Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

How the COVID Pandemic Paved the Way for the Cybersecurity Pandemic

Petronella Cybersecurity

Hackers have no shame.

Any opportunity they think they can exploit will be exploited.

That includes a global pandemic that has taken the lives of millions of people around the world.  The death and destruction are of no consequence to these bad actors and with millions of workers working remotely, hackers have a field day.

Did your business go remote to stay afloat?  Was your IT Department unable to fully prepare the at-home workers? If so, know that you aren't alone, and listen along to find out what you can do to improve your cybersecurity portfolio.

Link: https://remote.petronellatech.com/

Hosts: Craig, Erin and Blake

Support the showCall 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!

Support the show

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Support the Show

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

We are live.

Erin:

Happy Monday.

Craig:

Yeah. Happy Monday

Blake:

Ooh, sounds scary.

Erin:

Oh yeah. Mondays are always scary. Did you guys see the moon last night

Blake:

did not.

Erin:

Oh my gosh. it was huge. It was a full moon, but it was extra bright. I don't know what was going on, but I had three people actually text me and be like, look at the moon.

Craig:

Oh, interesting.

Blake:

You see any werewolves?

Erin:

Just me. That's really why I have so much here because I'm a werewolf our world.

Blake:

Yeah.

Erin:

That's a lie.

Craig:

so we want to talk about how COVID 19 sparked the cybersecurity pandemic.

Erin:

Yeah. Yeah, I do think that's a good topic.

Craig:

Yeah. So there's the mass rush of companies that were trying to figure out, how do we still stay open? How do we still remain in business without having all of our staff come to work? So there's the big rush to work from home. And like you said, Blake that calls for what's called a, bring your own device policy or a BYO D policy. A lot of the listeners probably don't even know what that is, but it mostly affects regulated businesses. The regulated businesses should know what it is, especially HIPAA and some of the folks, but basically it's a policy. It's a document that defines what kind of devices can employees use for work? Are they allowed to use their personal laptop at home that the kids share and play games on and if so, did they need to grant their it department or provider access so that they could properly secure that endpoint? Or is there no, policy in place and they just use that computer or that endpoint and then hope for the best. And I think that that's where a lot of companies were getting into trouble on the latter point where they didn't have a good policy in place. And there was nothing defined. Everybody mass adopted zoom just moved on with their day. So that's where I think cyber security is sadly often pushed to the side and I think hackers, we're starting to see that. And that's where, I don't know if you saw a lot of the COVID scams around vaccine, just anything they can news Jack, they were taking advantage of including ransomware or different kind of bad payloads.

Erin:

It was interesting too. Cause I remember I guess two years ago, or two years ago now, A lot of articles about that. Also

Craig:

Absolutely.

Erin:

try to warn people that there's going to be vulnerabilities. So be careful, but you know, in a lot of times extreme situations, you have to just do what you can do to stay afloat.

Craig:

Yeah.

Erin:

been two years and it's like, okay guys, maybe it's time to really start buttoning up your cybersecurity. Now, even if we can't get handle on COVID, maybe we can get a handle on our cyber risks.

Craig:

yup. Yeah.

Blake:

think that's huge, too. Companies were trying to figure out okay, how is the COVID pandemic going to hurt our profitability? How's it gonna hurt our customers? How is it gonna hurt the services that we offer? And that was the core focus for maybe the first three to six months. And then obviously they had no choice, but to send everybody home. And then after that, they were like, oh, well, everybody's at home. How do we secure the people that work for them?

Craig:

Right. Yeah, it is a lot. I think that like I said a lot of people were like, okay, we'll use zoom. Teams was just really starting to amp up. So teams at that time started upgrading and kind of taking advantage of the situation too. So it was kind of the battle between teams and zoom as far as the online video meetings. And then I think still most companies, especially the ones that are not regulated, I said, that did not have this kind of foresight and policies in place. I think that they were still really scrambling to figure it out. I think a lot of times it's still not figured out. I think that there's still too much variance in the type of equipment that a lot of the homework force is using. There's no standardization makes cybersecurity a bit of a nightmare. If you've got 50 people that work for your company, and you're all using different internet providers and you've got different firewalls and you've got different end points, you've got whatever, computer or laptop you bought for your home, personal use. Maybe you bought it at best buy or target or wherever bought it. Most likely it's just not up to business standards. And what I mean by that is it might have a home operating system, maybe it doesn't have encryption and the security protocols that are built in at the higher level business quality pro or enterprise versions of an operating system. Some of the folks may use Mac computers, but here's the sad reality. The sad reality is most people when the COVID-19 hit, especially at the kind of the beginning stage, I would say most people that were working from home or forced to work from home. The pandemic people getting sick, or maybe they were sick, whatever. The point is that they probably did not have ideal equipment. And what I'm saying is some of them may have outdated equipment. Maybe they're using windows seven or windows eight, or maybe even older than that. And that's just a nightmare for cybersecurity because now you're giving somebody that is using, like I said, their family or their kid's computer that maybe was used for games or whatever could be potentially infected with malware. Pop-ups all sorts of junk on that machine. Now it's added access to do work related functions. That is literally like a garage door open for hackers to come in and just drop nasty ransomware and malware. And this is where also companies. Oh, well, outside of zoom, how do we get them into our server and how do we connect them to this or to that? And, maybe they had on-premise equipment or on-premise gear at the corporate headquarters, firewalls, VPNs, things like that. So they're rushing to adopt all these, this connectivity to try to keep, the workforce cohesive. Right. And quite frankly, it's a lot easier from a networking and cyber perspective. If everybody's in one building or one location, everybody's working from one place and corporations and small companies often when you have a business, they have similar equipment, it's business quality and their standardization's there. And my point is that when the whole remote wave came from the COVID pandemic, now you threw in every kind of make model that you can think of, mixture of Mac and PC and old versions of new stuff. And it's just an it and cybersecurity nightmare.

Blake:

I was waiting for you to mention that their local it friend who, you know, oh, Johnny L my house broken notice, let me walk to Johnny's office and let Johnny Hill swap it out or whatever. They don't have those assets at home anymore.

Craig:

So focuses on single points of failure and it focuses on business decisions or company decisions. And this is where the policy comes into play, but it's around, well, what happens if kid or family laptop or endpoint or desktop, whatever, what if it's not new enough to run zoom? Or what if it's not fast enough to have a good meeting or maybe you don't have a camera. And then now, then there was this rush to buy equipment. Right. I don't know if you remember, but buying, even for us, it was impossible to find lap. It still is with the supply chain issues and things like that. So then it's like, What can you get? And then how do you make whatever you can get? That might not be ideal? How do you make it work? It's just a nightmare.

Blake:

yeah. The COVID way China first. And then obviously where a lot of the semiconductors are, produced. Is there in China and the semiconductor facilities weren't producing processors for three months ahead of the wave before it hit here. So yeah, was like a whole little domino effect. and then of course a small percentage of companies, they assign device, surprisingly, it's not a huge percentage.

Craig:

That's right.

Blake:

You'd get the fortune 50 fortune 500 that do assign devices to their home employees or their just their employees in general. But surprisingly a lot of companies, just haven't done that.

Craig:

just want to tail off of what you just said. so what you said is such a great point and what, kind of popped into my head when you said that is, What if you have a company and you have employees that drive around, you reimburse them for fuel and you have the IRS mileage rate, but what if you're using a company or a personal device, that's not a car you're technically putting quote unquote miles on your computer. maybe you need more Ram. maybe. you need more hard drive space to do the job. So wouldn't it be interesting to get credits or something, I'm not saying that that's really the right way to go. I think the first part of what you said, Blake is company issued equipment. I think that's the cleanest way to do it because you're a small business, let's say you have 20 people that are in the company. It's much cleaner from a cyber compliance initiative to standardize on. Okay, we're going to get this make and model. Everybody's going to have the exact same equation. And we're going to buy 10 of them or whatever. And I understand that a small business of 20, maybe they can't buy 20 at one time, but at least standardize on a model that's more of a business level or a corporate level model. And the difference, by the way, if you don't know the difference between a corporate model and a consumer model, the main differences, manufacturer sticks to higher quality components on the business model and they don't change. they don't say, oh, well, the motherboard is going to be this version or this piece of hardware next month, they actually to a one-year window and they don't change. They freeze it. So meaning all the components are frozen and the same, and they don't do that, to hurt anything. They do it for standardization reasons and they do it for keeping quality of the parts high. So for example, if everybody has the same exact make and model computer. It makes it real easy if things break, because when things break, you could buy an extra, hot spare, right, or a cold spare, sitting on the shelf, it's ready to go and you can do that on a desktop or a laptop. And then if something happens with the boss's computer or whatever, now you have extra parts right there, that's a smart way to do it. It's not a substitute for warranty. Obviously you want to have warranty. But my point is that on the business levels, you get pro or enterprise versions of the software and the operating systems. So you get elevated software experience. And most of those levels are the ability to connect that end point to a server system, because that's typical when a corporate invites. The ability to enable at least on Microsoft's pro and enterprise or pro at least. And up is the BitLocker, and encryption of the hard drive. don't have that capability on a home level operating system. if you're in a sensitive or regulated environment, these are important features that you're going to want to have. So the consumer level equipment, though, it's like best effort. It's like bleeding edge, the video card, or the motherboard, or whatever might change and all of these hardware things, variances that change month or week after week, or whatever it's kind of a mess for a company. Because even if you buy that same make and model, you're not guaranteed to have the same innards and parts under the hood. So if something breaks, there might be a, fair answer, a difference there with, oh, this video card is different than this one. So that's why it's so important to get business. Equipment. And it cost a little bit more sometimes. Yes it does. But it's that standardization and that consistency that gives you that strong foundation from an it or a hardware perspective that now goes into cyber because now you've got policies. Everybody's the same, got people working from home. You have a plan, which model to get,

Blake:

So I think that, stuck too. And I felt when you said that is because obviously I have an apple computer and, upgradability.

Craig:

Yeah.

Blake:

So usually the prosumer equipment, it's like, oh, well, you can take the Ram out. You can take the SSD out it's very modular. if the hard drive fails, you don't have to send the laptop off, like you would for apple or something. It's okay. Just let me pop a new NBME drive in there and, bam, using Zuora, active directory or whatever, and log in, like you normally would wants to rejoin this device to the network and bam, seamless

Craig:

jumping off of that point, there the reason why, if you have a company that you want to join, the end point to the network is, so then you get the advantages of things like group policy and the ability to standardize at the software level. Okay. This is how everybody's going to behave on the network. We're going to require complex passwords and everybody's going to have to change their password every 60 days. And it has to be this long and you can't reuse the last one. And so Microsoft's ecosystem group policy, and the ability to script and systematize things is very crucial for an enterprise. And this isn't a conversation about which one's better as far as apple versus Microsoft. I use both of them, but in a business environment, If you're using Microsoft products, typically Microsoft operating systems are the choice for compatibility to take advantage of some of these functionalities, because if you've got a Mac, not to say that a Mac can't be made to work but my point is that you don't get the same feature set and you don't get the same depth on a Mac joining a corporate domain network. For example, as you would like a windows 11 endpoint.

Blake:

Yeah, no. this is kind of funny, but something that we kind of touched on our last podcast, but it was things that you do every day that expose you to hackers. I think that was our last podcast on Friday, but anyways, we kind of went on a little rant people and the way their mentality, this is probably something that we haven't really talked about, but when COVID hit, first of all, nobody was ready for. and then, it was just an overnight change. Okay. You're not coming to the office tomorrow,

Craig:

Yeah.

Blake:

Weren't ready for it. that's you, but the mentality of the workers. They weren't conditioned for that. It's not like okay, well, you've been in security training for a year. You should be good. that's usually not the case. something to that, and Aaron were bashing our head against the wall. And our last podcast was, there was some federal judge ruled that it is within law somebody to use their work email for personal use outside of office. Just because can doesn't mean you should. We were like, what the heck? First of all, I just thought that's a silly law,

Craig:

Yeah, I'm not a lawyer, but anything else in law could get overturned in the future. that just doesn't seem to make sense to me. it's a company owned domain and it's on company services, whether they're hosted SAS model or are there services that are being utilized at their premise, right? they bought a server, they have a license they're buying compute power to store that stuff. So you're telling me that with the current ruling, that person can have 20 gigs of personal kids' photos or whatever on their work, email, and consume all that property of the business and the business is supposed to just pay for it.

Blake:

that's right.

Craig:

I think it's a ruling now, but it probably will get overturned in the future. Obviously for best practices. For company standpoint, I would try to put a policy in place that basically prohibits that. And the reason for that is if you've got all your employees that have free reign. They're going to use all the resources and you're going to end up as the owners paying for more compu power, more storage, more resources that's necessary. And that just creates a really muddy area, especially if you're in regulation. definitely would avoid that from a business perspective. there's so many free email system, Gmail, Hotmail, MSN you name it, fill in the blank. There's free emails that can be used for personal use. I don't know the details of that. I'd have to do the research on it, but maybe one-off email, I guess there's just so many questions around that.

Blake:

I can send you the article that we pulled up. But yeah. So if you're using company email outside of the office, outside of your scheduled work hours, it is legal for you to use that device for personal use personal email. And the two things that immediately we talked about Aaron and I is one let's just say you're purchasing stuff on target or Walmart or whatever, or, you're entering a form on a website and then they share your information and then you start getting emails into your work email, one you're opening, an extra door that doesn't need to be opened. The second one is I think about it from my mind is productivity.

Craig:

yeah.

Blake:

I log into my email and I want to, see work emails. I don't want to see anything else. I don't want to comb through my work emails, or my personal emails to get to the work stuff. I already get plenty of emails for work. trust me,

Craig:

well, that's a good point. But the other thing I was thinking of is let's say you've got personal stuff in there in your work email. And if the company that you work for is regulated and subject to store emails for seven years for retention purposes. Cause that's true. Some companies have to store all the corporate emails. Well, now you have a privacy situation though. You have a privacy situation around, if that mailbox let's say you get terminated or somebody buys the company. If somebody buys the company, now they're going to have access to all your personal emails and the corporate emails. And there's no easy way to sift and sort like you were just pointing out. That creates a very gray area situation, I would think.

Blake:

a magic going to all the websites that you have, like Amazon target and changing your email from your work email a now personal email that you just set up

Craig:

Yeah.

Blake:

I'd rather have a root canal.

Craig:

Yeah.

Erin:

Yeah.

Blake:

Seriously,

Craig:

Yeah.

Blake:

at least I don't have to do anything,

Craig:

that's a messy, messy situation. I foresee.

Blake:

but it was just something stupid. and this is it kind of segwayed from conditioning. These employees, there was no condition period. Okay. Like You're here now. You're there. Sorry. And just because you can do this doesn't mean you should do this right. Legally on paper. We kind of had a little rant listened to our last podcast and hear it. But people just, they weren't ready. They weren't conditioned for this and that can create a huge problem. who knows where we're at now? I know we've all been working remotely before the pandemic. Right. We know what to do. been in this ecosystem for as long as I've been here, but people just weren't.

Craig:

I would still say, and I would speculate that I would still probably, assume that most people are still not in ideal situations. And what I mean by that is they may still be using home operating systems, shared internet or shared devices at home. Like I said, I'm speculating. Maybe 80% just guessing are not ideal. They're not using corporate issued devices, data pretty private. You don't have a BYOB policy that defines what they can and cannot do. are probably not using proper internet. That's another good point too, right? If you're at home and personal internet service, maybe it's not on the fast enough speed because now you're demanding more from the internet with zoom meetings and everything else. Right. So are you expected as the home user to pay for that? Or do you expense that? there's all these questions that needs to be defined and answered. And that's where these policies come into play. Like what do you allow? What do you not allow it? If you don't have a policy. it's very messy. First of all, if you're regulated and you don't have a policy, you'll fail. But if you're regulated or in that kind of gray area, you should still have a policy if you're not regulated, because it still creates defined boundaries of what the employees can and cannot do. What can they use as far as devices? What should the internet connections be? Should they use a VPN? All of these questions should have answers from your company culture.

Blake:

I've heard from people that worked at apple, that people that work at the support center for apple, it's all a hundred percent remote based job, but that they would send you, an IMS. And then they will not only this, when did you send your shoe and iMac, they would send you a hardware firewall.

Craig:

Okay.

Blake:

then obviously the iMac was loaded with all the little jazz, that you would need as a VoIP phone software or something. And some of them, a VPN that's already configured to their network and stuff like that. but now pretty recently with some of the security issues that have been going on, companies realized now it's like, okay, they may not have the right internet. They may not have the right operating system, but the least that we can do to get them secure is to put them behind a hardware firewall.

Craig:

when he just said that I'm thinking of, policy standards or compliance standards around like NIST 800, 1 71, there's 110, processes that we talk about. Right. And the firewall was one of them. And it's going to, depending on the make and model of the firewall and the capabilities, it may address more than one of those security controls. But like you said, this is where it was probably a good decision by apple because now they standardized, okay. Now they have a hardware firewall. They have all these things, and they've already mapped. My point is that every business should be doing that and they should be thinking that way. What can I standardize? Can I standardize on the firewall? Can I standardize on an internet speech? What am I going to allow in my corporate network? Or am I going to allow, am I going to allow windows computers? Am I going to allow to Linux, am I going to allow freedom to choose? Or am I going to standardize? And everybody's going to use this for this purpose. And all this stuff needs to be discussed and decided upon and documented, and then mapped back to those NIST 801 71 or whatever framework make sure that you're addressing all of these areas because otherwise, if you don't, do this stuff and you leave it to freewill. everybody's going to use password for password, and it's just going to be this open door and then guess what? Just like what phishing emails and business, email compromise one wrong click, right? Well, now you've got all these people have such variants in their configurations that can connect inside the corporate network represent your company. they do something wrong regards to not securing something or not using MFA or whatever, and you didn't define it it's a recipe for disaster and a breach, then it also becomes very interesting as far as an investigation or a forensics go. Because if the business owner if they're regulated or subject to some, and there's so many different regulations that keep changing and keep getting released at the state and federal level, point is that you can get in big trouble really fast by, oh, FTC had a regulation around that, and I should have been doing this. It just gets really messy, really fast.

Erin:

So, I worked at a place before I worked here and we worked remotely, I started an office and then they sent us, home, but their practices and this is 15 years ago now probably, but their were like so good. I think I was actually one of the first people where they stopped giving us laptops, so yay my luck. But we still had to bring our laptops in and our head of it would configure everything. I think she might've even come over to my apartment to make sure everything was set up properly. We had a VPN, a secure VPN that we could log into. They might not have done everything right. But they did definitely do that. Right. And then that's when all this happened and when we were writing blogs about cybersecurity for coronavirus and things, I really thought about that because it was so time consuming just for person to get everything set up properly, for this company, it wasn't a huge company by any stretch, but to think about the logistics of that and also it didn't quite happen overnight, but it kind of happened overnight, and everybody was scared to be around people in general. It's just a recipe for disaster. Hackers are shameless. They will take advantage any situation that they're given and it's. A little disheartening, think about that, but why wouldn't they, I right.

Craig:

Right.

Erin:

So it's just something to think about. And I guess another thing VPNs, I feel like would be such a great bridge to people for people, especially if they're, working from the office and they have to start working from home. Cause then they can connect to something that's familiar to them and things like that. I feel like a VPN would be a huge win for, cybersecurity and remote or command show. There's a lot of other things too. Right.

Blake:

those companies are doing that now.

Erin:

A lot of them don't

Blake:

Yeah. yeah.

Craig:

well, one thing I. would just point out real quick while we're on the VPN topic is there's two different kinds of VPNs too. And a lot of people understand the difference. There's consumer VPNs and the purpose of a VPN at the consumer. It's typically to mask your location to appear like you're in a different country or to mask your traffic for privacy reasons and so that, big companies can't track you on the internet. It encrypts the traffic and encrypts, what you're searching on. It makes it harder to pinpoint you where you're located. privacy is really that version of VPN and that's a consumer level. Then there's corporate VPN and the purpose of corporate VPN or business quality VPN is really to get that home worker and this scenario that we're talking about with COVID, right? So if you're working from home or maybe your work has changed the way that you work in your permanent work from home, my point is that a corporate VPN is often issued and should be issued. So. Then have a secure connection from where you are back to the server at the office for connecting or mapping drives sessions and things like that. Now you may not have equipment at the office anymore, or maybe your office is kind of restructured and they're not going to renew the lease. So maybe they're going to put that in the cloud. So then there might be a different, termination point for the VPN, or maybe VPN is no longer needed because you're going to use a different kind of service. My point though, is that there is a big difference between a consumer level VPN, like on your cell phone or on your computer for privacy reasons and then a business or a corporate level VPN, which intent and the purpose of the corporate VPN is really to bring you back into the office virtually it's really the best analogy or way to put it.

Erin:

And that's what it felt like to that one, especially because I'm going from home or going from work to home,

Craig:

Yeah.

Erin:

it was just a great way. You're still familiar with everything. Like you said, it's, just creating that constant,

Craig:

Yeah, that constant connection. And the other thing that comes to mind too, is when you were talking, Aaron is when we were talking about standardization, what comes to mind when you're talking about that is I remember very well-known local car dealership. About 15 years ago. They're like, oh we're expanding, we're buying new locations. And we want to get I can't remember if it was 50 or a hundred different computers, end points at the time. So what I did what my company did at that time was we created and worked with them to create what's called a master image. So we got one computer set up with all the software, all the security, everything was perfect. And then what we did was we closed.

Erin:

oh yeah.

Craig:

So we cloned it. So it was identical carbon image and mirror image to all the other end points. Every single one was the same. And then at that time we changed was called the security identifier or the Sid number. my point is now you have a rapid deployment of they're all set up. They're all preloaded. They have all the company stuff on there. They have all the security settings locked down the way it should be. The only difference is you have to log in with your unique company, issued username and pay. Everything else is there. I think people kind of forget about, or maybe not know about that kind of technology anymore, and they're just kind of doing this onesy twosy kind of stuff, and just kind of buying stuff as needed. But that's really the advantage of standardization for a company though, like to know Hey look, this technology has existed forever. And it's very valuable to a company to sure that you have everybody operating under the same standards that you set and that you customize for your company so that every single person that's working for you is all locked down the same way. They're all using the same software. just so much easier in the end for deployment of mind.

Blake:

I think every company should be exploring virtualization in my mind. Maybe it's just me, but it just makes so much sense, right? At that point, it doesn't really matter if you have a BYO because everybody's remoting into a virtual machine. They're working from a virtual machine they're behind your company network. And then, if whatever happens, let's just say, for example, that person decides to leave. What do you do? You just clip the VPN access? Bam. There's nothing on their machine. just such a clean...

Erin:

Clean exactly,

Blake:

process. I think.

Craig:

No, you're absolutely right. So there's two levels of that. There's called remote desktop services or RDS, which otherwise known as a terminal server. That's what the old name used to be. So there's that way to set up an environment like. And then this was a VDI or virtual desktop infrastructure, but yes, for a business, either of those solutions, obviously start with RDS or remote desktop services first because that's the cheaper option. The other option VDI is more full featured, but also more expensive because you're buying full licenses and everybody in the company technically has their own dedicated virtual machine. it's just a little bit more costly. But my point is that that is a great way to centralize things, introduced proper configurations around redundancy especially for compliance. It makes compliance work a lot easier because now you're no longer reliant upon the quality of equipment at home. So that could be a home device. And you could define that in the BYOB policy that you write, but all of its power, all of its compute, all of its Ram, all of its storage, all the work functions are all on that. That's hosted and server could be privately hosted like we hosted, or it could be in the cloud somewhere, what Microsoft or Google or wherever you want it to be. But oftentimes our hosting, which is local and personal is faster and cheaper than the competing offerings, because we work hard to establish all those vendor relationships. But my point though, and to underscore what you're saying, Blake is especially if you're a midsize or a little bit bigger company or even if you're a smaller company, just kind of really, it depends on where you are on the technology side of things, but that virtualization is a great way to standardize very quickly. So if you're growing and, or even if you know that you have a mess of technology, that's all different all over the place and you want to take the step to standardize and do it quickly. Virtualization is definitely the way to go and do that very fast and right.

Blake:

I guess you could look at as the cost breakdown, right? okay, let's just say, for example, you do want to standardize everything. You do want to keep everything secure. What's the cost of buying 10 laptops or 15 laptops. You've got 15 employees or whatever. Right. And then you have to pay somebody or an it department, or most likely need an it department anyways. But the cost of keeping all that under management, you just create a virtual environment, bam, give them a log in, let them log into it, let them use their own devices that everybody's got devices at home. They're already familiar with using those,

Craig:

So one of the things that we did, for the dealership said for other environments like manufacturing, was it adopt technology, cut thin client technology. thin clients are usually running an embedded version of windows Linux, and it's usually a hardened security operating system. And it's a smaller footprint, usually about the size of a paperback book, more powerful models. That'll support. Multiple screens are a little bit larger. Sometimes they Mount on the back of the monitor. So they're really clean as far as their appearance and cosmetics, but its purpose in life is really just to drive the screens and the mouse movements, because all of its power remember comes from the data center, comes from the virtualization layer. these devices that are security hardened often are running on flash or solid state technology. And here's the best part from a total cost of VR. I have actually a spreadsheet that calculates this. did this years ago, were one of the pioneers for thin client technology. If you graph it out, it's significantly cheaper to adopt methodology around this because like Blake just said, you're no longer reliant on that spinning hard drive. Or even if you're using a soft heart driver, whatever. A computer nowadays, exponentially more expensive than a thin client. And if you're a business and you buy 10 or 20 or 50 things. And you spec them in architecture the right way. They're all identical. Well now there's no imaging or any of that anymore because all of it's on the server, right? So now you send it off in the server. Now, all those are all identical and it's all centrally located on the server. have no risk of somebody a laptop there's laptop, then client versions, as well as desktops. If one of them gets stolen, there's no data that's on that device. It's all at the data center in a secure area. So there's a lot of security benefits scalability benefits as well. So yeah, definitely a great option.

Blake:

Something that I've noticed too. Cause I know the clients that you're talking about, obviously I've worked with them and I've been to their offices I've seen it then clients and I've worked with them. also something that I noticed when I was working on them it's an extra layer of security, Because you have to log into the thing client and then you have to log into your desktop.

Craig:

Yeah,

Blake:

it creates that extra separation between your virtual environment and the hardware living at end point.

Craig:

that's Right.

Blake:

So noticed that too. And I was like, oh, that's interesting.

Craig:

a lot of them are fan lists, so no moving parts. So if you have a really dirty automotive environment, manufacturing environment, a lot of dust, stuff in the air, machining, stuff that just would kill a computer with a fan. Thin clients are awesome for that because there's no moving parts, nothing spinning to suck in that dirty air or anything like that. and they run forever. And here's the best part. You literally can buy an extra one, have it on the shelf, or have a couple of extra ones. you literally unplug it, power, the new one on, and you log in just like you did before. There's zero connections. It gets everything from the server. So think about if you have a company 10, 20, 50, a hundred people, more people, all that time adds up. Now look at all that time savings you just avoided. And the same thing with personnel, you don't need it, staff everything could be outsourced more easily and less expensive. It's a great model.

Blake:

Those things are tiny, too. I know you said that already, but think when you said a book, I was like, oh, they're smaller than that.

Craig:

Well, some of them are, yeah, have one, it was like a little cube, but I don't know if I have it on my desk anymore, it was really small. I think it was four inches.

Blake:

Yeah. It's just enough to plug in to, dVI or whatever.

Craig:

That's right. Yep. And you could do dual screen, like you're saying, and then some of the models, some of larger ones support four screens at one time. So really the biggest the video capability on the model that you choose. they are running an embedded operating system. Like I said, it could be a windows operating system or a Linux operating system. Those are the most common there's USB ports in them for physical devices that you connect like printers or scanners and things like that. And those, by the way, can get mapped over through the virtual desktop connection so that you can still use those physical connections print to them and things like that. But yeah, it takes of that headache away from the end point level. it removes that central point of failure and puts it all at the data center.

Blake:

Yeah, it seems like some of our clients that we're lucky because we've already been talking about these things for years, like 5, 6, 7, 8 years, and they already ready.

Craig:

we still have clients that are using them that are seven plus years old. They're in thin client setups, but it's perfectly fine to do that. You could escape that three-year cycle with a computer because listen, it doesn't matter when that thin client dies. It will die one day, as long as you're prepared, as long as you have an extra, you literally plug it in. You could be midstream typing that email or working on that proposal. The whole thing can blow up. You literally unplug it, put the new one in log in and your, email is still on the screen.

Erin:

That's crazy.

Craig:

you finished your email and finish and you have zero downtime. Now we've designed systems like this for a very long time.

Blake:

Not only that too, but the responsibility of maintenance and hardware and performance all falls on, whoever's providing that to you. If think about the hardware lives at the data center. So like, oh, when we see the hardware needs to be upgraded or it needs to be modernized or something. I've been there with some of our team members who have upgraded the Ram and the data center and, that purpose, because we had so many users that were using remote desktop environments from us that our Ram was just like, Hey, upgrade me, upgrade, Imagine if you do the laptop thing and you cheap out, right? We've segwayed right into this perfectly. You might three grade laptops,

Craig:

Yeah.

Blake:

Let's just say the last Three to five years. That would be a good, purchase, I don't know any home grade laptop that'll last, you five years personally.

Craig:

And if it did it, be slower. It just wouldn't be ideal. And, even in this kind of thing, client with server backend and compute coming from the data center, instead of you putting all the money in the laptop or the desktop, like you said, the Ram or the storage or things like that you're moving that cost to a rented model or an operating expense model at the data center. So let's say, you would normally buy a one terabyte hard drive for all your stuff. And maybe you'd buy like 32 gigs of Ram or whatever your resources you would buy in a laptop or a desktop that would meet your. Well, you would still carve that out at the data center level for your user session, but here's where it gets interesting. Maybe you don't need 32 gigs of Ram and maybe you don't need a terabyte. Maybe you just bought that stuff for future-proofing yourself. Well, here's the best part with the total cost of ownership model on the data center side, you only pay for what you use and what you need. So if, and when the time let's say you only need 512 gigs storage and maybe you only need eight gigs of Ram and then, Hey, you need more. You just buy more, you expand it's scalable, but you only pay for it when you need it. So think about it from the perspective of you could really be saving a lot of money because maybe you overbought forecasting, oh, I'm going to need 32 keys gram, but maybe utilization really sits at eight.

Blake:

if we could wind back and we could preach about this six years, six years ago,

Craig:

Yeah.

Blake:

imagine how much people would have saved money,

Erin:

Money time headache. So many things.

Blake:

everything stress.

Craig:

I think it, depends on the mindset though, because I've talked to people years ago about this model and some people just really wanted to buy traditional gear because they wanted that right off. Usually it's section 1 79, I'm not an accountant or a financial person, but you can check. But my point is that usually there would be accustomed to buying computer equipment, buying the servers, buying the laptops, and that's fine. And you can buy these thin clients and things. like that. But beauty of this model is longevity. You're escaping that three-year cycle. even if you were to buy it and spend 50 or a hundred grand on that purchase, if you change that into an operating expense, you're moving farther ahead this model because just escapes that three years.

Erin:

Yeah.

Blake:

something to, I do know, and this is only because I do my own taxes, but again, not, a tax advisor or anything or a lawyer, but the disclaimer or the law that you're talking about has a term limit. You can only write off of the appreciating for, I don't know how many years. I think it's three to five. or something.

Craig:

Yeah. I think it's five.

Blake:

So, it just doesn't make sense. you pay all upfront and then you get a smaller life period or pay over time and expression this from a business perspective, cash is king to every business. That's the reason why apple has a billion trillion, how don't know how many billions of dollars in cash reserves Ilan Tesla. But then what they're doing is I've heard from the Twitter take over, which has now been halted from Elon. I've heard that he has enough money do the acquisition in cash, but what is he doing? He's raising money. because cash is king He can get like a point, 2% interest rate or something for that amount of money. And you should hold onto your cash if you're a business. in my opinion, common sense, but if you're spending thousands and thousands and thousands of dollars on all the stuff you have to buy, first of all, you buy the laptop, got to buy them headphones and go buy the mouse and keyboard, and then you gotta buy them extra monitors and you got to, oh, they're going to be traveling. Okay. You got to buy them a nice case. Then you've got to, who knows. It just keeps adding up and then maintenance and blah, blah, blah,

Craig:

to, be Frank, if some of that stuff you still have to buy, you still might need a microphone. You still might need headphones, but the root or the brain, or a lot of people will call it the tower or the CPU. that device is what we're saying. You can virtualize and put in the cloud. So you no longer have a piece of equipment that big bulky tower or mid tower at your foot that you kick you're outsourcing that role. And you're connecting all your devices, your mouse, your keyboard, your printer, your scanner, whatever you use your microphone for zoom meetings, your headphones, things like that, all of that gets connected into the thin client. And then you're virtualizing that compute power. And as your needs grow and change, you rent more of that, from the data center.

Blake:

Yeah, sorry. I probably should have clarified a little bit better, but you're going to get a much longer investment

Craig:

That's right. and that's where that total cost of ownership is so much cheaper. That's what I was saying. I graph that out on the spreadsheet and it basically on the spreadsheet, I have you just plug in the details. like. how many people do you have? How much compute power does each person need on average, what's the storage, and then it shows you, okay, this is your lifetime over a three-year term or a five-year term. This is how much you're going to save versus buying it. It's a really powerful visual diagram.

Blake:

It's surprisingly low too. Cause I've seen some of our customers and I've seen the compute power that they're using. it's less than you'd expect, Cheap.

Craig:

And it's more affordable than you would expect to. Obviously we have to do an assessment to figure it out, but the pricing, sometimes it's less than$200 a user. Sometimes it's more than that. It just depends engineering companies used to be. The big ones have to get wound it's called virtual GPU or video card virtualization, things more or more expensive if you have to do CAD and things like that. that pricing is going to go up because now you need a high powered, video card in the server that can then be virtualize, but all of this technology is available now and, it's really easy and you could still take advantage of that total cost of ownership savings. And it's significant. it's a lot of money savings.

Erin:

And it's cleaner

Craig:

Yup. Way cleaner.

Erin:

the inefficient.

Blake:

I just like how clean it is,

Craig:

Yup.

Blake:

we have a customer. I'm always adding new users and taking away users and they operate from a desktop environment. Aaron knows who I'm talking about is just smiling. But now it's just so clean cause they do that they send out an onboarding instructions. Hey, here's how you're onboard. Here's how welcome to the company. First of all, how you onboard. If you need some help, reach out to Petronella tech, we'll help you on board. And then, yeah, at the end of the month, if they get clipped or the same day, within 20 minutes, they're clipped from the server and they no longer have access to their desktop. Their company can literally hop in and jump right into their virtual environment and take the files if they need to, and then we can absolve the virtual machine or it's just so clean and it just feels right. it feels, like is the future.

Erin:

Yeah.

Craig:

Yeah. And it's proven. It's been around for a while. It's good, good technology. like I said, there's two flavors of it. Most people do the less expensive option, which is called remote desktop services. And then if your needs are more complex and you need, more compatibility that they work in an RDS environment, then you have to go full VDI or virtual desktop infrastructure. But which is more expensive. It's not a lot more expensive, but it is more expensive because you need virtual machines for each of your users. But the point is it is a cleaner design from a regulatory and compliance and cyber perspective. It's more scalable. It's easier to script out. It's easier to pass audits and be more aligned with compliance. So Yeah. It's definitely good way to go.

Erin:

Is there anything else, any other recommendations that you would give them, like some quick and dirty? These are going to help you the most,

Craig:

I think that for this podcast and for our discussion today, I think that the best thing I would advise is just only to our assessment process and methodology and reach out to us and we'll start that conversation and any other improvements can be made for you specifically. But yeah, for our conversation, there's so many different things that can be done, but that's acknowledged that we talked about within clients and RDS and VDI. Those are some really common approaches to really accelerating the compliance and cybersecurity initiatives and just really paving the way for a lot of people, because know that a lot of the folks, they don't have ideal configuration. It's almost like a clean slate or a fresh start, so to speak. And it doesn't necessarily mean that you're going to have to go buy all this stuff either. One thing that I'll just kind of leave before we close our podcasts for the day, say you have an endpoint that's at home user or operating system. You can use that as a thin client, but here's the caveat. And the thing to think about if the thing is outdated and no longer supported. So it meaning you can't patch it in. It still would pose a security risk. And that's why like Blake was saying, if it's beyond that three or that three years is the manufacturers end of life, right? if you're lucky. the most stuff, nowadays comes with 90 days or a one-year warranty. But if you're lucky and you have a business relationship and you have a business warranty, you can typically buy a three year warranty on very rare occasions, you can buy a five-year warranty. But my point is, if you're out of warranty and your device is no longer supported, that is when you have to just start over. Yes. I understand for the people that if it's not broke, don't fix it, but that's a different methodology. And in the cyber security world, if it is end of life, consider it broken because you can't get patches for it anymore. And if you can't get patches for it anymore, and you can't band. It's a security risk and it's going to cause your company more harm than good, which is why, if you're entertaining a model, like the virtual model that we're talking about today, this is where it would be important to go through our assessment process because we can then say, okay, well you can get them clients and they're this cost. And by the way, they're going to oftentimes be a lot less expensive than you're used to paying for that laptop or that desktop, especially with prices nowadays, with pricing going through the roof, thin clients are still great options for a lot of businesses. So my point is that Yeah, we can go into various different kinds of technologies, but I think that for today to keep it more simple, would say reach out to us. Let's do an assessment process. Start off with just a conversation. Doesn't cost anything to have a conversation with us. And if there's a fit, we'll go down the road of mid assessment process. Fine tune and customize it and show you with our spreadsheets that we have show you how much money you can save. oftentimes it's a lot of money. Well, usually it's, six figures.

Erin:

Wow

Blake:

we talked about in one of our other podcasts too, I think it was what we like about working in cybersecurity or something,

Erin:

a day in the life.

Blake:

Yeah, I just kind of want a segue because the reason for the assessment is because every organization is different. Every company has different needs. Every company has different people in place, in different assets and resources. And the reason why I bring that up is because every company is a new challenge, no one size fits all. There's no magic pill. There's no magic potion. There's no waving of the wand and Hey, your cyber secure now

Craig:

That's right.

Blake:

and people expect that business model has changed. The internet has changed.

Craig:

yeah.

Blake:

has changed with the internet within the past five years. That's what they expect. They're like, oh, I can just go online and order it. And then there's the fixed my problem, right. That doesn't exist in cybersecurity.

Craig:

Yeah, exactly.

Erin:

and Craig too, before we leave. If you don't mind, I would love for you to explain to people a little bit about the importance of an assessment. I really like the analogies that you tend to use with that. I think that, cause I think a lot of people think that they're unnecessary or a waste of money which is so far from the truth. It is so far from issue. So maybe if you want to take the opportunity to just explain why that is such an important first step in the process of coming up with an effective cybersecurity portfolio. I think that would be helpful.

Blake:

you should talk about RF assessment process as well the end of that. And then, so they'll know why we do it.

Craig:

sure. Yeah. So we have a four pillars assessment process, and we have different flavors of the four pillars, depending on if you're at a regulation such as HIPAA for healthcare or Nisty forest, and CMMC compliance for defense industrial base. So we have different versions of our four pillars, but we go through all seven layers of the OSI model start from the physical layer of your infrastructure, your wiring. And we go all through that. If you have a corporate building or you're leasing space, through all of that a fine tooth comb. And then we identify gaps and areas of issue that could cause downtime or cause loss of productivity. So we go through all of this process and by the way, if you're in a regulation of some sort, which most in some type of regulatory mandate security risk assessment processes, an annual requirements. So we're able to check that box and get you that requirements on. So you should be not just doing this one time, but you do this every year. it's very important to follow our process because it's really a way for us to deep dive into not just your technology and your cyber and your compliance, but your business. Like we look at your business, we look at what you do, what your workflows are, how you're using technology. look for ways of areas of highest opportunity to improve. How can we do things faster or cheaper? Like I said, with the thin clients, maybe there's a fit there that we can deploy that model to save you a lot on costs there. So it's a thorough, dive into your organization. We go through that with a fine tooth comb and the output is a blueprint and a plan of exactly what needs to be done and where your opportunities and your gaps are. And like I said, it's not only recommended for regulated businesses. It's really recommended for any kind of business to go through to really figure out, where are you? What's your score? What can be improved? And we do the it side as well as the cyber and the compliance side, and we meet with you and we go through it together,

Blake:

I would talk a lot about doctors and stuff like that, but a good example in that people are used to is like, you go to the doctor and you say, Hey, this is what's wrong with me. Right. And the doctor's like, Hey, let me run all these tests and we'll do blood work and we'll do this. And then they come back and they say, okay, well, here's the results of your blood work. Here's what action steps we need to take make you feel better.

Craig:

Yup. That's right.

Blake:

That's what people are used to. It's never really been in that way, because people and some of our competition, and we've seen it before, where they come in and they say, Hey, here's a solution, right? Bam, bam, bam. then ultimately the client doesn't get what they need. They get underserved, they get overcharged. And the solution is entirely wrong.

Craig:

that's, so true. So the analogy, you don't go to the doctor and you say, Hey, I want this drug. You, have to go through the doctor's methodology and we've worked hard for the past 20 years to develop this proprietary four pillars methodology. It's very easy for a competitor to say, oh, we'll sell you this solution. And it costs X, but it's not fair to you, the consumer or the business to get pitched a price like that, or a solution without a proper discovery and assessment process. Because every business, every person is. So you have to go through that process to figure out what are your options? What can and cannot be used because maybe throwing that certain solution out without a proper assessment. Maybe it's not compatible. Maybe you do something in your workflow where it's a deal breaker. It's just not going to work. So we find those gotchas before you invest a whole lot of money. before you go down that whole rabbit hole, and oftentimes in the end, we're saving you money. Anyway, we're improving efficiencies in cybersecurity. So it's very important. it's an eye-opening experience for sure. A lot of our competition does not follow this methodology. They're just quick to pitch out numbers and throat cheap numbers, but,. like I said, it's an invaluable exercise that we highly recommend for all the folks that have gone through it, they would agree that it's an eyeopening experience that has really helped them significantly save costs, but ultimately design a much more robust and solid foundational framework. That's really been the pillar of growth.

Erin:

If you think about it, you really can't solve a problem unless you know that the problem exists. Right.

Craig:

That's Right.

Erin:

So how are you going to solve your cyber security puzzle when you don't even know what the pieces are?

Craig:

Yep.

Erin:

You're not.

Craig:

That's right.

Erin:

You can try, but it's like throwing spaghetti at a wall. See which one sticks, but that's wasteful, it's inefficient, it's expensive, I know people look at an assessment and they're like, oh my gosh. just, fix it. I don't care. Just fix it, but it's just not, that easy.

Craig:

Yeah, everybody wants to jump to the solution and, know, fix, fix, fix, but you can't fix something unless you run proper tests and diagnosis first, and once you zero in on the problem and find the root cause of it, we can write a prescription of what's the plan of action.

Blake:

I think you said that stuck to me too, is you talked about growing, right? That's the thing, everybody here, who's listening, who's a business owner they're focused on growing their business. if you say, Hey, look, here's my needs currently. And this is what we do with our methodology as well. We look at your needs currently. And then we look your possible needs in the future.

Craig:

That's right.

Blake:

but if you just get a number from X cybersecurity company, oh, they're just looking at what your needs are now and not considering your future growth. And that's where we've had clients that have came to us, new clients that have said, Hey, look, I just outgrew my service provider. They don't enough support resources. They don't have the proper expertise to support me, we've outgrown them. And that happens so frequently. And that doesn't happen because of our approach one. And then two, we think about scalability. And then, that's your goal? Your goal is to grow your company

Craig:

Yeah. And you don't just wake up one day and say, I'm going to build a building a house. You need a plan. You need to have an design it, make sure you have solid foundation and footing. Make sure you don't have, a river running under your land or what you got all these. Gotcha. And that's the thing with our solution and in our methodology around our four pillars assessment process. And that's why we believe in it. And it's part of our culture. To do things right. And we want customer's best interest in mind to be able to give them that secure foundation for growth, much like a good doctor. You want to be able to trust your doctor, give you good advice and find things proactively, right? So that you are in good health and you have a long life. It's the same thing with your it and your cyber. We want to make sure. You're designed the right way. We're going to present you with all these different options, but they're going to be options that are specific to your business and your workflow. But thing I wanted to point out is with the thin client, some situations you can't use it then client there's two types of solutions, VDI remote desktop. Oftentimes people start with the remote desktop or the terminal server option, but there may be some application that you use that's vital to your business and maybe it's not compatible. So maybe you have to use the VDI option, but we don't want to just say, oh, you must use the VDI option at all times because that option is more expensive. So if we can save you the money we're going to help you save the money and do the alternative. The same thing with compliance, with NIS and deforestation, CMS. A lot of other companies won't tell you about what's called secure enclaves. We like to tell our customers about secure enclaves because it simplifies the security makes it easier and more affordable for businesses to be able to comply. So instead of if you're a 50 user company and maybe you only have five people working with sensitive information, we can scope out a five users, secure enclave and save you a huge amount of costs. That's what we're about in our culture.

Blake:

Something that we've talked about to you and kind of, we should probably say. But we end on, we take approach to cybersecurity and most of our competition takes a reactive approach to cybersecurity. And obviously we're talking about saving money and they're talking about spending money, that's the only way. And it's the same thing. We talk about doctors, we just got done talking about doctors. What do you think is going to be more expensive for you to go to the doctor when you're dying on your death bed or going to your yearly checkups and doing your health, your physicals and, things like that, being proactive,

Craig:

we make your vegetables tastes like candy.

Erin:

The sweetest onions you've ever had

Craig:

There you go. Eat your vegetables.

Erin:

homegrown right here in Carolina.

Blake:

Yeah. Cyber security onion, not the low hanging fruit.

Erin:

Thank you. It's always great talking to you, Craig, and I'm hope we all have a great week.

Blake:

next time.

People on this episode