If you’re a new business owner, the thought of investing hundreds of dollars to protect your network from potential cyber threats might seem like an unnecessary expense. After all, aren’t hackers only interested in infiltrating multi billion dollar corporations? Unfortunately, it is this common misconception that often leaves small businesses vulnerable to the most devastating cyber attacks. So, what should you be doing to ensure the security of your business’s operating system? In this episode, Jon Aidukonis and Gene Marks along with special guest, Paul Warnagiris from the Teneo Group, discuss several strategies that can help you keep your network safe from the latest cyber threats.

Executive Summary

0:23—Today’s Topic: What Should a Small Business Owner Know about Cybersecurity and Safety?

1:35—Because the most prevalent cyber threat to our data right now is ransomware, it is important for business owners to have a thorough understanding of their operating systems, in terms of hardware, software, and vulnerabilities. Knowing who has access to their data and what their network looks like on a regular basis will make it easier to prevent as well as detect potential data breaches.

6:51—When it comes to cyber security, it’s not so much a question of whether you have any important data that a hacker would want, but whether you have any data that you would need once a hacker encrypts your entire system.

7:43—To minimize the number of systems you’ll need to monitor, you should consider segmenting your network either by using a different access point or by setting up another SSID exclusively for your business. Consulting with a professional IT person or firm is highly recommended.

10:39—If you need to utilize your network while traveling, downloading the ZoneAlarm protection app for your mobile device and laptop can help prevent you from logging onto any suspicious operating systems.

14:10—In order to protect your passwords, avoid using the same one more than once and invest in a high quality password safe. Don’t be surprised if private industries begin adopting the government password standard of 64 characters.

16:23—VPN’s (virtual private networks) alone are not enough to provide adequate protection for your system because you are already being tracked before you get on a VPN.

18:15—While multi-factor authentications can make it harder for someone to access your system, they are not foolproof. Hackers can still access the necessary cookies to penetrate your system.

20:03—You can also limit your network’s exposure by never clicking on an email link unless you have verified with the original sender first. Should you need to access the link for work, access it directly from the website itself instead.

23:21—Keep your systems up to date with all the manufacturer recommendations.

24:23—Unfortunately, offline backups can also be compromised by hackers.

25:26—Small business owners need to acknowledge that everyone is vulnerable to cyber threats. Only then will they be ready to accept the advice of an IT security professional or firm.

Links

Transcript

The views and opinions expressed on this podcast are for informational purposes only, and solely those of the podcast participants, contributors, and guests, and do not constitute an endorsement by or necessarily represent the views of The Hartford or its affiliates.

You’re listening to the Small Biz Ahead podcast, brought to you by The Hartford.

Our Sponsor

This podcast is brought to you by The Hartford. When the unexpected strikes, The Hartford strikes back for over 1 million small business customers with property, liability, and workers compensation insurance. Check out The Hartford’s small business insurance at TheHartford.com.

Jon: Good morning and welcome back to another episode of Small Biz Ahead, the small business podcast presented by the Hartford. This is Jon Aidunkonis and I am joined today by my co-host Gene Marks and Paul Warnagiris from the Teneo group and we are here to talk about cybersecurity and safety. How’s everybody doing today?

Paul: Great.

Gene: We’re doing good Jon, and glad to be here. I don’t know Jon. This is not a very interesting topic. Nobody’s talking about cyber safety or anything now, right? Not too relevant-

Jon: I know. We only talk about data breaches every day lately, right?

Gene: Yeah.

Paul: Exactly.

Gene: I want you guys to know that I’m talking to you both from a cave in Montana because I feel that seems to be the only place to be safe from any cyber breaches. So hopefully at the end of this conversation, I can emerge back into real life.

Jon: I’ve decided you can take my data as long as you can make my online shopping easier and take my student loan debt if you ever steal my identity. That’s what I’ve accepted.

Gene: Yeah. It’s funny that you say that. I feel the same way. I clearly have a very sensitive to data breaches and data issues, and we’re going to get into all of that but you and I are, we like marketing stuff and I’m okay with a lot of my data out there as long as it’s used for the right purposes. To feed me products that I would be interested in. Digging into my bank account, that was another issue altogether.

Jon: So Paul, help us understand. After you decided you want to use data to optimize your products and services for your customers, what are some of the things you can actually do to make sure that you’re keeping everything safe and secure or prevent people from coming in a hidden back door?

Paul: The first thing you have to realize is you’re a target. A lot of times I meet people and they say hey, I don’t really have anything that anybody wants to steal or it’s anonymized but the question is not really, do you have anything that anybody else would want? Do you have anything that you would want, because today, the most prevalent thing is really ransomware and so it’s not about, could I take this data and sell it? That may be part of it but it’s could I take this data and encrypt it so you can’t have it unless you pay me to get it back. So the first thing I would tell you, and we may come back to this time and time again, during this podcast, is there’s a couple of things that no matter if you’re a Fortune 500, Fortune 100, a hundred users or one user, there’s some basics, right?

Paul: And the basics has to be followed no matter who you are or what you’re doing. If you’re a big company, the scale will be different. That’s the only thing. And so number one, the first thing I would do is I need to understand what’s on my network. If I don’t understand what’s on my network, it’s going to be hard to secure it. If I don’t understand what’s on my network from a hardware perspective, I certainly don’t know what’s on my network from a software perspective. And what that means is that I don’t know if I’m vulnerable or not. So do I know what hardware I have? Do I know what software I have and do I know what vulnerabilities I have? If I know those three, then who has access to the system if they, if they were able to talk to it? Are the default passwords changed? Who can control it?

Paul: Likely when we’re talking about… And it’s funny because I use a toaster as the example, would you want your system to be on the same network as your toaster? The reason I say toaster is because I was at a security conference well about five years ago now and I heard somebody from DHS say if you knew what I know now, you wouldn’t plug your toaster in. And so, it could be your toaster or it could be your coffee machine and it could be your laptop. It could be a printer, a TV, your Xbox, your thermostat, a doorbell, refrigerator. It can even be a car today, right? So if you don’t know what’s on your network, there’s no way to secure it and so all of those different things I mentioned, what are the administrative passwords to it? Have they been changed?

Paul: Are they secured? And then of course, let’s say you have your printer for example and it has all these fancy features that you don’t ever use. Is it more secure to turn them off? So have you looked into the things that are on your network and have you shut off the stuff you’re not using, and are you using the stuff that you are using correctly? And then that leads, of course, to the final thing. Do you know what your network looks like on a normal day? And the reason I ask that is because would you know what your network looks like on an abnormal day? So in other words, if you are under attack, would you even know it? What does your network look like when it’s in good health versus bad health? So understanding that you’re a target because after the [solar winds] attack, you got to assume everybody is compromised.

Paul: You really have to take some perspective as to what’s around you, and you have to understand what normal looks like. It’s a backhanded way of answering your question because I didn’t give you any specific advice, but those are the basic, good hygiene qualities that you need on your network or in your environment, and especially working from home today. It’s the things that you have to know and so it’s rudimentary but what I would tell you, say for example you’re a small business owner and you’re working from home and your kids are online. Your wife is online, your husband’s online, whoever it is, there’s x-boxes, there’s phones, all of these things are connected. Are you on that same network with your business? And if you are, the best thing I can tell you is to segment it somehow.

Paul: Maybe you go on the guest network, maybe you’d create another SSID and that’s the only place that your business devices go because at the end of the day, if you don’t know what’s going on in your network, then you can’t protect yourself and it’s definitely difficult in this day and age where everybody decided one day, flip the switch and we’re all working from home. So how do you do that and how do you do it securely? And it’s interesting because I’ve helped people recover from some encrypted attacks, some hacks, and when it’s all over, it’s all said and done, I talked to the CIO, the CIO, the CEO, whoever, and I say, is there anything I could have told you before this happened that would have helped you better understand what your risk was?

Paul: 10 out of 10 times, I hear no. There’s nothing you could have told me. People will never understand what this feeling is like until they go through it and so if I could help one person today, listening to this podcast, to understand what it’s like that I’ll have done my job. So imagine for a second that you come down and your laptop is encrypted, your server is encrypted. So you say okay, we’ll add back-ups there in the cloud. Well, they’re encrypted too. Everything that you own is encrypted. What do you do? What’s your first step?

Paul: So I have an offline backup system but the hackers have been in my system for months. Before they encrypted everything, they deleted all of my backup. What do you do, right? And so that’s the feeling that if you’ve never been in that situation, I just want you to understand it’s real and that’s why we’re talking about what we’re talking about today because if you say, like I said in the beginning, I don’t have anything that anybody wants to steal. I would ask you again, do you have anything that you want? Does that make sense?

Jon: It does, yeah. No, I think that’s an interesting point of view. I think that makes a ton of sense. What I’m curious as is you made a couple of good comments about knowing what your network looks like on a normal day, you see and you can recognize any abnormality, getting a sense of features that might be superfluous that you have turned on. And also, the potential of setting up different dimensions of that network, different access points. If you’re using personal versus business activity at home, or how would you know?

Jon: So if I’m someone who just has a lot of connected devices and I’m in a connected home environment or have a phone and tablet, a PlayStation, the gamut, how do I know what’s on my network and how might I think about segmenting that? Is that something the everyday person can do? Is that something that you really need to get an expert in on? Does that require like different types of accounts?

Paul: So it’s definitely easier with an expert, I could tell you that much. If you’re really a small business and you don’t have any IT folks, what I would tell you is that you should segment because you’re probably not going to be able to see everything that’s on your network. So the best thing to do is minimize what you do have to watch out for and so in that scenario, maybe you get a different access point. That would be the easiest thing, right? Go down to Best Buy and buy another wireless device, and that’s only for your business, or if you’re a little bit tech-savvy, set up another SSID so you’re still using the same wireless device but you’re logically separated and make it a point to only put your business stuff on there.

And once that’s done, maybe it’s a printer and it’s a laptop. Maybe it’s four or five devices but look in the log. If you don’t look in the logs, you have no idea what’s going on. And so for you to look in the logs, if you’re working from home and you have your house on the network and your family’s on the network, it’s going to be a big mess because you’re not going to really understand what you’re seeing and what’s going on. So if you could limit that to the necessities of your business, and then try to peek into the logs to maybe you don’t even understand what that is but at least you understand what you’re seeing. So assume that what you’re seeing is good and then if it changes, assume that’s not good. And that’s probably the best advice I could give you if you don’t have your own IT person. If you do have your own IT person, I would absolutely talk to them about some of what we’re talking about today.

Jon: Awesome. No, that’s great. And I think, from my perspective, Gene, I’m curious to get your point of view too because you worked in this remote world and your business relies on helping other people manage their data, right? So I’m sure you have some questions here too.

Gene: Yeah. I’ve got a bunch of questions for you, Paul, about this. We don’t provide the services that you do, but I have a 10-person company and we sell some cloud applications as well. So Paul, I’m going to put you on the spot a little bit because you spent your life and security and there’s a lot of just security issues that come up among my clients and among small business owners and I just want to get your take, just some of your advice.

Gene: So let me throw out some things to you and give you a chance to respond. Okay. The first is let’s talk about traveling. Okay. A lot of business owners are getting back on the road right now and they’re starting to travel. So you’ve got clients that are up and about. They’re using their laptops, they’re connecting into their networks, they’re using different devices. What are your thoughts on being as secure as possible when traveling? That’s my first question.

Paul: Traveling is no different than working from home. It’s no different than working from Starbucks because, and be honest, when you’re traveling, you may be at Starbucks. So what I would say is that you need to have 10 people, 10-person company. You have to have some protections. If they’re centrally managed, that’s great but if they’re not, that’s fine as well. Some of the small business type of things that I would recommend is Zone Alarm. That’s what I use. Zone Alarm has protections for mobile devices. So if you’re on a hotspot or if you’re on a wireless network at Starbucks, you know that the network has integrity. It’s not somebody’s pineapple SSID, it’s actually Starbucks. If you download an app, it protects you for things like that. And then Zone Alarm does the same thing for your laptop as well.

Paul: It gives you that anti-ransomware, anti-phishing type of thing. It’s come to the point where if you get a text, some of them you can tell are really ridiculous but some of them you’re like, is this legit or is this not legit? How do I find out? Well, if I click on it, I find out. Well, if you click on it, you also could just compromise yourself right there, just with a single click. So you have to have some controls on your laptop. Windows is, it’s a firewall. They have some decent threat but threats are way advanced, more than Microsoft. Microsoft has to have security because they can’t sell their product without it but by no means, are they up to the challenge with the generation of threats that we’re facing today. So figure out some security phones and endpoint. Zone Alarm is a good one. There’s other ones out there. Zone Alarm is what I use.

Gene: Great. All right. That’s good advice. And while still on that topic, so when you travel, do you connect to the Starbucks wifi or the airport wifi? Do you tend to connect more to your own mobile hotspot?

Paul: Not in a million years. I just don’t do it and it’s just me. It’s much easier to connect to a wifi and it’s probably cheaper too. And it’s funny because I have worked with colleagues and they’re in the same industry I’m in. They come in and they’re like, what’s the password for the wireless? I don’t know and I don’t care because I’m not getting on it. I have protections that protect me against if something bad were to happen on there but absolutely, I would use my phone every chance I get.

Gene: All right. That’s very helpful. All right. Let’s talk about passwords. What are your thoughts for protecting your network with… What is some good password management practices?

Paul: 64 characters.

Gene: 64 characters? Holy mackerel. That’s like a book.

Paul: Yeah. That’s the new government recommended standard. They’re just rolling it out but what that means really is password safe. It doesn’t mean password, right? So if you’re not using a password safe today, you’re doing yourself a disservice because when Yahoo or a bridal registry that you signed up for using the same password as your work account, your work account is now compromised. And so you should never use the same password twice. And the reason they’re going to 64 characters is because it’s easy to remember.

So you could think of a phrase or a sentence and you can type that out with spaces and punctuation. And with technology today, you can’t really crack a 64-character password in any relevant time period. So, that’s what the government is going to. I expect private industry will follow shortly but once again, this simply means password safe and the password safes, they’re good because they’re mobile, they’re on your laptop. They’re also on your phone. They’re everywhere that you are. And I don’t ever type passwords in anymore. It’s just copy and paste.

Gene: Yeah. I use Keeper. Is it Keeper? I forget that…

Paul: There’s a bunch. There’s PassKeep. I’m a Mac user so I use one password and I wouldn’t look for a free one here, to be honest with you. It’s like I wouldn’t buy my parachute on eBay or I wouldn’t buy it from Walmart, right? I would buy it from someplace reputable. Not that those places aren’t but I don’t want to discount on my parachute and I don’t want to discount on my password safe. I want to know that these guys are doing the right things and they take security seriously and you need money to do that. The free ones. I wouldn’t put all my passwords in a free password safe.

Jon: What’s your take on the VPN. I remember those from years ago and now. We’ll move work remote in a pure business environment but folks allow you can buy access to VPNs online, keep your personal data more secure. Do you find that to be a good practice? When you think of these, I guess, I don’t know. Aftermarket’s the right term but consumer facing companies now that are selling that service or access to their service.

Paul: Yeah. It’s funny. I personally don’t use it but it’s interesting because you’ll get somebody who uses a VPN for anonymity and then they’re on Google, logged into Facebook and we’re tracking tech everywhere. So it’s going to make you anonymous but I think part of the bigger problem is you’re already being tracked before you get to the VPN. So if you’re really interested in that, it’s more than just VPN. It’s just basically good security hygiene, which means this is hard to do. When you go to login, it says login with your Facebook, login with your Google, right. Well, there’s a single password, just like I was saying. So if that password is compromised, number one, you have a problem because all of these sites were just compromised.

Paul: But number two, that’s also how you’re tracked. So if you’re really concerned about anonymity, you need to do more than just the VPN. You need to maybe use a different browser. Don’t stay logged in to sites, go incognito if you want to use Chrome, those types of things. I don’t find it all that beneficial but then again, I take the security hygiene to another level. I’m pretty anal about what I do on my laptop what I’m plugged into, what I’m logged into, etc.

Gene: I still have a few other things I want to run by you and get your advice on. One of them is multifactor authentication. What are your thoughts on multi-factor authentication when it comes to securing your network?

Paul: So it’s harder to breach when there’s multi-factor but the misnomer about multi-factor is that you need to have something and know something. So for example, if you are using SMS code as your two-factor, you log in with your username, you log in with your password. Somebody sends you the SMS message. You type it in and now you’re good to go. So now you would think, well, nobody else could log in like that but the funny part is, is that once you get that SMS code, basically what your computer does is put you into some session cookie or browser cookie and it’s encrypted.

Paul: But if you have that cookie, you basically could paste that in using Chrome developer tools. I don’t need to know your username. I don’t need to know your password and I don’t need to know your SMS texts. That only lasts for 60 seconds. All I need is the cookie. So once again, if you click on the wrong thing and that cookie gets hijacked, you don’t need to login. So what I would say about two-factor is does it make it harder? Yes. Does it make you bulletproof? No. If somebody wants what you have, absolutely, they will get it. Two-factor won’t help.

Gene: Yeah, none of this stuff that we’re talking about right now, nothing’s a 100%. I think all we’re trying to do is just make it more difficult for the hackers so that they-

Paul: And I recommend two-factor everywhere.

Gene: Yep. They just giving them the ability to pass us by and try to look for easier pickings. Paul, let’s talk about ransomware again. You brought it up earlier. Obviously it’s a lot in the news as we’re recording this, the whole colonial pipeline thing happened. They shut down energy supplies in the East Coast, and that was just one case out of many. The FBI recently said that ransomware, you took about $4 billion worth of payments, ransomware makers last year alone. I’ve had many clients who’ve been affected by it. I had one client that actually was not only affected by it, Paul, but was given an 800 number to call a toll-free number to call the ransomware’s customer service to help him pay the ransom. That’s how crazy this stuff has gotten. So can you tell our listeners, give us some advice. We can’t be completely protected from ransomware but what are some of the things we can do to limit our exposure?

Paul: Never click on a link ever.

Gene: What does that mean? I get links all the time emailed to me. I’m never clicking on… What if it’s a link that it says clearly it’s cnn.com or thehartford.com. Something that’s like a clear URL. Is that okay?

Paul: So if it’s on the internet, it’s got to be true, right? And it came from the internet. That’s a joke, obviously. And so some of the best hacks that I’ve seen are better impersonation of one drive, for example, than one drive sends out. They’re meticulous. You can’t tell the difference. I can’t tell the difference. I have to take 15 minutes to look at it and it came from a trusted source. It came from my boss. It’s got to be good, right? I’m going to click on it. Don’t click on it. So you could do two things. One is, if your boss sent you a link, you could call them and say hey, did you just send me a link? Okay. Now I verified the link out of band. I can now click on it.

Paul: Number two, if the Hartford send you a link, log into the Hartford and find out what they were sending you. Don’t click on the link because the bad guys know exactly what the Hartford sends. They mimic exactly what the Hartford does. So just think about, if they send it out to a million people and only 10% click on the link, that’s a fair amount of people that were just compromised. And so they spend a lot of time on trying to mimic what legitimate businesses do. I don’t ever click on links. And it’s funny because I’ll start a fight with a company because they sent me a link and I’ll just go off on them.

Paul: And it’s probably not the best thing to do but when I’m bored, it’s what I do for fun. So don’t click on links. Honestly, it makes it harder but you said, how do you protect yourself? That’s how. You don’t click on links. SMS, by the way, SMS or email, because SMS is the same thing. Now one single click, and they could do many different things to your phone if there’s no security protection. So literally just clicking is all you have to do. Not clicking close because you messed up. Don’t click.

Gene: Alright. Besides not clicking on links, which is extreme, I’m not saying it’s wrong. It’s like, wow, that’s really wild. What else? How about upgrading your operating systems? Do you find a lot of clients miss in doing that?

Paul: Yeah. So that goes back to the six steps I originally talked about hardware and software. The third one was vulnerability management. Other than having visibility, the best thing you could do is always stay up to date. There’s attacks out there that are called Zero-Day but for the most part, you have to be targeted for that. They’re not going to waste the Zero-Day on a 10-person shop, right? Unless you’re a 10 person shop that has all of the insurance company’s data, then you may be a target but keeping your systems up to date, no matter what it is, if it’s your toaster or if it’s your laptop. If there’s a firmware update, if there’s an iOS update, you should update immediately. That’ll be the number one best thing that you can do as a small business is stay up to date with manufacturer recommendations.

Gene: How about backing up, Paul, as a way to protect yourself from ransomware? I have some clients that say to me hey, I’ve got an online backup. If I ever get a ransomware attack, we’ll just get rid of everything and restore from our last backup. Does that make sense to you?

Paul: Sure, if your backup’s still there. I just had a customer who, we just met recently but they weren’t fully implemented with the protections yet and they basically, they got ransomwared and the first thing that happened is all the shadow copy backups and all the cloud backups were deleted. So if backup is your only silver bullet to recovery and you don’t do anything else, you might find yourself in a predicament.

Gene: Paul, your company, and please correct me if I’m mispronouncing it but it’s the Teneo group, correct?

Paul: Teneo group. Yes.

Gene: Right. Okay. And that is theteneogroup.com. T-H-E-T-E-N-E-O group.com. I have to ask. You guys have numerous offices around the country. You deal with businesses that are both small and large. When you walk into a prospective new client, a small business, what are you looking for first? What is the low hanging fruits that you say to this prospective client, you need to do X, Y, and Z immediately that you frequently say?

Paul: So I’m not trying to dodge your question and then if I do, just let me know but the first thing I want to do is understand if the organization I’m talking to knows they need security. If they don’t know that they need security, there’s so many companies out there that I need to go and visit instead. I’m not the business of convincing you that you need security. If you don’t know, then I’m wasting my time because it’s like insurance. Do I really need insurance? I only need it if I need it, right? And the same with security, but number one is what are the assets on your network? Do you know? That’s a simple thing to do. If you don’t know that, then you don’t know anything else, right? You don’t know what software is on there.

Paul: You don’t know what vulnerabilities you have. You don’t know if they’re hardened and you certainly don’t know what traffic is going through your system. So those are the low hanging fruit. What do you have on your network physically? What do you have on your network logically? Do you patch? Are things patched ? Could you show me that things are patched? Not just are they? Then are the basic default configuration still there? Or have they changed or have been hardened? And then just visibility? Do you know what’s going in on your network?

Paul: Should your printer be talking to China or should it be talking to Atlanta? You know what I mean? And so if it’s talking to Atlanta every day and then one day it talks to China, would you know that? And so those are the basics. That’s what I would say. I try to find out and then I would try to get the understanding of yes we know but we don’t have a policy and it’s not reported to the business owner or the subject matter owner. And so that’s the maturity level, right? So it’s one. Do you implement controls? And then how mature are they? That’s basically how I focus on meeting a new customer.

Gene: Yeah. It really is a matter of making an investment as well. And you’re 100% right. If people don’t realize at this point that they need ongoing security for their networks, it’s like you’re not just living in this century. And I have to say Paul, and I’ll wrap this up. It’s just a must for small business owners. You buy insurance, you hire a financial person. You have a payroll service. You really need to have a relationship with an IT firm, particularly one that specializes in security. So, Paul, thank you so much for joining us.

Gene: We’ve been talking with Paul Warangiris. Paul’s the CEO at the Teneo group security and IT firm with offices around the country. His website again is theteneogroup.com, T-H-E-T-E-N-E-O-G-R-O-U-P.com. All really interesting stuff. So thank you. On behalf of myself and my esteemed co-host Jon Aidunkonis, you have been listening to the Hartford Small Biz Ahead podcast. If you need advise, help any type of tips and a lot of content to help you run your small business, visit us at smallbizahead.com or sba.thehartford.com. My name is Gene Marks. Thanks for joining us. And we will see you again next time. Take care.

Download Our Free eBooks