Business Tech Playbook

#18 – Security thats Budget Friendly

10 months ago
Transcript
Speaker A:

This is the business tech playbook. Your source for it. Help for your business. BJ, I am so excited for our Christmas party. We're recording this before it and I know, right, I'm telling you what, I'm going to come in in full ugly sweater. How about that?

BJ

I mean, as long as you have more clothes on than just your ugly sweater, that's all I really care about. You. We have to prevent HR violations ultimately.

Speaker A:

Well, I'm your host, Rob Zolson.

BJ

And I'm your host William poet, Etop Technology.

Speaker A:

Topic is security and how you can save some money on it and doing it on a bit of a budget. Now, there's a reason why you don't see this as a tagline out there is because anybody that's a security expert, they're not concerned with the wallet. They think to do business. Money is no object to your intellectual property. And don't get me wrong, that's a great person to have as a knowledgeable expert. But when it comes down to brass, tax, your money matters. And if we can give you a few options to help reduce the pain on your business wallet while still remaining equally as secure, we're all for it.

BJ

Amen to that. Well, I actually saw an ad on LinkedIn the other day that said, become an MSSP. So acronym alert managed service security provider. So it's a lot of advertising into our space saying you can become an amazing managed service security provider by just adding this tool. When anyone says you can become an MSSP in one day by just paying for our tool, my shenanigans alarm goes off. And honestly, I made a lot of fun of them because I'm going, that's not true. So much of good security is, is it configured properly? Are you doing good security? And there are tools that you absolutely need, but so much of good security is just doing the basics right and consistently and then doing it again and again and again.

Speaker A:

Well, we have some fundamental rules to give you as like tools or tips or a way to approach this. First one is we're not going to tell you all different types of tools. We're not going to say, hey, here's a list of options you can go spend money on, because that's not really saving money. You should be looking at what we call the stack. The stack is your stack of solutions to run your business. So we want to quote unquote, thin the stack, which is not normally a conversation. That would be something that we talk about in security, but we want to thin the stack and utilize the stuff you're already paying for, so you're not double paying someone else to do the same thing 100%.

BJ

We've been running through this exercise internally pretty heavily, where we realized that we kept adding on tools and we never really went through and made sure every single tool was configured properly. We never went through and made sure we did buy into the, oh, buy our tool and you'll become a security provider. And then we've had to start really stepping back and going, all right, how can we? You have too many tools. It becomes a lot of technical deficit, technical sprawl, where you just don't know where anything is. And so you can add on an av, you can add on antivirus, you can add on managed detection and response, you can add on EDR, early detection and response, you can have a phishing tool. You could have 50 tools in about two minutes. But if you already have some of these tools baked into some of the software that you're paying for, let's see how fast we can walk this back. So that way you're not overpaying for things, and it also is a lot less to manage. So managing the tools that you have more effectively becomes a big area of being budget conscious.

Speaker A:

So, terrible analogy. Incoming.

BJ

Bring it on. Let's do it.

Speaker A:

Imagine that you're a police officer and you're wearing a bulletproof vest. It doesn't pay to get three more bulletproof vests on top of each other. That first bulletproof vest that you paid for is going to stop the bullet. And adding three more is probably going to make you uncomfortable, slow, and cost a lot more. So let's thin the jacket, shall we?

BJ

That's actually a really good analogy, because if you have too many security agents on your office equipment, so your workstation, your computer, basically, computer, laptop, whatever, server, as an example, one of the antiviruses we use that we're slowly phasing out when we run a file transfer with it. Let's say a terabyte of file transfer takes four and a half hours. We turn it off and run just the basic built in windows defender. And that same file transfer happens in about 22 minutes. Like, okay, this is having a really heavy impact on that machine. And actually it can start tying into your time budget. So it's a cost thing and a time recovery type thing.

Speaker A:

If you're going to college and you want to become an IT expert and you're going to a class called intro into cybersecurity, the first thing that they sit down and talk to you about is this. They should be talking to you about if they don't in your particular class, is the balance between productivity and security generally. You move that toggle over to the left. The more secure you are, the less productivity you're getting. You move that toggle to the right, the more productive you are, the more risks are involved. So you got to find that happy medium and not double pay along the way.

BJ

I was talking to somebody who runs incident responses. Shout out, Hannah, if you're listening to this. She runs security incidents for a very large, very large organization. And at one point, she worked for a casino. She basically said, you know, working in the security incident section, security response section of the team, if the business called for opening all the firewall ports because they were going to make a billion dollars that weekend, they opened all the firewall ports because the risks of something happening did not outweigh the rewards of something happening. And I'm not saying you should do that. I'm not saying open all the firewall ports because that's not necessarily a good approach either. But it's constantly, like you said, Robbie, finding that balancing point of secure enough while staying efficient enough.

Speaker A:

Every decision you make in business on Security is a balance between how much money is it possible with that? I'm willing to risk doing something. Am I willing to risk paying a sales guy going out looking for sales for the opportunity that he could find that sweet customer? That's a business risk you already taking. Now do that same application against security and really hear out why we do things along the way. Now, the second rule of thumb that we have is trying to measure costs. Instead of just saying, oh, here's a $20,000 cost that we just got to pay up front. We like to take and essentially cut all security costs in your budgeting book. And your budgeters should already be doing this by applying it per employee. So if you're a ten person shop, each security asset adds how many dollars per employee, and that should be spread to a flat cost that you can actually divide between. And when you take on a new employee, you know exactly, because you already have a matrix built of what that's going to cost you. If they're going to be using your tools, it's already a flat, fixed cost that you know it's going to cost this much per month for that new employee, and you can fix that right into their wages and other HR benefits you have to pay for as well.

BJ

Well, and that's one of the reasons why working with a managed service provider can be a really good way of approaching it. So let's say, for example, we start at around $200 per user per month, and that handles all of the managed it and all of the security we provide. Are we a full managed service security provider? No, I wouldn't claim that, but we are really good at what we do. But now, you know, when you hire a new person, it's their salary and benefits, plus $200 a month for ETop. Great. Now you have a pretty clear point. Okay. Now it's a $3,000 computer. So you get them a new computer, pair of monitors. Now, you know what that cost is, and you know that that's going to come out about every three years. So now you're paying about $1,000 a year for a new equipment or 80, $85 a month. So you figure you're probably paying about $300 per user per month when you factor in computer replacements, managed services, security email, all that kind of stuff.

Speaker A:

Next rule of thumb that we would like to put out is check with your cyber insurance. If you're paying for cyber insurance that insures you when stuff does go wrong, inevitably, and you're not matching the requirements, you're literally throwing your money away. Because if you're not matching what they require and you make a claim, they'll go, you didn't follow our list, we're not doing any of this. And then you'll go, well, then why have I been paying you for so many years? And they're just going to say, not our problem, we told you so. Contact your cyber insurance, because that does nothing without following their rules.

BJ

Well, and a lot of the cyber insurance providers I've been seeing lately are doing some basic vulnerability management. So they're scanning the outside of your network, making sure that you're as secure as they can tell. A lot of them are even including, like, security awareness training. They're including a lot of the incident response plans. There's a lot of things that those insurance providers, by you just even having cyber insurance, they're giving you as part of that plan, because the more they train you and the more they help you prevent an incident, the less they have to pay out. So really, that's a good, really great point. Like lean into your cyber insurance provider and broker for them to give you as much as you possibly can get for free or included in that yearly cost.

Speaker A:

Let's take two industries. These examples that we're going to give today are more generic examples of stuff that you would need. In most businesses, every business is their own snowflake and when you sit there and measure those costs, especially when you talked about per employee, they're not going to be the same. You have to check with your industry. So if you're, let's pretend a law firm, something that's real secure, and you need to keep all of the information of your clients confidential, maybe even medical files. With HIPAA, you're going to have a different per employee cost per month for security and technology than say, a retail flower shop per employee, a metal manufacturer per employee. I mean, put every business has a different cap x that they spend per employee, and this is just going to help with most. If you want more details on your specific one, please reach out to us, etoptechnology.com. You can find us. We'll help you out with your questions or cases.

BJ

If you happen to, like, discord, pop in, talk to us. Probably the most interesting thing, and gratifying thing being the owner of e top is getting to talk to a ton of different industries and learning how different industries like finances work. So we work with one client who does huge amounts of tile distribution. They do like 80 million gross revenue a year. But then it's interesting seeing how much flows to their bottom line, but how much gross revenue they have to run to generate a dollar versus like a CPA. Or they might have a lot lower gross revenue, but what's flowing to their bottom line as a percentage is much higher than a tile distributor.

Speaker A:

Pick a restaurant, even. I mean, any industry, they're all different.

BJ

Well, like yesterday I literally had, one of our clients is a CNC shop, and one of their clients asked, are you iso 27,001 certified? Which he then forwarded to me and I immediately called him back and was like, hey, so, no, you're not. But I mean, they have like five people working in their shop, seven people working in their shop. For them to be iso 27,001 certified could be a 2030 $50,000 thing per year that they have to deal with. But I mean, they're dealing with a potentially million dollar a year client.

Speaker A:

Is it worth it? Again, that's the business conversation. I'm sorry. Now, going into these, one thing that we want to talk about up front, I'm going to talk about the general rule of thumbs of what we're going through with the security conversation we're having. There is a reference tool for the government, Cissa. You want to tell us more about that one? Bj?

BJ

Absolutely. So CSA Gov is not a, it's not like the FBI in that it's a full department or bureau, but they are doing the Cybersecurity Infrastructure Security Agency where they provide huge amounts of resources and kind of guidance to all of the other major, all of the like Homeland security, FBI, NSA, they provide a lot of cybersecurity guidance to those organizations, but then they also provide a huge amount of guidance into your water. They have an entire cybersecurity awareness program toolkit which we can link in the show notes that basically has different materials for your audience. And so there's a lot of really amazing materials on their website. I know our team is subscribed to all of their vulnerability emails simply because it gives us an idea of it's something that's coming out. Some of the emails don't apply to us, like we don't do anything with data systems, but if something comes out and I see a vulnerability for chrome, you better believe we're on that. So it just provides, it provides a free resource for you to know what's coming down the pipe, what types of tools do we need, that kind of thing, and it's a free resource for you.

Speaker A:

Again, the link is in the description. Check that out. Now, the first thing on the list that we have is something that traditionally would be expensive. If you're a small and medium business listening and you're considering purchasing or already have a security analyst, and for some reason you have massive budget cuts, we can't pretend that any tool is going to replace a real human and a real agency to be a security analyst, that's the best. But if you're maybe a small business that hasn't got that step, and you like to make sure that something's watching your data, something's watching what's happening, having a tool like Huntress is extremely valuable for a first step into that security analyst side without going full kilter to pay for that agency.

BJ

Well, absolutely. And this is areas where having the right tools implemented properly, and then here's the thing that you need to hear, 100% deployed, every single endpoint that you can needs to have these tools on it, because that's what keeps things from spreading laterally across your entire network.

Speaker A:

It's like you're in a boat. Why would you not want your entire boat waterproof? Just one hole is fine. Just see how long you float, brother.

BJ

Just the left hole needs to be waterproof. The right one can be like made out of a sponge.

Speaker A:

Before we get questions, can you explain a little bit to the listeners of what Huntress does?

BJ

Sure. So huntress happens to be the tool that we've chosen there are other tools that fit into this category that are really good tools, but for us it's managed EDR. So early detection and response with a human paying attention to it. So they're paying attention to processes, they're paying attention to files, they're paying attention to a ton of different indicators. So they call them iocs, indicators of compromise. So when they see a new IOC come out, like log jam, they're out there scanning all the devices for that. If they perceive that there's an active incident happening on an endpoint, they isolate it and just lock it down so it can no longer spread any further. But they have a 24/7 follow the sun model where they literally have people paying attention to endpoints. And then if something happens at 02:00 in the morning, they call us, they isolate the machine and they call us. That's about as good as you can get with having a 24/7 security operations team.

Speaker A:

Yeah, and this tool, you can find other brands that do it. Huntress is one of our favorites for sure. The tool is EDR we've talked a little bit about before. It's endpoint detection and response.

BJ

It's that early detection and response. Well, sorry, just have to make it's.

Speaker A:

Endpoint even on their website.

BJ

Brother, you're right. Oh, son of a gun.

Speaker A:

But yes, early detection response was the original tagline. They're calling it endpoint because that's what one company was selling to directly for computers. But still having that tool is on there. Having a listening device to watch everything that's happening and then having a real world team flag things before they happen is gold. So this you would put right alongside something like Windows Defender or your other antivirus. Other companies bundle their own EDR solution into an antivirus as well. So look for those. But Huntress is just one example we'll give you that is much cheaper than a security analyst does not replace them, but at least get your toes wet if you haven't been there before.

BJ

Also like there's sophos, MDR, Bitdefender. Pretty much all of the avs are going to have some kind of EDR tool baked in. Now even Microsoft Windows defender, if you're running the P one license, has EDR elements. So basically a lot of what makes it that endpoint and early detection and response is the fact that they're doing process review. So they're paying attention to things that are running on the cpu, in the memory, things that typically most AV only works on a file that's on your machine, where the EDR is really different, as it's paying attention to what's running on the machine. That never gets saved to a file.

Speaker A:

I mean, take a traditional managed service provider such as us. We're an it shop for other businesses.

BJ

We're not traditional. We're as anti traditional as they get. And I'm joking.

Speaker A:

Take one of them, pretend it's not us for a minute. Let's say they're super advanced, let's say it's a common MSP. They have ten employees, they'll have 600 to 1000 endpoints. Do you believe ten employees could possibly know everything that's going on at all times of 600 to 1000 endpoints? They use a tool like this that does real world detection with a team helping them. So they get a dashboard, they know what's up, and those ten employees, nice, quick and reactive to what's going on. So that is a secret sauce to our business right there.

BJ

Well, that's exactly it. So what makes a managed service provider tick is efficiency and having tools that allow us to reach into all of our customers effectively at once. So standards are huge in our space. So if you look at each one of our clients, I can walk you through how they're almost exactly the same on the back end. So to the client, they look unique and special and custom. But to the managed service provider, us, like we train our team, our clients are either cloud or premise. But if they're cloud, they look like this. They're sharepoint Onedrive, business premium, intune autopilot. That's how they're set up. If you have a very heavy premise based, it's. Here's how the firewall is configured, here's the types of servers we use. We're all Dell Poweredge. You're either going to be 445, 47, 40, depending on your need. Standards allow us to build automations and be able to see around the corner.

Speaker A:

Next on the list. That is something that's normally been expensive for quite a long time has been encryption. For those that need business encryption or have not tried it before, it used to be quite an expensive task. So the idea is you need to make sure that your data stays in your hands. So you need to encrypt the data so they have to have a key, if someone gets a hold of it, to be able to access it. If they don't have the key, there's no way of getting to it. This is what businesses, governments, healthcare industries, all use, legal industries to protect the data, to make sure it's not getting stolen. Ransomware is also using encryption on your computer. So if your computer has not already been encrypted, the infiltration to your computer encrypts the data, keeping it away from you. And then they try to ransom your data away from you, and they'll give you a key back for money. Governments can't decrypt the data, so they end up with the cyber insurance companies paying out to these hostages, excuse me, hostage negotiators, for the key to decrypt your computer. So it's a great, easy security step to do encryption. But it used to be very expensive. You have to pay for different types of tools, like semantic. It used to be very expensive. Now, again, really recommend Bitlocker. Bitlocker comes with Windows for free. As a licensed product to your Windows computer, it is a great way of taking care of it that doesn't cost you a dime if you're not doing it. It's a free tool that comes with it that you should already be enabling it. If you want to talk about things you can do to secure your system, that costs nada. There you go.

BJ

So this is something we just enforce kind of across the board for all of our client base, because if somebody walks in and steals a laptop or desktop, I want that to be useless without the key. Right. I don't ever want to have to come back to my client and say, well, we screwed up and didn't encrypt something. So now you have to go do disclosures. You know, it matters. So here's a way that you can save money, right? So if you have business premium licenses with Microsoft 365, if you use their intune management, you literally can enroll the device and it will pull that Bitlocker encryption key up to the cloud. So that way your it professional can manage it. And now you can force guarantee that that machine is encrypted and not the bad kind, the good kind. But now, if that laptop gets stolen out of somebody's car, you're not having to go file a disclosure with whatever your governing body is.

Speaker A:

You know that that was taken care of. I've also had people ask me in this same type of conversation. Well, don't you magical guys in it have like, a nuket button where if it gets stolen, you press a button and the next time it logs in, it just wipes the computer? Yes, but that stuff's expensive. They exist. That's a thing. But it does not do near as good as a job as just encrypting it in the first place. And encrypting it with the Bitlocker doesn't cost you anything. Those crazy tools that will nuke a computer remotely don't work 100% of the time. They have to be connected and they're very expensive.

BJ

So here's the thing, except if you're using Microsoft Business premium or that business premium licensing, so you literally can go in and say reset device. The best part is that you can lock that device's hardware hash. Sorry, I know nerd terms. I apologize. Such a nerd. Every machine has its own unique identifier that they call a hardware hash that gets locked into Microsoft's 365 and every single Windows machine before it logs in checks in with Microsoft and goes hey, do I belong to someone? And if it's in your 365 tenant you basically can leave it there. And if the bad guy logs in and tries to reinstall windows they can't use it like they connect it to Internet. That thing is locked down and never usable dead hardware. It's amazing. And that's all part of your $22 per user per month license that you're going to pay for anyway because you need it. It's a free feature that you don't have to pay extra for.

Speaker A:

Now when we say don't pay extra for businesses need email, you're getting your email. And almost all businesses use some form of either word, Excel, PowerPoint. That all comes with your office 365 subscription that you're already paying for per user. And what we're saying is that's already part of a plan you're already paying for because they have like basic, they have business premium, they have different packages. You're probably already paying for the package that includes these tools. And if you're not, it's not much more to include these for us.

BJ

For us, we've been including business standard up until this last year and now it's like we're just having everyone move up from standard to premium because that premium license can do so. Not to sound like a Microsoft shill, but I mean I basically have built my entire business around using Microsoft products.

Speaker A:

And those that listen to this being that hey, we're a Google shop. Google's got these same tools brother. They are another centric tool where you get your email, you get your hosting, they have these same encryptions and remote wipe. So check that one as well. We're definitely more fans of Microsoft in here.

BJ

Definitely.

Speaker A:

Except for he's not holding a gun to my head, I promise. Next one on the list, especially for small business, you won't believe when we walk into a shop saying, hey, we're having some it issues. We really like to onboard you guys as being our IT department. And what we do is a point of discovery. We're not just going to say, absolutely, I'm going to be your it guy. We want to know what's going on before we say yes, we can do that, because then we can give you a plan of how we need to either upgrade you, change, you adapt, so we're ready for your business. So we go through a point of investigation where we see how many computers you have, see what age the hardware is, see what's on those computers and the software running. That way we're not going blind into starting a company. And when we do some of these, you won't believe that the businesses that still are out there purchasing individualized antivirus keys just as though you went to the website, bought a single key for your grandmother and her computer that she plays solitaire on. The same licenses are being purchased for business. Those retail licenses are expensive and don't have a lot of features. They're intended. So they're taking care of the most common things for grandma and your personal use computer, and they really don't talk to each other. So the first step that you should be doing that is a lower cost is moving that let's pretend that you're using something like Avast, something that we don't use. We're going to pick on something. Almost every brand has a corporate version, a business version of their antivirus, that instead of you buying individual keys for each computer, you instead have one management console where you have all of the antiviruses talking to each other. Right, in a business console. And generally that lowers the cost an entire digit per endpoint at five, $6 per endpoint. It depends on what you can get, but it does lower the cost drastically, give you a lot more tools, and more importantly, they can communicate with each other if there's a network breach of some sort.

BJ

In most situations, even if the cost is the exact same, having it centrally managed, the big value to you is that you can have consistent application of policy. Like literally one of the biggest issues that we see besides business email compromise, which is a user driven problem, is an inconsistent application of security policy. Like, oh, the CEO doesn't want us limiting whatever they have to be able to have their firearms or whatever. Okay, we'll allow list that. That's fine, we don't have a problem with that. But when somebody's above the law, as it were, or somebody's above the I don't need security on my machine. I'm smart. That's your breach, that's your incident place. And even if they are smart, it's that inconsistent application of policy. Every single person in a company needs to have multifactor av edr.

Speaker A:

Let me use an example. It's not even about security at this point. It's also about productivity. I'm going to put out some hate out there. I personally detest Webroot. I hate the product to my core. It has been a bane of my it existence since I've been a professional. It's awful. You want to print things, it blocks it, it's got false errors. I've never been a fan. Come hate me for whatever. Webroot sucks. So I've been in a business where they have a 50 person business and they have a new vendor, they have a new customer, and they need to access something for that customer, a tool for the vendor, and suddenly web root is blocking it. Well, guess what? If it's in this corporate console that you have for all these endpoints, you as an IT professional can sit down and go allow vendor, allow this website, allow access to this, and then it deploys to all 50 computers like that. So it becomes a two minute issue. And now it's suddenly resolved in ten minutes versus if you had those individual keys and suddenly it's blocked. Now your it guy has done a better part of a day and a half going to each of the 50 computers across the company to set an exception on every individual computer. It's nonsense. And you're spending more money for it most of the time.

BJ

Well, and that's exactly it. It's the ability to do global things instantly. We can create a policy at etop inside of our security platform that can be applied globally, company, site, user, or department. So if accounting happens to need, I don't know, some terrible, they need the trustee app that is basically like just, I recognize why banks use it, but it is basically a horrific app for computers. But we allow it because they need to be able to do online banking with their bank, right? So we're not going to allow anyone else in the company to use it. But if the three people in accounting need to, we can create an exclusion for accounting folks. And the best part is we can pull that exclusion up and then use it for other people that use that same app.

Speaker A:

So that's, you could say, better than, the best step is if you're already using this awesome 365 suite that we talked about before in the last tip. You can simply use Microsoft Defender included in the subscription plan. If you're using a Huntress EDR, a Microsoft corporate defender, which is very much different than that free Microsoft Defender that you get on the computer. Very different. Then you have a security that you don't have to pay something extra for. You can manage policies through your 63 65 portal and not pay a dime extra.

BJ

So in the whole budget consciousness and saving money thought process. So I want to be clear, Windows defender that comes with a pc is actually really good. Would I recommend it for grandma? Absolutely. Don't pay for Norton, don't pay for symantic. Give grandma Windows Defender, turn all of the settings on. It's going to be a really good value for the money. Right? It's free and it's in many cases better than most of the paid Avs in a business environment. It goes back to can you globally apply policies? And that's where you need to have that p one licensed defender. It's centrally managed, you can provide global policies and it also gives you a ton more analytics on what it's blocking, what it's doing, how it's functioning, that kind of thing. So if you're really struggling to save money, at least have Windows Defender on your machine. Is it not having it centrally managed? Great. No, but it's actually a really decent included Av.

Speaker A:

Just for the sake of time, we're going to see if we can get through these in our allotted time that we don't have to listen to us all day.

BJ

Sorry. Yeah, we can drone on about this stuff forever.

Speaker A:

There are access tools out there that people have used so they can access their computer, so they have different keys. I'm going to just highlight this one. Access tools so people get into the computer. People can access information in certain places. If you're not already using the Microsoft included Windows Entra, what used to be called Azure ad for domain password management. You should get on that. And they also have Windows hello to make it even easier. So instead of just you typing in your password, you can do a piN number, I believe, a pattern. They have the face recognition like your phone does, so it can see you fingerprint recognition and that's all included in your Microsoft subscription. You don't have to pay know extra $5 a month per employee for this type know corporate access.

BJ

So exactly to what you're saying. So first off, Windows hello, it's Windows hello for business. So they have the basic one included, kind of like Windows Defender in every Windows ten installation. Windows hello for business is actually something that is manageable by your IT team at a global level. So you can enforce people to do a pin or face or fingerprint scan, whatever. And I think what you're referencing here, Robbie, is the other identity management tools like Okta or I'm drawing a blank on others.

Speaker A:

There's multifactor ones as well, like Duo. There's a lot of different access tools.

BJ

And really in this case, Microsoft Authenticator with baked in with Azure ad is an amazing tool and again it's all included in that area. I am sounding like a Microsoft shill again, but basically biz premium is pretty much the best value for money license you can get in my opinion.

Speaker A:

Another one that people pay a lot for is secure file sharing. Some businesses require a certain level of encryption for secure file sharing due to HIPAA. If you're in a medical know different secure file sharing, especially in the legal affairs that people need to have subs confidential and don't need to have information get leaked out. Secure file share is just a good habit to be in. If you have anything sensitive you want to share out, that's just not plain text. These tools can be very expensive and this tool is built in with your Windows subscription. Who knew another one? Yet again, using the business driven OneDrive product, you can actually share a link, have it authenticate to the other person's email, or give a secure link that can expire however you want to handle it. This can be done by OneDrive and if you're a Google shop in Google Drive as well, these are already included in. Now check your industry for your requirements. They publish the level of encryption and exactly what the Microsoft OneDrive tool does. And you need to be able to know is that what you have to have for your specific business. 90% of businesses it's encrypted to the point that they need.

BJ

The other thing that you can do is Microsoft includes purview, which is a true encrypted email solution as part of Business premium or their e three licensing. And you can do add on licenses for lower tier email subscriptions, but honestly just pay for the little bit higher licensing and they bundle in a ton more products. But that purview you can do like brackets encrypted in the subject line and it will do a fully encrypted email outside and you can control can they print it off? Can they forward it? There's a lot of control you have in that data loss prevention mindset. And again, it's all baked into making sure that you have that one main tool of yours or that one license. I mean, it's 100 tools paid for by one license. Making sure that the tools that you have are set up in the most effective and maximized way.

Speaker A:

Yeah. And just to paint out if you've never used a secure file tool, back in the day, I actually saw a business that paid $500 a month for three users to be able to send their secured files. That's a lot of cheese for three people to be able to send secure files. It's not that bad. Any not as bad anymore. But just saying that, why pay double when it's already possibly part of your suite? Another one on the list that I want to put out that we're not going to save you money on today. If you want to have a conversation on security and anybody brings up the word firewall, note that your checkbook just has to come out. Firewalls. If you're listening to this. And we'll do an entire topic on firewalls. Firewalls is the gate to your business. That is the front walls to everything that goes in and out digitally from your business. I'm holding my phone like it's a firewall. So pretend that because you can't see me. Of course I have to have a metaphor for our camera.

BJ

But you have one camera that nobody can use.

Speaker A:

Yeah, you have one block, that's grand central station for your business. That blocks everything in and out. That is not the piece to save money on people. You're going to need to purchase a device that not only is fast enough to be able to handle the amount of traffic coming in and out of your building, but also going to have to have the licensing to keep it up to date. Because a box that doesn't do anything isn't protecting you. You have to have it licensed. I've had so many people say I just bought a firewall off of Amazon and when I log in, it's not doing anything because you didn't pay for the subscription, it's not turned on. So get the appropriate firewall in date and under support. Make sure you're paying for the subscription and make sure it's activated and configured properly. Sometimes you have to buy these through a third party. You have to contact an MSP, someone secure and they'll configure it for you. I'm much less against people just purchasing a box, getting it set up once and forgetting about it. They should have someone make sure that's up to date and have a maintenance contract on your firewall. If you're not doing that you're not possibly getting the patches, they're not adapting to changes that's coming out there. And again, it will soon, not as soon, but soon come that dummy box. Again, you need to adapt to changes as much as everything else. So firewall is not the thing to save money on people. We're going to put that asterisk out there.

BJ

I will put one small asterisk on that that we've been toying around with the idea of doing a basic router on the edge, with the caveat that every single person's using zero trust applications. So walking back into that, if every single person's using zero trust, what's happening is every single bit of traffic is being scanned by an external platform, and then it's routing the traffic wherever it needs to go.

Speaker A:

You're just moving the firewall at that point, brother. Instead of a box in a building, you just move.

BJ

True, but I mean, the firewall is basically sitting in the cloud at that point.

Speaker A:

Either way, you're not cutting a discount on these things, but you almost need.

BJ

It that way nowadays because with so many people going work from home, remote work type things, it's actually a lot faster and more effective to do that scanning in somebody's data center. Right? You're moving to a firewall in the cloud, basically.

Speaker A:

But, yeah, that is the path. Now, the exception to the rule, if you are a three person mom and pop shop that sells ice cream on the corner and all you have is a computer that handles your quickbooks and a point of sale thing, we understand that spending $4,000 in a firewall, however astronomical, probably isn't in your budget category. And this is the first time that you're considering listening in to these tech guys and you're thinking, hey, man, I really should get something started. If you're just that one person shop and you want at least something to get you started, there's a company that I've used in the past called firewalla. We'll have a link in the description. Firewalla sells small, nice grade firewalls that do at least the basic necessities for maybe a couple computers. This is not an enterprise solution. I do not recommend replacing this for a real firewall. But if, again, you're just a simple business where you just need to check, log in and check your bank statement, something, that is where I would start for the smallest mom and pop shop.

BJ

Well, probably the number one thing to do with security is to start somewhere and keep doing it. You don't have to start with everything we've talked about. But in your organization, if you can just say, hey, we require everyone to use multifactor anywhere that you can. Even if you're just using a free like Google Authenticator, Microsoft authenticator on your phone and you go into GoDaddy or your bank or wherever and just scan the QR code and so you have that rotating six digit code. That's improvement. Most modern applications let you do multifactor. You just have to go look for it. I wish literally everyone would enforce it, but go look for it. And if you just make that the culture of your business, this is the one big thing we're going to do to prevent accounts from getting stolen. Everyone has to turn on multifactor for everything.

Speaker A:

That's huge.

BJ

I want to say high five. Congratulations, you're better than most. It doesn't take a lot to be better than average.

Speaker A:

I can't remind enough. I have customers that explain why are we doing this as I'm setting them up because they just got hired in one of our companies that we service, hey, why do I have to have this on my phone? What is this for? And I give them the easy explanation. I say, imagine that someone tries to log in from India, Dubai, another country, and they try to log into your account and they could guess your password. People are pretty good at guessing passwords. That's why passwords only go so far. So they luckily randomly guess your password. Maybe they got it from somewhere. Maybe they just guessed it. They're now in your account. This is one more step to send a notification to your phone saying, hey, were you trying to log in? If so, could we get that fun code from you? Stops everybody that's trying to get into your account right out the get go in the best form of security we can give you. So Microsoft authenticator works for the 365 suite. Even in your personal life, if you can find something like I for personal use, use a Google authenticator and that backs up my authentication codes. I use it for my social media accounts. I use it for this podcasting host that I'm using now. Anything that I have that I type a username and password in, the first thing I'm going to is I'm clicking settings and asking, does it have multifactor? Because then I know that later I'm not going to have to go call my mom and say on Facebook that I'm not selling my house and that that's a scam artist because I set up multifactor authentication, right.

BJ

Exactly. Now I'm embarrassed I didn't set it up on the podcast host. I'm going to go looking. See, even I forget to do it sometimes. Here we go. By the time we are done with this podcast, I'll have added another multifactor code to my.

Speaker A:

And if that's all we can get.

BJ

You guys watch how fast it goes. All right, I'm going to name it. Yeah, it even made that sound in my head.

Speaker A:

It did. If that's all we can get you guys to do, that's listening is just set up one more account that you use online for multifactor authentication. We did our job. We can sleep well at night.

BJ

But that's the thing. Security is that easy. It's not easy, but it's simple, right?

Speaker A:

We've gotten to that point. It used not to be. Now it is. So. And appreciate it.

BJ

I'm that much more secure by even thinking about it. I didn't think about it. You mentioned it was possible, and in this conversation we're a little bit more secure.

Speaker A:

Well, I don't think I have anything else to add other than have a great day. Multi factor up. Check out the links in the show notes. We have the CISA government resource. I think we added a link for Firewalla. Check out etoptechnology.com. If you got questions on your specific use case and you want to feel more secure and have a team helping you out, businesstechplaybook.com. You'll find the link to discord.

BJ

We'd love to work with you, or even if we just want to say hi and talk to us and learn a little bit more about security. That's what we're here for. That's what we do.

Speaker A:

Share with a friend. Voucher soon. Thanks.

Episode Notes

For more episodes got to http://businesstechplaybook.com

Find more on LinkedIn: https://www.linkedin.com/in/william-pote-75a87233

This podcast is provided by the team at Etop Technology: https://etoptechnology.com/

Special thanks to Giga for the intro/outro sounds: https://soundcloud.com/gigamusicofficial