Cyber-crime has been on the rise for the past 20 years.

Ransomware costs businesses billions of dollars a year.

SMBs are especially vulnerable to attacks.

How safe is your business?

Michael Markulec is a Chief Information Security Officer with decades of experience working with the federal government, Department of Defense, and large financial firms. He is also the co-founder of Harbor Technology Group, a comprehensive service provider of cyber-protections for SMBs.

Michael joins us to discuss the threats, the vulnerabilities, and the fixes you can put in place right now. He is a wealth of knowledge on the topic and shares with us:

  • How to avoid the costly mistakes most companies make with their cyber-security 
  • How to put together your own plan to stop ransomware attacks 
  • Why proper employee training is your best line of defense 
  • And more

Cyber-risk is a business problem FIRST and a technology problem second. Get proactive with your security plan and never again leave your business vulnerable to cyber-attacks.

 

Transcript

Voiceover: You’re listening to the Conversational Selling podcast with Nancy Calabrese.

Nancy Calabrese: Hi, it’s Nancy Calabrese. And this is Conversational Selling. The podcast where sales leaders and business experts share what’s going on in the world today. And it always starts with the human conversation. Joining us today is Michael Markulec, co-founder of Harbor Technology Group. Harbor provides companies with a comprehensive set of consultative services that allow SMBs to make informed, fact-based decisions and manage cyber risk.

They offer a range of services from cyber risk advisory to virtual CISO. Harbor Technology believes cybersecurity is a business problem first and a technology problem next. In addition, Michael is also a CEO peer advisory board chair at Vistage Worldwide. So folks, cybersecurity is such a hot topic nowadays. And yet, so many firms don’t have a current strategy to manage this. We’re all looking forward to hearing why this is so important, Michael. So welcome to the show. Let’s get going.

Michael Markulec: Great. Thanks for having me. 

Nancy: Always a pleasure. So I just want to jump in and like talk in generalities. And then we can get down to some specifics. But what are some of the common threats all businesses face today?

Michael: Well, cybercrime has been on the rise for the past 20 years, and it’s moved from, you know, defacing websites, and, you know, early hackers who did it for the fun of it, to now a business. Things like ransomware cost businesses worldwide billions of dollars a year, according to the FBI. So what we’ve seen is this trend that’s moved from what was just a nuisance to now a real business threat, especially small and medium sized businesses.

Nancy: Wow. So I mean, that is really scary. Scary, and, you know, knock on wood. It hasn’t happened to me, I’m sure. Many of you out there it hasn’t happened to. But you know, what, how do we go about protecting our data? You know, I know you published five tactics for doing this, maybe you can share it with us?

Michael: Sure. You know, from a business perspective, it always starts with understanding what your critical assets are, you know, for some of us, that is the data, our client data, you think about a law firm and the data that they have on their clients. You know, for other businesses, it might be manufacturing equipment, and protecting that manufacturing equipment. But again, it starts with, you know, identifying what the critical assets are. And then I really believe you need to take a couple of basic simple steps.

And this is true, whether you’re, you know, whether you’re looking at your home computer, your small business network computer, or even if you’re a large enterprise, and that starts with protecting the endpoints, which is really the, you know, the computers, the servers, that make up your network with things like antivirus, anti-malware. And for home users, small, small business users know there’s free software out there that comes with most of your PCs, that just needs to be turned on. Second.

Nancy: Can I ask you something? Why isn’t it automatically turned on? Why do you have to turn it on?

Michael: Because it’s, yeah, I mean, again, because a lot of software and I laugh, I chuckle because, you know, the IT, Information Technology, information security world has made this hard and it really doesn’t need to be hard. You know, endpoint protection is something that you definitely need. If you’re running, you know, Windows or the new version of Windows, Windows 10. It comes with something called Windows Defender, but yet it doesn’t come fully turned on when you get the machine. That’s required by your IT staff or your managed service provider, or in your home environment for you to do that yourself. And again, I chuckled, because having been in the industry for 25 years now, you know, we still haven’t gotten to the part where we make security easy, where we build it in. It’s something that we seem to layer on top, not build into the solution. 

Nancy: Wow. 

Michael: And then I was going to continue, the other two big things that I really recommend for folks are back up your data. I don’t care whether it’s, you know, my wife’s photographs of the dog, or my business data, or even as I advise, you know, larger clients, look at the data that’s important to you and back it up. Because when you get hit with ransomware, or you have some kind of cyber breach, your best defense, your best solution is to wipe the systems and start clean. And the only way you can do that is if you have a current backup of your data, right?

The data, the data is important to us, as I said, the critical assets. You know, back it up having someplace off site where you can recover very quickly. And then finally, I’d be remiss if I didn’t say this, the best thing you can do for cybersecurity, according to Harvard Business Review, that says the best return on an investment is training your employees. 90 plus percent of all cyber incidents, start with the employee doing something wrong. Clicking on an attachment they shouldn’t. Entering the correct entering their credentials into a fraudulent website. It’s an employee problem at its heart through the weakest chain in the link. And yet we don’t train them. Which to me is just mind boggling, you know, at a level.

Nancy: Wow. How, I want to go back to backup. How often should files be backed up?

Michael: Depends on how important they are to you. So you know, if you’re a small and medium sized business, and we’re talking about things like your accounting files, or your inventory, you know, that should happen a couple times a day. You know, my wife’s pictures of the dog should probably happen once a week, right? So you want to make sure that you’re doing it in a timely manner. And I tell you, you really need three copies of the data. You know, the copy of the data that you’re working on, right, the spreadsheet that you might be working on on a daily basis. 

You should have a local, you should have a local backup of that. So something that’s, you know, on site that you’re backing up, you know, daily at a minimum, and then you should have an off site backup. And, you know, God forbid, we have, you know, Superstorm Sandy again, or you have a, you know, a fire at your business or something like that. You want to still be able to bring that data back, even if it’s a week old. Right? It’s better than losing everything.

Nancy: Yeah. I can only imagine what that must be like, if you lost everything, and you spent so many years in building something. Alright, so tell us more about your company and why Harbor is unique. What makes your organization great?

Michael: So what makes us unique, my business partner and myself, you know, have decades of experience in cybersecurity, we worked with the US federal government, the Department of Defense, some of the largest agencies in the government. We work with large financial service firms. You know, for the early part of our career, what we’ve done is taken that knowledge, the methodologies, the consulting methodologies, the processes that large organizations use, and we’ve brought them down and right sized them for small and medium sized business.

I tell people all the time that, you know, Bank of America, and Hopewell Valley Community Bank, need to comply with the same federal regulations around cybersecurity. The difference is, Bank of America has almost unlimited resources to deal with the problem. Small and medium businesses don’t, right, they just don’t have the expertise. They can’t hire and train people quick enough to keep up with the changing landscape. So what we do is we help small and medium businesses fill that gap. We do that by providing a set of services that, at its heart, starts with that virtual chief information security officer.

Coming in helping them understand the regulations, helping them understand how to implement a security program, writing policies, establishing training programs, really building out a cybersecurity program. Very similar to you know, a part time CFO, or a part time COO that organizations would bring in, we’re doing the same thing on the cyber side. But doing it from a place of, you know, having dealt with large organizations, and therefore, understanding business and understanding that the trials and tribulations of running a small business.

Nancy: Right, you know, what do we do if we have an attack? What’s the first step to take?

Michael: Well, step one is to prepare, right, so we, you know, if we’re not, let’s assume that we maybe haven’t been as prepared as we should. You know, if you do have an attack, you should have, you know, some Incident Response Plan that talks about, you know, taking the device off of the network, doing some analysis to determine, you know, what has been compromised, what might be at risk, what data might be lost. If we’re talking about something like ransomware, you’ll know when you get hit with ransomware, because you’re going to get a note on your screen telling you, oh, that you owe the cybercriminal money.

And they’ll unlock your data if you send them a Bitcoin or two. And if anybody’s followed cryptocurrency, exciting subject, but you know, Bitcoin can an individual Bitcoin can be well over $1,000. Paying two bitcoins to have your laptop unlocked, you know, $2,000, just to have somebody unlock your laptop, and then ultimately, there’s no guarantee that they’re going to unlock it, or that they won’t target you again.

Nancy: Wow. And so we really have no control over that, except for protecting ourselves.

Michael: I think protection, again, backup, I recommend people all the time, don’t pay a ransom, just replace your files from backup. Yeah, train your employees not to click on things that cause ransomware. So you can take some very proactive steps. But again, most businesses don’t. Most businesses wait until something bad happens. Where they’re reactive, not proactive.

Nancy: Interesting, you know, and having worked with you and in your space before, there’s often a lack of understanding in the business community about something that I quoted you on that you believe that cybersecurity is a business problem first, and then a technology problem. Our experience here is that many see it as a technology problem and not a business problem, wouldn’t you agree in general, and why is that bad?

Michael: You know, so we look at IT or information security is some kind of black art, something that, you know, we have an IT guy to go handle. And for most managers, most executives, they have no idea what their IT guy does on a daily basis.

Nancy: Yeah.

Michael: But yet, when we think about things like operations, or finance, you know, we manage those and we manage them properly. Right? If you’re a CEO of a small and medium sized business, I guarantee you, you understand, and you’re monitoring things like accounts receivable, accounts payable, you have annual audits or reviews, so that you understand, you know, where your finances are. But we don’t bring that same kind of discipline to the IT space. And for the life of me, I don’t know why. Right? It’s not that you need to understand every technical bit and byte, you need to understand how to manage, right, and how to make sure that you’ve got a plan moving forward.

Right. So just like anything else, build a roadmap, follow a plan, make sure that you know what your, you know, information technology, information security team is doing. And this is not something you can pass off to an IT guy or a managed service provider. Right? Managed service providers only going to do what you tell them to do. They’re only going to do what you manage them to do. Same with your IT staff, you’ve got to make sure that they know what they’re doing. You got to provide them training, you got to provide them guidance. We wouldn’t let somebody go out and run a bulldozer without proper training. But yet, you know, we don’t train our employees on information technology. We don’t train our IT staff on how to remediate these kind of problems.

Nancy: Yeah, wow. Is this something you’d like me to spotlight?

Michael: You know, just the fact that, you know, small and medium businesses are kind of really at risk. And when I talk about the risk, you know, people are like, wow, someone’s going to deface my website, or, you know what, someone’s gonna lock up a computer and it’s going to cost me, you know, $500. Well, it becomes a lot more than that. Right? The risk today, if you’re a small law firm, and have to go tell all of your clients that you’ve lost their data, that can be catastrophic for your business. If you’re a chain of retail locations and you lost control of your inventory.

Some of that inventory is probably on consignment. Right. Now, you’ve got a tremendous problem with trying to go back and, you know, inventory your retail shops, to make sure that you know exactly where things are, costing you hundreds of thousands of dollars. We’ve seen it recently right here in New Jersey in Mercer County. You know, Mercer County fell victim to a scheme, right they know fraudulent wire transfer, they sent over $660,000 of taxpayer money. That’s now non-recoverable.

Nancy: Wow. 

Michael: So it’s not a game anymore. This is not something you can stick your head in the sand to ignore. And you know, sorry for getting up on a spoke a little bit on a soapbox. But, you know, I think too many businesses don’t understand the risk, and then wake up one day out of business.

Nancy: Well, I hear it. It doesn’t make sense, why more aren’t implementing a strategy. You know, tell us something that you believe is true that almost nobody agrees with you on?

Michael: Well, it’s, it’s funny, because when you I know, we did a little bit of prep for the show, you asked me that, you know, I don’t know if you recall my response. But I wrote down something that I believe that nobody else believes is, you know, the Eagles are gonna win a Super Bowl in next three years.

Nancy: Hey, but that is optimism isn’t it. 

Michael: That is optimism on my part. But again, I’ll come back to the employee training. And really, the fact that you know, you can greatly reduce your risk, your risk to cyber fraud, your risk to exposure, by training your employees. You know, they become the weakest link. They reuse passwords, they click on things they shouldn’t click on, they open attachments they shouldn’t. And at the heart of it, if you can improve your employees’ cyber awareness, cyber hygiene is another term that’s been used, you know, you’ve taken a big step forward, in terms of preventing risk to your business. And for most organizations, that’s not that hard. Right? It’s not expensive. It’s not difficult. You just need to do it.

Nancy: I want to tap on that, though. What kind of a program do you recommend? I mean, how long and you know how long it’s not, you know, it works.

Michael: Yep, a couple things you can do on both sides. The program we typically implement for our clients has three components. It has a simulated phishing, which is sending out phishing tests to see who clicks on bad things. Who enters their credentials into a fake website. Right. So that’s really the testing component. And it allows us to track over time, how well the organization is doing. Second, I believe training needs to be interactive, it needs to be short, and it needs to be monthly, at least. Right? The days, the days of once a year, going in for a PowerPoint session, with doughnuts just doesn’t work. That’s not training, right?

Training is repeated, often. It’s frequent. It’s interactive. And we use a set of short videos on a monthly basis for most of our clients to cover the training aspect. And then I sit with the leadership team, the management inside our client organizations, at least once, preferably twice a year, to talk about cybersecurity, to talk about the threats to the business. To make sure that your accounting team and your remote sales team and your operations team all understand what cyber security is, how important is it to the business. So that executive component, that executive education is just as important, as you know, training the day to day employees.

Nancy: But you know, it makes total sense. And I’m looking at the clock, I cannot believe we’re almost out of time. This is a conversation that we could have gone on for quite some time. But before you go, how can my audience find you because I think you’ve given us some really good things to think about and be proactive moving forward. So how can they reach you?

Michael: So a couple ways the audience can reach me, obviously, it’s a Harbor Technology. It’s Harbortg, Tango golf.com. They can find me on LinkedIn. And we’re publishing almost on a weekly basis information to LinkedIn. We’re blogging on a weekly basis to make sure that we’re getting out the best information around cybersecurity issues. You can certainly get me on Twitter, you can get me on LinkedIn, or you can go to our website and connect to me there.

Nancy: Awesome. You gotta help us here. How do you spell your name, last name.

Michael: Last name. It’s Michael Markulec m a r k u l e c. Harbor Technology Group, the web, the URL is harbortg Tango golf.com.

Nancy: Awesome. So once again, thank you all for listening in and a big special thank you Michael for joining the program. You know, everyone remember to reach out to Michael, when you’re looking to get things right. I think what he said makes so much sense. It would be remiss if we didn’t take next steps. Make it a great day everyone and Michael, are you going to come back on the show and keep us updated on what we should do and when and how?

Michael: I will keep you updated. And we didn’t. We didn’t even get into the sales world today. We just got into the cyber security world but right now we’re doing some innovative stuff to get more information, more content out to the small and medium business community. And yeah, I’d love to have that conversation over coffee sometime.

Nancy: Hey over coffee or another podcast and finally, I’m all about sales. You know what I’m saying? Make it a great day everyone. Thanks again for listening in.

Voiceover: The Conversational Selling Podcast is sponsored by One of a Kind Sales. If you’re frustrated that you don’t have enough leads or your sales team complains that they just don’t have enough time to prospect, we can help. To work with Nancy and her team one on one to help you manage your sales team, install her proven outbound sales process and create more bottom line results, email her now at Nancy@oneofakindsales.com. To learn more about Nancy and her outbound sales secrets, grab your free copy of her book, The Inside Sales Solution at oneofakindsales.com/book.