 Next week. Welcome back to Protected Trust. My name is Steve Goodman. Joining me again is Ingram Leedy, CEO of Protected Trust. And welcome to our final pillar episode. We've gone over five previous pillars. Ingram, if you would like to. And I should probably mute your computer. Mute my computer. There we go. If you want to go through the talk here. Yeah, so for everyone who may have not seen the previous live streams, let's go over the previous five pillars. So just again, our pillars are the ideas of most businesses. And this is our story is these are the things that we ran across in our business and every client we've talked to seems to fall along the same areas. But we talked about fixing our wireless first. This was a big area of just trying to get connected. The next thing we did is we went upgraded our computers and set them up on an automated deployment so that they were just you've got them out of the box and the computers just worked. A big area I almost put in together is just working together. It's just how do we create files, share them, make sure they stay secure. Also has a component of the communications like the Skype for Business and telephony and things like that. Then there were the business line applications. And we talked about this is the Azure where it might be a business line application that we're putting in the cloud. Or it might be just that you have the need to buy servers and custom developed software that you made that to put it in the cloud. So you can buy all these servers by just by clicking a button. And then today is staying secure. And the security of being, I think people are worried about being in the cloud. So staying secure is kind of where I think our specialty is, is we deal with regulatory compliant companies. There's always some sort of compliance need or just people want to feel the safety of staying secure in the cloud. It's understanding how to use these tools. The training, which is your big part of. 
Telling our clients what it is that you can do with all this technology. But the main thing is really security. I mean, going to the cloud is a scary thing. And you just want to make sure you don't make a mistake and do the right thing when you go. Right, I think that stems from, because people who've been in their business for a very long time, at least past 15, 20 years, they don't want to release the control of what's in their closet. It's like we built this, we're confident in what we built and we're very gun shy about moving it anywhere. And so we have to kind of say, it's okay to move it because there's certain mechanisms in place to make sure that not only there's fail safes in place, but that your data is protected as well. It's a scary thing. I mean, the idea of change is scary. And then putting it into this thing called the cloud, which is really just another closet, but just run by people that have specialties. And you were just, you were telling me a story right before we started, it was about honing your craft. I don't know if you want to kind of see if you can. Oh, you want me to do that? Try to digest that a second. Okay. Let's see if I can do this well. So there is a Netflix movie called Jiro Dreams of Sushi about a three Michelin star rated sushi chef who, I think at the time, he was the only sushi rated Michelin award winner chef. And his restaurant isn't anything fancy. In fact, it's in a subway station. And without a doubt, anyone who's ever been there says it is by far the best cuisine they've had. And there's nothing special about it. It's fish, it's rice and soy sauce. But people say that this is the best sushi that they've ever had. And the point is they say in the documentary, one of the chefs says, you know, our secrets, we don't have any secrets. We use the same techniques that everyone else uses. We just do it a lot better than they do. It's like every day we focus on honing our skill, how we can make this better and better. 
And so I think that has a lot to do. It relates to our company in the same way where people can go out and they can do this themselves. Office 365 is out there for you to go on their website and for you to sign up. But you need an expert there to kind of guide you there. And I think that's kind of, you have a story you like to tell about, you used to work at Andy Thornells. Yeah, like a clothing store. A clothing, oh, look at that, a clothing store. Yeah, right out of high school. Right, so people, novices would come to you. Say like they want to go on a journey. Well, their whole thing was it's gateway to adventure. It was like they could outfit you to anywhere in the world that you want to travel to. So it was kind of this neat mystique that, well, I could go to the store and if I was going to a tuxedo event or a business meeting, going to a climb a mountain, a Boy Scout thing or just any adventure you could think of, go snow skiing, they could outfit you to go anywhere to go. And they had experts there that could have done it and show you the right kind of gear and equipment you needed. And so I've used that in our story a bar of that idea is that we're just guides as all we are is we're guiding you to the top of the mountain and we're gonna teach you how to fish so that you can climb the mountain too and we've been there before so we can guide you and get you up that mountain. Right, I think it was in our upgrade computers pillar where you discussed, you can go down to Staples and you can go get yourself a $300 computer and you could get it with the spyware protection and all that stuff and you could set it all up yourself. It's like, but at the end of the day, is that really what's gonna protect your organization? Is you doing it by yourself with no expertise? Yeah. With no one to guide you really. You can certainly do it and it's just like climbing the mountain. 
You could go climb Mount Everest today but most likely you would die probably go into Mount Everest. Right. And it might be a good idea to start at a hill and then climb your way up but if you choose these options which they do work that they necessarily aren't the best way of doing things and you always, I guess a lot of our people that we start to work with, everyone thinks they're an expert in the beginning or they understand enough of it and we have people that have been in the computer industry a long time they all think they can do things and including myself, I feel like I can do a lot of these things but as you find out as this industry is so fragmented that when you get into a specialty there are just really good people that know these things really well including in our business there are people that work with us or work for us that know this stuff better than I do. So those are the kind of people we want working for us so that they specialize in these areas and so that we can extend that arm out to the client to help them up the mountain. And some people may say like, oh, well we have an IT guy, but this is new frontier for the IT guy. What they do, they do very well but Office 365 is relatively new and it's taken our entire organization to get it how we want it. To set up the path so that when someone comes to us we're like, we know the direct path, we've seen it all. Yeah, and the first time I can remember the first time I saw 365 is that there was a little waffle icon you clicked and then this huge menu of all these things came down it was really overwhelming and it took us to dissect and go through each of these components one by one understand and really be good at it or for us to explain to somebody else. And also a big thing in our company is dog fooding. The idea that we're gonna eat our own dog food, we're gonna live the same experience our clients do. We're not trying to do something that we haven't done first. 
So everything we have vetted, we have tested, we have hammered on, we understand it, we know all the ins and outs. We have the ability to see things that happen at a scale level because so many of our clients are using the same technologies. We see problems before they see problems. So we've leveraged all this experience over the last 15 years into what we call trust care which is us, it's training, it's supporting the clients and also to me, one of the biggest pieces is just having like a security posture is understanding and staying secure in this environment is to make sure that everything that they are doing is at a level where they feel most comfortable being in the cloud with the proper security controls around them. And so when we deal with regulatory compliance, organizations in any kind of industry like healthcare or banking or finance, government, they all have these regulatory compliances that we can adapt the services and these controls to to put a checkbox, a green checkbox and all those different things. That's right. So I think that brings us to secure score. Our way of keeping track of if an organization is doing everything that they should be. And I think you have an example on your screen here. Yeah, you have a screen here. This is just an example of something we do is I call it a security posture is that we wanna know where you sit in the security space of your organization. So in this particular example, this tenant has 206, a score of 206 out of 364. And if you look at those, this bar in the middle here, I think I can draw the screen here, is this tells you your security posture, whether or not you wanna be more to the left or more to the right. And so as you move to the right, it means you wanna be more secure. And security is necessarily not something, like wearing seatbelts in your car is not something I want to do, right? I mean, I guess now it's such a habit to just do it, right? But it's cumbersome. 
You gotta put the seatbelt on, putting airbags in your car or things that add costs to the car. But they're necessary to stay secure. And in such an accounting environment, you wanna be more to the right. But it also creates a little more complexity or more kind of, I don't know, more things you have to go through. An extra thing. I think a good example of that is when we rolled out MFA internally. What's MFA? Oh, sorry, multi-factor authentication for those of you not in there. Or it's also called 2FA in some places as well. Which is, it's a security check. So with some of, is it under advanced threat protection? We're, so that's a lot. It's a part of identity management. But the idea is to verify who you are and make sure that you are who you say you are. Right, and so the way it works is it makes you sign in and it makes you have a second layer of authentication. So most people would use their cell phone number, right? So I have it, so it's set up that I have an app and the app will notify me and I can either click approve or deny. And so if it sees that I am trying to log in from Bangladesh and it's like, you've never logged in from Bangladesh before, it will ask the person who's trying to sign in for that second layer of security. So that person knows my password, obviously. Somehow they brute force attack you. Somehow they got to this point. They read your post-it note on those computer screen probably. Don't look at that. But because I have second layer or multi-factor authentication, if I don't click that approve button, that person's not getting it. That's right. And it notifies and lets us know that there's been atypical situations happen to, or an event that's happened to your account that we can then do. That's right, yeah. It has AI technology to monitor all that for you. One neat thing about that is it can determine whether or not you can even travel those two distances in that time. 
So it may be that you actually drove your car across town and logged in somewhere else like a coffee shop, but it can calculate whether or not that's a atypical location you could actually log into within a time. It's impossible travel is what it would tell you in some of those things. Or if you're logging in twice in the same, logging in at two different places at the same time, it can detect that. So there's all really kind of cool things like that. So basically it takes like a room, if you've seen in like movies from like the early 2000 rooms of people like going over data and blah blah. It just does it all for you, it gets rid of that room. An interesting thing just to bring that up, I mean, we dove right down into the solution, which is multi-factor authentication, but the idea is that what is it that we're trying to protect from? And I think a lot of people talk about compliance or security controls and they just say, these are the things you need, not really understanding the why. And the why is actually what is that risk? Or what is the, what's the risk and what's the impact of this threat? And so one of the threats that are out there is brute force attack. There's systems out there, automated programs that are just testing your account, it gets your email address, starts banging away at your password and eventually it's gonna find your password. And especially these computers are so fast, they're trying every combination and they're obviously trying the real common things and they'll eventually break your password. And so the way to prevent that is to have a control in place that would then do this multi-factor and then determine that there is some sort of weird activity going on. So with this platform, it can detect, well, someone's brute forcing you too, so it'll put that into its analysis of like something's going on with your account. 
But every threat there exists, there's like brute force attacks, there's phishing is a really big one, which we have a big program around that. All these things, it's like the likelihood of these things happening and then what's the impact if it's compromised. And so there's some really, I have myself, I have the top 10 threats and how to prevent those things from happening. So using these tools like this and having a security posture back to the screen is once you determine, let me pop off this thing here, safe changes now. So anyway, when you choose your, that's repression. Okay, so you choose your, if you wanna be more of an aggressive security posture, a more balanced, or if you wanna be more basic, you can determine, and we can help clients determine which one you wanna do and I don't recommend starting way here on the right either. Right, that's a big change. But what it starts to tell you is all these different things that you should enable to enable MFA, which is what you just talked about and the reason MFA is on the top of the list is because it's probably the one, it's preventing the one most relevant threat that exists, which is brute force attacks. Right. And people stealing passwords. So, but you can see there's a long list of other things that could be enabled and these are tools like this will help us determine your security posture and where you wanna be and also in correlation with other industries that you're in. So, if you're in like say manufacturing and you have a lot of like maybe patents or intellectual property that you keep secure, there are probably different controls that you would put in place than if you were a just a retail operation or a bank. So, everyone has got their own thing. Law enforcement, government, the list goes on. 
Everyone has their own tailor thing and from our experience as we work with all these different types of clients is that we can tailor their 365 control set or settings to tailor that client or that industry so that they can be most protected from the different types of threats. Right. And especially if you're moving all your data to the cloud like you were talking about in the beginning, the fear. It's like, it's all, they think it's out of their control but there are mechanisms for you to still have tight control over it with. Absolutely. Tight control using whether you're using secure score or using the features from anti threat protection. Like if I could circle back just a little bit, you talked about our phishing training, right? So advanced threat protection has a, we call it ATP so I always have to remember the long term. We all have these acronyms. Right, exactly. It has two things in it called safe links and safe attachments. And so the point behind that is if you have a user who just clicks on anything they get, safe links will temporarily put it in a sandbox, open it up, check it and confirm that it's okay. And if it's not okay, then you don't get to see it. Let me take you through that example. So like what will happen normally is a phishing attack, someone will target you. They could either be an automated target or a very specific targeting. So there are different types of phishing attacks. I would say that if I was trying to target you, I know information about you, I could really get you. I know I could get you. Yeah, yeah. And we've done it too. We've tested our own clients and tested ourselves. But let's just say that you, I send you a link to click on something. That first time you click the link or right when I send it through any kind of system that scans it, it may be safe. There's nothing malicious about it at all. But in 30 days or two weeks from now, that link that was in there, the page that it goes to has changed its content. 
And so the idea of the safe links technology, it will scan the link as you click it. So it goes into its database, it scans it, looks for the website, sees if there's any malicious about it, then it presents it to you. As well as the attachments, it does the same thing. The problem with antivirus and malware today is once there is some sort of payload, like an attachment that has some sort of thing that compromises your computer, what happens is a lot of people have to get this. And then the antivirus providers out there finally get a hold of it too. It has sort of wide adoption of this virus. And then they recognize it and they write an identity for it so that they can detect it. So then they have to publish that identity to all the different systems that they have. So all that takes time. I mean, first of all, just to have a computer engineer look at it, understand it, and then how to detect it is like, could be months or even years sometimes. And some things that exist that aren't even known about that haven't been detected yet. So what another technology that exists is a thing called zero-day attacks, is there are events that are happening so fast. In fact, you can go on a website now and create these zero-day attack payloads. And I mean, there are sites out there that show you how to do all these things. Yeah, if I could interrupt just for a second, I saw a webinar where they talked about how it's almost like a legitimate business, being a cyber criminal. There are companies out there making money, creating payloads to attack companies. And they have their own support departments for you to pay them. And they try to make the experience of them robbing you as pleasant as possible. What's scary about ransomware or these malicious payloads and these businesses is that what has happened is they've taken this from being like a kid in his basement playing or his bedroom playing with stuff to a legitimate, well, not legitimate to a business. 
There's a monetary value associated to it now. Exactly. So now it's become big business. And it's organized crime. It could be a lot of different types of people that are doing this stuff. But it's like ransomware as a business now. I mean, you can make money putting ransomware or payloads out. Yeah, they sell you the software. Or they may give you the software for free and just say give us a cut of whatever you bring in. That's right. It's just that easy. Especially if you know someone better, you can do more tailored phishing attacks to get them to respond to something. I saw something the other day that just was a very, I mean, I'm always impressed by people that can get past my guard and not saying to test me or anything. But I saw an email that was a PDF attachment from, it looked like it was from somebody they knew. And it said in the attachment, it said click here to unencrypted message. So you're like, oh, yeah, they sent me an encrypted message. I need to click it. So you click it, it goes to a website. The website shows you, it says, oh, can you log into your 365 to get the message? And you're like, oh yeah, okay, I'll log into there. So you type in your username and password. Well, then the thing went in. Now it captures your username and password and it logs into your 365 account and then it manipulates your account and does bad things. It like either downloads all your email or deletes things or it like puts all these rules in. And it was a very sophisticated, very simple attack. So even the advanced threat protection stuff wouldn't necessarily catch that because there was no payload that was suspicious. It was in a PDF and it doesn't really scan inside the attachments. So the only way to prevent that is to have some sort of multi-factor policy in place that says when you see the suspicious activity happen, in other words, this website was logging in and you were logged in at 365 at the same time. There's no way that can happen. 
It would then, it would challenge the credentials of the user logging in, which would have been the malicious website. Right, so which is why it's sometimes called two factor authentication because you're supplying that other, besides just the password, you're supplying that other thing to prove that that's you. And it may ask you, another policy might be that it says, just go ahead and just change your password. Change your password, we're gonna multi-factor it. So this system, this, these set of controls will make it where the management of all these users becomes somewhat automated. So now you can protect your user base but with using these type of controls. I know that before. Towards my head, there's so many things that are really cool and I love talking about it. But it is, it's almost like, we get the client on board. We have to, we sort of take these baby steps and getting them online. You know, just the idea that you can share a file and like maybe co-author on a file, it's really cool. But then all this stuff, and it's backed up now, it's got revision control, it's all this really cool stuff. But now the security, the cloud part where you're scared of, they're real things, but people put that security thing way on the back burner. They're like, no, that's like wearing a seatbelt, I don't really need it. You know, I'll need it if I was in a car accident, maybe, but I'm not getting in a car accident. Well, the car accidents happen online and so it's really important as part of your process is to really pay attention to your security posture. Yeah, and you know, you brought it up before with Secure Score, the more, the higher that your point is, or then... Your score? Yeah, yeah, how about calling out what it is? You know, the higher that your score is, you know, the more kinda hoops you have to jump through. Yes. 
But what I think is that they're making those hoops a whole lot easier because it used to be to protect against, you know, someone having your password compromised. You had to have a password policy where your passwords were reset, you know, every so often, so I think the standard may have been 90 days for some people or more or less for others. It's considered that sort of an obsolete control nowadays. Exactly, because what happens when you're changing your password constantly? You add another character on the end or something to it. Right, so either you're adding just the at symbol at the end of it, or you're writing it down because you have to reset your password for all these other websites. For mutation of your other password, right. Right, exactly. So you're not making yourself more secure, you're just making it so I can't log in because I forgot what my password was this time, or I have to write it down somewhere so someone can see it. I don't know how many times I've been on site and I've looked under the keyboard and I've seen the passwords that people use. One of my favorite things right now is on my computer I'm using a Surface, which is as the Windows Hello, which is really, I think, only available on the Surface right now and the reason why is because the Surface has a 3D camera in it. But just like, and you've seen the new iPhone X, I feel like I'm advertising for the iPhone sometimes. But it has a 3D camera in it as well. So when it looks at your face, it does like a texture map of your face and uses that as your login credential. So to me that's really cool because that doesn't use a password. So I love walking up to my computer looking at it and it just logs me in. And so all that is the same protection as using a password, but better because I don't have to remember my face, it's just my face. Right. So there's a lot of these technologies that are happening, you know, what I like to see is hopefully eventually we get rid of passwords. Right. 
And these things like two-factor or hello, recognition are gonna be just the way you use your computer. Have you had a piece of paper to the camera and see it with your face on it and see if that works? Yeah, it doesn't work. It doesn't work? Okay. Yeah, if I wear a hat sometimes with some sunglasses, it will not log me in. I'll have to take all that off and have to look at the computer. I'd say that's the problem with it right now. It's really good stuff. Yeah. So they have a whole bunch of mechanisms in place to make sure that the cloud is not only a non-scary place, but it's still an environment that you have total control over your data. Yeah, you know, the thing of going back to being a hone in on your skills is, you know, yeah, you can host a server in your back office or you can run your own email server or you can run your own file server or you can build your own network, but there are people that do this like us that are just experts at this stuff and we've been doing it for so many years and we've seen all the things that can go wrong and all the things that can go right and the things that clients like to use and don't use and we're human beings too and we use it ourselves is we're not trying to make things harder on ourselves. We're trying to make it simpler and easier. So it's a balance of trying to find out being secure and what's not to reduce any kind of productivity. And another analogy I'll use is like a house. I mean, a house is a great security thing you're trying to protect. The contents of your house are things you want to keep safe. So what do you do to protect your house? Well, you lock your door and you have windows and they close and lock, but what else could you be doing while you could put a security alarm in? You could dig a moat around your house, I suppose, but does that seem reasonable and cost effective? Right. You know, so some people, maybe you do need to build a moat around your house. 
Maybe there's something you do need to protect that much or put a guard dog in. So the ability to identify a threat, detect it and respond to it are really big key components in a security program. And we're just talking about the technical features. Like you said before, we also have training so that you shouldn't be at the point where you're just solely relying on the technology in order to save your data. Right. At some point. We've got to understand how to use it. I mean, it's... Your users have to smarten up and recognize what's a legitimate email and what's not. Right. Like our phishing training is we have a program where we teach people what a phishing email looks like. We test the users, we kind of get a baseline to see how susceptible they are to phishing attacks. We do some targeting attacks. We get some baselines and then we go back and remediate and we try to show them how to fix it. We don't really... We're not trying to make someone stand out, but we go in and just try to get a baseline of how high the level is that they're understanding of phishing. Yeah. What's your cybersecurity awareness threat or score? Right. That's what we do. We score it out and then at the end of the day we try to make the number of people who fall for the phishing examples, we try to make that zero is our goal. So we've got sort of like that back to sort of my gateway to adventure is that we have the fly phishing... Should we get you a safari hat? We should. We have the fly phishing school every Saturday where we teach you how to do these things and you can do them yourself. And two is like, okay, so you've been to our training and you learned all these things, but you also, if you get stuck, give us a call because we have people here that can deal with any kind of problems you have or issues you have just on the fly. So we have kind of a longer term training, kind of a support incident if you have some sort of real problem like right now. 
But the biggest thing you have is just the guide of getting there is like a roadmap of where to go, how to get on this stuff, how to use it, what makes sense? I mean, there's some stuff in 365, we've been evangelizing 365, we have other stuff that we do too, but there are things in 365 that I think are not useful. There's some tools in there that I don't necessarily believe in yet or maybe they're still trying to test them all out, but we have that experience and we have the experience of our clients as well. They're giving us feedback and we're listening. So we use that information to kind of just make a better community for all of us. We've been to the top of the mountain and not only that. Yeah, we're still going, it's, we're still ahead. I like to say we're gonna get to the top mountain. The top of the mountain is maybe not achievable, but we will always strive to be there. It's like it's going to the moon. We're gonna always be striving to go somewhere. The mission to Mars. And maybe we should end on this note going back to the Jiro Dreams of Sushi. He says, I haven't mastered this craft yet. That's what I feel. I definitely have not mastered this craft. He's like every day. And that's why they call it Jiro Dreams of Sushi because at night he dreams of better ways to make sushi. It's gotta be a link in the bottom of the video here for this now. I don't know. They should give us some money for that, but I think that's a good note to stop on. And so this brings us to the last of our pillars, but I would sure love to have you on again or maybe discuss some. Our story here is to keep talking about these pillars. This is our six messaging pillars. It's, you know, to take us, we're gonna take it through each one of them. We'll keep talking about them. You'll probably come back on and re-talk about them again. We're gonna take a deeper dive into each one of them a little more. 
We may get real technical on some of them, but we'll just go back and forth and up and down. And, you know, I think it'll resonate with people that are interested in listening to the story. Right. So not only do we talk about it, but we also have the tech bench set. Yes. Where if maybe some of you have seen it where we've gone over this Skype for Business. We didn't really go into like a showing it, but we did a Teams one where we actually showed how to create a team. Is it like in the 201 level class, right? So you're at college and you're taking 200 level classes. That's a good point. So not only do we do these live streams, but we also create these videos that actually teach you how to use the software. And they're short, because the worst thing, yeah, the worst thing that you could ever see is a video that's like 15 minutes long and you just want the answer now. So we try to focus on exactly what people are looking for and we just show them what it is. So we may have like a level one, level two or level three, 300 level types of classes. Right. So what's talking about the overview, that's a level one. Just grab the concepts of it. So the takeaway of this is, we have mechanisms in place to make your organization secure in the cloud, right? And then a level two class may be focusing, well, here's how you use MFA. Like I got this notification on my phone and so. And then a level three class, we have Javier, I don't know what that would be. That's drilling down the weeds for sure. Yeah, for sure. So that'd be really. Maybe a little longer video too. Yeah, yeah, I would assume so. But Ingram, thank you so much for showing us these pillars and everyone, thank you so much for joining us again. And as a reminder, if you like our videos, please click the like button and click the subscribe button if you would like to be reminded when we do these videos. It'll send you a notification once we're live or once a new video has been produced. 
And thank you to our clients who allow us to make these videos and live streams. Thank you so much. Thank you.