• On July 22nd, Kaseya obtained a universal decryption key for the ransomware attack from a mysterious "trusted third party" and began distributing it to affected customers.
• Before sharing the decryptor with customers, CNN reported that Kaseya required them to sign a non-disclosure agreement, which may explain why the decryption key hasn't shown up until now.

On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability from Cogni and Magniber Ransomware groups, all in south Asia, protecting customers before any encryption takes place, They have seen almost 600 submissions in the last 30 days (July 12-Aug 12th).  Also, Vice Society ransomware, which targets small and midsize schools.

This Week's Security Tip:
It’s scary what kids can see online. Here are some little-known ways to see if your kid is doing things and visiting sites you don’t want them to:

1. They’ve deleted their browsing history. What are they hiding?
2. The ads showing up are questionable. Marketers use retargeting to get you to come back to their websites. So if you’re seeing ads that make you go “hmmmm,” that’s a sign they’ve been visiting those sites.
3. They hide when using the device. A good rule of thumb is NO devices in bedrooms, or in any room that is not out in the open.

Today's Headlines:
On Tuesday, just over $600 million in cryptoassets were stolen from Poly Network, a system that allows users to transfer digital tokens from one blockchain to another.  The threat actor who hacked Poly Network's cross-chain interoperability protocol yesterday to steal over $600 million worth of cryptocurrency assets is now returning the stolen funds.  He then sent multiple transactions to the same with text embedded in each transaction, he included a Q&A explaining his motives, including the line "why hack? For fun 😊"

Sentinel One has detected another AdLoad malwarevariant that Apple's YARA signature-based XProtect built-in antivirus undetected for at least 10 months, and currently still undetected.  Variations of this strain have been detected since 2017, and is used to deploy various payloads, mostly adware and PUAs (potentially unwanted apps), and harvest sytem info.  

• To put things into perspective, Shlayer, another common macOS malware strain that has also been able to bypass XProtect before and infect Macs with other malicious payloads, has hit over 10% of all Apple computers monitored by Kaspersky.

Next Week's Teaser:
NEVER use the same password twice

Call to Action: Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

With so many access points, from cell phones to laptop and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and constantly updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).

Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and TRAIN your employees on how to use company devices and other security protocols, such as never accessing company e-mail, data or applications with unprotected home PCs and devices (for example). Also, how to create good passwords, how to recognize a phishing e-mail, what websites to never access, etc. NEVER assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.

UPDATE to last week's Headlines:

• Kasaya VSA breach – has been on their CVE for 3 months, also upon a third party security incidence response evaluation, they found their billing and customer support site, portal.kasaya.net, was, and has been since July 2015, susceptible to CVE 2015-2862, a "directory transversal attack – basically, even without credentials you could access server files and locations, including the web.config file, which includes usernames, passwords, and locations to other sensitive information..  Kasaya had updated their customer portal in 2018, but left their legacy portal alive.

• Microsoft issues Emergency patch for PrintNightmare – We briefly mentioned this last episode, but the story goes:

  A security researcher publicly announced the initial vulnerability, allowing for the print spooler, which by default runs on all Windows versions by default with kernel level administrative rights, could be maliciously used to run remote executable code, potentially take over the entire domain.   In the next update, Microsoft issued a weak patch that only addressed the point of concept, but didn't really address the actual vulnerability.  Another research team then publicly reported a point of concept they too had reported to MS: a different CVE than the other, which in summary was an active exploit – so basically they published a how-to on a zero day.  SO then MS had to patch both the first CVE and second as fast as they could, and finally after a couple days did offer an out of band update which covers both

• WD – to recap, A flaw for all WD MyBook external drives of a zero-day exploit was reported in 2020 prior to Pwn2Own Tokyo, but WD replied that the bug had been resolved in their new OS5 software.  The research team then posted a video of the proof of concept.  Go figure, tons of them in the wild were then (and probably still are) being wiped by malicious hackers. WD's initial response in March was to advise eveyrone with a MyBook on v3 upgrade to a dvice that can use v5 (basically a new one), and that they would not update the old versions with security patches.  Facing a backlash of angry customers, Western Digital also pledged to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”

Next Week's Teaser:
What the heck is an AUP…and why do you want it?

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

This Week's Security Tip:
10 easy tips for mobile phone security:

1. Lock your device with a PIN or password, and never leave it unattended in public 
2. Uninstall apps you don’t use 
3. ONLY download apps from trusted sources 
4. Keep your phone’s operating system updated 
5. Install antivirus software 
6. Use your phone’s “find me” feature to prevent loss or theft 
7. Cover the camera with a camera sticker when not in use 
8. Back up your data 
9. Encrypt the data if you have sensitive info stored on it 
10. Don’t click on links or attachments from unsolicited e-mails or texts

Today's Headlines:

• Western Digital MyBook users urged to unplug devices from the network - malicious hackers are remotely wiping the drives using a critical flaw that can be triggered by anyone who knows the Internet address of an affected device.
• Quickbooks Online opts users in to share payroll info of 1.4 million small businesses with Equifax, who has been and will be hacked again. (To disable sing-in to QBO, go to Payroll settings, uncheck "Shared Data.")
• Eight unsecured databases were found leaking approximately 60 million records of LinkedIn user information. While most of the information is publicly available, the databases contain the email addresses of the LinkedIn users.
• HSE, socialized public healthcare system of Ireland, breached in May and 700GB of patient and employee data, orders Virus total to reveal 
• Briefly mention PrintNightmare, security vulnerability that affect every version of Windows.  Much more in depth next week.

• Kasaya ransom: $70,000,000 for universal decryptor ($5mill per individual compromise) 
  • fewer than 40 customers worldwide, though all MSPs with over 1000 clients
  • Supply chain attack on on-prem servers – all from US based hosting servers.  CISA and Biden announce almost immediately they are investigating and blame Revil/Russia.  This all comes weeks after FBI/DOJ seized ReVIL/Darkside servers.
  • Was allegedly a known exploit that Kasaya was in the process of patching, before the zero-day attack was carried out.

Next Week's Teaser:
What the heck is an AUP…and why do you want it?

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

Darkside sends message that they are now closed, after servers seized and money transferred.

This Week's Security Tip:
Social engineering is big business. What is it? Figuring out who you are and then using that information to make money off of it.

People list password challenge and identity verification publicly on their Instagram, Twitter and Facebook pages and feeds without giving it a second thought. Maiden name? Check. Favorite pet? Check. High school? Check. Town they grew up in? Check. Favorite or first car? Check. Throwback Thursday is a social engineer’s dream! They love this stuff.

Combat this by A) not posting that information online anywhere or B) always giving false password and identity challenge and verification information to the sites and services that require it. Keep the answer file offline. Remember, if it’s a handwritten list, you can still take a photo of it.

Today's Headlines:
JBS & Pilgrims meat processing hacked – ransomware that the FBI attributes to REvil and Sodinokibi

Amazon sidewalk goes live – Amazon Sidewalk creates a low-bandwidth network with the help of Sidewalk Bridge devices including select Echo and Ring devices. These Bridge devices share a small portion of your internet bandwidth which is pooled together to provide these services to you and your neighbors. 

6 years ago, Microsoft promised Windows 10 would be the last OS, being "refreshed" twice a year forever.  A couple days ago, Windows 11 has been leaked. Some features – taskbar is centralized, similar to Mac vs. Curtrent left-side, no more tiles in start menu – instead , windows will be rounded, like MacOS, overall, a very MacOS vibe.

Next Week's Teaser:
These easy tips will keep your phone safe

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

This Week's Security Tip:
While most businesses understand the importance of backing up their server and files, many forget to back up their website!

Most sites are hosted on a third-party platform like HostGator or WordPress. However, these hosts have limits on what they back up, and the Terms and Conditions you agreed to most likely waive their responsibility to preserve and back up your files and data.

Therefore, if you’re posting a lot of new content, you should be backing up your site weekly if not daily. Hackers can (and do!) corrupt websites all the time. If you don’t want to have the cost of a down website and the cost of rebuilding it, back up your website!

Today's Headlines:
Darkside Ransomware breach on Colonial Pipeline 

The first DarkSide ransomware attacks were all owner-operated, but after a few successful months, the owners began to expand their operations. On November 10, DarkSide operators announced on Russian-language forums XSS and Exploit the formation of their new DarkSide affiliate program providing partners with a modified form of their DarkSide ransomware to make use in their own operations. 

It’s worth noting that DarkSide actors have pledged in the past to not attack organizations in the medical, education, nonprofit, or government sectors. At one point, they also advertised that they donate a portion of their profit to charities. However, neither claim has been verified and should be met with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to make such claims and not follow through.
  

DarkSide Operators Likely Former “REvil” Affiliates

Flashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the “REvil” RaaS group. Several facts support this attribution:

• Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers.
• The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union.
• The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.
• The affiliate program is offered on Russian-language forums XSS and Exploit.

Timeline:

This Week's Security Tip:
There are two mistakes we see with usernames and passwords, even if they are GOOD strong ones. The first is using the SAME password across multiple sites. The second is using the same e-mail usernames and prefixes across multiple free e-mail services. For example:
jimmy67chevy@aol.com
jimmy67chevy@gmail.com
jimmy67chevy@yahoo.com
jimmy67chevy@icloud.com
 
When you use the same password and the same username across multiple sites, you make it easy for a cybercriminal to compromise multiple accounts of yours. With the first part easy to figure out, they can get access to other online services and data or even spoof your e-mail addresses to others. Variety is the spice of life, so make sure you’re using UNIQUE, strong passwords along with unique usernames on free e-mail accounts. 

Today's Headlines:

• 2 Google Chrome zero-day exploit dropped on twitter last week, both remote code executables, affects Chrome, Edge, and other Chromium-based borwsers
• Google announced plans to roll out a new privacy-focused feature called Federated Learning of Cohorts (FLoC), Vivaldi, Brave, DuckDuckGo, and now WordPress reject it.  - Thousands of browsers with identical browsing history (belonging to the same "cohort") stored locally will have a shared "cohort" identifier assigned, which will be shared with a site when requested.  - "At Vivaldi, we stand up for the privacy rights of our users. We do not approve tracking and profiling, in any disguise. We certainly would not allow our products to build up local tracking profiles," says Jon von Tetzchner, Vivaldi CEO and co-founder. 
• Signal CEO and founder Moxie Marlinspike slams Cellebrite (company that police and gvmt uses to unlock Android and iOS phones ) after they say they can now access Signal data.

Next Week's Teaser:
Here is what you should do with your data on your laptop..

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

This Week's Security Tip: Keep sensitive and important data off DEVICES and in the cloud

If a laptop is stolen or lost, and the data is not backed up, you just lost it all. Worst of all, even if you had it locked with a strong password, it’s very likely to get cracked. Once the thief succeeds, any private data that is unencrypted is free for the taking.

One solution: keep sensitive and important data, files, pictures, contracts, etc., on a secure private cloud service, so it’s never on your employee’s hard drive in the first place. By storing this information in the cloud, you can immediately revoke access when a device goes missing.

Side Tip: If you have important family photos, store it in Shutterfly or some other photo-storing cloud application so those are backed up as well.

Today's Headlines:
U.S. Agency for Global Media (USAGM) breached by Phishing attack, exposed information includes full names and Social Security numbers of employees and possibly their beneficiaries and dependents.  Account compromised 4 months prior to Phishing campaign.

USAGM operates broadcast networks, such as Voice of America, Radio Free Europe, Office of Cuba Broadcasting, Radio Free Asia, and Middle East Broadcasting Networks, to deliver news and information to people worldwide.

Vulnerable Dell driver puts hundreds of millions of systems at risk

A collection of five flaws, collectively tracked as CVE-2021-21551, have been discovered in DBUtil, a driver from that Dell machines install and load during the BIOS update process and is unloaded at the next reboot.  Pushed updates are blue-screening computers across the country/locking TPM chips.

Next Week's Teaser:
Are you sure that it’s handled? You may think it is, but it’s not…

Call to Action. We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

This Week's Security Tip:
Here’s a disturbing, but very real, tactic for hackers: spying on you via your device’s camera. Some simply watch you for fun. Others attempt to catch incriminating photos and then blackmail you by threatening to release the photos or video (which they have) to all your Facebook friends, LinkedIn connections or e-mail address book (which they also have) unless you pay a ransom. If you pay, they can come back and ask for MORE because they now know you care AND that you’ll pay. If you don’t pay, they will release that picture of you doing, um, well…

As always, follow the various security strategies we’ve been sending you via these tips. As a backup, you can buy stickers that cover your camera with a slider so you can uncover it when you want to actually use it to take a picture or join a web meeting. These are really inexpensive and can be found on Amazon for under $10. Search for “webcam cover slider.”

Today's Headlines:

• 533million Facebook user data, including phone numbers, leaked the data, which was allegedly obtained by exploiting a vulnerability Facebook advises they rectified in August 2019
• Fortinet VPNs are being exploited by new CRING ransomware, Fortigate firewalls, though patch exists made back in August of 2019.  So many went unpatched, Fortinet has warned customers 4 times since, the latest this month.  They have had at least one report every day so far this year.
• CISA released tool, dubbed Aviary, to analyze Azure and O365 post-compromise activity.
• Windows 10 1909 reaches end of service next month

  Your computer will still work, but it could become more vulnerable to security risks and viruses because you won’t receive new security updates or other quality updates

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

• Early January Microsoft was made aware of active exploits; patch available in March
• Made free patch available to Exchange Server 2010, both showing flaw is in base code 10yrs old, and how prevalent this is
• Confirmed 30,000+ US servers, 100's of thousands worldwide have active backdoors.
• CISA announces “widespread domestic and international exploitation of Microsoft Exchange Server flaws.” campaign blaming China, saying it's a China state-run exploit.  Security researchers confirm at least 4 other state actors currently exploiting, including Russia and North Korea
• 82k US servers still not patched as of Friday, backdoors still in patched servers
• Concern that second wave of backdoor use still to come

This Week's Security Tip:
So you have a big file you need to get over to your printer YESTERDAY and you can’t get it to “send” via e-mail because the file is too big. What should you do? The right thing to do is contact your IT department (us!) so we can assist by installing a secure, commercial-grade file-sharing application. What you shouldn’t do is download a free copy of Dropbox or some other file-sharing software without telling us. Dropbox and other free apps come with a price: SECURITY. These applications are known for security vulnerabilities and hacks. Plus, if we don’t know about it, we can’t manage it or secure it; so the golden rule is this: NEVER download any software or application without checking with your IT department first!

Today's Headlines:

• US DOJ indicted CEO of Sky Global (Sky ECC encrypted messaging app) for allegedly aiding criminal enterprises avoid detection by law enforcement."According to the indictment, Sky Global’s devices are specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering. "As part of its services, Sky Global guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised,"
• Latest Windows 10 update causes BSOD when trying to print for all versions (1803, 1809, 1909, 2004, 20H2)
• Molson Coors (Coors light, Miller Lite, Blue Moon, Killians, Foster's) March 11 ransomware attack, causing signifigant disruption to operations.

Next Week's Teaser:
It’s disturbing but very real. It’s creepy.

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

• FireEye discovered a new "sophisticated second-stage backdoor"(SunShuttle) on the servers of an organization compromised by the threat actors behind the SolarWinds supply-chain attack.
• If you're keeping track – 1.SunSpot (Orion backddor) 2. Sunburst (second Orion backdoor), 3.Teardrop (memory-dropper for Cobalt Strike beacon installs) 4. RainDrop (TearDrop alternative if it didn't work) 5. SuperNova (delivered through Orion trojan)

This Week's Security Tip:
If you do online banking, NEVER access your online account with a PC or device that you use to log in to social media sites or free e-mail accounts (like Hotmail) or to surf the web. Since these are all highly hackable, keeping one PC dedicated to online banking reduces your chances of getting a bank-account-hacking virus. Of course, that PC should have antivirus installed, be behind a well-maintained and well-monitored firewall, have a strong password and be monitored for suspicious activity.

Today's Headlines:

• QNAP devices are being hacked to mine cryptocurrency - 4,297,426 potentially vulnerable QNAP NAS devices online.  Need to be patched with firmware after August 2020
• Microsoft Exchange (2013, 16, and 19) servers patch 4 zero-days, at least 4 state-sponsored hacking groups now exploiting published un-patched machines.  30,000 confirmed US exploits (100's of thousands worldwide), including hospitals, banks, telecoms, utilities, police.

Next Week's Teaser: It’s tempting to do this and think it’s ok...

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

• SolarWinds hackers had access to over 3,000 US DOJ email accounts 
• A website named 'SolarLeaks' is selling data they claim was stolen from Microsoft (source code and repositories $600k), Cisco (source code multiple products $500k), FireEye (security tools – $50k), and SolarWinds (source code and customer portal $250k), or everything for $1mill.
• Microsoft security teams release report on how Solarwinds hackers stayed hidden (nothing new)

This Week's Security Tip:
In a recent incident reported in US news, an office secretary unknowingly gave some of her law firm’s most private data to a gentleman who had bought a Comcast Cable polo shirt off eBay. He dressed in khakis with a tool belt, and told the secretary he was there to audit their cable modem specifications and take pictures of the install for quality assurance. She had no reason to suspect he was part of a now-extinct hacker ring who would gain access to a business’s private network by going inside the office and noting the configuration details and passwords for their firewalls and cable modems. In some cases, they actually built a secure VPN private backdoor they later used to steal data. If someone dressed up in a utility-provider uniform, would you let them in?

Ask for identification and who they have spoken with about the service they are performing, and be “gracefully suspicious,” as they say in the South. Keep company policies about how visitors are allowed in the building, if such policies exist. If those kinds of policies don’t exist, work to define them. We can help, if needed – but this is a real problem your office needs to address.

Today's Headlines:

• Ticketmaster fined $10mil after hiring competitor's employee, then used his credentials that were still active to "choke-off" business and steal one of their high-end contracts
• Nissan NA source code leaked after server hacked using default admin/admin login
• Ubiquiti – security breach may have exposed all user data – sent mass email to reset pw – force you to create cloud login, which portal was breached,  instead of local account
• Hacker leaks full database of 77 million Nitro PDF user records (email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related information
• VLC Media Player 3.0.12 fixes multiple remote code execution flaws – very poular traffic cone icon for playing media,  "could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."

Next Week's Teaser: Bank online? Do this ONE thing…

Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL!

www.mastercomputing.com/discovery 

One thing is for certain: NO ONE is immune to cybercrime. In fact, one in five small businesses fall victim to cybercrime and that number grows every year. Plus, half of all cyber-attacks are aimed at small businesses BECAUSE they make themselves low-hanging fruit with sloppy or nonexistent security protocols.

And one more critical point to ponder: If YOU aren’t giving IT security the attention it deserves, how do you think your CLIENTS would feel about that? If for no other reason, you need to do it to protect your clients’ data, even if the only information about them you store is an e-mail address. If YOUR system gets compromised, hackers will now have access to your CLIENTS’ e-mail and can use that for phishing scams and virus-laden spam. I’m sure your clients want you to be a good steward of their information and privacy, so stop lying to yourself and get serious about putting essential security practices in place.

Have questions about cybersecurity or the technology at your company? I’m here to help. Fill out a form here to book a quick, 10-minute call with me.

Show Notes:
If you’ve ever said this, you’re ASKING to get hacked!

“We’re small nobody is going to hack us” 

“Nobody cares about us or our data”

“We’re not big enough to be hacked” 

THIS is the #1 reason companies get hacked. Not because they’re small, but because they use that as an excuse, thinking you’re too small to get hacked. It’s stupid and irresponsible and you’re asking for trouble.  

Thinking you’re “too small to get hacked” is stupid. 

There are 2 primary targets: 

1.     The low hanging fruit 

2.     Great big names

It’s way easier to get the low hanging fruit, because if you’re the company that says “we don’t need that”

FACT: 1 in 5 small businesses fall victim to cybercrime every year. 

The last time one of our clients got hacked was over a DECADE ago, and that is when we changed our security ways. We are living proof that if you put security measures in place you can mitigate the risks, at a minimum you can mitigate the risks.

No one is immune from cybercrime…

·      1 in 5 small businesses fall victim to cybercrime every year

·      ½ of all cyber-attacks are aimed at small businesses BECAUSE they make themselves low-hanging fruit. 

·      Non-existing security protocols

·      You don’t have policies in place

·      The whole culture is backwards, generally it starts at the top. Meaning if you, as a business owner, don’t care about cybersecurity, then I guarantee your employees don’t care. Another thing to consider you get hacked, now you are responsible for all of your clients’ data

What’s Irresponsible: Irresponsible is to not have information about whether your stuff is being monitored and maintained. 

Somebody needs to know what kind of firewall you have so when something bad comes up you can go patch that firewall.

Whoever is responsible for security for this company should know this information. I’m looking from a business owner’s perspective. The owner of the company may not know what hardware he has in the IT closet, but better know the name of the person who is monitoring it, patching it, and making sure that guy is doing his job.

Coming up next week: Wait until you hear the story about what this sectary did…. 

That’s because employees’ actions can subject the company they work for to monetary loss, civil lawsuits, data theft and even criminal charges if they involve disclosure of confidential company information, transmission of pornography or exposure to malicious code.

Two things you can do: One, create an Acceptable Use Policy (AUP) to outline what employees can and cannot do with work devices, e-mail, data and Internet. That way they know how to play safe. Second, implement ongoing training (like these tips!) to keep security top of mind. We can also run phishing security tests and score your employees. That will truly show if they know how to spot a suspicious e-mail, and will make them realize how easy it is to be duped.

If you need help with setting up an AUP or employee training, give us a call at 940-324-9400.

Have questions about cybersecurity or the technology at your company? I’m here to help. Access my calendar here to book a quick, 10-minute call with me. 

1. Maintain a STRONG password of at least eight characters with both uppercase and lowercase letters, numbers and symbols. Do NOT make it easy, such as “Password123!” While that technically meets the requirements, a hacker could easily crack that.

2. Make sure the device you’re using to access the application is secure. This is an area where you need professional help in installing and maintaining a strong firewall, antivirus and spam-filtering software. Don’t access your cloud application with a device you also use to check social media sites and free e-mail accounts like Hotmail.

3. Back up your data. If the data in a cloud application is important, make sure you’re downloading it from the application and backing it up in another safe and secure location. That way, if your account is hacked, if the data is corrupted OR if the cloud company shuts down your account, you have a copy.

Have questions about cybersecurity or the technology at your company? I’m here to help. Access my calendar here to book a quick, 10-minute call with me.

First, contact your IT department (us) IMMEDIATELY. The faster we can address the attack – and determine the extent of the data, applications and machines compromised – the better your chances are of preventing much bigger problems. We’ll go to work on containing the attack and conducting a full scan of your network.

Based on what we discover, we may advise you to contact the local FBI office and your attorney. Your legal responsibilities depend greatly on the type of data accessed. For example, if medical, financial or other confidential records were stolen or accessed, you are legally responsible for notifying affected individuals that their data was compromised (your attorney can best direct you on what you need to do and how to do it).

Cybercrime is at an all-time high, and hackers are setting their sights on small and medium businesses who are “low hanging fruit.” Don’t be their next victim! 

Have questions about cybersecurity or the technology at your company? I’m here to help. Book a quick, 10-minute call with me here.

Are you subject to them if you take credit card payments over the phone? Absolutely! If you have clients that pay you direct by credit card, you’re subject to these laws. However, there are various levels of security standards – but thinking you don’t process enough to matter or that “no one would want to hack us” is dangerous. All it takes is an employee writing down a credit card number in an e-mail or on a piece of paper to violate a law; and then you’ll be left with legal fees, fines and the reputational damage incurred when you have to contact your clients to let them know you weren’t properly storing or handling their credit cards.

Getting compliant – or finding out if you ARE compliant – isn’t a simple matter I can outline in a 1-2-3-step checklist. It requires an assessment of your specific environment and how you handle credit card information.

A great resource is the PCI Security Standards Council, or www.pcisecuritystandards.org. If you want assistance in figuring out if you’re compliant, call us for a free assessment.

Have questions about cybersecurity or the technology at your company? I’m here to help. Access my calendar here to book a quick, 10-minute call with me.

Show Notes:

[00:00:30] Hey, everybody, I am Justin Shelly, CEO of Master Computing,

[00:00:34] And I'm Joe Melot, CIO of Master Computing.

[00:00:37] Welcome to Episode 15 of Stupid or Irresponsible. Joe, most important thing to happen to you this week?

[00:00:48] That's a good question. I probably should have prepared.

[00:00:50] Well, let me talk while you think about that.

 So, listen, it was last week or the week before, maybe both. I talked about getting stood up for a podcasting interview because I've had people start reaching out to me and want me to be on their podcast and stuff like that, which just makes me feel special. And they stood me up. Well, then they came back and they apologized profusely and set the whole thing up again.

[00:01:19] I rearranged my entire schedule so that I can be here and do their 15-minute prescreening, meeting, Web meeting or whatever.

[00:01:28] But I mean, we've been planning this thing talking about it sounds like now also last year they had a really dialed in process. And I mean, I'm at the doctor with my kid shuffling that shit then I get here for this interview. And within 30 seconds they're like, oh, well, we're not interested because the we had the wrong number of employees. And I just thought, are you kidding me right now that with all of the process you had in place, you couldn't have asked me this key question from day one and saved me about four weeks of fretting and hours and hours of prepping and whatever. So, I was I was pretty upset. But I'll tell you what, it it made me realize the importance of process and made me look at my own process as I bring guests and to, you know, some of our other podcasts. We've got DFW rock stars. I'll plug that real quick as we're trying to get more. I mean, that was one that struggled. We haven't had a lot of guests. So, building that back up, getting the process dialed in. But that was the most interesting thing to happen to me, is just yet again getting stiffed by this company that I am not happy about it. So, I hope that gave you enough time, Joe. You still got to come up with something on your end.

[00:02:39] Oh, yeah.

[00:02:40] I guess just this week is kind of playing with the old Christmas ideas of, you know, a lot of our clients are out of the office during this time of the year. So, getting everything set up there, you know, we're a little short staffed here at the office. Even so, just making sure everything's covered. Everybody's got all our rules, make sure all security for all our clients are working and, you know, make sure we're on the pulse. Everyone has time to play catch up, right. I wouldn't call it catch up so much. It's really, you know, move our oranges from one basket to the other, make sure everything's taken care of. Yeah. No rest for the weary.

[00:03:15] Yeah. And I know you already talked about it, but you've got the new house you're getting in. You're settled. You've unpacked all your boxes.

[00:03:20] Oh, yeah. They're all total impact that usually. I think I told you that usually takes me about a year. Well, that's good because we're on pace for about a decade, so.

[00:03:28] Yeah, but it's got to be cool, man. Oh yeah. And the new plants really love it. All right. Excellent. All right.

[00:03:34] Well, let's jump in, Joe.

[00:03:37] You know, we kind of gotten into the habit of reminding people why we call this podcast's Stupid or Irresponsible comes from the marketing campaign. We've already talked about that. But I mean, the gist of it is we ultimately as business owners, executives, managers, we are responsible for the security of our organization. And it's a responsibility that should be taken seriously. And sometimes it's not.

[00:04:03] And, you know, we went on the traveling the speaking circuit for about a year. We're giving away free stuff where we're just begging and pleading people to take this seriously and not getting a great response from it, you know, because unfortunately, if somebody has not had a cybersecurity incident, it's really hard to get them to take it seriously. And so, you know, I went from this kind of coddling, you know, we're all victims here of crime. And it is stupid because we are one of the few places where the government prosecutes the victims. You know that that was kind of my whole pitch before. Like, this is it. If you get broken into in your home, nobody comes in calling you stupid. But if your business gets hit at, you kind of get close to it. You know, I've changed my tune a little bit and there is a level of stupidity to just not paying attention and taking this seriously. So, you know, there we go. The reminder of why we call it that. I don't really think people are stupid, but I do think people get distracted.

[00:05:00] You know, I'll go out on a limb. I guarantee there's a lot of stupid. Well, listen, yeah, you're right. You're right. There absolutely are.

[00:05:11] Maybe we all just have our areas where we're stupid, you know, as I'm kind of trying to defend business owners who have so many things on their plate, you know, and it's easy for me to just jump on here and say they're stupid and they're going to be mad at me and run away and cry or whatever. I don't know. But, you know, there's just there's a lot going on, especially covid like. The world burning down, we've got so many problems, man, we can’t ignore this one. No, no. Yeah, absolutely not. I mean, people get hit. They we'll talk about it. I've got one. You go out of business like it's not recoverable. This isn't you don't get a do over. It's not a video game where you can reset. You know, it's like this is it. If we don't take this seriously, if you get hit hard enough, you're out of business. So there it is.

[00:05:52] Security tip this week, Joe, we're going to talk about, you know, some of these things ar...

A firewall is a device that acts like a security cop watching over your computer network to detect unauthorized access and activity – and EVERY business and individual needs one.

However, your firewall is completely useless if it’s not set up or maintained properly. Your firewall needs to be upgraded and patched on a continual and consistent basis, and security policies and configurations set. This is not something you want to try and handle on your own – you are best served by letting the pros (us!) handle that for you.

If you’re a managed services client, we’ve got you covered. If not, you should call us immediately to correct the error of your ways: 940-324-9400

Have questions about cybersecurity or the technology at your company? I’m here to help. Access my calendar here - www.mastercomputing.com/discovery - to book a quick, 10-minute call with me.

• Intro. 

Hey everybody, welcome to episode 14 of Stupid or irresponsible! We have host, Justin Shelley, CEO of Master Computing and co-host Joe Melot, CIO of Master Computing back with some updates, tips, headlines and more!

• What’s the most interesting thing that happened to you this week?

Joe:

• Different for sure. Been diving into CMMC Framework, excited about that for the SPRs for the DOD. Basically, a new PCI, stuff for the Department of Defense contracts, contractor vendors and that kind of stuff. Nothing exciting there. A lot of pencil pushing a lot of paperwork. My personal life, fixing things in the new house, fix some broken shit, some fun, some not so much.

Justin:

• The most exciting thing that happened to me last week – was I got stood up for a podcast interview!

• Reminder why we call it “Stupid or Irresponsible”. 4:50
   
  • It started with an ad campaign, saying how when you get hit or WHEN You Get Breached, Are They Going To Call Your Stupid…or Just Irresponsible?? 
    • I used to subscribe to the victim mentality, but that will get us nowhere. Also, I tried for a full year to give this away free of charge and very few took me up on the offer. That is stupid. If we are not giving this our full attention, we are stupid. We should know better. We should be ashamed of ourselves. Even BASIC security measures could be the difference of going out of business or not. 

• Stupid Update. 
  • Justin’s stupid update “You’re looking at it…” I clicked on a stupid email this week, and sure enough it was a phishing email. 
    • We broke down phishing scams a few episodes ago and talked recently about just how outrageous they are becoming, and here I am, falling for one. Fell for the subject like “Check Number 01328” and I opened it. It got through numerous spam filters, It came from someone who I am acquainted with, and their email got breached. So, then open email and an there is this image of a check that is small enough that you do not really see it, so I click on it trying to figure out what the hell it is, and now THERE WE GO. The portal to login to your Microsoft account…stupid move on my part. 
    • LUCKILY, we have been talking about this week after week during our podcasts and I was able to save it before it went any further. It could have been just as easily a link that I clicked and downloads malicious payloads, but luckily it was not. 

• Security/Productivity tip. 9:45:  
  • Joe, we are talking about firewalls today and the title is kind of interesting. Your firewall is useless. Start Joe, break it down for people. What's a firewall? 
• What is a firewall joe?

So, Firewalls. It is a device that kind of acts like the security cop that watches over your network. This is going to be like the very end of your network, logically and literally everything. Every Internet activity that happens within an organization of building your house, you name, it goes through this. That is the cop that is watching everything that is going back and forth. 

The deal is, though, that your firewall is completely useless if it is not set up if it's not maintained properly. If it is not, you could buy the most top of the line firewall. You might also hear the word router that is kind of street lingo. But really, this is a router, But the technical jargon now is UTM. Basically, it's just the cop. Making sure that only the good stuff comes in. 

But now all the bad guys are coming in. None of the good stuff's going out. You have got all kinds of problems, so it's worthless. What is the point? Why even spend the money in the first place? -  If you are not going to maintain it, you're not going to get it set up properly. If you’re not going to keep it patched. These things hackers are always looking for the biggest vulnerability, and then once they get, this is basically your front door. If they get in through your front door, they have got full access to all your bedrooms. 

• So, making sure that it is up to date that it has got the newest patches got the newest updates. It is set up correctly. You have got the right filtering engine, you have got the right, you are blocking the right things, etc.

• Stupid Headlines:
   
  • Spam email campaigns – they are just going crazy. Like all over the place. I've been scouring all of our client’s spam filters kind of seeing, you know, because the fact that it got to your mailbox, it just that intrigued me. That is interesting because we have got so many filters, is so many blocks and stuff. But these guys are getting so smart. The latest thing they have been doing is having a website where it's just a link. There are no malicious payloads. There is no anything. All it is a redirect. 
    • Problem is - You cannot make hyperlinks; you know warning flag for your spam filter. 
    • Why? -  Because half of the world uses in their signature. They have a link to their Facebook, their website, you name it. 
    • How hackers do this? - A lot of this times they are like legitimate links. Maybe it's a OneDrive. Or maybe it's, you go the OneDrive, and then THAT is the actual fake. So, it has been a breached OneDrive, page or OneDrive document that they make the look like a page really is just a credential steel or something like that. Asking you to log in.
• How do you fix that? 
  • So, it is really down to user training. End user training. 
    • We have really been pushing that hard and again speaking to what I was talking about earlier. What I have been jumping into is, this CMMC this Department of Defense contracting stuff, and they require

Have questions about cybersecurity or the technology at your company? I am here to help. Access my calendar here to book a quick, 10-minute call with me.

Subscribe:
Spotify | Apple | Google Podcasts

Show Notes:

• Intro.  Hey everybody, welcome to episode 13 of Stupid or irresponsible! I’m Justin Shelley, CEO of Master Computing and my co-host Joe Melot, CIO of Master Computing. 
• Get to know us. Joe and Justin share a quick window into their personal lives, personality, what makes them tic, this week...  
• Justin reminds listeners of why we call it “Stupid or Irresponsible” 
  • I used to subscribe to the victim mentality. But that will get us nowhere. Also, I tried for a full year to give this away free of charge and very few took me up on the offer. That’s stupid. If we aren’t giving this our full attention, we’re stupid. We should know better. We should be ashamed of ourselves. 

• Stupid Update - [9:00]. We are introducing a NEW segment to this podcast called the Stupid Update. The update here is we are going to follow-up on any previous episodes where we might’ve left you hanging. For example, last week's episode there was an issue, and we promised we would follow up. So here it is:  
  •  UHS, a Giant Hospital System in America – Since last week, Oct. 12, they said they got all systems restored, users confirmed phones working again! However, does not say if they paid the ransom, a third party is believed to have paid the ransom for them. Because of this, a big announcement was made by OFAC requiring you to get permission through them, and if you go through third party – they are going to prosecute.   

• IT Security/Productivity Tip of the week - [15:12].  Don’t just close your browser! 

When online accessing a banking site or any other application containing sensitive data, make sure you log out of the site and THEN close your browser. If you simply close your browser, some of the session information that a hacker can use to gain entry is still running in the background. 

Have questions about cybersecurity or the technology at your company? I’m here to help. Access my calendar here to book a quick, 10-minute call with me. Go to: MasterComputing.com/discovery

• [21:30] - The different Layers of Security: 

1. Have an antivirus 
2. Have a spam filter that’ll block spam from even getting to your email in the 1st place! 
3. Make sure someone is monitoring that, and that it is blocking the RIGHT level of security. Make sure someone has your back and watching this 24/7 (like us!). 

Stupid Headlines. Guys, we are a security company, we eat, sleep, and breathe this stuff. Here are a few recent headlines / events that resulted from stupid behavior.  

• EMOTET and the Trickbot campaigns are on overdrive. 
• Iran is going nuts, they hacked the BIG DOGS and have been sending the same email spam campaign 
• So much spam going on right now, trying to trick people into giving credentials, and succeeding.  
• Whale Phishing attack – this is a certain type of spear phishing   
• Vote from Home Ballots – if you know someone's mailing address and last name... you can change their vote. Print it out, mail it in and change their vote. [24:20] 

We’ve been covering this Layered approach to the technology / security aspect, but you MUST have the user education aspect also if you want any hope in not being the next victim of cybercrime.  

• Stupid Teaser [ 26:10]. What’s coming up next week. The next stupid thing we’re going to break down is your router!  What to do, what not to do, and why you may have a giant false sense of security going on. 

• Joe’s Key Takeaways [ 26:45]: Turn on two-factor authentication! Keep your eyes peeled for these spam emails, they are EVERYWHERE. Unless you have someone like us blocking spam and monitoring the security levels, then probably just don’t open your emails...  

• Smart Call to Action [27:35]. We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I’ll do it later). So, what’s smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I’ll ask some key questions and give you a quick score. If you’re doing everything right, you can sleep better at night. If there’s room for improvement, we’ll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE DAMN CALL! 

Like it or not, device manufacturers LOVE to stuff your brand-new PC, tablet or phone full of “free” applications (they get paid to do it, so you’ve got a slim chance of getting one without a side of spamware). But clutter is the enemy of a speedy PC, and outdated apps are a breeding ground for hackers; so if you’re not using a particular software on a regular basis, it’s best to REMOVE it completely. That way you don’t have it sucking up processing speed AND leaving the door open to hackers and malware.

Resources
Book A 10-Minute Discovery Call

Backup Plan #1 - Use this FREE tool at www.virustotal.com

IT Security Tip
Here’s a sneaky trick used by many hackers: they purchase and set up a fraudulent website that is a close misspelling of a legitimate one. Example: www.faceboook.com (extra “o”) or www.dropbox.net (instead of .com). All you have to do is accidentally fat-finger ONE letter in the URL and up pops a very legitimate-looking fake copy of the site you were trying to get to – and the login and links are full of keylogger malware and virus landmines waiting for you to click on them. This is particularly important for any social networks you belong to.

Two Tips: One, bookmark key sites you frequently visit. But even better, have us install a web gateway security product that BLOCKS sites that are suspicious and fraudulent. That way, even if you click on a link to a phishing site, get directed to an infected site or accidentally type in the wrong URL, the site will be blocked, protecting you and your employees.

Show Notes 

[2:00] - We are going out of order today. Rather than end with our offer, we are going to start with it. The reason is, I feel like over the last couple episodes I’ve gone soft...  

Justin asks Joe some questions: 

• What’s the title of this podcast?  
• Do you remember why we name it Stupid or Irresponsible? 

• [3:35] - When I decided to call the podcast “Stupid or Irresponsible” I did it on purpose. To be inflammatory with the topic. I wanted to get people's attention, because this is one of those things we CAN’T take lightly.  We can’t just sit around and hope we don’t get hit with ransomware, hope we don’t get hacked by criminals in China and Russia.  

• [5:10] - Here’s what’s stupid: Putting fire alarms in your house AFTER having a fire. The most frequent sales of fire alarms are after people had a fire. 
• When we are selling cybersecurity services, unless someone has had some sort of a cyber security event, they are very unlikely to buy...   

[5:25] - What's STUPID is waiting for the event to happen and then taking preventive measure to prevent the event that just happened.  

[9:50] - If something doesn’t cause emotional response in us, we don’t take action. So yes, listeners, we are trying to scare you but trying to scare you in a way that will PREVENT something that is catastrophic. 

[11:10] - When I started this off, we are going in a little reverse order, before we even dig into our topic today, we are going to talk about this offer for a free Security Assessment.  

How do I get my FREE Business Security Assessment?    

• Book a 10-Discovery call – jump on the phone, spend 10 minutes with Justin Shelley, CEO of Master Computing.  

During this assessment, I will ask you some very key questions, and in just 10-minutes I can tell you what we need to do... A roadmap to success. 100% free.  

• What is a Key Question I will ask you in this Discovery Call? 
  • One of the very first questions I ask is if you are doing a regular consistent end-user education? Are your employees constantly going through some sort of cyber security program, and if they are, who is running it? When was the last time you went through an employee training program?  

Go to www.mastercomputing.com/discovery and book a 10-minute call before it’s too late! 

[13:00] - Justin give Joe a POP QUIZ:

• How much does this Security Assessment I offer cost?  
• How many strings are attached?  
• Will we try to sell you something you don’t need? 
• Does anyone ever complain about me, Justin, being a high-pressure salesperson? 

[32:55] - What is stupid: Buying a fire alarm after your house is burned down. Guys don’t wait. Please do not wait until you’ve been breached, hit with ransomware, until your business is vaporized. Because a lot of businesses aren't coming back from these attacks. They’re brutal. 

A few simple measures. We can provide a roadmap that can protect you from 97% of this stuff.  

• Take 10-minutes go to www.mastercomputing.com/discovery we’ll write a custom plan for you and we will help you put it into place if you’d like.  

Apple | Google | Spotify

The “Dark Web” or “Deep Web” is a part of the World Wide Web we know and love that is ONLY accessible via a special software that allows users and website operators to remain completely anonymous and untraceable. That’s why it’s the playground for hackers and cybercriminals.

Because hacking IS a for-profit business, there are criminal entities who steal, combine and sell personal information on the Dark Web, like passwords, social security numbers, bank account information and credit cards. There is a VERY HIGH probability YOUR information is being sold on the Dark Web – so how do you know?

Call us for a free Dark Web scan for your organization. You can also have us monitor the Dark Web so that when the login credentials for someone on your team are “for sale,” we can notify you so you can immediately change your password and avoid a breach. Also, be careful going to various sites OFFERING a free Dark Web scan. Many are scams designed to get your e-mail and potentially verify that your password is correct, where it’s active, etc.

A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular website or to click and download a virus.

Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail. So, how can you tell a phishing e-mail from a legitimate one? Here are a few telltale signs…

First, hover over the URL in the e-mail (but DON’T CLICK!) to see the ACTUAL website you’ll be directed to. If there’s a mismatched or suspicious URL, delete the e-mail immediately. In fact, it’s a good practice to just go to the site direct (typing it into your browser) rather than clicking on the link to get to a particular site. Another telltale sign is poor grammar and spelling errors. Another warning sign is that the e-mail is asking you to “verify” or “validate” your login or asking for personal information. Why would your bank need you to verify your account number? They should already have that information. And finally, if the offer seems too good to be true, it probably is.

Subscribe

Apple | Google | Spotify 

In today’s episode Justin and Joe get into ransomware. We’re on episode 8 of Stupid or Irresponsible and for 7 episodes now we have been breaking down ransomware. Last week’s episode we talked about the ransomware attack on Garmin Connect, this week we are talking about one that is a little bit older (not making headlines anymore) but still very much out there in the wild. WannaCry Ransomware. 

In this episode we discuss...

• What NOT to do if you want any hope at protecting against ransomware.
• The background story of this virus (P.S. this is almost as interesting as the actual exploit itself) 
• How ransomware works - paralyzing machines and demanding bitcoin ransom, WannaCry jumping from one machine to the next
•  and the 5 different stages of this malware spread 
• Why cybersecurity researchers named the worm "WannaCry"

Not too long ago, the WannaCry ransomware attack was all over the news, infecting over 400,000 computers. The threat was fairly straightforward: Pay us or we’ll erase your files. 

Ransomware, like the WannaCry attack, works by encrypting your files to prevent you from using or accessing them. After your files are compromised, the hackers behind the attack then pop up a demand screen asking for payment within a set time frame (e.g., 72 hours, three days, etc.) in order to get the key to decrypt your files. WannaCry forced many business owners to lose data or pay up since there was no other way to decrypt the files – and many paid without getting their files back.

Obviously the best way to foil a ransomware attack is to be incredibly diligent about IT security; but with hundreds of thousands of new attacks being created daily, there are no guarantees that you won’t get infected. Therefore, it’s critical to maintain a full, daily backup of your data so you never have to pay the ransom – AND your backup needs to be a professional-grade backup that is impervious to ransomware since hackers write their attacks to infect BOTH your PC/server AND your backups. 

Show Notes:

• 5:00 - Joe tells the story of WannaCry Ransomware 
• 5:50 - How did this worm get the name "WannaCry"?  
• 6:10 - The background story of this virus (listen - this is almost as interesting as the actual exploit itself!) 
• 6:25 - How did this virus start? (Hint: your employees are your weakest security link!)
• 6:50 – The different stages of ransomware: 
  • 1. Initial access
  • 2. Execution 
  • 3. Escalation 
  • 4. Defense evasion – hiding around from your antivirus  
  • 5. Then the exploit, the impact
• Stupid: When it comes to cyber security stupid is thinking you can DIY. Thinking you can protect your business from these hackers by yourself. “Thinking you can do this yourself, that cyber security is a DIY type activity is flat stupid” - (16:00)
• Irresponsible: Is trusting your IT company / cyber security firm WITHOUT VERIFYING. - (16:55)
• The DIY approach to security - we are going to talk about DIY first to make the point we are giving this formula NOT as a formula to do it yourself, but to rate your current support system. Then, if these things aren't happening you know you’ve got to do something different now! - (20:00)
• 20:17 – If you can't easily answer these questions about the things happening in your company YOU HAVE A PROBLEM!
  • For example – Is your backup running? Are there test restores going on? 

• Top 9 ways to protect against ransomware: - (21:40)
• #9 - Data Backup (test restore) 
  • Have a solid backup  - this used to be #1 most important on the list and the get out of jail free card
  • Now a backup alone is NOT ENOUGH!
• #8 - Get a good, enterprise-grade firewall  
  • Get a good firewall, that is current, up-to-date security subscriptions, somebody monitoring the firewall. Get a good firewall make sure somebody's watching it. 
• #7 – Password Management in place  
  • (Listen to Episode 1: The Stupid things people do with passwords) 
• #6 - Policies and Procedures
  • If your IT company isn’t doing this for you and doesn't have this place then you’ve got some questions to ask! 
• #5 - Two factor authentication (2FA) in place
  • If your IT company isn’t annoying you to death, then they aren’t doing their job!  
• #4 - SOC 24/7/365 
• #3 – Behavior-based anti-malware
  • You have to have a behavior-based anti-malware in place, but all this does when it finds something suspicious is it raises an alert. Which goes back to our point that someone needs to be watching this, getting alerts all day every day!
  • Most businesses don’t have the capacity to do this on their own, both in time & expertise.  
  • Generally, this is something that is outsourced. 
• #2 – End User Training 
  • This is the 2nd most important thing you can do, it is CRITICAL! (28:30)  
  • Things are changing every day. Something new is going on, something changed, hackers are getting smarter (28:30) 
  • By training your end-users, employees, this creates a culture of awareness and gives them refresher.
  • Phishing simulated attack – we have a security piece that will send us a fake email that says click this link – when we do click on it, it locks our computer down and makes us take a training course 
  • If you don’t have that in place you have questions to ask your IT company guys 
• #1 - 3rd Party Review
  • This is the NUMBER 1 thing you NEED to do that is absolutely critical to protecting your network. Have a 3rd party audit and extra set of eyes checking others work. (30:10) 

Show Notes:  

In this episode we discuss... 

• A confirmed WastedLocker Ransomware attack on Garmin Connect  - A GPS software, they run GPS infrastructure for a whole lot of devices all around the world
• We are going to reverse engineer this ransomware attack on Garmin Connect and tell you exactly what hope we have for preventing this! (5:10)  
• Joe is going to break this down for us with inside info from a couple discrete cyber security forums that he’s in. (3:30) 
• Disclaimer: Official word from Garmin was that they’re having a network outage, doing some emergency repairs, something like that - 
• By default, we are not inclined to talk about our dirty laundry nobody wants to do that. But the tragedy in the industry is that we don’t get to learn from other’s mistakes because it’s always so hidden.  
• Listen as we reverse engineer this situation with insider information and find out what went wrong and what can we do, what could Garmin have done to prevent this.

So that is the value for me in trying to reverse engineer this situation and find out what went wrong  

• What most people will say in a case like this is: “Well if Garmin is going to get breached, and they have all the resources in the world what hope do I have?” (4:30) 

We are going to give you some hope – we are going to talk about what you can do... What COULD Garmin have done to have prevented this outage? (4:50)  

ABOUT THIS RANSOMWARE ATTACK 

• Confirmed WastedLocker ransomware attack - the new fancy name for this strain of ransomware (10:25) 
• They engineered this software for Garmen – it was a personal, TARGETED attack. It was so targeted that they knew specifically what users they were targeting. (11:00) 

Why you should NEVER click on popups: 

• They knew specifically what users they were targeting - This particular hack is from clicking on a java script code (so a pop-up on a website) and they knew this particular user would go to this particular website pretty frequently and would possibly click on a popup. (11:10) 

POP QUIZ: if you see an alert to update something what do you do? (12:30)  

Ransomware In the U.S.- We have sanctions in the US against paying ransomware – we can’t pay the ransom to a foreign entity, specifically Russia, and SPECIFICALLY we cab't pay the ransom to this guy - (hint: he created Evil-Corp)  

BACKUPS: why the normal restore from backups does not cut it anymore. (19:00) 

• What you normally do is restore from backups, but this was intelligent enough to get in and wipe out their backups too (19:00) 
• Cool thing about backups, if you are doing it right there are other, additional preventative measures that could have prevented this attack.... 

How offline backups could have PREVENTED this attack: (19:15) 

• Offline backups – this is an additional preventative measure that we take here at Master Computing and therefore this would NOT have affected us or our clients. Because we keep offline backups for them.  

TIPS After Breaking Down This Attack:  (20:30) 

1. Don’t do updates that are pushed to you – go to the website/app directly and do it from there – initiate it yourself. 
2. It starts with the site that they clicked on – so, make sure you have security on your website and someone looking out for these things.  
3. When you are hiring an IT firm to do your security – you may not want to go to the cheapest bidder - (23:55)   
4. Communication is KEY for the IT security world.  

To the theme of our podcast - 

So how do we deal with it? (26:55)  

• Put a plan in place,  
• Follow industry standards,  
• Follow best practices, 
• If you do this, then you’ve got to know what they are and stay up to date on them.  

“We can't do the head in the sand approach; this attack was PREVENTABLE” 

• This attack was preventable – with the right software, it was PREVENTABLE – So, get a plan in place, check your plan on a regular basis  and for the love of all things, get someone else to check your plan. 
• You CANNOT ASSUME that even if you hire the best IT company / Cyber security company out there that they know what they’re doing. You better get somebody to check their work.  
• At a minimum get someone to come in to look at what you're doing for security, your plan, your approach to protect your network, your customers, your employees.  

Go to www.master-computing.com/discovery book a 10-minute call with me, Justin Shelley, and we will break it down and show you where the glaring holes in your security are, then give you a road map for success. (28:10) 

Resources:
Go to www.master-computing.com/discovery and book a 10 minute call, and we will talk about this, we will create an action plan for you.

Join our FREE Security Webinar Here

Show Notes

• Today’s episode we talk about this article by an info security magazine study.  In this study they show that 100% of law firms have been attacked or targeted between January - March of 2020. [2:30]

You are probably thinking "100%? That is B.S." right? Listen now...

• In this study they are talking, specifically, about the Legal Industry is under attack. They make it sound like more so than anybody else. [3:40]
• We could do our own study and show that EVERYBODY is under attack 100% of the time 

It is a matter of time before they get in, that’s the bigger point here.

Interesting statistics from this study: [4:07]

• 15% of law firms were likely compromised (that’s a lot)
• Nearly HALF of law firms had some other form of suspicious activity on their network.

 Problem #1: The problem we face in security is that it is just rampant, the attacks are everywhere. They are automated. They are relatively easy to pull off. [5:58] 

• “If I’m an amateur hacker and I want to break into your network what do I have to do? How hard is it? What is the learning curve on this?”[6:25]  

[7:30] – Problem #2:

“As a business owner (theoretically say I do not own an IT company or have any experience in IT). Maybe I own a law firm and I am the managing partner of the Law firm. Maybe I’m the primary doctor or physician at a local clinic. Maybe I own an accounting firm. I am the guy, I started it, I filed all the paperwork and my specialty is in my craft… How do I prevent a cyber-attack, Joe? “

What to look for in IT support:

•  Businesses operate on some pretty slim margins. So, when I’m out looking for tech support and 3 people show up at my door saying hey, we can all do the same thing, how do I choose? [8:20] 

Point #1: I as a business owner of any industry outside the IT world, I DON'T KNOW HOW to pick a good IT company.

Point #2: Just because I found a good IT company doesn’t necessarily mean I found somebody that knows anything about security. 

• “Like Joe said in the beginning, statistics could be made up, could be manipulated, BUT Every time I look at the statistics it’s about 20% of businesses get hacked.”
• I’ve seen it a bunch of different ways, but...The reality is, if you play the odds long enough, the real likelihood of some sort of a breach is probably approaching that dreaded 100%.

"The problem here like I said in the beginning, I don’t know how to vet an IT company, and I sure as hell don’t know how to vet a cyber security firm." [13:07]

[13:25] – Let’s say, we hired this firm to come and protect our company. If we were going to make sure they were doing their job properly, what should we be looking for? 

• How do you vet an IT company if you don’t know anything about IT? 

[14:00] - So let’s give them a formula:

• NOTE: If you try to implement this yourself, that is flat stupid. Because you can’t. It is like me trying to do heart surgery myself. Please for the love of god don’t do that. 

The reason that we are going to lay this out is so you the listener can understand or hold your guy accountable because we don’t know how to pick them. We don’t know how to vet them, and we sure as hell don’t know how to hold them accountable. What do we really know about holding these guys accountable? [14:25]

[14:57] – Let’s go through a basic checklist of what should be happening behind the scenes to protect a company:

Starting at the top:

• We want to make sure they have strict policy on of use of company devices.
• Procedures – have a document in place 
• Have some sort of regular training or education for employees for safest and best practices.
• Ongoing education
• Letting the client know if information has been compromised immediately.
• You SHOULD have an incident response plan for if and WHEN you get hit. What are the proper procedures? 
• Constantly updating security and hiring digital security firm if needed. 
• Like we mentioned earlier, if you have an IT guy that’s great, but you NEED a security guy. 

You have got to have somebody or some entity that is looking out for security, that stays in on this, that is just living and breathing network security all the time. Like us!

• If you were to be compromised: 1. There should be a policy and 2. It should be enforced. [18:05]

We’ve got policies, procedures, ongoing training, what are some other things that might be maybe more on the technical side? [20:00] 

Quick point about Two Factor Authentication:

• If your IT guy if your security guy isn’t talking to you and beating you up over Two Factor Authentication (2FA) then you probably better find a new one!

[20:40] – Here is a great litmus test: If you aren’t annoyed as hell at your IT company for all the security stuff and hoops you are jumping through…you better find a different one!

[21:45] – Justin’s sign off:

• The stupid answer here is to not be prepared. To not be paying attention to this. To thinking that you are invulnerable. 
• To think that this isn’t going to happen ...

Subscribe to Stupid or Irresponsible Podcast
Spotify  | Apple Podcasts | Google Podcasts

Resources:
Please to take a second and go to: www.master-computing.com/discovery and book a 10-Minute Call with me, Justin Shelley, and we will make sure that you guys are properly protected. We’ll make sure you have a plan in place. And that you will be able to sleep at night knowing that your company is safe, your data is safe, and your people are safe. 

Show Notes:

In previous episodes, we’ve broken down some dumb things we see people do. We’ve talked about dumb things we’ve done ourselves, we’re not immune to that. But this episode is a little different.  Today we are going to talk about working from home environments. (1:30) We’re going to break down the ramifications of this massive migration to a work from home environment

Here we are. Today as we record this it is June 30th, 2020 and it has been a hell of a year, am I wrong?

• "Initially when the COVID lock down hit everybody just did this mad dash to work from home… Our clients all wanted to work from home immediately, and many of them are still doing it." (1:40) 
• "Nobody saw this coming – so it’s not that we couldn’t have done a better job at pushing people into the home, working environment. It’s that there wasn’t TIME. And a lot of time there wasn’t resources – cameras for example you still can’t buy a webcam – not a good one." (2:33) 
• " We’re going to break down the ramifications of this massive migration to a work from home environment" (3:10)

[3:20] - Talking about how they were attacked this morning

• We are a security company! It’s we eat, breath, and sleep this stuff. We’re always talking about it. We record podcasts on it, and listen… When we do this, we’re taking our own notes, improving our own security every day. At least every week we’re meeting about it, talking about it.

BUT we’re still potential victims to it… Even Master Computing, Managed Service Provider for many Medical Facilities. 

[6:35] - Step 1: What are the events that led up to this thing, what happened when it did Blue Screen, and is that something that we need to patch fix, repair?

• Port Scanning – looking for holes and exploit vulnerabilities.
• Geo-blocking: We generally Geo-block meaning we can block separate countries with our firewall, we have an enterprise grade firewall that can block stuff from Russia, block stuff from the known perpetrators. [9:02]

• So, I just wanted to point that out. And I wanted to publicly thank you, for taking this seriously and digging in and protecting, not only our network and our business but the work you do behind the scenes for our clients. So that, people can rest at night knowing that this has been taken care of" (11:00) 

[12:04] - DDoS: Stands for Distributed Denial-of-Services

• DDoS: When you have a large collection of computers (very large – that’s what makes it a DDoS vs just a DoS) a large number of computers that just try to ask your server or network questions – they just ask billion and billions of questions until your computer can not handle any more. There are vulnerabilities when something is at MAX capacities. 
• Botnet Attack: a large collection of computers that are trying to just, you know, bug us. And trying to slam our systems. 

[14:30] – Vulnerabilities in your networks: 

• Turns out there WAS a vulnerability – call a “zero-day patch” – meaning it’s exploitable today, it’s known, and it’s out in the wild in production. This very well could be going on with Office 365. Any of your normal day-to-day applications. 
• "Any of your normal day-to-day applications. They could just throw a new update out on the web, expecting you to look at it. But, if you don’t and have no idea about it then you now become the most vulnerable target in the world just because of that. " (16:30)
• You can definitely imagine that a freeware version – maybe Google Chrome, Firefox, any of those kinds of things. Keep your eyes open! 

[17:00] – The point is: We are an IT / Security Company. This is what we do night and day.  And STILL here we are, victims of at least an ATTEMPTED attack.  Did they get through, steal any information, did they breach our network? NO… WHY? Because Joe is a badass.  

[17:27] – Why you should invest in IT services:

Justin: I’m just going to make this point really quick. I know technology to some extent, I own the company, I started off as a technician, I’ve got the background. I still don’t do my own IT work because I don’t have time. 

• I cannot put the time, energy and focus into doing what you do Joe, because of all the distractions I have.
• When I’m out talking to business owners who tell me they do their own IT… Guys THAT is stupid. 
• (17:50) - "You do not have the time, the ability, the experience, the day-to-day, in the trenches, knowledge. To be able to do this on your own. You just don’t!

[18:05] – Example of an Attorney and why you CAN'T mess around when it comes to Security. The guy is $400/hr is his billing rate and he does his own IT work. That’s stupid. I’m sorry, that’s just flat stupid. 

• (18:05) "What’s smart: hire us, hire somebody (like Joe!) who is always in the trenches, sleeves rolled up, preventing this kind of attack. 
• This could’ve been bad had it gotten through. It could’ve been life ending for the business if it weren't for Joe.

[18:55] - We wanted to talk about this mad rush to work from home and the additional security challenges that were introduced to it. 

[19:30] –Today  we’re leaning on an article that we read that supports this theory that is was not really the best move to push everybody to the work from home environment so quickly even though there wasn’t much of an option. But there was a company that did this and they were hit.. Financial management company 

COVID hits, like everybody, there’s this massive rush to tell everybody to take your work home with you. 

(21:05) – What happened to this comp...

Subscribe to Stupid or Irresponsible Podcast
Spotify  | Apple Podcasts | Google Podcasts

Resources
Security Webinar -  Stay ahead of the game! Sign up for our Security Webinar today. We give you FREE tools, FREE training, and we WILL hold your hand throughout the process. BUT when you don’t take our help or our advice that is stupid.

Schedule Your Discovery Call - If you know you've got a problem take us up on this offer! Book a 10 minute call with myself (Justin Shelley) and we’ll go over what we can do to help, get you started on a path to have a solid plan in place, constantly reviewing that plan, and just making sure you are doing the right things to minimize ALL the risk we possibly can.
 

Show Notes

[1:50] – Justin shares what started his love affair with technology and how he is shocked to be spending most his time fighting crime...

• Justin’s love affair with Technology began at the rightful age of 12 with the Apple 2E 

[2:26] - “I got into computers at the rightful age of 12 but did not see myself fighting crime…”

[2:36] - But here we are… Master Computing is an IT company we really pride ourselves of fast response, on processes, on client education, but man we spend most our time fighting crime! Who knew!?

[2:59] The title of this podcast Stupid or irresponsible 

• Title Background -  We send out the this letter called the “Stupid or Irresponsible” letter and people got offended or squeamish about calling someone Stupid.. So, they would play it down to sound less harsh. But the fact is, not taking basic security measures and educating yourselves, employees, then you are stupid. 

[3:50] - Justin came to this conclusion when making this title - If you don’t care enough about your business to care about your business to protect it from cyber crime, I can’t care about your business more than you do. SO, take the advice, take the tools we’re giving YOU, or don’t but if you don’t and you get hit... sorry YOU’RE STUPID. 

[4:08] – Today we are going to talk about a BEC Attack that cost a very intelligent very established businessman $400,000 that he DID NOT RECOVER.

[4:20] – What's a BEC Attack?

• BEC Attack – Business email compromise attack:
  • It’s when someone has access to or is faking that they have access to your email account.

What does it mean? What can it do? 

You are going to want to Keep listening!

• A BEC attack begins with cyber criminals hacking and spoofing to gain access to your email. 
• If they have access to your email or at least the end user they’re talking to (which could be your bank or any financial institution you name it) … If they think they’re talking to you and your email account, the hacker, now they’ve got your world. 

“So, if you want my bank account and you aren’t me but happen to have my email then you pretty much have it all.” 

[5:47] - So that’s what a BEC, a scam is – it’s when somebody (aka a hacker) gets access to your email by impersonating you or someone in your business.

What is “Spoofing”?         

[5:57] - If somebody can PRETEND to have your email address, we call that “spoofing”

[6:09] – Unless you have security set up it’ll look exactly like it’s coming from you 

[6:17] – We’re talking about scary stuff “we can’t really get through life believing every little bad thing is going to happen to us.” 

[6:30] – one of the human defense mechanisms is to believe that bad things cannot happen to us… Today, in this podcast, we are here talking about things that HAVE happened. 

Listen as we shine light on the importance of this growing threat.

[8:00] - Above was talking about Spoofing 

• A “spoofed email” would set off alerts, but if you logged into my email account it’s NOT triggering those alerts – THIS is what we really must be careful of. 
• We have all kinds of protections we can put against spoofing but sounds like we’ve got to work on our email... 

[8:16] What Joe recommends to anyone, especially people who have any kind of personal Yahoo or Gmail account: Setting up one or both of these two things:

1. MFA 
2. 2FA

The most basic of those would be Multi Factor Authentication (MFA). You might also see 2FA out there. Recommendations from Joe: 

•  I would highly recommend anybody, if you have any kind of Yahoo, Gmail, personal account, you name it!
• I would 100% set up MFA – It will save you so much time, headache and effort. 

[8:35] – So let’s get into the nuts and bolts of this one - we are going to talk about a guy named Verne Harnish

STORY

[9:04] – Verne Harnish got hit. But he is not stupid, he had protections in place.

He was in a foreign country, doing a big presentation to 3,000+ CEO's, executives, entrepreneurs. In this article Verne says he used a “public network” and in that process somebody was able to sniff out his emails and now is when the attack begins. 

1st – they hack his email, then they start impersonating him 

Note: They are not spoofing him. They are actually INSIDE his email account. They are him. 

Inside his email account watching messages being sent between Verne and his admin (communicating about wiring money...)

They sit and learn this stuff until they are able to very accurately impersonate him THEN they make the attack. Wiring money to 3-4 different places. By the time Verne (or anyone) figures it out, it’s game over… the money is GONE.

[12:15] – Joe, let’s talk about what Verne did RIGHT what he did WRONG

• Rule #1: Just don’t get on public WiFi. 
  • We highly suggest that if you do get on public WiFi you’ve got a proxy VPN, or a VPN set up. 
  • Why? If you don’t have that, any hacker is reading words verbatim off your computer. 

So Joe, "DO or DO NOT use Starbucks WiFi? 

• NO do not… 
• Safe alternative like the VPN set up is to 100% use your mobile hotspot if you need WiFi.  

So what could Verne have done as extra security to possibly prevent this?
 

[15:00] – What could they have done to possibly prevent this? 
The BEST thing they could have done: 

• In this case one KEY component that was missing is – 
  • Don’t ever allow money to be authorized over email. 
  • Or at least not over the initial form of communication. 
• Example:
  • If email is where it initiated, get another form of communication in there (like a direc...

In Episode 3 of Stupid or just Irresponsible Justin Shelley, CEO of Master Computing, and Joe Melot, CTO of Master Computing discuss the stupid things we see out in the wild. Last week we talked about slow computers. Today we play and expand on that and talk about outdated software. When is software out of date? In this episode we put a timeline on software.

Subscribe to Stupid or Irresponsible Podcast
Spotify  | Apple Podcasts | Google Podcasts

[4:35] – Using out of date software 

• Additional problems introduced when you use old software
• As far as hacking is concerned, software is the Name of The Game!
• Hardware, hard to break into without having to deal with the software behind it
• Software side has to be CONTINUALLY updated because with every update to this thing and that thing can cause security vulnerabilities to any given software at any given time 
• The name of the game for hackers is to figure a way to get into software, to get into computer to steal your stuff

[5:35] - Look at Microsoft office (this is what we are going to dig into today) – when do you have to replace it? The end of life?

[5:50] - Oldest version of supported Microsoft office today:

• End of life Office 2010 is October this year (2020) 
• So “technically” it is still ok today…
• But if you are running windows 7 you are so much more likely to get hit with a virus than windows 10

[6:45] - When should people update their software?

• Joe always advises to upgrade “on your own terms”, last thing anyone wants is to be smashed into a corner
• Doesn’t make sense financially, everything is always going to break, so many roadblocks
• Financially, it costs SO much more to wait until last minute
• Don’t wait until you’re painted into a corner… 
• Want it to be on your terms, so you can prepare, and when those roadblocks come up you have wiggle room, and probably end up saving you some money. 
• Have a plan, get some solid advice!

[9:00] - QBR – (Quarterly Business Reviews)

• Once a quarter we go and talk to the person who makes business decisions
• Discuss future of your company looking like
• Do we Expect any grand expansions?
• I noticed your phone system is going out of date, maybe last year I would’ve come to you saying we need to upgrade office 10 

[10:04] - Budgeting is #1 want to be able to spread that money out, it always costs less, it definitely costs less to do it right once, then do it wrong 2 or 3 times… 

[11:43] – Email migrations: Story from a fellow IT guy

• This company has been neglected for 10 years
• Still running exchange 2010 and Office 2010…
• Exchange is the actual office mail server itself (done back in January, no longer supported by Microsoft)
• Stupid – using exchange 2010
• Irresponsible – using office 2010 

[13:15] – Still Using Exchange 2010 

• Can we migrate exchange server from 2010 to the current version exchange server directly? The answer is NO.
• Have to have a 3rd party
• Download all emails to hard drive
• Convert to other form
• Upload those into the cloud
• There is not a direct migration path from 2010 to a newer server 

This is perfect example of this costs way more ignore versus just to do it up front and do it right. 

 
“Server 2003 still existed in this company… Windows 95...” That is just stupid. 

[17:00] - Ransomware, bank fraud, now they have your exchange system, they are faking your emails to any and all of your contacts..

[17:30] - Paying an IT guy and he is promising the world, but how do you know he is giving sound advice, as far as strategy is concerned? 

[18:15] - Schedule your online meeting today!
Go to www.master-computing.com/discovery to book your 10-minute discovery call. We'll ask some key questions, you can ask questions, and if we're a match made in heaven we'll build you a custom technology roadmap. Don't wait until you're painted into a corner, take charge of all things technical within your organization.

SHOW NOTES:

Today we are going to talk about slow computers, get a little more into the productivity side of things!

[1:25] - People pay a SIGNIFICANT amount of money, then, when we give them advice (sound advice btw!) they’ll think “oh you are just trying to sell me something…” Guys, we’re here to take care of your network, to help your business grow, to help you be more productive, and make more money yourself! We’re NOT trying to rob you when giving you advice I promise you that…

[1:54] - Today we are going to talk about what’s SMART when it comes to technology, and finances in general. What’s smart is to not spend money just to have a cool gadget! I don’t ever recommend that to any of my clients or even do that to myself.

[3:00] - Another thing we do not advise people to do in the course of doing IT consulting… You probably don’t need to stay on the cutting edge of everything of everything. 

[3:17] - The smart approach here is to develop a solid strategy for your business and spend exactly the amount of money required to execute on that strategy. Buying right. 

[3:45] - Stupid is saving money at all costs… What I mean by that is I’ve watched people spend a small fortune just to save a few pennies… 

How do we tie that back to slow computers?? (Keep listening)

[4:03] - It is not a smart decision to operate on ancient equipment. Period. 

[4:14] - There are at least a handful of Windows 7 machines still out there in the wild… 

[4:26] - Fact: stores stopped selling those (Windows 7 machines) back in 2013. Over 7 years ago, and we personally still find them EVERYWHERE if not in the whole operation.  

[4:50] - Another fact: Microsoft is no longer supporting it, so unless you’re paying Microsoft a premium right now to have them come and specifically look at your machines, then you’re NOT getting any of those security patches and hackers are just living and thriving in those Windows 7 machines! 

[5:25] - What you DON’T SEE – what’s not working anymore – is the security features. App developers aren’t making any apps for Windows 7, your printer won’t work next week, etc…

[7:20] - What is the age we recommend for a productive workstation, in a business, trying to make money, keep clients and customers happy? 

We recommend 3 – 5 years in a professional, business environment. 

[8:20] - We extended it “to 5 years” because people will give push back when trying to tell them what they really should have. 

But the reality is, beyond 3 years you will start dealing with frustration from your end users. 

[8:45] –  3 to 5 years is irresponsible but after that, a computer that is 5+ years old, that’s STUPID. 

[9:37] - The largest expense in most organizations is YOU the employees, is the largest expense I have to deal with month-in month-out 

[10:10] - DOING MATH: 
For a Minimum wage employee in the state of Texas asks for 2.4% raise is that worth somebody’s happiness? (The answer is YES) 

[11:50] - The lesson to point out here is that it’s a matter of perspective. We understand that we have to watch every dollar we spend, but man, only 2.4% to make a difference in somebody’s life and the emotional distress they’re going through. 

[13:40] – MORE MATH: 
For someone who earns $50,000 a year as a percent of their payroll, a DECENT computer for them is 0.9% of their payroll.

[14:27] – Now, if we’re talking about these guys that are pulling in 6 figures $100,000/year doing it as a % of their payroll, now we are at 0.3%. ONLY 0.3% of their payroll. This is a rounding error to give people good technology… 

[15:17] - The guy whose time is worth the most is stepping over dollars to pick up pennies…

[15:26] - We talked about the emotional impact, productivity impact, and technical challenges introduced to not have adequate equipment, treating our employees the way they should be treated is such a SMALL percent of the investment that we make in these people

[16:02] - The SMART thing to do we highly recommend getting a professional evaluation of where you are at, what you’re trying to accomplish with your business, then the formula with the right tool set to accomplish that! 

Master Computing will do that for you in a 10-minute phone call. No charge, no strings attached!! We will simply tell you where you’re, what you need to do with that, and the right tool set personalized for you to accomplish it!

Book your 10 minute Discovery Call today!  Go to: www.master-computing.com/discovery 

• At [5:30] we talk about the #1 thing people do we wish no one did when it comes to passwords...Is this you?
• At [5:50] we talk about a CEO that we saved $20,000 that could have very easily gone the other way. a mistake and we share a story where a CEO used the same password and if it weren't for us he would 
• At 7:00 we talk about your credentials becoming available FOR SALE on the DARK WEB and the reason Justin changed his password he had created 15 years ago after finding out his were for sale on the dark web and how his credentials were for sale 
• At [10:05] we talk about some simple things you can remember when creating a password that can help protect your information. 
• At [15:25] we talk about the #1 best way to stay secure and why this prevents any kind of hacker to fake being you and stealing your identity