Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Unraveling The Complexities Of Cybersecurity, Compliance And Bitcoin Wallet Security
Do you think you're up-to-date with cybersecurity and compliance? This episode will uncover some surprising facts that you may not be aware of. Firstly, we'll be unravelling the complex challenges that healthcare organizations face, especially when dealing with outdated medical equipment. We'll look at a real-life case where a hospital was hacked, and we'll discuss the importance of third-party security testing.
Next, we're shifting gears to discuss the intriguing world of Bitcoin wallet security. We'll explain why wallets prior to 2012 are particularly vulnerable and why moving them to cold storage is a strategic move. We'll also be exploring the regulatory landscape and the importance of self-assessment. We'll introduce you to resources such as NIST and CMMC and emphasize the value of antivirus software, disk encryption, and firewalls.
Finally, we'll be discussing the crucial role of compliance within companies. Compliance isn't just a box to tick - it's about taking responsibility and making sure your company has tailored its own path to compliance. We'll explore the potential impact of personnel changes on compliance scores and delve into a recent case involving a CISO charged with fraud. This episode is for everyone – business owners, cybersecurity enthusiasts, or anyone interested in staying safe in the digital world. Tune in for an eye-opening discussion that will help you navigate the complex world of cybersecurity and compliance.
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https://petronellatech.com
Morning everybody. I'm Blake Ray. Hello, welcome to another podcast. We're going to talk about some top news cybersecurity and compliance. We're going to talk about CMMC, a little bit healthcare, a little bit about what you can do on your own for compliance, rolling your sleeves up if you should to dare to dive into that rabbit hole. And then obviously, we're always here to help. Blake, you want to take it with the hospital?
Blake:situation. Yeah, so obviously we like to touch up on some of the news, get the podcast going and, funny enough, the cybersecurity firm has pled guilty to hacking two hospitals to boost his company's business. I don't really know how you get away with stuff like this, but I mean, maybe he saw low hanging fruit and was looking for extra money. I don't know, but it was GMC hospitals and Duluth and Lawrenceville, I'm assuming that's in Georgia, and this was an attack that happened in 2018. He hacked into their phone system and their printer services, and he also stole personal information for more than 200 patients.
Blake:Wow, he somehow connected some type of digitizer to like a mammogram machine as well. So, yeah, and also he used there's over 200 printers in the hospital and he printed stolen information out on those printers and then he had a message on it that says we own you. Oh, my goodness, it just gets worse. And then he promoted the hack on Twitter, tweeting like names, dates of birth, sexes of 43 patients and other data that had been stolen. And now they're trying to give him 57 months of probation, but they estimated that this hack cost the hospital over $800,000 in losses.
Craig:I always think it would be even higher than that.
Blake:Yeah, I mean 200 printers, 200 patients.
Craig:Well, they probably had to declare a HIPAA breach with the Office of Civil Rights. So you know, because it was all kind of fabricated and that guy, you know, leaked information, so wouldn't that kind of class or count as a breach. I mean, I'm not a lawyer, but he exposed their information right. So I mean that's there's technical PHI involved, I don't know. I mean I'm sure there's an investigation happening, but yeah, that's a mess. I mean you trust a provider and then they go rogue on you and I don't even.
Blake:Blackmail them if they were the IT provider for them. They didn't state anything like that Interesting, but the company was Securolytics was the name of his company, and yeah, yeah, I mean the maximum term for something like this is 10 years, you know. So he could go down and do hard time for this, you know. Wow.
Craig:Whenever? How did they find it Like? How did they figure it out?
Blake:I have no idea. There's nothing stated here about, like you know, the investigation that led to this. I mean, it seems like, you know, posting on Twitter, you know, like your own data, like that you've recovered in the breach, seems to be a little silly and and yeah, I mean just doing this in general, you know. I mean, obviously this was in 2018. You know, obviously, like the cybersecurity landscape was a lot different than it is now, you know, it was a lot more challenging. I would say maybe, but, but yeah, it just seems like something that would be from a movie more than it would be from real life, you know.
Craig:Yeah, agreed. Yeah, that's pretty crazy. I mean obviously out-care in general. What's that?
Blake:He has agreed to pay back the $817,000 plus interest Wow.
Craig:Yeah, I would say healthcare organizations in general are somewhat from a cybersecurity and compliance landscape challenging for the organizations because they have a lot of medical equipment and sometimes that equipment is dated and not necessarily focused on cybersecurity. Some of that equipment runs old operating systems, so it's it's a challenge for healthcare organizations to run that equipment and keep it secure, so they need different. You know we talked about different layered technologies and not trusting a single vendor. So you know one of the things that I recommend when doing like a pen test, for example, is not necessarily alerting your IT provider of the test and kind of seeing if they find something wrong, you know and alert you. It's kind of like a checks and balance approach. And the same with your vendors.
Craig:You know you might have a cybersecurity vendor that's doing I don't know security operation center service or something, or maybe you have your own soccer. My point is that hiring trusted third parties to test your people, process and technology is a good idea not necessarily a bad idea and trying to figure out and constantly drill and hone on your weaknesses and gaps and you know continuous improvement is a good thing to do and that's what we teach in tabletops and our pen testing methodology and things like that. So it would be interesting to see what would happen in this kind of scenario If they were to follow that would they, you know who would have detected this kind of thing? So that's why I was curious like how they didn't it sounds like they didn't disclose how it was discovered.
Craig:But, yeah, anyway, that's. Yeah something that.
Blake:I just finally got to the end that he was diagnosed with like a rare and curable form of cancer and some type of dangerous like heart condition.
Craig:This is the IT company.
Blake:The IT guy. Oh, the IT guy, Like there's one, I think there's one IT guy behind it. So something that kind of spins back to me is like, was he like treated at that hospital? Like, was he like did he get the news from that hospital? Like?
Craig:Yeah, like what was the trigger right.
Blake:Yeah, yeah, I mean, I can't think of it being financial. I mean, a lot of the stuff is always financially motivated, but how does that? That's the missing piece. Like, if he was the IT provider, like were they going to hire him, you know, and then he's oh cool, easy, you know, click the box and undo all he did. Or did he get, you know, diagnosed at that hospital and you know he just was having a hard time coping with it and took it out on the hospital. You know, which again, would be the motive, right, Like what's the motive? You know? Right, A lot of times in crime, you know, you never know the motive, you know, and but anyways, found that one to be pretty interesting.
Craig:Yeah, that's definitely an interesting one, for sure. I was going to talk a little bit about this new bug Well, not necessarily new, but this discovered bug called the Randstorm bug, and how it affects millions of people. It affects millions of cryptocurrency wallets. These are software wallets that were created pretty long time ago, but most of the ones that are affected with this vulnerability we're using what's called Bitcoin JS and leveraging a secure random function in the software to generate the seed phrase. So basically, in short, the people back in it says the easiest wallets to attack were those that are generated before March of 2012. So, basically, the early adopters of Bitcoin cryptocurrency that created these wallets, which would be created with software leveraging the secure random. We're trusting that the secure random functionality was truly creating random seed phrases. Well, what happened was a security researcher using the handle ketamine back in 2018 had discovered this in his research that they weren't truly random and the seed phrases were weakened based on this creation. So, in the short answer is these folks that if there's anyone listening that has Bitcoin on a wallet a software wallet that was created before 2012 of March, you really need to move that to a ideally a cold storage wallet, and not necessarily.
Craig:I don't like to recommend a specific brand maker model, but the popular ones. I know Ledger's been under scrutiny recently, but Ledger, trezor, handjump Engrave those are all cold wallets that are much, much more secure than any kind of hot wallet or a soft wallet, and you never want to leave anything on an exchange either. So, anyway, I thought that was a good one. So, basically, wallets that were generated between 2011 and 2015 are quite vulnerable to this type of attack. So you could, according to the researcher, just have your wallet just wiped out, check your wallet balance and it's just gone. So that's really, really scary.
Craig:So I just want to touch on that and kind of put an alert there I also wanted to talk about. There was like a question or somebody posted somewhere asking about more advice around. How do listeners roll up their sleeves and actually become compliant? We talk about all these standards like CMMC and NIST and healthcare with HIPAA and all these compliance regulations, but it sounded like there was an ask about, well, how do we do this, like what are the actions? And it's kind of a difficult question to answer because it's different for everyone. So you've got frameworks. You can go to NISTgov, nistgov and you can download these regulations.
Craig:So if you're in healthcare, for example, if you go and search NIST 866, that's the version of publication from NIST of what you need to. That's your playbook, for example, of what you need to follow for your healthcare organization. Now, some of this, or most of this, is gonna be very complicated. It's long, it's dry material, but it does give good information on what needs to be done across your people, process and technology. And if you don't know where to start, my recommendation is to start with some type of assessment or a gap assessment. Now, I don't, I mean you can do what's called a self-assessment if you want to start there. If you don't have budget, it's always best to hire a certified third party, but you can roll up your sleeves and do it yourself a self-assessment. That is a possibility. There are documents on NIST and there are new documents on the CMMC what's called a assessor's guide, or assessor's guidebooks that tell you what a third party certified assessor would look at like.
Craig:What are they gonna focus on? And they're broken up into different controls and you just you chip away at them. You look at each control and you figure out do you have this, do you not have this? And as far as actions, I think most IT folks are quite hands-on. They know their operating systems and they probably know some software to put on, like antivirus or something like that. And I think that's part of the ask part of this question. It's like what do we need to do, what do we need to put on and that's why I was saying that it's challenging because it's different for everyone. Like I don't wanna say you need to go buy this brand maker model software for everyone because it's not a fit for everyone. And I mean, like you can have in certain situations Microsoft Defender, that's Microsoft's antivirus product is that gonna get you compliant with everything? Absolutely not.
Craig:We talked about layers and different things, but just to kind of throw out examples, that could be a layer for addressing that specific control. And another layer that would come to mind would be like Microsoft, on a pro-level operating system, has what's called BitLocker, that's disk encryption, hard disk encryption. In the Apple world it's included. You don't have to buy anything, you just turn it on. So these are examples of specific controls and actions that listeners and people can take to make sure that they have these controls turned on. And if you're listening in your in a regulated environment, you should have something like BitLocker or Mac OS disk protection. In regards to hard disk encryption, you should have these on as a minimal, like you should absolutely. If you're noticing you do not, then that's a problem, that's a gap. But there are other brand makes and models of software as well as hardware to address these. I know there are several companies that have like physical hard drives that have encryption built into the hardware, which is, in my opinion, a step up from software. So it uses not just software but hardware and software working together to give you even more security at the disk encryption level.
Craig:Then you've got your traditional firewalls, for example. Firewalls used to be the gold standard in protecting your network. Think of a firewall as kind of like a traffic cop what packets are good, what packets are bad, block all the bad stuff. Well, what happened was, with the landscape changing, a lot of the bad traffic was coming over the internet, so the firewall wasn't really doing anything, it was just letting that information through. Back in the old days it was port 80 for insecure, now it's mostly port 443. For secure SSL traffic, the firewall is not looking and doing what's called deep inspection, unless you have a specific firewall that has that function. And that function is technically different. It's intrusion detection, intrusion prevention, so IDS, ips. So those filtering technologies are again another layer and another discussion point and reference point for a control in these frameworks, for example, nist.
Craig:For example, if you're in the DOD or Defense Industrial Based World and you're subject to NIST 800171 and the new CMMC 2.0, which is supposed to be signed into law any day now, you have a requirement for what's called a PEN test or a penetration test, and the controls for that are 3.12.1, 3.12.2 and 3.12.3, and they require you to perform tests of these controls and implementation and to make sure that there's any corrective actions if there's any gaps. So in order to pass your audit and become NIST 800171 or the new version of that would be CMMC 2.0, maturity level two in order to get your pass you need to have a PEN test done, and we could certainly help you with that. There are other companies that can help you with that too. But you want to have a thorough third party PEN test and evidence of that and then you have what's called a report that shows all your gaps and then you need to fix all your gaps. If you can't fix them in the NIST world, you need to do what's called a plan of action in Milestone or a PoAM. You only got one time to PoAM and you got six months. Now in the NIST world you can keep PoAMing, but they got rid of that in the CMMC. So currently with the law you can PoAM and then PoAM again. Well, they took that away with CMMC, so you can only PoAM once. So my recommendation is try not to PoAM at all, because you got to fix it anyway. So try to fix whatever you can permanently and get your points for your SPRS in the NIST world and then get your double scoring for CMMC's world.
Craig:But my point here is these are some action items that everyone can do, whether in the CMMC world or in the HIPAA world or any kind of really regulated world. I mean, all these things really would be good things to do. Right? The same thing with training Training, security, awareness, training is so important. I think it's the most underlooked item. I think most people assume oh yeah, yeah, yeah, we got training, we're good, but they don't take training and testing and drilling seriously enough in my opinion, and they don't actually have the evidence to prove that fact. And we find this time and time again with advanced training like tabletop exercises. So my point is with training, you've got different levels again, different control points that reference whichever regulation you're subject to. But in the CMMC world you've got three. You got 81, 82 and 83, and that's in the NIST 800-171.
Craig:In the CMMC world Now most people have the first one, which is your generic anything on the web cybersecurity and awareness training, but very rarely do they have the second and third one. And the second and third one talk about role-based training. So if you're a small company, you probably have your typical users. You might have managers in your company, you might have C levels in your company. So the role-based training means you have that different training modules for each of those groups of people, because the training for your IT admin guy is gonna be different than your typical user training and they're gonna use different software and they're gonna need to be trained on those software packages. And the same for C levels. C levels they're more interested in the executive side of things. If the CFO, for example, should get different training than your users and different training than your IT guy, so by having these different training pieces and then different testing and drills, it's super important to have all the evidence for that because that's how you pass the training pieces.
Craig:And in the NIST world you've got 110 different controls that you need to address and it's actually quite higher than 110 because you have what's called NFO controls and then you have controls that have what's called dependencies. So it's way higher than 110. I mean, 110 is a lot, I think, for a small business. But to encapsulate everything meaning policies, procedures, different software, hardware to run on things, trainings if you add all that together it's well over 110. So my point is there's still a lot of work to do for most people.
Craig:We're here to help on any or all of it, but yes, there are things that people can do themselves. Those are some examples. There's many, many more of those examples and I encourage listeners to go on the trusted websites like the NISTgov and the CMMC. There's a page there from the Department of Defense and you can download these documents there's no charge. You can read them yourself they're mostly PDFs or HTML versions and just browse through them. I mean, some of them are super long 300, 400, 600 pages. There's supplements to some of them, so you need to have all pieces. But dive deep and, yeah, if there's things that you can do, by all means go ahead and do them.
Craig:But if you're looking for the catalyst, if you're looking to, if you're sitting there listening thinking this is just too much, I don't know how I'm gonna do this. I mean, we're here to help you. We're not here to shame you or anything. We're here to support you wherever you are in your journey and our promise to you is to get you compliant as quickly as we can and as reasonably as we can at a budget that you can afford, and just keep chipping away at it until we get you there and give you all the evidence so that you can pass the audit on the first try. That's our promise to you and that's why we do this. We do this for you guys, so that you can continue to do what you do best, which is focus on your business.
Blake:Yeah, we've also talked about how we can make the podcast educational as much as we can, but there's no one-size-fits-all I think everybody has a different course. If you're trying to get fit and get healthy some people are going to start running, some people are going to start swimming it's hard for us to say, okay, here's everything you need to do From the first episode to the last episode of our podcast. Okay, that's all you're going to need to listen to, that's all you're going to need to do. No, there's more to it. And also it crosses an ethical perspective, whereas it's not super ethical for us to talk about how you can be compliant, because it's different for every company, and we can't list out and name certain vendors, because that's vendor bias and that's unfair and that's why the NIST and the CMMC, that's why they don't do that.
Craig:That's why they don't say, oh, just go buy this, this and that, and we, as your provider, don't want to do that either. That's why we're vendor independent. We like certain vendors, we've tested certain vendors and if you want that information, we're happy to give that to you. But we also want to give you options so that you can make the choice yourself. It's not our choice to make. We can make suggestions, but again, it would be our vetting and testing and our opinion. But ultimately you're signing your name and your company at the bottom of this. So even if we were hired to help you or you hire somebody else, they're not signing their name. At the end of this thing. You are.
Craig:So you can't outsource that responsibility and that's very important for people to understand. You can't go buy Microsoft 365 and think, oh, it's Microsoft's problem now for you to be compliant and secure. If you read Microsoft's terms and conditions, they don't back you up, they're not responsible for your data. If you don't have your own backups or you don't do your own process to download your data, send it to a hard drive and that's a process or hire a company to do that for you, or buy software to do that for you. If you don't do those things, you're not going to pass an audit against that, because you're going to fail on that gap. And it's the same thing with medical companies. You can't just go buy Epic or some EHR product and assume that, oh, they're going to do all your HIPAA compliance. It doesn't work that way. Yes, they have their part of the ecosystem. However, you have your part too, and as you read through these hundreds of pages, you'll realize what's the company's responsibility and ultimately, most of it's your responsibility. So the inner workings and the methodology of how you become compliant are different for everyone, as Blake said, and everybody's risk tolerances and budgets are different. So one system or solution that works and a methodology that works for a small company may not work for another company that's either even similar in size or maybe a little larger. Everything's different. But you cannot outsource the responsibility of compliance and you can't just go buy a product or a software service or a piece of hardware and assume that your job is done and then you're done with this.
Craig:This is a continuous effort and for most it's a. I don't know if you remember Blake, but we had a cartoonist actually draw the journey of compliance for HIPAA and also the mountain for CMMC that has different peaks on it and I feel like that's a great graphical depiction of the journey and you could be somewhere on that trail of the mountain. Everybody's on a different spot, but the point is that you're not going to get to the top of that mountain without a lot of hard work at the beginning. Yes, your job will become easier as you hit the peak and you're compliant, and then to kind of coast, I guess, or what's the best way to put it just kind of your ongoing maintenance of keeping you in compliance, because once you get compliant you can fall out of compliance very quickly. Like, let's say, you get compliance and you've got your 110 perfect score for SPRS and you don't have any poems anymore and you're good.
Craig:And then now you switch gears to CMMC 2.0. And maybe if you're in, if you're subject to NIST 800171 and you're handling CUI, now you're equivalent to CMMC 2.0, maturity level two, if you're in that world and that's, that's your company. You know what if your IT guy or your cybersecurity analyst put their two week notice in. You know, now you've got a gap. So if that person or those people were a part of your structure, of how you became compliant and job roles and responsibilities, then you have them named in your documents and your policies and procedures and you should, you should have teams in there and they should all be. You know responsibilities and things like that, but now you have a people or a human gap you need.
Craig:You just dropped your score. You were 110 and now, however many you know control levels that are affected, your score just dropped until you find a replacement. And then, when you do find the replacement, now you got to make sure they're trained enough to speed and then you got to test them Right. So if you, in order to get your points back, you got to retest. So my point is that this is never a one in done. It's a constant effort, but it affects everything. It affects people, process and technology.
Blake:Yeah, I mean, I like to think of it as kind of like hiking. You know, like you're not able to take the paved like dirt path right, that it doesn't exist in compliance. Like you are going through the forest. If you have a service provider or consultant, like us, we're the compass. You know, if you don't have a service provider, you're just walking through the forest with aimlessly so compliance. It doesn't really work like that.
Blake:And something that I think that Craig, like we can't really overstate or you know it's super important is is we never really talked about liability, like compliance liability, like as you who's taking, you know, the grant or getting funding, or you know you're always going to be liable.
Blake:You know, I think Craig kind of touched on that, but not not deep enough. You know, like some people assume and we've had here's an example like we've had a lot of people that came to us for healthcare, you know, for HIPAA, and they're like, oh, I'm using this customer resource management software like insert, you know name here right, oh yeah, they're HIPAA compliant. Like I don't need to be. It's like, no, does it really work like that? You know, we've had so many doctors and dentists and chiropractors that have told us that and there's, there's misinterpretation of the law and it's like, you know, all these doctor buddies or all these dentist buddies, or all these chiropractor buddies, one person thinks he's got the recipe and then he tells all of his buddies, and then Well, and the part that kind of adds on what Blake's saying is that there's a lot of misinformation out there.
Craig:There's a lot of like. We'll talk about dentists for a minute. There's a lot of dental IT service providers that all they specialize in is dentists and they're well known in dentists. However, they are not cybersecurity experts. They're not compliance experts. So when the dentist goes to them and says I need you to help me with X, y and Z and they don't, the dentist is trusting that IT company to just do what they need to do because the dentist doesn't understand the compliance and the requirements. Now the dentist should read up and understand what they're getting themselves into because again, like I said before, the dentist at the end of the day is signing off on everything and saying, yeah, yeah, we're HIPAA compliant now because XYZ IT provider said we did. But here's the. Here's the thing we're trying to drive home.
Craig:The IT provider is great at doing IT, but they're not a cybersecurity and compliance provider and they should not be doing cybersecurity and compliance. It's actually a conflict of interest. And if that IT provider is saying, oh, yeah, yeah, we do your HIPAA compliant, we do everything for you, we roll it all up and it's this cheap price of $500 a month or whatever it is. That's a red flag and, yeah, they might be doing some things for you, but they're certainly not doing everything and there's liability there and I'm not a lawyer, I'm not pretending to be one, but my point is that as a customer, you need to be doing your own due diligence and hiring after that project's done, hiring an expert in cybersecurity and compliance and doing the gap assessment and or pen test and checking all that work, because I guarantee you're going to see gaps that you didn't realize you had and you thought your IT provider covered for you but did not. You'll find real quick your gaps and weaknesses on what needs to be filled and oftentimes you should hire that or a cybersecurity or compliance expert to fix the gaps and then retest, because there's always going to be gaps.
Craig:Nobody's perfect and if you're perfect at a certain period of time, tomorrow you might have lost a guy or some software got unwound or some hardware had an issue. This is always an up and down thing. That's what we were saying before. It's always continuous improvement and continuous work on this stuff. But what came to mind when Blake said that is I don't know if you guys are aware, but with the SolarWinds hack that happened, that we talked about in several episodes ago, which was software that a lot of medical as well as department of defense clients were using to manage their updates and their patches At the time, a trusted vendor that these people were paying to make their automations and IT run more efficiently Long story short, they got hacked and that's how malware was dropped onto these endpoints and caused all sorts of breaches and things like that.
Craig:Well, I saw an article recently that the authorities are charging the CISO with fraud. That's a game changer. Now think about that for a minute. If you are a medical company or you are a department of defense contractor and you've hired XYZ IT company, or maybe you had an IT guy for 20 years and you trust that that person is doing everything great for you and you're just at the end signing off saying yeah yeah, my SPUR score is 110, we're all great, everything's all good.
Craig:Then an audit happens. Or fast forward to CMMC 2.0 and you need your audit. You need to get your gold star. C3pao comes in or, if you're a level three, government led assessor comes in, finds all these gaps and weaknesses. No man, you're not compliant. You think you have a 110, but you really got a 50. When you're like what I thought Bob in the corner had everything going.
Craig:No, you can't say that you have this control met, because here's why, by the way, the auditor doesn't tell you what you did wrong. They just tell you here's your new score, go fix it. Pretty much, they're not allowed to tell you how to fix it. You get your fail and, by the way, you paid for that. You got to pay for your audit. It's expensive and if you fail you got to pay for another one after you fix your gaps and you got to keep paying until you pass. It's not easy. This work is hard. That's why we exist and we're here to help people.
Craig:But yeah, that CISO is getting charged with crime and prison time, because I guess the case against them is he should have caught that and should have known the risks. Before such a devastating breach one of the top breaches of all time he or she let it happen, or the team let it happen. That comes back to the listener or the business owner or the CTO or the CIO. If you're signing off on this stuff and you don't really have the evidence to back up what you're signing, that's a red flag because that could put you in hot water.
Blake:I think something that this case proved is negligence, and this is compliance, for talking about, of course, existing and compliance. Negligence is fraud and fraud is criminal. That's the connection that I took from this.
Craig:Well, I think the other part of that is you can't if you know if you're taking contracts from the government or a grant. They were grants that were given out in the medical world from the push, from paper records to electronic medical records. The government was like oh yeah, we want to get you accelerated to the digital world. They gave grant money. Well, part of the catch for the grant money was you need to be HIPAA compliant. Well, what the government did when they did enforcements is they found that a lot of practices were taking the grant money but they weren't doing the action. They weren't moving from paper to electronic. So guess what happened? They had to give all that money back and pay multiple Oftentimes up to three times multiple back. So if they got 100 grand in a grant, they had to pay back 300,000 plus penalties.
Craig:And that happens in the defense world too, with the false claims act. Same kind of methodology there. So if you signed off and you got a million dollar grant over three or five years from the government and in your grant in your details it says you have to be NIST 871 or you're handling CY. If you don't have your evidence to back all that up, they can audit you and you'll have to pay all that money back. And I think that's the thing that people don't realize. They don't realize what they're signing and their responsibilities and they just don't think it's going to happen to them.
Craig:Well, I know for a fact that there's crackdowns and there's audits happening. There are NIST audits. They are happening, there are CMMC audits and I think a lot of these defense contractors, especially the subs, are it's kind of a wake-up call. I mean, if you know that you're not compliant but you're not doing anything about it I think that's Blake's point You're committing a crime. It's not legal to do that and we're not telling you how to run your business. But if you're signing off on something and you need to be compliant with it, we're here to help you get the evidence and do the right thing to become compliant.
Blake:So I think there's also a misconception for service providers like ours. We're not here to police the law. We get a lot of people that are scared to communicate with us, it seems like because they feel like we're going to turn them around and put some handcuffs on them. We're not here to police the law. We are here genuinely to help. So, yeah, I mean there's really only I could say about that. If you're considering going into healthcare or complex regulated industry, you should probably look at compliance first before you even start about getting your business together or what.
Blake:One of us can hop on a call with you. We also can do some consulting and tell you what you're going to have to face. It's like summiting Mount Kilimanjaro or Mount Everest. People that go to Mount Everest will tell you what it took for them to get to the top of Mount Everest. It's not like, oh no, you go figure it out yourself. Meanwhile, people die on the summit. That's not what we're here for.
Blake:We are here as genuine consultants to help, to assist, to navigate, because we found challenges. We have summited Kilimanjaro or Everest or whatever, and it's not easy. A lot of clients aren't prepared and they get into it and they're just realizing how minute and mundane everything is for this adventurer. A lot of people get halfway up and some people stop. Or we've had instances where people they don't listen to what they say because they read something on the internet or that misinformation. Oh, my friend's a dentist or my friend's a chiropractor. He told me this is all I need to do. Okay, but you're paying us to tell you and help you and you're listening to your friend who you feel like has gone on that summit. No, he watched it from the television, like no? There's been a lot of instances where people push back on what we advise. Obviously that's a different topic, right?
Craig:Yeah, but to stem off of that, though, we exist for you guys, we exist to help you guys. We're always vetting and testing different product services, software, hardware, whatever. We are here to give you the best security possible. We're often asked you're a smaller company, how could you protect us? Xyz is a bigger company? Well, guess what? All of the most of the bigger companies are all in the headlines. We're not saying to be arrogant or to just kind of. Our point is that we have a methodology that we've developed over two decades now and it's extremely effective For the clients that listen to us, that truly don't want to experience being hacked. We help you, we help protect you, but you need to listen to our advice. We are the experts in this industry and we work super hard to stay at that high level and protect our clients. It's not a simple solution and it's not the same solution for everyone. Everyone's different, everyone's workload's different, everyone's climb up that mountain is different or that hike. My point is that it just starts with a phone call to ask us some simple questions around your situation and how we can help you.
Craig:One thing that comes to mind when the CMMC came out is they allowed what's called enclaves. Enclaves are small areas that are security hardened. If you're a company of 100 and you have an enclave and you've only got five people or 10 people in your organization that handle the CUI the sensitive information, a cheaper way to get you compliant is to leverage enclaves Instead of you doing top security for everyone all 100, that could get costly and out of budget real fast. A way that the government in the defense industrial base or the CMMC world has said you can leverage what's called enclaves and secure only those that are handling CUI, separate them from the rest of the network and show evidence of that. We are experts in building and maintaining enclaves and that in turn saves you a ton of money.
Craig:Another competition will actually hide enclaves from you and just want to get the bigger payout of the project. We don't exist for that. We're in it for the long haul. We want to build relationships, we want to be your partner forever and we don't want any kind of quick project payout. Like Blake said before, it's different for everyone. It all starts with a call and we're not here to just check the box. We're not here to give you that minimum effective dose so that you can just say yes to that questionnaire and move on. We're here to make sure that if you say yes to something, you have multiple forms of evidence to back it up, and we're here looking through an auditor's lens of will that pass the muster and will it pass it today? That's continuous effort and evidence building needs to happen for it to continue to pass, and that's why we're here.
Blake:And there's two different types of doctors. You know, obviously we use this doctor analogy a lot. But there's doctors that you go to the doctor and you're hey, here's your pill, get out. You know they're treating your symptoms right. And then there's another doctor that's more thorough, that addresses the underlying cause. You know that's us. You know we're like okay, why aren't you compliant? Like was holding you back from being compliant? We're not just saying install this software, get out of here, you know, and then taking X thousands of dollars or X thousands of dollars, you know, like that's not who we are. You know, and we get a lot of people that want that pill and I don't feel like and I know Craig, I mean Craig, obviously we have the same goals Like we both don't feel like that's very ethical. It's an ethical approach. You know Everybody wants the quick.
Craig:They all want the quick version that doesn't cost much money. What's the cheapest way I can do this so I can check the box and move on with my day, and it just doesn't work that way.
Blake:Yeah, and a lot of times too, like from the health and doctors perspective. Like, you know, before a doctor prescribes you medication, you know sometimes they'll test you Like, oh, like what's your? They'll do blood work, you know, to see if you have some reaction or maybe you have something in your blood that would react or negatively impact this drug. Or they'll look at you know what other drugs you're taking. You know, I mean, come on, you know, like, let's be real, like that's what needs to happen for safety reasons, like we need to look at what's going on, you know, with your business internally before we can say, hey, here's a path. You know, here's what we would suggest. Like we just can't, we can't do it, you know, and you know the podcast has been, it's informational and, to a degree, is educational. But how can we put all that in a podcast? You know, like, if you have a suggestion, please write us, please call us. You know we just can't, we don't feel like that we could figure. I mean that just doesn't exist, right, you know. I mean it's like you buying a lock for your door, you know, and just, oh, just, let me go buy a random key, you know, let me just see if it works. And then, you know, you go to Home Depot 85,000 times, you know, to get that key, you know. And until you finally get it, you know. Imagine the time, effort, energy, right, I mean, obviously we know that's not how it works, right, you know.
Blake:But that's essentially the same thing that you know some companies are asking for us to do. You know, from that perspective, like, oh, here's a paragraph about my business. Tell me how I can be compliant, you know. Or we go to their website. Tell me how I can be compliant. I don't know. I really don't have the answers for you, because I need to get hands on. Craig needs to get hands on.
Blake:Like, we need to figure out, you know, gap assessment. You know we need to figure out where you're lacking, right, what's wrong. You know we need to do some tests and that is our form of a checkup. You know, a physical or whatever, you know, health check. That's just what we need to do. So hopefully that addresses, you know, sorry for the rant, but hopefully that addresses some of the comments that we've been getting. You know, I mean, please feel free to, you're free to reach out to us, you know, you never said it to us directly, you know, if there's questions you have that you feel like we're not addressing on the podcast, I think it'd be cool for us in the future to collect questions.
Craig:You know, maybe on our website we could put you know, or maybe in the podcast description, you know, we could have a submission section, or just yeah, for you know, until we kind of build that out, just go to our website and just reach out and put your questions there and we'll just collect them each week, you know, and then we'll just, you know, try to answer them live on the podcast. You know, I mean we, you know this podcast. It takes a lot of time and effort and money to make this work and we're doing this for our listeners to understand a glimpse into the cybersecurity and compliance world, to get caught up quickly with news and updates in our industry and different regulations. But it's definitely not to put anybody down or instill fear or anything. I mean we truly are here to help and we work really hard for our customers, you know, day and night. And you know, like I said before, we're not vendor-tied. We're not, you know, just looking to use or sell you something that we make a quick commission off of. That's just not how we operate.
Craig:We work really hard over the past two decades to build partners and good relationships with our customers because we truly want to make them as unhackable as possible, and that's just our, that's our mission, you know, and our promise with compliance is to help you pass your audit so that you're not sideswiped and hit with something that you just completely just missed. You know we're here to show you, as an auditor would or a hacker, how they view your company and that company viewpoint, that vantage point. It could start with your website. It could start with social media, it could start with how are they doing recon on you, and it could also be with social engineering and impersonations.
Craig:You know we've talked about it in other episodes where we've done testing for major financial institutions, and you know we want all of the legs of the stool across people, process and technology to be the strongest that they can be and we want you and your company to be the strongest that it can be so that you can grow. And in turn, you know a lot of people, I think, view regulations and compliance as kind of like the storm in their side. But I think the fact that remains is that if you guys do a lot of this stuff that you're supposed to be doing, if you're in a regulated industry, it makes you better, it makes you stronger, it gives you the foundation, the organization, so that you guys can grow at a faster pace and have that competitive advantage, and I think that that's really the takeaway from all this.
Blake:Yeah, and something too that we never really addressed on air. But obviously, like when we first started our podcast, it was more to address our current customers, right. Obviously, that has wildly changed after we saw the data. You know we have a lot of people that are listening. So then we're like all right, we wanna give our take on cybersecurity, right? You know, that is where that's the niche we fill in the podcast world. And you know, obviously we talk about compliance because we are a compliance focused company, but it's hard for us to cross that threshold.
Blake:So the podcast has evolved a lot. You guys have made it evolve, you listeners, and we appreciate everybody who listens, leaves comments, reaches out, you know. But, yeah, you know, that's something that you know, as I'm sure you've probably listened, you've heard the evolution, right, and that's just really the only way that it can evolve. That only evolves in this direction. You know, if we had the ability to be 100% compliance focused, I mean, we'd probably have no listeners for one, because unfortunately it's not a hot topic. You know, nobody wants to hear your parents scream at you or whatever you know for cleaning up your room. You know, I mean, unfortunately, that's the role it seems like we have to take in compliance. But no, no, it's spun into our opinion on the direction of the cybersecurity industry.
Blake:You know, it's never been a DIY how-to podcast. You know, imagine, you know here's, imagine trying to learn how to build a house from a podcast. You know, not seeing anything, not having blueprints, you know, I mean, it's just that's the challenge that we face, you know, and of course, we're trying to be better. You know we're always trying to progress the information we disclose, and you know, so all it takes is for you to call us. You know, and I see the data, you know, and we definitely don't get as many calls as we do listeners, you know. So, yeah, I mean, we're not here just to talk, we're here to help, you know. So, yeah, for some of you that are our clients, thank you, and for some of you that are listening, that aren't our clients, we're here.
Craig:Yeah, One thing to just add to that too is that we're very well connected in our world, in our space. We've, for over two decades now, have strong partnerships. One case that came to mind is a customer that is looking to get SOC2 type 2 compliant. We can help with all the readiness consulting and the prep work but we can't do the formal audit. But we have a great partner that does the formal audit. A formal audit for SOC2 type 2 requires a certified public accounting firm, a CPA firm that has to have the certification to be able to do the SOC audit. We work closely with them for that readiness consulting. We work before the audit the formal audit and we work after for remediation to help our client.
Craig:If you're a listener and you have an issue that you're not really sure, if it's something that we can handle, reach out anyway, because there's still a high chance that we know a partner that we could refer you to if you're not a fit for us. Last thing I'll say is it's close to Thanksgiving, so everybody likes a Black Friday deal. We've got a secret Black Friday thing going on If you just reach out to us and you put secret in the description or in the body of the subject line of the email. Then we'll let you know in those details.
Blake:Wow, I didn't know we were doing this for Black Friday.
Craig:That's because it was a secret. I see that as an insider.
Blake:I didn't even know that I'm sitting here shopping for Black Friday stuff.
Craig:Also, it's everybody else. But I figured well, why not try to give our listeners something that is on their radar, to get this stuff done and a starting point right Nobody wants to. Nobody wakes up and says I want to do compliance today, but hopefully we'll make it worth your while. So reach out to us.
Blake:Yeah, I've been looking at all the Black Friday deals this year and it seems like post-COVID. All the Black Friday deals are just nothing. I used to be super excited for Black Friday and now I'm just like, nah, not for me. Maybe I'll pick up something, a video game or something, who knows right, but that's it.
Craig:Yeah, I mean our Black Friday deal is pretty awesome. Like I said, it's a secret, but the reality for you, blake, most of the deals they either exclude certain brands or whatever and then you don't get the deal. It's pretty rare that you actually get something that's worth it. There was some deals I heard going on at Trezor's website not an endorsement, I don't have a commission or anything from there for a cold wallet. I think Ledger's got some stuff there if you're looking for something like that. So I think there are some legit deals there. Again, with those kind of things, go direct to the manufacturer. Never go to a reseller. Again, I'm not vendor-tied with them. I don't get a commission. I don't have a special link for you to use. I'm just saying that as I was browsing around, I did see some legit deals like that. Certain companies, like software companies they do have some legit deals. I know one of the tools that we use for certain things like Snagit. I think that I saw a pretty good deal on their software Just depends.
Craig:I think it depends, like the whole Amazon Prime Day, things like that. I could never find really good deals on anything there. I think maybe they had deals on an Amazon branded thing like a Kindle or something like that they might have had a deal on. But Apple I don't think Apple really does anything for Black Friday, do they? Or Microsoft? I don't think any of the big names, I don't think they really do anything like that. It just depends on what you're looking for, I think. I think it depends on what kind of niche or vertical the item if you're looking for gifts falls into. I think most software probably has a Black Friday deal, because software has a pretty good markup. I think it just depends. But yeah, I think everybody's looking to see if there is a legit deal. So that's why I put out the one for our listeners there. But I think that's probably a good endpoint.
Blake:Yeah, I did see unrelated, but I did see some of the Bose. I think their QC35 IIs were like $150. And I was like, okay, that might be something I pulled a trigger on. But happy Thanksgiving everybody.
Craig:Absolutely happy Thanksgiving. We're very thankful for our listeners and for our customers for sure.
Blake:Thank you for our continued support. You know, obviously we wouldn't have kept doing this without you. So yeah, I guess reach out to Craig and he'll have to send me off stream what that Black Friday deal is. So would you call? I'll know. Absolutely Well thanks guys Till next time.
Craig:See ya.