SignalsAZ.com Prescott News Podcast - Out of The Dark | IT Cybersecurity Podcast

Episode Date: February 28, 2025

Send us a text and chime in! Sometimes we love technology, sometimes we hate it. Artificial Intelligence (AI), cyber attacks, and phishing emails bombard us, our businesses, and inboxes on a daily basis. It's time for a local expert to talk to us about information technology (IT), cybersecurity, AI, the dark web, and all those other tech things we love and sometimes hate.

This March 2025, http://www.CAST11.com, the Prescott Podcast Network, will launch its newest podcast, "Out of the Dark," hosted by Niles Benghauser, owner of Sentry CTO. This SignalsAZ.com News Podcast introduces Niles and his new show. A big thanks goes to Pinnacle Bank Arizona, which is helping to launch the podcast, bringing critical IT and Cybersecurity information to us all in central Arizona.

Check out the CAST11.com Website at: https://CAST11.com
Follow the CAST11 Podcast Network on Facebook at: https://Facebook.com/CAST11AZ
Follow Cast11 Instagram at: https://www.instagram.com/cast11_podcast_network

Transcript
Starting point is 00:00:00 Niles, welcome. I've been wanting to have you in because you are like the, you are the regional IT slash cyber guy that I've been wanting to tap your brain. So thanks for coming in. Yeah, I'm excited to be here. I want to talk about, okay, first off, your company is Sentry CTO. Why don't you give a real brief rundown of who you guys are and what you do. So this is no kind of what we'll be talking around today. Yeah. So Sentry CTO, I founded it in 2017. And I wanted to address a big issue I was seeing in the IT space at the time is that a lot of companies, especially smaller businesses, were sometimes being given the wrong advice by the IT provider. More than that, they were not being given advice at all sometimes. So they were kind of left to scramble and figure things out themselves. And no one wanted to have that hard conversation to talk about, hey, you
Starting point is 00:01:11 should be doing this or think about doing that. Your cybersecurity needs to be improved by doing this, things like that. And so kind of fast forward to today, we have a mission to help every business, big and small, be able to utilize technology to its fullest with confidence. I think that's the key is having confidence in what you're using technology for. And a big part of that is educating the community. And so that's why we're talking about launching a podcast with you at the CAST11 Network, calling it Out of the Dark. So it's all
Starting point is 00:01:47 about education and not being afraid to know, right? Yeah. Going from that ignorant state, which I'm in all the time, to an educated state, especially in an arena that is now changing even faster than ever in terms of managed IT, cybersecurity, that backdrop, I should say the looming backdrop of AI, which I'm sure we'll talk about changing every day. We talk about walking the dogs and the AI comes up. It's getting annoying. So thanks for coming in and I'm really hoping we can really build a column on our news channel to help educate folks on all the stuff because it's changing, as I mentioned, just so fast.
Starting point is 00:02:34 Every single day. And some of the stuff I'm going to be highlighting throughout the podcast is things that people aren't really talking about. And it always surprises me that you think about the technology and all the technical stuff and you have an IT guy to take care of that. But what's my role? If I'm the CEO, what am I supposed to be doing in my company to help protect it? Yeah.
Starting point is 00:02:54 So let's give me some examples of what you think people aren't talking about, whether that is a sole proprietor, one man shop, or if it's a company, say, up here in Central Arizona with 20 employees. What are some of the things that people aren't talking about and how is that a problem? Well, number one, cybersecurity cannot solely be the job of your IT department. And so sometimes you'll hear things like, oh, we've got your IT taken care of. You got your IT manager or whatever. They're like, we got it taken care of. You're good. The truth is that a large part of cybersecurity is actually about culture, company culture. And that can, that has to come down from above. So that's one of the big things that I see happening is that piece of culture
Starting point is 00:03:41 and what managers need to be doing to develop that culture. It's often missed. So when you say culture, you also talk about within communication, education, education, communication, putting things down in writing, policies and procedures, right? You write those out, you communicate it to your team. Now everyone's on the same page about what their role is. So being the devil's advocate, I know that policies and procedures firsthand don't always get followed. Yep. We educate our folks on SOPs, standard operating procedures. Our folks are very busy.
Starting point is 00:04:23 And then sometimes those habits change. It's almost as if something took them over and we have to retrain them. So how do we keep people on track in general, when you talk about procedures and policies when it comes to managed IT and things like that? Yeah. Policies and procedures are possibly one of the hardest things to nail in any business, I think. Right. Maybe you'd agree there. It's frustrating.
Starting point is 00:04:53 Yeah. Yeah. It's difficult. But not avoid the mindset of this is set it and forget it. Okay. So day one, you write the policy. You get it finished. It looks pretty. You print it out and you stick it in a drawer and everybody forgets it exists. That's the typical scenario I see with a lot of policies and procedures. So instead, all right, you got this fresh new policy, SOP, you know, those various documents. Okay, you educate the team on it. Okay, now we're talking.
Starting point is 00:05:24 Everyone knows it exists. They know what's expected. But now let's take it a step further. Every year, go back and review your policies. Reeducate your team on them and open it up for discussion. You know, it's not about, oh, who's not following this so we can punish you. No, let's review. Let's make sure that you know what's expected.
Starting point is 00:05:42 And if you don't, then let's give you some more training to do that. How do we, how do you guys assess a company's ongoing recurrent trainings? Because that's what I think I hear. Are we auditing on a frequent basis, our individual team players, to find out who may need recurrent training more than, and that's not to be critical of any one team player, but I think we all go through weak points or changes or we get busy and we need that reminder, hey, make sure you log out, make sure you do this. Is that what you're talking about? When you talk about education, maybe some of it's recurrent training and testing? Yep. And this is in everything. So whether it's cybersecurity or not cybersecurity or
Starting point is 00:06:25 something else, recurring training is important. Everyone needs reminders. Everyone needs a refresher. You want to track and make sure that people have ongoing tidbits. The way we set up our cybersecurity training is that every year you have a bigger training. So usually it's some sort of online training that takes maybe 30 minutes. Everyone does it. And then on a monthly basis, you might have these quick little five minute trainings just to keep it fresh. Okay. So beyond training, I want to, I'm just really curious because I know the public is on what's going on out there. I, what companies, or, I don't want to call out names, but what type of companies have been hit up here in central Arizona?
Starting point is 00:07:09 How did they get hit if you know it? What are some of those stories to help the CTOs of the world? Or maybe it's a small company and it's a one man show or one gal show. What happened? What's the most common way people are getting compromised, I guess, is what I want to ask. Yeah. So it always comes down to people. One way or another, somebody let the hacker in the door
Starting point is 00:07:35 almost every time. Gave up a vital piece of information, gave a password away, something like that. The most common kind of introduction of a hacker into your systems is through email and through phishing emails. Okay.
Starting point is 00:07:50 So they're going to send you an email that says, maybe they send it to the HR person and they pretend to be an employee, hey, I need you to update my payroll information or my direct deposit information. Something like that is where it begins. Next thing you know, there's a dialogue between the bad actor and your employee and vital information is given up at some point. Next thing you know, they're in your system.
Starting point is 00:08:14 They're targeting other employees, something along those lines. Okay. Have there, we hear these stories of companies held hostage. Has that happened up here? and can you give us a synopsis of that story? Again, I think people, when they can relate to a neighbor or a local business, and they're not any better or worse than any one of us that hasn't been compromised, want to make that straight because it could happen to any one of us.
Starting point is 00:08:51 You know, what happened and what did it cost them? What's the average cost of something like that happening to a company and how they get out of it? Yeah. So first thing that comes to my mind is there was a small medical clinic here in town about 10 employees. We were talking about that earlier. They got hit with a ransomware attack. So basically one of the employees had opened up an email. It had a PDF attachment. It didn't open correctly. So they just deleted the email and moved on. A few days later, they come into the office and no one can access any of the files on their
Starting point is 00:09:26 server. They can't access any of their medical records, years and years of data they're locked out of. They get a note that pops up on their computer. It says, hey, pay us X amount in ransom in the form of Bitcoin, and we'll give you your data back. So there's a nuance there that I want to cover. The differences between previewing an email, for example, in Outlook, you have all your emails over here on the left, at least on my screen. I don't know if you can personalize it or not. On the left, I have all my emails. If I single click on that, I get like a preview of the email on the right. If I double click on it, the whole window opens and now the email is open. Is there a difference between preview and opening? Like, for example, if I just open an email but I don't click on anything, have I now opened a door or a Pandora's box to issues? I think some people may not.
Starting point is 00:10:32 I learned this the other day. It's why I'm asking is opening an email. Could that open me to an attack or something like, does it open up a door? Yeah. So that's a great question. And I tread lightly on this topic because I don't want people to freak out and be overly concerned. But, you know, let's dive into the can of worms. So just clicking on an email has the potential to
Starting point is 00:10:58 compromise your systems and cause a data breach. Okay. So even like that single click where you get the preview on the right side, just that act has potential of causing harm. So if you run into that, it's always a good idea to report that to your IT department or your manager and get it checked out just to be safe. Right. But the typical scenario that we see most commonly involves you either opening an
Starting point is 00:11:22 attachment or clicking on a link. Those actions are typically where the actual infection happens. So I, everybody gets these emails, right? They are getting better and better at looking like Microsoft update or one of your software programs or it's an invoice. You get a lot of invoices that are fake invoices. And I noticed that the attachment isn't necessarily a PDF or maybe a Word doc or DOCX,
Starting point is 00:11:54 it is an HTML file. So would that be considered like an executable file that if opened up, it's more or less a webpage? Yeah. That's a big, I know those are issues. Yeah. So that's something that can kind of clue you in to if it might be legitimate or malicious or whatever.
Starting point is 00:12:16 But at the end of the day, the specific file type doesn't really matter because they have tricks they can use to make all sorts of different files act maliciously. Right. So that can help you identify it, but it's not kind of the end-all, be-all clue or anything. And so that's the most important thing that I learned was I thought I had to really open that email.
Starting point is 00:12:45 It's really if you're previewing it, it could potentially be an issue. And if you're getting a lot of those, I guess you're recommending whoever's in your IT to call them and say, hey, would you blacklist that sender? Is that the best thing to do in those scenarios besides notifying IT? Yeah, more commonly, you're seeing these emails get sent to you from all sorts of different emails. Every single time you receive a phishing email, it's probably coming from a different email address. So that's why it's so hard for us to be able to block those things. But so when you have that instance happen, you accidentally open one of those emails, you report it to IT, what they're going to do for you is investigate if any infection has happened.
Starting point is 00:13:30 That's their main priority there. They can't really block the email just because of the nature of it. But we can use different spam filtering services and things to help reduce those coming through. It's a tough game to play, frankly. So I mentioned it earlier. So we're going to get into it because it's inevitable on the AI side. What I always think about is as the AI programs get better, and now they're talking about these agents, these AI agents that will literally carry out tasks, multiple step tasks.
Starting point is 00:14:06 I'm guessing that the bad actors are adopting that as quickly as the good actors are. Absolutely. And that eventually all the stuff that we're talking about, I mean, I've even heard that on the dark web, you can buy hacking kits. So if you're a bad actor and you want to get into the business, they have hacking kits to start carrying out crime, basically. Is that true? It's affiliate marketing. So you pay a fee to use this hacking toolkit. You yourself don't have to have a ton of technical knowledge. You only kind of need the basics. And they give you instructions, okay, here's how you deploy cybercrime. And then when you get paid from the victim, that company you bought the kit
Starting point is 00:14:50 from gets a cut of it. Wow. Smart. And AI definitely is going to cause a huge influx. We're already seeing a huge influx of attacks that are coming against us. Less sophisticated people are going to be more easily able to deploy the attacks. It's basically just making a problem we already had a lot worse. Now, the other side of that, the light side obviously is as the bad actors adopt the new technology. The good actors are doing the same. And it's kind of this game of attrition, if you will, where we each keep raising our game, so to speak. And the good actors will also have AI agents that are essentially constantly blocking the attacks. So it's really the same game, just done at a different speed. Yeah, we have different tools available, the quantity of attacks and
Starting point is 00:15:48 defenses that we have to have is increased. But at the end of the day, the really, really positive news that I see out of all these stories and all these attacks that happen is that it's usually a failure to practice good basics of cyber hygiene that are at fault. What are those? So we, yeah, it means we can do them. So use good passwords. Now, what a good password is is a little bit different. So my birthday is not a good password. You know, I don't, I didn't hear that.
Starting point is 00:16:21 You do, you want to avoid personal information. You know, your dogs, your first dog's name shouldn't be in your password. I don't even remember it. You know, spot one,
Starting point is 00:16:31 two, three, four with an exclamation, not a good password. But having a long password. That's the most critical piece. So you want something, depends on who you ask, but at least 12 characters
Starting point is 00:16:44 long minimum. Yikes. 15 or 20 is even better. The way you can do that, think of a favorite song lyric that the world doesn't know is your favorite. Right. And modify that a little bit, so it's not exactly the quote. Those are good ways to make a nice long password. Now, here's the other key.
Starting point is 00:17:03 You have good strong password. Now, do not use it anywhere except for one website, one account. Nobody does that. Some people do it. Right. You need to get a password manager. And as a business leader, you need to get your whole team a password manager. The password manager, you have one master password that lets you into it.
Starting point is 00:17:24 And then all the other passwords you can actually just generate random passwords for. And you don't have to remember them. So all you know is your master password for your password manager. And that resides on your device. It's not a shared password manager on a shared browser. Right. Right. Yeah.
Starting point is 00:17:41 Yeah. Everybody needs their own individual password manager, their own license or, you know, what. Right. Yep. I think that's key because I think some companies use a specific browser and setup and account, especially from the cloud. And then they're all using cached passwords. And I think that causes an issue too, yes? Yeah. So when you start sharing stuff, usually there's two reasons that that happens in the first place. One is that you just don't know better. You don't have an IT person or an IT department guiding you on it. And you're like, well, I need to get this work done. You set it up. You share it with your team. Okay. The other piece, though, is sometimes it's because of cost savings. The company or the department doesn't want to spend extra money on some of these other tools. But the cost of a cyber attack is going to be
Starting point is 00:18:32 much higher than whatever that tool would have cost. All right. So we'll talk about the. What is the average cost of, say, a ransomware attack? So the latest report that I read, showed that the average cost to remediate the attack, so you're paying IT people to do that, you'll often need to pay for digital forensics to be performed. That's usually a different company. Pay for a lawyer to kind of walk you through all the legalities involved. That lawyer is called a breach coach. They're also going to help you write the letter to all the people who are affected and make you sound as good as you can in that letter. So these are all the different that come up, the average is $4.5 million.
Starting point is 00:19:15 Okay. For one incident. That's $4.5 million. Now, there's that other basic cost. I think I was talking to you about earlier, it was like almost a quarter million, which is just like basic lawyer fees, time down, lost time, all that stuff, right? Well, that one's hard to quantify because every company's a little different in that. Sure.
Starting point is 00:19:37 But usually you actually add those on top of that $4.5 million. So that $4.5 million is your hard cost. That's like actually paying people to deal with it. But what about your reputation if it gets, you're going to have to notify people. People are going to know this happened. What's the reputation, especially if they find out you weren't doing what you needed to to do your best to protect the data? That doesn't look real good. You got downtime.
Starting point is 00:20:02 You know, you still got to meet payroll. Are you going to lay people off and now you're short-staffed when you're back up and running? Are you going to eat the cut? Like, what are you going to do? Those costs are on top of that. So the first thing I heard in terms of the basics is strong password. Don't share passwords. Don't use the same password on multiple platforms and a good password manager.
Starting point is 00:20:25 Yeah, password manager is going to make doing those things a whole lot easier. All right. What else? Education. So we're coming back to education. Okay. Train your team on a regular basis and remind them about just all these good cybersecurity measures.
Starting point is 00:20:43 So train them on that at least annually, but we recommend little, you know, maybe briefer trainings throughout the year and also training them on your policies and write the policies if you don't have one. I think you mentioned earlier, which made a lot of sense to me, was incorporating your managed IT and your cybersecurity into your culture. Yeah. Right. So it's not a second thought.
Starting point is 00:21:08 It's not a reaction. It's built into your whole ethos, right? We lock our doors at night. Right? Every time we leave the office, we just do it. And getting people to that state where it's just, it happens like a knee jerk. You're logging out, your passwords, you're changed. It's something that happens that is expected and actually they enjoy doing it after a while
Starting point is 00:21:36 because the habits are hard to create and break right. 90 days to really get somebody to use a software program appropriately or correctly. Do you find that a challenge in new clients where people aren't changing passwords or using the appropriate password after being educated? You have to kind of remind them and remind them and remind them until it becomes second nature. Oh, yeah, of course. Yeah. It's a continual effort.
Starting point is 00:22:06 Nothing is going to change just because, okay, you wrote a policy. said this is how we do it. You got to break those habits, like you said. It takes time, takes effort, and it takes leadership staying on it, saying, okay, this is how we're going to do it, reiterating it, reiterating it, helping everyone form those new habits. So shifting gears to the lighter side, what's the dumbest thing you've seen somebody do? Oh, boy. That caused a compromise of an organization or just a small company or even somebody's local computer at home. Oh, boy. I'll say dumb.
Starting point is 00:22:49 We'll say, what's the biggest mistake? Yeah, it just makes me bang my head on the table sometimes. I know you got one. Don't have to name names. Well, so what comes to mind, I don't know if this takes the cake on everything I've seen over the years. but overconfidence is a nasty thing. I had a client, they were in the tech industry, but they weren't like IT people.
Starting point is 00:23:19 So they had us on to help with their cybersecurity and everything. And it was kind of a perfect storm. One of the employees who was actually working, they lived and worked in another country. And so it was typical that a lot of their communication with the owner was through like email or WhatsApp, you know, those various like text messaging and stuff. Well, they got an email from a scammer posing as the owner saying,
Starting point is 00:23:45 hey, I need you to buy some gift cards for this. And they had a dialogue back and forth with the scammer being like, okay, yeah, let me get these. Thankfully, at the last minute, they stopped and contacted us and they're like, wait a minute. They didn't fall for it completely. But I think, I think they were a little overconfident. Because they're in the tech industry. They were familiar with these things, and they just, they didn't have the idea that it could
Starting point is 00:24:11 happen to them. Do you think that the bad actors will target companies like that because of the built-in confidence, like they're a tech company, so they think they're invulnerable? 100%. Yeah. The scammers are really clever. They are smart. They are good at what they do.
Starting point is 00:24:31 So they're seeing these patterns. I'll take you back to what happened with MGM, the casino. This was 2023. So they got hit with a ransomware attack. They lost millions. I think they paid the ransom if I'm not mistaken. But the way the attack started is that the IT department allowed them in. So the scammer contacted the IT department to get a password reset. And the IT department did it. They didn't verify who they were talking to. Yikes. Yikes. Yikes. So Out of the Dark, new show on CAST11.com podcast network with Niles Benghauser of Sentry CTO. Your website is CenturyCTO.com.
Starting point is 00:25:13 Yep. And if anybody wants to call you, they can call you at 928-3508069. That's correct. We are looking forward to, we haven't had a show on IT, on tech, latest business software, really running the gamut from A to Z. We're looking forward to you sharing on a regular basis with Central Arizona. Oh yeah, I'm excited. Niles Benghauser, Sentry CTO. We will see you soon. Thank you.
Starting point is 00:25:43 Welcome.
