Proven Podcast - FBI Cyber Expert Saves Your Business - M.K. Palmore

Episode Date: April 1, 2026

Most people think cybersecurity is complicated. MK Palmore disagrees. With 32 years in the federal government, two decades as an FBI special agent, and executive roles at both Google Cloud and Palo A...lto Networks, MK has seen every angle of the threat landscape, and his message is simple: the basics will save you. Charles and MK go deep on what everyday consumers and small business owners are getting dangerously wrong about their digital security, why a data breach can be the last thing a company ever survives, and how the adversary is quite literally banking on your laziness. MK also gets candid about the tools he personally trusts, the privacy myths that need to die, and why doing a few simple things consistently beats any fancy security stack money can buy. Whether you're a solo entrepreneur or running a growing team, this episode is a wake-up call you didn't know you needed, and a practical roadmap to making yourself a much harder target. KEY TAKEAWAYS: Why multi-factor authentication is still the most underused line of defense for consumers and businesses alike How a single data breach can financially and reputationally destroy a small business overnight The truth about privacy tools, what's worth your time, and what's just noise Why consistency, not complexity, is the real foundation of digital security The devices and platforms a former FBI cyber executive actually uses to protect his own data KEY POINTS: 01:20 – The basics most people ignore: MK breaks down the simple steps that make the biggest difference, while Charles connects them to everyday consumer behavior. 07:45 – Inside a data breach: MK walks through how attacks unfold and why SMBs are prime targets, while Charles unpacks the real financial and human cost. 15:30 – The SMB blind spot: MK explains why small businesses underestimate their exposure, while Charles shares why the assumption of being "too small to target" is one of the most dangerous myths in business. 28:10 – Building a security culture: MK lays out what it takes to get a team bought in on cybersecurity, while Charles explores the leadership gap that leaves most companies vulnerable. 45:00 – Privacy tools, myths, and what's actually worth it: MK cuts through the noise on VPNs, incognito mode, and Faraday bags, while Charles weighs in on his own approach to personal data protection. 56:55 – The everyday carry of a cyber expert: MK reveals the exact devices and platforms he relies on, while Charles reconsiders his loyalty to Microsoft.

Transcript
Discussion (0)
Starting point is 00:00:00 Welcome to the proven podcast, where we don't care what you think, only what you can prove. Imagine your data being protected on the same levels of the United States Marine Corps and the FBI. That's what today's guest brings in. MK tells us all about risk assessments, how to protect our data in an ever-evolving world, and how even with AI you can remain safe. The show starts now. All right, everyone, welcome back to the show. MK, I'm really excited to have you here.
Starting point is 00:00:24 Excited to be here. Appreciate it, Charles. So for the four or five people on the planet who actually don't know who you are, Can you kind of give a little bit debrief what you are, what you've done, how you got here? I'm sure there's more than four or five. But M.K. Palmore, I'm a consulting leader of a firm called Apogee Global RMS. My career spans a career in government, 32 years in the U.S. federal government. I'm a U.S. Naval Academy graduate, United States Marine Corps officer.
Starting point is 00:00:51 I then went on from the Marines to spend 22 years in the Federal Bureau of Investigation as a special agent. retired from the FBI as an executive leading the largest cybersecurity team that the FBI has here in FBI, San Francisco. And then I went on to work for two Fortune 500 companies, Palo Alto Networks and a Fortune 5 company, Google Cloud, as essentially a field chief information security officer. So great experience working at the enterprise level and then broke off out on my own in order to support SMBs and the global public sector through Apity Global. So there's a lot to unpack there. And as much as I want to dive right into the intense stuff at the end of the enterprise and the SMB, let's kind of slowly get out there. We know that data is being hacked every day.
Starting point is 00:01:39 We know that we have things that are being, be it WhatsApp or signal or own personal stuff with identity being stolen across the board. The audience always going to ask me, what is the first thing I can do right now? Like, okay, I get it. You've done it on the exceptionally high level. You've done it with the FBI. What is basic stuff that most people get wrong every single day when it comes to their data and the protection of what's going on in the world.
Starting point is 00:01:58 It's the basic stuff. You know, apps will oftentimes come to you with default settings that make them easy for you to utilize. And that ease of use is what the adversary relies upon in order to gain access to your digital footprint and your private information. And so I would ask people to take that extra step. And that extra step is not hard. It just simply means enabling things like multifactor authentication and the applications that they use or the SaaS. applications, the portals for which they gain access to. It doesn't take that much time. People will deride things like SMS as the second factor for authentication, but some authentication is better than
Starting point is 00:02:38 none at all. And so I would encourage people to, yes, utilize SMS if that's the only available resource that you have, but there are a number of authenticator apps out here now that use a higher level of encryption and provide codes for you to gain access to your email or application. and that's probably at a baseline for consumers. One of the best things that you could be doing is just simply doing the basics. Make it harder for an adversary to gain access to your information. And then if you want to take a few extra steps, there are things like monitoring your background, your credit, all of those things.
Starting point is 00:03:16 You can actually set it up in Google so that if your personal results happen to show in Google, they will send you an email saying that your personal results like your address are showing up. on this particular website, and you can go through a process to have that information removed. It's not that hard to do. And again, these are simple things that everyone should be doing in order to reduce their exposure and decrease the risk of their digital privacy being violated. Are there certain apps that you just wouldn't install? This one's too invasive.
Starting point is 00:03:47 We know this is kind of a gatekeeper to things that cause problems. Not for me. So I'm a heavy user of social media, one, because I use it to amplify my business brand. And then once you've exposed yourself to social media, you know, very few of us, me included, have read all of the legal agreements we seem to agree to when we download applications and we allow them to gain access to our digital footprint within our phones.
Starting point is 00:04:15 I think we're giving up quite a bit when we do that. And so there's a push and a poll associated there, pros and cons. You just have to understand that you're giving up some amount. of your privacy and then again, take those minor steps that you can, going into the settings of these applications and then limiting the amount of access that the applications have to the rest of your digital footprint and information. The only other thing I would encourage is that the likes of Google through their Play Store, Apple through their store, go through very exhaustive steps to make sure that developers go through a pretty rigorous process. And that is a
Starting point is 00:04:52 continuously monitor process. The applications, when they drift or fall outside of the regulations of those platforms, they essentially are given warnings and then nearly taken down immediately, essentially if they don't follow the framework for which Apple and Google established for being able to use applications or deploy applications on their platform. So I would say for the most part, try as best you can to use those. You know, if you're using a Android device, the Google Play Store is where you want to get your applications. If you're using an iOS device, obviously the Apple stores where you want to get your applications. Try and avoid downloading applications from sites that you're directed to because those applications may not necessarily have been embedded.
Starting point is 00:05:38 Gotcha. And then there are things out there that, you know, they scrubbed in that. They look for saying there's these softwares or this extra layer that people do. Things like whatever incognito or things of that nature. Is that something you would recommend on the consumer level? Is that just overkill? Not necessarily. It depends on what kind of footprint you want to have.
Starting point is 00:05:58 Some people may need to go to several extra steps in order to create a different persona for themselves. Maybe you as a business owner want to create a purely business persona of yourself, which means you have to be very diligent about which browser you're going to use that identity with, what information that you ultimately are going to put into the browser that's going to tie back to your business. business, is that going to tie back to a physical location for you? So you have to, you have to be diligent. I think the problem that, you know, establishing those kinds of parameters and barriers for yourself isn't hard. The hard part is the consistency of use of actually doing it every time that you use a particular application or every time that you're doing business for your company to only use a particular browser and to ward off the temptation to say, well, you know, I'm out and about and I've got my iPad with me.
Starting point is 00:06:51 Maybe I'll just use this to access that account that I normally only access via my safe desktop computer. So you just have to be consistent, diligent about the process, and it can be very hard. But there are ways, programs, applications, and things that can help you with that consistency. It just depends on how much you want to layer your own privacy and protection. Yeah, growing up, I was a Microsoft certified trainer and we built IT structures. What we did was instead of worrying about it forward front on the machine, we put our personal stuff into a trust. So anything I own privately is hidden inside a trust. It's based out of the Cook Islands.
Starting point is 00:07:25 It's good luck trying to penetrate that. It's different phone numbers, different addresses. I am the poorest person on the planet if you look at my actual numbers. There's whatever's in my wallet is all the money. I have. Everything else is inside trust. It's inside protected environments. That's what we did because I knew I couldn't compete against what was happening on the computers, which is obviously this is a very different method when we get into business environments. When we talk about this thing's business we're about to do, you don't have some of the luxuries of that. understand how the data breaches can happen. So to talk about that when we get into the SMB world, when we get into small businesses, I don't think the consumer truly understands
Starting point is 00:07:59 how devastating a breach is. Could you kind of walk us through how absolutely catastrophic could you be when someone does have a data breach? Yeah, let's look at the relative size of organizations, enterprises that, you know, have thousands of people, thousands of digital resources are able to issue out devices to folks, provision those. devices, they take very, very deep steps in terms of ensuring that their digital environment is protected. The SMB space may not be as well resourced, but guess what? They have to operate at exactly the same level as the big folks on the block because from the vantage point of the adversary, they really don't care how big or small you are. What they care about is whether or not
Starting point is 00:08:43 there's an exploit available that will allow them to gain access. And if you fall prey to whatever channel or methodology that they choose to use the avenue of attack or approach, it's a win for them, because access to the information is the first step for success for them. And then once they've obtained the information, there are a myriad of things that they can do with the digital information of any one particular individual, much less a large-scale business. And so think about those resources in terms of the requirement to respond. There are laws on the books. If you suffer a breach, you have to notify all of the individuals for whom you have digital records for. That's the first step. Even just that notification can be troublesome and a challenge for organizations
Starting point is 00:09:30 that aren't prepared for it. Then, guess what? You're likely opening yourself up to some level of liability. So hopefully you've gone through the process of doing a risk posture assessment. Hopefully you have cyber insurance and you're actually able to pull in resources that will allow you to both respond from a digital forensics standpoint. In other words, you respond through your insurance carrier. They likely have one staff or a panel organizations that can help you from a digital standpoint, write the ship, so to speak, get your technical organization back in order. But then there's all of the follow-on activity that has to happen. And there are costs associated with that. We have leveled out now somewhere between three to five million dollars is the on average cost of a
Starting point is 00:10:17 digital breach. And that's been pretty consistent for a number of years. And that number may not sound big, but at the same time, again, for a small to medium sized business, could you rebound or recover from a $3 million hit to your business? The short answer to that, I'm sure, for most small businesses is no. And we have seen historically breach. that have gone as high as $270 to $300 million paid and used to mitigate the effects of a breacher impact on a business or organization. And so because of that wide range, the last thing you want to do is leave yourself open to potential victimization by an adversary because the damage that they do is so devastating to organizations that sometimes the financial component associated with it
Starting point is 00:11:10 makes it unrecoverable from a business standpoint. And we want businesses to thrive. We want you to get out there and get your wares and your products and things out there to the consumer marketplace. My proposition is that nearly every business today is a digital business. And so taking time to understand what your digital footprint looks like and making sure that you secure your footprint is just a part of business operations today. And that's part of the reason that we're in business. Well, I think one of the things that doesn't get talked about enough is a reputation as well. When you have to reach out to your client base and say, hey, congratulations, I've had a data breach. This is one of the reasons I left my cell phone company. They were breached. The first time I was
Starting point is 00:11:51 like, fine, it's a lot of work. Second time they got breach, I left. And I was like, we're done, we're leaving. So I think there's that reputation hit that even if you do find a way to mitigate, hey, I've protected you from this one. It's kind of like the first time someone ever cheats on you. You're never going to trust them again, no matter what you do for the rest of your life. There's always going to be that issue. There were things that you went over that most fall business owners have never heard of it before. They're like assessment insurance. What are you talking about? They're going to be like, what? I'm just trying to sell my widgets, dude. What are you doing? So let's try and get some of these people up to date on what are these assessments? What is cyber
Starting point is 00:12:25 insurance? Because a lot of things you went over because, again, this is, you come from a world where it was literally life and death. It's just, that's your world. You keep people alive. For these people, yes, it might be life and death of your organization, but they've never heard. heard of any of this because most of them are just struggling through day to day. Because you and I both know, to get to the 10 million, you could do it for brute force. It just means that you're probably not thinking about all these other things in the back end. Exactly. What are these assessments and what are these insurances that they're running into?
Starting point is 00:12:52 What does that entail? How long does it take? Let's start at the top of the pyramid. Risk management is a discipline that essentially came to fruition because businesses realized that not everyone has unlimited resources. In fact, no business will have unlimited resources. It requires you to prioritize how it is that you devote those resources to business operations, sustainability, and resilience.
Starting point is 00:13:17 Cyber has grown to be part of the risk management profile, and I would proffer to anyone that's listening that your cybersecurity is in all likelihood a critical component, and by critical, I mean it's a path to failure for your entire business operation if you are not taking steps. to reduce the risk or potential exposure by adversarial activities to your enterprise. And so starting at the top of that pyramid, every business should be conducting a risk assessment to determine what their digital exposure is. In other words, have we done the right things in order to mitigate, not completely remove, because that is impossible, but to mitigate the possibility of a cyber attack having a devastating or critical impact on our business. And notice that
Starting point is 00:14:05 I did not say completely exclude the possibility of having an attack happen. Because part of the challenge in our industry is that we have to get folks over the hump of bad things are going to happen to you from a business standpoint, maybe even bad things in your digital environment. What we try and do as an organization is help businesses understand that resilience is the key. We want to help you understand, okay, things are going to happen, but we're going to take steps to make sure we reduce the possibility of that happening, but the work that we do is about resilience. How quickly can we get you from that point of failure back to full business operations
Starting point is 00:14:43 and then help you fully recover so that the impact, the blast radius of that is extremely limited and it's actually manageable and something that you can deal with? And that exercise contains a myriad of things. And the assessment is merely one of the many things that you should be doing. Cyber insurance is is another thing. You know, businesses, I think, especially if you're operating probably, if you're doing five to 10 million in revenue per year, even I would say even go as low as the million to three million more. If you're doing a million plus in revenue, you should have some kind of liability insurance
Starting point is 00:15:20 in place to ensure that you can recover digitally from a potential attack. Again, adversaries don't care how big or small you are. They care about the probability of their exploit landing and in the intended victim actually being put in a position where they have to make decisions. I'm sure we can get into a conversation about ransomware, which is one of the most malicious types of attacks that you can be victimized by. Because there's so much out there on the landscape that you have to be cognizant of taking these steps in a risk management review, a risk assessment review are prejudicial essentially to business. operations. And I would proffer, again, if you're in the zone of a million plus in revenue, and certainly if you're in the neighborhood of 10 million plus, you should annually be doing some kind of assessment to ensure that you've taken the steps cyber insurance. Your digital
Starting point is 00:16:17 environment is orchestrated and constructed in a way that makes it difficult for an adversary to get done what they need to get done. And that doesn't even get you to the compliance and things or the regulatory aspects of adhering to particular vertical compliances, say, financial services, healthcare and other industries that have particular baselines that make it increasingly more difficult to obtain those certifications and to be able to operate. But it's all sort of this big, I won't call it a mess, but it's this big masala of things that you should be thinking about and our businesses to help organizations think about these things in a way that's constructive and substantive and puts them in a position so that they can reduce risk to the overall enterprise.
Starting point is 00:17:04 Most people think that, hey, I'm going to buy a new router or pop a new VPN on and I'm good to go. That's about the equivalent of throwing a mosquito in front of a semi-truck trying to stop it. It's not going to do a heck of a lot. When you talk about these assessments and when you do it specifically with your clients, where do you start? You start with the people. Do you start with the hardware? What does that look like and how long does an assessment take? So one of the things that we've done as an industry is that we've gotten pretty good at establishing frameworks that will guide folks through the process of evaluating themselves.
Starting point is 00:17:38 These frameworks, some established by NIST, the National Institute of Science and Technology, other frameworks established, say, by the Center for Internet Security, the Critical Controls. These frameworks are pretty good. They provide a great amount of oversight and advice. The difficulty is walking through the frameworks and actually answering the questions and aligning your operations to the guidance that's provided by the frameworks. And that is what we do. We select the framework that's appropriate for your level of business or the vertical that you happen to be operating in. And we walk through the hundreds of questions and steps associated with them. And in an honest exchange, providing both documentation and verbal answers, we essentially walk you through the process to make a determination as to what
Starting point is 00:18:26 your digital footprint looks like. And then once you have that in hand with some curated advice that we then pour into it, we help you prioritize the gaps, vulnerabilities, and figure out exactly what your current posture is, we help you create a roadmap that essentially will allow you then to take steps to reduce the overall risk in a systemic way, instead of just saying, hey, let's go get some name brand firewall or router and implement it into the system and assume that everything is okay. And I can't tell you the number of times I've gone into conversations with even folks in my lane, the technical personnel. And instead of talking strategy, they want to talk about products. And we are product agnostic, thankfully. And we have a litany of partners that we partner with in our
Starting point is 00:19:18 organization, but we want to be in a position to be able to meet the customer where they are. So our solution base is immense and extensive, and I want to be able to identify exactly which solution is right for that particular customer, and that means that I can't just align myself to a particular product, because some are great and do exactly what they're supposed to do, but not all of them. And you may have already made technical investments that, prohibit you from actually getting the benefit of maybe the name brand product that might be part of the solution set. So maybe there's an alternative that gets you partway down the road and get you to where you need to be. And we want to be in a position to make that kind of advice.
Starting point is 00:20:02 So I like that it's not dictated by the product. So the router that you bought 30 years ago, the blue and black one that's sitting in the corner is probably not going to save your tuchus. But sitting down and breaking down, you know exactly what I'm talking about. When you talk about it, the framework, most people who are, doing this, especially SMBs, they have no idea what an IT framework. They don't have a protection plan framework. They don't understand when you say, hey, the framework matters more than the product. I think conceptually they'll get that. But when you say, hey, there's a framework that we have to do that you might as well be speaking Sanskrit to them. What do you mean when you talk
Starting point is 00:20:36 about a security posture that's based off a framework? What does that mean? So the technology industry through government identification and partnerships with civilian organizations have created essentially best practices that any organization can follow to ensure that they are taking all of the necessary steps that an organization can take to protect itself. That is a very, very oversimplified way of saying, are you doing all of the right things that you can do as an organization? That sounds pretty simple, but the challenge is that as organizations grow, scale, and expand, every business wants to increase revenue.
Starting point is 00:21:14 They want to increase the exposure of their product or their services across the market. And guess what that means in today's language? That means that their digital footprint is likely changing and evolving exponentially, especially if you're a global firm and you have services or products that you want to deliver globally. Guess what? You have third parties that are part of your ecosystem, part of your channel that are connected to your digital footprint. There are enough historical examples of breaches of using third parties. suppliers, that now we understand that not only are you responsible for your digital footprint,
Starting point is 00:21:50 you're responsible for everything that you are connected to. And that can get to be really, really challenging. And oftentimes, because your technical staff on hand is just dealing with the day-to-day, the tyranny of the now, it is helpful to bring in external advisors who can take a step back and give you that outside-in perspective that you desperately need so that you can then action on behalf of your organization, the things that need to be prioritized and get done. And so what it means is it's not that these organizations aren't capable of doing these things themselves. They just don't have the time, capacity, or resources to do it. They are concentrating on running the business, getting the business to the point where it's profitable and doing all the things they need to do to satisfy their customers.
Starting point is 00:22:37 And the truth of the matter is that investments in security still to this day are oftentimes deep. prioritize, and especially in SMB environments, I can't tell you the number of times I come across, quote unquote, the security team of three people for a multi-million dollar business. And the security team is three people and they're expected to do everything, the governance risk of risk and compliance. They're expected to be the IT backbone of the organization. They are also expected to be the security of the organization. And while these people may be immensely competent, there is no way that they can operate at both the strategic and tactical level without the appropriate help or resources to do that. And oftentimes the security teams are some of the most under-resourced teams
Starting point is 00:23:26 within a business. We're talking about technology is the critical factor that's going to keep you in business. And the fact that we don't spend more money, more time, more resources on security still to this day amazes me. And again, that's part of the reason why I established Apogee. I want to get in a help organization, scale that problem. Right. The problem is IT has never seen as a profit center, even though we are the backbone of it, we're just not a profit center. So when we come into it, and a lot of issues that we have in this environment is most
Starting point is 00:23:58 IT guys don't speak human. It's a completely different conversation. We speak geek. We're going to sit down and we're going to break things out. We're going to get all excited about it. And the other person, it's kind of like having your accountant talk to marketing. They don't speak the same language. The accountant in the marketing team do not speak to it.
Starting point is 00:24:13 They never have, they never will. So I'm trying in this one, when we talk about framework, because most of the people are listening to this are small business owners, they're going, what the hell is an assessment framework? What does that even mean? Do I, do I give my blood type? Do you need my sperm count? Do you give me the model of my computers?
Starting point is 00:24:28 Like, where am I? Because I'm trying to break it down so they can understand that. So when we talk about framework and an assessment framework, how long does it take? What does it include? Are we, how do we trust the person coming in? What do they take away with them? Are they there on site?
Starting point is 00:24:43 What does that look like? So starting with the last part of what you're saying. So every engagement has NDAs associated with it. You basically are an extended arm of the company operating on their behalf when you engage in a consulting agreement. The information provided belongs to the company that is providing it always and it is maintained and retains the property value of the information or access that's provided. That framework, that assessment essentially is a step-by-step process of analyzing through question and interrogation and document collection, what steps you have already taken to secure your applications, to secure your identity measures within the environment, to ensure that you are patching on a regular basis, the technology. Patching is a way of identifying and changing vulnerabilities or gaps that may be inherent on the hard tools that you're using or even the cloud-based tools that you're using. Every digital cycle is dominated by multiple domains within the technology spectrum for which cybersecurity, again, has its own domains.
Starting point is 00:25:58 And an assessment will essentially walk you through in a step-by-step process, whether or not you have, done or adhere to the principles of that particular domain. And it's not just simply a yes or no. You want to give companies credit for the amount of effort that they've put into some areas. It works on a gradient. Maybe you've knocked it out in the park. So yes, that's a complete full fulfillment of that particular aspect of, say, identity management. But maybe you've done a little bit, but didn't do quite enough to get a four-star rating on that particular question. You get credit for what you have done, we identify the gap between where you are and what excellent looks like and then tell you, here are the things that you need to do to get to excellent in this particular
Starting point is 00:26:44 category. So as you're going through all of these and you're working through a team, what are some of the issues that you run into with people who haven't done this? When you walked in, you're like, okay, we did the assessment. You're crushing it over here, but good God, this is dangerous over here. What does that look like? What it looks like is, again, a resource challenge. because the teams are underinvested and small, you get a lot of nods. You know, folks saying, yeah, we're kind of doing that. Or yes, we've taken steps to do that. And then when you'd ask the natural follow-on question, have you documented that somewhere?
Starting point is 00:27:18 You always get either the blank stare or it's in draft. You know, we were going to get to that. But they haven't prioritized it. And so what that looks like in practical terms is what you find is that most businesses are doing some things related to their security posture, but they're not doing all of the things that they could be doing. And that, again, is where an outsider's view coming in and giving you that unvarnished opinion on where you are can be immensely helpful. And it's not that the internal people, again, don't understand it or are going to give you misinformation.
Starting point is 00:28:03 They may just not, they give themselves credit in areas where maybe credit is not quite due by simply saying, hey, we got that covered. And that's probably the worst expression that you can hear. If one of your technologists tells you, if their answer to everything is we've got that covered, you probably should be digging a bit deeper because that simple answer is not enough. And you touched on something that's super, super important, this language that technologists use when communicating business concerns. is the area of risk. And if technologists are not talking in business language and the language of risk, believe me, the folks, the stakeholders on the other side of that conversation do not understand
Starting point is 00:28:45 a word that you're saying. Oftentimes, even if they've come from technology backgrounds themselves, once you are in that operating circle where everything is about risk, risk exposure, risk mitigation, that is what needs to be communicated to the C-suite and the board of director so that you then enable them to make a decision about where they're going to prioritize the resources of the company. You mentioned that they don't speak the same way. I've never heard this word document before. I have no idea what you're talking as an IT die. We don't document anything. It's bad. We just don't have time. We're like, we're trying to just keep things operational and you want me to sit down and do that what I did. I'm like, you're out of your mind. Yeah, we just don't have the bandwidth to do it.
Starting point is 00:29:28 So that's, and that's someone I've done IT for longer than I'd like to admit. I can't remember. I remember the first time I had to sit down and write a white paper out. I was like, what the heck are you talking about? At the time I was advising, I was working with Microsoft. They're like, you want me to document all this? I'm like, I've got fires to put out. I'm like, I've got to deal with Susie who hasn't remembered her password for the 19th time today.
Starting point is 00:29:49 And you want me to sit, we just don't have that. So that is what it is. When we talk about risks, what is a real risk? Give me a real example of a data breach that calls. some real problems that you had to come in and you had to save. Let's talk about ransomware because ransomware to me is not only one of the most malicious types of victimizations and experiences that an organization can have. It's pretty insidious when you think about it, that an adversary uses a normal channel
Starting point is 00:30:21 of exploitation, which is typically email. And let's take note of that. still to this day, 26, email is still the best avenue of attack for an adversary because it's the highest probability of access by malicious links, other information that then drives users to maybe watering holes where they go to a malicious website. There aren't enough protections enabled throughout the enterprise on the browser and say, you know, John from your enterprise is actually able to go to a malicious site, clicks on some link that says, hey, here. a report that's dealing with your industry download and read the report. PDF, right? What could be
Starting point is 00:31:01 wrong with a PDF? Downloads the report and the next thing you know, the actor, the threat actor, has access to the environment. Ransomware and the way that it works is it then, a couple of things, it could sit on a time hack. In other words, sitting and waiting for a particular period of time to be exploited or it could get to work immediately, basically attempting to find route access or ground access to a system or environment and then slowly begins to encrypt important files that essentially it's been designated to encrypt that ultimately will cripple the organization. And there have been thousands of victims worldwide of ransomware incidents. And when I say malicious, I think it's malicious to take someone's own information and then make
Starting point is 00:31:51 it unusable to them or not have the ability to access that. information. We say that you'll use the term encrypted, which means it's garbled in a mathematical fashion that then makes it unreadable or unusable. And the mathematical key that's necessary to unlock the information and return it to you often requires you to pay money or some of money through Bitcoin or some other cryptocurrency in order to be able to gain access to the stuff that you already own. So pretty malicious. And there are certain business verticals that still are and prey to this. Healthcare jumps to mine as a particularly vulnerable vertical that's still, especially small regional health care entities that haven't taken the steps to identify where
Starting point is 00:32:37 their gaps in vulnerabilities are, relying very heavily on technology. If folks are paying attention, you know, the healthcare space relies as much on technology today as any vertical, which means they should be investing in security and technology. The thing about ransomware is that they're are a couple of different types of ransomware adversaries out there. There are individuals who may have bought an exploit or a ransomware kit off of the dark web and are just going to town on their own using it, setting up their digital wallets and collecting money for ransom. But there are also ransomware gangs in the organized crime realm. You could find yourself the victim of a ransomware answer to that. And they might just provide you an international phone number to call
Starting point is 00:33:24 so that you can get help with your ransomware incident and they will walk you through the process of providing them money so that they can potentially provide you the decryption key for your own information. And I say potentially because there is something nowadays called, you know, sort of the double impact of ransomware. They're now threatening to release your data or information. So there's double payments associated with it. And there are known instances of where the ransom has been paid and they have still never provided the decryption keys, which means you have to start from zero if you haven't taken the steps from a resilience fashion to make sure that you have backups that are immutable and protected and can't be hit by a potential adversarial activity. So there's a lot involved just in that short conversation.
Starting point is 00:34:22 I barely touched on some of the areas that you could go very, very deep on. But the assessments that we provide would have essentially determined whether or not you had taken the steps necessary to buttress a potential attack like that. Or, as I like to say, again, limited the blast area so that you can rebound and recover from a potential attack like that. And you won't know that unless you have actually gone through the steps of a risk assessment and made those determinations. please do not just take the nod from the IT guy who says, yeah, we're good to go. We can recover from that. That's not a good answer for the board of directors for a company.
Starting point is 00:35:03 I think there's so many important things you just said where we talk about that there's a time delay. Now, for those of you who are playing at home who don't know IT, the time delay matters because our default reaction as IT guys is like, oh, we'll just restore the backup. We got breached five days ago. It's five days of data loss. It's not the end of the world. We'll just restore it back then because we keep back.
Starting point is 00:35:21 that are six months old. The problem is, let's say your hack happened to you five months ago. And again, well, we'd have backups that date back a year. Congratulations, you just lost a year of data. Can you survive that? And they're like, wait, what? So that's why we have time delays in the situation. And people are like, oh, my God, I'm not, I'm not ready for that.
Starting point is 00:35:40 What do I, well, how long should my backups be? It's not a question of how long your backup should be in that environment. I think it's more of the question of, have you done the assessment? How have you done the things to protect yourself? because one of the tests we, and again, this is 20 years ago, we would send emails to people like, hey, here's a PDF. We would spoof the email. In other words, make it seem like it's coming from your internal department.
Starting point is 00:36:00 Write it to you. Click this link for this meeting we have coming up later today. And then just see how many people click the link. And the majority of people click the link. And my favorite was when the C level, when the C suites, they would click the link. They're like, oh my God, I can't believe Susie from HR did that. She's stupid. Really, sir, CTO?
Starting point is 00:36:18 You clicked on it too. And they're like, oh, I'm like, yeah, you're an idiot as well. So the problem isn't every, it's universal. It's just in the process of our day, we're just so used to this clicking and firing. And this is why, again, to your point, your three or four guys that are elite, unbelievable individuals who are running your IT organization, you can't, this isn't 300. You can't expect 300 guys to stop the entire army that's coming at you.
Starting point is 00:36:42 You got to get them in sources. You've got to get them hell. Now, I want to talk about the introduction of AI. Now, AI, we already know, doesn't mean. artificial intelligence. We already know it means always incorrect. We're still using it and we're still uploading vast amounts of information into it, which is an absolute nightmare from a security part to us.
Starting point is 00:37:01 It's a nightmare. What do you tell the organizations you're working with? They're like, hey, yeah, I know you want to work with open, you know, open claw or you want to work with Claude or you want to put Codex or you work with Manis and they're like, hey, why don't you just walk outside naked? What do you tell the people in that environment to protect them who are? because we're becoming an AI first world. We weren't in that first world.
Starting point is 00:37:21 Now we're an AI first world. How do you protect them in that environment? There's a couple of different things that we do. One, I've assembled a partner network that has a variety of solutions that meet customers' needs as it relates to the adoption and implementation of artificial intelligence in the business environment. And I've aligned myself with these potential technology providers because I love their technology and it does what it is that they claim it's able to do. That's part of the challenge.
Starting point is 00:37:51 We, from a standpoint of making sure that there's a knowledge transferer, that we acquaint our client with the challenges they may be facing and using AI, have built a internal process that will allow them to take the steps in a diligent fashion and make sure that they aren't just simply opening the gates and allowing their employees essentially to give up the companies, goods through the use of these tools. It requires a lot of diligence. It requires companies to take steps like creating a change committee or an artificial intelligence committee for which they do in evaluation of the potential impact of these solutions on business operations. In other words,
Starting point is 00:38:33 each business leader might have to contribute what kinds of information they intended put into this system and then what their expectations are for what kind of access the bots, agents, other aspects of AI will have throughout the enterprise. All of that needs to be governed in a governance risk and compliance fashion. And it requires you to stand up committees. And yes, take very, very diligent steps that will allow you to assess whether or not a particular solution can be helpful, but then implementing it in a fashion that is safe and secure and then ultimately helpful to business operations. And so it requires you to think about it. It's not just a matter of going to the site signing up and just assuming that that technology provider is is going to provide you all
Starting point is 00:39:20 of the security measures and default settings that you need in order to protect your enterprise. You have to take extra steps. And that is thinking through those extra steps is what we do as an organization. We help organizations identify how they think through those steps. We bring experts to the table who can explain the risk associated with any one particular solution and give them a general approach that will allow them to reduce. the opportunity of any particular adversary to exploit their system and or just make bad use of AI. There are gaps in the use of artificial intelligence. I heard some interesting stories recently
Starting point is 00:39:58 about AI or large language models that have been given, you know, widespread access to enterprise information. And in doing that, because they only understand, you know, language props have gone out into areas and retrieved information and presented it to users. And that user didn't have access to that particular information from their role-based access within the company, but the bot had access to it and provided the information. These are all challenges that are fixable, but they're only fixable if you are taking the preemptive steps necessary to make sure that you're protecting your digital information wherever it may reside. I think
Starting point is 00:40:40 assuming that whoever you're working with, whatever software it is that's trying to protect you, it's not doing that. It's evolving too fast. And the best example I can give of this is, for those of you playing home, I created, I had a box that had none of my personal information in it, and I created a VM board. I created a little virtual machine
Starting point is 00:40:56 inside my box. I then loaded a version of that inside called OpenClaw. And I wanted to see, I'm like, I'm going to give me the resources, it has none of my personal information, and I watched it. OpenClaw figured out that it was is inside a VM and inside a virtual machine. And then it was like, huh, I need more resources.
Starting point is 00:41:14 It then penetrated out of the sandbox to try and get more resources from my parent OS. And I was like, okay, no, we're done. I'm going the whole OS out. I was like, we're done. I've never seen anybody do that before. I'm like, I don't want to play anymore. Goodbye. But I'd never seen, and it wasn't doing it at the time, minuscelessly, but I've never seen
Starting point is 00:41:31 a piece of software break out of a VM and then go out at the parent OS. I was like, what that? How is that? Yeah. I'm starting to hear more stories like that because it's interesting. You know, computers and technology does what we tell it to do. And if you tell it to do a task, it then assumes that it has to complete that task. Yes. And it has all of the variable things available to them to include what might be considered malicious behavior to achieve the task that you've given it. And so these are important elements that we need to be thinking about. I heard a very similar story in the context of, um, RSA that occurred this week in San Francisco of an AI agent essentially executing a exploitation in order to gain access to information to satisfy the original task that it was given, which is crazy to me. But guess what?
Starting point is 00:42:24 It makes sense. You told it to do that. And it thinks that it has all of these things available to it. You didn't tell it that there were boundaries. And these are things that we're going to have to learn as humans that oftentimes not only do we have to give it a task, but maybe we have to give it the limitations for which they can execute that task. Right. I tell people all the time, AI is a tabber at this point. If you're like, hey, I need you go build a kitchen and it needs wood. It will tear down the rest of the house to get the wood for
Starting point is 00:42:51 that rest of that kitchen. Because it doesn't understand, oh, you didn't need the rest. Oh, you need the rest of the house. You just told me to build a kitchen. I knew there was wood somewhere. I went and found wood. You're like, whoa, stop. The next problem you run into, and I don't think people understand and it's really on a tech level, as much as we picked on tech guys, the opposite occurs as well. When we IT guys show up and you don't understand what we're talking about and we're really dorky, the culture has to change in your org. We're like, listen, these are your vulnerabilities.
Starting point is 00:43:18 We did this assessment. These are the problems. There's only so much we can do. Here you go. This is going to happen. And then your C-suite or your SMB or whatever it is. It's like, dude, I got to get these widgets out the door. I don't, you have to have a culture change.
Starting point is 00:43:33 When you run into that for your clients, how do you pivot the entire culture to get them to understand? This is part of the reason that we operate across multiple variables of the risk spectrum. So we are an enterprise risk company in terms of our advisory work. I believe in my heart that no single solution like a digital widget is going to solve the problem that you're actually needing to solve. And so when I think about people processing technology, which is sort of the consulting, mantra, we do all three. We come in and we may, we may help you identify the digital solution that's helpful to you. And then you may come back to us and say, well, I'm still short on people. Well,
Starting point is 00:44:16 guess what? We have interim resources. We can add to the solution so that you can have a period of having folks that have the expertise available to them to ride along with you to help the company continue to grow. And then you can take the time to plan how you're going to hire a permanent person to do the job that this interim person is doing. And they're doing it in an excellent manner. And maybe the solution is for some limited period of time to have it be that adjunct person, or fractional, as we like to call in our industry, be the person that's going to ride along with you for that phase of your growth and development. You will get to a point where, yeah, you want to hire someone permanently. And that's where we also come in with, okay, now that we've provided the
Starting point is 00:45:02 fractional technology talent to help you grow and scale to a new phase of your company's operations. Now we're going to go out on the field through our broad network and actually help you identify who's the right person to do a longer-term engagement here, multi-year, maybe even become part of your FTE workforce, and give you that person. And guess what? We've been on part of the journey with you up to that point. So we now understand the company culture, what's going to work best, not just from a skill set standpoint, but who's going to be a good fit for your organization, for the next phase that you're moving into.
Starting point is 00:45:39 And so we want to be supportive across that entire people, process, and technology cycle. So I want to dissect this model a little bit more. So when I was doing this, again, a while ago, we were what was known as an MSP, which is a managed service provider. We would come in and we would provide small and medium companies' IT departments.
Starting point is 00:45:57 And it was really simple. It's like, you can pay this guy, 120k a year or you can pay me two grand a month, which is like $24,000. And we're going to do 90% of what you need. You don't need that full-time person at $180,000, $200,000 a year because most of the time in IT, we're going to just be surfing the internet and goof it off because things don't break every 37 seconds. So just let's be honest. So you don't need someone full time. I think what you need is you need that elite level of support. You need that elite level of experience that comes in and says, okay, I'm going to do what's going to take somebody else who has no idea.
Starting point is 00:46:32 I'm going to do it about an hour. I got this. Here it is. This is what you need to do. Now, you have to figure your culture out and you have to do all that. We're going to advise you. But I think most small businesses are like, you know, they hear MK and they're like, Jesus Christ, this isn't going to cost me a half a million dollars.
Starting point is 00:46:44 I'm not going to be, oh, my God, and they freak out. Like, whoa, this is fractional. The model's important to come in and say, listen, here's an expert. We're going to sit with you. But I don't think, and correct me if I'm wrong, my experience with this is it's not a problem of we doing, us doing the assessment and us giving you the expertise. It's you now sitting down and pivoting your culture. And this is where if someone who's got the experience can say, okay, we just found out we're exceptionally vulnerable. Now, you're not going to give it to your C-level CEO who's
Starting point is 00:47:12 never logged into anything other than their Gmail. You're going to have to have someone hold their hand. But it doesn't have to be those cost prohibitive thing in the world. Is that kind of the same model you guys are still using or have I just outdated myself at this point? No, no. It's the model we're using, but maybe I'm taking even an extra step to explain it. Let's just use some notional figures and a notional scenario. Say you determine as an organization that you're ready. We need to hire a security executive to champion our security expertise and the things that we need to be doing from a security standpoint. Guess what? Security persons with deep experience and knowledge, like myself, come at a high price for permanent personnel. I did pretty well. I did. I did.
Starting point is 00:47:57 pretty well working for a couple of Fortune 500 companies here in Silicon Valley. And so even at the SMB level, you want that level of expertise, but you're not ready to pay the same amount that, you know, the likes of Google or Palo Alto Networks is going to pay. So why not hire a fractional person that you can get at essentially a fourth of the price and still get the expertise and level of engagement that you need? And you get to go through a period of evaluation. quite frankly, to determine if they can do the job. Because oftentimes what happens is that they make these high dollar value hires, and the person doesn't even work out.
Starting point is 00:48:36 And so they've essentially wasted time. Here's the other component I'll tell you that I think is fascinating. You hire a CSO, and let's just use a CSO because that's sort of the go-to persona, if you will, for technical expertise at the C-suite level. You hire a CSO, they are immediately going to want to build a team. So you aren't just hiring one executive. You're hiring an executive who then is going to build a roadmap to building a team that's capable of executing because I don't care, even the most technically minded CISO doesn't want to be the person actually developing and shipping security within the enterprise.
Starting point is 00:49:17 They want to be spending time on the strategic measures. So they're going to go out and hire that great security engineer that they worked with at company X. They're going to go out and I'd identify that person at GRC that they worked with a few years back who was just excellent at documenting process and making sure that the team stayed on point in terms of policies, procedures, and keeping all of that stuff updated. And before you know it, you've got, you know, your one person higher has ballooned into a 50, 60 person team that cost an immense amount of money for talent. again, for a fourth of that, you can have an expert team come in, operate in a fractional capacity, and then help you in a slow, mature fashion, identify the long-term resources that you're going to need.
Starting point is 00:50:05 Or, quite frankly, maybe you determine that the fractional model, which is becoming super relevant today, I can't tell you the number of technologists I know that are on the bench by choice, because they would rather operate fractionally rather than do long-term projects. They want to take their expertise and go from project to project because they don't want to work for a large-scale enterprise as a permanent person because they like the freedom associated with, hey, I got expertise. And like you said, what might take you 10 hours to do? Because I have the expertise, I can come in and do it in an hour and a half.
Starting point is 00:50:40 And it's done in an enterprise level fashion. And then guess what? I have the rest of that time available to me to go do other projects or do something else that I intend to do. In my case, I get to go run the other aspects of a business, which means that the fractional experience and engagement that I need in order to get that customer to where they need to be, I can parse that out and give that to 10 companies at one time as opposed to one company at a time. I agree a thousand percent. And I've said this again 20 years ago. You do not need a full-time IT department, period, full stop. You do not need a full-time C-Sysau. You don't. This should be outsourced.
Starting point is 00:51:18 You should be hiring. I would rather you spend for the expertise than the time because the expertise is going to save you that time. And having somebody that's sitting there for half a million dollars a year sitting there who's going to build out an entire team just going to drain your revenue streams. Having someone who's got the experience that comes in and says, hey, these are next five things you need to do. We're going to do this. Let's sit down and talk about it. You will not only be more protected, but you will also have. have saved an immense amount of money. The reason I say that you're more protected is because
Starting point is 00:51:47 he's not experiencing it just at one client anymore. He's now experiencing a hundred clients at a time. So the experience of one breach that's happening at client Q is now happening for help out client A. And I just don't think small business owners understand that. There's this ego that like, no, they have to be mine. They have to do that. You're not getting the best expertise and you're wasting an immense amount of time and money in order to do it. So just don't do that. For those of you guys who were playing at home who are small business owners are like, listen, this is this is Sanskrit to me. I don't understand any of this. Look at a fractional environment, be it MK or anybody else, but on any level of your IT stuff.
Starting point is 00:52:23 And I'm sure I'm going to get some nasty grabs from the IT guys. You don't need to be full time. Be honest. We're all just browsing YouTube way too much anyway. So, you know, get off of that. And it just is what's happening. So having that. So if the people are watching for home, and I have two questions I want to ask you.
Starting point is 00:52:39 One is what are the things, if they never. run into you. If you get eaten by a Purple Dragon today, you disappear or you win the lottery and make $100 billion and you put your phone in a blender, what are the five or six things that that's five or six things that they could do right now, like, okay, I need to do this. There's this online tool or there's this thing that I could do. Or what are the things that I can do right now to protect myself on a personal level and then the things that I could do for my business environment? We provide a risk assessment that folks can take freely at our website. That risk assessment will walk you through some basics to give you a high-level understanding of where it is that you may have not made the proper investments in the reduction of risk to the enterprise.
Starting point is 00:53:24 And we cover multiple domains. Again, we're a people process and technology advisory firm. So I would say at the very least, take some time. to assess where you are as a company. And you can do that with us. You can do it with others. We think we bring not just an immense amount of experience, but a special expertise based on my experience and those of my executive team and the others that we have engaged. But do something, evaluate where you are as an organization and bring in folks who have experience, broad-based expertise, and will give you an unvarnished opinion as to where you
Starting point is 00:54:03 stand as an organization. Take the time to make the investment in that effort. And it doesn't happen overnight. A typical risk assessment is likely a six to eight week engagement if done correctly. Just aligning time schedules going through the process of asking all of the, there's probably 180 to 200 plus questions that get asked during the course of the assessment. You do those in chunks. You don't want to do those all at one time. There's a gathering of data and information in terms of documentation or the absence of the documentation that needs to be noted. So the process takes a while. So it gets started. From a personal standpoint, there are several things that you can do to just sort of evaluate where you are. Just Google your name, for starters. Going to an incognito browser
Starting point is 00:54:48 and Google your name and see what information comes up in a Google search. And then Google, how do you get Google to remove your name and personal information from searches? And it will tell you the steps that you need to take in order to essentially give Google the information that it needs to be looking for and it will come back and tell you. I do it myself. I get probably an email every three weeks or so. Hey, your personal information was found on this site. Would you like it to be reviewed for removal? I click yes. And 99% of the time, you get an email back says it was removed. Every once in a while there's some site and because of the way that the information was collected, that they're unable to have it removed that one percent of time again.
Starting point is 00:55:33 It's about limiting your footprint, limiting your exposure to risk. It's not about eliminating it. If you want to completely eliminate digital risk, don't use digital products. Correct. That's it. That's the only way to do it.
Starting point is 00:55:46 That's the only way to do it. But if you're like the 99.9% of the rest of the world who has a phone and wants access to this digital information, there are basic things that you can do to protect yourself, do the basics. and that at least gets you on the right path because most folks aren't even doing the basics. And that's what the adversaries are going on. We talk about something in the military all the time about everyday carry.
Starting point is 00:56:10 One of the things you carry every day, be it from operational, from military, side arm is, whatever that is. When it comes to this, what is your everyday carry for the stuff in your world that you use on the tech side? Are you like, okay, I use Android or I'm going to be a Google guy or I'm going to always have a flash drive on me or whatever it is? because I keep a flash drive in my wallet that I use very specifically that can breach me into any machine. I've had it on me for 20 years. It's just, I'm like, oh, I get an enemy machine that I ever get locked out of. It's just a habit. I always have it inside my wallet.
Starting point is 00:56:40 What are the things that you have on your world that, like, these are my everyday carriers. I'm always going to have this on me or this is what I use all the time because through your immense experience for the FBI and the Marine Corps and the Navy. And thank you again for your service. What are the things like, you know what? This is the one we use. This is the case I'm going to use. This is because those are the things that. People are like, well, what does he use?
Starting point is 00:56:58 He's got this experience. What was he taught? They want to know those things. So what is your kind of your everyday carry? Let me answer it this way. So part of what I bring to the table is a level of communication that can be helpful at the strategic and executive level. So I'm a communicator by trade. That's what I get paid to do in most instances.
Starting point is 00:57:20 It's what I get paid for in enterprise. And it's a skill set that I've developed over time. In terms of my tactical carry today, because I had such a wonderful experience at one of the biggest technology companies on the planet, I'm a Google workspace user through and through. I love the products. I love the ecosystem. I know the story behind the preferential use of zero trust in terms of the principles that were used to build out the environment.
Starting point is 00:57:48 And so guess what? I'm a Chromebook user. I like telling folks the story that I love Macs just like everybody else. The look, feel, and presence of a Mac is unmatched. But if I'm traveling for business, guess what? I got my Chromebook with me. It's probably a safer platform to use. There have never been an instance of a Chromebook being violated via ransomware.
Starting point is 00:58:13 The probability of it happening is actually zero. I use a pixel phone because it's tied. uniquely to the Google ecosystem. Do I have Mac products? Absolutely. I will tell folks day in and day out, I'm an iPad user because I don't think that there is, I have yet to see in tablet form something that is as useful from a utility fashion as the iPad. If you attach a keyboard to an iPad, there's almost nothing that's restricted to you to be able to do. I mean, it is part of my go-to-carry. And yes, I have a tech bag or whatever you want to call it that I carry with me for business travel and when I'm out and about meeting with customers and clients. But from a tactical fashion, I'd say my everyday carry is that when I walk away from my home office, I'm going to have my Chromebook, I'm going to have my iPad, I'm going to have my pixel phone, and a tech bag that's going to essentially allow me to get in front of folks and carry on whatever kind of conversation I need in order to either develop business or, quite frankly, just to help them understand what I'm seeing and the challenges on the environment and landscape.
Starting point is 00:59:23 Dang it. I have to start looking at Google Workspace again because I'm a Microsoft guy. And I learned it, so I'm going to have to transition. Yes. Oh, you bastard. What are some of the tools out there? I'm sobs. I'm going to have to pivot because I'm such a Microsoft guy. And it's worked.
Starting point is 00:59:38 And I hate, what is it? Sheets. And I'm like, can I just put it in Excel? And they're like, no. I'm like, oh. There is such parity and operability between the Microsoft Office capabilities and Google workspace today that it's almost 100. percent seamless. So you'd be surprised. The transition may not be as hard as you might think of this.
Starting point is 01:00:03 Oh, God. Okay, I'll work on that. I promise I'll work on it. The next thing, what are certain things that you're like, dude, that's just a waste of money. Like they have these little stickers that you put on cell phones that reduce EMI or EMF and they don't mess with your break. What are some of the things you're like, please stop buying this? What are you people doing? Like, are there anything out there that you could think of that you're like, no.
Starting point is 01:00:30 No, I don't want to disparage the use of any kind of technical. product, you know, I do think that, you know, things like most people don't have to worry about, you know, RFID readers, the common consumer. But I noticed that, you know, there's even a stretch of folks out there that are selling like Faraday bags to people that, who now think they need to keep their technology in a Thursday bank. And I'm just, you can go too far, I think, with some of this stuff. I'm not that guy. I'm not the person who's going to tell you that, you know, every time you know, don't use public Wi-Fi. You know, be careful when using public Wi-Fi. You know, there's still validity to the use of VPNs.
Starting point is 01:01:20 Most phones have VPN systems built into them. Turn on your VPN when you're out of public or at Starbucks using Starbucks Wi-Fi or when you're traveling and you go in a hotel. you know if you don't want to use a hotel Wi-Fi buy your own Wi-Fi puck and use that when you travel so that you can have safe, secure, communicate. Like, you know, there's, so you don't understand how much pain you want to, you want to inflict on yourself. So do you mean the shoebox that I have in my house that's wrapped with aluminum foil is not a good idea? Is that what you're saying? I shouldn't. All right. With that said.
Starting point is 01:01:55 Okay. There's a bunch of people out there who are going to like, all right, I need to talk to someone. It needs to be on a fractional environment. How do people track you down? How do they get access to you? How do they ask questions to kind of to lead themselves and protect themselves in a world that's getting more and more risky? Yeah, a couple of different things. One, I would tell them to visit our website at ApogeeGlobalrMS.com.
Starting point is 01:02:17 You can see the full suite of services that we offer as a company. There's some stuff about our background. And there's some information from a thought leadership standpoint in terms of our approach to security. enterprise risk and all of the things that came up in conversation. I think that's a great starting point. From an individual perspective, we have both a company presence and my personal presence on LinkedIn. I'm a heavy LinkedIn user.
Starting point is 01:02:44 So we can give a nod to Microsoft in that way, if you like. You know, they own LinkedIn. So I'm a big believer in LinkedIn. I think it's a great professional social network. I keep in touch with lots of people on LinkedIn. I'm there as M.K. Palmore, if you look me up, I'm pretty sure I'm the only M.K. Palmore on LinkedIn. I'm open to outreach. I can't tell you the number of folks who reach out to me sort of blindly that I've had the opportunity to actually connect with and have conversations with. So you can see a lot about what we're doing as a company and what I do individually for my own personal brand, which amplifies the company brand, either at our website or on LinkedIn. Perfect. And if not, we'll put your direct phone number, your Social Security number, your bank account, and your home address,
Starting point is 01:03:29 In the show note, M.K., I appreciate you. Come on. I really do. Thank you for sharing all the information that you did with us. Security isn't about having the fanciest tools. It's about doing the basics every single time. MFA on, permissions locked down, stay consistent. That's it. MK. Made it clear today. The adversary is counting on your laziness. Don't give it to them. As always, thanks for tuning in. Stay safe out there, digitally and otherwise. See you next time.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.