just one layer.

Erin:

Yeah. So it doesn't completely protect you from hackers. So you just don't want to be lulled into a false sense of security just because you have one. Even if it's a good thing, it's not enough, most likely, all of these.

Craig:

Yeah. Well, that's why I've always said, you know, that's why we built our own stack and we have a 22 plus layer, patented cyber safety stack or cybersecurity stack. And we're always looking to add to those layers. And it's the onion concept that I've talked about many times, where you never rely on one person, one technology, one layer, you always have these redundancies in place and you just keep fortifying and adding layers. And before you know it, you've got all these layers and you're just that most difficult company or person to hack. So the hackers move on to an easier target.

Erin:

So what are some other requirements that you've noticed that insurance companies have for coverage?

Craig:

Yeah. So they want to see, you know, your policies and procedures specifically. They want to see, you know, where does your data live? Is it on your hard drives? Are you putting it in the cloud? If it's in the cloud, they want to see supporting evidence of security control layers that the cloud provider may give you. For example, Amazon AWS, or Google, or Microsoft Azure, they all have these platforms, but you have to configure them properly to secure your data and your information, or maybe you're using those services for your customer information. The point is that you want to have supporting evidence that the controls are in place. They're looking for the, you know, different policies and procedures around disaster recovery, data backup, password complexity. Blake mentioned system security plan, you know, all these different policies in place. They want to see the policy. They want to see evidence of the policy. They want to see a culture that it's actually being adhered to. They want to see proof of security risk assessments. They want proof of penetration tests. So they want to see supporting evidence of these third-party checks on your company. And again, it's a risk question for them. You know, if you're an average business owner and all this stuff sounds like Greek to you, then you're a high risk for that insurance company. So now you have to convince the insurance company why you're not a high risk. And if you can't answer some of these questions that we're talking about, then you need the help to get it done so that you become a lower risk. And it's not just the insurance companies that are going to be profiling you for risk. It's the companies and the vendors that you want to be doing business with. They are becoming more mature and you as a vendor to them are a risk. 
And that's why as you grow your company, and as you try to do business with larger companies that are more mature and more established, they're going to hit you with what's called a vendor security questionnaire, or VSQ, sometimes four or five, 600 questions of all this deep due diligence into the workings of how you're safeguarding your customer's information and how you're safeguarding your data. And again, convincing them why you're a low risk and why they should do business with you.

Blake:

I actually pulled up one of those VSQs right here, 'cause one of our clients paid us to do it. And I think it'd be pretty interesting to go over maybe some of the questions here, just to give an example of what Craig's talking about. First of all, it talks about, you know, your antivirus, if you have antivirus, of course, super simple. If so, what's the antivirus? Do you use a firewall? If so, what is the firewall hardware, like the make, model, issue? Do you have 2FA enabled? Is it enabled on Windows? But before accessing customer data, do you use backup or cloud storage? If so, is it on-prem or cloud? Is it encrypted? Do you have drive encryption enabled? Do you use a VPN? If so, who issued the VPN and how was it encoded? Password security, you know, do you have a password history? Do you enforce it? Is there a minimum of eight characters, yada, yada. Is the default login on the router enabled? Do you have a public SSID? Do you have a guest wireless network? Is it, you know, do you have a TX range reduced on the router? Do you have WP and cable? I mean, gosh, you know, and then of course it goes into, you know, MSP type of stuff. Like, do you have patch management? Do you have a Wednesday tune-up frequency of the computers? You know, do you have an SSP? Is it printed and readily available? Do the employees know where it is? Do you have, you know, calling XYZ vendor as a part of the plan, you know, do you go over training procedures, how to spot data theft, yada yada yada, of course.

Craig:

Yeah.

Erin:

I mean, honestly, like you've said before, Craig, we need a credit score, a cyber score. Like how much easier would that make things for everybody? Not just, you know, the companies, but also the insurance companies. I mean, it's just like, let's submit this score. I mean, it would make so much sense.

Craig:

Oh, absolutely. You know, it really goes back to training, right? So that's why at compliancearmor.com we launched our own university and we're continuing to add content and curriculum to that, to make sure that our people that take our training are well-educated on all these threats. They can confidently answer these questions that cybersecurity insurance providers, as well as their vendors and their prospects that they want to do business with, ask. You know, they know what they're talking about, and that's why we so highly recommend our training, our security awareness training, but it's not just training, it's drills and testing. And, you know, going through these exercises, you know, what comes to mind is tabletop, you know, incident response tabletop, which could be adapted to really all these different things that we're talking about. But, you know, like Blake was saying, you know, your employees need to be on board too. So, you know, if you're just a small business owner and you're, you know, wearing all these different hats and you're one guy or girl, and you started your company from nothing, that's fantastic. And I commend you for doing that, but you need to really know what we're talking about in regards to cyber safety and cybersecurity. And you need to train yourself, get yourself up to speed. Test yourself, score yourself. Like Erin said, you know, I talked about this many months ago, we've adapted a methodology around the credit score for cyber, you know, come to us, we're here to help you. We're not gonna, you know, hurt you. We want to show you how we can help grow your business by making you less of a risk. And, you know, you become more attractive to the vendors. They want to do business with you because you're mature and you have the proof and the evidence for that. So it doesn't take long, you know, to have a quick, no obligation, no cost phone call with us, just reaching out. Come to us. 
We'll score you instantly, ask you a few questions in an interview. And then obviously the next step from that is usually some more deep-dive assessment. We have a proven four pillars assessment methodology that we've adapted for all different verticals and niches, and that's a paid assessment, but that's also a lot of work, you know, that's where we're going deep into your company. We're asking all these questions that are similar to what Blake was rattling off, but we also go deeper into the handling and the workflows of your company. You know, as a small business, or maybe you're a medium or large business, but you start small and you have to start somewhere. The point is that you might be using a lot of third parties and different kinds of software, you know, maybe using Google or Microsoft for email, excuse me, or maybe you're using QuickBooks or, you know, all these different software systems. Well, from a compliance perspective and a cyber perspective, the more software and the more providers you use, the more complicated you become. So even though you might be one, two, maybe three people or a small company, if you use five or 10 different software packages, you're complicated. And, you know, it takes more work and effort to get you in compliance and in alignment. But you know, going back on what Blake was saying, they want to know, you know, you were talking about wireless, you know, system security, IDs, and transmission, and they want to make sure that you're looking at all these IT functions that help your business, you know, like I remember talking to a client and, you know, one of the questions that we asked them was, you know, do you have a network diagram that shows all of the cabling in the building and the network jacks that are plugged back into the patch panel and then back into your switch? And then, you know, when we do an onsite penetration test and we try to plug in 
to maybe the conference room's network jack, and maybe the conference room's doors are wide open. Anybody can go in there and sit. Is that jack live? You know, if it's not behind a locked door, it shouldn't be live. So, you know, there's different things that people don't think about that make it really easy for a bad actor to gain access or do bad things. You know, we've had other situations where we've done forensics and helped folks figure out, you know, how did they lose their intellectual property? And we found that there was exfiltration of data and, you know, you have to start somewhere. And my point is that this is very complicated information. It's hard for people to digest and we're here to help people figure it all out. Any particular question that you've rattled off, Blake, that you want an answer to?

Blake:

Not particularly, I mean, obviously I've done these types of audits, but something that, you know, I think is really important is what it takes for you to become insured by a cybersecurity insurer. Not only that, it differs from what an auditor is actually going to pry into. There's a huge variance, right? Between those two things. So yeah, you can be insured by a cybersecurity insurance company, of course, you know, once you take the appropriate steps, but just because, you know, you get your cybersecurity insurance doesn't mean that you're compliant in all the areas you need to be compliant in.

Craig:

That's a really good point. So what happened was in the industry as a whole, what happened was, it was not so difficult to get cybersecurity insurance, you know, small businesses, they'd fill out a form and then bam, they'd pay, you know, their money and they'd have cybersecurity insurance. Well, then what happened was the insurance companies found that the businesses that were insured weren't doing anything or hardly anything for their cybersecurity. So then they would get hit with ransomware and they would go through an interview process. The first thing that business owner would do would be to call their insurance company and say, oh, we got ransomware. You know, we need you to pay so we can get, you know, the hackers want two Bitcoins or whatever it is. And we need our data. You know, we got insurance, we need you to pay. So then what happens is the insurance company will interview you as the business owner, or your IT person or IT team. And they'll go on these calls with you and they'll have their legal experts on there too. And they'll start asking you questions about, okay, well, you know, what happened? Did you click on a link in an email that looked like it was a phishing email? Was it, you know, was it business email compromise? So they're going to ask questions first and then they're going to get into what's called digital forensics and discovery, where if you can't answer some of these questions, they may want to appoint a DFIR, or digital forensics incident response team, from the insurance provider, send them to your office and have them rip everything apart and do their investigation and try to figure out how did this happen? And the reality is it most often happens from social engineering, phishing emails, business email compromise. We've had countless cases that we've worked where, we'll talk about MFA again, the IT guy set up the organization with Google G Suite or Microsoft Office 365 and then the IT guy forgot to enable MFA. 
So the IT guy got treated with a phishing email that looked like a Microsoft Office 365 administration page or something that came from Microsoft or Google, whatever, he gave up or she gave up their credentials then, and I've said this before, whenever a breach happens, it doesn't mean that there's all these red flags and alarms that go off at that point in time. The guy did, or, you know, in this particular case it was a guy. So he had no clue that something wrong happened. It was months later when the hackers were spying on all the emails and they came across a wire transfer that was about to happen. That's when they stepped in and they said, no, no, no, the routing and the checking account number is this, not that, I made a mistake or whatever, and they'd registered the domain name with one letter difference from the law firm. Okay. So in this particular case, had they had MFA enabled on the Office 365 account, the hackers would have been unable to get in. It would have been avoided; it was almost three quarters of a million dollars that they lost due to wire fraud. This is an absolutely true case that happened. And this is just one of many we've worked on. So many others, that's why insurance companies like MFA so much, because they feel like that, at least if you're protecting Google G Suite or Microsoft with MFA, they feel like they can get, you know, good protection, and it is good protection. However, the hackers are always becoming smarter and they're always working and looking for low hanging fruit. Right. So if they find that you do have MFA enabled, they're going to look down, okay, what do you not have in place? You know, how good are your employees at social engineering? You know, like I said, we talked about the SIM swap attack, you know, can we hack the CEO or C-level and, you know, break into their phone and get their MFA codes that way and take over their account. 
You know, it's all these different other things that hackers can do. And, you know, you mentioned antivirus, it's a common question on the form, antivirus. Yeah. You have to have it. It's 5% effective, so it's not really very effective anymore, but it is still a layer. Edit it. You still need to have it. And by the way, if you answer some of these questions that Blake rattled off, and the way you answered the question is kind of strange, meaning you list a firewall that's not really common, or you list a VPN, or the way that you answer some of the questions are not like common brand names, they're going to throw a red flag and you're going to, you know, get scrutinized.

Blake:

Yeah. So that eBay firewall that you purchased for your company? No, no. It's not something that I've heard of either. And I was talking about this with another client. But just because you have cybersecurity insurance doesn't mean, I mean, obviously it doesn't mean you're compliant, but there is a contingency that states in the insurance clause that you are compliant. And so obviously if a breach occurs or something, and, you know, obviously there's evidence that is unraveled that you aren't compliant, then what do you think is going to happen?

Craig:

Well, they're not going to pay the claim. Yeah. I mean, think about it this way, you know, the insurance companies are playing it by the numbers right there. They're making their decisions based on risk and decision-making around risk. You know, if you're attesting that you're doing all this stuff that the cybersecurity insurance is asking for, if you're saying, yeah, yeah, we're doing all that, we have it, if you're lying and you're filling out that form just to get the insurance, the point is that, yeah, you might've got the insurance in the application, but you're not getting the protection and the claim to be paid at the time of a breach if you don't have all of your evidence and proof that you've answered all those questions truthfully, and that's really the proof and the bottom line there. So if you're not doing the risk assessments and you're not doing all the stuff that we've talked about, and you're just lying on the application just to get the insurance, that's a recipe for disaster. And the same thing, like with the firewall example, you know, if you go to Best Buy or go somewhere and you buy a home router or a home firewall and you stick it in your business, you know, that's not a business level piece of equipment and it's not meant to be, you know, protecting your organization. So think about it, if the insurance company goes through all the stuff of how you answered it and they find, oh, you're using a link or a TP-Link router, and you have 50 employees, that thing costs 75 bucks. That's a red flag. So my point is, all they have to do is find, you know, one of these things that you did wrong and you're not getting a payout, you're not getting the claim. It's going to be on your check-writing ability to pay yourself out of the situation. 
And sometimes you could pay the hackers and, you know, give them the two Bitcoin or whatever they're asking, but oftentimes they won't give you the key back and they won't give you your data back in that situation either. And other times where you could try to negotiate with the hackers, maybe they know, well, not maybe, they know that you've negotiated with them. They know that they hit you and then they try to hit you again in a few months or a few weeks to see if you've actually made any changes to make it harder for them to hit you again. So my point is, it's a game for them and it's a job for them, you know, they're just trying to get money and get paid. And if you make it easy for them,

Erin:

Little, snatch it up,

Craig:

that's right. They just clean you out and

Erin:

snatch that up, just take that opportunity and grab it. And so it was just making me think. Craig, when you were talking about. Basically the insurance company will gladly take your money, even if you lie to them, but they will not give you the money. So you're basically like if you're aligned to them and you get hacked, you're screwed. Like there, they've got like digital forensics. They can tell if you're lying or being dishonest and you know, and maybe it's possible. They won't completely not give you money or it won't completely protect you, but, you know, it's likely you won't get the full amount that you're requesting or, you know, it's just not, it's not a good idea.

Blake:

It's the same thing that happens when you get in a car accident. Right. You know, you get in a car accident, an auditor comes out and sees like, what happened? Like who's at fault, yada, yada, yada, not quite the exact same for cybersecurity insurance from my understanding. they prove that there is some where the, what, you know, they're looking for where the liability falls

Erin:

Right. And it's just, yeah, like with fires too, you know, like you have a fire, they're going to, if you set your own house on fire, they're probably

Blake:

yeah.

Erin:

find out.

Craig:

Well, it's really with everything. And we talked about this with, with defense, industrial base contractors, too. It's really with everything. It's, it's, you know, they ask you all these questions and, and I'm not saying that you're going to lie or do anything, but there are people that do. And, but what I am saying is they're asking all these questions and some things you may be doing proper, you may be doing correctly, and they're going to give you partial credit for that. And they're answering partial credit is dollar. So they're just going to give you very few dollars. And we, we, as a provider at a cybersecurity organization, we want to get you maximum payout on a claim. God forbid you did have a breach and more importantly, while we want to protect you from that breach in the first place. So you don't have to rely on insurance companies. You know, we've been doing this well over 20 years now. And I've actually been told by various organizations that they're not going to do all of the stuff that we recommended because they think it's too expensive. And that they'll just get the cybersecurity insurance and, you know, back 10, 15 years ago when that's, when they were, you know, people were saying that to me, you know, maybe they weren't getting payout. If they did get a breach, you know, the other thing I hear commonly is, oh, I've never had a breach before. Why should I have to pay for all this stuff? If I've never had a breach? Well, the reality of that situation is you're saying you never had a breach, but if you don't have all your stuff in place, you don't have the evidence to prevent a breach. How do you have, and how can you be confident that you have everything in place to detect a breach? How do you know you weren't already infiltrated? And the only way to know that it's again to have a forensic firm, you know, doing a deep analysis to figure out, you know, what do you have in place and what your maturity level is.

Blake:

It's like life insurance companies too. Or like, you know, if you're some high net worth individual or something and they're putting together a life insurance policy on you and they ask you about like your behavior, you know? Oh, like, like, are you into jet skiing? Are you into the sky diving? Are you in, are you into swimming with sharks and the Cayman islands?

Craig:

high risk behaviors. Right.

Blake:

That's what a lot of businesses do, but they don't even know.

Craig:

that's right.

Erin:

Yeah, good point.

Craig:

So, that's where we go back to our, what we, our methodology that we've put together around cyber score and risk, you know, it's all, all risk question. You know, if you're swimming with sharks, you're risky, so we want to make your business succeed. And we want to help you do that as efficiently and most affordably as possible and all this stuff, folks, you know, it doesn't all cost a ton of money to do. You know, you'll actually be surprised at how affordable a lot of it is and how effective some of these affordable solutions are. But it's a, it's a, like I said before, it's a methodology that we've come up with that helps you put all this together, make sense of it and give you the evidence that you need should a vendor, third party or cybersecurity insurance provider request it. You have it at your fingertips. And you're able to share all of the good stuff that you're doing to protect yourself, your organization, as well as your clients. And you know, it's not just about cybersecurity insurance. There's also data breach laws that are in all, almost all the states. There's new laws being written every day. There's new regulations being put forth. There was a new regulation in January for CPAs and bookkeepers, you know, around sensitive information. So if you're thinking, well, my business doesn't really handle sensitive information. Most likely it does in some way, shape or form. If you're doing business with a vendor and you've got sales receipts, or identifiable information on what did they buy? And just the common information, once you start asking and pinpointing, you know, well, who bought it, first name, last name, email, company name, phone number, all these fields. They now zero in from a mass to an individual corporation or an individual. And now you've got sensitive, personal identifiable information or PII. If you're in medical, you might have patient health information or PHI. So my point.
is that it's very rare, especially now to have any kind of business. That's not dealing with something that's. It very quickly can go from nonsensitive to sensitive record speed.

Blake:

I actually have one of these sensitivity charts up here. This might be a good, a good, a good segue point segue. But so in, in this example it says the information types and the impact if stolen, right? So obviously we have customer contact information. That's actually, it says impact medium. Right. And obviously this is super, super vague. Right? Billing information. We already know, we already know that one is pretty high or personal information, you know, such as name, phone number, email, like that stuff's already out there, like it is on your Facebook as long as your LinkedIn, yada, yada, yada. Right. but of course they have likelihoods, right. So, I mean, there's so much stuff. I mean, gosh, I mean, if you're in HIPAA, if you're subject to HIPAA and you have social security numbers or something, or, you know, you're filing claims and you require some, I mean, yeah. It's just headaches. How does this exploding? I can't say any

Craig:

Look at it from a vendor perspective, let's use your cell phone provider. For example, you probably one day you wanted to buy a cell phone. Maybe you bought an Apple iPhone. You maybe you went to the Apple Store and you signed up well, what did you give them? You gave them your name, your first name, last name, your address. You gave them personal identifiable information to identify you. Right. But you know, a lot of the information that you filled on that form you've most likely filled at other places too. So how do you then prove that you're who you say you are. You know, they may ask for a driver's license. They may ask for like Blake said a social security number. Well, what if the driver's license the information has been out there or PR or pieced together, you know, people make fake IDs all the time. My point is that it's becoming more difficult to prove that you're who you say you are. So one common thing that a lot of, for, you know, on the topic of cell phone providers, one common thing that it's recommended that you do is you call into your provider and you ask the provider to generate a unique PIN number to associate with your account that you don't use anywhere else for on any other system. So that PIN number allows you to again, have an extra layer to identify yourself. But if you think about it really. Unless you're calling, like I say, you have a working device and you call support, like AT&T for example, and you're calling from the device that's registered on your account. It's pretty easy for them to detect that you're calling from that device. So that makes it easier for them to identify. Okay, well, that's probably you, but let's put, let's say you lost that device or you're a bad actor and you're trying to steal somebody's identity and you use a different device and you say, well, I'm traveling, I'm in a different country.
Again, they're asking you the same questions that you filled out on the form from the very beginning, that nowadays are pretty easy to answer based on current breach statistics. So my point is, unless you call your provider and add the PIN number and add some of these extra layers, then it's very, very easy to be hacked. No, I talked about that with even health insurance too. You know, I wrote about that in my, my book on HIPAA. You know, there was a guy that I wrote about. Who had his identity stolen. And the health insurance companies were going after him to pay the surgery that he never had. And he just kept getting bombarded all these collection calls. And he finally went up to the hospital and he pulls up his shirt and he said, look, if I've had a surgery, I would have a scar, you know, on my chest and I have no scar. And so my point is that they were going after him for, I can't remember if it was 50 or a hundred thousand, a huge surgery and his whole identity got stolen. And that's what the hackers want. They want to be able to steal your identity, steal your credit, to do these things like get surgeries or get money from you. But, you know, until the main system is upgraded and we move beyond the social security number, we as individuals and consumers and businesses, we need to take this into our own hands from a cyber and compliance perspective and really work hard on the training and the testing and the drills and work with our vendors to make sure that, you know, we know who we're doing business with and we trust them to protect the information just like we would and, you know, make it so that we have these extra layers in place.

Blake:

I was actually scrolling down this this security questionnaire and one thing that like stuck out and another question is, do you have a personal email and business email on the same device? That question. And then if you do, like how, how are they segmented?

Craig:

Yeah. So, you know, like if you've got an iPhone or Android device, super easy to add multiple accounts, and I would say most people add their personal and their work email, but now let's take this a step further. If you're a business or. And, you know, like with COVID for example, a lot of people working from home, are you issuing out corporate owned devices to your remote workers, or are you allowing your workers to use their own device? If you're allowing them to use their own device, that's called bring your own device or BYOD. And there's a policy that you need to have in place that they signed off on that allows you as the organization owner to use their device for work purposes. If you don't have that, then there's a violation there. And there's also not just a violation, but there's, there's a problem that could occur in a dispute situation, especially when trying to protect sensitive information. Because think about it. If you've got a remote worker and they have an outdated phone, that's not supported anymore, can't get the latest patches and updates. Well, that is now a window and a door that's open for a breach into your company.

Blake:

That's exactly it like, you know, to be most secure, think about like cornering yourself. Right. And having like, you know, like scanning the room, you know, like if you're in the center of a room, you know, something may come behind you, you know, like if we're talking military logistics or something, you know, some, some attackers may come behind you, but if you're in the corner of a room, you know, they talk about that military training and how to clear a room. You know, you start off with the furthest wall to the left and then work your way into the center of the room. But and, and, you know, it's such a good point that we never talk about is of course, you know, you have both those doors open, you know, you may check your personal email and then click on a link that Sally, you know, sent you da da da and then it opens the door for a hacker, but you have your work email on the same device or vice versa. Right.

Craig:

Yeah, well, that's why it's so important to, and that's well said. That's why it's so important though, to embrace what's called zero trust technologies, which is what encompasses most of our 22 plus layer stack. It's not trusting it's technology that doesn't rely on the provider to be trusted. So in this case, you know, we use an encrypted data encrypted email system. That's passwordless, you know, that the, the provider, they can't get into our emails, you know, using things like Signal and WhatsApp and end-to-end encrypted solutions like that. The provider say, you know, if you called signal.org and said, oh, I can't get into my Signal account. That's on you. It's zero trust. You know, you're done, you, you can't get into that if they can't get into that information, but there's good that comes about from that, you know, now you've, you've made it harder for hackers to get into it, but there's also great responsibility that comes along with that. You as the user or business owner have a larger responsibility now to make sure that you have your recovery keys and your, your information in order. Because if you don't, there's no third party that can help you in that situation. Much like a banquet back in the day.

Blake:

We have in our podcast topics how to transition your business into a zero trust framework that one's going to be a good one.

Craig:

Yeah,

Erin:

can do that one next Monday.

Blake:

Yeah. I mean, that was a Craig one.

Erin:

Yeah. Yeah. We talked about it. We're like, we'll let, we'll leave that with Craig.

Blake:

Yeah. Which, which podcasts are quite the Craig podcast and which one are not correct podcast.

Erin:

Yeah, exactly.

Blake:

zero trust is the future. but every business, like a small percentage actually understands what zero trust is and actually has it implemented like maybe like 2% or 3% of business is,

Craig:

Well, it's, you know, it's like I was saying before, it's, You know, I, I'm a very big believer and proponent in zero trust and that's why we embrace it and we add it to our stack layers, but it comes back to the business owner or the person to, you know, with those technologies with great power comes great responsibility. Right? So if, if you are just confused about all this, you know, just call us and reach out and we'll help you, you know like Erin said, we'll give you that score. We'll interview you, quick conversation, no cost or obligation. And then if there's a fit well, we'll certainly help you with our more in-depth methodology around our four pillars. But. If we decide to go through that journey together, which is always an eye-opening, fun experience. My point is that you're, you have a partner which is Petronella Technology Group to lean on to that, that has the answers for each of these solutions that are tailored to each individual type business. But, you know, going back to employees and, you know more personnel and staff and training, you know, the, as you grow your company and you have more people that help you get the job or jobs done, all of those people now are risk vectors into your breach profile because if one untrained employee gives the keys to the bad guys, well, that could cause a breach for the whole organization. So that's why training is so essential and the drills are so. And, you know, technology, especially zero trust technology. It's great. And it helps solve some of the, the trust issues with certain vendors, but there's still, like I said, there's more training and legwork and responsibility that you can't outsource. So it's kind of this balancing act, right? You know, we talked earlier about risk profiling of, for that your organization and yourself, you know, when you buy cyber insurance, for example, you don't want to just buy it from the cheapest provider of cybersecurity insurance.
You also want to buy it from a provider that's well-known and respected, and it's the same thing with other companies and other solutions that you use, you know, there might be a brand new solution and it might be great, but if it's a high pro high risk high profile company that doesn't have supporting evidence of certain security standards, then you may want to keep shopping because you, you need to make sure that you're doing business and you're who you're trusting has been vetted and tested. And that's so important nowadays, especially with all the breaches, like SolarWinds and, you know, think about like your iPhone or your droid device, how many apps you have on that thing, or how on your desktop computer that you use, whether it's Mac or PC, all of the companies and solutions that you purchase, whether it be for Microsoft or Apple, every single one of them has a risk. And it only takes one of them to become unpatched and breached to breach you. And you have to think about that's where I was talking about these tabletop exercises. You have to plan these fictitious events in advance and proactively go through them much like a military drill or a fire drill. If you never do the fire drill, then when something happens, because it will happen, when something happens in the future, how are you going to be best prepared?

Blake:

You know, something that I was just thinking about as you're talking about this and you know, from experience working here for, I think going on three years now you know, a lot of people come to us. I think maybe a lot of people, there's two people, there's two different types of customers that come to us. There's one or ones that, that submit something to us. And then, you know, we reach out to them and they never answer our. Right. Or the people that are super engaged, like, Hey, like let's get going. Like, duh, like let's do it now. And the reason why I'm bringing that up is because I think the first customer or the people that reach out to us that, that maybe listen to our podcast or put together, or, or look at the resources we put together, they may be fearful in some type of way where they say, Hey, like I was listening to the podcast and, and they were talking about these questions. I don't know how to answer these. I don't know what an SSP is, you know, I I've heard of it. So I think I have to have it you know, like all these things where they start burying themselves with a fear and then they don't reach out to us, or. They don't engage with us because they're scared because of their maturity right there, their cyber maturity level. They're scared that it makes them vulnerable and some type of it, it does, it does make you vulnerable to the outside, but not the inside like us, you know, if you reach out to us it's not like we're, you know, I don't, I don't even think ethically. And, and this is a correct question, but let me think ethically, we can be a whistleblower because we are a service provider.

Craig:

Yeah. Whenever somebody reaches out to us, we always have confidentiality and we, you know, we do NDAs and things like that. So your conversations are safe and secure with us. One of the first steps that we usually do on an intake is we move you from insecure email, to an encrypted data in an encrypted email solution that we use. So we, we, we have those, those systems in place to protect not only ourselves, but our clients. And, and I understand that a lot of, you know this is complicated stuff. It is, it is kind of put into the fear mindset, you know, that, but that's just kind of the world we live in now. And I think the bottom line though, is that we're the good guys we're here to help you. We've, we've been doing this for a really, really long time. We have the most efficient path forward and we don't just say that, but we back everything up that we do with supporting evidence and the evidence that we provide. It's all truthful because we pass audits. So my point is that we're here to help you wherever you are on the journey and it doesn't have to be embarrassing or, or anything like that. We don't make any judgments on anyone. We just want to get, you know, we want to learn more about you and your company so that we can prescribe the right solution. And it, unfortunately with every business and every person being different, there's no commercial off the shelf solution that you know is inexpensive. It just doesn't work that way. That's why we have, you know, our first step is a free phone call. There's no cost or obligation just to kind of get to know one another, learn a little bit about your situation. But then after that it's consulting, you know, and then we help you because we're working hard for you and in your best interest to prescribe that right solution. And that is a lot of work, you know, it's, I'm not going to sugar coat it and say that it's not. 
But you know, like I said, if you listen to our podcast and you try to do as much as you can on your own. And what I mean by that is you try to organize your business and you try to maybe reduce some of the third parties that you work with and, you know, ask your third parties for evidence of compliance and security on your behalf. You know, how are they keeping your, your information safe and secure? What reports and evidence can they give you if you do some of this due diligence on your own, that that's okay. That's good. That's, you know, I commend that, that makes our job easier. If we choose to work together in the future,

Blake:

I know we like to use cybersecurity insurance and compare it to doctors and healthcare and general practice and stuff like that. But, you know, Craig is saying like, it's such a valid point. Like, and the comparison here that I'm thinking about is you've got two different types of people, people that go to the doctor when they're in pain, right. Or they're, or they feel like they're dying. And then this isn't, it's not too late to save you, you

Craig:

That's right.

Blake:

You know, if their doctor puts them on a meal plan, you know, they're, they're falling that meal plan and they're proactive. And I mean, there's two, those are the two people, you know? Right. And those are, I mean, there's, there's just, we're split. We're humankind is split into those two different types of groups. Right. And unfortunately it's hard to move somebody from one group into the other group, unless something life-changing or dramatic happens.

Craig:

it's usually an event that takes place. Like when you buy life insurance, you know, nobody wakes up one day and says, I'm going to just buy a million dollars life insurance. You know, it's usually some family member or some friends that maybe you lost and, you know, it makes you kind of think about that. It's the same thing with, with our world in cyber and compliance, you know, maybe you're trying to do business with a bigger company and that bigger company has more maturity level in regards to cyber than you do. And they're asking these vendor security questions and they're asking maybe they have a SOC 2 Type 2 or an ISO 27001 report. Or they're asking questions around that. And maybe you've never seen these questions before. So you're like, well, what is that? And you do kind of your own research on it. My point is that there's some event that happens. So at some point in your journey, you hit the event and that event usually puts you on the search to get help or to try to do something on your own. And if you can't do it then to get help, it's the same thing. Like Blake was saying, whether it's diet, exercise, or health, you know you know, nobody wants to face the reality that, you know, you may get sick or you may have an illness one day, but if you eat right and you eat your vegetables and you do all of the best that you can do for preventative. It's proven to help you live longer. So it's the same concept with cyber and compliance. If you maintain your systems and your endpoints and your equipment, and you don't use technology that's out of date or unable to be patched, and you're doing all the firmware updates and the patches every Tuesday, or whenever they come out and you're updating everything and you're going through all the due diligence on prevention, and you're doing the security risk assessment. You know, the more this stuff that you're doing on a preventative level. Yes. It all takes time and it all takes money.
However, it's a fraction of the cost of doing nothing and then trying to hurry up and rush to do everything overnight. Because like I said before, with the defense industrial base of the DIB with the cybersecurity maturity model certification or the new CMMC 2.0, that's coming up, you know, all those folks that are sitting on the sidelines thinking, oh, they're not going to catch me. You know, Where we've been doing and this compliance and we've attested. And once we get through a lot of the folks that are subject to DFARS, this compliance, and we asked them a few questions. We very quickly know the truth of are they compliant or not? And very rarely, sadly to say, are they even close to being compliant? So my point is that don't be the guy on the sidelines with the curl on the sidelines. Take action. Now give us a call, reach out to us, start your journey, let us help you, you know, at least show you the way and the journey of, of how to move forward at the most efficient way possible.

Erin:

Yes. Be proactive,

Blake:

it only takes one thing that you can do. It's to start now and to take action everybody starts in the same exact place as you.

Craig:

That's right.

Erin:

Yeah.

Blake:

And you're all, you're all, we're all going to different destinations, but you're never going to get there unless you have the intent on going or doing or anything. Right. That's just the life principle. One-on-one business motivation coach. One-on-one, you know, you have to get up and take action.

Erin:

if you don't take a step, you're never going to get there

Craig:

That's right,

Blake:

being, fearful isn't is not an option anymore. You know, I mean, it, if it comes back down to your livelihood or your, your future or taking care of your family or being a provider to the people that you care about and above, it's the same thing. We refer it back to health again, if, the doctor says, oh, you know, you have high cholesterol, you know, and you've got kids or, you know, wife or something, and you want to spend the next 50 years with them, you know, like, what do you got to do?

Craig:

right.

Erin:

Lower that cholesterol.

Craig:

And it's definitely not. I'm not saying that it's an easy path either, you know, exercise or whatever it is is it's never changed. It's never easy. Right. But, but I will say that with the experience and the team that we have put in place, we do make it as painless as possible. And the other thing I'll say is the people that follow our program, they get results. And the you know, w I have personally helped clients get the big company that they wanted to do business with, that they never could have imagined. They would have been able to show enough evidence and red tape to be able to get through all their compliance. We did it, we got them that huge client that they were after. So the other thing that I just wanted to say before we end our podcast today is that like Blake said, everybody has to start somewhere. We've all been in. But there is light at the end of the tunnel. And what I mean by that is, yeah, it's going to take work. There's going to be work that you're going to have to do each, each and every one of you, but we make it as easy as possible. Like with our policy program, we've got 80% of that work done. We've literally left the answers that we do not have answers to because they're specific to your organization or to you. So we, we work through coaching with that to help you along and get that done. But my point is, you know, everybody needs goals too, right? So maybe your goal is to get that bigger client to make that extra money or get that extra revenue. And the reality of the situation is this stuff is not crazy. Crazy. Is it, is it cost money? Absolutely. Is it millions of dollars? Absolutely not. I mean, the point is that we help you get that client that you're after, and then it becomes easier after, you know, just like exercise. Once you get into a routine, it becomes easier. And now guess what you thought that you wanted, that, that client that you put as your goal. 
Now you're getting to three clients just like them and your business is exploding. So if you want to grow your business and you want to not be a statistic and not just go out of business because of all the bad stuff happening, and you want to be an outlier and basically pick who you do business with, then you need to call us.

Erin:

Cyber security is not a sunk cost. It does not have to be a sunk cost. I think a lot of people think of it as something that they just have to do. And they think like, oh, what a waste of money? But I mean, really, if you think about it, especially if you're going after a contract or the insurance or whatever, you're going to be ahead of the game. If you become cyber security compliant. So you're going to be ahead of your competition. You're going to have a competitive advantage and it's not just a sunk cost. It's not just like I'm throwing money out the window. You know, why am I doing this and say, you know, I could be paying a hacker or whatever, but it's, it really does. Like you were saying, there's light at the end of the tunnel. there is a bright spot to all of this. And so not only are you securing your data, your client's data, but you're also giving your company competitive advantage.

Craig:

That's exactly right. And you know, we're, we're that easy button, you know? It I've said this many, many times, but it's true. If you listen to our advice and you take what we're saying to heart, and you do what we say. You're not going to get hacked. If you do everything, you know, you do the workout, you do the program, you're going to see results. And it's the same thing. If you follow our advice and you follow our program, the likelihood of you getting hacked is so small. I mean, is it possible? Yes, but that's just because we're all humans. But my point is that we could put everything perfectly in place for you around policies, procedures, security controls. We could do all the tests, all the drills we can give you. The recipe that we know is proven and that works. And for those over the past 20 plus years in doing this, the ones that listen, I could tell you with a hundred percent certainty, the ones that listen and follow our program, they don't get hacked. They don't get hacked because they have so many layers in place that the hackers move on to easier targets. And that's absolutely true. And that's what we want to build for your business. And for yourselves, you know, not just at a business level, but at a personal level too, you know, people, people get hacked. So depending on where you are, if you're working from home or you want to start that new business, you have to take cybersecurity as an investment. It's part of the cost of your operation. It needs to be factored into that. I'm not saying you need to go and take out millions of dollars in loans to do it the right way. But I am saying that there is a process that we've developed that it is proven.

Blake:

In one of our previous podcasts, I don't think you were on it, Craig, we talked about budgeting for cybersecurity. I think Erin's probably going to be like, yeah, I was getting ready to go there, because we vibe off each other like that.

Erin:

I was going to say, don't be a fruit, be an onion.

Blake:

Oh yeah, we talked about that. I'll have to bring value enough, heard that one yet?

Craig:

No.

Blake:

But no, in one of those previous podcasts, we mentioned anywhere from six to 12, I think it's six to 12 or six to 14% of your revenue should be going towards cybersecurity.

Erin:

And the average is like 0.6%.

Blake:

The average is 0.6%, but it depends on the space that you're

Craig:

Well, not only does it depend on the space, but it depends on where you are in the journey. So if you're just starting out, I mean, 16% or whatever you said is not going to be enough to just start out. Right? It might need to be more than that, because remember, we're building a foundation. And the foundation that we build is custom; it's like a custom home built specifically for your requirements, for your business and where you are right now. To build that home oftentimes has a minimum effective foundation, or a minimum effective dose, right? So whether you're one person or a thousand people, you still have to have a strong foundation. Now, if you have a thousand-person custom company, or 10,000, you're going to need bigger stuff, and that's okay. But my point is, the statistics that you guys were saying, that's in your maintenance mode. So after all the work is done and you're moving along and you have the evidence for all this stuff that we've been talking about, then you should be at, yes, 15, 16, maybe 20%, depending on the risk category of your business model. That's going to determine what your percentages should be. But the reality of the situation is, right now, I think Erin said 0.6%. That's just woefully too low. That's not going to get you very far. It's just going to take forever, and then by the time you even make any traction or progress, bad things will probably have happened already. So the point is that it really depends, and it's different for everyone, but be prepared if you have nothing and you know that you don't have anything, or maybe you have contracts and you didn't really understand what NIST and compliance, or whatever mandates or regulations you're subject to, mean. The bottom line is, if you don't have much in place, be prepared to spend, you know, fair market value and a reasonable price to build out your foundation and then put you in that maintenance mode.
And again, it's not a sunk cost. It is an investment in your business, and it's also your obligation, really, nowadays, not only for the law, but to ethically protect yourselves and your customers, because the statistics are against you if you don't. If you do nothing, it's a fact, you will get breached. It may not be tomorrow, but at some point, if you do nothing, you're most likely going to get breached. And when you do, it's game over. So all that money that you think you might be saving by, oh, I didn't have to pay for that, or I sidestepped that one, you know, how bad would it be to wake up and then find out, oh crap, I just lost all my stuff due to ransomware, and I should have just done this or whatever. The point is that we're here to help you be proactive and preventative, and be reasonable with budgets, and realistic that, hey, some of this stuff does cost money, but you don't want to, you know, use that $59 router because of all the issues with that layer. And you never want to run your whole company on an unstable foundation. If you want to do it right, you know, we're the ones to call.

Blake:

Yeah. Not only that too, you know, saying, oh, I didn't know, I didn't know I was supposed to do this, that doesn't get you off the hook.

Craig:

That's right.

Erin:

It doesn't stop the hackers. The hackers don't care, and neither does the government.

Blake:

It doesn't get you out of time-out. And then we should probably tell Craig our quote. I'll let you tell him.

Erin:

No, no, please, please.

Blake:

Don't be a low-hanging fruit, be a cybersecurity onion.

Erin:

If the hacker's trying to cut in there, cut into your onion, they're going to cry and go away. Right?

Blake:

Yeah.

Craig:

That's great.

Erin:

But if a hacker tries to eat a fruit, it's going to be like, let me stay here all day and just eat off of your tree.

Craig:

That's right.

Blake:

Every layer, you cry through every layer.

Erin:

Onion.

Blake:

Yeah. Just came to us one day.

Craig:

That's

Erin:

Yeah.

Craig:

That's really good.

Blake:

We've been saying it ever since,

Craig:

That's awesome.

Blake:

At least on the podcast.

Erin:

Probably to each other too.

Craig:

But it's so true though. I mean, you've got to invest in yourself, you've got to invest in your company, you know, not just for the laws and the regulations, but for yourselves. It's truthfully going to make you more money. It's going to make you more secure, more stable. It's going to give you the foundation to support growth. You're going to increase your revenue by investing in cybersecurity and compliance with PTG.

Erin:

Think about it too: would you prefer to go with a business that has strong cybersecurity or weak cybersecurity? Obviously strong cybersecurity. So your customers want strong cybersecurity as well. I can say words, I promise. But you can even, you know, if you do have strong cybersecurity layers in place, that's something that you can even use as marketing, if you want to, like, hey, we take care of you, unlike our competitors. There's lots of ways you can do it.

Craig:

Yeah, use it as a competitive and marketing advantage. Once you do the big jobs, like the SOC 2 Type 2 or the CMMC or HIPAA compliance, showcase that work. I'm not saying share those reports, but at least tell your clients, look, we take your information security seriously, and we keep it secure. Here's the evidence, the proof, of everything that we say and we do. As part of our culture at Petronella Technology Group, we support everything with third-party evidence. We vet and test. We have a whole research and development department. So we're that catalyst; we can get you there. Even if you have nothing, we can get you to where you need to be, custom tailored. And, you know, I can't give exact timeframes because every business is different, but sometimes in just three to six months you can make a huge amount of progress and build a strong foundation that we can keep building on, and get you on the road to getting more clients.

Erin:

Absolutely. Okay. I'm glad you were able to join us today. It's always great when you're on. You have so much knowledge, I love picking your brain. So

Craig:

Absolutely.

Blake:

Yeah, we've got to save all of our really juicy topics for the ones that Craig comes in on. We can talk about the other silly stuff, but now I've got to save our hard

Erin:

And cyber insurance is really important.

Craig:

Everybody should have cybersecurity insurance. I mean, even us, we have cybersecurity insurance. We're not perfect. We like onions, you know, and we definitely eat our onions and we do our exercise, but we're human too, right? And we have followed our own advice. We eat our own dog food, so to say, and we've gone through our due diligence with our vendors, but there's still, you know, every business has risks, right? So every business needs cybersecurity insurance, but here's the most important reality message around that. When we, as a company, buy cybersecurity insurance, we're buying it for a worst-case scenario. Our intention is, and our hope is, to never, ever have to use it. We're not using it as a substitute for doing the right thing. And we're always going to keep adding to our stack and, you know, maybe replacing things in our stack as things become more modern and driven by AI, artificial intelligence, and quantum and everything else. My point is that we're always using research and development to make sure that we have best-of-breed technologies in place, and we've got the best people in place, and we're constantly testing across people, process and technology. But every single business, every consumer, needs to have insurance. It's very, very vital and important. And I just don't see how, in our climate, with it being, I can't believe it's May of 2022, I don't see how any business can not have cyber insurance. I mean, that would be like a deal breaker immediately. If I did business with somebody and I found out they didn't have cyber insurance, that tells me that they're not taking cybersecurity importantly and seriously enough, that they don't really care enough to have that. That's like the most minimum thing nowadays to have in place.
But again, the requirements for cybersecurity insurance are getting more difficult. However, we have the recipe and the proven methodology to get you qualified and make sure that you can get that cybersecurity insurance, but we don't stop there, is the point. Like we talk about NIST 800-171 and DFARS and CMMC, and we talk about the 110 practices, right? Cybersecurity insurance may, if we mapped that over, cover maybe like 20 or 30 of those practices. We're not going to stop there and say, oh, okay, you've got enough to get cyber insurance, you're done. That's not how we work. We're going to try to make you the most awful-tasting onion possible, with the most layers in place. We want to make sure that a hacker spits you out and moves on. So we're not going to stop at just 30 practices, but we're also going to work with you on your budget too. I understand that not every business can put in place, you know, all 110, but it also depends again on what your business model is. If you're a DIB contractor, a defense industrial base contractor, you have to have 110. And if you're not going to get to 110 and you don't have the buy-in to do that, well, then you should probably reevaluate your business model, because that's been in place for over five years. The point is that you don't have much choice there. You have to show evidence of all of that. But if you're a different kind of business that isn't maybe currently as regulated, maybe you could afford to not go to 110 and at least do half or something like that. But the point is to always aim high and treat all of this as investments in your company. Even if you are a little business and you don't do a lot in the regulated space, it's still not a bad idea to go after the 110 practices if you can afford to do so. And there are affordable ways to do so.

Blake:

Also, our services are tax write-offs.

Craig:

That's true. OpEx, operating expenses. That's right.

Blake:

Not only that too, we have some areas of compliance that people have reached out to us about, and you actually get tax credits in some areas.

Craig:

Yeah, we're not financial advisors or CPAs, so check with your professional for sure. But I do know that I've heard of Section 179 for hardware purchases that we may recommend, that may fall into that category on the cyber stack side of things, you know, new firewalls, XDR appliances, different kinds of things like that may fall into that Section 179 category. Obviously the cloud services, cyber services that we provide, or SOC services, those are all typically operating expense services. But again, check with your tax and your local professional on that, because we're not financial advisors. But yeah, good point.

Erin:

But I'm not, anyway, just FYI.

Craig:

All right guys. Well, I've got to wrap up, but yeah, any other questions on cybersecurity insurance for today?

Erin:

No.

Blake:

No, I think we should, for next Monday, which I think may be how to transition into zero trust.

Erin:

I like that.

Blake:

I think that's a great one for next Monday.

Craig:

Yeah. We could talk more about enclaves and, you know, how enclaves are really a great, effective way to help a business do a lot of the stuff that we're saying, affordably. A lot of our competition, sadly, is ripping people off and selling them just a mixed bag of goods. We don't operate that way. I mean, we have a reputation to uphold. We win awards and kudos, and we're on the news all the time, and we work hard to get there. We're not saying that out of arrogance or to gloat; we're saying that because we wake up every day and we want to do the right thing. We want to help people. And enclaves will save you guys tons and tons of money, I mean, tens of thousands of dollars, to build out secure enclaves to get all this stuff in order for you. You just really need to reach out to us and get started.

Blake:

I can hear the listeners Googling now. Enclaves, what is it?

Erin:

Well, you'll find out next Monday. And speaking of other podcasts too, I cannot wait for Wednesday. We're going to do the first podcast with AI and marketing. So if you are interested in more abstract, fun, kind of stream-of-consciousness, intuitive, big abstract ideas, I guess that's really the worst way to put it, don't forget to tune in to the AI podcast. We get into less practical, more abstract ideas: the future of cybersecurity, the future of marketing. It's going to be fun if you like that kind of thing. If you don't, obviously, stick to this podcast, but check it out.

Craig:

Cool.

Blake:

Some ideas for those in our list here that I think would be awesome.

Erin:

I can't wait. I'm so excited. I love doing these, obviously. So,

Craig:

Awesome. All right, guys, have a great rest of your day.

Erin:

Later.