Ranking Locally: Your Guide to GMB & SEO (Unknown Secrets Revealed!) Ep. 580
Are you struggling to rank for local search terms? Have you ever wondered if creating separate local landing pages for various locations could be the…
In this episode of Best SEO Podcast, join us for an enlightening conversation with 16-year cybersecurity expert Clayton Riness as we navigate the complex landscape of cyber threats in digital marketing. Clayton sheds light on common risks like email and text phishing attacks, ransomware, card skimmers, QR codes, and social engineering targeting…
Howdy, welcome back to another Front Field episode of the Unknown Seekers of Internet Marketing. My name is Matt Bertram. Today, I have a special guest for you, Clayton Reines, 15-year cybersecurity expert. Clayton, how are you doing today?

I'm doing well, Matt. Thank you for having me on.

Well, you know, you and I met, I think, through mutual friends over the Christmas break, right?

That's correct.

Yeah. It's great to get to know you. It's funny. You know, this year, really, I don't know if it's an election year or what, but cybersecurity attacks and DDoS attacks, and we have a hosting company, and there's just a lot of activity. We've seen some, I think it's called zero-day, things with e-commerce that we've had to turn over to the cybersecurity community. And you know, I just thought it'd be good to have you on. We have a lot of web developers that listen to this. We usually touch on marketing, but I thought, you know, bringing you in would be valuable for people that listen to this podcast.

Yeah. Sounds good. Definitely. And the numbers are certainly high going into the election year, so there's a lot of activity out there happening.

Yeah. Well, everybody that is listening, I am going to do a solo podcast next. I've been getting a lot of technical questions related to SEO, and really the format with guests hasn't been conducive to that. So thank you all for your questions. Keep sending them in. We'll get to them and answer them. Just know that the next podcast I do, I will focus on that. There's been a lot going on with some of these algorithm updates, but I thought it would be really important, Clayton, to have you on because of all the cybersecurity stuff that we're seeing. So tell us a little bit about yourself just to kind of set the table.

Yeah. Currently, I'm principal consultant at a consulting firm called Tavora, and we do all cybersecurity consulting. I've been there for about 13 years, but before that I really cut my teeth doing IT and cybersecurity work for private companies. But today, I really oversee our technical delivery practice areas. That's all of the penetration testing, incident response, cloud security, and security solution integration and advisory work that we do. So I really see what's happening at our clients, our customers, emerging threats, and we're actually testing and validating controls on a regular basis. That's something we do every day across really hundreds of clients every year. We get to see a good swath of what's working, what's not working, and help people across all kinds of industries.

Yeah. Well, I definitely want to get into WordPress. That's used by a lot of businesses as well as marketers. But before that: phishing attacks, ransomware, social engineering. I'm seeing a lot of social engineering attacks through text message, "click on this link," emails. They're not just targeted at maybe the elderly generation. I mean, they're very advanced. They're targeting me. They have different... I guess our data is out there. There have been so many cybersecurity attacks. All our data is out there, so they know stuff about you. I know one of the things that I do a lot is ask them for their email or call back on the main number. I try to never click on links. But maybe you could just speak, in general, to some of the common cybersecurity threats, like those phishing attacks, ransomware, social engineering, that sort of thing, and maybe some preventative measures.

Yeah, sounds good. Those are really crimes of opportunity, right? So people think, well, I'm not a target, I don't have anything important, but your stuff's important to you, your data's important to you, and you may be willing to pay money to retain interest in that information that you have, right? So these are basically blasted out. You can get phishing attacks really from all sides, and it's pretty easy to build a profile on someone, right? If I'm really targeting you, I can probably find out where you went to school, where you went to high school, what the high school mascot is, who you have relationships with. I mean, let's not forget, there are data breach databases out there that have tons of information, and the LinkedIn data breach from years ago still bears a lot of fruit, because I can see all your relationships, I can see all of the passwords that you've used, right? I can really get a sense for what you're all about, and there are automated ways that people go and create crafted emails or spear phishing attacks against specific people. So phishing's broad, spear phishing's directed at you, where I can build a profile against you, right? And really get something that looks and seems legit, like I know who your internet provider is, I know you're using Google, right? All these things can help me craft something that's really interesting and compelling for you, to get that click, right? And even initially, it's about, hey, can I get you to click, and if I get you to click, what are you going to do when this pop-up happens, and can I get your password, and where else are you using that password? Oh, I can tell where you work. Oh, they only have single factor, right? So you sort of unwind from a very innocuous email into something very, very critical to you personally.

Yeah, definitely. I mean, that's certainly not going away, because again, the cost is low to execute, so feed attacks happen, and let's see what happens, right? Even if they get a 2% click rate, that's 2% that they'll run with, right, and use against you.

And then, Clayton, there's a lot of, as you look at social media, certainly when you said two-factor authentication, and I think we should cover that briefly, but I would tell you there have been a lot of social media handles, like the Twitter of a politician, or some kind of news that's going to be released, people hack into that and release it early. That is what I've seen recently with, well,
the Bitcoin ETF, which had huge implications for people trading in the markets. I mean, there are social media handles, and what you could say and publish, something that could be damaging. It's not just Viagra ads anymore, right, or whatever. There's real damage, I feel like, that people can cause by accessing someone's social media. Also, if you could talk to, I really don't understand this completely, but there are people on LinkedIn that say that they work for our company, but don't. There are a lot of people that create Facebook profiles, which maybe they're trying to get a job, I don't know, right, or whatever, but I'm like, I don't know who this person is. And then, certainly, that's something I think the verification process is helpful for, because there was no way to defend on that. You could just say whoever you were, whatever you did, right? There's a lack of verification with that. But also, even on Facebook, I mean, really the weird questions, "hey, do you have a second, can you send me money" sort of thing, I think it's getting overdone, and people are seeing that, but why are people still creating fake profiles? Someone actually just created a fake profile of one of my family members and then friended me, and I'm like, wait, I don't know what necessarily is the end goal. Certainly, sometimes the people show who they really are. There are certainly guys that are acting as cute girls online. I don't know. Can you kind of speak to this world? Because somebody that maybe is not involved in it every day can see what they're doing, but doesn't really understand the whys, right? It looks innocuous, right? It's like, ah, why are they doing that? Maybe I would have thought first, everything on social media has a sales kind of bent, that, okay, maybe they're trying to get a list to send people some kind of spam to buy something. I don't know, but it seems like it's more than that.

Yeah, that's certainly... I mean, the genesis of the internet is full anonymity, right, which is gone, partially gone, right? I think there is value in having some of it, right? You want to be able to speak freely, and sometimes that may jeopardize your employment situation or something else, right? But there's certainly a method and a reason why those fake accounts are created, and it's really about building that reputation, right? So sometimes what we're looking at as well is how long has this profile been there, right? So they want to cook things for a while. We had someone that created a profile where I worked, Tavora, and we were like, who is this person? And it turns out it was years ago, one of our pen testers had created this profile specifically so they could burn it later, right? So you want to get these things created. You want to have them be around for years if possible, and tied to, say, a cell phone account that's been around for a while. Cell phone number reputation is a big thing too, because, I mean, I've got the same number. I've had it for two decades, right? But if you get a new number, we can tell it's a new number, a newly issued number, and that's a red flag. So you want sort of old profiles with old numbers that have been around a while. That's great for reputation and just believability on these fake profiles. That's sort of why they're done, sort of as a hedge, right? They're creating them ahead of time, before they may need them, before they get burned.

What do they do with them? Oh, I got you.

Yeah, it's just like you experienced, right? So someone tried to friend me, like, well, what if you don't know? You work at a large enough firm, you're like, yeah, yeah, I worked with you in this whatever department. You're like, oh, okay, maybe, right? And then you sort of just friend this person, and then they start sending you other stuff later, right? Sort of the long game, right? But they want to appear legitimate. They want to build your trust, ultimately. That's the goal. So they just want to get past that initial barrier, and as time goes on, it looks like a regular profile that you're connected to.

Certainly, I think, on LinkedIn, they've done a good job now. You can only send a certain number of friend requests. But in the past, it was just very noisy. Everybody would connect with everybody, because then you could see other people's connections. And I'm certain there are a lot of people that are under the radar in a lot of people's quote, unquote, networks, right? Which are just sleeping to do something nefarious at some point. There are some people on my LinkedIn that I look at, and I don't remember where we met. Oh, we met, it may have been a vendor I met one time, you know, 15 years ago. We're connected. Like, what if he did something, you know?

You can get profiles like that. They're sort of like, well, I think I know you, but maybe I don't. You're sort of in this gray area. That's certainly a risky place to be.

Okay. So, you know, just what are some general tips in the general arena of social engineering, the phishing attacks, or maybe what are some of the common types of things that you're seeing that are getting people, that are still working? Because I know I look every time at the email, like, where did that email come from? Because many times there's like, Amazon's going to shut down your account or, you know, Apple's going to do whatever, whatever. And then it's from some crazy number. And so, you know, there are telltale signs that you're looking for, but maybe you could just share, if someone's not up to date, because I think technology is moving quite rapidly. Right. And I think a lot of people listen to this podcast because digital marketing continues to change. SEO continues to change and
you need to stay up to date with it. I think it can be easy to get bypassed in other areas. If you're not, I call it riding the technology wave, like you've got to stay up on it, and it's easy to stay up on it. But if you let that wave hit you and you're underneath it, it's just going to pass you by and it's very hard to get caught up. But what are some best practices maybe to, you know, insulate yourself from some of these things, as we move into other topics?

Yeah. Best thing is I basically don't trust SMS or text messages. Right. And I get plenty. Right. Everyone's been to Instagram and you click on a vendor and they hit you with the, hey, sign up and get 15% off. Hey, sign up with your cell phone number and get 20% off, and then you get the text message. Right. Well, the text message can be spoofed. Right. It's just basically caller ID, and caller ID is basically sender driven. You can just set what it is. Right. So you can impersonate someone pretty quickly and easily over SMS. So the trick is don't click on those SMS links, just log in straight to the site. Like, oh, I got a notice that there's a sale happening or whatever. I'm not going to click on that link, but I'm going to go to the website that I know. And then you kind of come in the front door. Right. That sort of short circuits just clicking on random links that get texted to you. Even if it seems legit, or there's a whole history of them texting you previously, usually just shy away from that. I kind of avoid that entirely. When you get email marketing or anything that looks maybe spammy, a lot of it is just, hey, mouse over that link and hover on it. What does the URL look like? Right. Is it Bank of America? Something, you know, that's obscure, that doesn't look like the right domain name? And domain names are secured. Right. So people will get ones that look very close to what you're...

Like the letters off, you know, you've got to be really careful. I mean, some of them are better than others. Right. Like some people spend a lot more time crafting these things than not.

Yeah. We did an attack on one client, and they had an M in their domain name and we replaced it. At the end, there was a domain registered that had an R and an N in replacement of the M. So if you look just briefly in the URL line, it looked almost like an M; it was an R and an N. So you can get little nuances like that that just trick people. And it doesn't need to happen to everybody, just enough people to get them to click and what have you. So, you know, the email spam filters are pretty good. If you're using Gmail or Office 365, it's not a hundred percent. I still get some, but just hover on that link and see, where does this thing really go? Right. And if it's like, hey, log in here and check it out, don't click the link. Just log into the front end and ignore the email and see what you get. Right. If it's an alert, you'll see it when you log into the site.

Okay. Quick question. You made me think of this: QR codes. How do you feel about random QR codes? Scan this QR code, right, and we'll take you to the website, and everybody's putting QR codes on everything. There's no way to scroll over that link to see where it's taking you. It could take you somewhere, redirect you somewhere else. Like you don't even know that your information... there's like a man-in-the-middle attack, essentially. Right.

Yeah. Very skeptical. Some QR codes. I mean, it used to be, you just scan them. It wouldn't even give you a preview URL, but if you do it on an iPhone now, it kind of shows you a little bit, and the same logic would hold there. Like, is this a URL that makes sense? But even so, it's like, oh, I go to this restaurant. There's this QR code. They're not hosting the menu themselves, it's with some third party. It has some weird URL. And you're like, I don't really know. But normally, I mean, you've got to look: is there a sticker over it? Has it been covered? Partially covered? Right. There's always that physical security element. I think it's sort of the same mentality as when you're looking at card skimmers. They still happen on card readers. Right. So you go to that gas pump and you're looking, like, is there a skimmer here? I mean, sometimes we've done a task where we create those custom skimmers and 3D print the plastic and put it in place. So that's as low tech as those can be. Those are still prevalent. Right. And I think QR codes are sort of the same way. Like, has this been added as a sticker, or what's going on here?

So on the card skimmers, I haven't seen it, and I'm not sure how good they are on the actual gas pumps, but certainly when you go into the store, you know, now they have those protectors. Certainly at the grocery store, they have the protectors. Yeah. Because for those of you listening that don't know what a card skimmer is, it sits on top of the actual keypad and it looks identical. Like you cannot tell the difference. There's just kind of this little gap in the back. And I mean, once they get your card, I don't know, what I've seen, a lot of it is that they start adding random charges, like, you know, 10 bucks here, recurring per month, where you don't even know that you're just slowly getting money stolen. I mean, what are the things to look for in physical card skimmers, but also, I'm worried about e-commerce. We've seen some really interesting things with plugins, which we can move into next, not being updated on e-commerce sites. When a new site comes to us, nobody's been maintaining that site. No one's been updating any plugins, and then they want to, like, hey, we want you to host us now. Can we transfer to you? There's a whole bunch of steps where we kind of pump the brakes here and say, let's look at what's going on. Maybe you can start that. That can lead into what we can talk about on websites, as far as card skimmers to e-commerce.

Yeah, it makes sense. Normal, standard operating procedure, I would say, for looking for skimmers is, well, most prevalent is really ATMs. We have some banking clients that we work for. And normally it's because they're sort of bulky and old school and you fully insert the card, right? So that little section, that plastic that takes the card, right, give that a good tug of the pull, and you can pull on it pretty hard. I always do that before I insert anything. And usually the ATM is more prevalent because, one, they want your debit card and PIN, which is more interesting than just a card. Right. Number one. Number two is you're normally kind of distracted. Like you're looking in the mirror, like, is there anybody around? What's going on? You're not really looking carefully at the device where you're inserting your card. So really, just give it a good tug, right? Good pull. In cases like
when you're using your credit card, if you have NFC, you can use the wireless tap. That's much better. Right. Anytime you've got to dip your card or insert it to use the PIN, right, you're inserting it in something that's, you know, a little harder to get. It's a smart card, basically; it's hard to get smart card readers or skimmers. But anytime you're swiping, like gas pumps, you put it in and then you pull it all the way out, there could be a mag...

The tapping is actually safer. Can people pick that up, like through Bluetooth or Wi-Fi?

If you're close enough, like within three to five feet, depending on the reader, you can pick up that card. A hundred percent. Yeah.

Should you be keeping your stuff in a little Faraday bag or something like that?

Some people do that. I have some stuff that I put in storage in a Faraday bag. It is helpful. You have to get pretty close to someone to sort of passively read the cards that they're using for their office. But even that is within a few feet, and that's not hard to do. If you're in the food court at a business somewhere and you can brush up against somebody, you can get those cards, right? You can get a Flipper Zero, that's a reading device, and you can do that pretty readily. But credit cards, at least normally, I mean, the merchant absorbs that risk, right? So even if I do scan the card, I'm in the gas station and someone picked it up and someone replayed it, I wouldn't necessarily be on the hook for that. I wouldn't go crazy for credit card security. Debit card security, absolutely. I basically don't carry it with me. Right.

Me either. Yeah.

Once you get the debit card and the PIN, you're sort of on the hook. So if someone goes and transacts and they pull cash out, you're done. There's really no recourse that you have. But credit cards, most of the time, I'm not too worried about credit cards getting out there, because the fraud protection is pretty good. And even if they don't detect it, right, the merchant's on the hook. So if you're taking cards, I'd be more worried. But if you're using cards, it's sort of less of an issue.

Okay. So there are a lot of small businesses out here that are using a WooCommerce plugin or Shopify. You know, I've seen on WordPress websites, WooCommerce actually, plugins that were really keystroke logging, tracking. It basically somehow got in there, and if you're on that website and you're punching in your credit card information, it's capturing that. It was pretty sophisticated. I mean, what are the things in e-commerce that you can see if you're a merchant, or you're actually a developer building a site, or even a customer? Maybe touch on it from all angles.

Yeah, there's always the sort of "where did the software come from" concern, especially in e-commerce. And if you're using WordPress, WordPress has a lot of features, obviously, and a lot of plugins. Number one issue is just updating your plugins. There's a constant... just be ready, right? There's a constant treadmill of, this plugin is outdated, it needs to be updated, is it going to break something? You've got to be committed to detecting and updating those plugins on a regular basis. And beyond that, there are a lot of third parties that these plugins even use. And there's a big cyber incident around Magecart. So basically what Magecart was, was a plugin to track certain elements of your browsing experience, like where you're hovering with your mouse, right? They want to know how the ergonomics of the site are working, right? But some of their downstream stuff that they linked into was hacked. So there's sort of this almost software bill of materials that you need to understand: what is actually running on this site? And it's amazing. I mean, we do pen testing, we profile some sites, and sometimes there are dozens and dozens of third-party libraries, third parties that are tying in, right? And a lot of dependencies for your feature set that you're relying on may not be fully controlled by you, or even the plugin that you're using. So you've got to be pretty vigilant in making sure that that's updated on a regular basis. And I think WordPress in particular is a target because it's so prevalent, but it's not insurmountable, right? I think if you get to a point where you're doing good security testing of your site, right? Hopefully through some sort of means, right? But also just updates. Updates alone will get you 80% of the way there, because most people aren't, right? Especially on the smaller sites that are hosted by a third party, right? Again, it's a crime of opportunity, right? If you're unpatched and there's a vulnerability, guess what? It's your lucky day, right? But if you're patched, you're doing better than most.

Gotcha. Okay. I mean, going into it a little bit deeper, there are now a lot of sites like Shopify, which has a payment processor built in. We've personally seen with small business sites, because of all those updates, security being one component of it, usability, you know, you talked about CRO, there's a lot you can do, but I've found that because everything's open source, many times one plugin could break another component of another plugin. And the more balls in the air that you have, the more opportunities for stuff to break. We've ended up taking sites that were WooCommerce, and when it was kind of time to rebuild the site every couple of years, it's good to rebuild the site, refresh the brand. We'll build a Shopify store, okay, for the e-commerce component, and then we'll maybe put a WordPress instance on a subdomain, or we'll do the SEO in Shopify. But it was the best combination of e-commerce cart, usability, that's what it's meant for. And then, you know, all the flexibility, and also if you have other team members, freelancers, stuff like that, everybody's familiar with WordPress. You can even separate those, right? So then if you're bringing somebody in, from a permission standpoint, they don't have access to client information, which is good, one. But two is, you're not having to worry about all these plugins talking to each other, like you talked about all the third-party data, you don't know who it is. It's essentially, hey, Shopify, just like Apple, right? This is your app store, this is your responsibility, and then it's all in one place and they can manage it. We found that to be an effective solution. Just curious what your thoughts are on something like Shopify. Is that maybe a better way to go, or how do you view the world in that regard?

I think so. You mentioned Apple, and Apple's philosophy is have the walled garden, right? It sort of works a certain way, and take it or leave it, right? And Shopify is of the same ilk. And I think the benefit is when you're customizing, it's not really custom; there's a configuration exercise that you go through for your customization, versus customizing and almost coding, or doing some light coding. You don't want custom stuff, because that's where you're going to introduce uncertainty and errors and problems, right? You want something that, hey, this is built to work a certain way, I'm going to change the way the page looks and maybe the colors and the logo, but I'm using the Shopify functionality straight through. That's where you're going to be successful, because you're relying on Shopify to go through and do that, right?
You're not
off in the weeds sort of cobbling together a collection of features via plugins that may or may not all play nicely together, right? Because that's the biggest security problem is just complexity, right? I just don't know. And how many businesses just don't know what the level of stuff that's out there because it's too complicated to understand, right? So if you can reduce your complexity, kind of de facto improving your security. No, I really like that point. And I like how you put it too is customization. And there's a lot of people that will add custom code, will build custom sites. You know, you don't have the history and longevity of like, this is tried and true, this is tested, this is off the shelf because everybody wants that kind of customization. But you're saying, hey, you want a configuration of a standardization that you know is safe, right? Versus the customization and that delineation between those two are quite different. But some people when they say they want customization, all they're really wanting is a custom configuration, right? And I really like how you put that. You know, storing customer data, right? And like data privacy, DDRP, speak to that. Speak to that, tell me what your thoughts are surrounding some of those things. So data privacy, obviously mandated by certain governments. So GDPR is big in Western Europe, right? The idea here is you should have forgettability, right? You should be able to say, I want you to drop all of my information that you have about me, my purchase online, whatever, right? So you have to have one, a data classification program. Then you have to have a way of basically confirming like, yes, here's all of your data. And yes, I've disposed of it. And there's a closed loop, right? Pretty difficult to do in certain instances where you've got sort of co-mingled data. In cases where there is a, I would say, a compliance need, there's ways where we can sort of help basically have data stores based on whatever privacy
requirements you do have. I mean, generally speaking, privacy is kind of dead, especially in the United States. You've got data breaches for all the major companies have probably been breached at some point or another. We can find those breach databases, right? There were some large ones for credit reporting agencies for 22 million Americans. I can probably find your full credit history, right? So part of the rub, I think, with privacy is the expectation that you still have some privacy, but you probably don't, right? As defeatist as that is, that's sort of the reality of it. But there are ways that you can kind of protect your own information from misuse and everything from credit reporting and people use the LifeLock, but the really LifeLock does stuff like it just basically blocks people from opening credit cards until they get authorization from you. If you're a little more savvy about how you treat certain critical transactions in your life, you can do a pretty good job of protecting yourself. But the privacy issue, I think, from data security is, I mean, I still have my personal stuff. It's just backed up. Yes, it's in the cloud like everyone else's stuff, but the critical stuff is old storage, right? It's offline, right? It's available to me. You know, a cloud is just somebody else's database, right? Like when they were coming out with like, what is the cloud? Like Microsoft, I remember all their ads. I mean, it's essentially, hey, you know, even like Apple, right? I back stuff up, people hack, can I hack Apple? And you might've taken a screenshot of something that, you know, was sensitive or whatever, and then they back it up and then someone hacks that. I mean, you just talked about like air gap or, you know, having your own servers, which there are ways to do that. But just putting something in the cloud means you're just like you're putting something in the bank. It's somebody else's responsibility. And from what you just said, like every major, let's say
70%, 80%, 90% of everybody's information has been in a database that has been exploited at some point. And that's out there on the dark web. You know, cloud security. I mean, you're just trusting somebody else with your information, right? I mean, there are companies and stuff out there that will go try to scrub your information. But, you know, people stored these databases offline, you know, like, I mean, it's gonna be hard to, you know, once Pandora's out of the box or whatever the analogy is, like it's hard to put it back in the box. What you're saying is any kind of sensitive information you have, never put it on the cloud, put it on maybe like a hard drive that is encrypted or has a key code password or a punch password to put stuff on it. I mean- Or even just a little touch. Get an external drive and put it in your safe, right? That's fine too, right? I think just having some resiliency there, not relying solely on the cloud provider is key. You mentioned something that piqued my, well, piqued my interest on there is, you know, you mentioned iCloud. I'll tell you the biggest, the juiciest part of any penetration test or attack that we would do if we get into someone's iCloud, it's iCloud notes, right? Because what do they put in notes? They put passwords in things, right? If you've got that, that's, it's usually they're aggregated somewhere. Like I just jotted this note down and now it's a password for this thing or this is the recovery key, right? That stuff, just print it out, put it somewhere, right? That's okay, it's low tech. Low tech is fine. If it's offline, you're good to go. Don't keep that stuff in iCloud if you can help it, right? So as much stuff as you can spread out, that's really what, that's really the ticket for personal security stuff. Well, what should businesses do, right? Like, you know, people's, you know, information when they're hiring, right? Like there's a
lot of information, like there's payroll stuff. There's all this information that companies are responsible for and, you know, things are exceedingly becoming more remote and virtual. And so how do you manage that? Like is there, I know y'all go in sometimes to companies, evaluate them, do audits and suggest they do things a certain way. Can you maybe speak to like a small business, some of the things you're seeing? I know even one of the hacks we haven't talked about yet, but I was sitting next to a pen tester on a plane. They were like, hey, no one ever updates their printer, right? Their printer driver is, and if that's on your network, that's one of the easiest ways in. But like, okay, there's a ton of small businesses out there. I've seen even, I was even seeing large businesses and we won't even talk about like license, like people operating on like the proper licenses, like these big businesses. Like we're not going to go into that. I'll not call anybody out, but I've certainly seen like, and I want to talk about SharePoint too, before we go, like intranet. But like businesses of all sizes, okay? I'm not just saying small businesses of all sizes have bad habits, like bottom line. They just have bad habits. Maybe talk about some basic structures or some recommendations, like actionable steps that if someone's listening to this, that runs a small business or is helping out a small business in a capacity beyond, even maybe they're managing a website or beyond that, like what are some things to look for? There's a lot of CMOs that listen to this, that work with IT and IT professionals as well, so. For small businesses, especially around HR information, there is, I think, a tendency to sort of keep too much. And that may be not just HR information. There's like, well, I may need this, so I'm going to keep this, right? And there's sort of this hoarding of, almost hoarding of information. Like you may go into a
business and they've got background checks from people that go back 10 years. Like, well, why is this even here, right? Oh, well, we didn't know how we want to keep it. Would you even need it? Well, no, right? So it starts with how long are we legally obligated to keep this information, right? What's the policy around data retention, data classification? So you don't have to go overboard, but a little bit of thought around, do I need to actually keep this? And we advise a lot of clients in some cases, they want to keep everything. And I want to go back as far as I can. I don't want to have any issues. But even legally, sometimes that can hang you as much as it can hurt you, right? Isn't it like two years, right? Or something like that on average? Something like that? Two years, yeah. Sometimes, or even one year. And some things tax-related, obviously seven years even for businesses. But don't keep it longer than you have to, because sometimes the legal ramifications can even be worse if you do have it, and it can be subpoenaed, and you have to recover all of that. So a lot of what we're encouraging people to do is just keep less, right? Especially if you're a small, mid-sized business, right? You're working with the HR information system, HRIS, just outsource that stuff and have it handled by a dispassionate third party, and have the background checks go through their platform and keep it off your stuff, right? That's a great thing to have hosted. You should not be emailing out, you know, W-2s to each other and all that stuff. That should not be in a SharePoint anywhere, right? Put it in an HRIS, you can pay a reasonable fee monthly, and it's just handled, right? It's sort of the same philosophy as a Spotify, right? Just they're good at that use case, just have them use that use case, and then it's off limits for your team. Talk about that really quickly. Sending sensitive
information. Like certainly tax accountants sometimes are better about it. That's what I've seen of like zipping information in an encrypted file and sending it. But I have seen so many businesses send passwords, send, you know, billing information, send all kinds of stuff, HR information, just in an email, like just in an email, like constantly. There's gotta be better solutions out there that can easily be implemented. I mean, what are some recommendations? Because that's something I, 90% of businesses that I see are sending sensitive information, I believe, just by email. Most people, it happens because it's convenient, right? And there's not a good way for them to actually send secure emails. So there are some platforms that you can basically do secure link drop, like I wanna send this person encrypted message, and it just basically sends them a link, then they gotta authenticate into that link, and then download that. There's, you know, even large commercial pieces of software that do that. But if you make it convenient, people will tend to use it. And there's even ones that, you know, give you like an Outlook plugin, right? Like, oh, I just wanna send this secure, doesn't send the actual email, just zips it up, basically puts it on the web portal, sends the recipient a link, and they can download that link, or it's single use, or it's only good for 90 seconds or something, right? But if you make it convenient, people will tend to use it, which is, you know, I think what we're ultimately after. But there's other ways to do like end-to-end encryption and PGP and other ways. It's sort of clunky, right? If you want like fully encrypted email to be sent all the time to all of your recipients, it's almost so much to manage that you don't wanna deal with it. Do you think ProtonMail or something? I've seen people use that. I think that that's their marketing. I've heard different stories about that. What's your? It's probably fine.
There's some folks that I know that rely on it, but it's not really, I mean, you don't know. I mean, I guess, I think it's hosted in Western Europe, but who has access to it? I don't really know, right? But you can get to a point where if you're managing your own encryption keys and end-to-end so-called encryption, you're not relying on the vendor or the provider in any way, that's where you're gonna be in good shape. But it puts the burden of key management on you and the recipient, which, you know, most unsavvy people will not be able to handle. Like, oh, I gotta share keys with Matt. Oh, Matt, send me your private, your public keys so I can encrypt it. It becomes more of a burden, but that's really the only way to really secure any transmission is you've got to basically have a key exchange, public-private key exchange, and you encrypt it, and you handle crypto yourself, right? Yeah. Well, there's multi-sig. There's multi-sig that you can put different people, and you have two different people putting their keys together to do some of this. You know, like VPNs, it's funny, like VPNs, right? So someone is still seeing your information. Okay, like it's just a different service provider that your information is going through. People think when they use a VPN, all their information's safe, and that's not necessarily the case. It's just a different email provider, right? Or an internet browsing provider that is seeing your traffic flow, right? It's not completely anonymous. Someone is seeing it, unless... 100%, yeah. It gets decrypted on the other end, and that traffic is seen. It looks just... It's in the clear at that point, right? They know what you're browsing, what you're up to, right? So if you're doing crazy file sharing and torrents and all that stuff, they're going to see all of that. But what it does provide, the VPN, it provides your current ISP plausible deniability on what you're doing, right? They just go, I just see traffic. I don't have any legal obligation to act on
it. I don't know what they're up to because they don't want to spend the time, money, energy basically fighting all those fights, right? So... But getting good anonymity online is difficult and takes several layers. And even if that's impossible, people do VPNs, they do Tor browser and all kinds of other ways to sort of become anonymous. And maybe it works, maybe it doesn't. Maybe those systems are compromised, maybe not. Maybe your VPN provider's compromised. Hard to know, but just know that it will just get you basically anonymity from your ISP that you're having at your house or business. Wow. Well, I... Hopefully people kept up with this conversation. Certainly, I think that this was actually a pretty much cybersecurity 101. I don't think we went into too much detail. And if you were not keeping up, right? Maybe Clayton, share, are there places for people to go to educate themselves to dig into this further? Definitely should have you back on and we can dig into things a layer deeper. And then maybe talk a little bit about what you and your company does, how they get in touch with you, how you might be able to help people because I'm sure there's somebody that was listening is like, okay, I feel like they're talking to me and I need to take some kind of action. Certainly a few years ago, I was in the same place. And so maybe talk a little bit about just some general education, best practices, what you do and how to get in touch with you as we wrap up. Yeah, sounds good. As far as where to start, cybersecurity is a very broad topic and you can take a very academic approach and like, hey, I wanna learn how to be an electrician. Well, here's some physics lessons. Like, oh my gosh, right? Too much theory, right? When it comes to actually understanding what things are practical, if you're non-technical and or small business owner and are in the marketing space, right? There's the CISA, which is basically part
of the Department of Homeland Security. It's really around, it's basically a government resource to help exactly this use case, right? Small businesses understand what attack scenarios are relevant, how to protect against them. It's very accessible and it's part of what, it's a government program. So it has plenty of resources and things you can read up on and basically increase your knowledge in this space. I would start there. There's also ISACA, I-S-A-C-A, which is basically, it's a community of auditors, right? It's an association that does a lot of publishing of original work on topics that are relevant to cybersecurity for businesses, right? It has a compliance angle, but that may be exactly what you want, especially if you have compliance needs or you've got GDPR or PCI or ISO or HIPAA or HITRUST or any one of the other acronyms out there. If there's any sort of compliance draw, then ISACA may be the best way to go to get started on some of these resources. You can always, I mean, I'm ultimately a consultant, so you can always call me, contact me. I mean, I'm at, again, the company I work for is Tavora. I have counterparts that handle other parts of our business and other practice areas as well, but you can always contact me. And yeah, I'd be happy to have a conversation and help out where I can. All right, well, I'll, give me some of these resources. We'll get your LinkedIn profile and put that in the show notes. This was awesome. I think for a lot of people, it might not be top of mind, but it should be something that you're thinking about and you should have some of these best practices in place as you move forward. So Clayton, thank you so much for coming on. It was a pleasure. We'll have to have you on again. Until the next time, bye-bye for now.
Matthew Bertram has hosted The Best SEO Podcast since its early days, interviewing operators and search leaders on what actually moves rankings and AI visibility. He is CEO of EWR Digital, a Houston search and AI-governance agency.