Business Tech Playbook

#1 – 5 Best Security Steps

1 year ago
Transcript
Robbz

This is the Business Tech Playbook, your source for IT help for your business. Hello and welcome to the podcast Business Tech Playbook. I'm your host Rob Zolson. And to my digital right, I have BJ Pote from Etop Technology.

BJ

Hey, how's it going? I'm BJ Pote with Etop Technology, and today we're going to be talking about making cybersecurity accessible for everyone.

Robbz

So what I'd like to go through is a little bit about because we're going to do this as an ongoing series, a little bit about yourself and background and then I'll go into details of what we want to do with the podcast.

BJ

I own a small managed service provider here in Southern California and we really focus on having the right clients. Something that we've come across as we've dealt with prospects over the last couple of years is specifically, most of the time people don't make decisions because they don't understand what we're talking about. And so we've really worked personally to improve our business language to be way more accessible. But then we realized the goal would be how do we make technology more accessible to owners, executives, managers of organizations, so that way they can make decisions more effectively on technology. So really our goal is to make technology accessible. Take out some of the buzzwords, remove the... there's so many buzzwords and so much alphabet soup. That's always my... there's so much jargon, alphabet soup, in the tech space and we use it to protect ourselves because if we confuse you, then you don't have to make a decision, or it's a coping tool that IT people use. So at the end of the day, how do we demystify that, how do we make IT accessible and how do we help management teams make good technology decisions?

Robbz

And that's actually not only what Etop is all about, that's what the podcast is all about. And to dial this back to eliminate some of the alphabet soup, I'm already going to get people messaging me: "What's an MSP?" Just to let you guys know, MSP is managed service provider. So essentially Etop Technologies, which I work at as well with BJ, we are a provider. We are your IT department for those that do not have an IT department or want us to assist the activities with your IT department. So we're here to help you make strong business decisions with your technology and your business. We are your right arm with the buttons and monitors.

BJ

Thank you, Robbie. I really appreciate you mentioning that because I did it so unconsciously. That is really the goal is to remove some of that unconscious alphabet soup.

Robbz

So we get up in the morning, we punch in and we wear the badge just like we work at your company. And that's what we want to do with a bit of this podcast. If you're listening, we're hoping that this would go out to some of those business owners, business managers, small and large, on how to help demystify some of these IT activities and help you figure out in plain English what some of these decisions affect your business with so you can make them along the way.

BJ

Well, so part of what we wanted to talk about today was a high level overview of five key things that your business can do to improve your odds of getting cyber insurance and that really dramatically improve your cybersecurity. So we'll go pretty high level over each of the items on the list. These are all things that you can do. You don't need us to do it. We obviously would love it if you did use us. But at the end of the day, the rising tide raises all ships. And at this point, I want your company to be safe. So we're going to go over five different topics that will dramatically improve your cyber resilience.

Robbz

Now, I got to dial this back just a minute. So the moment you say the word security to someone that isn't technical, they don't understand why or care, especially with business owners. All they want. They're focusing on, how can I make the money? We're focused on how do I protect your property? People don't think about that. So these five topics are in the goals of low hanging fruit. The best things you can do to make sure that your company stays protected and it is your assets not stolen by someone else. We are the gatekeepers if you're going to physically hire a security guard guy that doesn't touch the stuff that we're trying to protect. So, five topics to make it super easy. At least the lowest hanging fruit to do the best job is securing your small or medium business.

BJ

Absolutely.

Robbz

Well, what's number one?

BJ

So the easiest thing that a company can do is MFA. So, again, straight to the alphabet soup. I am sorry, but MFA is multifactor authentication. It's the text you get from your bank account. It's the rotating digit on the app on your phone. It's a push from Microsoft. Enabling multifactor is one of the number one things that insurance is going to require. And realistically, it should be a policy inside your organization that MFA is turned on on every single property, digital or otherwise, that you can turn it on.

Robbz

So, three questions right off the bat, that again, I'm going to represent the human layman that isn't technical. Number one: what is MFA? And you said that it was the notification where if you try to sign in, it gives you that text message saying six-digit code. It's something that pops up on your phone saying, yes, you approve. It's that extra level of login security. The second question is, why does it matter? Well, you and me both every day deal with our customers that have to sign up for multifactor authentication. And I explain it just like this to everyone. Imagine that you are some third party in India or Dubai, and you're trying to get access to that user's account. I mean, that's what you're trying to do. You can steal company information, hopefully make a buck off of it. So if you're trying to access that at three in the morning in another country, and you have their password, I just get in. If you have that multifactor authentication, you have that one extra step that even if they know your password or can guess your password, you have to have it either that text message or something on your phone to prompt them, and it disables other parties, malicious or otherwise, from accessing those accounts. Now, you can think that Kathy, your secretary, might not have a ton of information. She does. She's got the emails from other people. She can try to impersonate other people. There's a lot of things they can do when they get in these accounts to fake things out. And of course, C-level, how many times do you approve invoices over an email, have intellectual property going over these emails, some super secret sauce of your company, those what is MFA, what does it do and why does it matter? So you said insurance companies specifically. That was a note. Can you explain why insurance companies ask this and why it matters?

BJ

Sure. Well, at the end of the day, insurance companies don't want to pay out premiums, so they don't want you to be breached, because if you get breached, then they have to pay out to help your company recover. So multifactor on email. We happen to use Office 365, but there are other, like Google has email, there's a bunch of different providers that you can get email from. Email is one of the number one places we see compromise or potential incidents of compromise. And as a result, even if you don't have something that's privately, you don't have Social Security numbers or credit card numbers, but if they have your address book, they might be able to slip in the middle of a wire transfer. They might be able to send an invoice on your behalf to one of your clients, your client gets breached. So at the end of the day, multifactor just becomes that second layer of security that helps prevent somebody from getting in. MFA is based on something you know, so typically a password, and something you have, typically a device or that second factor code. The chances of a threat actor having your password and your phone at the same time are much lower than just having your password.

Robbz

Not to go into detail, but I have a lot of people in the industry saying what's the best form of multifactor authentication to use? So some common ones is once you sign in, your email address, password, and then the multifactor prompts. So you have some options there that you can ask your IT company for. The best one that you can get is when someone installs an authenticator app. The Microsoft Authenticator app is the most common. Google has an authenticator app. Most any can be used; there's ones that are slightly easier than others. And this keeps a key essentially on your device, like your iPhone or Android device, and that every few seconds rotates a code and that code is only displayed every few seconds and it keeps changing. It can be used offline. It's by far the most secure. One step down from that is the text message. It's still very secure, but in very sensitive areas people have logged into Verizon account and got those and intercepted those text messages. So it's not as secure. It's still pretty darn secure. Other ways are telephone call, literally you log in, username, password, and then the phone rings and reads you over a code you type in. Well, that phone call can technically be intercepted if someone was using maybe a VoIP service or picked up the phone for you. It's still very secure but not quite as good as that. Best method: authentication app.

BJ

So for me I would say it's probably a token. So like a YubiKey token or they have other types of MFA tokens. Those tend to be the cream of the crop, like the absolute best way.

Robbz

So when you say YubiKey, again, I'm going to help the listener here. They're out in the weeds like us. So again, phone call, text message, app on your phone. And then there's that YubiKey device. To explain that a little bit in detail, it's like having a flash drive. It's a little device that's about the same size. It just plugs in your USB port. When the computer sees it automatically it lets you log in. That's another fantastic top tier version of multifactor that you can just plug in and they physically have to have the device. Now there's downsides. It's very inconvenient. You have to physically keep it in your pocket, on a lanyard, in your bag. And what if you lose it? Well, guess what, you're not logging in. You got to call IT support unless you have it on your phone and you have another one of the multifactors.

BJ

Available to you where the IT guy is the multifactor. So that's a really good point. The multifactor tokens, I think they are technically more secure, but like you said, they are definitely less convenient because people can show up to work without their keys. A big part of why we like the phone based app or the phone based app is because people very rarely are going to show up at work without their cell phone.

Robbz

Right?

BJ

So from just a pure convenience standpoint, we found that the cell phone has the best security with the least amount of inconvenience.

Robbz

All security. If you've not really thought about security before, all security is a balance between convenience and protection. You can make something super secure and make it impossible to log into. But is that really going to drive efficiency in your business? That's going to cost labor, time, loss, that whole thing. So it's all a balance of what can we make to make it more secure while still making your business doable 110%?

BJ

It's always finding that fine line between, as you said, secure and functional.

Robbz

If you have an IT department and you're listening to this and you're not in the IT department and you want to make the IT person your best friend, ask them. Go say, hey, I don't think I have multifactor yet. Is it something I could sign up for? And I guarantee you that dude will buy you coffee. He'll high five you. He'll brag about it to his friends. You won't believe this guy asked me for it. I didn't have to make them. It was beautiful. So if you want to make that nerd's day, do that.

BJ

At the end of the day, we always just want to make we're all try to be protectors at heart because we want our clients to be safe. At the end of the day, that's the most important thing is we want our clients and their team to be protected. And seriously, if somebody asked to have MFA turned on, I would dedicate my afternoon to helping them do it.

Robbz

I'm serious. We have the chat between us and the office, and it would be a post. We would all talk about it for the next week. It would be in the team meeting. It would be a great day. Trust me. Do that. Now, as we go through this BJ, we have again, this is just step one. We got four other steps, but we want to talk about what it is, how it affects you, and then how can they implement it. So if you're a listener and you're a user, ask. We already talked about how they'll make the IT guy happy. Two, if you're a decision maker, a manager, or a C-level person, and you hear this and be like, why can't I do that step to make it more secure? This doesn't cost you anything. This, if you are using a Google environment or a Microsoft environment, it should be included in most of your plans. Again, talk to your IT professional. Talk to your managed service rep on that. It should be part of it. And what we do is we do a communique rollout, whether it's 30 days, 60 days, 90 days, letting people know ahead of time. Here's how you do it. Please sign up if you have questions. Talk to the IT department, get this rolling, and we keep putting this up. We talk to managers to put it up in their team meetings, and then by the time that 30, 60, 90 days rolls around, they've already been warned. And suddenly if they're locked out of their account, the IT department already has hopefully, a little extra staffing to onboard the rest, the remainder of those people. So it's not just something that you flip a switch and say I'm going to do this tomorrow. It's something that you want to communicate because you don't want business to stop.

BJ

Well and that's exactly it. I hate saying it, but almost every single one of these steps and tips are something that should happen at the C-level first and be a policy that's created. As a company we believe we need to be more secure and MFA is the first place to start and anything that can, should. Is everything going to allow you to do it easily? No, not necessarily. But the reality is the vast majority of software as a service or like web applications have multifactor as an option and you just have to go look for it.

Robbz

Right. And even if you're just a user and your company hasn't opted into this yet, it will come. I mean this is the now. It's just soon to be reinforced. Even private apps that have nothing to do with business, they almost across the board all have multifactor authentication and more and more companies requiring you to do it even though you may not know it's multifactor. If you're getting logging in and something shoots you a text message, you're signed up because they require it to use that program. So if you're a user listening to this and you have Microsoft or Google product, you can go in and enable that without having to worry about is it something my company is doing? It's there, available to you and guess what? You're just a little better than the rest of your team.

BJ

Exactly. Well, it means you're already used to it and you can be a power user and help others learn how to use it. My personal Microsoft account has their version of passwordless already set up. So it doesn't even require a password anymore. It's just a number match on my phone. Yeah.

Robbz

I don't know if you've ever been in an environment where something happens and the IT guys are scrambling because they're trying to figure out who let the virus in and everybody's sweating. Just know that it's not you because you signed up for multifactor authentication. When the IT guys come up there, "What did you do?" you'd be like, "Bro, no, it's on my phone. We're good."

BJ

I got them multifactors.

Robbz

I got them all the factors.

BJ

Exactly.

Robbz

All right, what's next?

BJ

So the second one that it is a software tool and it does usually require some kind of spending but it's called EDR. Again, alphabet soup. But EDR stands for early detection and response. What that means is basically it's a piece of software that lives on every single endpoint in your network. An endpoint is a laptop, a laptop, a PC, Mac, doesn't matter if it's Mac, Windows servers, literally anything that can be used needs to have something called the EDR on it. So early detection and response. But what it does is it basically sits there and it doesn't monitor users, but it pays attention to processes that are running, applications that are running, and it's sitting there just in the middle looking for a potential threat. And most modern EDRs will actually lock down an endpoint. So again, that desktop laptop device, if something starts to happen sorry, I got way off.

Robbz

Well, we already got the CFO here asking, hey, we already pay for antivirus. Come on now, what's this EDR thing I got to pay for? Are you just trying to milk more budget out of me?

BJ

Oh, goodness, I wish that was it.

Robbz

How's this different? I mean, we already pay for antivirus. Come on.

BJ

It comes down to security is much layers. No single thing will protect you from a potential threat actor. And so it's trying to layer the again with like multifactor it's a layer.

Robbz

Well, let's talk about this layer. How is it different than a traditional antivirus?

BJ

Traditional antiviruses typically are very much based on.

Robbz

Here, I got this one because I have notes. Yeah, it's unfair I didn't share those. You didn't share those. With a typical antivirus, when the Internet first came out and viruses first... you heard about worms in the 90s, pop-ups were happening. A typical antivirus sees a piece of software, knows the name because someone put it on a list saying, this guy isn't welcome to the party. It's a simple thing. We block the list. Some company, whether it's McAfee Antivirus, Norton, something Symantec, they back in the day made a list. If it looked like that, it wasn't allowed. That was your antivirus. It blocks known infections, then we have more upgrades, we look for different permissions. So not only does it look like something, but they also, what is it asking for? And they block that list too. So as antivirus evolved over the years, now we have the list, we have known permissions, and now they have something looking for activities. So antiviruses sandbox things, meaning that if it sees a file, even if it's something that's not on the list, even if it's something that's not asking for the correct permissions, they'll put it in a little, so we call, sandbox, a little area, seeing what it wants to do, and if it's something malicious, it gets stopped. So that's a traditional antivirus, how it's got so far. EDR even goes further than that. Like, for instance, Huntress. How's Huntress different than, say, McAfee?

BJ

Goodness, I got you. This is where we're... yeah, you did get me. I'm literally just trying to think of a kind of non-technical way of describing it. The original antivirus like you were talking about is very much like a bouncer that has a list of people that aren't allowed in the club.

Robbz

Love it.

BJ

Literally. He can go, oh, you look like Bob. Bob's not allowed in the club.

Robbz

It's profiling. Sometimes they look like they're a bad dude. They won't let them in the club. Sometimes they're walking funny, not in the club. EDR goes a step further and after they get in the club it logs everything they've done, every drink they've had, every conversation they've done, and reports back as suspicious activity showing, hey bro, that dude we already let in and approved, he's looking pretty suspicious and guess what? He's had a lot to drink, so he's changing as he's been in the club. So now we're monitoring everything at the door and past, exactly with these tools. Now this is an oversimplification on these software for sure, but if you're a C-level executive or a manager, your IT guy comes up to you saying, "Hey, we have Malwarebytes, which is a good program, I've used it before. We want to move to the business platform of Malwarebytes EDR," know that he's asking a very reasonable and mature request, that he wants the antivirus to do more than just be a bouncer at the door. He wants to audit everybody that's in the club so they're all having a good time.

BJ

That's a really good way of putting it. It's literally the difference between just simple pattern matching and then continuing to monitor what people are doing. And at ten drinks in, go, hey, this guy's probably going to be a real risk to the organization or to the club in about 45 minutes. So we are going to pay extra attention to him and kick him out early.

Robbz

And then after the cops come and something did go bad happen, there's a whole list of, hey, we know what the guy bought at the bar. We know every person he talked to and interacted with in every way. And you can give them a full report saying this is why it happened and how we can stop it from happening again. That's what Huntress does so well. Again, we try to keep brands out of it, but where's biasness. I mean, we've been in the industry, I've been in the industry 15 years. BJ, how long you been in it? Too darn long.

BJ

A dozen years at this point, 12, 15 years. Been around the industry a lot longer than that, but as an owner for twelve years now, we try not to.

Robbz

Be biased on brands, but these EDR programs, you'll see them like if it's Trend Micro, Trend Micro sells an EDR. I mentioned Malwarebytes before; they have an EDR. At Etop we use a lot of Sophos and Huntress, we use a multi-level approach, but know that if someone's asking you for budget for this, it's a real thing. It's not just him because he wants fancy tools or wants to have his life easier, he just wants to make sure that your stuff is protected one.

BJ

Of the better EDRs out there. So Huntress is an amazing tool and it's one that, like Rob said, we do use, but one that we've been exploring and is oftentimes included in your Microsoft licensing is Defender Endpoint or Defender EDR. It's included in quite a few of the different licenses for Microsoft. You may already have it, or you may need to just bump up a single license level, and now you have it. And at that point, your team just has Microsoft behind it. It has Huntress behind it, it has Sophos behind it, I don't even really care what the tool is, but something is better than nothing in this case.

Robbz

Now, in rare situations, if your business is insured with cyber insurance, which of course we recommend, absolutely, you tell them, Guess what? I have this cool thing called EDR. And they'll be like, all right, document it. Here's a discount. Because why wouldn't you want to insure someone that's already trying to protect themselves?

BJ

Well, and it's even getting to the point where it's more like if you don't have EDR, you don't get approved.

Robbz

Yeah, that's sometimes a pre requirement.

BJ

Yeah, it's starting to become a requirement on almost every single insurance application that I see, where it needs to be 100% deployed. So every single endpoint that it can be installed on should have it. Because almost always the threats that come in or the incidents that start are on the one machine that doesn't have the software protecting it. You can't protect what you can't see. So if you put a blinder on your bouncer and you don't watch the person inside the building, you're going to have chaos.

Robbz

Right? It doesn't make okay. People ask like, what's the budget for? Well, I mean, yes, that these people develop the tool and that's their business model, but how would you like to spend $8 an hour on a bouncer that doesn't really do his job well? He's limited. You haven't given him all the tools. Or would you like a well paid muscular, vigilante style bouncer at the front door? I mean, it's night and day. You just have a different product, you have a different set of tools, and that's what you're paying for. Take the extra what is it, a couple of dollars, $5, whatever the margin is per endpoint, and jump on that.

BJ

Another one of the big areas that we're seeing being a requirement in cyber insurance is Security Awareness Training. They shorten it to SAT. I actually had to ask what that meant to the person who this is.

Robbz

Number three in the list, correct?

BJ

This is number three on the list. He's like, oh, yeah, you need SAT. And I was like, I did that in school.

Robbz

I think I passed it in like, fourth grade. Don't worry about it. I got passed. That's all I remember when I finished.

BJ

My senior year for the fourth time, I finally passed my SATs.

Robbz

Right?

BJ

No, I joke. Basically, it's security awareness training. There's a lot of really great tools out there. One of the bigger ones in the space is KnowBe4, but effectively it's educating the users, your team, on what to, what not to click on, how to look out for threats. We happen to use something called Phish Threat. It's in the Sophos line of products. Works well, it works perfectly well. But your team needs to be trained.

Robbz

I'm C-level, right? Sure, I know that. They need to be trained, right. They're not going to know what they don't know. I certainly don't know, a C-level. So I don't even know what I need to be trained. So how am I supposed to shop for this? Of course I can contact my IT department, hope that that guy knows what he's talking about. I mean, I pay him enough. I could talk to my managed service provider, they might have something that they know of. But how do I validate that, right? I'm talking to a guy, I need to know this is a real deal.

BJ

For sure. Again, it goes back to there's 50 different brands. I mean, there's Malwarebytes EDR. There's Trend. Everyone has their own EDR version. The security awareness training is kind of the same, but realistically there's probably two or three in our space that I would are probably going to be the best ones or best bang for your buck.

Robbz

What are the features I need to look for to make sure that whatever tool I pick is valid?

BJ

Is the training solid? And do other people in the space look at you? Recommend them?

Robbz

Okay, look for recommendations of recommendations, maybe talk to a company.

BJ

Yeah, talk to a couple of their references. How easy is it to manage if it can't send to your team and then make them actually take the training, it's as good as not having it.

Robbz

Sure. So if I have to set aside time where they do a computer based learning, if I can send them an email and they do a 15 minutes CBL cyber based learning module that would pop up like a YouTube video on their computer, they answer a question with how is it being used?

BJ

I mean cost is probably should be.

Robbz

A factor in there, but that is the market. I'm not going to give you a blank check.

BJ

The other thing is to me, I look at security awareness training like professional industries, look at their CEUs, a nurse or an engineer or a doctor or a lawyer, they're all going to have to do continuing education to keep their license. It's getting to the point in my mind where you need to be doing security awareness training or people don't keep their jobs. I mean because we work in a.

Robbz

Small company and we still got to do sexual harassment training because that's what state and governments require, this training. I think another question that would go is what is the training? The basis of the security awareness trainings is mainly phishing attempts. What to look out for, to see with email being compromised, who's trying to pretend to be the C-level manager, how to look for bad links, when not to give your password out. It's what you would think is basic training where people just never have done it before. If you have, I pick on Kathy in the front desk or Mindy in accounting, make up a name, right? They are professionals in a space that isn't necessarily computer related. Maybe they haven't had a ton of experience with email, or if they have, no one's taught them. It's all self learned. They don't even necessarily understand the implications of them typing in one of their passwords to something and suddenly now keys of the kingdom were given out.

BJ

Exactly.

Robbz

If it doesn't do that training, that would be what I would put as the last step of checking your security awareness is what did it do for you?

BJ

So I think that security awareness training is obviously a very key component. But I think even just training people to be more adept computer users would really go a long way towards them understanding what is and what isn't a risk. If they just even know how to more effectively use their computer, they're going to be more efficient for your company, they're going to be a better employee. All the people that I found that are generally computer adept are people that are not. I'm not nearly as worried about when it comes to security.

Robbz

Sure.

BJ

I think it should be probably more than just security awareness training, but specifically, security awareness training is what's called out.

Robbz

In that's the tag name. The ABC soup.

BJ

Exactly. It's the three letters in the alphabet.

Robbz

There that keep getting pushed. You mentioned that you should always have ongoing training. Like even a person that's been there for years, it doesn't hurt to have refreshers. Stuff changes, everything evolves. But check. I mean, if you don't have training for how to use your account and make sure you're using best practices to keep it secure on onboarding, there's so many times where businesses, especially small businesses, because they still haven't understood the swing of things and they don't have the first day's trainings, they miss this. They just say, here's your password, figure it out. Well, yes, they will learn trial by fire. I still feel like that's one of the best trainings out there, even though it's looked upon negatively. I would not do trial by fire. I would say, hey, this is your account. Here's how you use it, here's where you can use it, here's what to look out for. And start day one if you can. If it's not there at the beginning, why are you refreshing other people?

BJ

That's a really good point. I really do think that having some introduction to the security awareness training in the initial day of onboarding actually makes a lot of sense. Like, yes, this is actually what we're looking out for and this is what you actually need to do, and here's why it's such an important part of our company and why it's a culture of employee education. We spend a lot of time training our team because it's very important to have well trained professionals and it doesn't necessarily just have to be industry specific training.

Robbz

So here's a real world example. Someone at, what's it called, ABC Company that we were working with, at least I was working with, worked there for six months. She was great in her position, did her job well. Got no training up front. It was trial by fire. But she's fast on her feet. She's a sharp cookie. Broke measurement expectations of her sales position, but didn't have simple basic, we'll call it CBL or Security Awareness Training at the beginning. So when she got an account, she put everything on a notepad and she was front of the business. Put everything on a notepad right up front and stuck it to the monitor. Just little things that Security Awareness Training would have given. Hey, don't do this. This is how we handle it. We have this cool password manager for you. And someone broke in the building. They tried to find assets to steal from, and, oh, look, they have a username and password right on the front to the bank account, of all things. Now, that's an extreme measure where someone broke into a building. This in real life, maybe that person could have instead shared that account with another person in the company, didn't know she wasn't supposed to, given out information. There's so many little applications that you'd think people say, well, common sense tells you. It really doesn't. When you're in the moment, you've never been told, you don't know what that login was for. There's a lot of things that go wrong.

BJ

Well, exactly. Again, it goes back to all of these things really should start with a pretty basic policy that the company lives and it becomes part of the company's culture to be secure. And most of these things are fairly low intrusiveness to the overall productivity of the company. But they all definitely hugely contribute to that culture of security.

Robbz

Security versus convenience. 15 minutes to do a CBL with some tool that you purchased versus not having it at all. I figured that's an easy buy.

BJ

The fourth one is patching. That may sound like a really simple one, but is Windows up to date? Are your third-party apps up to date? Chrome typically has one bad, they call it a CVE. I apologize again, more alphabet soup. But they typically have one exploit a week that gets released. And so we'll run a forced Chrome or Edge or Adobe Web browsers for.

Robbz

Those who are listening.

BJ

Yeah, sorry. Edge and Chrome are the main Web browsers.

Robbz

How you get to the World Wide Web.

BJ

Are your applications up to date? Do you have software support for your QuickBooks, for Sage, for Activate? There's hundreds and hundreds of different applications out there. Do you have the latest updates installed? Do you have your Windows updates done? Do you have your Mac updates done? It's really important. It's one of the number one threat vectors besides users.

Robbz

My name is Bill. I'm the C-level guy that has to figure out why in the world this matters to me. Sure. It's more than just security. So you hear about someone that makes an exploit, makes some sort of piece of software that can attack day one and no one knows about it. No one's put on the bouncers list that we talked about before.

BJ

You're right.

Robbz

That's why they're patching things and putting updates for security. But there's also stability updates. Microsoft, go through any provider, they have tools that either automatically update or update in the background without you knowing. And if your, for instance, Windows machine hasn't been updated, eventually you'll start seeing your programs are going to crash, stuff's not going to save, files will go corrupt. And instead of just being a security problem where you're worried about someone stealing something from your company, it becomes a how do I continue doing business problem. So if you ignore Windows and all these updates that we're talking about, eventually you get to the point where guess what, my computer is going to be completely down for the count for a day, maybe longer because I had to rebuild it or fix something or call IT department. Keeping those patches up to date makes sure that your system is going to keep running going forward, and the entire idea with tech is uptime. Uptime means you're making more money and the system is making sure to stay available for you to do those jobs.

BJ

Exactly. The other thing is be patient with your IT team because getting patching right isn't the easiest thing to do. It's a very simple thing to do, but it's not easy.

Robbz

Had a real conversation with a director and he said, hey, I got stuff to do. I have a busy life. I don't have time for patching. I'm like, okay, well, I looked at a ticket two weeks ago and you gave 8 hours because your computer was down because you didn't want to patch and you kept saying no. Which was more convenient? 15 minutes to reboot your computer after it patched overnight when you let your IT company take care of it on maybe a Wednesday, or 8 hours because your computer broke and you didn't let us patch it in the first place.

BJ

And that's a big part of it. I also hear a lot like why can't I just buy the perpetual license? Trust me, there are times I wish I could buy more perpetual software for myself. So perpetual means you buy it once, you never have to do anything again.

Robbz

You beat me to the explanation you're getting good.

BJ

I'm ahead of the game here. I know I'm going to get called out for using alphabet soup and not being clear.

Robbz

Sorry. We're going to have a button saying soup.

BJ

Exactly. Yeah, exactly. Alphabet soup. Alphabet soup. Almost everything these days is a subscription. And I recognize that that can start to feel painful depending on how many different applications you use. Trust me, I know. We're a company of seven people, and my software bill is huge. It's a lot. But at the end of the day, I know that if there's a potential threat or an incident or a vulnerability, typically things are going to be patched very quickly. And by paying for it monthly, it's in their best interest to keep me running.

Robbz

When the business of software, it was first modernized because software has been around since there's been a piece of technology, but modern software, since it's been modernized, you go to the store, let's take the Walmart, for instance. Go into Walmart, you buy a disc, you install the disc, and you own that piece of software for, let's say, $100, whatever it cost you. That was a very tangible way of doing things, like movies. I can go buy a movie. I can go rent a movie. It's a piece of software on a physical piece that I can install or play on a piece of media. Software evolved just like everything else has, where even if you have the option to go buy and, quote unquote, own that piece of software, that software only updates in patches and works for a period of time. Maybe it's when Windows updates and no longer supports the old version that you own. Maybe it's some other patch for a third party app like, for instance, even QuickBooks, they don't support back.

BJ

Was it three years?

Robbz

Three years.

BJ

So even if you want to buy now, right?

Robbz

So even if you want to buy QuickBooks, right, and you buy it for, let's say, $350, I don't know what the price is, you go buy it and you own that piece of software, it stops working for what you intended to buy it for after X years, and you lose features as it ages. So they're still pushing patches. You've prepaid for that three years of use of the product, or you just pay monthly indefinitely, and they'll just keep it up to date and keep to the newest version. No matter what you choose perpetual or month to month, it's going to be the same software, the same way they're going to deliver it, and the same expectation if you pay it once or pay it monthly. So you got to have patches, you got to keep it going. They're always going to keep updating that product, even if you have to figure out how to pay for it.

BJ

I appreciate it because it's operationalized a lot of the expenses. So you no longer have to buy a $100,000 piece of software. You can now pay 2000 a month or whatever, and that is your spend. And then you always stay up to date, but then subsequently it's in their best interest to keep it patched and up to date. And so you're hopefully getting new features every single month or once a quarter, every six months, whatever that release schedule is like. So it's not just the protection element, it's also the new feature element as well.

Robbz

Now, BJ, Bill the CFO here again. You said I need to keep it patched. Well, I'm just going to click update every now and again, and I'm going to try to remember to do that. Figure it out, or do you have a better method of keeping these things up to date?

BJ

Oh, man, make your IT person whack buttons for you, kind of joke.

Robbz

Okay, so, no, let's go over the list here. Make your IT department whack the buttons for you.

BJ

So there's a list. Again, to me, it starts with a policy. What's your patching policy look like? We, as an organization, keep all of our software up to date. Every X. Here's our maintenance window for doing it. And this is the published, understood document.

Robbz

Most places recommend once a week having some sort of window, preferably after hours, to get it done. So either you pay a guy to punch buttons we always pick. Was it our motto? We patch on Wednesdays.

BJ

On Wednesdays, we patch. Yes. Right.

Robbz

On Wednesdays, we patch. One, you don't want to make your IT person work on the weekends unless something breaks. Only use him for emergencies. Don't beat him up. Otherwise he'll quit in front of your job.

BJ

Exactly. Have him work for us where he doesn't have to work weekends.

Robbz

There you go. Come call us so you have the rest of the week to choose. You're going to try to do it when you close, so it's try to be after hours. And you can make that IT guy stay. If you close at five, he'll stay there till six and he'll start pressing buttons. Or you can use RMM tools that you can purchase or have your IT company purchase to install on computers; they audit, automatically enforce those updates on a regular basis. Aren't these RMM tools remote monitoring and management? Again, we're not here for more soup. These are just tools that tell you, hey, this computer is working, how it's working, and what patch it's at. So, we have RMM tools on all of our clients, and that's required. We can't do business without the tool. It allows us to completely see what's going on, make sure it's patched, and if it doesn't, it lets us know so we can go manually take care of it.

BJ

Exactly.

Robbz

For your users. Right. You're a user, Mr. Bill, a CFO, all the way down to Kathy, the secretary. They'll just see that they'll come in on Thursday and ask the user to reboot. Or it already has rebooted overnight, which means your uptime is available, everything's working seamlessly. And if it didn't, it notified your IT guy. So Thursday morning, he's already probably fixed it by the time you got your coffee.

BJ

And that's the goal. And actually, we've been working, kind of reworking through our methodologies when it comes to patching. We're doing typically Windows patching. We're considering running it at noon every day. Hear me out, because if you use some kind of patch management tool, what happens is a lot of organizations are going laptop based. And so people, when they leave for the day, or they are done for the day, turn off their laptop, that.

Robbz

Thing gets closed, it's offline. I can't do anything.

BJ

They close the screen, it goes to sleep. And so now it just never gets patched because it's off during our normal patch windows, 9:00, 10:00 at night. We're redoing some of our methodologies to say patch from twelve to one and then don't reboot until end of day, right?

Robbz

So it still does the process and then still either if they haven't rebooted on their own, then it reboots later when you're not in a critical moment of making a sale or doing really hardcore business or worse. I've literally seen these companies where they'll do in the Zoom meeting, they'll just be like, hey guys, ready for the meeting? And then it goes black for 30 minutes, right? Not accept.

BJ

We try to avoid that. And so there's two different pieces of patching. So typically when you say patching, people think Windows or Mac, like Mac operating systems. There's other areas that I would take a look at. So I would make sure that your phones are up to date. So iOS and Android apps are main operating systems are up to date. And then there's something called third party patching. So basically, third party patching is everything besides the core operating system. So Windows or macOS, all your software.

Robbz

Is your QuickBooks, what we call line of business applications. So let's pick on a customer. If I am a garbage truck business operator, right? I have software that manages my customers, all the invoicing, billing, when their trash got picked up, routes. That's going to be called, we'll just pretend, because this is a real company, Trash Flow, right.

BJ

Are you serious?

Robbz

That's actually the name of a real company.

BJ

That's incredible.

Robbz

Their software is old, but their people are great. So you've purchased this from Trash Flow, right. And you want to make sure it stays working and up to date. So either you buy that software and it's your problem, and you got to tell a guy to hit a button or maybe hope that your RMM works on that computer to update Trash Flow. But best recommendation, if you're using that line of business software, that one special software that makes your magic work, you make sure to talk to that vendor and ask them, hey, how do we patch? How do I tell my IT company, how does my IT company integrate with you to make sure that we're staying up to date and Trash Flow keeps working? Because without Trash Flow, I can't roll trucks.

BJ

I'm totally on a tangent now. [email protected], you should not saying it's the.

Robbz

Best, all be all. I'm just using that as one example. It's hilarious. It is. And every business has it. If you're a mattress company, if you're a car dealer, everybody has these special line of business products.

BJ

Exactly.

Robbz

So if you can utilize the people you paid for to make sure it's patched, if they say, well, we don't handle that, probably find a different company. There's others out there.

BJ

It's a never ending game of trying to keep things up to date. It's a never ending task, for sure.

Robbz

Well, last one on our list, unless you got something more to add.

BJ

No, that's plenty. The last one on our list is backups. Typically when people think backups, they think server backup or maybe a laptop or desktop backup. We call those endpoints. What we're finding is, yes, that should be part of your backup routine, but people then go, well, I'm all cloud based, I don't need backups. Well, yeah, you do. There's a reason there are Salesforce backup partners. There's a reason there's Office 365 backup partners. Google Workspaces backup partners. If you look at their terms of service, they guarantee data availability, not data integrity.

Robbz

Right. So let's pretend right, let's go through the metrics of why.

BJ

Yeah, absolutely.

Robbz

Bill, even Bill, the CFO, knows that if he makes a document, he needs that. Bill, we'll pretend that he's a lawyer. Right. He has to make all this paperwork, and that's why they're paying him, is for not only his physical work in the courtroom, but all the paperwork that goes along with it. And if he loses that paperwork, not only does he not get paid from the customer, but he also can get countersued for screwing up the paperwork. He makes a document. That document needs to have a copy in case anything happens. It could go corrupt for no reason. It could, someone, Kathy the secretary, deleted it on accident. Whatever it may be, it's there. So if you have, quote unquote, cloud tools, that's like OneDrive, Google Drive, something for business that tries to make that available online to you. They, like BJ just said, assure it'll be there. Not that that didn't go corrupt, not that Kathy didn't delete it and remove it from OneDrive. Not that you think of it as a backup copy. It really isn't. And there's tools that attach to these things, whether it's Google Drive, OneDrive, these are Microsoft or Google products for business. They have backups for those. So if you say you're part of the cloud, okay, we're still asking, where's your backup?

BJ

Well, exactly. Our typical methodology for how we handle.

Robbz

Backups, BJ always is typical because we try to standardize everything, but there's always going to be some sort of snowflake out there. So you'll hear this word, typical. It's because that one dude will have some weird business case where you have to go atypical. Just so you know, not everybody is cookie cutter. We know there's business cases for everything.

BJ

But we try really hard to stay within a pretty straight methodology internally because so for us, we see customers as either premise based or cloud based. The reality is our premise based customers. So on premise is anything inside your building. So servers that are running some kind of application for your business. So ERP, warehouse management systems, practice management, tax platforms, there's hundreds of different types of line of business applications out there. So for us, most of our clients are again hybrid or cloud based. So premise and hybrid is your server is attached to like Office 365. It keeps things nicely integrated, it's very smooth. Some things make a ton of sense to host in the building. Some things make a ton of sense to host in the cloud. To me, email is one of those things that makes a lot of sense to be in Office 365. I don't want to be hosting your email in your building. It's too big of a risk for you not to have it.

Robbz

One more piece to the alphabet soup, acronym soup: in cloud, on premise. On premise you explain quite clearly, you have a physical box. Whether, let's pretend you're a dentist office and all your X-rays are saved on a computer, that's on premise. If you think in the cloud, anywhere that that data would be saved on an application. If you log into your email for Office 365 and you don't have a box that controls that email, that's suddenly in the cloud. It's not held physically in your office next to your X-ray machine. It's held by Microsoft and you have a copy. All these tools, we call them SaaS apps, more and more acronym soup, software as a service, you don't have to install the software. It's probably on the cloud.

BJ

Good point. And I forget that cloud is one of those acronyms because it's been around.

Robbz

For so long, people are so confused, they get glossed over. What's the cloud? I don't know, I'm staring at it.

BJ

Yeah, right. Why is it cloudy out? That's cloudy with a side of meatballs. The cloud is literally just anything that's outside your building. So that could be QuickBooks Online, Office 365, Google Workspaces, Amazon, that's all technically the cloud because it's somebody else's computer.

Robbz

So if I have on prem, right, if I'm a dentist office, I have X-rays and I want all my data backed up, what are the options?

BJ

As with all of these things we've talked about so far? So if there's any one of these that's a specific product, there's tons of different options. We specifically do a methodology called a BDR, so a backup and disaster recovery server on site. So it's a separate physical device on your network that reaches into your server and backs it up. So we take a snapshot of all your files and what's called a point in time. So it's an image. It's like taking a picture of a stream. You have a picture of what that stream looked like at that moment. And so that's how we take backups. We specifically use Veeam at the moment.

Robbz

There's a ton of those.

BJ

Yeah, there's hundreds of options out there. It happens to be what we use, and there's a lot of other really good options out there.

Robbz

So for the dentist office, since that's what we're talking about, is the BDR. Dentist office has his files and his X-rays on one box, one computer that's shared between the office. Everybody accesses them. On that one box, you have a device you put in there called the BDR. It makes copies of that box in case that server, that computer dies and the hard drive is blown. You can't recover it. Now you have a copy and you can spin that up, meaning you can turn that copy on at a moment's notice. Most of these take within a couple of hours, to quote, unquote, spin up your copy. And with that, two hour downtime is all you had. Your whole server, your whole computer that had all your X-rays on, all your data, died. Now you have a new box you can spin up. Well, people would ask, what happens in the, if a tornado hit me? Wasn't there a tornado somewhere over in California there that they've just never heard of?

BJ

Oh, yeah, there was something at Montebello a couple of weeks ago. So it was about 50 miles from our office.

Robbz

Yeah, you got just a random tornado and you're not in tornado alley, just hits you, some act of God, your building lights on fire. All of that was that was on the box for your dentist's office. And the backup copies are gone. The good BDRs make another copy. So not only do they copy a machine locally, but they also copy something back to that cloud again. So you have two copies of every copy that it actually makes, one on site on that little device that you could spin up in a moment's notice if you need to, and another off in space waiting to be pulled down if they have to.

BJ

Correct.

Robbz

Going through the scenarios again, it's always, worst case scenario, your server dies, we can spin one up maybe in a couple of hours, both die. Whether it's from a fire, something happened, both of those devices, as an act of God, burnt out. We still have another copy in the cloud. If you're doing the correct BDR device.

BJ

Correct, again, going back to having a policy about it. So the backup policies that we write are very specific to. We have a generalized one that we apply to everyone, and then anything more specific than that gets discussed with a client and what their specific needs are. Again, tons of different acronyms out there. There's going to be RPO, so that means recovery point objective, like, how much data can you afford to lose? And a recovery time objective where it's how long can you afford to be down?

Robbz

I know business is the dentist's office. He's got a lot of appointments. He's got like three teeth cleaners alone in one corner of his building. And if his computers aren't down, he's not taking x rays, he ain't making money. So that dude probably has no tolerance for his stuff failing.

BJ

Well, or if you have a manufacturing company that's doing $100 million a year, if they're not able to produce for 4 hours, that could be a couple of hundred thousand dollars pretty easily.

Robbz

There's a metal manufacturing company I did work for in the past in another life. And literally I sat down with them trying to talk to them about backups. He's like, oh, I don't think we need it. I'm like, So okay, if I go flip off that server and it doesn't go on for an hour, how many dollars are you paying to the 27 people on the floor that now can't do their job?

BJ

Exactly.

Robbz

And immediately clicked. So what can't you afford to go down? Is how you measure it and then the spend. So the amount of data versus a dollar amount, if I have 1 TB versus two terabytes, there's going to be different plans. You'll hear from your IT executive or whatever tool you're using, but it's important to ask how long when it does go down, yes, I pay for all of that being covered. How long will it take to spin back up?

BJ

So that's the premise side of the backups, and then the non premise side to me is the, are you backing up your Office 365? As more and more people go to fully cloud based files and folders, file sharing, email, people are way more upset about losing an email anymore than almost anything else. It's a function of can you afford to be without it? And it's part of why we personally require email backups at this point for our clients. But it's something that I highly recommend. One of the big questions I see on almost every single cyber insurance questionnaire is what's being backed up and how frequently is it being backed up and how fast could you come back online?

Robbz

And that's where you can save some money. So some businesses you can talk to, like, I've talked to an auto mechanic, I'll pick on the trash company versus his auto mechanic. The auto mechanic, he had his invoicing done every three days, meaning that he physically wrote papers with him and his team of what they did and try to submit it to their secretary. And every three days she came in and filed them all. So they didn't need but one backup a day. They didn't have to pay an exorbitant amount of money to make sure that every 30 minutes there's a new backup. They don't need that. They need once a day. And that was all they needed for their IT spend. The trash company, they had two check ins with their trucks because they have tablets and whatnot. The route goes out in the morning to the tablet, and then they could go drive and deliver and then it tallied once at the end of the day when their trucks were done, when they got back. So they needed two backups a day. It's not just, we're not crying wolf saying you need all the backups you can get. There's real business conversations to save you money. If you only need it once a day, only do it once a day. But if you're going to be, I pick on the lawyer. Lawyers make so many incremental changes to so many documents that probably every 30 minutes for these really high efficiency lawyer firms is necessary.

BJ

And there's many ways to kind of attack that, and some of them aren't expensive and some of them are expensive. So it comes down to make a policy that makes sense and then talk to your team and figure out the technical way of making this happen.

Robbz

Here's what I need. Figure it out.

BJ

Yeah. Again, your IT person is going to be thrilled if you go, hey, I have a policy around backups that we were thinking of implementing. Could you help me figure it out? I'd be thrilled. Most IT people want to be involved in the business conversation, but they don't know the language. Teach them how to talk to you.

Robbz

They're not as suave as you, BJ. I mean, really, they just need more hair, obviously.

BJ

And I'm struggling over here to come up with good terms for small businesses.

Robbz

I don't know. You nailed that bouncer one.

BJ

The bouncer one. I'm proud of that.

Robbz

We're going to copyright that one. That's fantastic, man.

BJ

Yeah, I'm going to use that going forward. I was pretty happy with that. But most of this stuff isn't sexy, it isn't flashy. But if you have a plan for it and you do it, you're going to be in such a better place security wise, and IT wise, your stuff's.

Robbz

Just going to work. All your focus is going to be left with just making money.

BJ

Exactly.

Robbz

Make it easy. Let the security be there so it's not an inconvenience in the future.

BJ

And then back up your IT person as a company. This needs to be happening at the executive management level. Like, this needs to be the policy at that level. And then it needs to be, we're backing up our IT person to make it happen.

Robbz

The last thing on backups that I like to talk about, we talk about disasters, what happens when that breaks or fails or something goes corrupt. But you know what's really used for backups most of all with these customers? It's not when stuff fails, because that rarely happens. The real thing is when Kathy the secretary has been working files all day and she clicks and drags and accidentally deletes or moves a file. The most of the time when we're, for the IT people here, we're letting you in on something. You call in saying, hey, I just had that file yesterday and now it's gone. Where'd it go? I need a backup immediately. That is what we do on such a regular basis. People are like, where is it? Okay, let me pull up the backup. Here's your copy. Okay, please don't delete it again. And then you move on. That amount of efficiency could be thousands of dollars in some of your work where you're missing a file. Something got deleted just from everyday activities, from either I'm missing an edit because I worked 2 hours and the document was moved in the wrong spot to some new guy decided to click and drag the wrong folder and make it go poof.

BJ

Oh, seriously? I will say 95%, 98% of our restores are non emergent restores. It's convenience based restores.

Robbz

And we say convenience. Trust me, when you're looking at 8 hours of real work in convenience based restores, us being able to take 30 minutes and pull that up could mean real money to a customer.

BJ

Well, it's days of work recreating. So that's part of why for us, we have for at the local level, we're doing something called previous versions. So on all of your file servers from Windows, they have the option to do previous versions. It allows it to take snapshots 2, 3, 4, 5 times a day. And the user can self restore files.

Robbz

Yes. So you don't have to call us. You can just right click it and go, okay, here's from Tuesday. And then you just get yeah.

BJ

It typically takes like a five to 10% space premium. We typically have ours set up for two to four times a day, depending on the client, and then going back usually 30 to 40 days. It saves so much time having to go into an actual backup platform to restore data. Talk to your IT team. You can enable it, make it a policy. It's a fairly inexpensive way to save your bacon, for sure. Actually, it's a free way to save your bacon.

Robbz

Free. That comes with the normal Windows licensing.

BJ

It's built into Windows.

Robbz

Licensing. Turn that on, use the extra space. It's 5% is not bad for your.

BJ

Equipment in a day of basically free space. Well, that's part of why online backups are pretty cool. Or online file sharing. So with SharePoint and OneDrive, it's what we happen to use, right, there's previous versions baked into all of it.

Robbz

We'll have to do two episodes. One, we got to do it on insurance. I know there's going to be a bunch of people listen, like cyber insurance. I've been hearing about that. My guy called me. We got to do an episode on that. And then we have to do probably, I don't know, two separate episodes. One on Microsoft 365. What it is, how you use it just as a high level, why it benefits your company, and probably one other one for Google.

BJ

We could do an entire podcast series on just Microsoft. We could. And the tools that they bring to bear for small businesses.

Robbz

We got to keep at least one high level because Bill's attention span. We talk exactly what I'm saying.

BJ

Well, again, our goal is to provide high level I'm actually a little concerned that this took as long as it did. I thought we would be done in ten or 15 minutes and we're solidly 45 minutes to an hour in oh no.

Robbz

You see, you got a long commute in the LA traffic. Ladies and gentlemen, this is easy listening. BJ sounds good.

BJ

Oh, that's right, I got my new podcasting mic.

Robbz

Right.

BJ

I'm doing my baritone.

Robbz

Well, before we get to the last segment, we didn't do a little deep dive on you. On us, I should say. I'll start again. Robbie Olsen, work for Etop Technology. Love working for, in the MSP space. I've been, again, in IT 14, 15 years. Wearing a lot of hats. I used to be head of Research and Development for an Internet service provider. Done a lot of different things. Kind of an IT generalist, like to have the ability to start and fail at something new every day.

BJ

Oh, goodness. Amen to that. My full name is William Pote. My dad never call him William. If you call me William, you're not friend William. I'm okay with if you call me Bill, we're not friends.

Robbz

Bill. That's a CFO. He's a different guy.

BJ

Yeah, exactly, like Bill is fine. It's just that was my dad's name. So I'm either William or BJ. As you've heard Robbz refer to me as BJ quite a bit. My wife and I have owned Etop Technology for a little over twelve years now. Previous types of jobs, I've been a blacksmith for four or five years, so had a really kind of long tenure doing that. Did a lot of subcontract work.

Robbz

I'm learning about this right now.

BJ

Yeah, right. Sorry. Should have given you the too long, didn't read.

Robbz

I knew you were kind of buff, but I just thought you were working on it, you know what I'm saying?

BJ

I have done that too, about 13 years ago. Went on a kind of a rampage to lose a lot of weight. Lost a little over 120 pounds. Well, some of it's creeped back. Apparently being an IT business owner with two small children is kind of hard on the physique. But working to recapture that. I love the game of business and I love technology. It's so interesting. We in the office figure out problems.

Robbz

We call him the Squirrel because he thrives. Just feeds off of new and cool ways to make your life efficient. Literally. He'll just pop in like, Rob, you got to show you this. And then he'll just squirrel off on this sweet new way that he improved someone's life and day to day chores.

BJ

We use a very substantial suite of tools to improve how we deliver operations and hopefully improve our clients' lives. And it's always trying to learn how do you optimize it? How do you integrate a thing? Can we take what we do for ourselves and bring it to our clients? I love technology, and I love business, and I love talking to people about this.

Robbz

Well, it's a pleasure to meet you. Now, before we disappear, this is a heavy topic. We're going to do more of these evergreen episodes where if you're thinking about something, you are not a technical person and you want to make a business decision, we're going to help you along the way. But at the end, maybe we'll keep this, maybe we won't. I'd like to do a little bit of tales from tech support just as a giggle. So I select, scour Reddit, something else for some actual story of what happened to someone else, and we'll give our take on it. But I'm a manager of a grocery store. We have multiple automated self checkout machines. One of our machines was down in a coin dispensing error. I opened the machine up, did everything I was shown in the past to clear errors, and nothing worked. One of our other managers called the IT department, and they will call us back in under an hour later. They got in touch with us, with the tech, with some fixes for the machine and do over the phone troubleshooting. About 15 minutes later, I walk up, and one of our employees is on the phone with the tech saying I asked her, Is everything okay? She's like, yeah, everything's okay. The tech had me clean the inside and blow out everything. I look over, and there's a can of WD 40. And I asked her, did he tell you to spray it out with condensed air? She says, yeah, it's right there. No, this is WD 40. That's like spraying grease in there. I kid you not. It was like watching people die inside video in real life. Just notice at that moment that that machine is now pooched. Well, at least it's not going to squeak anymore. And then she walked away.

BJ

Wow.

Robbz

So if you're talking to an IT person, know that they don't see what you see, and they're trying to interpret with your words what's going on. So be over articulate. Even though it may seem it's annoying, we love you narrating everything you can read and see. So if you say, hey, I want even to the point of let's use a dust air can to blow it out, read them what's on the can, tell them the brand.

BJ

Amen to that.

Robbz

Don't spray WD 40 into tech equipment.

BJ

Well, our job is our job is literally just it's to interpret what we're hearing or what we're seeing. And try to give you the best outcome. Yeah, that's a really good point. Oh, man, that's so funny. WD 40.

Robbz

Well, BJ, do you have anything else from the business playbook?

BJ

From the business playbook? Honestly, I think over if you're still here. Thank you. I really appreciate it. I didn't expect for it to go nearly this long, but at the end of the day, we appreciate you listening and we're going to get this fine tuned. So this is version 1.0 and thank you.

Robbz

Subscribe for more, get push notifications to your phone so you don't miss content like this and we'll keep on guide. If you have a request, you'll find in our show notes the contact information. Email us, reach out, let us know what issues you're having we can bring up on the future episodes or cover something without having to use a ton of alphabet soup.

BJ

Amen to that. I appreciate it so much and have a great day.

Episode Notes

Cyber Insurance is a big deal for all companies these days. Here is a list of 5 basic controls that go a long way towards helping you secure your company and also be insurable!

  1. MFA - Multi Factor Authentication
  2. EDR - Early Detection and Response software
  3. SAT - Security Awareness Training
  4. Patching - Patch macOS, Windows, Third Party applications
  5. Backups - Backup Office 365, Backup Servers following 3-2-1 rules (3 copies, in 2 places, at least 1 offsite)

While the above is not a 100% guarantee you will be secure or get Cyber Insurance, it will dramatically increase your chances!

For more episodes go to http://businesstechplaybook.com

Find us on Discord: https://discord.gg/cWx5m6DSMQ

Find more on LinkedIn: https://www.linkedin.com/in/william-pote-75a87233

This podcast is provided by the team at Etop Technology: https://etoptechnology.com/

Special thanks to Giga for the intro/outro sounds: https://soundcloud.com/gigamusicofficial