Full transcript
Speaker 1: Welcome everybody to episode 84 of UnHacked. This is the tenth in our little mini series. Mario, I'm not sure it's so many. We've been talking about this for what seems like forever.
Speaker 2: Over two months now. Over two months.
Speaker 1: Yeah. And don't forget, these are the basics. I'll probably keep saying that. Jesus. So, let's do some quick introductions.
I think people if you're listening, you already know this, you're bored out of your mind. But so what? I'm Justin Shelley, CEO of Phoenix IT Advisors. And at our company, what we like to do is help businesses use technology to build their wealth, build their business, get more clients, make more money, and then protect that from the infamous Russian hackers. The government fines and penalties because they've always got to have their peace.
Then the class action lawyers who are come out along and you know, hoover up whatever's left after your whole world's blown up. So we like to prevent all that because it's a really bad day. Mario, tell everybody who you are, what you do, and who you do it for.
Speaker 2: Yeah. Mario Zaki, CEO of Mastech IT located in New Jersey, right outside of New York City. We specialize in giving business owners peace of mind, knowing that their businesses are secure. And we do work with small to medium sized businesses in pretty much nationwide, not only protecting them from those Russian hackers, but from all other hackers, lawyers, and the new type of ambulance chasers.
Speaker 1: You're non discriminatory. Equal opportunity hacking. I don't know. All right. So like I said, we've been going on about this because I Mario, do you remember?
It's been a while. I think it might have been two years now. We did a like a month long. I think it was October Cybersecurity Awareness Month where we're like, let's break it down into, I don't know, three or four parts. Protect your data, protect your people, protect your technology policies and procedures, right?
And I'm like, that's it. It's simple. And now we're kind of revisiting that, doing a little bit more of a deep dive. So we've already done nine of these things. And I'll be honest, when we've started this thing, I kind of expected our audience to drop off because it's boring.
But as we mentioned last week, we've actually been seeing exponential growth and downloads and interaction. And so I'm glad that people are finding this content useful. I'm just going to make a shameless plug right now. You know, if you know business owners who need the information, please share, help us get the word out because I mean, really, there's nothing in it for us financially. We don't, you know, we just sit here week after week and we educate and we try to help the community.
Help us do that. Help us not have to spend a bunch of money marketing because it's all good, good information. All right, pitch over. Today's topic, we, you know, last week we talked about cloud and software as a service security. Today, again, is going to be a little bit of a repeat, we're talking about vendor risk and third party access.
This is not the first time we brought it up. Repetition is by design. But it does definitely fall as one of the key components of basic cybersecurity. So Mario, I'm gonna, I'm gonna throw this to you to start with. And I just want to ask you, have you ever done this for your clients?
Have your clients ever come to you and asked for any version of a vendor assessment? Does that ever come up in your conversations?
Speaker 2: I mean, I I off the top of my head, I don't remember last time they wanted us to analyze a vendor. They usually will do, you know, their due diligence and checkout and maybe demo the product and stuff like that, but they won't necessarily they come back and say, do you think these guys are secure? What we do see a lot is, you know, we have customers that will reach out to us and say, hey, we're looking to work with this company or prospect or subcontractor or, you know, general contractor, and they've sent us these vetted questions. Can you help answer the IT questions that they're asking for? And they're pretty much saying like, you know, how often are they updating?
How, you know, is 2FA, you know, enabled throughout the company and so on.
Speaker 1: Yeah, I don't know that it's every client, but I'm with you. Several of our clients have come to us with this questionnaire and they just kind of throw it at us and say, hey, you know, my insurance company or this vendor or that client is asking for this information. Don't know, fill it out, you know. I can't speak for them, but I can speak for my perception of their, you know, like this just seems like an annoyance. But what I what I would love to do today is, you know, teach the audience that this is kind of your golden opportunity to follow the example.
If if people are vetting you or us collectively, it tells you that there's something to this and that this is probably pretty important. We should probably start turning this on its head and taking that same questionnaire or you know, our own version of it and pushing it out to our vendors, our contractors. Because you know, I should have pulled the number. I was looking at statistics and I wanted to use it but then I saw that the it was from 2019. So I'm like, I don't know, can't use that, but I'm gonna anyways.
What I saw was that the average business, I'm assuming we're talking about very large businesses, but the average business has 89 vendors that have direct access into their network and or their data. Now, here's the pop quiz. I'm throwing this out to the audience and I'm going to start putting this stuff out on social media. Really would love to know your feedback on this. How many vendors in your business have access to anything proprietary or personal or otherwise you know that what data that should be secure?
I'm not gonna, Mario, I'm not gonna ask you to answer that on the spot. Because I'll be honest, I don't know my exact number, know, but I definitely know my key players. We've got some key players that if they were breached, we're cooked. Like that's that's a bad day for all of us. Do you do you remember episode 34?
Speaker 2: Yeah. Yeah. With the coffee, right?
Speaker 1: With our good our good friend Robert Trophy. Chofie. Chofie. Chofie. I, He taught me how to say his name and then I just butcher it every time.
Hopefully he's listening. Great guy, great guy. But he went through the most nightmarish thing that any of us can imagine. And, you know, we in this industry have to be especially careful because if we get breached and this is the stuff that I'll be honest, and Mario, I'm gonna out you a little bit. We're talking about this before we hit record and it's like, do we talk about this?
Do we admit that you know how vulnerable our industry is? And you, dear business owner, dear customer of MSPs, do you understand how dangerous the relationship is with your MSP? And if you don't, that's probably more scary than knowing the reality of it. So I do wanna hit it on the head. And you know, going back to episode 34, I am so grateful that Robert was willing to come on and talk about his story.
You know, you know what, Mario? I'm gonna punch you because I feel like I'm talking a lot. Just in like, give the elevator pitch thirty seconds. What happened to to Robert and his business?
Speaker 2: So he is an MSP and one day he came in and found out that not only was all his computers encrypted with a ransom note, but all their all his customers were encrypted with a ransom note. So his remote management software got breached by a hacker and they ended up pretty much going in, pushing a code using his tool to all his customers, you know, and it wasn't just, like, something that you could easily just push a button and undo. Yeah. They they had they had spent, I think, said weeks, if not months.
Speaker 1: With, you know, Trevor. Like, he a lot of, you know, I love to say this about our industry that you know, we can come together in cases like that and a lot of what we might call competitors, You know, other other IT companies, other MSPs in the area, out of the area rallied around him and that's one of the things he's done moving forward is is he's working to build a community of MSPs that that do come together in cases like this. So again, my hats off to him. But what I love about it is that he was able to come through this. He came out the other end stronger.
Was it a nightmare? Absolutely. Is he in a better place now? I would say yes. I think he would say yes if he was here.
So I want to make this example of how dangerous our vendors can be and how important it is that we vet our vendors. I will say in this case, you know, because I'm never gonna scare people without giving them a, you know, like how do you fix it? And know what I asked Robert, was like what did you learn? What was the lesson? Because it's not like he was working with a vendor who he hadn't vetted.
This is a very well known security vendor and there's other examples of security vendors who have been breached. SolarWinds was one. It was breached by, I don't know how many people up the supply chain, how many companies up the supply chain where that vulnerability was introduced. But when I asked him, I said, Robert, what did you learn from this? Could you have prevented it?
What would you do different? His answer was frameworks. It was just one word. And I have lived and died by that ever since. And part of the frameworks, know, so I've got a platform where I can go through all and by the way, a framework is just a list of kind of questions, guess, or things to check off as far as security goes.
These are the industry standards, the best practices that we talk about frequently. And one of the assessments that comes with my pack of you know frameworks is a vendor assessment. And I've used it. I'll tell you the first time I used it when I started asking the vendor to document your order to provide documentation of their security. They went quiet.
There there was no response. They had to run it up the legal chain. They had to run it up the flag over here and the flag over there. And I never got anything back from them. So I refused to do that integration.
And it was it got a little tense with my client because they're just like, we'll accept the risk. And I actually had them sign off on it that they would accept the risk. It's like, I still can't do that. I still cannot do that for you. So I went and I built my own integration.
At least I know what's going on and I know where that data lives and I could protect it because this vendor wouldn't do it.
Speaker 2: What Speaking speaking from, like, a a vendor or developer, you know, point of view, and and we I've you know, I think I've talked about it on the show a couple times. You know, we we spent some time developing, a system that we're, you know, sending text messages for patients and stuff like that, like a patient reminder. And, you know, the first phase is kinda getting everything together, you know, making sure it's working, testing it, and trying to get as many people on the platform and stuff like that. Secured, you know, that's your main focus, is pretty much getting people, you know, you've invested money and you're trying to get people on or or companies to purchase the product. And then later on, you'll go back and improve anything, fix some bugs.
One of the things that we and I don't wanna say I purposely did. I did I definitely didn't purposely do it, but looking back at it now, and this is something that I did, like, you know, many moons ago. Like, if I were to do it now, the first thing that I would be focused on is doing it securely, making sure that everything is secure. And now, you know, the big thing right now in in 2026 is AI, you know, and people are, you know, programming, developing stuff. I mean, we're doing it ourselves.
You know, we're doing different platforms and and building stuff for customers. The first thing that I'm putting into AI is this has to be done securely with, you know, proper, you know, encryptions and stuff like that. You know, we the stuff that we're building, we're using like Microsoft, you know, single sign on so that way easier to track, you know, look at previous episodes that we've talked about this stuff. But, you know, in your example, those people probably all that, know, they're probably new, they probably reached out to your customer, you know, the price was probably right, it was probably resolving a, you know, pain point for them. And the fact that they weren't actually easily answering, you know, security questions is probably because they didn't give it much thought.
They probably thought as long as we put in a username and password, we should be secure. But Justin, as you know, there's hundreds of other factors that go into it.
Speaker 1: Well, in this particular case, and I'm I'm not I don't know if you're talking, who didn't give it much thought? Was it the client? Was it the vendor that I was? The vendor. Okay.
So the thing about the vendor is when I started probing, they were pointing to a third party. Like they didn't even develop their own software. And I mean, was nuts. It was crazy. And I have to be careful what I say.
Here's what I'm going to say. I had another experience recently where a different client came to me and they had been evaluating platforms. They wanted to make some changes and it was a file sharing platform that they need. They're a financial institution. So this is something that's very sensitive, right?
Very, very sensitive. And I love that the first question was not, hey, set an appointment with this company to get this up and running for us, which was the previous example that I gave. This because that other company that already signed a contract, it was like they were mad that this wasn't getting done because it already signed and paid. So the pressure was on huge for me. That's why I got a little bit tense.
In this other case, he came to me and said, hey, is this company secure? Here's what we wanted to do. Here's what we were evaluating and why we're wanting to make a change. But his first question wasn't how do we implement it? It was, is it secure?
I love that.
Speaker 2: That's true.
Speaker 1: And as we started talking here again, and this is the nice thing about where we're moving in the world of technology is we decided that we could probably build something just as secure and less expensive in in another platform. So we're gonna kind of build it out ourselves in I won't I won't give the details.
Speaker 2: The fact that he asked you that question, he must listen to our show.
Speaker 1: I would imagine. I mean, everybody does Mario. The numbers don't lie. Exactly. So, you know, the point here is, you know, we always, you'll hear me talking about the weakest link is this, the weakest link is that.
In the security world, it really can be said that the weakest link is your least secure vendor. And the problem is, it's really, really hard to know. So I mean, so let's let's go with that. How do we know that the vendors we're working with are secure? Mario, what are your thoughts there?
Speaker 2: How do we know? We don't know unless we ask and we ask the correct questions.
Speaker 1: I mean, there it is. So step one, ask the right questions. Let me if we go back to some of our earlier episodes in this little mini series, we've talked frequently about if we don't know what we have, we can't secure it. So this is another example where step one, I mean, maybe this is step half, you know, have to know what vendors have access to our systems. And Yeah.
You know, if if nothing else, you sit down with a pencil and paper and you start writing them down. What different applications do you use? And what kind of data do they have access to? And have you vetted them from a security standpoint?
Speaker 2: Well, I mean, let me circle back to, you know, a couple of seconds ago or a couple of minutes ago, you know, we were talking about and we were hesitant, you know, we weren't sure if we wanted to mention this about, you know, Robert Coffey, I'm gonna say Coffey, but you know, Choffey. We're gonna spend half of the episode talking about his name. But you know, other IT companies or IT guys or MSPs, the problem in, you know, what we see a lot is whenever we're working with a one man shop or, you know, I was a one man shop for a long time, problem is, you know, investing in the right tools, you know, so your IT person company has access to your servers, has access to your Microsoft three sixty five, to all your computers and stuff like that. What are the, you know, even when, even if you're vetting a new MSP or you're, you know, wanna during your quarterly business reviews with your existing IT person, you need to ask that you need to vet and say, okay, well, what are you doing to keep our existing data secure? Yeah.
You know, because, you know, me and you were sitting there talking and we were like, okay, well, you know, do we talk about this? Do we wanna, you know, call out anybody else? And, you know, we decided like, well, we know we're doing it because we've seen, you know, a colleague, Robert, do it and he put in some safeguards in place and, you know, he has the proper checks in place and we did the same thing. You know, we know that in order to access any of our customers information, you have to be in our office, you know, you can't just remotely, you know, I'm sorry, you can't just log in from anywhere, you know, we, yes, we can use the VPN and connect to it and stuff like that, but you can't just connect, you know, to any of our customers' computers just randomly from like a Starbucks, you know, do you have, you know, does your existing IT person have that? What kind of MFA, you know, connections do you have?
You know, how are you, where are your passwords stored and stuff like that? Because, you know, unfortunately some of these smaller IT people, they invest in that stuff until they start making, you know, more money or they are required to do it by certain customers and they don't really put that into place. So they will, you know, a lot of times we'll talk about how's your IT person connecting? Oh, he's got TeamViewer installed on all the computers. And by like, right away, that you know, you see that you you know, when I see that, I cringe right away because, you know, TeamViewer is one of those systems that if it's not, you know, installed correctly or not used the paid version of it, can be very, you know, unsecure.
Speaker 1: Right. And as you're talking and realizing we probably need to clarify a little bit because this is very similar to what we talked about last week. We talked about cloud and SaaS security, software as a service. There's a whole lot of overlap here, but this is like you just mentioned, this is when we've given other people access into our systems. So TeamViewer is a perfect example and we've talked about that one in the past, especially in the world of manufacturing.
It's really common for a vendor to come in and install their remote access software so that they can keep the plant up and running. I mean, that's important. But then they either forget it, it wasn't secure in the first place, whatever, but that becomes just a wide open door for somebody to get in. And so, you know, this is kind of the homework for you as a business owner on this episode is to look at all the places where you are exposed to the outside world where they can get into your system. And as we've already said, it's really complicated right now to define that system.
Where are the boundaries? I don't know. You know, you do have to that's why there's so much overlap. Is it your your HR software? Is it your IT company and how or any outside support that has remote access into your system?
I mean, every time we go do an assessment, Mario, we find remote access that somebody has that's been left open. Right? I don't think I've ever seen it not be there.
Speaker 2: No. I I've never seen it not there. And sometimes I've seen it from the IT companies prior to them and even prior to them. We I've gone I've gone on to, you know, you know, done assessments or, you know, new customers, and we've noticed they've had LogMeIn, they have TeamViewer, they have, you know, you know, Ninja, they have they had so many different softwares. And then when you ask their existing IT company, how are you remoting in?
They're like, oh, well, we're using Microsoft Word Connect. Then we're like, who the hell is using all the other ones then? You know? Right. And there's some cases where it just sits there lingering around because it was not properly uninstalled when they the other IT company took over.
And guess what happens? Either one of many things could happen is somebody still has access to it or it's a software, a remote access software that over there that is not being monitored and patched. Exactly. I was gonna say that. The biggest problem is if it's not patched, it can be a huge issue.
Speaker 1: Yeah. And and here's okay. So this is and I'm I'm a little aggressive with this one, but my personal philosophy on this when I find a remote access system of any sort, if it is not documented, shut it off. Like let them complain at least then I know who's using it and for what and I'll go back in and put it in the right way or you know, check into it. But it's it's a little bit intimidating, I think, to go in and just start slashing software that you don't know, you know, what's it being used for.
If it's not documented, it's unsafe. Get rid of it.
Speaker 2: Yeah. What I'll do is I'll ask like the office manager or the owner like, hey, I noticed you have this. Do you know what that's used for? If he says no. Okay.
Speaker 1: It's gone. Yeah.
Speaker 2: And yes, in some cases it's a couple days later, somebody will say, hey, this person is trying to work from home and they can't connect. Then at least then we know we document it. We're like, okay, they're using this and this and this. Right.
Speaker 1: All right. So Mario, this one, I wanna keep intentionally short today. We're all long winded, short is relative. But do you have any anything else you feel we've missed? I think we've said it all, but do you have any any closing arguments for today's episode?
Speaker 2: Pretty much just emphasizing like what we talked about before. You you know, a lot of times people are asking you questions to see how secure you guys are or what, you know, do you have in place that is gonna protect them, you know, if they partner with you. You should be doing the same thing with your customers, your vendors, your partners, or even subcontractors or anything like that. You know, like, we work a lot with the construction industry and we see a lot they they'll work with, like, a small, like, shop, like an electrician or something like that. Those people never have the security in place that they need, and that's where they may have access to shared documents or SharePoint or even just sending you an email because that's going to come right through spam filters.
They may use them as a springboard to get to you. So you need to vet the people that you're partnering with on a regular basis.
Speaker 1: Yeah. Yeah. Absolutely. And I'm gonna repeat what I said and and I've said it on several episodes because it it just continues to be the the place where we need to start is. And I mean, I don't care if you legitimately are using a pencil and paper, or a spreadsheet or whatever.
But write down every vendor that you have. And and maybe we've got a column for do you even know what access they have into your system? And I'll say if you don't know, you're not alone, because most businesses don't know it. This is one of those things that creeps and sprawls and gets out of control. And it's got to be reined back in.
So step one is just write it down. And I don't know, you know, you can bring your IT partner, your MSP in into this because they can run a report on all the software that's installed throughout your entire network. These days, it's pretty easy because you can take that list and throw it into AI and say, spit out a list of all of the remote access, anything that needs to be secured, know, you can you can kind of throw that into AI. And you know, because otherwise, it's almost impossible. If I run a report on what software is installed on even a small network, it comes back with thousands of of applications.
Yeah. Because it includes everything that Microsoft builds, everything that Adobe builds, every you know, it's like it's a very unwieldy list.
Speaker 2: But you could also with using that same tool, you could also tell it, let me know which ones are outdated or significantly outdated. Yeah. And then and then you can, you know, narrow down the list. Like, We don't need any of these remote tools. This stuff is outdated.
And that's where you may wanna have a conversation with your third party or sorry, with your, like, IT company, MSP or whatever. Like, find out are you doing third party patching? You know, why are you not updating QuickBooks or updating, you know, Adobe and stuff like that? And maybe it's something more that they can do for you.
Speaker 1: Yeah. And and I would say, you know, that's this is this process as to how to find the stuff that you don't know about. Also go through and I use this process to backup data for our data backup and retention policies. As we just go through the business operations. How do you bring clients in all your sales and marketing process?
What software is used for that? How do you deliver your services? What software is used for that? How do you bill? How do you do all your admin work?
What software is used for that HR, finance, all those list all those things out. And then you run some sort of a risk assessment on them, or at least a column that you check off. Do you know, yes or no, what access they have and what access they don't have. And then just start closing those gaps. Right?
That would be would be my best advice. And I apologize. Obviously, forgot to mute all my phones before I started recording. Got this goddamn ringing in the background. So And,
Speaker 2: you know, Brian is not here, but this is also something it's, you know, that I wanna say it's not a setter or forget it. It's it's, you know, it's something that you constantly have to do, you know, little by little build up. I you know, you know, one day you're doing your the software is on your computer. One day, you know, the who has access and what applications have access to your Microsoft three sixty five. You know, that single sign in that doesn't just magically because you have a three sixty five account, it works.
It actually has to link into your three sixty five platform. And you're able to go in there and see what applications or it's called enterprise applications that actually has access to your Microsoft three sixty five. Some maybe one of your employees is using it, you know, without your knowledge.
Speaker 1: And Right.
Speaker 2: You know, and knowledge is key. If you don't know, then you can't protect it.
Speaker 1: Yeah. For sure. All right, Mario. I said we're keeping it short. We're at thirty minutes.
It's a little short.
Speaker 2: It's not bad. It's one of our smaller ones.
Speaker 1: It's it's a yeah, a little bit. So I'm just gonna say what I always say here. Get a third party assessment, bring somebody in to help you with this stuff. Do your own due diligence as a business owner, because a lot of this stuff you need to be tracking on your own. But the stuff that's harder to find, where you need somebody to run an inventory on your your entire network, bring in your MSP and hold their feet to the fire a little bit.
That's that's your best bet here. So kind of wrapping this up with the question of, you know, as a business owner, do you know, all of your vendors? And do you know who has access to what? Again, I'm gonna I'm gonna throw this out on social media, and I'm gonna try to get some feedback on that. Just kind of get a gut check on what's important to people and how we can better help.
That will all be available on unhackmybusiness.com. Go there for today's episode. Go there for the surveys that we talk about all the resources. That's where those are going to live. If they're not there yet, we're working on it.
And this is not my day job, I am admitting I'm a little bit behind on some of this stuff. But there is good content there. So Mario, go ahead and say goodbye. I'll say goodbye and then we're gonna get out of here and we'll see you guys in a week or so.
Speaker 2: All right guys, thank you for joining us. And just remember if you need peace of mind, if we've worried you enough and you need peace of mind, reach out to us and we'll be more than happy to help you narrow down your list and point you in the right direction. And Justin has never said this and I don't think we've ever said this, but like and subscribe.
Speaker 1: That's right. Help us get those numbers up. Listen, we are trying to provide a free service to community. So all that help is appreciated. With that, I am Justin.
Remember, listen and take action and keep your businesses on UnHacked. UnHacked. We'll see you next week.