RUN YOUR MEETINGS LIKE A CEO


In this podcast, Brian Gill – computer scientist, entrepreneur and angel investor – talks about what we’ve learned about cyber security as a result of the COVID-19 pandemic … and what we need to think about now as we come out of the pandemic environment. Brian is the chairman of Gillware, which provides cyber risk assessments, data recovery, incident response and digital forensic services. He reminds all of us that you need a firewall between your computing devices and the world. Virus protection isn’t enough. Yet a recent security research study showed that, with so many Americans working from home for the first time, there has been a 40 percent increase in the number of devices open for remote access that aren’t behind any firewall.

      So if you want to know:

      • Why logging in with just a user name and password isn’t enough
      • The whole story about backing up data
      • Why thoughtful user permissions – even for the CEO – make sense
      • The benefits of a cyber security insurance policy
      • Questions to ask when you’re hiring an IT security person

       

      About Brian Gill

      Brian Gill is a co-founder of Phoenix Nuclear Labs and served on its board until it spun off SHINE Medical Technologies. These two companies have raised more than 100 million dollars of venture capital. He currently serves as chairman of Gillware, which provides cyber risk assessments, data recovery, incident response and digital forensic services.

Brian’s career in cyber risk management began in his basement when, with a friend, he started looking at what they could do to provide security. Today he assesses the cyber security of businesses of all sizes by looking at the presence – or absence – of multi-factor authentication, the need for and approach to auditing backup processes, user permissions and other factors. With the rise of cyberattacks today – especially with more people working from home – Brian believes in taking on cyber security one step at a time. As he explains, “We just need to get better. We don’t need to get perfect.”

       

      About Lois Sonstegard, PhD

      Working with business leaders for more than 30 years, Lois has learned that successful leaders have a passion to leave a meaningful legacy.  Leaders often ask: When does one begin to think about legacy?  Is there a “best” approach?  Is there a process or steps one should follow?

      Lois is dedicated not only to developing leaders but to helping them build a meaningful legacy. Learn more about how Lois can help your organization with Leadership Consulting and Executive Coaching:
      https://build2morrow.com/

       

      Thanks for Tuning In!

      Thanks so much for being with us this week. Have some feedback you’d like to share? Please leave a note in the comments section below!

      If you enjoyed this episode, please share it with your friends by using the social media buttons you see at the bottom of the post.

      Don’t forget to subscribe to the show on iTunes to get automatic episode updates.

      And, finally, please take a minute to leave us an honest review and rating on iTunes. They really help us out when it comes to the ranking of the show, and I make it a point to read every single one of the reviews we get.

      Please leave a review right now.  Thanks for listening!

      Transcript


      Lois Sonstegard:


      Welcome everybody to today’s Building My Legacy Podcast. I am with Brian Gill. Brian Gill is a computer scientist, he’s an entrepreneur and an angel investor. Brian began really in his basement with a friend I believe-


Brian Gill:


      True.


      Lois Sonstegard:


… and started looking at what is it that you can do to provide security. So he provides cyber risk assessments, data recovery, incident response, digital forensics; that has to be huge and interesting. You have also been co-founder of Phoenix Nuclear Labs and served on its board from its inception until it spun off SHINE Medical Technologies; you’ve raised over $100 million in venture capital for companies. So, Brian-


Brian Gill:


      Well, I didn’t personally do all that Lois.


      Lois Sonstegard:


      Okay.


Brian Gill:


      I’m surrounded by a wonderful team of people who could take a lot of credit for a lot of those things more than myself. But I’ve been blessed to have some amazing teams that I’ve worked with.


      Lois Sonstegard:


      Okay, perfect. I’m glad to hear you say that, because we tend to think we have to do it all. And so I think the ones who really do best are the ones who have teams. And so I appreciate your saying that. Brian, as we get started, the whole issue of cyber security is huge, I think coming out of this pandemic, everybody is having some sort of thought about that. If you would just share a little bit about your observations, things that companies need to think about, we’ll probably be doing work a little bit both ways, both virtually as well as in workplace. So what do we need to think about?


Brian Gill:


Yeah, so especially with the most recent thing that’s going on, as obviously millions or tens of millions of Americans are now working from home for the first time. And a lot of the security systems that should have been in place, or possibly were in place when they were behind that company’s firewall, there’s been a tremendous new amount of exposure. There was another security research firm that published that the number of open RDP, or desktop computers that were open for remote access not behind any firewall, spiked 40% just in the last couple months and-


      Lois Sonstegard:


      Oh, wow!


Brian Gill:


… and the number before that was flat for years and years and years and then it just went up. And what that means is people are at home and they have their desktop or their laptop and they are just legitimately on their cable modem or their Wi-Fi there, and their machine’s operating system says, “Hey, go ahead and remote desktop into me and all you need is a username and a password.” So it basically creates a tremendous field of opportunity for the cyber criminals now. A lot of those hacks are happening right now. Probably tens of millions of boxes are under attack with cyber criminals trying to just guess usernames and passwords to log on to these boxes. And when they’re on, then they’re going to try to get access to the company servers, they’re going to try to encrypt everything, they’re going to try to destroy backups, they’re going to try to hold that company ransom for their own data back, they may threaten to release the information publicly if another ransom isn’t paid.


Brian Gill:


It’s happening a lot and there’s definitely… People need to be very concerned about their internet safety at this point. And there’s a lot of adjustments that need to be made in a hurry.


      Lois Sonstegard:


      Okay, so what are those adjustments that need to be made in a hurry? Because I think… As I listen to you I’m beginning to scramble thinking about what is it that I need to do? So…


Brian Gill:


Yeah, everybody should be a little bit scared. That’s healthy. So first of all, I mentioned it, we need a firewall between your computing devices and the world. And ideally, that’s going to be a hardware firewall. I talk to people sometimes, they’re like, “Oh, I have my Windows operating system firewall on.” It’s like, “Yeah, that’s not going to cut it.” We really want… And it doesn’t have to be something crazy. Even something like a consumer product like an eero, E-R-O, they make these devices. You can enable them with security and turn them into a firewall. And it is a piece of hardware between your modem and that. So, that’s the first thing we need. We need to be cognizant of whether or not we have remote desktop enabled on our desktops and laptop computers or our servers. And why would we want it? Is this a box that you’re commonly remoting into? Well, then turn it off if it’s not. We need… And a lot of people think, “Oh, I run Norton Antivirus,” or whatever.


Brian Gill:


Those types of AV solutions are good, they’re better than not having them, but they’re not really there to protect you from the modern type of devastating attack that we’re seeing, which is typically happening through phishing of credentials or brute force hacking of credentials. So the second big category of stuff people need to worry about is user authentication. So, if how you log into everything is just a username and a password and that’s it, it is not good enough in the year 2020. It’s just not good enough. Every single service that you use, even for your personal life, like your Facebook account or your Twitter account, you have to enable multi-factor authentication. And it’s as easy as having a smartphone app on your phone like Google Authenticator, logging into your Gmail and saying, “Hey, when I go to log into my Gmail…” You want to be able to be prompted for that rotating digit code on your app, which is always changing and it’s unique to you and that service.


Brian Gill:


      And not only do you need your username and password, but then you also have this one in a million, or one in 10 million chance to guess this code. And it is usually free to turn it on and download the app. It’s going to add about five seconds of annoyance every time you log into stuff. But when you’re talking about your PayPal account or your bank or your Facebook or your Gmail, that five seconds is the price we pay for dramatically increased security. Right?


      Lois Sonstegard:


      Wow!


Brian Gill:


So it’s super easy and even better. So what I tend to do these days is I’ve got this little key here. It’s made by a company called YubiKey. And again, I don’t have any relationship with this company, I’m just peddling their wares for free. But you can buy these things for about 50 bucks on Amazon and it will do password management or passwordless entry for you. And when I go to log into something on my phone, I have to push this little button and it knows, “Okay, that’s Brian, he has the physical key in his possession.” And if you don’t have the physical key in your possession, you can’t log in.


Brian Gill:


      So if you’re a bad guy who’s not in my house with my key, you’re going to have a problem. If you’re me and you lose the key or put it through the laundry machine, I’m going to have a problem. It’s a minor annoyance that I have to carry this thing around with me and I have to back it up of course. But all these little things add up to again, dramatically increased security. And the third major category is, I think I saw the latest estimate is maybe 20% of the world’s data is backed up right now.


      Lois Sonstegard:


      20%?


Brian Gill:


      Yeah, it’s really low. And it continues to surprise I think everybody, how little of this stuff that we generate is backed up. But we need to get automated backup processes that are happening on all of our critical systems especially for our businesses. And those backups need to get put to a different network. So some people say, “Oh, I back all my stuff up to an external hard drive and it sits here.” That’s not a backup because when the bad guy gets on your box and they encrypt everything, they’re going to smash that data on that external drive as well if it’s on the same network. Good security starts with the assumption that someday this box is going to get hacked.


      Lois Sonstegard:


      Okay, got it.


Brian Gill:


We’re going to work hard to prevent that from happening, but that second evolution of thinking is, “Okay, so when this gets hacked, what’s going to happen?” Right? So you need to have very thoughtful user permissions. Should the CEO have access to every data store in the company? Well, from an executive perspective, “I’m the executive, I need access to everything.” Do you? Is that healthy? Is it okay that if you need access to certain accounting data or certain marketing data, is it that hard to ask an IT administrator for temporary access? Or ask somebody from that department to log in? So having thoughtful user permissions is super important. But yeah, so backups. The thing about backups is, they have to be automated, it has to happen without you doing anything, because we’re busy, some of us are lazy-


      Lois Sonstegard:


      We forget.


Brian Gill:


      … we forget, we get distracted. “I mean to back my data up once a month and it’s been seven months.” So, you need an automated system that’s going to grab those important things that have changed and push them to a different computing network. And you’ll notice a theme to all of this. We need to make sure that there’s a multi-factor authentication to get into those backups so that you don’t just need a username and password to get into them, you also need some other level of authentication so that the bad guys will be stymied even if they get into one network and they can do some damage, they really can’t get at that backup. So, at least you’re not going to get held ransom for your own data access, because your backups are safe on a different level of network authentication with multiple levels of authentication. The most important thing about backups, this is something that almost nobody does, especially with companies 100 people or less, is those backups need to get audited, where you actually pay your IT provider to do mock restores of this data intermittently.


Brian Gill:


      And maybe once every three months, you pay them for five or 10 hours of their life to actually walk through the restoration processes and find out how long is it going to take us to be back up on our feet if some of these systems crash or if we have some sort of cyber attack? Is it going to be an hour? Is it going to be eight hours? Is it going to be four days? You don’t really know unless you’ve tried. And sometimes you’re going to be surprised. And you also need to make sure that they’re complete because one of the biggest problems with backups is what we call configuration drift, where some IT guy sets up a bunch of backup systems three, four years ago, but Lois has changed her CRM, she’s changed her accounting from QuickBooks to Drake, she’s made a bunch of adjustments. And those backup configurations have not adjusted along with it. Had you done an audit and said, “Okay, where’s my accounting data? Well, all this stuff is from 2016. Oops, let’s go adjust that configuration.”


Brian Gill:


      So making sure that that audit happens where a human is going to go look at all of your critical five or 10 or 15, critical business systems and actually… That’s my son running in the background.


      Lois Sonstegard:


      It’s great.


Brian Gill:


      You got to make sure all those systems are complete and current and how long is it going to take us? And if you don’t pay an IT person to do that, you’re just not going to know. And so, one of the main businesses I run is called Gillware Data Recovery. And we help primarily small businesses and some enterprise customers, when they have these disasters where they all of a sudden have a traditional disaster where a server dies or a human makes a mistake and accidentally deletes a bunch of critical data. And then they thought they had a backup and then they go to that backup and it’s incomplete, it’s stale, it’s old, it’s moldy, it’s not sufficient. And they’re often surprised. So, two thirds of our clients, when we ask them what ha… They’re like, “Oh, the data was backed up, but not this one thing or not this system or the backup was… It turns out the backup was on a weird tape system and that tapes been broken for years.” That kind of thing.


      Lois Sonstegard:


      Wow! So, Brian, there are a lot of startup entrepreneurial companies, at what point do they really begin to think about some of these things?


Brian Gill:


      Yeah, that’s one of the hardest-


      Lois Sonstegard:


      Because it costs money, right?


Brian Gill:


It does cost money. And it’s one of the hardest questions. An MSP, or managed service provider, is probably going to cost an organization $1,000 a month, even when you have three or four people. So, it’s definitely a big concern. In general, I think that, when you look at a healthy organization, they’re going to spend… Depends on the industry, but two to five percent of their revenue is going to get baked into their IT systems. And a lot of those are going to come with efficiency and they’re going to come with collaborative tools and automated marketing systems. So, a lot of it is going to actually help the organization make money. So it’s not just sunk cost poured down the drain. And a lot of that is… So, there’s a couple things to think about. One, if you’re doing B2B sales, are you in one of these industries where your customers are going to start to demand to see your disaster plans and your cybersecurity plans, because this is becoming more and more and more common. You might not have any choice at some point.


Brian Gill:


If you are one of the 300-ish thousand small businesses in America that is working for the defense industry, you’re going to be forced to go through a new regulation that just came out this year. I think it’s CMMC, that is going to… Even if you’re making a nut that gets… That you’re five stages deep in the supply chain, the United States government has decided that it is not going to accept any disruption of their supply chain from the cyber stuff. So depending on where you are in the process, you’re going to have to achieve certain levels of audited certification in this stuff. And this is a trend. My little data recovery business, all of our enterprise customers demand our internal security documents and our internal security audits and our network topology documents, because why? They’re sending us their data and they trust us, but they also need to trust that our networks are secure and that we practice good sanitation with their data.


Brian Gill:


      So, it’s a trend that if you’re doing B2B sales, you’re going to at some point, just going to have to just stay in business, especially the bigger your customers are, the more likely they are to demand this kind of stuff. I think an easier way to think about it though, is when do you go buy that business insurance for the first time?


      Lois Sonstegard:


      Oh well, yeah.


Brian Gill:


      That moment, where it all of a sudden makes sense to spend a couple thousand bucks a month to have insurance for different types of disasters for your business. And that’s probably a really good moment to say, “All right, I’m going to take some of this same budget and apply it to preventing a lot of these IT disasters.” And it should go along… A lot of people don’t have a specific cyber insurance policy. So if you’re a more mature business and you have business insurance, you might be surprised that your general business insurance is not going to be all that helpful in any kind of cyber attack. So you should probably be calling your broker and finding out what it’s going to cost to get a cyber insurance policy.


      Lois Sonstegard:


      Well, there’re so many things that people really need to think about. And if you’re in small midsize business, you’re so focused on growth. And I think coming out of what’s happened right now with the pandemic, people are going to hit that road running, trying to make up for lost time as fast as they can. And so these kinds of things are the things that get pushed back and may not be thought about. The timing is perfect, isn’t it? For somebody to do some hacking right now and to do malicious work.


Brian Gill:


      Oh yeah, that industry is booming. There is more and more and it’s almost exponential growth in the cyber criminal market. It’s a great business to be in.


      Lois Sonstegard:


      So tell me, it’s a great business to be in, you would think also that because it’s a great business and we have so many people that are vulnerable, that the government would have a greater role in finding these crooks and stopping them. But why is that so difficult?


Brian Gill:


Yeah, it’s really hard. So, one thing to understand is when you go to pay these criminals, you’re going to pay them with anonymous cryptocurrency, specifically usually bitcoin. And it’s a platform that is designed to be anonymous, where you’re going to push this many bitcoins to this big wallet and unless that wallet is registered with a North American exchange or something, you’re not really going to know who that is. And it’s really easy to set up a new wallet and just always take those payments anonymously and it’s really hard to track them down through the payment side of things. You’re not having a briefcase full of money and the FBI guys can jump out of the bushes when you come to get the briefcase. It’s anonymous cryptocurrency. The second thing is they are very good at… They know that at some point there’s going to be some security folks trying to figure out who they were based on the IP addresses of the hacks. So they’re very smart about daisy chaining themselves VPN-to-VPN-to-VPN.


Brian Gill:


And a lot of these VPN sources are anonymous VPNs out of countries that are not going to cooperate with North American authorities. Right? So, they may not even track the traffic at all. So, even if they were to cooperate, they’ve designed their VPN to not track anything. So, good luck. So, you’re not really going to be able to grab them that way, you’re not really going to be able to nab them through the payment side of things, it becomes very, very difficult. They have to make a mistake, and the good news is that there’s a lot of humans and there’s a lot of organized humans. And those organized teams of humans that are perpetuating this problem, they’re going to make mistakes and they do slip up, and a couple of them have been caught when they went to turn their illicit cryptocurrency gains into hard currency in some country.


Brian Gill:


And they started to see some trends with, “Okay, they were sloppy.” That this wallet is dumping their money at this physical ATM, because there are cryptocurrency ATMs in a lot of countries including the United States, where you can walk in, scan your wallet and get cash. And that’s an opportunity, but the reality is that it would be easier to spend more money on playing defense. Should we play offense? For sure. I would love to see the United States government spend $10 billion a year staffing up security researchers to go play some offense to try to track these folks down. But there’s also a lot of international issues. Some of these hackers are state actors, in countries that are enemies of the United States. If you’re in North Korea and you’re having a hard time raising money to do anything because you’re under international sanctions, this is a good opportunity to take a couple hundred people, get them all trained up in hacking as best as you can and turn them loose on the global economy. And some of these payments are huge.


Brian Gill:


I was talking to a client just two days ago and it was not a huge client, it was not a huge company, a couple of hundred employees, and they got their network hacked, they got it ransomed, their backups were destroyed and the bad guys wanted $360,000 to unlock their data. You do that five or six times a day, that can turn out to be many tens of millions of dollars a month. And if you’re in some of these countries where you’re looking for more money for your missile program or whatever you need money for, it’s a great opportunity for them. So even… So, we know some of these state actors are doing this. But should we go to war with them? Should we start dropping bombs? It’s a very difficult decision because we’re actively trying to get out of these countries and stop being at war. We’re in a cyber war. Does that deserve a kinetic response? These are tough questions to answer. And it’s just so much easier just to play defense in my opinion.


      Lois Sonstegard:


      Well, we maybe haven’t gotten to the point of having enough pain yet, to say that on a large scale we need to deal with that at a national level more aggressively by going after these people. But at some point it’s going to be on a larger scale unless you’re right where-


Brian Gill:


Well, they’ve already taken out like the city of Atlanta and the city of New Orleans. Some of these hacks have been against huge organizations, huge cities, state governments; maybe five or six months ago I think a couple of dozen districts in Texas got ransomed. It’s definitely… They’ve hit us pretty hard and there’s been billions of dollars of these ransoms paid and then tens of billions of dollars of productivity loss and reputations lost and jobs lost and companies closed. It’s been pretty bad. It’s not as bad maybe as COVID, but it’s certainly… It just keeps getting bigger and I would like to see more spending at the federal level to arm a lot of these cities and municipalities and little counties up in Wisconsin, where their whole…


Brian Gill:


      Some of these places, they’ve got computer systems that run things like dams and now you’ve got some international criminal on a computer able to open and shut dams or controlling the power utilities or the grid, it’s definitely nothing to… It’s really important and they don’t have the budgets in Northern Wisconsin to spend the kind of money on the types of systems that I’m talking about. So it would be… This is one of those opportunities where the federal government could really step in and arm these places with the types of defenses and just provide them.


      Lois Sonstegard:


Wow! It’s awfully sobering to hear that because I have often wondered how vulnerable we are from an electrical grid standpoint and water standpoint as well. So, I listen to that and I go, “We could have a great deal of damage that we’re not prepared for.”


Brian Gill:


      Yeah. And a lot of these systems have been breached and the criminals just haven’t pulled the trigger because sometimes they’re just trying to breach things to see if they can breach them. And they’re happy to have that access in their back pocket in case they need to use it someday. So, those industries along with the defense industry are certainly much better off than almost most and they’re exponentially better off in their defenses compared to small businesses, entrepreneurial businesses, businesses with 100 employees or less. That’s where the real problem is right now.


      Lois Sonstegard:


      Brian, how about phones? Many of our phones relate to our computers and we’re doing more and more work on our phones. So, how is that protected?


Brian Gill:


      Well, again, so the first thing to understand is that one of the big problems and we haven’t talked about it is what we call patch management. So, there are a bunch of associations out there, some are white hat and some are black hat. So they’re the good guys or the bad guys. But there are the good guy security researchers and the bad guy security researchers who are trying to figure out ways to break into phones and they find them. And they find them every once in a while and you’ll even see them in the news. There’ll be some… Jeff Bezos got his phone hacked.


      Lois Sonstegard:


      Right.


Brian Gill:


Okay? Jeff Bezos. If you can hack into his phone and get access to all his personal emails and personal pictures and corporate information, how safe is yours? They got Jeff Bezos. So, it’s a very valid question. And when we’re talking about consumers, the good news is we’re not nearly the target profile of a Jeff Bezos or of a United States senator. We’re just not at that level where they’re going to be huge, huge targets. But the bad news is a lot of us aren’t patching our phones. So, when they find these exploits, they release these notes and then they’ll say, “Hey, there’s a new version of iOS or there’s a new version of your Android operating system that has patched this security vulnerability.” And sometimes you look at people and you look at their phones and [inaudible 00:29:15] that phone for eight months. So, it’s a pain in the butt, it takes forever and they just don’t do it. So, again. And just normal operating systems have the same theme, where you have these vulnerabilities and you need to patch these things, even the firewalls I was telling you to buy earlier.


Brian Gill:


      There was some news last week that a major firewall manufacturer had a bug of this type and exploited this type where the bad guys could gain access to manipulate the firewall and just open up some doors for themselves. So, any computing system has a chance to have these vulnerabilities and they find them and then they patch them and we need to be very cognizant about patching these things faster.


      Lois Sonstegard:


So, I think the other big challenge is if you’re in… Let’s say you’re in healthcare, because that’s a highly specialized field. You’re very into all the treatments, the procedures that need to be done. You’re not into this kind of information about how hackers do hacking, how do I protect my system? So Brian, if I were in the healthcare business and I was interviewing, I know what questions to ask of a specialist I’m going to hire. I don’t know what kind of questions I need to ask about the IT people I need to hire. So what are some key things that people need to think about?


Brian Gill:


      Yeah. So, I would say first things first. So, whatever industry you’re in, there are going to be specialized software companies that provide the platforms that lots of these folks run on. There’s hundreds of them in healthcare. My wife’s a radiologist and they don’t write their own software to organize the CT scans, right? They buy that stuff. And there are specialized companies out there that will provide not only that product stack, but also more and more commonly, those cloud services that everybody thinks are great and they are great. It’s a great idea. So, it’s a wonderful thing to be able to offload that hardware maintenance to somebody else and have an economy of scale up there. So definitely, if I was trying to hire some IT folks, that might be a call that I would make is to my vendor of my major system.


Brian Gill:


      So, if I was a bakery and I had a point of sale system, or if I was a veterinary clinic and I had my whole veterinary maintenance stuff, call that provider and say, “Do you have a list of recommended IT providers that are very familiar with these systems specifically and maybe service dozens or hundreds of other veterinary clinics?” Versus trying to find somebody in your backyard who’s done a bunch of work for a bunch of different verticals, who’s not as familiar with the needs of that vertical. And yes, that provider might be remote, but that’s becoming less and less important. Now, that does not absolve you from backing up your data because this is where the problem lies, is that is a trend that’s happening where small business-


      Lois Sonstegard:


      I was going to ask you about that. What do you do about all these remote people like India or wherever?


Brian Gill:


      Yeah. And again, if you need your desktop support, laptop support, it’s harder and harder to find that provider who is going to just drive to your office and help you with that specific piece of hardware. That’s definitely a pain point. And there are definitely good things about going to that local provider. For certain industries, it’s going to be required. But when it comes to what I was going to say about the cloud, we need to make sure that you as the business owner are still responsible for understanding how that data is backed up to a different network. And I would say, you should be hiring a different third party to house that so that you can ensure it’s actually happening. One thing that’s true, is a lot of these verticals have been hacked. So, they’ve pooled hundreds of these dentists under this one platform, under this one cloud and if the bad guys can penetrate that network, now they’ve done the work of being able to ransom 200 businesses all at once. And we’ve serviced quite a few companies in that specific situation. This is not something I’m making up, this is happening.


      Brian Gill:


      So some of those businesses, maybe had third party backups of their own data and did not have to pay and then most of those businesses, were relying on that cloud provider to do the backups. Like, “I don’t have backup, I’ve got a cloud provider.” Well, that’s again, not quite good enough. But-


      Lois Sonstegard:


      Goes back to the idea of the audit. Yeah, I’m sorry.


      Brian Gill:


      Yeah, auditing your backups and having a different layer of accountability in a whole different organization that’s responsible for that, whether that’s your internal IT group or whether that’s a different third party cloud provider that’s just doing cloud to cloud backup for you. But then those backups need to get again, audited. As far as… To go back to the original question, one of the questions, how do we hire an IT guy? Because you’re right. When I’m trying to hire certain engineers for certain projects that I’m working on, it’s super easy. I can sit down with a software engineer for 20 minutes or less and I can tell you without any shadow of a doubt after those 20 minutes is this person in the top 1%, top 10%, top 30%, bottom 50%, usually within five minutes I can tell you that. All I need is their time and a whiteboard and a pen and I will quickly ascertain where they are in the product stack.


      Brian Gill:


      But if I was going to try to interview a PhD psychologist, I’d be lost, I would have no idea how to tell a good one from a bad one, an amazing one from a charlatan. No idea. And when a lot of these small businesses are out there trying to hire MSPs they don’t even know the questions to ask. So, I recently worked with a wonderful organization called Manage 2 Win and a gentleman named David Russell, and we were having a similar conversation we’re like, “Well, how do you hire an IT guy?” And we decided to collaborate on a piece and we made a piece that if people Google for… They just Google for Gillware and MSP buyer’s guide, it should pop right up. And it’s a list of about 32 questions with a lot of not just the questions, but the answers that you want to hear. It’s totally free, it’s not gated. If you’re thinking about hiring an IT guy after I scared you here a little bit, it’s a great resource, download it and it’ll definitely bring you up to speed from where you were.


      Lois Sonstegard:


      We will put that information in the notes below this podcast. Thank you.


      Brian Gill:


      I’ll get you a link.


      Lois Sonstegard:


      Thank you. I think we’re just going to need to be smarter about so many things. I think for me, part of what the COVID event did, was it just made me pause and think about what is it that we haven’t been smart about? Basic things like hygiene. We have been under the plains for forever and now it’s suddenly become important. But that’s true for a lot of things and things that I’ve been responsible for. You go off with people and you do different events, there’s questions you don’t ask that maybe we should have been asking. And so I think it’s been one of the healthy outcomes perhaps of this if there is such a thing as a healthy outcome from a pandemic, but we’re asking questions and for me, this whole issue of our cybersecurity has only gotten heightened by what we have seen, because if it can happen there, where else is it going to happen? And it’s not for fear as much as just be smart.


      Brian Gill:


      Yeah, totally. For me anyways, this whole… It’s certainly given us a lot of time of introspection, where a lot of our patterns and a lot of our daily things that we were doing got interrupted. And it definitely gives us some time to… Again, it opened up some doors of opportunity for the bad guys when it comes to cyber, but certainly as business owners we’ve got a lot of new challenges we’re tackling right now. And it can be a good time to assess a lot of our different behaviors and ask a lot of these questions.


      Lois Sonstegard:


      Super. Brian, one of the things that I’m going to do is you made a list of things that people should think about and devices that people should use. We will take that from this podcast and make it also a downloadable things so people can have that in front of them if they’re-


      Brian Gill:


      Yeah, it’s a great idea.


      Lois Sonstegard:


      … thinking about what to do.


      Brian Gill:


      Yeah, it’s a wonderful idea.


      Lois Sonstegard:


      Our time is almost… Well, it is up. And it has been just wonderful to have this time with you. Before we leave though, Brian, last thoughts that you would like to leave with the audience that you haven’t talked about that is important.


      Brian Gill:


      Yeah. In general, a lot of people get paralyzed by the sheer magnitude of the amount of crap you’d have to do to stay safe. And a lot of times when I look at an organization’s security posture and I’m like, “Well, these are the 17 things you’re doing wrong.” It’s easy to just get a really defeated mindset and say, “Well, I’m never going to do all that, so forget it.” We just need to get better, we don’t need to get perfect.


      Lois Sonstegard:


      Exactly.


      Brian Gill:


      The cyber criminals that are out there, there’s a certain amount of effort that they’re going to put in to penetrate in your organization. And if you are like a Jeff Bezos, they’re going to put a lot of effort. Huge, incredible effort by incredibly smart criminals to do something like that. But we’re not, most of us are not in that situation. So, we need to make it a lot harder and if you get that firewall, if you turn on two factor everywhere, if you get those audited backups with multi-factor authentication to get at them, you’re going to be exponentially better than you are right now and you’re going to make it exponentially harder for the bad guys to get in and do major damage to your organization. So again, when we assess a company that we’re actually doing risk assessments for, we’re going to look at over 30 categories staff and have specific recommendations on each and every one of those. And even mature organizations that have spent millions of dollars on IT over the years, will usually fall down in a bunch of those areas and we’ll work with them to fix them.


      Brian Gill:


      But just because if we were to do it on your organization now and you’d go zero for 31, that doesn’t mean that we don’t need to do the top three and at least… Because it’s not as simple as, “Well, now I’m three out of 31.” Because those first three are magnitudes of importance compared to the other 28.


      Lois Sonstegard:


      Wow! Brian, thank you so much [crosstalk 00:42:04] your knowledge, your wisdom is absolutely wonderful especially for right now.


      Brian Gill:


      Well, [backachelos 00:42:09], thank you so much for having me. I appreciate the show and everything you’re doing and appreciate our chat before the show too.


      Lois Sonstegard:


      Thank you so much. And thank you all of you who are listening to Building My Legacy Podcast today, we look forward to talking with you very soon again.
