309: Data Security and IT as a Small Business with Ron Cervantes
Time to Pet. Go to timetopet.com/confessional for 50% off your first 3 months.
Pet Perennials. Go to https://petperennials.com/pages/gps. Enter ‘PSC’ at registration to get $2.00 off of any packages sent in your 1st 90 Days.
Summary:
Are you securing your client data correctly? What security holes do you have in your business? Running a business in the 21st Century means we must consider data security in everything we do. Ron Cervantes, owner of C Solutions, shares how every business can be more secure. From password managers to avoiding phishing scams, we have to stay alert and make sure we’re using good tools and services to run our business. Ron discusses how to properly use your personal phone for running your business and also how to keep your and your client’s data secure in a more connected world than ever.
Topics on this episode:
Phishing scams
Common security holes
Securing client data
Getting help with IT
Main take away: You have obligations to protect your client’s data and privacy, so start implementing some data security fundamentals to protect them and yourself.
About our guest:
Ron Cervantes is originally from Kenosha, Wisconsin and is a huge Green Bay Packer fan. He has a Bachelor's degree in Business with a concentration in Management Information Systems. He also has a Master's degree in MIS. Around 2000, Ron moved to Orlando, FL and became the sole IT support for a local trailer leasing company, supporting the corporate office of 20+ employees and 13 remote branches across the country and managing IT support for over 80 users. He also served as an IT instructor for an online college for almost ten years. Around 2010, Ron’s position at the trailer leasing company wound down. He saw how he had supported that business by himself and thought, “why not do this for other small businesses?” C Solutions was started to support small businesses in the area with their technology needs, focusing on growing those businesses using technology as an asset while implementing secure solutions that give business owners peace of mind.
Links:
Email Ron: ron@csolutionsit.com
Check out his website: https://csolutionsit.com
Have I Been Pwned: https://haveibeenpwned.com
1Password: https://1password.com
LastPass: https://www.lastpass.com
Bitwarden: https://bitwarden.com
Keeper: https://www.keepersecurity.com
Pwpush: http://pwpush.com
Authy: https://authy.com
Google Authenticator: https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid
Yubico Key: https://amzn.to/3ubxZKY
Story of LifeLock CEO: https://www.computerworld.com/article/2469192/lifelock-ceo-loses-grip-on-his-identity.html
Credit lock vs credit freeze: https://www.experian.com/blogs/ask-experian/whats-the-difference-between-credit-freeze-and-a-credit-lock/
Kanye West's iPhone passcode: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting
Darknet Diaries: https://darknetdiaries.com
Give us a call! (636) 364-8260
Email us at: feedback@petsitterconfessional.com
A VERY ROUGH TRANSCRIPT OF THE EPISODE
Provided by otter.ai
SUMMARY KEYWORDS
password, business, service, people, breach, email, account, password manager, data, information, secure, security, clients, pet, app, concerned, company, pay, terms, ron
SPEAKERS
Collin, Ron C.
Meghan 00:10
Hello, I'm Meghan. I'm Collin. And this is Pet Sitter Confessional, an open and honest discussion about life as a pet sitter,
Collin 00:17
brought to you by Time to Pet and Pet Perennials. As small business owners, we wear a lot of hats doing things to make sure that our business stays running and is operational and meeting our clients' expectations. And running a pet business in the 21st century does mean that we have to be concerned about data security, because recognize it or believe it or not, you do have a lot of sensitive client information that you have access to, and that it is now your responsibility to make sure that it is secure. So today, we're really excited to have Ron Cervantes on, owner of C Solutions, to talk all about small business IT data security and how we can implement some industry best practices in our business without having to have a full IT team on our side. Let's get started.
Ron C. 01:04
Yeah, absolutely. So thanks for having me. Yep. So I've been doing IT. That's pretty much most of my adult life. I graduated with a degree in Management Information Systems, I obtained a master's in Management Information Systems. For quite a long time, I handled IT for a transportation company here in Orlando, Florida. I was, you know, there were a couple of us that did it and ultimately ended up being just me. And I managed an entire company of about 75 employees with multiple, maybe 12 remote locations across the country. And it was just me. And the company was bought out, they moved headquarters to a different state. And at that point, I kind of already started dipping my toes a little bit into helping small businesses. And I said, I did this for this company, I could do this for quite a few small businesses. During that transition, I also started teaching for an online university as an adjunct instructor, and then I was able to get a professor position, it kind of helped me off till I was able to grow the business side of my IT support. But there's, I mean, there's always a teacher in me. And so this is kind of an opportunity to expand on that a little bit. So that's a little bit about my background.
Collin 02:26
That's fascinating. And I want to ask a quick question about the management information systems. That sounds pretty big and scary for a lot of people, especially for the topic that we're discussing today. And do you think people need to have a degree to understand what we need to be doing best and, and how to approach these questions and IT and our businesses?
Ron C. 02:49
Oh, God, no. No, and even the degree that I have, it was more of a business generalist degree, I suppose. While there was, you know, we're talking right around 2000, I suppose. And, you know, things were just still getting going with a lot of networking. And cybersecurity really wasn't even a concern back then. As much of a concern, I should say. But yeah, I think anybody who's inquisitive, reads news, plays with technology, you know, that anybody can really dig into it a little bit and educate themselves for sure.
Collin 03:30
Now, you did mention that you've been in tech for basically all of your adult life. So from, from your perspective, how have things like business security and IT changed over the years?
Ron C. 03:42
Yeah, I think, you know, we're, we're a lot less, you know, long time ago, we were a lot less connected. Operating systems were less complex. And as things have gotten more complex, they become harder to secure. And as we see in the news, attacking operating systems, companies, things like that the security pays. And so those threats are only going to grow, you're only going to get more inventive and trying to protect ourselves, we always feel like we're one step behind the bad guys, right? You think of the evolution of spam, we used to have email, and then all of a sudden, people started sending spam emails. And we would get, you know, unwanted unrelated mail that we don't want. They might contain keywords like Viagra or celebrity pics, and so that we could, you know, click on a link or something like that. And then you could start to block those keywords. And the spammers would change their tactic. And they would actually just embed an image with the actual text that they wanted you to see. And then so then we started to restrict the images that could come through. And then we came up with additional blocking techniques to protect the email coming in, basically verifying, hey, who is this person coming in? Do we want this email? What are the contents? And we came up with a rating scale to rate spam. There's just constant adjustments. And now, if you fast forward from what spam was to what it is now, where they would just send it to anybody, now you have targeted spear phishing, and that is a focus term, meaning that you are receiving an email where information is already known about you. So for example, Collin, you could get an email, that, that there's something perhaps maybe something related to maybe a pet rescue, right. And it's attempting to get you to do something like, Hey, I know that Collin is in this industry, he does these types of things, he might be interested or susceptible to something like this. 
And it might be something that looks legit, something that might maybe elicit an emotional response from you, and attempt to get you to click a link to take you to do something, or input some sort of credentials that they might try to use in different services that you might use. So it's gotten quite sophisticated in terms of how attacks can come through.
Collin 05:54
When you said that word emotional response. And to me, I don't think that's a component many of us factor into these ideas, we're used to looking at, you know, maybe, how does the sound is this seem weird? I'm obviously not going to put my password in a random pop up box. But that emotional response that you mentioned, just how complex some of these are, is that were they really targeting those, those individuals with the data that they have about you? And so, when, when you think about that, what's the so you'd mentioned spear phishing? What's the what's the relationship to just a phishing scam? Or? Or how did those things get put together? And where does that data come from, that they use against us.
Ron C. 06:35
So most of it is just a compilation of so many breaches that have happened, and a lot of that data. So people will just sell that data. Basically, on the dark web, you think about the Equifax breach that happened, that's a big source of the data that's sitting out there. There is a site that anybody can take an email address and input it in, I promise you, it's safe to input your email address in there. That is a very reputable site, and it is called (I'll give you some show notes on it) Have I Been Pwned, P-W-N-E-D; it's basically pronounced "have I been poned". And so H-A-V, I'm sorry, I can't spell here: haveibeenpwned.com. So you can go there, and you can actually input an email address that you have, it'll tell you whether or not that email address is involved in a breach, it will not tell you, you know, what password was associated with it or anything like that. But it'll tell you if it is involved in any breach that has been discovered there. And there are dumps into that information database, which is open source, meaning anybody can go look at it. And so the idea behind it is just to provide people an ID to know whether or not any of their data has ever been exposed. And if the service that's listed that you're aware of, perhaps you can close it, or change the password if you hadn't changed it since. Or just being aware that hey, my data has been exposed in some form. And I just need to watch out for it.
Collin 08:06
I will say when you go in and enter your email into the Have I Been Pwned website, it comes up with this kind of red if you have been, and that can be a little bit scary. So you mentioned a little bit about getting out of that service, changing passwords. What other things should we be concerned about if we feel like or if we are alerted to the fact that we may be susceptible to a breach?
Ron C. 08:28
Sure. So there's a lot of things that can go with that. I think for one, you just need to really evaluate your cybersecurity habits, I think that a lot of people will choose a password. And they will use that password for many common sites, people have to just have their own systems. And for some it might be working. Some it's just, you know, again, being safe and secure, is not related to convenience, right, they don't go together, there's nothing that's convenient about being safe, you just kind of have to deal with it. It's a world that we live in. But people have their own systems. Some would like to use family members as passwords or things that you know, little things. And they it's just it's you have to have a system that's going to work but still be secure. And so oftentimes, people will say, Well, I can't remember all of these different passwords for all of these different services. And that's where a handy password manager comes into play. The key thing with the password manager is that you have one master password to get into the entire collection of passwords that you have. And that password can't be anything that you've ever used before. And it can't be a password that you ever use with any service currently, right. It needs to be unique. And so what I often tell people to do is pick a phrase pick something long. Pick a whole phrase, like, you know, my first ride on a roller coaster was and maybe In a city or something like that, just like a whole statement, something that you can't forget. And that becomes your master access to that. And then you let the password manager, pick a password for you for all of your services, you'd go into your services, it'll recognize that you're changing the password, they'll say, Hey, I see you're changing your password, do you want us to help you change it and just say, Yes, I don't know any of the password services that I use, they're super long, super complex, I don't know what they are, I don't care. 
All I know is the main password to get into my password manager that I use on a regular basis.
Collin 10:34
You mentioned that we are in that interface between convenience and security and, right, they don't really equate, but having something like a password manager, whether that's 1Password, or LastPass, or using a built-in feature on iOS to generate some of those same passwords. And if someone's listening to this going, I don't need that. Well, if you have, I assume a bad password manager, Ron, would be like a text file on your computer, or maybe a notebook that you keep on your desk or on your person at all times.
Ron C. 11:04
Yeah, I mean, you know, if you write them down in a book, and they're safe somewhere, that's not it, that's, you have to think about it, you're the only one that has access to it. So if it never leaves your house, or if it's in a safe place, that is a possibility, right, obviously, if you had some sort of a disaster or flood, but again, you have to pick the method that works for you. And that you're, you're assuming risk for anything that you do. Now, you know, to your point of of having that, yes, people who, who, if you lift up the keyboard, they have little stickers underneath it, or they when they put them on their monitor, I see that so many times, you know, putting them in an Excel spreadsheet that is not locked, and I wouldn't even do it if it was locked, right. And just making simple too easy a password, you don't want to use anything that's ever been used in a dictionary. And you want to make them long and complex. So as we, you know, as the future comes, move it along, computing speed has gotten better and better. So it used to be that you wanted to have like a minimum of eight characters and special characters and things like that. And now we're at computing power, where that can be, those can be cracked, and you know, and much shorter time than it used to be. And so the longer you make the password, the more secure could be in terms of not being able to decrypt what the password value actually is. So in terms of passwords, size definitely matters for sure.
Collin 12:36
I, I do think I need to take one step back here because we got talking about data breaches. And I would like for you to talk about the difference between a data breach and actually being partly being part of a data breach and actually being hacked, and where those two line up and kind of how they're related to each other.
Ron C. 12:54
Yeah, so if you think about a data breach, that would be some sort of a service that you use, or where your information was stored in. Dropbox was a big one that came out there. There's so many that happened on a regular basis. I mentioned Equifax already. So that's where they, the bad doers, right, information was obtained, and it could contain just personal information, such as address, first name, and last name, and nothing else. So it depends on which one is breached. And like I said, that site will actually detail what was entailed in each breach. But it could include some personal information, such as social security numbers. And then of course, username and passwords are always hot topics. And so again, you don't want to reuse the same username and password across different services. Because let's say, for example, that, you know, there was a breach in Facebook. And so they have your username and password. And if they decrypt the password itself, they can say, Oh, hey, let's try this in Dropbox, let's try this in Gmail, let's try this in Office 365. And if they get a hit, then they can, you know, then they have access to all these different services. Now, getting hacked would be more of a one to one type of a deal where someone just, uh, you know, takes over a certain account of yours. Maybe impersonates yourself on a service that you might use. And, and perhaps you may have fallen into a trap, or they've gotten through some sort of security loophole in an operating system, or you clicked on a bad link in an email or a website, all of that stuff, and where they are trying to obtain information from you. They might try and scare you to call a number and then they might ask for money in some form. There's lots of different ways that can do it. 
And of course, there's always the ransomware that's sitting out there where they will encrypt your hard drive and you can't view anything except the text file of them saying call this number and which is it's amazing thing that they truly have It's been talked about that they have good customer service, believe it or not like, you call them up with like, Yes, I'm very sorry, this happened, let me help you with this. And it's just, it's amazing. But that's what they do. So yeah, that hacking would be like a one to one type of a deal where someone has taken control of an account that you possess of some sort, through, sometimes perhaps an action that you've taken, sometimes perhaps something that you are unaware about that is going on in the background, I just want to explain exactly what happens with the, with a breach. So oftentimes, if data is exposed, whatever it is, and they say it's usernames, passwords, they don't actually get your password, right, they don't realize, Oh, I know exactly what this password is, it was, you know, I got pulled it out there, they're always they should be there should be all encrypted, you know, with the service so that you can't, they're just hashes so they, they can decrypt them. And so that's why it's important to have a longer length, right? So if it's a short thing, they can decrypt that in a matter of seconds, the longer you make it, which could be if you do a web search on, just say, How long should a password be, they'll have statistics on how long it would actually take a password to be cracked, if it's this long, if it's this long, if it's this long, and it will go from just a matter of seconds to a number of centuries based on the length of it, which right now, it's probably around 14 to 16 characters, something like that. And so like I said, longer is better. And that's why longer is better, right? Because it would take them longer, they would die before they actually, you know, decrypted your password. That's the idea. 
So I just wanted to make sure I was clear on on what actually happens when data is breached in terms of that.
Collin 16:45
Right? And again, not if they don't get direct access to your account. And I know that is really confusing for people because they see oh, this data is breached, they immediately think have I been hacked? I think the question, even though the response is, well, maybe, depending on how secure you have your account set up and what information they actually got. But it's also important to note that maybe it wasn't the password, but they get all that other identifying information. So they can send those spear phishing emails to you that are really focused on information about you. So it makes it personalized, so that then the social engineering comes in and you think, okay, well, they know all this information about me. And I need to respond to this. But they got it from this breach of some other companies and are kind of putting it to use to actually get into your accounts.
Ron C. 17:26
Absolutely. And the key word you have there, the phrase, is social engineering, because that is probably the biggest culprit for phishing, breaches, hacks, all that stuff that comes through there.
Collin 17:40
Well, and for us, we have a little bit of added weight to us, we're running businesses, and we do actually have data for our clients. And so for us, what are some of our maybe obligations for securing and maintaining our clients data?
Ron C. 17:56
Yeah, so again, client contact info is always going to be important to protect, you know, their name, address, numbers, things like that. But when you think about, again, payment information, you know, credit card info should never be stored. So that you could just pull it up and view it yourself. Because if you can, then it wouldn't be that difficult for someone else to do it. So, you know, I would, I would like to think that most people are using some sort of a merchant service to accept payment. And that service would be as well as yourself that the organization would be beholden to meeting PCI compliance requirements, so that they would trickle down from the merchant server to, to the to the business itself, do your due diligence on choosing a merchant service, you know, obviously, rates are going to be a concern. But think about the peace of mind that they will give you in terms of protecting your, your client data, right? Make sure you go with one that's going to give you confidence that the customer financial data that you are transmitting is secure in transit, and that they do require PCI checks for your, for your service, all that stuff. And so as a business, I don't, I would never recommend to record credit card numbers on a file or any like that. If you do for the sake of having to manually input a transaction of some sort, you would just want to make sure that you do shred that immediately. Which is another PCI requirement, just to say that you do do that. But that would be one of the biggest things I would, I would, you know, be careful with, again, you think about, I think that I'm sure there's quite a bit of email marketing that goes around. And if you're using some sort of a mailing service, like Active Campaign or MailChimp or something like that, that you do protect your account. Because you do have data in there. 
Obviously, if you're gonna be sending out, you can protect your account. Those services should have multi-factor authentication, which I'm sure we'll talk about in a second. I'll elaborate on that. But just turning on whatever security features are available. Making sure again, the password manager is something that's a secure password to access those services. And don't share them. Right? Definitely don't share them. If you have employees, have them have their own account, so you can shut them down. Just so you're not letting credentials get away from you.
Collin 20:22
Yeah, we really have to be thinking about where this information is coming in, how it's getting out, and really how it's being used to you mentioned the whole, not writing down credit card information, I can't tell you how many times clients have been traveling. And maybe their car gets clear, their card gets declined or discontinued or whatever. And they want to send me a photo of their credit card, or they want to text me and I just break out into cold sweats because now all of a sudden, it's like, no, I don't I don't want any of that on any of my devices for any reason. But you want to get paid. Yeah. Right. Right.
Ron C. 20:55
So where do you, where do you balance it? And so in those instances, there's, yeah, I would say. So there can be services out there that, you know, obviously they send a picture, you can say, look, alright, I'm gonna delete this when you send it to me, you know, and it's a matter of you wanting to make sure that you're conveying that you're going to protect this information for your client, like, Hey, okay, if you really want to send it to me, I would like to get paid. To send a picture, I promise you, I'm going to delete it, or you should delete it from your end, you know, that you're saying the right things here. But you could also use, there could be free solutions out there, there's one that I use quite a bit called PWPush, P-W-P-U-S-H dot com. And so basically, what you can do is you can input information into a text box and then send it as a link to the recipient. And you can set it so that the link expires after a certain amount of days, or hours, you can set it so that the link can only be viewed X number of times. So that there's just less of an instance, you know, again, if someone sent you credit card info in an email, and eventually your email gets hacked, and you forget they sent it to you and it's been six months ago, and someone scrolled through your email, they'd see someone's credit card info, as opposed to a dead link that means nothing after 48 hours.
Collin 22:18
Have you heard of Time to Pet? Chrisann from Raining Cats and Dogs has this to say:
22:24
Becoming a Time to Pet client has been a game changer for us. We can give our pet services clients real time cloud based information they never imagined they'd be interested in. And most importantly, to me personally, I can better manage my company and look forward to more. And not a small thing, Time to Pet is responsive to my requests for new features, and modifications to existing ones. If you are looking for new pet sitting software, give Time to Pet a try. Listeners of our show could save 50% off your first three months by visiting timetopet.com/confessional.
Collin 22:59
You also mentioned about making sure we have secure and using good services like the credit card processing, merchants making sure that they are reputable. And that yes, we may pay more. But there's peace of mind there. And that when we use an email marketing campaigns, yes, we may pay more. But there's, there's there's peace of mind there. But it still cost us that if we are setting up an account to use that service, we have to do our due diligence to also protect ourselves from being vulnerable to things because there's a lot of, like you said, of the contact information and things that are going out to clients that we don't want to expose them to. So we are part of that chain of not just our own data security, but also the data security of other people around us.
Ron C. 23:41
Absolutely. And just to your point of talking about that there might be free services that can do certain things, but you might pay more for that peace of mind. There's a there's a saying that goes if you are not paying for the product, then you are the product. You know, in that case, you know, hey, this is free. Yeah, but you know what? I'm sure there's something in their terms that says they can share info about you not necessarily your data that you have in there. Or maybe they do for all you know, you don't you if you read the terms, maybe they have a you know, some verbiage in there that says they can. And you probably just clicked yes to and just proceeded. But again, you know, there's a lot of things a lot of services we use, I mean Facebook, we are the product they are they have our information, they are constantly remarketing to us, you know, all of that stuff. And so you just then the world we live in, it's hard to get away from a lot of that. It's not like you're going to a disconnect completely. But you also don't want to be you know, not sign up for every little service that's out there. Because you're just kind of having a you're increasing the surface area to attack in terms when it comes to your digital profile.
Collin 24:56
That's a really good point. I know in the password manager that we use, you can scroll down, and it will alert you if something has been found, or emails that are associated with different accounts, if there have been impacts or hacks to different services. And after using a password manager for, I think we're going on like six or seven years at this point, actually, I'm shocked by the number of little small accounts that have just accumulated over time. And we forget about them. And so as a general practice, you know, how do we do a good review of the services that we should, you know, or even is that something we should be doing as part of data security, of looking at where our exposure is?
Ron C. 25:37
No, 100%. So, yeah, you could be forgetting about services you don't use any more. So when it comes to that, if there are stuff that, you know, if you're going through a list of passwords you have, it's like, Oh, I haven't used that forever. And well, maybe you cut off the payment for it, they often will hold on to your data, eventually, they may or may not delete it, you don't know. Many services, if you go log into the account, you might have the option to close the account. And hopefully, then at that point, eventually the information would go away. So if you do have that, it's worth looking in to see what options are available for saying, hey, what can I do to just get rid of my data off of your service, some might make it easier than others, some would just be that they just kind of go away, it's hard to say, but data can linger out there. And that's often where some of the breaches come out where a breach happened, you're like, Oh, I haven't used that service in five years. But here all of a sudden, you know, they've got some information that's out there. So yeah, it's a great point to always look through all of that stuff. And just circle back on the password manager out there. I think, you know, you mentioned some names of LastPass, 1Password. I was a previous user of LastPass myself. Bitwarden is a fantastic option that I highly recommend, which is free. And then if you are sharing passwords within an organization, I really do like Keeper. Keeper is a nice way too. So for example, if you've got a team of people, you could have all these passwords. And then you can share them, or share individual ones to other people. And it won't even expose the password to them. So it'll automatically fill in the information without them even knowing what those credentials are. And the nice thing about that, too, is if they leave or you can always pull them back and take it back. 
Or if they leave, you can transfer their actual individual account, you don't have to worry about what does this person know, they're taking all this knowledge with them. If it's all stored within a password manager, you can say, Look, I'm going to transfer their entire account to the new employee, and they can hit the ground running.
Collin 27:45
And even if we don't have employees, if we have people who we work with, like, you know, a CPA or tax accountants or any other anybody else who is assisting us in our business, if you have a virtual assistant that does social media posts for you, yeah, things like that. You might think, Oh, it's just easier if I give you my business account. But there's another, you know, huge hole that you are making and leaving open to you. So being able to give these people individual passwords to what they need access and what they only need access to. That way you're protecting yourself. And that if something happens to them, they don't have access to the entirety of your system as well. Right? Absolutely. Absolutely. We mentioned password managers. And earlier you did mention that and say the phrase multi factor authentication. What what is that? And why should we be so excited to implement it everywhere?
Ron C. 28:35
Yeah, so multifactor authentication, also referred to as two-factor authentication, depending on who is using the term. But it basically means is what it means. It means something you have, which could be a phone, something you know, something personal about you that you might know, something you are, which could be your facial recognition, fingerprint. So it's a combination of those three things. And so what it is, is when you log in, even if someone had your username and password, if you go to attempt to log in, it asks for one additional authentication requirement. I think people are probably most familiar with getting a text sent to their mobile device of a code, right? So text is okay, I would say an authentication app is better. There have been tests, proven tests done that the cloning of SIM cards can be done where that text could go to someone else that is not you. So text is better than nothing, but an authentication app is better. And there are a lot of authentication apps out there, such as Google Authenticator. LastPass has their own authentication app. Google, Microsoft does as well. But I think one of my favorites is probably Authy, A-U-T-H-Y. You can install the app on your phone, if you want to, you can install the app on a desktop PC. And basically, what you do is it will generate a rolling every roll every 30 seconds, a different code, same type of code that you would get texted to, if you are logging into a service. It's very easy to set up, very simple. And instead of doing the, you know, it says you want to set up a service for multifactor authentication, it usually gives you options if the service provides that option. So it will often say SMS or text, or use a mobile app, and you would just choose mobile app, you just kind of walk through the little wizard process, very easy to do. Often, it's a matter of just scanning a QR code with your mobile device and you're done.
And it will just be able to keep all the different multifactor services within your app. And you'll just pull it right up and be able to input that code there. So it's very helpful that way. Another thing that if you really want to take a next step would be to use a multifactor, like a hardware device, meaning you have these little USB keys, they look like a little mini flash drive. For example, there's a brand called YubiKey that I personally use. So it has to be plugged into your phone, or it actually can read your phone with the NFC chip, the near field communication, if you just tap it to the phone. So again, that's something that you have, and it will authenticate you. So it plugs into USB drive, or you can touch it to your phone. It's just another layer of security that you could implement if you wanted to. Not every service provides support for hardware device. But I do believe that's coming not far down the road.
Collin 31:50
And again, the workflow for this is you want to sign up for a new service. They have an option for multifactor authentication, you choose, do I want to use an authentication code in my app? Do I want to use that text message? Do I want to use a physical key? And then every time you go into login to that service, it's going to ask for that other piece of information. So it's going to ask you, Hey, enter that code that's in the app, or it's going to look for that USB key or it's going to send you that text message. Again, it because we're trying to basically prevent a third party because most likely, again, what we're trying to prevent here is somebody from accessing they've got your password, they have your email, but do they have that key? Do they have that authenticator app? Do they have that text message? And again, bringing the it's all about securing and having as many factors in place as possible? It's Yep, it's all about putting in those layers. Right?
Ron C. 32:41
You know, if you didn't have to do that code, would you be able to log in faster? Yeah. Yeah. But I mean, again, that with that speed, and that convenience, it they don't really go hand in hand. And it's, you know, it's a necessary step to just, again, have that peace of mind, you, maybe something terrible happens that this is breached. And like, Oh, my goodness, I use that service. But I think I would feel better knowing, hey, I've got an authentication code on my app that they can't get in even if they have a password, of course, you'll go in and change your password to do the doubly safe, right. But there's a certain peace of mind that comes with that, like, well, I have that enabled. And so I feel a bit more comfortable.
Collin 33:23
When you work with small businesses and how you interact with them. And one of the things that you mentioned, you see a lot are the Post-it notes on people's computers and at their desks, what are some other security holes that as small businesses we need to be aware of and trying to fulfill?
Ron C. 33:43
Yeah, I think I would definitely go back to forgetting about services you don't use anymore, for sure. Because the data lingers out there. Close, but you don't need receiving get the vendor to to delete your account, again, using the same password for all services, sharing user accounts, because you don't want to buy another license. I mean, it's been a little lazy and a little cheap, unfortunately. And I know that again, small businesses are always going to look for ways to just you know, to cut corners, but it's a little tough with that sometimes, again, not enabling multi-factor authentication is always going to be a risk. It should be enabled, anywhere it's offered, check your accounts, go to you know, always typically it's everything we know where everything is upper right corner, you choose your little head or your name, check your account profile. And there's going to be a security section to see what's there that you can actually enable to increase the security on it. And again, using free services and not realizing the privacy and security certain concerns. Those are a lot of the security holes that would come up in terms of small businesses that I see. For sure. And I will say along the lines of the password manager. And I know that the browsers do this out of convenience. And I often will go into the settings of a browser, whether it's Firefox or Chrome or Edge doesn't matter. They all store passwords for you. Right. And while that I am conflicted, because it's just not the best thing. Again, if someone had access to whatever account that you're signed into on that browser, they could pull up all of your passwords in that account. So what I will typically do again, pushing that password manager thing, again, is, when you install it, it will say, hey, I want to check your browsers for passwords, you would say, Yes, it'll pull everything that it sees in there.
And then go into your passwords that are inside your browser, delete, delete, delete, delete, delete, delete, delete, delete, and then tell it to never ask me again, to save a password. So that would be the way to, to cut that cord of your browser saving in the passwords.
Collin 35:57
As businesses, we get emails all the time that just look, I mean, they're just scam central. So what are things that I should look for in like an email to verify and confirm whether this is authentic or not?
Ron C. 36:09
Many small businesses, they have a website, and it's some sort of a domain name, they have that already. But then their email address is like a Gmail or AOL account. And if you have the domain already, get yourself a business email account that matches that domain, you have a lot more control over the email that comes in and out and all of that stuff. So back to your phishing point. When you have a business email account, you can set up security settings. And if you're not sure how to proceed, find someone who can assist you with it. But you want to make sure you enable DKIM, SPF and DMARC settings. And we'd have to get into what those actually mean. But basically, they control and say, Hey, is this person that's sending the email who they say they are, right. And so it can run some of those tests. And with the business account, there are a lot more spam and phishing protection settings that you can implement. But if something slips through, you want to do a couple of things, you want to look at who is it coming from? And so you look at the address. And if it says, Hey, this is an Amazon delivery, whatever, but it's coming from xyz@gmail.com. It's like, well, Amazon's not going to send me an email from Gmail, you know. And so you have to know who it's coming from. Is it reputable? Do you recognize the email address? And then of course, always dead giveaways are misspellings. Right. And they often misspell it on purpose. Because if they put some of those keywords in there that they think they're going to get blocked. Or sometimes it's just someone who's not of the language, and they just misspelled, period. If there are links in the email that you see, you can hover over them, and it will show you where it wants to take you. So take a look at that. Does that link that where it's going to take you kind of match up with what that link actually says?
And of course, in the same breath, I would say don't click anything you don't know. So don't do anything at all. While the email address can be from a strange email address, the actual name could be a name you know, because they can do that. So I would always at that point, contact the potential sender directly, pick up the phone. I know we don't do that. We don't do that. Maybe we don't talk to you what talk someone in person hear their voice? Why would we do that? But pick up the phone and contact them. Did you truly send this to me? And if there's any doubt, or if you're one of those that don't want to hear someone else's voice, then just delete it, if you're unsure, just delete it. Because if it's truly important, the request is going to come again,
Collin 38:47
which is something we tend to not think about of oh, this is here. I need to do something with this. I need to get off my plate. Let me click click click Exactly. Yeah, everything's actionable. Yeah. Well, they're kind of relying on that, again, this emotional response. They're this this, you know, psychological almost warfare that they have against you of like, how do people process emails? What kind of stress are they going under? Will they really look into this as in depth as I can. And I love that idea of the phone call. Because, you know, we talked about doing multifactor authentication for ourselves. That's, um, that's making a phone call is a great one, as far as another multifactor for that company to make sure that everything's okay.
Ron C. 39:26
You know, we talked about information that gets breached. So it could be your name that got breached, it could be a name of a child or a relative or something like that. And so there were actual emails that were being sent saying, Hey, I caught you looking at adult sites. Do you think insert child's name here would approve of what you looked at and it is jarring to see that, to see like your child's name in an email in a threatening thing like that and it's like, Hey, pay this money, or I will do this or something, you know, but they're naming names and you're like, I mean, it's jarring to see that. So, again, we're going back to that emotional response. I mean, that's going to work better than anything else.
Collin 40:10
Yeah, and again, just doing it that due diligence, and I know, calling them but then ultimately just deleting it if you have no idea because there's no harm in that if it's actually legitimate, you know, you're gonna get a follow up. It's actually going to be what you expect, or they're going to try and get a hold of you another way. Absolutely. Yep. You already know that Pet Perennials also makes it easy for pet sitters to send sympathy and other milestone gifts. But did you know they've designed a new line of car air fresheners, these integrate long-lasting car-filling scents with adorable animal designs and hover expressions that deliver a little inspiration while you drive? They actually did send Megan and I a set of these and we've been using them in our cars and I have been using the cat your perfect design, which our daughter absolutely loves. And Megan has the hamster enjoy the little things because strawberry is her and our son's favorite. You can give an air freshener to new clients or send something small for birthday or holiday gift, order a case of your favorite designs for a buck 99 or have Pet Perennials send it as a gift package to your client with both a handwritten card and gift wrapped for 1275, which does include shipping, check them out at PetPerennials.com. And be sure to register for that free business account to unlock the all inclusive discounted package prices and access to the wholesale catalog. You only pay for what you ordered. One of the things that you started off by talking about how different IT and business solutions has changed over the years. It's just how complex and how connected things are. I know one of the growing parts of that are all of our connected devices, our Internet of Things. How concerned should we be about that? And actually, as I was preparing for this, I started thinking about our clients' homes that we're walking into and how connected they are.
So how do we what are some best practices around connected devices and the Internet of Things and the world that we're living in the reality that those have?
Ron C. 42:05
So how concerned should we be? I don't want to be like a tin foil thing. But there's definitely concerns for sure. We have so many things that we forget that are connected to Wi-Fi. My water heater, for one. I mean, it's a strange thing. It's connected to Wi-Fi. And you know, our doorbells, our cameras. All of our you know, the Google Homes, the Alexas, right? And nice. So there's all these things that are sitting there. And it's a convenience for sure. My recommendation for people at home would be to, again, this gets a little bit more on some technical know-how, depending on the equipment that you have, but if you can create a separate wireless network, you just create a separate one, and you keep it segregated from your main network. So basically, like for example, when I set my water heater, or even my camera at my front door, they have no reason to talk to any other devices on my network. So I put them on a separate network. And because basically what they do is they go out, and then they just come right back in, they don't go from they always go out to the internet, and they come right back in. And that's all you need to ask them to do. They don't need to see my TV, they don't need to see my PC. So you keep them all separate. Many newer firewalls have, you know, wireless segregation, I don't know that they have different terms for it, I don't know if they'll say IoT or a separate wireless network, but you're looking for something that will actually have that option to, hey, do you want to put this out there and then when you go join devices to it, you just choose that wireless SSID from the list that shows up. And it'll be set, you know, segregated from everything else, as long as you're getting it to kind of pay attention to what it's telling you within the setup, that you want that wireless network to not see maybe isolated, segregated, separate, whatever that word that they're using there.
In terms of going to other people's homes. You know, the devices are always listening, whether they say it or not, in fact, I mean, obviously with the the smart devices that are coming from from Amazon or Google, they said they weren't listening but then you know, there's been an incidence where there's been like, maybe a domestic disturbance than they were able to pull up to what really happened during it. I mean, they can do all this stuff. It's always listening. So you know, if you are at a you know, if if you ever if you're at a home that you were, you know, kind of maybe watching that if you don't want it you can always just press the button to turn the mic off. You could unplug it if you want to, you know, if you're concerned about what it's actually you know, listening to or anything like that. You know, it just all our stuff is out there. We all have it. It's a matter of how much you deal with it. all doom and gloom right
Collin 45:06
now. But we have we have, we still have a lot of agency and control over that, right and being mindful of the kind of information that we are sharing it because again, as I'm thinking about this, like clients leave notes in homes all of the time, and now sure, that's more information that say they may leave additional phone numbers and people's contact information on there. Yeah, make sure that we are not sitting on our phone scrolling on through our our emails, or other sensitive data in front of a camera, right of understanding where those things are, just so that we are exerting and pushing back a little bit on, on how we're handling this. And there is, it's not a Oh, you did something wrong. So now your data is out there. Because things happen all the time. Like, like, yeah, right, like you have experienced yourself. Like it's a yes, it's a what are some always be in that mindset of, I'm aware of how my actions are, or could impact myself and others. And knowing at the end of the day that we can only do so much?
Ron C. 46:05
Again, you want to minimize the risk as much as you can, it all comes down to what risk risk? Are you willing to accept? And are you? Are you interested enough in minimizing that risk, and so you can really do baby steps, I think that someone listening to this, like, oh, my gosh, there's so many things I have to do. Take some baby steps, you know, you if you if there's certain things that you're you know, find out where you kind of fall, I think some people will be listening to this, like, Oh, my goodness, I have so much to do, I think others might be listening saying, I do that I do that, oh, I need to do that. So just kind of take notes of hey, I can make some baby steps and change some changes. And and, you know, get used to implementing different processes, different ways of doing things, and that will become the norm for you. Right?
Collin 46:54
I know, for most of us, one of the devices that we have on hold our hands all the time, or our phones, and many of us, I'm gonna say most of us don't have a business phone and a personal phone. What are some best practices around using one phone for both personal things and running our business on?
Ron C. 47:12
It's a challenge. It's a challenge for sure. What I would say is that, again, when you're using your phone, you're going to be using apps. And so with your accounts, keep your app separate. Meaning if you're using a personal app, use your personal email. For correspondence. If you're using a business app, use your business email. And that goes back to making sure you do have a business email account, you kind of keep them separate. And with the apps, you know you have a mix of personal and business but make sure to log in is associated with the correct account. Don't just sign up with your personal for Business account, just because it was simple or easy. Just really make a conscious effort to keep them separate. And don't cross those lines. Definitely lock your phone with a strong pin. There's a funny, do you remember when Kanye West was in DC, President Trump and made the news and he was sitting in there? Yes, I do. Yeah. Okay. So the camera was on Kanye West. And he's talking, talking, talking, talking. And he pulls up his phone, and he wants to show something to Trump. And so he hits six zeros in a row right on camera. So pick a strong pin, so the whole world knows it, right? Pick a strong pin. And of course, you've got the facial recognition as well, you know, but make sure the pin is strong. You should be able to also encrypt your phone as well, there should be a feature on there as well that you can turn on. But yeah, I mean you're carrying two phones is is I don't know that that's all that realistic, unless you really want to be able to disconnect from your work life after hours and just turn it off and then turn it on when you're on you know, but mixing apps is going to be another whole whole thing on a larger scale with with larger businesses, what they'll often do is they will create a separate partition on a personal phone. And so they'll they'll, your phone will check into that business network. And they'll create a separate partition. 
And if you leave the company, they'll have the ability to wipe that partition off to protect their data. Right. So there's a way that's basically getting into what they refer to as bring your own device to work, where you're using a personal device for business purposes for a company. And it's like, Sure, you can do that, but you need to, and you basically set a baseline for the health look, you have to have a strong pin. It can't be 1234. And we will have to encrypt your phone. And we're going to create a separate partition and you have to accept all of that just for the sake of using your personal device for business purposes. But it really it just completely separates the whole thing. And if the device is lost, the moment it sees anything if you can put a call out to it from whatever service you're using, and it will have the ability to wipe the entire device, or just the company data
Collin 50:03
You mentioned about in larger companies will have this partition and stuff and everything that we've been discussing, so far has been kind of me, the business owner and things I can control. But we get beyond that at some point. So from your perspective, Ron, when should somebody start seeking out help for our IT concerns, and our data security for our business?
Ron C. 50:29
Yeah, I think your gut will tell you, I think that you know, that there's gonna be some people that are more comfortable than others that where it's, maybe it's fun for them, or they know it, and there's gonna be others like, I don't know, and they're freaked out by it. If that's the case, if there's some concern or hesitation, then definitely reach out to somebody, talk to other people who they might use. And, you know, oftentimes, if it's a small business where maybe like, five or less, many times there's, there's maybe the owner can handle themselves, you get around 10, you get to a point where like, Hey, I've got to onboard and offboard people for, you know, employee purposes or for hiring purposes, set up different accounts for them, there's all these things that go with it, and just running it more like a well-oiled organization, that's usually when they really start seeking out regular help as well. So sometimes related to size, sometimes it's comfort. Sometimes you have an employee that you hire, that is good with tech. And I see that all the time where ultimately, that person was not hired to do the technology related aspects of the business, they were hired for something else, but they kind of fall into it. And then they grow. And that person is unable to let that go. Because they don't have someone to do that. And so I often like to reach out to those people and say, I can step in and let that person do what they were hired to do. And, but that person will also be my contact to be able to be in the know of what's going on if they need to, and will also be kind of like my eyes and ears within the size of the organization, which is always helpful.
Collin 52:09
Again, when I start not being able to wrap my brain around fully of all the things that are interconnected, or maybe I just don't have the time, because of the complexity or I'm being drunk in other places. We make those decisions all the time in business, right? Hiring a CPA hiring an accountant hiring a virtual assistant. And I really do believe that as our businesses grow, having good data security needs to needs to be top of mind more and more, especially as we're more interconnected. We're more reliant on software, we have more people working in and around and through us, that if we can't put attention and focus on those issues, definitely having somebody who can is really going to help us our business, you know, stand stand apart to because we really can say what we're doing and how we're operating in best management practices.
Ron C. 52:58
For sure. And again, when you're looking for someone, you know, go with with with the vibe that the person gives off, do you think it's going to be a good fit? I think that tech people, can they have a reputation for being condescending? Right? So try them out? Is it a good fit to the you know, do they feel like you know, what they're doing? How responsive are they? I think a price should be the last of your concerns, really? You know, try out what else? What else is going on? If you're, you're you're choosing the cheapest, you're probably going to get what you pay for. Right? So go with with the, what's your gut kind of tells you? Is this person to make you feel comfortable? You know, are they understanding? And are they responsive, and all that stuff. And I think that'll lead you in the right one right direction.
Collin 53:49
Yeah, being responsive, being willing to teach and share, not just tell so that you can be making good because ultimately it is your business. You need to know the underpinnings and how things are functioning or not functioning so that you can decide to make the proper changes. And if you have somebody who is withholding information, not intentionally, but just because of how they are, if anything, again, this goes from tax accountants, to IT specialists for your business. Hiring good people who can communicate and teach is really going to help you make the best decisions for your business and for the people around you.
Ron C. 54:20
I have nothing to do with this site. But I will give it a little bit of a plug. Since this is a podcast, I would plug it on the other one. There's a podcast I listen to regularly called Dark Web diaries. It's a fun podcast to listen to that talks about maybe famous breaches, breaches you wouldn't know and how they actually do it. And they actually do a lot of stories of people doing penetration tests where they actually will and they'll perform social engineering where their job they were actually hired to go into like a bank or secure building and see how far they can get and see what they can do without getting caught. And they have permission to do so from the company itself by just a couple people that know what they're doing. But the entire So the company does not. And their goal, their job is to go in there and get paid for it, which is ridiculous. Sounds like such a fun thing. I mean, basically just going into rob a company, you know, and they're getting paid to do it. But it's just it's a fun podcast to listen to.
Collin 55:13
Okay. Well, that's great. And Ron, I will have that link in the show notes, as well as everything else that we've talked about today. And if you have more that you want to include, please send those over, because this is an information-rich discussion with a lot of different services and softwares and possibilities for us to look into solutions for our business. And because it is such a big topic, and sometimes can be very burdensome or worrying into more specific questions. So Ron, how can people get in touch with you and start asking some questions and start having a more secure business and personal life?
Ron C. 55:50
Yeah, absolutely. Probably the easiest way would just to email me directly. It's Ron at csolutionsit.com. So that's C-S-O-L-U-T-I-O-N-S-I-T dot com. I do have Twitter, I do have Instagram. I never post, I'm much more of a voyeur there. So what else is out there? I mean, I don't have a TikTok, and I don't have a Snapchat. That's pretty much about it. And of course, my website, on my website, csolutionsit.com. I blog posts regularly for topics that are out there all over the place. That just I think that are topics that are current, that might give people some insight on things that they would learn a little bit more about, things that can help their business. So that's a pet blog post, every month, all month long, multiple times a month. So it's a good resource.
Collin 56:45
Awesome. And I really encourage people to go check out those those blogs because it's constantly changing. And there's a lot of information to kind of cipher through and sift through to make sure that we are again, doing those best management practices and, and this conversation was very much a 30,000 Maybe 50,000 foot view and touching on a lot of different points. And, and Ron, I definitely want to have you back on to dive into some of these maybe, you know, very specific topics or, or scenarios as as a business to break into those and understand what we can be doing better. And I've just thoroughly enjoyed this conversation and really appreciate your time and all the information that you've shared today. It's really been a pleasure, Ron.
Ron C. 57:24
Yeah, same here, I'd be happy to visit again. So thank you very much, Collin,
Collin 57:28
As a business owner, you have obligations to the clients to serve to protect and secure their information that they give to you. Whether that's door codes, address or payment information, have good high quality policies in place. Choose good companies to partner with so that you can be 100% certain that their privacy is being maintained. We want to thank our sponsors today, Time to Pet and Pet Perennials, for making today's show possible. And thank you so much. So, so much for listening. We can't tell you enough how much we appreciate you. We hope you have a wonderful rest of your week and we will be back again soon.