Ep 146-147, June 2022:

Adam Braatz - WVCC:

Today on Wisconsin veterans forward today, we are talking about what tech has to do with with, with landing contracts and saving money as a business owner and all these amazing, beautiful, wonderful things that you wouldn't think would have anything to do with tech are cyber security in particular. But they do. I recently learned that if you want to get these big money, giant D O D contracts like these, these legit, you know, they're, groundbreakers like, like these, these are, these are the kind of contracts that really open up things for your business. Enduringly if you want those, you have to check a lot of boxes. It's not just you put in a bid and if it's, you know, the best thing for the least money, you get the job. Like you have to check a lot of boxes. And a lot of that now, a lot of those boxes have to do with cyber security compliance, like the do D isn't going to do business with you or hire you to contract anything or to provide products or services for them.

Adam Braatz - WVCC:

If you are a vulnerability or a liability, or if you are going to make them or their assets or their people, or their process is vulnerable to an attack of some kind to, to to, if it opens up a cybersecurity vulnerability, you're not gonna get the contract. So they have to make sure that you check a lot of these boxes. I didn't know that. And I also didn't know that a lot of insurance companies are not gonna ensure your business in various ways. If you are not at least minimally cybersecurity compliant. And if you don't check a lot of those, those boxes, you may pay higher premiums with less coverage. That's not cool. So not only should you have your cyber security world kind of in order, I've learned in the last week and excited to learn more because obviously it's the safe thing to do to safeguard your company and your assets and your family, your personal assets. But also if you want to save money and get better coverage through your insurance premiums and potentially be compliant for state or federal contracts, you gotta have your cybersecurity ducks in a row. Folks.

Adam Braatz - WVCC:

It's true. I didn't know that. And I'm really interested to learn more.

Adam Braatz - WVCC:

Scott singer is the, the president, the head guy, the CEO of cyber nines. And they're a company that specializes in cyber security compliance, and they specialize in helping businesses benefit, become eligible for contracts. Save money, benefit in a myriad of ways from having their cybersecurity ducks in a row from being compliant. Joe May not sound like cybersecurity and cybersecurity compliance in particular is the sexiest thing in the world, but you know what it is, and it's way sexier than paying higher insurance premiums and getting less coverage. There are few things less sexy than high insurance premiums. Yikes. Folks excited to get into this with Scott from cyber nines, right after this, you are listening to Wisconsin veterans forward. Wisconsin's premier audio resource for veterans, military families, veteran owned and veteran friendly businesses. Wisconsin veterans forward is brought to you by the Wisconsin veterans chamber of commerce at wiveteranschamber.org. Very happy to introduce our friend Scott singer of cyber nine. How are you?

Scott Singer - CyberNINES:

Good. Thanks for having me.

Adam Braatz - WVCC:

Yeah, you bet. So, okay. We'll, we'll cut right to the cybersecurity being a sexy thing that we were talking about that before the, before the show cybersecurity compliance, what brought you to cybersecurity compliance? Were you growing up? And you were like, you know, when I grow up, I'm gonna be a, you know, I'm gonna work on cybersecurity compliance. What brought you there?

Scott Singer - CyberNINES:

Wow. I don't even know how to answer that question. <Laugh> cause it's such a long journey to get to the place where I got to now. So I've got a 50 page PowerPoint presentation, Adam, that I thought I'd bring up and kind of talk through that journey with you. Will that work?

Adam Braatz - WVCC:

You were serious at first? I didn't, it's like, I really dunno how to handle this situation right

Scott Singer - CyberNINES:

Now. <Laugh> no. So you know, I was 30 years in the Navy. I had a couple jobs in the Navy where one job, I was the executive officer for a reserve cybersecurity unit and Pacific fleet. That was really interesting, got me interested in it, but most of my career has been in it. And I spent 16 years with Medtronic, a medical device company around it. And you know, when we started, it really, wasn't a massive thing. You know, just getting hacked in cybersecurity. Wasn't an issue because it, wasn't kind of a sexy place to be, I guess at some point now it's a way to make money and for the bad guys. And so over time I've just gotten really interested in it. The last 10 years I worked for a defense contractor and I just saw the regulations growing and growing and companies getting hit.

Scott Singer - CyberNINES:

Our company got hit really bad from an attack from a certain other country that wanted all of our stuff on how to build aircraft carrier elevators, wow. To take planes up to the flight deck. And so that really, that really got to me to be honest with you, and that's really where this started. So that's kind of how I got to this place. And then after I left my last company about a year and a half ago, started cyber nines with a company in town called five nines. We joined forces and started cyber nines. And we've been pretty busy since then.

Adam Braatz - WVCC:

I believe it are we as business owners or as individuals who use the internet, are we in more danger now than ever before?

Scott Singer - CyberNINES:

That's a good question. I think it goes up and down. I think there's a L a lot more people understand. What happens when you click on an email these days everybody's aware of phishing emails and you know, probably that email from the Nigerian prince really isn't gonna get you anymore. Right. however, the emails have gotten much better too. And they're harder to tell whether it's a spoofing email or not. And so I would say it's kind of been it's a growing, you know, business, unfortunately. Yeah. there's actually ransomware as a service, you know, you've, I don't know if people have heard software as a service or things

Adam Braatz - WVCC:

Like that. Ransomware as a service,

Scott Singer - CyberNINES:

There is a whole market out there for ransomware as a service. So you don't have to be a brainiac these days to really make money with ransomware, you can actually rent it. And the people you're renting from gets the money and the person doing the attack gets the money. So it it's a big problem.

Adam Braatz - WVCC:

That's crazy. Am I, so let's say I live in rural Idaho and I have you know, a satellite internet connection. I've got a small business. Do I have to worry about a cyber attack? It couldn't possibly happen to me. Right.

Scott Singer - CyberNINES:

You know, I actually think they're more susceptible in a lot of ways to getting hit with a ransomware attack. You know, there's different approaches, you know, there's the, the spray and prey kind of attacks that just go out and anybody, you know, lots of people get the messages and they get hit. And then all of a sudden your screen, you know, your computer goes, a screen comes up saying, please pay this $10,000 Bitcoin to this address, or we're gonna delete all your data that happens all the time. And, you know, so those small businesses, the best thing you can do is back up your data. And even if it's as simple as using a USB drive key or mobile, you know, mobile storages device, plug it into your computer, you know, once a week, every other day, however, you know, you have to sort of think about how long can I be, you know, dead in the water without my data. Can I go two days, three days, four days, you know, it depends on your business model. So it depends, you know, if you're taking lots of transactions, you need lots of backups. Right, right. But if you're taking like an order a day or an order every few days, then you don't have to back up your data as fast, but back it up. And then the thing is, don't leave your backup connected to your computer

Scott Singer - CyberNINES:

Because if you get hit by ransomware attack, it's gonna crawl right up that backup.

Adam Braatz - WVCC:

Interesting. My, my backup is always plugged in. It's probably a bad idea. <Laugh> probably a bad idea. I will rectify that right after this. So, so you work with folks on ensuring up their cybersecurity specifically you know, obviously for their, their personal, their business safety, but so they can be compliant and being compliant, having your ducks in a row from a cybersecurity standpoint, so to speak there's actually finan potential financial benefits to that. And we'll talk about, you know, contracting in a minute, but you mentioned insurance as well. Can you touch on that for a bit?

Scott Singer - CyberNINES:

Sure. and this comes back to the, just the number of ransomware attacks that have had insurance companies have gotten better at understanding how to underwrite policies and the risk involved with underwriting, these policies. And they don't want to take on the risk. When companies don't have those good backups, they aren't using multifactor authentication. You know, when you get that code back on your phone that says, put this number into this program, mm-hmm, <affirmative>, that's multifactor authentication. And so if you're not using tools like that, they don't want Toure you. And so there's companies that are just not getting cyber cyber security insurance anymore because they haven't completed these, these items.

Adam Braatz - WVCC:

Interesting. So, so now the, the insurance companies know if you're sured up and if you're not, if you could be a liability, they're just either, they're either gonna charge you through the nose for less coverage or just not cover you at all.

Scott Singer - CyberNINES:

Correct.

Adam Braatz - WVCC:

How does someone then become minimally compliant? I mean, I've got, let's say I'm a business owner. I'm that same business owner in rural Idaho. I have McAfee, you know, virus protection on my computer. Is that enough?

Scott Singer - CyberNINES:

No, it's not gonna be enough. The first thing is that's gonna happen is that when you go try and get an insurance policy for your company and, and keep in mind a lot of these mom and pop businesses that you kind of started with here they, they don't necessarily think about even getting a cybersecurity policy. Mm okay. Tends to be, you know, more of the, the larger to mid-size businesses that even do this. However you're gonna get a form that is the insurance. Company's gonna send you a form when you ask to get some insurance policy and it's gonna have some requirements on it. Right. And the key thing is not to just fill out that form and say, yeah, yeah, yeah, we're doing all that stuff. No, you know, that's not the right place to go. The place to go is most of these companies are also gonna be using a managed service provider.

Scott Singer - CyberNINES:

And that's the place to start, you know, go to your managed service provider with your form. Or obviously you can come to a company like cyber nines too, but, you know, get some help with it. Okay. And you know, it's gonna cost you a little money to walk through these things, but the real basic cyber hygiene items that we're talking about here, it's again, it's that multifactor authentication, it's backups, it's complex passwords, it's changing passwords. It's, it's just things that you should be doing blocking and tackling your cyber security hygiene. And but that external provider, that company that you're using to help with the I T they can help you figure out how to, you know, fill that form out. And it, it shouldn't be very expensive,

Adam Braatz - WVCC:

So it's not arduous and like prohibitively expensive to just make sure that you're protected and people probably should do it anyways, regardless of what size business you have.

Scott Singer - CyberNINES:

Of course I, and you know, one of the couple things I didn't talk about, but it's things like virus, software, firewalls, keeping all those things current, right. It's when you get that request to update your desktop, whether it's windows 10 or windows 11, you gotta do it. You gotta keep all those things current.

Adam Braatz - WVCC:

Right. Make sure you're you're you got all your OS updates, so you're not vulnerable to an attack. And do you need a dedicated it person on staff to, to be constantly on the lookout? I mean, if you have a medium or, or larger size business, I mean, you have to have folks on staff, right?

Scott Singer - CyberNINES:

No, again, the model really is going to outsourcing. There really is a lot. I mean, as the companies get bigger, you see more people on site. I mean, we've worked with a lot of companies and we really don't see onsite it people until you start getting into companies that are like above a hundred people, sixty, seventy, a hundred sixty, seventy people, then we start seeing regular onsite staff. So there really are a lot of companies that are using these outsourced it companies to do that work. So

Adam Braatz - WVCC:

Interesting. Let's so let's talk about contracting. So for we talk all the time about getting veteran own businesses, getting them obviously certified as veteran owned or service connected, disabled veteran owned businesses, getting them into diverse supply chain pipelines, getting them into state and federal government contracting pipelines. So they can land those lucrative opportunities to provide their services or their products to the department of defense, to the state, to the corporate entities. And I, I know that there are things, obviously you have to be able to provide the service that they need at the cost that is, you know, the most cost effective for them, but I hadn't considered the compliance end of things. Is that relatively new at least from a federal standpoint, to get those, those contracts?

Scott Singer - CyberNINES:

No. it's not the requirement for being compliant goes for DOD contractors goes back to late 2013.

Adam Braatz - WVCC:

Okay.

Scott Singer - CyberNINES:

Okay. So it's not a new requirement what's changing is that the do O D has found that, well look, there's 300,000 companies in the defense industrial based supply chain. There's about 80,000 companies in the supply chain that handle very sensitive information called controlled unclassified information. Some people might know of it as like I a R for example, as a term, an export controlled term. So this is information, the DOD doesn't wanna lose. Okay. It, it, it's not something like classified like a missile system, but it's one level down from that. Remember I was talking about that aircraft carrier that you know, that flight deck that would, you know, the, the elevator that would take the aircraft up to the flight deck. That's considered I a R so it's not classified confidential, secret or top secret. It's I IAR it's it's controlled on classified information.

Scott Singer - CyberNINES:

And if the enemy gets that information, it's gonna help their program quite a bit. Right. It's gonna be easier for them to build an aircraft carrier if they've got right, right. It's not a missile, but it's still important. The joint strike fighter. What happened with it? Lockheed Martin got hacked. We were one of the companies that got hacked from the Lockheed Martin hack. Well, what happens is now you've got basically all these small businesses, all these suppliers, they're making a part, they're making a part for the landing gear. They're making a part for the wing. They're making there's all kinds of stuff. Right, right. But they're making one little part. One company might just be coding something, right? Lots of coding companies out there. So what happens is you have to share these drawings with these companies, these drawings get to all these different companies. And if they get hacked, it's easier to hack these small businesses than to attack one of these large prime contractors. And so they pull, they aggregate, right? They take all these different drawings, put 'em together. And now together it's classified at a much higher level and it helps them get things done. So if you look at the Chinese strike fighter, it looks a lot like our joint strike fighter.

Scott Singer - CyberNINES:

Okay. And there's a reason for that. So, so they just, that's where these regulations came from,

Adam Braatz - WVCC:

Stole our, our intellectual property and pieced it together and made their own Franken fighter jet.

Scott Singer - CyberNINES:

They did looked so lot similar to ours and good

Adam Braatz - WVCC:

Gravy that makes I, I don't know. I can't explain why that makes me so mad, but I'm like, <laugh> angry.

Scott Singer - CyberNINES:

Well, and that's the reason I, that's the real reason I'm sitting here right now doing what I do cause cuz it really did make me

Adam Braatz - WVCC:

Mad. I believe it. We had a quick question from Jason over on Facebook, said, how does one get veteran own certified? And I posted this link business.defense.gov. What you're looking for is the SD V O SB service dis service connected, disabled veteran owned, small business certification that F has a, a step by step guide not easy to get obviously you know, it's, it's kind of a drawn out process. Well, it's simple. It's not easy. But it, it may take you a minute, but it's worth it cuz it, it does give you priority in certain scenarios. Thank you for asking that question, Jason. I appreciate it. So, so Scott, how, how often do you, do you deal with active attacks or is it more like you create a barrier that, that just makes a hacker like, like walk by the fortres and they're like, I'm not even gonna try to storm that castle they're taken care of

Scott Singer - CyberNINES:

Sure. There's at least path of resistance kind of thing there. We are more of a preventative company. Mm-Hmm <affirmative> we do some incident response post, you know, when something happens, but there are a lot of companies that are better at that than we are. We're much more of upfront. Let's put a program in place to protect this business. Let's put a program in place that meets the DODs requirements. Remember I said it started back in 2013 mm-hmm <affirmative> well, they're ratcheting down these requirements because what they found was all these companies weren't as secure as they should be. And so it's moving from a model of self at a station where companies just say, yeah, we're good. We're meeting the requirement to the do OD as saying, you know, trust, but verify, okay, we're gonna have a third party assessor, come in and say that you are doing okay. That's where this is moving. And right now that's gonna be in place in 2023, probably October one timeframe where you have to have all these requirements done and ready to go. So that's what we're working on. We're trying to move these companies along, put a program in place, prevent them from storming the castle.

Adam Braatz - WVCC:

Right? So you, so, so the goal is to create a massive titanium castle with a moat that's filled with alligators and you know, motion activated laser guided Gatling guns. Like you just, you just wanna no, no, not so much.

Scott Singer - CyberNINES:

No.

Adam Braatz - WVCC:

Cause you have either your doors locked or it's not,

Scott Singer - CyberNINES:

There are too many new threats happening all the time. Okay. You can't, you know, you can't foresee everything that's gonna hit you. So you have to have these good processes in place to react to it when it does happen. Right. Mm-hmm <affirmative> so you get hit by a ransomware attack and ransomware attacks move laterally across your organization. Mm-Hmm <affirmative> so if you can catch it early, right. And quarantine that machine, then it won't move to all the other machines and go into your server and go into your backup.

Adam Braatz - WVCC:

So if a ransomware attack hits, let's say we've got five people on a business on,

Scott Singer - CyberNINES:

We lost your audio, Adam.

Adam Braatz - WVCC:

Oh, lost my audio. Can you hear me now?

Scott Singer - CyberNINES:

Nope.

Adam Braatz - WVCC:

That's awfully strange standby. Huh? Folks, if you're watching, let me know if you can hear me. Hmm.

Scott Singer - CyberNINES:

Oh, got

Adam Braatz - WVCC:

You. Got you back. Oh, that was strange.

Scott Singer - CyberNINES:

I dunno. The vagaries of the internet. Yeah.

Adam Braatz - WVCC:

So, so let's say I am one of five people on a network in a business and I get hit with a ransomware attack and we're able to quarantine to that one. Computer is everything on that computer just done for, do you just like accept the loss and move on or is there some way to stop it and process I'm not really familiar with it at all.

Scott Singer - CyberNINES:

So if the machine is hit and it's ransom, they're gonna be, there's gonna be a request for you to pay, to get the machine back. Right. Mm-hmm <affirmative> so ideally a specific machine. We do not want the data stored. That's really important for that company on that machine. We want it to be in a secure cloud or a secure server. That's where the data should be working. And that machine is a tool to access it and be and run things. Right. So if that machine goes down, you don't want it to be the issue. Now reality is people put a lot of files on their local machine and it's gonna be an issue. Right. So what do you do? Do you pay the ransom? Do you not pay the ransom? Hopefully you have backups. And again, it's easier to back up data on a cloud or a server than it is to back up five computers, right?

Scott Singer - CyberNINES:

Mm-Hmm <affirmative> you only have to back up in one place versus backing up in five places. But if you don't have a backup, then you have to make a business deci decision about whether you want to pay a ransom or not. And there's really kind of an unknown issue here is that the, it may be illegal to pay the ransom because the government has what's called an entity list, a denied party list. And that company, that company, that ransomware company, cuz they are companies, they're people and companies. Yeah. They could be on the D the government's list that says you can't do trade interact with this company. So, so here you go and you pay the ransom, right? And now you get in trouble because they're on this no fly zone list, right?

Adam Braatz - WVCC:

Yikes. That that's a, a double whammy. So not only would, not only are you a victim of a ransomware attack, but you won't be able to fulfill the terms of your contract or get a contract ever again. That's, <laugh>, that's insane that that's been that's that's probably the most mind blowing part of this whole thing. I, I had no idea that I guess I had no idea that it was so, so pervasive. So, so my next question is a lot of people have resistance to cloud storage. They think not storing locally is inherently less safe and they hear stories about celebrities getting their, you know, their iCloud photos hacked and, you know, getting sent out by paparazzi or whatever. But from what you're saying is in a secure high tech, like well managed cloud storage environment that is safer than storing things locally.

Scott Singer - CyberNINES:

Yes. I I've come. I started in this place where I was everything. What we call is OnPrem on premise, you store it local mm-hmm <affirmative>. So if you hear that term OnPrem, that's what that means instead of in the cloud. You have to always remember all the cloud is it is, is a computer someplace else.

Adam Braatz - WVCC:

Right.

Scott Singer - CyberNINES:

Okay. But it's still a computer. What, what makes the clouds better today than in the past is that they do have whole security teams working to help make these places secure. Now, if you, but it, it it's a joint effort, right. Because if you have a real weak password to get into your email and Microsoft 365 in the cloud, right. Well, you know, it's still a threat, right. So you've gotta do your part and they need to do their part and together you can make a much more secure environment to work.

Adam Braatz - WVCC:

So what would you say to somebody who is who's resistant? You know, especially like my generation and older usually like, well, we, we, we have our data files. We store 'em on our computer. I don't want to put 'em in somebody else's hands. I don't care if they have a whole army of people protecting them. How would you, how would you make someone? Let's say I have a family member who I want to, to store their photos on the cloud. So it doesn't take up 170 gig on their computer. <Laugh> how do I get them over that hump and let 'em know. It's more secure.

Scott Singer - CyberNINES:

Yeah, no, that's a good question because if you can do some things, like I talked about before about, you know, the USB drive and, and kind of like disconnecting it and you can create a kind of a, you can create a pretty safe environment for yourself. It doesn't scale very well. Okay. Right. But you can create a pretty safe environment. So if you take a look again, if you take a look at like a Microsoft Azure, that's the name of their cloud offering mm-hmm <affirmative> or Amazon web services. So again, they have secure facilities, so they're keeping people from being able to walk in, you know, they got cameras and they got everything. So the building is much more secure than your house is gonna be. Okay. Well, most, most houses. Right. And so that's one thing. The second thing is they've got a staff of people that just focus on security. All right. The information is encrypted as it sits at rest in that data center. Mm-Hmm <affirmative> okay. The other thing is, for example, with Azure, it is actually making three copies of the data all the time.

Scott Singer - CyberNINES:

Hmm. Okay. So it's much more resistant to a ransomware attack having three copies, right. Versus having one copy and then having your, you know, USB connected and all of a sudden it crawl into that and you're dead. So those are just a couple of, you know, general kind of thoughts I have related to that.

Adam Braatz - WVCC:

Interesting. Oh man. My goodness. I'm sorry. I should have my phone on silent. Yikes. Bush league on my part. Sorry about that. Well, this has been really interesting and, and enlightening. So if, if I'm a business owner and I'm interested in, in, in learning more about cyber nines and how I can get my business compliant in advance of the D O D in 2023, making it a no joke, have to have your ducks in a row. We're not even gonna talk to you sort of thing. How would I get in touch with you in cyber nines?

Scott Singer - CyberNINES:

Well cyber nines.com is the easiest way to do it.

Adam Braatz - WVCC:

Easy enough. I can totally make a banner out of that. Any other I will make that banner any closing thoughts that you have before we adjourn for the day here?

Scott Singer - CyberNINES:

The basics go a long way. I mean, I can just repeat it again is just having good backups having strong passwords, keeping all your systems up to date and patched really is the place to start, regardless of whether it's cyber insurance, or even as you get into more complex things like you wanna be a DOD contractor and trying to work down all the requirements that they need from a cyber security perspective,

Adam Braatz - WVCC:

Right on good stuff, Scott, Hey, I appreciate your time today. I'll ask you to hang on the line for just a minute so I can chat with you afterwards. And folks, you can see cyber nines scrolling across the bottom there. Check Scott out. I know he is on LinkedIn. You can connect with him there as well. And check out cyber nines.com. Look, cybersecurity may seem like a frivolous thing. If you're old school, it's not anymore, it is an essential key cornerstone of your business. You have to have your stuff situated. Your cyber security needs to be on point, cuz it's, it's gonna seem like a frivolous thing until you're in a situation where you wish that you had it and then it can devastate your progress. It can shut down your business. It can destroy your personal finances. If you work for a small business, you are vulnerable.

Adam Braatz - WVCC:

If you work for a nonprofit, you have a lot of data on a lot of people, a lot of their personally identifiable information on your donors. You have to have your cybersecurity stuff situated and then some, and if you work for a medium sized business, if you own a medium or small business, if you're a corporate entity of you're a corporate entity, you probably have probably have a team, but you'all need to have it figured out. And if you wanna get those DOD contracts, like Scott said, even probably state, federal, and state government contracts and corporate contracts. If you want to get into those supply chain pipelines folks, you gotta have this underway. This is like the new, the new bar, the new standard. Get ahead of it and get it situated. Thanks everybody. We will look forward to chatting with you. Same time next week. Thank you for listening to Wisconsin veterans forward brought to you by the Wisconsin veterans chamber of commerce. Please visit us at wiveteranschamber.org. Don't forget to subscribe to this podcast, leave a rating and review in whatever platform you're listening through.