Episode Transcript
0:00
This is Mike Michalowicz. I'm the inventor and author of Profit First. And I have extraordinary news: for the first time ever, the app is here that automates Profit First entirely around the principles I created. I have been involved in every stage of the development of this app. It has all of the principles of Profit First, plus all of my newest findings. Your business is about to be permanently profitable.
0:25
Get the app today. Today, right here, right now, this is the moment that you will finally say, I'm growing my accounting practice, and you're going to discover exactly how, right here, right now, on the Grow My Accounting Practice Podcast.
0:43
Welcome back, everyone. I'm Ron Saharian, co-founder of Profit First Professionals. And I'm Liz Szporn, a guide here at Profit First Professionals. And you listeners are listening to GMAP, where we teach you step by step how to grow your accounting, bookkeeping, and coaching practice. And we're going to give you an action that you can take right away to grow your practice. It's the GMAP Now task. Actually, it's not the GMAP Now task, because Mike is not in the studio today. He's still traveling, but he'll be back on the next episode. So, Mike, thanks for traveling. He's spreading the gospel of Profit First. And also, we got a great guest today. I'm really excited about today's guest. Jeremiah Baker is going to be joining us, sharing a little bit about cybersecurity. And of course, thank you guys so much for listening. Don't forget to subscribe, like, comment, and turn on your post notifications so that you never miss an episode. Never, never miss an episode. I know we're closing in on our 500th episode, Ron.
1:44
Yeah, and this episode today is brought to you by Impressia Bank. Check out Bank Impressia, guys. They're Profit First certified, Profit First friendly. They do the allocations, all great stuff, and they're going to be coming up on the next episode, or in a future episode. So I'm excited about that as well. Me too. Yeah, Robin and Mary Kate, they're just fantastic humans. Great job.
2:08
So wow, Liz, today, technology hasn't been on our side, has it? You know what, though? You know what has? Our Gen X sensibilities of we're going to MacGyver this until it works. So for all of you listeners, we are now coming to you live from Zoom, which will be the first time we've ever done it. So we'll see how this episode works. So Liz and I can see each other. We can see our guest, but it's cameras off because we have low bandwidth. So normally, you know, and this has got to be fun. Everybody's, not even solar flares. Like, didn't we have solar flares last time we were recording? And there were just things wrong, and retro, Mercury retrograde, whatever that is. Mercury is always in retrograde, I feel like. So it's either that or solar flares. Those are the two reasons. All right. Or you've done something really bad, Ron, and it's karma. It's not me. I'm an angel.
3:12
It's whatever you have done. My life is karma. All right, let's talk to Jeremiah. This is our second time trying to talk to this gentleman, and I'm so excited. Jeremiah Baker, author of Confessions of a Hacker, has spent 17 years identifying cybersecurity weaknesses for major clients like casinos, banks, and corporations. He's been featured in major outlets like the New York Times, Wired, and he shares his real-world insights on how cybercriminals operate and how to stay protected. And I'm still curious, because one of his unique talking points, the unique thing about Mr. Baker, is he grew up in a giant family of 56 foster siblings. So I would like to talk about that. And without further ado, welcome, Jeremiah. Good morning, Liz. Good morning, Ron. Thank you for making a second attempt here.
4:04
And I do believe it may be Mars in retrograde. Let's blame that. Oh, I'll take Mars even more. I mean, last time we said it was straight-up hackers. The hackers do not want you to talk. I know. I think it is a true story. I love it. So Jeremiah, what are some confessions of a hacker?
4:26
Sure. Well, the title is obviously a little catchy, right? Yeah, absolutely. So basically, the point of Confessions of a Hacker is 17 years, spending 17 years being hired to hack into banks, casinos, hospitals, corporations, and so forth. We've seen the same things or similar things happening over and over to good people. And that bothered me so much that I said, look, I've got to sit down, write a book, put these stories into a book so that people will know how they're being attacked and compromised, taken advantage of, and then how to prevent those same things from happening to them. And that's because most of the time folks don't know how these things are happening, or what's even happening, until it does happen. And then it's too late oftentimes to have a remedy for the attack or for the cybercrime. So really, Confessions of a Hacker is an awareness book of stories, with attacks, including breaches and wire fraud and theft, and how to not have those things happen to you or your organization. Those stories make me sweaty. My mom, I can't really either. Are we also talking about personal experience, Jeremiah? Have you been, you know, maybe before you got into this, do you have any experience or family experience of being?
5:50
Oh, sure. Yeah, maybe not as much about hacking, well, a little bit of hacking, but mostly scams, and that's what a lot of these things are. They're really financial and disruptive cyber scammers and criminals. So it's like financial fraud and things like that. Of course, I've had things with websites being compromised, which could be considered a traditional hack, and then of course the identity theft stuff and all of those kinds of things that many of us have experienced. Yes, and the interesting thing is, over 17 years, seeing how things were pretty quiet back in those early days and how they've progressed in frequency and the amount of damage that they have on good people.
6:35
Let's talk about that, because I'm no longer receiving the emails from the Nigerian prince in order to, you know, give him a hundred thousand and I'll get five more back. How have things progressed over the years? Where are we today? And how can the accountants, bookkeepers, and coaches that are listening to this fortify their organizations, or even amplify their knowledge to wade through this? Good question.
7:02
I think probably the best way to answer that, especially from an accountant's perspective, and honestly it's everyone's perspective, is maybe thinking about what the bad guys, what the cybercriminals, are after and what they want to get. And I can share a few examples with you that I have continuously seen over these years that happen. A lot of times what bad guys are after, one, of course, is money. Like, they want to do some kind of fund transfer fraud, including wire fraud and a number of other things, so that they can siphon money away from us and/or our clients. But they also, a lot of times, will also want to do things like disrupt the business, make it so that the business can't function. They may want to hold you hostage, per se, an extortion scam, to try to say, hey, I have this thing of yours, and/or maybe some negative information on you, that if you don't pay me I'm going to make public, that could hurt you, your business. You don't want the public to know about you. Those things have become quite common.
8:16
And to be succinct, one of the things that I see over and over, which is basically what I consider modern-day bank robbery, and that's really just folks getting into, let's say, an email account or some kind of business account for someone in the C-suite, be it like a chief financial officer, CFO, or a VP of sales, someone that has the ability to make decisions about money moving around. And what the bad guys will do is they will get credentials, either through finding them on something called the dark web, or if there's been a major breach and your username and password have been shared publicly or dumped onto the dark web. The bad guys will get this information one way or another. They will then attempt to log into, let's say, email accounts. And then they start acting as if they are the CFO and requesting things like wire transfers, fund transfers, and things like this, and/or redirecting a purchase, like a major purchase from a large client. And I have a few stories about those that I do share in the talk, Confessions of a Hacker, and in the book, about where things have happened. Like, for example, a CFO went on vacation; someone had sat in his email account for about three months or so, watching how he would transfer funds, to understand the rhythm, so that when they did their attack it didn't look out of the norm. They were more successful this way. And again, this is the modern-day bank robbery situation, and this happens a lot. So this individual is on vacation, and once the out-of-office triggered, the bad guys knew, okay, look, he's going to be out of the office for a little bit. We are going to instruct someone inside the organization that handles wire transfers to transfer to a few accounts. And that resulted in about a $500,000 theft pretty quickly. Oh my gosh. That's not uncommon.
10:25
And again, something like that could have likely been prevented if that CFO, for example, had something called multi-factor authentication, which adds a second step. They get a code to their phone, to an app, or SMS text message. Even if you have the username and password, they wouldn't have been able to easily get in, and they may have moved on to another target, the bad guys being they, the criminals. But he didn't have it. And that resulted in them basically being able to do whatever they wanted to do in this particular case. And that's an all too common scenario that we've seen over almost the last 20 years. And as you can see, that's not necessarily a hack, like a highly technical thing. It's something that could impact all of us, but could have also been somewhat prevented relatively easily. And even if they did get into the account with MFA attached, multi-factor authentication, if there was another verification method on wires, not being able to easily be sent out without another person saying, hey, did you really intend to send it here, that would have added an extra layer for that wire to not be sent out. So none of those things were in place, made it very easy.
11:42
Yeah, well, as with Profit First, Profit First Professionals, we're constantly allocating money into various different bank accounts on various different days, throughout the months, throughout the years, throughout whatever. I'm sitting here going, holy crap.
11:59
How would I identify if somebody's already in the system watching me and just waiting for me to put on my out-of-office email? But in addition, right, we have close to 500 episodes of GMAP out there. So my voice is out there. AI is gonna take my voice. So how, is there anything I can do today to see if somebody's snooping on us? And yeah. Yeah, absolutely. The first, well, given that we're on a podcast, you instantly made me want to jump in on your computer and take a look. You know, not a funny situation, but that was my instinct. Yeah.
12:36
First things first, so I would have someone in your IT department, and/or yourself, go in, first and foremost, change the password on your account, so if someone is logged in, and then if you have the ability in whatever platform you're using to log out all other users, just completely make sure everyone's logged out. And then there are things your IT team can do to go in and look for things like: have there been any rules set up? Are there any hidden folders or messages being sent out that are then hidden from me? And there's a whole kind of operation that you would do to do a cleanup on your email account, which is relatively simple for an IT person. But then I would go back and apply, at the very least, apply the basics, which are getting multi-factor authentication with an authenticator app like Google Authenticator or Microsoft's product. There's a lot of them out there that are trusted, and you can look them up, so that you get that extra code even if someone does have your username and password.
13:42
And then, of course, having just old-fashioned policies on making it a little bit more difficult for money to be sent around, even if someone does get the ability to start making those requests. But those are the things I would do, like, right away, just to get you in a good place. And then, of course, there are more advanced things that can get applied to email, your email platforms, with filtering and, you know, all the anti-malware and all the checking. But that's something that I would consider a second step. First step is to kind of go in and do those initial diagnostics with your IT team. Yeah, start with an inquiry to your IT department to say, hey, guys, just do some snooping around. Make sure that there aren't hidden messages, hidden folders.
14:30
Yeah, and if it's helpful, that's exactly what we've done in recent times, where I was flying into New York, into the city, and when I landed I was set to go for a board meeting that day for one of our companies in our portfolio. And I received a phone call just as I was getting out of LaGuardia saying, hey, I think I've been attacked. And it was a person that runs a finance business working with ultra-high-net-worth individuals. So you can imagine some people worth hundreds of millions of dollars. And he said they're getting emails from me saying that I have this great cryptocurrency investment that I found, and I would like to share it with them. But they thought, a friend of mine and a colleague, and I think it was even a client, said, hey, here's a screenshot. This doesn't seem like something you would do. Is this really you? And he said, it's not, but I don't see, I'm not sending these emails. But they're coming from me. How is that happening? So we jumped on with his staff, his IT staff, and started digging around inside of his email account. We could see that, of course, someone was logged in acting as him. And they had set up something called email rules to hide the emails from him, so he wasn't seeing that traffic of emails flying around.
15:53
Luckily, they had not changed the password on the account. He also did not have multi-factor authentication, MFA, on his account for logging in, and we got really, really lucky, because we were able to remedy the situation within a few hours. We had him in a pretty good situation, but it could have gone wrong. If they had changed, what if they'd changed the password, and now we can't even log in? That would have added an extra layer of difficulty to fix the situation. Not impossible. That's where I went. I was, like, watching the fact that they can just immediately change the login, and now you're done. It's over.
16:34
Yes. And that did, yeah, that actually did happen. I know I'm full of stories here, but that did happen. And hopefully they're helpful to folks listening, because that did happen to another individual that was an ultra-high-net-worth person. He was answering work email in his office. He received a message on his Instagram account from a contact saying, hey, check out these vacation photos that we have. He clicked the link, just not knowing, he was distracted doing something else, clicked the link, and what that did is there was some malware in the link. It took over his account, and the attacker, the cybercriminal, then changed his username and password and started to send out, again, crypto investment scams to his contact list, and it became extremely difficult to remedy. And again, this talks about social media, where it's just another part of what we would call your attack surface, things that the bad guys can go after, or your footprint. And what they did then was they changed everything, contacted Instagram, hey, can you help? One of the remedies, at least at that time, this was about a year and a half ago, was they need to see, they do kind of a face scan from your phone. Yeah. Make sure that it's you. Well, this person never put any pictures of himself up, being cautious, because he didn't want to be seen on Instagram. So it took a month or more to get remedy, because there's no kind of, at that time there was no helpline or anything like that. It was kind of an automated account recovery process. Yeah. And he had a very difficult time fixing that, and that was in this particular case a crypto scam.
18:17
It could have been, they could have sent anything with access to that account. So, yeah, it's scary. You're telling that story, I think that's what happened to Profit First on Instagram. Because we had to go, like, as you're saying that, I'm like, oh my gosh, that's what happened to us. Our entire Instagram was shut down for Profit First Professionals about a year and a half ago. And we didn't know why. We didn't do anything. And they asked for a picture of the user, and it's me. Like, I'm the main person in there. I'm not on the website. I'm not on Instagram. We had some reels, but it really wasn't me. So they said, nope, you can't get back in. You don't have any authority. You're not even real. I don't know who you are. As you're saying that, I was like, oh, we were hacked. We were hacked. Right. And we don't know why they took it off. They, you know, we got logged out or locked out. It's so crazy. Um, so I just have a question. So, Jeremiah, your stories are horrifying. So thank you. It is almost Halloween here as we're recording. What are we, a day away from Halloween? It's timely, right? So it's mischief. Nice. These are helpful. They are, very well.
19:36
And so here's my question. Our audience is primarily made up of accountants and bookkeepers and financial coaches, and their whole business. So when you said, you know, what are they after? Money, disruption, extortion, all those things. Our members in our audience, they hold a lot of information. Many of them have teams, and many of them have teams who are overseas. So there are so many levels of complexity in terms of having an overseas team having access to all of your financial data, banking accounts, routing numbers, all those things. What are some of the most basics, aside from multi-factor authentication and the, you know, authenticator apps, what are some of the things that financial firms specifically need to know? And one of the things I wrote down based on what you're saying is it's efficiency versus safety. And so, like, in your rubric of decision-making, efficiency has to be last to me in this universe, and it has to be safety number one. So what are some things that financial institutions can do?
20:38
Sure. Sure. That's a good question. So I think the way that I would like to frame this is think about it from the worst-case scenario and then kind of reverse engineer all the way back. So speaking about this with folks, it's always, what are you willing to tolerate? So if someone were able to get in and essentially, let's say you get hit with ransomware, for example, and it shuts down all your systems, are you all okay with that? Can you survive? Or would it be better, for example, if you had all your data backed up and segmented and properly backed up, encrypted, and also practiced restoration exercises so that you can then stand everything back up without paying a ransom, for example? Which one would you pick? I would think most people would say, I'd rather be able to restore my business pretty quickly versus not having that.
21:32
And unfortunately, a lot of times folks don't have proper backups that are encrypted and segmented and go through restoration exercises, so that even if they were compromised, they could get back up within a reasonable period of time and be functioning again without any loss. So to that point, to be a little bit more specific, I would look at the worst-case scenario, reverse engineer from there. What am I willing to tolerate? And then I would put, of course, the basics in place, which is making sure that every account has multi-factor authentication on it, preferably with an app versus text messaging, because, yes, phones can be compromised and ported out, and people can intercept your text messages and things like that. So scary. Sorry. Sorry. I'm sorry. My phone is the only thing that is here. It's here for me. My concern is now, as I'm looking into this new fancy, fancy camera that tracks all my movement, moves all over the place and everything. I mean, am I not? I don't know if I have, you know, special protection for this camera, right? Do I need special protection for this camera, or is this, I don't even know anymore? Correct. Yeah.
22:50
And that's the thing, that's the thing with video, and maybe what I'll do, because I feel like I got a little bit rambling, so I'm going to go back one step and just say the basics are: make sure you understand all the things that exist in your environment, your footprint, what can be attacked. How are they attacking, such as the fund transfer fraud, business email account, business account takeovers, and these types of things. Have those basics in place, but then also make sure you understand who, from a permissions perspective, who has the ability to send and receive finances, for example. You need to know that.
23:30
You need to have policies in place, cybersecurity policies. Have second steps in your fund transfer process so that even if someone got a hold of your email account or had the ability to request a wire, it's not so easy to just say, please send it, and then it goes out. There's an extra step that gets involved, preferably human to human, if not through a known phone number where you can pick up the phone, call them, you know, send them a letter in the mail. Whatever you need to do, but just to make sure that it's not so easy for the bad guys.
24:07
And if this is helpful, what I've seen and heard from cybersecurity insurance providers, those who end up getting a call post-event, is that about 80% of the claims that they're receiving come from only a few things. And that is, one, it's these email and business account takeovers, where the bad guys are able to get in and access our emails or any system that we have, be it a CRM, an accounting platform, whatever that is, and then do bad things. And then that leads to the next bit, which is fund transfer fraud, which is FTF. And that usually is a result of an account takeover attack. That's about 60% of the claims, from what I read recently. And then the remaining 20% in that 80, think ransomware. So people are getting attacked.
25:00
Everything's getting frozen down. The bad guys request money, crypto, some form of payment, in exchange to send a key to unlock the files so that the company can get back up and running. And then the remaining 20% is an assortment of things such as denial-of-service attacks, traditional data breaches where someone got in and was exfiltrating data, and things like that. But if we look at it from the large, large perspective, 80% coming from those three things, give or take. And sometimes those three things have, or often have, relatively simple methods for protecting against those attacks. And again, with all of this, the challenge is once the attack happens or the crime happens, it's very, very difficult to remedy, and it's much better to have a little bit of prevention on the front end and to be aware of those attacks. So the basics do go a long, long way in this case.
26:01
I'm just thinking our footprint is so large now, because most people are working at two locations, home, office, phone, three. Now, these cameras and everything, I mean, like, I'm not sure if, you know, all technology is created or protected equal, is what I'm getting at, right? Yeah, absolutely not. Yeah. So what are some of the least protected things out there that we might want to shore up? Sure.
26:28
Well, again, looking back at the risk, least protected, I wouldn't count on anyone to, you know, unless it's our internal cybersecurity team at our companies, but I wouldn't count on these third-party vendors. A lot of the time what happens is people think, well, this video platform or this accounting platform or this CRM, that's a big giant company. They have my security in best of mind. That's what they're saying. That's what they're saying. Well, I don't even think they're saying it. I think we just assume it. I don't think they're saying it. Yeah. Yeah. Go ahead. No. Sorry. Take it off right now. What, Intuit is this global behemoth? Their security department has invested hundreds of millions.
27:14
They're so much better protected than we are. Right. Yeah. And that's why I think it's a good idea, we call those third-party vendors, is just get them to share what they're doing, what their policy is, and how they're protecting, and then always, again, think what's the worst that could happen if they were compromised in a negative way. Where does that put me from a risk mitigation perspective? Can I recover from this? Would this be threatening to the livelihood of my business? Being very cautious, and then going back to some of the basics that we mentioned here, which is, you know, again, the multi-factor authentication, having things properly encrypted, having them backed up so that you can restore if something does happen, or even with encryption, making it very difficult if someone does get it to actually read any of the data that sits in the files or whatever was taken, just making it so hard for the bad guys instead of easy for the bad guys. And look at everything that's connected, or anything that we log into, or anything where we put credentials into to log in, a username, a password, our phones, even IoT, Internet of Things devices such as cameras and even refrigerators and printers. I have crazy stories that I could share around how those things have been compromised. But everything that's connected potentially has the potential to be compromised and utilized. And we just want to make it, as users in this wonderful world we live in, we want to make it hard for the bad guys by doing the basics.
28:56
It's so timely that you're talking about third parties and their level of security. We work with banks, and we have a few preferred banks that we work with, Bank Impressia and Relay Bank. We went through a lot of security protocol checks to make sure that their security is up to speed. We really, really went really deep to make sure that these guys were the partners we want to choose. Yeah, that's great.
29:25
There's banks out there that are saying they're Profit First, that we have no relationship with. There's banks and other third parties out there that are leveraging not only our brand, but other brands, giving a false sense of security. So, you know, I'm saying to all you listeners out there, you know, we do a great job of making sure that our partners are secure, are timely, and are up to speed. Don't work with somebody that is saying that we're friendly. We know those guys. Look to make sure that the partners are really legitimate partners. I mean, is there a way to, I mean, how do we know that? Yeah, that's great advice, Ron, is just literally don't trust what people say, validate. Right. So pick up the phone and call. That oftentimes goes a long, long way. Oh, I've had to call banks and tell them to shut it down because, you know, they're not, I don't even know what their technology is, yet they're leveraging our name. Yeah. So if someone called you and said, hey, for example, Ron, are you affiliated with these folks? And you're like, no, we're not. Yeah. So that's validation, validate. And then you go, then, unfortunately, you had to go to those folks saying, hey, this is a misrepresentation of our affiliation. Yeah. But validation goes a long, long way. And a lot of these things as well, just in general, is why would we give anyone the benefit of the doubt and/or trust, especially when the level of risk is so high?
31:05
Am I willing to swallow this
31:07
if something goes bad? And if
31:10
not, then it's time to go
31:12
validate. You know, it's so so
31:14
I love what we do with
31:17
our partners. We have a special
31:19
partner badge and also a member
31:21
badge that links back to our
31:23
site that validates them that they
31:26
are actually, you know, approved. They
31:28
are a legitimate certified profit first
31:30
professional. They are a profit first
31:32
professional partner. So we do have,
31:35
you know, that stuff that links
31:37
back. Is there anything else that
31:39
we might be able to do?
31:41
to assure that these are our
31:44
ideal partners, that they are safe.
31:46
And just to clarify, Ron, you
31:48
mean to make sure that those
31:51
that are claiming to be affiliated
31:53
with you with D&D are? Yeah,
31:55
I think some of the simplest
31:57
things you can do is, and
32:00
I know this sounds very generic,
32:02
and there are more things you
32:04
can do, but essentially setting up
32:06
kind of if these things are
32:09
done online, where someone's online a
32:11
business and they're claiming that they're
32:13
partnered. is setting up things like
32:16
as simple as a Google alert,
32:18
anytime your name plus organization comes
32:20
up and say, hmm, let me
32:22
validate that. I love the Google
32:25
alert. We forgot about that. That's
32:27
free and easy. So that'll catch
32:29
anything new that comes up. And
32:31
then the next thing to do
32:34
is to continuously, and again, I
32:36
know this is a lot of
32:38
this stuff is not fun and
32:41
or fancy, but it is to
32:43
simply just have someone or individually
32:45
do it once a month set
32:47
of policy, just to scour the
32:50
internet and look for folks on
32:52
Google, for example, that have your
32:54
name on their website. And if
32:56
it's not a partner, it's not
32:59
a partner. and it needs to
33:01
be handled. So it's kind of
33:03
very similar to like when Main
33:05
Street type businesses, restaurants and so
33:08
forth, they'll have Google reviews and
33:10
different review platforms. They're using kind
33:12
of what we consider reputation management
33:15
services to kind of make sure
33:17
that what's being said is genuinely
33:19
true. And unfortunately, this is just
33:21
something we all face, right? We
33:24
don't know. People can say anything
33:26
on the internet. That's the problem.
33:28
Jeremiah, that is the truth. And
33:30
with that said, can you believe
33:33
we're at a time? That was
33:35
fast. I could do that. Really,
33:37
I could listen to your spooky
33:40
stories and your advice a thousand
33:42
times. Like they're so simple. You're
33:44
so good. Jeremiah, where can our
33:46
audience learn more about you? Where
33:49
can they pick up confessions of
33:51
a hacker? Sure. How can they,
33:53
you know, work with you? Yeah,
33:55
absolutely. I think the best way,
33:58
and this is what I enjoy
34:00
doing is, again, my main goal
34:02
is just to help people know
34:05
what's happening, how to not have
34:07
it happen to them. And that's
34:09
why I share. these story formats
34:11
in the book and even in
34:14
keynote presentations around the world, just
34:16
awareness first and then what can
34:18
we all do that are oftentimes
34:20
simple and easy fixes. But the
34:23
best way, and this is what
34:25
I like to do, is connect
34:27
with people on LinkedIn. And that
34:29
way we can use Messenger. We
34:32
can chat. We can, you know,
34:34
if someone needs help with something,
34:36
if I can't help, I can
34:39
direct them in the right direction.
34:41
If I can help them, then
34:43
I'll help them the best that
34:45
I can and so forth. But
34:48
I think that's probably the easiest
34:50
and best way to get in
34:52
touch with folks. It's just Jeremiah
34:54
Baker on LinkedIn. Awesome. Well, also,
34:57
my friend, thank you very much.
34:59
Stacy. Thank you. Yeah, thank you,
35:01
Liz. Thank you, Ron. Yeah, you
35:04
guys as well. Stay safe. Thank
35:06
you. Have a great Halloween. Yeah.
35:08
Oh yeah, yeah, Halloween. That was
35:10
great. Oh my gosh. All right,
35:13
so now it's time for our
35:15
takeaways, Ron. That was great. That
35:17
was delightful. I'm glad it worked.
35:19
I'm glad this totally worked. Yeah,
35:24
yeah, absolutely. Thanks, Jeremiah. So what
35:26
did what did I take away
35:28
80% comes from I mean, I
35:31
took a lot away but it
35:33
comes from three primary sources of
35:35
neglect email. CRM, fraud and ransomware.
35:37
Those are the three things. Make
35:39
sure you guys have your policies
35:41
up to date as well. I
35:43
mean, yes, the basics and so
35:45
simple. I loved the thinking and
35:47
we do this with so many
35:49
things. What's the worst case and
35:52
work yourself backwards? So that idea
35:54
of whether it's income targeting, what
35:56
do you want? And let's figure
35:58
it out. about how to get
36:00
there or for this, what is
36:02
our risk? What can we tolerate?
36:04
Literally, if we know we're running
36:06
profit first in our business, we
36:08
know that we have $150,000 in
36:10
our profit account, is that it?
36:13
Can we stand $150,000 worth of
36:15
extortion? That sounds terrible. Right, and
36:17
also don't trust everybody, don't trust,
36:19
your partners make validate, trust and
36:21
validate. Yeah, Mike, Mike has done
36:23
that. He's talked about that before.
36:25
And, uh, oh my God, what's
36:27
her face as CEO? Yeah, her
36:29
face. Yeah. So my brain is
36:31
broken, but you know, he has
36:34
the code and she has the
36:36
password. Right. So, you know, it's,
36:38
we have all sorts of tripling
36:40
things. Oh, it's so good. Awesome.
36:42
That was, that was really helpful.
36:44
Yeah. Okay. All right. What's that
36:46
now what? The trippy question. Yeah.
36:48
All right. So I have a
36:50
trippy question and I can see
36:52
Jeremiah, he's still here. So usually
36:55
we say goodbye, but I'm going
36:57
to invite him into this one
36:59
because you're curious and this answer
37:01
could be funny. So these are
37:03
just very basic sort of conversation
37:05
starter questions, but what fashion trend
37:07
that you followed was very cool
37:09
then it is no longer cool
37:11
now. Are you pants? I was
37:13
hoping someone would say parachute pants.
37:16
I mean, I would still wear
37:18
them. The Z-cavary cheese, is that
37:20
what you wore? No, I never
37:22
had the Z-cavary cheese and I
37:24
never did the tuck and fold.
37:26
I was a member's only kid
37:28
in parachute. There you go. I
37:30
feel like you still have your
37:32
member's only jacket. I did with
37:34
tanging and microfiber. Of course you
37:37
did. I know you do. Jeremiah,
37:39
how about you? I was going
37:41
to say having a mullet haircut
37:43
in the 80s, but I see
37:45
that that has come back. Oh,
37:47
it's back with a vengeance. I
37:49
love it. Oh, I love the
37:51
rat tails gross the mullet. The
37:53
Malay is delightful. Any other embarrassing
37:55
fashion trend? Shoulder pads. I didn't
37:57
see. I you know what? I'm
38:00
going to stand by all of my fashion
38:02
choices. I'm not going to lie. I
38:04
am a very classic person in general.
38:06
So even when it was like knee
38:09
high socks and Mary Janes, that's still
38:11
cool because it's always, it's already back.
38:13
So I'm standing by all of them.
38:15
There's nothing I wouldn't wear
38:17
right now. Nothing. Right. I don't
38:19
say that very confidently in any
38:21
other realm. I'll get you to say no
38:24
real fur. I'd probably wear it if
38:26
it's my grandma's. I already have it.
38:28
So I'm not buying a new one.
38:30
All right, that's great. Ron, thank you
38:32
gentlemen. What do you
38:34
have as your insider access?
38:36
Yes, please. Yes, this is
38:38
insider access. This is stuff
38:41
that we're doing here at
38:43
Profit First Professionals that you
38:45
can also do with your
38:47
organization. And that is a
38:49
review with your insurance policy,
38:51
with your cybersecurity provider on
38:53
the phone with them. This
38:55
is something that we take very
38:57
seriously and we want to make
39:00
sure that if anything happens that
39:02
we are up to date with
39:04
the insurance because you know insurance
39:06
it's happening all over the place
39:08
and. People are losing their cyber
39:10
insurance. We lost ours like three,
39:12
four times. So we had to
39:14
constantly find new ones, constantly find
39:16
new ones. And each time we
39:18
find a new insurance provider because
39:20
somebody else canceled it, right? We
39:22
have to go through an audit
39:24
again to make sure that the
39:26
team, you know, isn't sitting on
39:29
their loyals because there might be
39:31
a little, little, little, little words
39:33
written in fine print that another
39:35
agency may not have that the
39:37
new agency has. So make it
39:39
priority to sit down with your
39:41
cybersecurity team and your insurance team
39:43
to make sure that you are
39:45
fully covered. Excellent. Boom. I'll do
39:47
that. I was just gonna say
39:49
boom. All right. Well, we're out of
39:51
time, my friend. We did it. Wow.
39:53
That's it. Awesome job, guys. Thank you
39:55
very much, Jeremiah. Thank you, Liz. Thank
39:58
you. Yes, thank you. Yeah, don't forget
40:00
to review subscribe to grow my accounting
40:02
practice podcast and also Liz. What else
40:04
do they need to do? You know
40:06
what, if they are interested in learning
40:08
a little bit more about how to
40:11
work with Ron, how to work with
40:13
myself, how to become a member of
40:15
Profit First Professionals, I encourage you. I
40:17
implore you to go to ProfitFirstProfessionals.com. There
40:19
are two options. Once you get there,
40:21
become a Profit First Professional or find
40:23
a Profit First Professional. If you click
40:25
that become, you'll have an opportunity to
40:27
have a call with Ron or myself.
40:30
We'll share a little bit about what
40:32
membership looks like, the benefits and the
40:34
joy of being in this crew. And
40:36
then we'll also See if it makes
40:38
a match, if it makes sense for
40:40
you as your firm is growing and
40:42
you're looking to bring more advisory to
40:44
your business. So, profitfirstprofessionals.com. Have a great
40:47
day, everybody. Do it now. Do it
40:49
now. All right. Thanks, everyone. Have a
40:51
good day. Bye. Thank you. Bye-bye.