Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

**Breaking Cybersecurity News Raw & Unfiltered** How the COVID Pandemic Paved the Way for the Cybersecurity Pandemic

May 16, 2022 Petronella Cybersecurity

***In order to get the breaking cyber news to you guys FAST we are posting these right after the live broadcast! If you prefer your news more filtered, keep an eye out for the edited posting tomorrow!***

Hackers have no shame.

Any opportunity they think they can exploit will be exploited.

That includes a global pandemic that has taken the lives of millions of people around the world.  The death and destruction are of no consequence to these bad actors and with millions of workers working remotely, hackers have a field day.

Did your business go remote to stay afloat?  Was your IT Department unable to fully prepare the at-home workers? If so, know that you aren't alone, and listen along to find out what you can do to improve your cybersecurity portfolio.

Link: https://remote.petronellatech.com/

Hosts: Craig, Erin and Blake

Support the show: call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

We are live.

Blake:

Live..

Erin:

Happy Monday.

Craig:

Yeah. Happy Monday

Blake:

Monday the 16th. Ooh, sounds scary.

Erin:

Always, always scary. The Monday after the Friday, the 13th.

Blake:

I think, the Friday, the 13th makes it less scary because it was a Friday. So Monday the 16th

Erin:

Oh yeah. Mondays are always scary. Did you guys see the moon last night, speaking of which?

Blake:

did not.

Erin:

Oh my gosh. It was like, it was huge. It was a full moon, but it was like extra bright. I don't know what was going on, but it was, I had like three people actually text me and be like, look at the moon.

Craig:

Oh, interesting.

Blake:

You see any werewolves?

Erin:

Just me. That's really why I have so much here because I'm a werewolf our world.

Blake:

Yeah.

Erin:

That's a lie.

Craig:

So we want to talk about how COVID-19 sparked the cybersecurity pandemic.

Erin:

Yeah. Yeah, I do think that's a good topic.

Craig:

Yeah. So there's the mass rush of companies that were trying to figure out, well, how do we, how do we still stay open? How do we still remain in business without having all of our staff come to work? So there's the big rush to work from home. And like you said, Blake, you know, that calls for what's called a, bring your own device policy or a BYOD policy. A lot of the listeners probably don't even know what that is, but it mostly affects regulated businesses. The regulated businesses should know what it is, especially HIPAA and some of the folks, but basically it's a policy. It's a document that defines what and how employees can use, like what kind of devices can they use on for, for work? You know, are they allowed to use their personal laptop at home that the kids share and play games on? Or, and if so, did they need to grant their IT department or provider access so that they could properly secure that endpoint? Or is there no, no policy in place and they just use that computer or that endpoint and then hope for the best. And I think that that's where a lot of companies were getting into trouble on the latter point where they didn't have a good policy in place. And there was nothing defined. Everybody mass adopted Zoom and just moved on with their day. So that's where I think cyber security is sadly often pushed to the side and I think hackers were starting to see that. And that's where, I don't know if you saw a lot of the COVID scams and you know, around vaccine, just anything they can newsjack, they were taking advantage of including ransomware or different kind of, you know, bad payloads.

Erin:

It was interesting too. Cause I remember I guess two years ago, or two years ago now, I wrote about that. A lot of articles about that. Also

Craig:

Absolutely.

Erin:

trying to warn, try to warn people like they know that there's going to be vulnerabilities. So, you know, be careful, but you know, in a lot of times extreme situations, you have to just do what you can do to stay afloat. But now it's been, it's been two years and it's like, okay guys, maybe it's time to time to really start buttoning up your cybersecurity. Now, even if we can't get a handle on COVID, maybe we can get a handle on our cyber risks.

Craig:

yup. Yeah. Yeah.

Blake:

think that's huge. Do like companies were trying to figure out like, okay, how is the COVID pandemic going to hurt our profitability? Like, how's it gonna hurt our customers? How is it gonna hurt the services that we offer? And that was the core focus, you know, for maybe the first like three to six months. And then obviously they had no choice, but to send everybody home. And then after that, they were like, oh, well, everybody's at home. Like, how do we secure the people that work for them?

Craig:

Right. Yeah, it is a lot. I think that like I said, you know, I think a lot of people were like, okay, well we'll, we'll use Zoom or we'll, you know, Teams was just really starting to amp up. So Teams at that time started upgrading and kind of taking advantage of the situation too. So it was kind of the battle between Teams and Zoom as far as the online video meetings. And then I think still most companies, especially the ones that are not regulated, like I said, that did not have this, this kind of foresight and policies in place. I think that they were still really scrambling to kind of figure it out. I think a lot of times it's still not figured out. I think that there's still too much variance in the type of equipment that a lot of the home workforce is using. There's no standardization there, you know, and it, it makes cybersecurity a bit of a nightmare. If you've got 50 people that work for your company, and you're all using different internet providers and you've got different firewalls and you've got different end points, you've got whatever, you know, computer or laptop you bought for your home, personal use. Maybe you bought it at Best Buy or Target or wherever you bought it. Most likely it's just not up to business standards. And what I mean by that is it might have a home operating system, you know, maybe it doesn't have the encryption and the security protocols that are built in at the higher level business quality or pro or enterprise versions of an operating system. You know, some of the folks may use Mac computers, but here's the, the sad reality. The sad reality is most people when, when the COVID-19 hit, especially at the kind of the beginning stage, I would say most people that were working from home or forced to work from home. You know, the, the pandemic people getting sick, or maybe they were sick, you know, whatever. The, the point is that they probably did not have ideal equipment.
And what I'm saying is some of them may have outdated equipment. Maybe they're using Windows 7 or Windows 8, or, you know, maybe even older than that. And that's just a nightmare for cybersecurity because now you're, you're giving somebody that is using their, like I said, their family or their kid's computer that maybe was used for games or whatever could be potentially infected with malware. Pop-ups all sorts of junk on that machine. Now it's, it's added access to do work related functions. So that's, that is literally like a garage door open for hackers to come in and just drop, you know, nasty ransomware and malware. And this is where also companies. Oh, well, outside of Zoom, like how do we get them into our server and how do we connect them to this or to that? And, you know, maybe they had on-premise equipment or on-premise gear at the corporate headquarters, firewalls, VPNs, things like that. So they're rushing to adopt all these, this connectivity to try to keep, you know, the workforce cohesive. Right. And quite frankly, it's a lot easier from a networking and cyber perspective. If everybody's in one building or one location, you know, everybody's working from one place and, you know, corporations and small companies often when you have a business, they have similar equipment, you know, it's business quality and their standardization's there. And my point is that when the whole remote wave came from the COVID pandemic, now you threw in every kind of make model that you can think of, of mixture of Mac and PC and old versions of new stuff. And it's just an IT and cybersecurity nightmare.

Blake:

I was waiting for you to mention that they're there, their local IT friend who, you know, oh, Johnny L my house broken notice, let me walk to Johnny's office and, you know, let Johnny Hill swap it out or whatever, you know what I mean? Like they don't have those assets at home anymore.

Craig:

So it focuses on single points of failure and it focuses on business decisions or company decisions. And this is where the policy comes into play, but it's around, well, what happens if that kid or family laptop or endpoint or desktop, whatever, what if it's not new enough to run Zoom? Or what if it's not fast enough to have a good meeting or maybe you don't have a camera. And then now, then there was this rush to buy equipment. Right. I don't know if you remember, but buying, even for us, it was like impossible to find lap. It still is with the supply chain issues and things like that. So then it's like, what can you get? And then it's like, how do you make whatever you can get? That might not be ideal? How do you make it work? You know, and it's just, it's just a nightmare.

Blake:

Yeah. It's like the COVID wave hit China first. And then obviously where a lot of the semiconductors are, are produced is there in China and, you know, the semiconductor facilities weren't producing processors for like three months ahead of the wave before it hit here. So yeah, it was like a whole little domino effect.

Craig:

yeah,

Blake:

and then of course, I mean a small percentage of companies, you know, they assign device, you know, I mean, it's not a huge, surprisingly, it's not a huge percentage,

Craig:

That's right.

Blake:

you know, like you'd get the Fortune 50, Fortune 500 that do assign, you know, devices to their, to their home employees or their just their employees in general. But you know, surprisingly a lot of companies, they, just haven't done that.

Craig:

Just want to tail off of what you just said. So what you said is such a great point and what, what kind of popped into my head when you said that is, what if you have a company and you have employees that drive around, you reimburse them for fuel and you have the IRS mileage rate, but what if you're using a company or a personal device, that's not a car you're technically putting quote unquote miles on your computer. You know, maybe you need more RAM. Maybe you need more hard drive space to do the job. So wouldn't it be interesting to get like credits or something, you know, I'm not saying that that's really the right way to go. I, I think the first part of what you said, Blake is company issued equipment. I think that's the cleanest way to do it because if you're a small business, let's say you have 20 people that, that are in the company. It's much cleaner from a cyber compliance initiative to standardize on. Okay, we're going to get this make and model. Everybody's going to have the exact same equation. And we're going to buy 10 of them or whatever. And I understand that, you know, a small business of 20, maybe they can't buy 20 at one time, but at least standardize on a model that's more of a business level or a corporate level model. And the difference, by the way, if you don't know the difference between a corporate model and a consumer model, the main difference is the manufacturer sticks to higher quality components on the business model and they don't change. Like they don't say, oh, well, the motherboard is going to be this, this version or this piece of hardware next month, they actually stick to a one-year window and they don't change. They freeze it. So meaning all the components are frozen and the same, and they don't do that to, you know, hurt anything. They do it for standardization reasons and they do it for, for keeping quality of the parts high. So for example, if everybody has the same exact make and model computer.
It makes it real easy if things break, because when things break, you have you could buy an extra, you know, a hot spare, right, or a cold spare, you know, sitting on the shelf, it's ready to go and you can do that on a desktop or a laptop. And then if something happens with the boss's computer or whatever, you, now you have extra parts like right there, you know, that's a smart way to do it. It's not a substitute for warranty. Obviously you want to have warranty. But my point is that on the business levels, you get pro or enterprise versions of the software and the operating systems. So you get elevated software experience. And most of those levels are the ability to connect that end point to a server system, because that's typical when a corporate invites. The ability to enable at least on Microsoft's pro and enterprise or pro at least. And, and up is the BitLocker, the and you know, encryption of the hard drive. You don't have that capability on a home level operating system. So if you're in a sensitive or regulated environment, these are important features that you're going to want to have. So the consumer level equipment, though, it's like best effort. It's like bleeding edge, the video card, or the motherboard, or the re you know, whatever might change and all of these hardware things, these variances that change month or week after week, or whatever it, that it's kind of a mess for a company. Because even if you buy that same make and model, you're not guaranteed to have the same innards and parts under the hood. So if something breaks, you know, there might be a, a fair answer, a difference there with, oh, this video card is different than this one. So that's why it's so important to get business equipment. And it does it cost a little bit more sometimes. Yes it does. But it's that standardization and that consistency that gives you that strong foundation from an IT or a hardware perspective that now goes into cyber because now you've got policies.
Everybody's the same, got people working from home. You have a plan, you know, which model to get,

Blake:

So I think that, that, that stuck too. And I felt when you said that is because obviously I have an Apple computer and, upgradability. So usually the pro the prosumer equipment, it's like, oh, well, you can take the RAM out. You can take the, the SSD out or you can, you know, it's very modular. If the hard drive fails, you know, you don't have to like send the laptop off, like you would for Apple or something. It's okay. Just let me pop a new NVMe drive in there and, you know, bam, you know, you're, you're, you're using Azure, you know, Active Directory or whatever, and just log in, like you normally would wants to rejoin this device to the network and bam, you know, like this seamless

Craig:

Jumping off of that point, there the reason why, if you have a company that you want to join, the end point to the network is, so then you get the advantages of things like Group Policy and the ability to standardize at the software level. Okay. This is how everybody's going to behave on the network. We're going to require complex passwords and everybody's going to have to change their password every 60 days. And it has to be this long and you can't reuse the last one. And so micro in Microsoft's ecosystem Group Policy, and the ability to script and systematize things is very crucial for an enterprise. And this is where, and this isn't a conversation about, you know, which one's better as far as Apple versus Microsoft. I use both of them, but in a business environment, if you're using Microsoft products, typically Microsoft operating systems are the choice for compatibility to take advantage of some of these functionalities, because if you've got a Mac, not to say that a Mac can't be made to work and you can obviously, you know, but my point is that you don't get the same feature set and you don't get the same depth on a Mac joining a corporate domain network. For example, as you would like a Windows 11 endpoint.

Blake:

Yeah, no. And you know, this is kind of funny, but you know, something that we kind of touched on our last podcast, but it was like things that you do every day that expose you to hackers. I think that was our last podcast on Friday, but anyways, we kind of went on like a little rant on you know, people and the way their mentality, like this is probably something that we haven't really talked about, but when COVID hit, first of all, nobody was ready for. and then, you know, it was just an overnight change. Okay. You're not coming to the office tomorrow,

Craig:

Yeah,

Blake:

weren't ready for it. And now that's you, but th the mentality of the workers weren't ready, they weren't ready for that. They weren't conditioned for that. It's not like they were like, okay, well, you've been in

Craig:

right.

Blake:

training for a year. You should be good. That's usually not the case. Something to that, that we were kind of like me and Erin were kind of like bashing our head against the wall. And our last podcast was, there was some like government or some federal judge ruled that it is within law for somebody to use their work email for personal use outside of the office. Which I mean, just because you can doesn't mean you should. And we were, we were like, what the heck? You know, like that's a silly, first of all, I just thought that's a silly law, you know, but

Craig:

Yeah, you know, like anything, I'm not a lawyer, but anything else in law could get overturned in the future. That just doesn't seem to make sense to me. It's a company owned domain and it's, it's on company services, whether they're hosted SaaS model or are there services that are being utilized at their, their premise, right? Like they have, they bought a server, they have a license they're buying compute power to store that stuff. So you're telling me that with the current ruling, that person can have 20 gigs of personal kids' photos or whatever on their work, email, and consume all that property of the business and the business is supposed to just pay for it.

Blake:

that's right.

Craig:

I think that, like anything else, you know, there's other kinds of political headlines that I won't touch on, but my point is that it it's our law. It's a ruling now, but it probably will get overturned in the future. Obviously for best practices. For a company standpoint, I would try to put a policy in place that, that basically prohibits that. And the reason for that is if you've got all your employees that have free rein. They're going to use all the resources and you're going to end up as the owners paying for more compute power, more storage, more resources that's necessary. And that just creates a really muddy area of for, especially if you're in regulation. You know, so I definitely would, would avoid that from a, from a business perspective. I mean, there's so many free email system, Gmail, you know, whatever, Hotmail, MSN, you know, you name it, fill in the blank. There's free emails that can be used for personal use. I, I mean, I don't know the details of that. I'd have to do the research on it, but maybe it's maybe one-off email, like, I guess there's just so many questions around that.

Blake:

I can send you the article that we, that we pulled up. But, but yeah. So if you're using company email outside of the office, outside of your, your your scheduled work hours, it is legal for you to use that device for personal use personal email. And the two things that immediately we, we talked about like Erin and I is one, you know, like, let's just say you're purchasing stuff on Target or Walmart or whatever, or, you know, you're entering a form on a website and then they share your information and then you start getting emails into your work email, like one you're opening, an extra door that doesn't need to be opened. The second one is I think about it from my mind is productivity. Like I log into my email and I want to, I just want to see work emails. Like I don't want to see anything else. Like, I don't want to have to like comb through my work emails, or my, personal emails to get to the work stuff. Like I already get plenty of emails for work. I trust me,

Craig:

well, that's a good point. But the, the other thing I was thinking of is let's say you've got personal stuff in there in your work email. And if the company that you work for is regulated and subject to store emails for seven years for retention purposes. Cause that's, that's true. Like some companies have to store all the corporate emails. Well, now you have a privacy situation though. You have a privacy situation around, like, if that mailbox let's say you get terminated or somebody buys the company. Now they're going to get, if somebody buys the company, now they're going to have access to all your personal emails and the corporate emails. And there's no easy way to sift and sort like you were just pointing out. So now, I mean, that creates a very gray area situation, I would think.

Blake:

Imagine going to all the websites that you have, like Amazon, Target and creating and changing your email from your work email to a now personal email that you just set up

Craig:

Yeah.

Blake:

I'd rather have a root canal.

Craig:

Yeah.

Erin:

Yeah.

Blake:

Seriously,

Craig:

Yeah.

Blake:

at least I don't have to do anything,

Craig:

that's a messy, messy situation. I I foresee.

Blake:

But it was just something stupid. And this is where it kind of segued from conditioning. These employees, like there was no condition period. Okay. Like you're here now. You're there. Sorry. You know, like, and just because you can do this doesn't mean you should do this

Craig:

Yeah.

Blake:

right. Legally on paper. And that was where, I mean, we kind of had a little rant listened to our last podcast and, you know, hear it. But, but PPI people just, they weren't ready. They weren't conditioned for this and that can create a huge problem. And they still not, I mean, who knows, like where we're at now? Like I know we've, we've all been working remotely before the pandemic. Right. So we we're, we know what to do. We've been in this ecosystem for,

Craig:

Yeah,

Blake:

I mean, as long as I've been here, people just weren't.

Craig:

I would still say, and I would speculate that I would still probably, assume that most people are still not in ideal situations. And what I mean by that is they may still be using home operating systems, you know, shared internet or, you know, shared devices at home. Just probably I would, if, like I said, I'm speculating. Maybe 80% and just guessing are not ideal. They're not using corporate issued devices, data pretty private. You don't have a BYOD policy that defines what they can and cannot do. They are probably not using proper internet. You know, that's another good point too, right? Like if you're at home and, you know, personal internet service, maybe it's not on the fast enough speed because now you're demanding more from the internet with Zoom meetings and everything else. Right. So how do you know, are you expected as the home user to pay for that? Or do you expense that? Like, you know what I mean? Like there's all these questions that are, that needs to be defined and answered. And that's where these policies come into play. Like what do you allow? What do you not allow it? If you don't have a policy. Then it's very messy. First of all, if you're regulated and you don't have a policy, you'll fail. But if you, if you're regulated or in that kind of gray area, you should still have a policy if you're not regulated, because it still creates defined boundaries of what, what the employees can and cannot do. What are they, what can they use as far as devices? What should the internet connections be? Should they use a VPN? You know, all of these questions should have answers from your company culture.

Blake:

I've heard from people that worked at Apple, that like people that work at the support center for Apple, like it's all, all a hundred percent remote based job, but that they would send you, an IMS. And then they will not only this, when did you send your shoe and iMac, they would send you like a hardware firewall.

Craig:

Okay.

Blake:

And then obviously that the hard, the iMac was loaded with all the little jazz, you know, that you would need like us as a VoIP phone software or something. And some of them, a VPN that's already configured to their network and stuff like that. but now pretty recently with some of the security issues that have been going on, companies have realized now it's like, okay, they may not have the right internet. They may not have the right operating system, but the least that we can do to get them secure is to put them behind a hardware firewall.

Craig:

When he just said that I'm thinking of, policy standards or compliance standards around like NIST 800-171, you know, there's 110, processes that we talk about. Right. And the firewall was one of them. And it's going to, depending on the make and model of the firewall and the capabilities, it may address more than one of those security controls. But like you said, this is where it was probably a good decision by Apple because now they standardized, okay. Now they have a hardware firewall. They have all these things, and they've already mapped. My point is that every business should be doing that and they should be thinking that way. And how do I know, what can I standardize? What can I, can I standardize on the firewall? Can I standardize on an internet speed? And I, I should standardize on, you know, what am I going to allow in my, my corporate network? Or am I going to allow, am I going to allow Windows computers? You know, am I going to allow to Linux, you know, am I going to allow like freedom to choose? Or am I going to standardize? And everybody's going to use this for this purpose. And you know, all this stuff needs to be discussed and decided upon and documented, and then mapped back to those, those NIST 800-171 or whatever framework to, make sure that you're, you're addressing all of these areas because otherwise, if you don't, do this stuff and you leave it to free will, everybody's going to use password for password, and it's just going to be this open door and then guess what? Now you've got, you know, just like what FIS, phishing emails and business email compromise, you know, one wrong click, right? Well, now you've got all these people that have such variance in their configurations that can connect inside the corporate network and represent your company.
And if they do something wrong in regards to not securing something or not using MFA or whatever, and you didn't define it well, it's a recipe for disaster and a breach, but then it also becomes very interesting as far as an investigation or a forensics go. Because if the business owner didn't, if they're regulated or subject to some, and there's so many different regulations that keep changing and keep getting released at the state and federal level, my point is that you can get in big trouble really fast by, oh, FTC had a regulation around that, and I should have been doing this. It just gets really messy, really fast.

Erin:

So, I worked at a place before I worked here and we worked remotely, like I started an office and then they sent us, they sent us home, but they, I will say like their practices and this is, you know, 15 years ago now probably, but their were like so good. I mean, we had to bring in, I think I was actually one of the first people where they stopped giving us laptops, so yay my luck. But, you know, we still had to bring our laptops in and our head of IT would like configure everything. I think she might've even like come over to my apartment to like, make sure everything was set up properly. You know, we had a VPN, a secure VPN that we could log into. And I, I don't know. I feel like they might not have done everything right. But they did, they did definitely do that. Right. And then that's when, when all this happened and when we were writing blogs about cybersecurity for coronavirus and things, I really thought about that because it was so time consuming just for one person to get everything set up properly, for this company, it wasn't a huge company by any stretch, but, you know, th th to think about the logistics of that, you know, and also, you know, you still, it just, it almost, I mean, it didn't quite happen overnight, but it kind of happened overnight, you know, and everybody was like scared to like, be around people in general. I mean, it was just, it's just a recipe for disaster. And, you know, there was a lot, hackers are shameless. They will take advantage of any situation that they're given and it's. A little disheartening, to think about that, but why wouldn't they, I mean, they're scammers, right? So it's just something to think about. And I guess another thing too, I mean, wasn't easy, not like an easy solution as in its only option, but VPNs, I feel like would be such a great bridge to people for people, you know, especially if they're, they're working from the office and they have to start working from home.
Cause then they can, you know, they can connect to something that's familiar to them and things like that. so I feel like, I feel like a VPN would be a huge win for, for cybersecurity and remote or command show. There's a lot of other things too. Right.

Blake:

I think those companies are doing that. Now I can mean VPNs. I mean, a lot of the companies that

Erin:

a lot of them don't

Blake:

Yeah. yeah.

Craig:

Well, one thing I would just point out real quick while we're on the VPN topic is there's two different kinds of VPNs too. And a lot of people don't understand the difference. There's consumer VPNs and the purpose of a VPN at the consumer. It's typically to mask your location to appear like you're, you're in a different country or, you know, to, to mask your traffic for privacy reasons and, and see, you know, so that, that big companies can't track you on the internet. That's really the, you know, it encrypts the traffic and encrypts what you're searching on. It makes it harder to, you know, cut up, pinpoint you at where you're located. So privacy is really that version of VPN and that's a consumer level. Then there's corporate VPN and the purpose of corporate VPN or business quality VPN is really to get that home worker and this, you know, scenario that we're talking about with COVID, right? Like, so if you're working from home or maybe your, your work has changed, the, the way that you work and you're permanent work from home, my point is that a corporate VPN is often issued and should be issued. So then have a secure connection from where you are back to the server at the office for, you know, connecting or mapping drives, you know, sessions and things like that. Now you may not have equipment at the office anymore, or maybe your office is kind of restructured and they're not going to renew the lease. So maybe they're going to put that in the cloud. So then there might be a different, you know, termination point for the VPN, or maybe, maybe VPN is no longer needed because you're going to use a different kind of service. 
My point, though, is that there is a big difference between a consumer level VPN, like on your cell phone or on your computer for privacy reasons, and then a business or a corporate level VPN, which the intent and the purpose of the corporate VPN is really to make you, bring you back into the office virtually. It's really the best analogy or way to put it.

Erin:

And that's what it felt like too, you know, like that one, especially because I'm going from home or going from work to home,

Craig:

Yeah.

Erin:

it was just a great way. You're still familiar with everything. Like everything's set up, you know, it's, it's like you said, it's, just creating that constant,

Craig:

That, yeah, that constant connection. And the other thing that comes to mind too, is, you know, when you were talking, Erin, is when, when we were talking about standardization, you know, it, what comes to mind when you're talking about that is I remember a very well-known local car dealership. About 15 years ago. They're like, oh we're expanding, we're buying new locations. And, you know, we want to get, like, I can't remember if it was 50 or a hundred different computers, endpoints at the time. So what I did and what my company did at that time was we created and worked with them to create what's called a master image. So we got one computer set up with all the software, all the security, everything was perfect. And then what we did was we cloned.

Erin:

oh yeah.

Craig:

So we cloned it. So it was identical carbon image and mirror image to all the other endpoints. Every single one was the same. And then at that time we changed what's called the security identifier or the SID number. But my point is now you have a rapid deployment of they're all set up. They're all preloaded. They have all the company stuff on there. They have all the security settings, everything's locked down the way it should be. The only difference is you have to log in with your unique company-issued username and pay. Everything else is there. So I think people kind of forget about, or maybe not know about that kind of technology anymore, and they're just kind of doing this onesy twosy kind of stuff, and just kind of buying stuff as needed. But that's really the advantage of standardization for a company though, like to know, you know, Hey look, this technology has existed forever. And it's very valuable to a company to make sure that you have everybody operating under the same standards that you set and that you customize for your company so that the, every single person that's working for you is all locked down the same way. They're all using the same software. It's just so much easier in the end for deployment, peace of mind.

Blake:

I think every company should be exploring virtualization in my mind. You know, I know that's just, maybe it's just me, but I mean, it just makes so much sense, right? If you have a BYO policy or if you don't, I mean, at that point, it doesn't really matter if you have a BYO because everybody's remoting into a virtual machine. They're working from a virtual machine, they're behind your company network. I mean, and then, you know, if whatever happens, let's just say, for example, that person decides to leave. What do you do? You just clip the VPN access? Bam. You know, there's nothing on their machine. Just such a clean...

Erin:

Clean exactly,

Blake:

process. I think.

Craig:

No, you're absolutely right. So there's two levels of that. There's what's called remote desktop services or RDS, which is otherwise known as a terminal server. That's what the old name used to be. So there's that way to set up an environment like. And then there's a VDI or virtual desktop infrastructure, but yes, for a business, either of those solutions, obviously start with RDS or remote desktop services first because that's the cheaper option. The other option, VDI, is more full featured, but also more expensive because you're buying full licenses and everybody in the company technically has their own dedicated virtual machine. And it's just a little bit more costly. But my point is that that is a great way to centralize things, introduced proper configurations around redundancy key, especially for compliance. It makes compliance work a lot easier because now you're no longer reliant upon the quality of equipment at home. So that, that could be a home device. And you could define that in the BYOB policy that you write, but all of its power, all of its compute, all of its RAM, all of its storage, all the work functions are all on that. That's hosted and server could be privately hosted like we hosted, or it could be in the cloud somewhere, with Microsoft or Google or wherever you want it to be. But oftentimes our hosting, which is local and personal, is faster and cheaper than the competing offerings, because we work hard to establish all those vendor relationships. But my point though, and to underscore what you're saying, Blake, is, you know, to, to keep, especially if you're a midsize or a little bit bigger company or even if you're a smaller company, just kind of really, it depends on where you are on the technology side of things, but that, you know, virtualization is a great way to standardize very quickly. 
So like, you know, if you're growing and, or even if you know that you have a mess of technology, that's all different all over the place and you want to take the step to standardize and do it quickly. Virtualization is definitely the way to go and do that very fast and right.

Blake:

Something too, I mean, I guess you could look at as the cost breakdown, right? It's like, okay, let's just say, for example, you do want to standardize everything. You do want to keep everything secure. Okay. What's the cost of buying 10, 10 laptops or 15 laptops. You've got 15 employees or whatever. Right. And then you have to pay somebody or an IT department, or, you know, you most likely need an iPad IT department anyways. But the cost of keeping all that under management, or you just create a virtual environment, bam, give them a login, let them log into it, let them use their own devices that everybody's got devices at home. They're already familiar with using those,

Craig:

So one of the things that we did for the dealership and for other environments like manufacturing, was adopt technology called thin client technology. So thin clients are, they're usually running an embedded version of Windows or Linux, and it's usually a hardened security operating system. And it's a smaller footprint, usually about the size of a paperback book. More powerful models that'll support multiple screens are a little bit larger. Sometimes they mount on the back of the monitor. So they're really clean as far as their appearance and cosmetics, but its purpose in life is really just for the, to drive the, the video, the, the screens and the mouse movements, because all of its power, remember, comes from the data center, comes from the virtualization layer. So these devices that are security hardened often are running on flash or solid state technology. And here's the best part from a total cost of VR. I have actually a spreadsheet that calculates this. I did this years ago, we were one of the pioneers for thin client technology. And you there it's, if you graph it out, it's significantly cheaper to adopt methodology around this because like Blake just said, you're no longer reliant on that spinning hard drive. Or even if you're using a soft heart driver, whatever the, you know, a computer nowadays, it's exponentially more expensive than a thin client. And if you're a business and you buy 10 or 20 or 50 things. And you spec them in architecture the right way. They're all identical. Well now there's no imaging or any of that anymore because all of it's on the server, right? So now you send it off in the server. Now, all those are all identical and it's all centrally located on the server. You have no risk of, you know, somebody getting a laptop, there's laptop thin client versions, as well as desktops. If one of them gets stolen, there's no data that's on that device. It's all at the data center in a secure area. 
So there's a lot of security benefits scalability benefits as well. So yeah, definitely a great option.

Blake:

Something that I've noticed too. Cause I've, I've, I know the clients that you're talking about, obviously I've worked with them and I've been to their offices and I've, I've seen the thin clients and I've worked with them. Something that I noticed when I was working on them is, is it's an extra layer of security, because you have to log into the thin client and then you have to log into your desktop. So it creates that extra separation between your virtual environment and the hardware living at the endpoint.

Craig:

that's Right.

Blake:

So I noticed that too. And I was like, oh, that's kind of interesting.

Craig:

And a lot of them are fanless, so no moving parts. So if you have a really dirty automotive environment, manufacturing environment, a lot of dust, you know, stuff in the air, machining, you know, stuff that just would kill a computer with a fan. Thin clients are awesome for that because there's no moving parts, nothing spinning to suck in that dirty air or anything like that. They and they run forever. And here's the best part. You literally can buy an extra one, have it on the shelf, or have a couple of extra ones. You, you literally unplug it, power the new one on, and you log in just like you did before. There's zero connections. It gets everything from the server. So think about if you have a company 10, 20, 50, a hundred people, more people, all that time adds up. Now look at all that time savings you just avoided. And the same thing with, with personnel, you don't need IT staff, you know, everything could be outsourced more easily and more, less expensive, you know? So it's just, it's a great model.

Blake:

Those things are tiny, too. I know you said that already, but I mean, I think when you said a book, I was like, oh, they're smaller than that.

Craig:

Well, some of them are, yeah, I have one, it was like a little cube, but I don't know if I have it on my desk anymore, but it was really small. It was about, I think it was four inches.

Blake:

Yeah. It's like just enough to plug in, like to,

Erin:

Hm.

Blake:

or whatever. I mean,

Craig:

that's right. Yep. And you could do dual screen, like you're saying, and then some of the models, some of the more, the larger ones support four screens at one time. So really the biggest is the, the video capability on the model that you choose. And they're, you know, they are running an embedded operating system. Like I said, it could be a windows operating system or, or a Linux operating system. Those are the most common there's USB ports in them for physical devices that you connect and like printers or scanners and things like that. And those, by the way, can get mapped over through the virtual desktop connection so that you can still use those, those physical connections and print to them and things like that. But yeah, it takes a lot of that headache away from the end point level. And removes that central point of failure and puts it all at the data center.

Blake:

Yeah, it seems like some of our clients that we're lucky because we've already been talking about these things for like years, like 5, 6, 7, 8 years, and they were already ready.

Craig:

we still have clients that are using them that are seven plus years old. They're in thin client setups, but it's perfectly fine to do that. You could escape that three-year cycle with a computer because listen, it doesn't matter when that thin client dies. It will die one day, as long as you're prepared, as long as you have an extra, you literally plug it in. There's no doubt you could, you could be midstream typing that email or, or working on that proposal. The whole thing can blow up. You literally unplug it, put the new one in log in and your, your email is still on the screen.

Erin:

That's crazy.

Craig:

you finished your email and finish and you have zero downtime. Now we've designed systems like this for a very long time.

Blake:

Not only that too, but the responsibility of maintenance and hardware and performance all falls on, whoever's providing that to you. If it's us, for example, I mean, think about the hardware lives at the data center. So like, oh, when we see like that the hardware needs to be upgraded or neat, I mean, it needs to be modernized or something, you know what I mean? Like I've been there, I've been there with some of our team members who have upgraded the Ram and the data center and, that purpose, because we had so many users that were using you know, remote desktop environments from us that, you know, our Ram was just like, Hey, like, upgrade me, upgrade, you know, like,

Craig:

Yeah.

Blake:

I mean, think about that, you know, like, imagine if you do the laptop thing and you buy, you cheap out, right? Like we've, we've, we've segued right into this perfectly. You might three grade laptops, you know, let's just say the last three to five years. I mean, that would be a good purchase, I don't know any home grade laptop that'll last you five years personally.

Craig:

And if it did, it'd be slower. It just wouldn't be ideal. And, even in this kind of thin client with, you know, server backend and compute coming from the data center, instead of you putting all the money in the laptop or the desktop, like you said, the RAM or the storage or things like that, you're, you're, you're moving that cost to a rented model or an operating expense model at the data center. So let's say, you know, you, you would normally buy a one terabyte hard drive for all your stuff. And maybe you'd buy like 32 gigs of RAM or, you know, whatever your resources you would buy in a laptop or a desktop that you, that would meet your. Well, you would still carve that out at the data center level for your user session, but here's where it gets interesting. Maybe you don't need 32 gigs of RAM and maybe you don't need a terabyte. Maybe you just bought that stuff for future-proofing yourself. Well, here's the best part with the total cost of ownership model on the data center side, you only pay for what you use and what you need. So if, and when the time, let's say you only need 512 gigs of storage and maybe you only need eight gigs of RAM and you know, and then, Hey, you need more. You just buy more, you expand it, it's scalable, but you only pay for it when you need it. So think about it from the perspective of you could really be saving a lot of money because maybe you overbought forecasting, oh, I'm going to need 32 gigs of RAM, but maybe your utilization really sits at eight.

Blake:

if we could wind back and we could preach about this six years, six years ago,

Craig:

Yeah.

Blake:

imagine how much people would have saved money,

Erin:

Money time headache. So many things.

Blake:

everything stress.

Craig:

I think it depends on the mindset though, because I mean, I've talked to people years ago about this model and some people just really wanted to buy traditional gear because they wanted that write-off. Usually it's Section 179, I'm not an accountant or a financial person, but you can check. But my point is that usually they would, they would be accustomed to buying computer equipment, buying the servers, buying the laptops, and that's fine. And you can buy these thin clients and things like that. But the beauty of this model is longevity. You're escaping that three-year cycle. So even if you were to buy it and spend 50 or a hundred grand on that purchase, if you change that into an operating expense, you're moving farther ahead this model because it just escapes that three years.

Erin:

Yeah.

Blake:

Something something to, I do know, and this is only because I do my own taxes, but again, not, not a tax advisor or anything or a lawyer, but the the, the disclaimer or the, the law that you're talking about has a term limit. Like you can only write off of the appreciating. For, I don't know how many years. I think it's three to five. or something.

Craig:

Yeah. I think it's five.

Blake:

So, it just doesn't make sense. It's like you pay all upfront and then you get a smaller life period or you pay over time and expression this like from a business perspective, like cash is king to every business. Like that's the reason why Apple has like a billion trillion, I don't know how many billions of dollars in cash reserves, or Elon and Tesla. But then what they're doing is like, I've heard from like the, the Twitter takeover, which has now been halted from Elon. But, but anyways, I've heard that he has enough money to do the acquisition in cash, but what is he doing? He's raising money to do it because cash is king, you know, you can borrow money. He can get like a, like a point 2% like interest rate or something, you know, for that amount of money. And I mean, you should hold onto your cash if you're a business, in my opinion, common sense, but if you're spending thousands and thousands and thousands of dollars on, on, I mean, thinking of all the stuff you have to buy, like you, first of all, you buy the laptop, then you've got to buy them headphones and go buy the mouse and keyboard, and then you gotta buy them extra monitors and you got to, oh, they're going to be traveling. Okay. You got to buy them a nice case. Then you've got to, who knows, you know what I mean? It just keeps adding up and then maintenance and blah, blah, blah,

Craig:

To be frank, if some of that stuff you still have to buy, I mean, you're, you still might need a microphone. You still might need headphones, but the root or the brain, or a lot of people will call it the tower or the CPU, that device is what we're saying. You can virtualize and put in the cloud. So you no longer have a piece of equipment that, you know, big bulky tower or mid tower at your foot that you kick, you're outsourcing that role. And you're connecting all your devices, your mouse, your keyboard, your printer, your scanner, whatever you use, your microphone, you know, for Zoom meetings, your headphones, things like that, all of that gets connected into the thin client. Then you're, you're virtualizing that compute power. And as your needs grow and change you buy, I want you rent more of that, from the data center.

Blake:

Yeah, sorry. I probably should have clarified a little bit better, but you're going to get a much longer investment

Craig:

That's right. and that's where that, total cost of ownership is so much cheaper. That's what I was saying. I graph that out on the spreadsheet and it basically on the spreadsheet, I have you just plug in the details. like. how many people do you have? How much compute power does each person need on average, what's the storage, and then it shows you, okay, this is your lifetime over a three-year term or a five-year term. This is how much you're going to save versus buying it. It's a really powerful visual diagram.

Blake:

It's surprisingly low too. Cause I've seen like some of our customers and I've seen like the compute power that they're using. it's less than you'd expect, Cheap.

Craig:

And it's more affordable than you would expect too. I mean, obviously we have to do an assessment to figure it out, but I mean, the pricing, sometimes it's less than $200 a user. Sometimes it's more than that. It just depends, you know, engineering companies used to be. The big ones that have to get what's called virtual GPU or video card virtualization, those things are more expensive if you have to do CAD and things like that. So that pricing is going to go up because now you need a high powered, you know, video card in the server that can then be virtualized, but all of this technology is available now and, you know, it's really easy and you could still take advantage of that total cost of ownership savings. And it's significant. It's a lot of money savings.

Erin:

And it's cleaner

Craig:

Yup. Way cleaner.

Erin:

the inefficient.

Blake:

I just like how clean it is,

Craig:

Yup.

Blake:

We have a customer that does, there's a lot of turnover. And like, I'm always adding new users and taking away users and they operate from a desktop environment. Erin knows who I'm talking about, is just smiling. No, I don't know who that is, but now it's just so clean cause they do that, you know, like they send out an onboarding instructions. Hey, here's, here's how you, you're onboard. Here's how, welcome to the company. First of all, here's how you onboard. If you need some help, like reach out to Petronella Tech, like we'll help you on board. And then, yeah, I mean, at the end of the month, you know, if they get clipped or the same day, you know, like within 20 minutes, they're clipped from the server and they, they no longer have access to their desktop. Somebody from their company can literally hop in and jump, jump right into their virtual environment and take the files, you know, if they need to, and then we can, you know, absolve the, the virtual machine or it's just so clean and it's just, so it just feels right. It feels like is the future.

Erin:

Yeah.

Craig:

Yeah. And it's, it's proven. I mean, it's, it's been around for a while. It's good, good technology. Like I said, there's two flavors of it. Most, most people do the more, a less expensive option, which is called remote desktop services. And then if your needs are more complex and you need, you know, more compatibility that they work in an RDS environment, then you have to go full VDI or virtual desktop infrastructure. But which is more expensive. It's not a lot more expensive, but it is more expensive because you need virtual machines for each of your users. But the point is it is a cleaner design from a regulatory and compliance and cyber perspective. It's, it's, it's more scalable. It's easier to script out. It's easier to pass audits and be more aligned with compliance. So yeah. So, I mean, it's definitely a good way to go.

Erin:

Is there anything else, like any other recommendations that you would give them, like some quick and dirty? Like is, these are going to help you the most,

Craig:

I think that for this podcast and for our discussion today, I think that the best thing I would advise is just only to our assessment process and methodology and, you know, reach out to us and well, we'll start that conversation, you know, and any other improvements can be made for you specifically. But yeah, for our conversation, I mean, there's so many different things that can be done, but that that's acknowledged that we talked about with thin clients and, you know, RDS and VDI. Those are some really common approaches to, you know, really accelerating the compliance and cybersecurity initiatives and just really paving the way for a lot of people, because we know that a lot of the folks, they don't have ideal configuration. It's almost like a clean slate or a fresh start, so to speak. And it doesn't necessarily mean that you're going to have to go buy all this stuff either. So you can, you know, one thing that I'll just kind of leave before we close our podcast for the day, let's say you have an endpoint that's at home user or operating system. You can use that as a thin client, but here's the, here's the caveat. And the thing to think about if the thing is outdated and no longer supported. So it meaning you can't patch it, it still would pose a security risk. And that's why like Blake was saying, you know, if it's beyond that three or that usually three years is the manufacturers like end of life, right? If you're lucky. At the most stuff, nowadays comes with 90 days or a one-year warranty. But if you're, if you're lucky and you have a business relationship and you have a business warranty, you can typically buy a three year warranty, on, on very rare occasions, you can buy a five-year warranty. But my point is, if you're out of warranty and your device is no longer supported, that is when you have to just start over. Yes. I understand for the people that if it's not broke, don't fix it, but that's a different methodology. 
And in the cyber security world, if it is end of life, consider it broken because you can't get patches for it anymore. And if you can't get patches for it anymore, and you can't band. It's a security risk and it's, it's going to cause your company more harm than good, which is why, if you're entertaining a model, like the virtual model that we're talking about today, this is where it would be important to go through our assessment process because we can then say, okay, well you can get thin clients and they're this cost. And by the way, they're going to oftentimes be a lot less expensive than you're used to paying for that laptop or that desktop, especially with prices nowadays, with pricing going through the roof, thin clients are still great options for a lot of businesses. So my point is that yeah, we can go into various different kinds of technologies, but I think that for today, you know, to keep it more simple, I would say reach out to us. Let's do an assessment process. Start off with just a conversation. Doesn't cost anything to have a conversation with us. And if there's a fit, we'll go down the road of mid assessment process. Fine tune and customize it and show you with our spreadsheets that we have, show you how much money you can save. And oftentimes it's a lot of money. I mean, well, usually it's, it's six figures.

Erin:

Wow

Blake:

Yeah, we talk, we talked about in one of our other podcasts too, like the things that I think it was like like what we like about working in cybersecurity or something,

Erin:

a day in the life.

Blake:

Yeah, Day in the Life or something, but like, I just kind of want to segue because the reason for the assessment is because every organization is different. Like every company has different needs. Every company has different people in place, in different assets and resources. And the, the, the, and the reason why I bring that up is because every company is a new challenge, no one size fits all. There's no magic pill. There's no magic potion. Like there's no waving of the wand and Hey, your cyber you're secure now, you know, like it,

Craig:

That's right.

Blake:

and people expect that business model has changed. The internet has changed.

Craig:

yeah.

Blake:

everything has changed with the internet within the past five years. That's what they expect. They're like, oh, I can just go online and order it. And then there's the fixed my problem, right. That doesn't exist in cybersecurity.

Craig:

Yeah, exactly.

Erin:

and Craig too, before, before we leave. If you don't mind, I would love for you to explain to people a little bit about the importance of an assessment. I really like the analogies that you tend to use with that. I think that, cause I think a lot of people think that they're unnecessary or a waste of money which is so far from the truth. It is so far from issue. So maybe if you want to take the opportunity to just explain why that is such a first step, like, so such an important first step in the process of coming up with an effective cybersecurity portfolio. I think that would be helpful.

Blake:

You should talk about our assessment process as well the end of that. And then, so they'll know why we do it.

Craig:

Sure. Yeah. So we have a four pillars assessment process, and we have different flavors of the four pillars, depending on if you're at a regulation such as HIPAA for healthcare or NIST, DFARS, and CMMC compliance for defense industrial base. So we have different, different versions of our four pillars, but we go through all seven layers of the OSI model and we start from the physical layer of your infrastructure, your wiring. And we go all through that. If you, if you have a corporate building or you're leasing space, we go through all of that with a fine tooth comb. And then we identify gaps and areas of issue that could cause downtime or cause, you know, loss of productivity. So we go through all of this process and by the way, if you're in a regulation of some sort, which most companies are in some type of regulatory mandate, security risk assessment process is an annual requirement. So we're able to check that box and get you that requirements on. So you should be not just doing this one time, but you do this every year. So it's very important to follow our process because it's really a way for us to deep dive into not just your technology and your cyber and your, your compliance, but your business. Like we look at your business, we look at what you do, what your workflows are, how you're using technology. We look for ways of areas of highest opportunity to improve. You know, how can we do things faster or cheaper? Like I said, with the thin clients, you know, maybe there's a fit there that we can deploy that model to save you, you know, a lot on costs there. So it's a thorough, deep dive into your organization. And we, we go through that with a fine tooth comb and the output is a blueprint and a plan of exactly what needs to be done and where your opportunities and your gaps are. And like I said, it's not only recommended for regulated businesses. 
It's really recommended for any kind of business to go through to really figure out, you know, are you, where are you? What's your score? What can be improved? And we do this that, you know, the IT side as well as the cyber and the compliance side, and we meet with you and we go through it together,

Blake:

I would talk a lot about doctors and stuff like that, but like a good example in that people are used to is like, you go to the doctor and you say, Hey, this is what's wrong with me. Right. And the doctor's like, Hey, let me run all these tests and we'll do blood work and we'll do this. and and then they come back and they say, okay, well, here's the results of your blood work. Here's what we, here's what, what action steps we need to take to make you feel better. That's what people are used to. And it's never really been communicated in that way, because most people and some of our competition, and we've seen it before, where they come in and they say, Hey, here's a solution, right? Bam, bam, bam. then ultimately the client doesn't get what they need. They, they get underserved, they get overcharged. Right. And the solution is, entirely wrong.

Craig:

That's so true. So like the analogy, you know, you don't go to the doctor and you say, Hey, I want this drug. Or, you have to go through the doctor's methodology and we've worked hard for the past 20 years to develop this proprietary four pillars methodology. You know, it's very easy for a competitor to say, oh, well, we'll, we'll sell you this solution. And it costs X, but it's not fair to you, the consumer or the business, to get pitched a price like that, or a solution without a proper discovery and assessment process. Because every business, every person is. So you have to go through that process to figure out what are your options? What, what can and cannot be used because maybe, you know, throwing that certain solution out without a proper assessment. Maybe it's not compatible. Maybe, maybe you do something in your workflow where that is. It's a deal breaker. It's just not going to work. So we find those gotchas before you invest a whole lot of money. And before you go down that whole rabbit hole, and oftentimes in the end, we're saving you money. Anyway, we're improving efficiencies in cybersecurity. So it's, it's very important. It's, it's an eye-opening experience for sure. A lot of our competition does not follow this, this methodology. They're just quick to pitch out numbers and throw out cheap numbers, but, like I said, it's an invaluable exercise that we highly recommend. For all the folks that have gone through it, they would agree that it's an eye-opening experience that has really helped them significantly save costs, but ultimately design a much more robust and solid foundational framework. That's really been the pillar of growth.

Erin:

If you think about it, you really can't solve a problem unless you know that the problem exists. Right.

Craig:

That's right.

Erin:

So how are you going to solve your cyber security puzzle when you don't even know what the pieces are?

Craig:

Yep.

Erin:

You're not,

Craig:

That's right.

Erin:

I mean, you can try, but it's like throwing spaghetti at a wall. See which

Craig:

Yeah.

Erin:

You know, but that's wasteful, it's inefficient, it's expensive. I know people look at like an assessment and they're like, oh my gosh, just fix it. I don't care. Just fix it. But it's just not that easy.

Craig:

Yeah, everybody wants to jump to the solution and, you know, fix, fix, fix, but you can't fix something unless you run proper tests and diagnosis, you know, first, and once you zero in on the problem and find the root cause of it, we can write a prescription of what's the, what's the plan of action.

Blake:

I think you said that stuck to me too, is you talked about growing, right? Like that's the thing, like everybody here, who's listening, who's a business owner they're focused on growing their business. Right. And if you, if you say, Hey, look, here's my needs currently. And this is what we do with our methodology as well. Like, Hey, here are my needs. Current. We look at your needs currently. And then we look at your possible needs in the future.

Craig:

That's right.

Blake:

Get a number from X cybersecurity company, oh, they're just looking at what your needs are now and not considering your future growth. And that's where we've had clients that have come to us, new clients that have said, Hey, look, I, I just outgrew my service provider. They don't have enough support resources. They don't have the proper expertise to support me, like we've outgrown them. And that happens so frequently. That doesn't happen because of our approach. And then two, we think about scalability. And then while you're growing, that's your goal. Your goal is to grow your company, like,

Craig:

Yeah. And you don't just wake up one day and say, I'm going to build a building or a house. You need a plan. You need to have an architect design it, make sure you have solid foundation and footing. Make sure you don't have, you know, a river running under your land or what, you know, you got all these gotchas. That's right. You got to make sure that things are, and that's the thing like with our solution and in our methodology around our four pillars assessment process. And that's why we believe in it. And it's part of our culture. We'd like to do things right. And we want the customer's best interest in mind to be able to give them that secure foundation for growth, much like a good doctor. You know, you want to be able to trust your doctor, give you good advice and, and find things proactively, right? So that you are in good health and you have a long life. It's the same thing with your, your IT and your cyber. We want to make sure, you know, you're designed the right way. We're going to present you with all these different options, but they're going to be options that are specific to your business and your workflow. Like I mentioned before, and then I'll leave you guys for the day, 'cause I have another meeting, but one thing I wanted to point out is with the thin client, you know, some situations you can't use a thin client. You know, there's two types of solutions, VDI and remote desktop. Oftentimes people start with the remote desktop or the terminal server option, but there may be some application that you use that's vital to your business and maybe it's not compatible. So maybe you have to use the VDI option, but we, we don't want to just say, oh, you must use the VDI option at all times because that option is more expensive. So if we can save you the money we're going to help you save the money and do the alternative. So my point is like the same thing with compliance, like with NIST and DFARS, CMMC.
A lot of other companies won't tell you about what's called secure enclaves. We like to tell our customers about secure enclaves because it simplifies the security, makes it easier and more affordable for businesses to be able to comply. So instead of, you know, if you're a 50 user company and maybe you only have five people working with sensitive information, we can scope out a five-user secure enclave and save you a huge amount of costs. So that's, that's what we're about and in our culture.

Blake:

Something to that, that we've talked about to you and kind of, we should probably say. But we end on, we take a proactive approach to cybersecurity and most of our competition takes a reactive approach to cybersecurity. And obviously we're talking about saving money and they're talking about spending money, we're talking about that. That's the, that's the only way. And it's the same thing. We talk about doctors, we just got done talking about doctors. What do you think is going to be more expensive, for you to go to the doctor when like you're dying on your deathbed or, you know, going to your yearly checkups and, you know, doing your health, you know, your physicals and, you know, things like that, being proactive, like

Craig:

We make your vegetables taste like candy.

Erin:

Your onions taste like the sweetest onions you've ever had

Craig:

There you go. Eat your vegetables.

Erin:

Homegrown right here in Carolina.

Blake:

Yeah. Cyber security onion, not the low hanging fruit. Sounds like a good one to leave it off

Erin:

Thank you. It's always great talking to you, Craig, and I hope we all have a great week.

Blake:

next time.