Founder's Story - The Real Reason Small Businesses Are the New #1 Target for Hackers | Ep 233 with Scott Alldridge Founder of IP Services
Episode Date: June 18, 2025Scott Alldridge reveals the hidden threats facing modern businesses—and why most founders are wildly unprepared. With two decades leading cybersecurity innovation and a hit book series under his bel...t, Scott explains how hackers are evolving faster than ever, why even small businesses are prime targets, and the crucial steps leaders should take to protect their companies. Key Discussion Points: Why most companies fail in under 10 years—and how Scott stayed relevant for 20+ How cybersecurity threats have evolved since the dot-com era The real reason ransomware attacks are skyrocketing (and how they now have call centers) Why AI is both a powerful defense—and an even scarier threat The #1 myth small businesses believe about cybersecurity Behind the scenes of writing a bestselling IT book series How to apply “zero trust” models and build truly unhackable systems Takeaways: If you think you’re “too small” to get hacked—you’re the ideal target Real cybersecurity isn’t flashy; it’s layered, boring, and critical Assume you’ll be breached—then plan accordingly Selling a bestselling book isn't about becoming an author—it’s about creating an ecosystem Closing Thoughts:Scott's story is a powerful reminder that protecting your business starts before the attack—and that founders who ignore cybersecurity are playing with fire. Whether you're a startup or a global brand, the threats are real. The good news? So are the solutions. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
Transcript
Discussion (0)
So Scott, something that I've noticed that is a very, very hard thing to get in business is to be in business for over 20 years.
I was reading some stats that most companies fail within two years, five years, and it's like 90 something percent of companies do not exist after 10 years.
What has been something that you've done that's been enabling you to be able to be in business over 20 years?
Yeah, well, thanks for having me, Daniel. And yeah, being in business for 20 years, it's actually been a little longer than that.
I was actually kind of a teen entrepreneur when I started 19, my first business. But the big key there is basically being able to reinvent yourself.
And I think that's one of the challenges that's really hard to do. Sometimes we get into norms and we get very hyper-focused and myopic and we really aren't looking at what is the next potential shift in how we deliver service or.
what services we are delivering.
And of course, in technology, it's an ever-changing world out there.
So we were constantly evolving and figuring out how to deliver the next, you know,
kind of the next generation of services.
So that's been a big, big part of the, I say, success quotient, if you will,
for establishing and longevity of 20 years of business plus.
I imagine if you're in a technology-focused business and technology is advancing at a rate,
that's, I don't know if we can even keep up mentally right now. It's so fast. How do you stay
at the front and at the forefront? I mean, you went through like the dot com era all the way to now.
Yeah, the internet was just becoming a thing when we first launched into some software,
software retail stores, that kind of thing way back in the day. But the idea they're staying up on
stuff is first off when you've kind of lived in the space and it really is your career and it's what
you do. It is a little easier to, you know, assimilate new information, be able to take it in,
understand it. We live in a world of acronyms like a lot of industries. So it's not quite as
difficult to stay up on stuff if you live in it every day for years and years. However, with that
said, yeah, constant research, constant looking for kind of, you know, working with organizations
that do research that we partnered with. I have a little sister division that's called the IT
Process Institute. So we do some research and development, really research benchmarking and
prescriptive guidance, which is a little bit where the books and the thought leadership comes
from. So that helps us stay at the forefront, kind of at the tip, if you will, what is the
latest technology landscape, digital transformation, how are you ready for it? And of course,
in today's world, it's all about cybersecurity and artificial intelligence. So how are you seeing
the coming together now more mainstream? Because I'm sure it's been that way for a while, but it's
becoming more and more mainstream and now you have gen AI and stuff. And I'm sure there's so many
cybersecurity threats that are happening. How are you looking at AI now cybersecurity, those two things
morphing and merging as what could be a challenge or what could be a benefit? Yeah. So not to
oversimplify it, but it's a little bit back to the antivirus days where we'd get an antivirus
piece of software to keep malware off our machines and it would do a really good job, whatever flavor
you use. There were lots of them out there, semantic, you know, antivirus, et cetera. And then, of course,
they have an update you need to do because they figured out, you know, how to inject new malware
that would go around the anti-malware. And so it became a cat and mouse game. And, you know,
that's a little bit where we're at modern day with, you know, cybersecurity and particularly,
you know, AI. The, you know, AI can be used both for the good and the bad. So the bad actors and
the threat actors are using AI in ways they never have before.
They're getting really smart.
They're able to launch multi, you know, tiers and points of attack that they weren't
capable of doing in the past.
And that is definitely creating challenges in cybersecurity and syn up.
However, we also have the deployment of the proactive AI that's actually looking and defending
in a much faster, higher rate.
So we're kind of back a little bit to the, you know, cat and mouse game chasing each other's
to which one's doing what.
But at the end of the day, good cybersecurity really is not necessarily about the
next shiny toy or the next cool tool or even AI per se, even though we're having to get
better about AI itself because even employing AI for other purposes in your organization can
actually open up cybersecurity threats you may not have even thought about. So that's really
kind of the tip right now of cybersecurity is really how do we know that the AI that we're
introducing into our organizations is secure because everybody's trying to use it to be more
efficient. So long answer, but the short form is, yeah, I think we have to utilize the latest
technologies to keep up with the bad actors, but also understand that there are foundational layers
of security. There's no point-based one thing you can do. It's always layers. We use a, we use a methodology
called zero trust, and there's multiple layers as how we deploy zero trust to protect organization.
I think it's good to have a business that is always changing. I think that, you know, if I look
at what companies have survived
over long periods of time. There's a lot
of companies that have been dying the last few years
and they're not really companies that
had changed or they didn't
adapt. They just kind of continued.
But we're seeing, you know, tech companies
and companies that are adapting
very quickly are the ones that
are continuing to survive like you over
20 years in business.
So you're in business over
20 years and you're in
cybersecurity and for some reason
you're like, I'm going to write this book.
what made you inspired to even write a book and how that was going to play into
entrepreneurship or building your personal brand or whatever you hope to achieve from that book?
Yeah, great question.
The reality is that as I referred to earlier, we really had spun back in the mid-2000s,
kind of the IT Process Institute to really research and benchmark and deliver prescriptive guidance.
There's kind of a lack of that.
It's matured over the years to some degree, but there's still,
In IT, it's kind of like Mike does it one way, Sarah does it another way, what is really the best way, what is the best practice?
And so that's really where we camped with our research and borrowed research and partnered with research to find out that there are some foundational controls, processes and how you do things that really drive high performance in IT management.
Interestingly enough, a lot of that came back to this one study that said that all IT failure, downtime, you know, lack of availability or issues in IT is core.
it says 75%, 80%, between them or between there, depending on which study is correlated to some
unapproved, unauthorized, untested change. So the working thesis became, let's do really good
change management around how we do IT and how we implement changes, where we allow them to
happen. And what we've come to find out more recently is that actually no security breach will
happen without a change or a need for a change. Either I convince somebody by socially engineering them
to become them or hack in or I just brute force hack in and I change something to be able to
siphon data to get personal data, you know, confidential data information, that kind of stuff.
So that's the background and kind of living in that world for many years and that research
and kind of having that insight really kept me thinking about how the earlier books and the core
of what we call IT processes and IT process efficacy, which is the third chapter of my book,
still applies to cybersecurity today.
So I had this kind of brainstorm when noodled on it for a couple of years, spent about eight months
to really author the next version of the Visible Op series of books.
We did one called Visible Op Security like over 10 years ago.
This one's VisibleOps cybersecurity because we didn't call it cybersecurity back then.
And in this particular book, I get into some very specific applications, if you will,
methodologies, zero trust as I referred to before, really giving practical guidance for how small companies and large companies can, at both sizes, right,
smaller enterprise can actually use these methods to seriously increase their cybersecurity posture,
make huge advancements. A lot of the things I refer to are kind of 80, 20 rules, if you will.
20% of the effort can give you 80% of the benefit and protection against the bad actors, the threat actors.
Really enhance your cybersecurity. So that's the background on the book, generally speaking.
You write this book series. You got the series now over 350,000 copies, which is insane. Most people sell like 200 copies.
So to sell six figures of copies is very, very challenging.
What helped you in that time?
Because you're not like a full-time author that's only focused on books.
You got this business and then you have the book and then you have all these things,
you know, supplementing each other.
But what has been helping you in terms of getting your book out there and getting it heard?
Yeah.
And, you know, the IT Process Institute and the series of books,
the visible officers really is somewhere of an altruistic goal,
raise the tide that floats the boats in terms of IT management, best practices,
cybersecurity.
We want to help everybody do better.
And so if they can glean something in the book.
So first off, there's altruistic goal, right?
Just we really want to help businesses across the U.S. and the globe really increase
enhanced against the bad guys.
That's the first goal.
The second part of the book and what's kind of helped it is that it really is part and parcel
to the types of services that we deliver.
We kind of are the living, breathing, visible ops organization.
That's kind of how we deliver our practice and our service around cybersecurity.
So it is, it helps my organization, both internally, my people read and learn from it.
We train in it.
We actually have some online certification training for visible ops.
You can actually have access to.
So there's a lot of things that are around the book that kind of feed off of kind of the ecosystem.
But also we early on had partnered with several vendors, larger vendors, HP, Red Hat,
some of those types of vendors to help us promote the books.
And so they actually would buy thousands of copies of them
and help promote them through conferences
and through different activities that they were doing
to promote their businesses.
Because a lot of the principal concepts
and the principles of the book are really very sympathetic,
you know,
Sympatico, if you will.
They complement the service,
the types of software and services around security,
really gives the research and the backdrop
to promote the type of services.
that those vendors actually provide.
So that's the vendor relationships also help really promote the book as well,
besides, you know, being a part of our business.
And, of course, things at some point take on a little bit of a, if you will, viral.
And so my book just became an Amazon bestseller.
It's starting to get a little viral now.
So we're seeing that activity kick up like we've seen with the other books and
hopefully start to really take off over the next few months.
That's a very unique perspective on, on a book.
As many people, they write a book and they hope it builds their personal brand
because maybe they want to speak.
But the fact that you're taking the book and then leveraging that within the organization
and then also connecting that to other corporations, that's a very unique spin.
When you think about cybersecurity, what right now do you feel are like the biggest threats
that businesses need to know about?
So a couple of things there.
I could talk on and on about this one.
But the first thing I would say is that no business is too small.
The last couple of years, they're going crazy downstream to small organizations, you know, companies that maybe only do 500,000 worth of sales, believe it or not.
So a lot of belief out there is, well, we're just not a target.
We're too small.
They wouldn't want.
They're not interested in us, but they are.
And they'll take five grand, tank grand.
The other thing is that they're highly sophisticated, not only using AI, but ransomware franchises is a real thing.
You can actually sign up for a franchise.
They give you a tool set if you're a smart high schooler with computers.
you try to hack in, you get maybe a little bit into their network.
You can then partner with the franchise.
They'll come in and then they split the proceeds on the ransomware.
It's that sophisticated.
Then when you go to pay, they don't just have you pay some way.
They actually send you their call center, and their call center will take your payment.
They want to convert typically crypto currencies into dollars because they don't want to be traced.
So this is the world we live in.
The threats are everywhere, and they're going way downstream.
One of the first principles we talk about with all companies that we work with is assume
breach because if the bad guys really do want to get in, they generally will find a way to get
in, about 99% chance. That's why we see some of the big corporations that have every tool
deployed and all the experts in the world, and yet they're still getting hacked for millions of
dollars. So the point is we start with a soon breach, which means you have to have backup and
restore and what we call immutability, where your backups are not even connected to your network.
They're privately, securely encrypted and stored so that when the bad guys get in, what they
typically we'll do is not only encrypt your current systems, but they'll find where your backups
are, they'll encrypt those, and then people can't restore, and then you're stuck and you have to
pay. So the first principle, and I'll just give the one, is working on true business continuity,
business disaster recovery, business backup and restore with immutability, air-gapped backups. That's a really
important principle. But there's a couple of things right there. No business is too small. That's the
world we live in now. And every business should have tried and true immutable, separated backups that are
I watched these YouTube videos where these hackers hack into these scam call centers
and then they they actually reverted it back to them.
It's very interesting.
Yeah, I'm shocked and I've listened to these calls and the sophistication I've been,
it's happened to me before.
I thought the same thing like, no, I'm too small.
No one's going to reach out to me and they did.
And it took like a year before I even knew that we were setting money,
the money that's going to the wrong person, not us.
it was a disaster so uh scott i could see that not only corporations other IT companies but even
businesses need to read the book and cyber security might be you know one of the things that
we need to focus on that we are not focused on roy's profitability hiring leadership but many times
business owners are just not focused on these threats but sky if you want to get your book
hopefully there it is the visible ops maybe you saw another half a million
and be great yep uh thank you for the time i really appreciate the uh the interhealty
how could people get the book yeah so uh go my author's website is scott aldridge dot com
s co t a l d r i dgge dot com and from there i've got links to the IT process
institute to ip services my company um but you can order the book right there
through an Amazon link that's there.
You can go to Amazon and just type Invisible Off Cybersecurity.
It'll pop right up.
So Amazon's the best way to really get the book.
Scott, this has been great.
Thanks for sharing today.
I learned something.
I'm going to go back now and see what changes I can make.
And I might need to just read that book, Scott.
I think I need to read it.
I hope everyone who's in the industry gets to read it too.
And we can all feel safer and not keep along these people to continue being a threat to us.
But Scott, this has been great.
and thank you for joining us today on Founder's Story.
Awesome. Thank you.