Season 1 Episode 45: MFA is the perfect way to stop thieves from accessing your stuff
This episode has been lightly edited for context and clarity
Ruthy You’re listening to the Team Nerd Tech Show with your hosts, Tim Gillen and Ruthy Kirwan.
Tim Well, hello nerds, Tim Gillen, Terrapin Networks, Traverse City, Michigan, your team nerd, head nerd for the Team Nerd Tech Show. Thanks again for joining us this week.
Every week here, we give out a little small business tech digest on all the tech news and tech tips of the day.
Oftentimes we do that with someone that we chat with. We have a guest today, which will be fun, and we’ll be getting to Rob Pritchard in just a minute, but we want to remind you that this little tech digest we do is primarily for small business, small companies, the small office.
And we define ‘small business’ down to 15-20 computer users. So a lot of you in Northern Michigan and around the country and around the world have small companies and wanna utilize technology in a proper way, an efficient way, an effective way, in a safe way. To really optimize your staff in order to keep your company both small and profitable.
A lot of us as smaller companies like it that way. And one of the ways that we can stay small and still grow and still stay on top of things and still safe, is through technology.
So that’s what we’ll talk about with our guest today, who right now is in France, but hails from England, so we have an international flavor today. Please welcome Rob Pritchard.
He is the founder of the Cyber Security Expert firm, which is a great domain, the cybersecurityexpert.com. That’s a good domain!
And he’s also on Twitter, @thecybersecexp. We’ll have all those links on our show notes at the teamnerdtechshow.com.
Before I get too far in though, let me introduce our co-host and producer from Queens, New York, here with us every week, Ruthy Kirwan. Hi, Ruthy.
Ruthy Hello, Tim, how are you this week?
Tim I’m fine.
Ruthy Good. I’m very well, thank you. Like you said, this is episode #45, and we’re going to have all the show notes and any links to help you get more information on Rob or anything else that we speak about in this episode at teamnerdtechshow.com.
And you can also always give us a call or leave us a voicemail. If you’ve got a question or an issue about any episodes that you listen to, our phone number here is (231) 668-9175, or you can send us an email at teamnerd@terrapin.tech.
Okay, so I’m going to hand this back on over to you and you can welcome Rob into the fold, and we can start our episode right there.
Tim Good. Rob, welcome.
Rob Hello.
Tim Hello. Thank you Rob Pritchard. Tell us where you’re sitting now. You’re in France right now.
Rob I’m in Chamonix in the Alps. I love the way Americans say Chamonix. It’s very cold, and I’m looking out one window at very heavy snow falling.
Tim Wow, that’s great. I’ve never skied at Chamonix. We’re skiers up here, but I understand it’s just out of this world.
Rob Yeah. It’s great skiing. It’s really good. We’re famous for it. So yeah, it’s a good start to the season actually.
Tim Terrific. So, you’re from the Cyber Security Expert, based in the Midlands area of England. Why don’t you tell us a bit about your firm and what you folks do and your location and so forth.
Rob The company’s UK based, but we have a French company as well, with the same name, same domain, just two registered companies.
Although we do a lot of work in the UK, I also do quite a lot of work around Europe and even all over the world in fact, with training, things like that.
So we do a range of things. We have a range of services. We work with small businesses on security monitoring. We do consultancy where we go and help people with cybersecurity issues, whatever those may be.
We’ll help them get started and help them build a strategy or get accreditation if that’s what they’re doing. And we do a lot of training as well, including capacity building, things like that. We’ll help companies train their staff, or build security operations centers and things like that.
And it’s more of that type of work which takes us all over the place.
Tim So you have a staff as well, just from looking at the website here at cybersecurityexpert.com, and you do both remote training as well as on-site training.
Rob As you see on the site, it’s not a very big company. We work with a broader network of consultants at other companies. We also do some remote trainings and remote awareness training, as well as the onsite experience.
Tim Have you done much work in the States?
Rob I haven’t. I do try. I used to work and travel to the States quite a lot back when I worked for the government, but I haven’t since then.
Tim But obviously, your remote stuff would be just as applicable for us here in the States, especially on the small business side.
Rob Yeah, absolutely. That’s the whole point.
It means I don’t have to travel, but it’s also more cost-effective to deliver to small teams and people who live all over the world.
Tim So, one of the things I want to ask you is about politics and cybersecurity. As a point of reference for our listeners, yesterday was the parliamentary election in the UK, and of course, the overarching thing of it all is Brexit, with the Remain side and the Leave side, and so forth, regarding leaving or staying in the European Union.
My question for you is, with your government experience and with the recent elections, especially considering that we’re having an election in less than a year here in the States, do you see much difference between parties in your neck of the woods?
Do you see much difference, in the way different parties deal with the governmental side of cybersecurity and the focus on the business side? Is there much tension there or do you see a pretty good level of agreement on the cybersecurity side of things?
Rob So in the UK, in terms of cybersecurity, it’s a big issue for me in particular, of course. It makes headlines when people get hacked, and many voters are at some point involved. So that is often their first thought when they are walking into the polling station.
When I joined the government in 2005, we had Labour in charge of Parliament. They’re the equivalent of your Democrats. They were in power and they had been for quite a while.
At that point, they were very well established incumbents by far. Whilst I was there, cybersecurity became a bigger topic. Certainly by 2009, the Labour government had a cybersecurity strategy.
And then in 2010 when there was another election, the Conservatives won. Although they haven’t, I mean… since then we’ve had a Conservative government and they’ve continued that approach.
Every 4 years, they’ll have a cybersecurity strategy. And the approach may have changed over the years, but I don’t know that it’s all driven, necessarily, by the party ideology.
This is really down to the sort of expertise in government. And what I will say is that I think the government in the UK has done well, for the last six or seven years at least, probably longer, but certainly for that period, with their creation of the National Cyber Security Centre.
The people who are the senior directors and front and center in the public eye in that organization are people who’ve been around the space a long time. They know cybersecurity and the different government approaches over probably 30 years or more. So they (those who created the Centre) know what works. They know what doesn’t. And I think the strategy has, for the most part, been pushed forward regardless of the administration.
Ruthy What was the organization that you just mentioned?
Rob It’s called the National Cyber Security Centre, or NCSC, at ncsc.gov.uk. Actually, I would recommend it as a fantastic resource for small businesses.
Tim Is that a government organization, or is that a completely private organization?
Rob No, it’s government-run. One of the things that the government has struggled with over the years, including the time that I was in there, was dealing with smaller businesses.
You know, we were quite good at talking to defense companies about cybersecurity, and critical infrastructure, like electricity companies, things like that, and critical manufacturing about cybersecurity.
That’s probably 10% of the companies in the UK, or less than that, maybe 5% or something, which leaves out a huge swath of people.
Typically these companies get no guidance from government. And the National Cyber Security Centre has put a lot of stuff online. Some of it isn’t complex, some is more complex, but it’s helpful for a lot of immature organizations that don’t have a lot of resources.
So it’s a really good place to go, whatever your size.
Tim Now, on the consulting side, would you say you deal more with small and medium-sized business, with a lot of really small companies, or are they mostly larger companies? Or do you deal with a little bit of everything?
Rob So, sector-wise, really anything. It’s really small companies that are doing a lot of manufacturing, more than larger ones.
My background is government, but I worked in cybersecurity and finance before that, so it’s not like I’m especially tied to any particular sector.
Really, anybody who wants advice, we’ll give it.
You’ve got to be large enough, to, you know… I have to make a living! So yes, you’ve got to be large enough to be in need of consulting.
As for anyone, I try, although I fall behind occasionally, to stay up to date with blogging.
I keep best practice advice available on the website, at least.
Tim So talk to me then as a person who still deals with that. Would you say that by and large the issues are usually the same whether it’s for a small company or a large company?
What I’ve found is, there are often a lot of the same issues and risks that companies, no matter the size, will deal with. Do you find the same?
Rob Yeah, I mean, the size of your company doesn’t necessarily mean anything to the people who are spreading ransomware. They are more equal opportunity. It doesn’t matter what size you are, they will still trick you into sending invoices.
There are definitely the same sort of threats, and when you’re in there, you see all of the same issues.
In some ways, it’s almost easier to deal with security issues with a small company, like a startup or a small office.
In small companies, it’s often easier to get to grasp what’s going on in there.
You know, if you’re talking about 1500 people, it can be quite hard to unpack the comings and goings of every person in the business. So a small company has the advantage of being able to see just what’s going on.
I think you probably see this in manufacturing more often, because many business owners will buy an expensive piece of manufacturing equipment or a machine that runs on Windows XP, and they’ve spent a lot of money on this, so they don’t want to waste that and may keep it running long past when it’s truly viable for the company.
So really, managing what’s referred to as “legacy equipment”, that can be the first place a company runs into trouble with security.
But the good thing is, it’s relatively easy to manage that.
But I think broadly the problems people face are truly the same type of things.
Tim And those legacy issues truly can be a real issue. The whole point of that early on was to make simple communications easy, and now that’s easier to exploit.
I bet that can be kind of hard to unwind, isn’t it? I mean, on the consulting side, in the discovery part of your business. It can be hard to come in and quickly diagnose exactly what the problem can be with these sorts of legacy pieces of equipment.
Rob Yeah, it is. I’ve seen some companies with equipment running on old NetWare, software that hadn’t been updated since, and I calculated this, I was in college.
Tim I’m sure you’ve got some stories of some of the worst types of things you’ve seen in some of the businesses you’ve gone in to. I’d like to hear one or two.
Rob I think the thing that I see that worries me the most, and which I’ve seen bite people really badly, is the lack of two-factor authentication on office.
And I just cannot emphasize enough how important it is to enable multi-factor authentication, because people will use the same password that they’ve used 100 other times, half of which may have already been hacked by somebody, with those credentials out in the public domain.
Ruthy Tim and I are kind of laughing over here because you’re the third interviewee we’ve had in a row who has answered the same way, that the number one thing they see is a lack of proper multi-factor authentication and weak passwords in general.
Tim Which actually came right after we did an episode of just Ruthy and me on the importance of multi-factor authentication. And it’s such a key point to remember. What’s that site? youvebeenpwned.com
It’s a great site where you can go out there and put in your email, and it’s gonna tell you if your credentials have been hacked and sold, what passwords were used.
You’ll look at that and your jaw will drop sometimes because you realize, Oh my gosh, I still use some of those passwords.
Rob Absolutely. I was recently speaking to a colleague while we were in the breakroom of an office making coffee, and he said, offhand, Oh, my Amazon account got hacked recently.
And I said, well, do you use that password anywhere else?
He said, well, probably. And he gave me his email address. I pulled my phone out and we put his email address in. And I tell you, I have never seen a person more “pwned”. His address must have been on 8 or 9 sites. He was just horrified.
Tim For anyone who asks how they can prevent their passwords being hacked and found on sites like youvebeenpwned, I would say make sure your passwords are secure, use a password manager so you don’t have to remember them, and don’t use a formula that you just reuse over and over again.
Those formulas are pretty easy to get through, too.
While we have a real expert on the line, and again, we are so grateful for your time, can you tell me what the takeaway is for a small business owner? And let’s maybe boil it down to a smaller company. What’s your main takeaway?
Even if we say multi-factor authentication is the first takeaway, what would you say is the second takeaway?
Rob I would say asset management is important and often overlooked. Keeping your assets patched and up to date, having some sort of anti-malware on them.
Tim We say this all the time, too. That it can seem like a hassle at the start to do all this sort of thing, like protecting every single device, but once you’ve got it established, it’s really easy to keep up with.
Rob, thank you for being so gracious to spend some time with us.
Rob My pleasure, thank you, Tim, thank you, Ruthy.
Ruthy Thank you!
Tim Thanks, Rob, thanks Ruthy.
Timestamps:
3:48 What Rob’s company does
6:30 How Rob thinks the new parliamentary government might change cybersecurity in England
9:06 The UK’s National Cyber Security Centre, where Rob recommends small businesses can go for a lot of helpful information
11:36 The types of companies Rob’s firm deals with
13:13 What similarities does Rob see across the sizes of companies he often works with?
15:00 The problem with “legacy” equipment, especially when it comes to manufacturing companies
18:24 What does Rob see as the number one threat to small companies? (hint: this is a must-listen!)
20:22 The site youvebeenpwned.com and how you can use it to see if your password and info have been compromised
23:23 Rob’s number one takeaway for a small business owner who wants to keep their data protected