
Podcast Season 2 Ep. 3 Cybersecurity Costs- Not Being Proactive

Cybersecurity
  • Host: Steve Stedman / Bob Borges
  • Recording Date: 1/15/2025
  • Topic: Cybersecurity Costs and Why Being Proactive is Important


Steve Stedman and Bob Borges from Cloud9 Tech Solutions discuss the importance of proactive cybersecurity, highlighting the significant costs of neglecting it. They cite a 2023 report indicating the average data breach cost is over $4.5 million, with 60% of small businesses shutting down within six months of a breach. Bob emphasizes that all businesses are targets, with healthcare breaches averaging over $10 million. They stress the need for comprehensive security plans, regular audits, and user training. Proactive measures include encrypting SQL databases, implementing multi-factor authentication, and continuous monitoring. They warn that breaches lead to direct and indirect costs, including compliance fines, downtime, and reputational damage.

Podcast Transcript

Steve Stedman  00:15

Hey everyone, and welcome to the Stedman SQL Podcast, season two, episode number three. I’m your host, Steve Stedman, and this week’s topic is going to be the cost of not being proactive and not implementing cybersecurity. Before we get into the actual topic, though, a little bit of news from Stedman Solutions. January is almost over, and that means you have just a few days left to take advantage of our January promotion, which is SQL Server managed services. We’re offering our normal managed services at 12 months for the price of 10, which is roughly about a 16 or 17% year one discount for new managed service customers. With our managed services, we can help you take care of your SQL Servers so that you don’t have to hire a DBA. Or we can help out if you have a DBA, and help keep you from having to hire that next DBA. Also, do you want to be a guest on our podcast? Do you have something related to SQL Server or other tech topics that you want to share with our listeners? You can reach out to my assistant, Shannon at Stedmansolutions.com, by email to schedule, or you can go to the podcast page on Stedmansolutions.com and there’s a link there to sign up as a guest if you’ve got something. We’d love to hear what you have to offer and consider you as being a guest on our podcast. So speaking of guests, I’d like to welcome this week’s guest, Bob Borges. Bob is with Cloud9 Tech Solutions, and they are a partner of Stedman Solutions, which means they’ve joined our partner program, and we have kind of joint offerings that we do together with our services, working together to help each other out. Welcome, Bob. Can you tell us a little bit about Cloud9 Tech Solutions and what you do?

Bob Borges  02:04

Yeah, thanks, Steve, and thanks for having me on. Really excited to be talking a little bit about cybersecurity. Always happy to have these conversations. So at Cloud9, we’re a full spectrum managed service provider focusing on driving customer success through proactive services and strategic thinking. So in addition to providing the typical system monitoring, alerting and tech support, we employ a very methodical, proactive process to minimize unplanned downtime and identify risk to the organization. We also provide strategic planning to leverage technology to meet those business drivers. So we work with mid-sized and small business companies throughout the US, working remotely. We have the best talent from different geographies, and we have a lot of flexibility. So really excited to be talking more today.

Steve Stedman  02:54

Well, welcome. I think that there’s a great synergy there between your company and our company, being able to better support all of our customers and all of your customers as well. So one of the things, as we jump into the topic of cybersecurity: there’s a lot of misconceptions around it, and we’re going to talk about some of those. But for the listeners, did you know that the average cost of a data breach in 2023 was over $4.5 million, and for small businesses, 60% of those who get hacked shut down within six months? And that’s, well, ChatGPT was the source of that quote, so it’s a collection of data that put that together, apparently. But either way, even if it’s not quite that extreme, it’s still pretty darn bad, and this is something that we’ve seen a lot of. Unfortunately, I’ve seen the side where people call me and my first contact with them is after they’ve been hacked, and there’s not a lot we can do at that point. So being proactive, I think, is really key here. So why don’t we take a look first at why companies ignore cybersecurity? You have any thoughts on that?

Bob Borges  04:03

Yeah, there’s a lot of reasons why companies ignore cybersecurity. I mean, implementing security is almost never free, right? So there is a direct cost to implementing things. But the key thing to understand is there are direct and indirect costs to not implementing cybersecurity, which we’re going to talk a little bit more about in a while. But it’s easy to think that it’s not going to happen to me. I’m not a big target. Maybe I’m just a bed and breakfast type of inn and I’m too small. We have two employees, and we would never be at risk. Well, there’s a whole group of bad guys out in Russia right now that are specifically targeting bed and breakfast POS systems. This is all they do, day and night, looking for all those systems that have the default username and passwords on them, and trying to siphon off credit cards. And they do it in a really, really smart way and methodical way, so that most companies never realize that they’re actually being hit, that they’re being breached. You know, the thing is, everybody is a target, whether you’re a big company, like we saw with Sony a few years back, Target before that, or a really small organization, especially in healthcare. And you were talking about the cost of a breach: in the healthcare industry, the average data breach, I think, was over ten million per breach last year, which is just incredible, because, I mean, that’s an immense cost. And not every healthcare provider is a big hospital or big conglomerate. These are oftentimes independent doctors’ offices and specialists. So this is one of the reasons why healthcare costs keep growing and growing and growing. It’s not just the direct cost of drugs and services and the expensive equipment and insurances, but also that cybersecurity cost that goes along with that. Thinking of cybersecurity as an unnecessary expense instead of an investment is kind of the wrong way to think about it.
It’s the, you know, penny wise, pound foolish type of mentality: I don’t want to spend this today unless I absolutely need to. And we’ll talk more about why that’s not the right way to think about it. But yeah, there’s a lot of that in conversations that I have. And one of the biggest misconceptions, in me talking to small businesses especially, is “we’ve never had a security problem in the past.” But how do you know? Did you have any IDS, you know, an intrusion detection system, intrusion prevention system, that’s actually logging network activity? Did you have somebody going through those logs? Did you have anybody actually collecting those in a log collector, like a SIEM? However you pronounce it. But anything that is actually aggregating those logs, and somebody going through them, looking for security events, looking for any evidence of an actual breach. You know, having antivirus, yeah, that was really important at one point, and it still is. But security really needs to be thought about as being in layers and, you know, there’s a lot of steps that really need to be thought out.

Steve Stedman  07:22

Yep, yep. I think a big impact on that is a lot of people, they think of it as an expense instead of an investment. And I think that where we run into that, I mean, it’s like, I don’t know, let’s say you just went and bought a fancy new Corvette. Gee, I’d love to do that one day. Would you drive that Corvette off the lot without having insurance on it? Well, it’s just one of those things that you know you have to have insured because it’s too valuable to lose. And unfortunately, a lot of people don’t think of their business that way, where instead of insurance, you need to have your cybersecurity in place. And it’s just as important, because there’s nobody out there who is too small or too big to be a target, for sure. And then as far as that, I mean, one of the things I see is the role of the IT staff. A lot of small businesses don’t have that specific IT staff. And we see that where, with the SQL Server expertise, we come in, for instance, and help them with the cybersecurity side of the SQL Server. I’m sure you see the same thing with just the general IT on the cybersecurity side. But if you don’t have that local in-house talent, it can be very expensive to go acquire that if you’re gonna try and bring a new team member in, or if you’re gonna try and teach your current people that. And I think that’s where outsourcing some of that can be more cost effective. I mean, have you run into that with what you’ve seen with clients you work with? Oh, absolutely.

Bob Borges  08:49

You know, on the larger side, you know, the large enterprise, you might see a chief information security officer, CISO, or an information security manager, an ISM. But in smaller organizations, mid-sized businesses, especially small businesses, they can’t afford to have those, you know, $200,000 to $300,000 a year salaries on payroll, because they are really expensive people. But for a good reason: they’re thinking about compliance. They’re thinking about all their regulatory needs. They’re thinking about all the steps to get there. So if you’re in that situation where you can’t afford to have that expertise in house, there’s a lot of outside resources available to you through consulting and other services. But tools are never the sole answer, and that’s the key thing. You want to build that strategy moving forward, so like, what regulatory compliances apply to your business? You may know about some of them. You may not know about all of them. What risks and responsibilities does your business have for your data, for your employees? For things like, well, I talk to a lot of businesses that have never heard of 201 CMR 17.00, where companies need to take responsibility for data for their employees: social security numbers, resumes, you know, that kind of data that needs to be stored in an encrypted manner. They need to be taking responsibility for protecting, backing up and securing that and keeping it out of prying eyes, but most businesses don’t really think about that. PCI DSS is another good example of one that a lot of companies think about. You know, I’m taking credit cards and I’m taking it over the phone and I’m trying to follow, you know, a certain set of requirements, but they might not be thinking about the big picture. What does it really look like? How are you taking that data? How are you securing it? How are you preventing anybody else from misusing that data and really, really preventing it, you

Steve Stedman  10:50

know. And an example of that that I think of is I had a plumber do some work on one of my properties a couple days ago, which is always an unfortunate thing, but when he was done doing the work, he phoned me up and I gave him my credit card over the phone, and he obviously wrote it down somewhere and kept it somewhere so it could be used again. Because when I called the office to follow up with a second appointment, they said, “Well, would you like us to just put it on that same credit card that we have in your file here?” And I’m thinking, well, isn’t that kind of a violation of some of those PCI rules around keeping that credit card around? And I know when this guy called me from his truck saying it was done, he didn’t have it logged into their main computer system somewhere. It just, yeah, we come across it every day in all kinds of businesses. And I mean, there’s a perfect example of someone who needs some help in that area.

Bob Borges  11:40

So absolutely. I worked with a company, a small business, a few years back, and I would say they were somewhere between 25 and 50 employees. They would take credit cards by phone and write down the credit card numbers. Now, they figured they’d write it down and put it in a safe. About five people had access to that safe. But what they didn’t realize was that they were actually in violation of the PCI DSS rules. They didn’t have the necessary network security in place. The way they were processing it was not appropriate, the way they were storing it was not appropriate. But they did not have a clue that they were breaking the rules. They thought that they were following the intent of the regulation. But, you know, sometimes it takes a little coaching from somebody that’s a little more versed in it, somebody that’s looking at the full intention of what the regulation is saying, not just the bullet points.

Steve Stedman  12:30

And having been through a few PCI audits with different companies I’ve worked at over the years, I’m very familiar with that. I know, like, at Stedman Solutions, one of the things that I’ve done with the team members, specifically my bookkeeper and people on that side of it, is we never write down credit cards, we never keep credit cards anywhere. I mean, everything we do is through QuickBooks, and if somebody gives us a credit card number over the phone, we just key it right into QuickBooks and never store it anywhere locally. And that’s part of the process, making sure that we never have any of that locally or anywhere, even on a piece of paper or an app, wherever it may be. And I think there’s a lot like that that people can learn through this process. All right, so, yeah, I guess moving into kind of our next topic, there’s a lot of different costs involved in not being proactive. I mean, like the example of a new car and you don’t buy insurance. Well, the cost could be that you lose your whole vehicle in an accident. But what are the costs that could happen to a business that we might want to consider here?

Bob Borges  13:39

So there are some direct costs and there are some indirect costs whenever cybersecurity is not implemented. So in the case of, let’s say, a ransomware attack, you could have those financial losses where you’re forced to pay large sums of money, hopefully using an intermediary to make sure that you’re not breaking any international rules and funding any, you know, terrorist organizations or other

Steve Stedman  14:04

groups

Bob Borges  14:06

like that. But there are cases where organizations legitimately need to pay that ransom that protects the data that was siphoned off and is being threatened, not just to get their data back, but to prevent the bad guys from posting it out on the dark web, because it could be highly sensitive data that is not for the public eyes, due to either health security, medical record security, privacy, or maybe national security. But there could be the stolen credit cards, stolen customer data that leads to fines and other, you know, negative impacts like that. But you do have those initial direct financial losses dealing with compliance issues. GDPR is probably the biggest one everyone’s talking about right now, CCPA and others as well.

Bob Borges  15:06

That is a significant initial hit to an organization. And in some circumstances, it could be up to, I think it’s 12% of their annual revenue in that country. So it’s a big deal whenever you’re dealing with those legal costs, never mind the cost of the attorneys and your whole legal team on top of that, but the direct costs for those compliance infringements. Of course, downtime is a big piece of it. If you’re down for 12 hours, 24 hours, 48 hours, what is your cost there? You’re not able to invoice, you’re perhaps not able to generate revenue. Your users are sitting around with nothing to do. You still have to pay those employees, and hopefully people are getting systems up and running as quickly as possible. But that’s the downtime, which has a significant cost in most businesses. That could be a tricky one to calculate the cost of. There are some calculators out there to help. But if you don’t know what your acceptable downtime is for your business, I highly suggest you take 30 minutes this weekend and figure that out using some of those great online tools.

Steve Stedman  16:21

On that downtime, I mean, there’s different things to consider there too. Like, we always have our recovery time and recovery point objectives that we talk about, but that’s kind of a whole different world than, like, if you get hit with ransomware. I mean, maybe some of those RTO and RPO scenarios don’t come into play because you have to rebuild so many systems. And that’s one of those where I like to ask people: if you were hit with ransomware and all of your computers, all of your servers, all of your websites, whatever is part of the system, if all of those were down for 24 hours, how would that impact your business? And usually that’s a pretty catastrophic kind of answer. And then you say, well, what if it’s down for three days? What if all of that’s down for a whole week? And having seen people get hit with this, very rarely, except for when people have really solid backups that are off site and things like that, have I seen people recover from a ransomware attack in less than a day. Usually it’s closer to a week. And what would that mean to you, to your business, to your clients? There’s a whole lot that can add up there. An example of this was a regional hospital, more of a rural hospital, that called me up and said they’d been hit with ransomware. They paid the ransom, and unfortunately, the ransomware software developers didn’t do a real good job on making the ransomware decryption piece work great on large files, and SQL Server data files are some of the largest files in anybody’s system. Even though they paid the ransom, they were not able to decrypt those. They completely lost all of their patient records. And could you imagine if you had a surgery scheduled at that hospital tomorrow and you walked in and they said, “Hi, we don’t know who you are. We don’t know anything about you. What are you here for?”
That would be a big, massive impact on the, I guess, just the trust of that hospital.

Bob Borges  18:31

Tough, tough spot to be in, for sure, absolutely. And with ransomware, Steve, that was a great example. Ransomware has two halves to it. First is getting back up and running because your data has been hijacked from you. How do you get your systems back up and running, your systems restored? The other piece is, if they took the time to exfiltrate your data, and it’s usually outside the US borders, getting that data, getting access to that data, wherever it is, can be a tricky legal process for the FBI and other law enforcement agencies. There was a medical based nonprofit in the northeast, I won’t name here, but they did run into a cybersecurity incident where they did have some ransomware that was deployed. It was a targeted attack, a multi-stage targeted attack, and their data was exfiltrated, including patient data. It was an unencrypted SQL database that was exfiltrated with patient records and whatnot, outside of the US. A whole white paper was written about this, and the FBI was able to take down the criminal organization, luckily, but this organization had data out there from multiple, multiple companies that they had hit, and there was that potential for client, patient data to be made publicly available to whoever wanted to, you know, pay for it on the dark web if this company wasn’t willing to pay the ransom. That’s a scary scenario, because you can control your systems. You can get your systems back up if you have a good business continuity and disaster recovery plan in place, but once it’s left your four walls, how are you protecting that data? Can you protect that data? And Steve, I’m sure you could talk for hours on the benefits of always encrypting your SQL databases. But in the real world, we’re seeing that a lot of organizations do not have every database encrypted. Their path to those databases is not always encrypted, and they’re not always following best practices.
And this is happening even with a lot of software vendors, especially with older software. And yeah, so it can be really difficult to recover from those types of situations. And sometimes that is a reputation cost and some other indirect costs. In the case of this particular nonprofit, they were hit multiple times, it was a three-phased attack, but once they were finally up and running and everything was finally patched to prevent future attacks, they were then hit with a class action lawsuit, which is likely going to go on for years, being an immense cost to them.

Steve Stedman  21:18

So yep, and that’s certainly some of those indirect costs. But one of those things on encrypting your database, I just want to add to that a little bit. With Microsoft SQL Server, it used to be that to have your databases encrypted you had to have Enterprise Edition, or what a lot of people refer to as “expensive edition.” But since SQL Server 2019, encryption is included in Standard Edition, so there’s no reason that anyone running SQL Server 2019 or newer, and again, that’s six years ago now, would have reason to not encrypt their data in today’s world. It’s there. And we help a lot of people with that, and we know that there’s a little bit more pain involved in your backup and restore process, because you have to have all the certificates and keys and those kind of things. But those are the things that you need to do in order to keep it safe, so that you are protected in the event of that breach. Maybe they do get your data files so they can encrypt them, but that doesn’t mean they can use them unless they have those right keys and certificates. And then, I mean, the other thing is, like you mentioned, the class action lawsuit. That goes into those indirect costs around reputation damage. If that lawsuit is going to go on for many, many years, it’s a continuous reminder to their customers how bad things were, and it’ll keep damaging their reputation down the road, rather than just that initial hit.

Bob Borges  22:38

Absolutely, that can certainly affect their ability to get funding in the future. If it was a publicly traded company, then stock prices could absolutely be affected by that. It’s really tough to rebuild your reputation once it is tarnished in a way like that; it takes a while for people to forget. Especially in our field, we think of companies like Target, TJ Maxx, etc., and breaches like that kind of stand out in our memory, although we’re in the industry a little bit. But if you were a patient of an organization and your data got compromised and you’re part of this class action lawsuit, how likely are you to ever return and have any medical work done at that facility ever again, if you could help it? It’s really difficult. And that’s on the nonprofit side. On the for-profit side, it’s, you know, much more impactful.

Steve Stedman  23:36

Yep, absolutely. So then, I mean, the other thing around that too is employee productivity. Let’s say you’re some type of, well, I guess almost any kind of business, whether you’re a healthcare facility or you’re a manufacturing plant. If your systems are down that are preventing your employees from doing their jobs, how much revenue is going to be lost because your employees aren’t able to do their work? Doctors aren’t able to see patients or do surgeries. A factory that’s generating some kind of whatever product they’re making isn’t able to make that product anymore until the systems come back online, because the computer, the IT systems, are all integrated into those manufacturing systems today. So they’re not able to ship their product because they don’t know who to ship it to, because their systems are down. Yeah, there’s definitely a lot of impact there on the cost as well.

Bob Borges  24:29

You know, a few years back, I had worked with a construction company. They had probably 15 computer users, a really small organization in the scale of things, but they knew that they needed to implement cybersecurity, and they put it off for all the reasons we talked about earlier, right? We’re not going to be a big target. You know, it’s not likely that we’re going to get hit in the next year or two while we’re thinking about this, you know, the expensive things and planning out, budgeting and whatnot. Well, unfortunately, they were hit, and somebody came right in through the front door, meaning they had a terminal server available on port 3389, the most widely scanned port on the internet, consistently, month by month, that they had open to the internet. Somebody cracked a password for an administrator account, came in that way and deployed some ransomware pretty effortlessly. And it was through the tools that we would refer to as someone like a script kiddie, right? So not an advanced hacking organization. This was somebody that could have had some free tools available to them, packaged them up and deployed them with very little effort. Now, that meant that they were down for close to three weeks, completely down. They didn’t have good backups. They didn’t have their data. Unfortunately, they didn’t know they didn’t have good backups until they tried to restore and the restores failed. And, yeah, their existing IT person stopped taking the calls, you know, when these things started not going well. So they were really in a painful situation, where we worked to get them up and running, and, you know, worked with them to recover from this. But, yeah, it was painful all around. They learned the hard way how important cybersecurity is to have in place, why all those layers really matter.
And it’s not just having antivirus, not just having a firewall, not just having, you know, a company that says that they’re securing you, but actually going through and having some operational maturity around that security, you know, having real policies, having a real plan, a disaster recovery plan if something does happen, a business continuity plan for when things fail, because life happens. Disasters happen, right? We have floods, tornadoes, hurricanes, other things, not just cybersecurity issues, although they are more and more common every year, at least 40% growth year after year for ransomware for, like, the last 10 years straight, minimum. So these things are happening exponentially. But yes, it is super painful, that downtime, and that meant three weeks that they weren’t able to collect revenue because they didn’t know what their invoices looked like, because all that was lost. Their estimators weren’t able to get quotes out the door for new projects that they were planning six months out, their architects weren’t able to. They lost work. They lost weeks’ worth of work or months’ worth of work because they weren’t able to, we weren’t able to, recover that. So it was very, very, very difficult for them, and they thought it was a hard lesson learned. I hope no company needs to go through that, you know, the same way they did.

Steve Stedman  27:51

And part of the reason for sharing stories like this is so that other companies don’t have to go through that same thing for sure. So how about if we go into what it means to be proactive and the importance of being proactive. What does proactive cybersecurity really look like to you?

Bob Borges  28:11

So having a plan is definitely the first step, right? What are we trying to solve for? Are there regulatory requirements? Does your company fall under DFARS, CMMC? Do you have requirements around NIST 800-171? Do you have PCI DSS, HIPAA, HITRUST requirements, or things like that? Those are, you know, the obvious starting points, having a plan around that, but then implementing that, having some operational maturity, implementing things like your policy sets, talking about what you should be doing, who’s responsible for what, and then starting to put controls in place to meet those policies. There’s a lot of really, really good frameworks out there, even if you don’t fall under any of those regulatory compliance requirements that you know of: CIS 18, the Center for Internet Security, puts out their framework for free, as does NIST with 800-171, 800-53, 800-207. Those are all around securing your environment, implementing things like zero trust. And those are all, like, company and product agnostic. So if you’re a Microsoft customer and you like to be on Microsoft, fantastic. There are Microsoft solutions for this. If you love using best of breed solutions like Okta or Huntress and other, you know, platforms like that, perfect. That all still works, whether you’re feeling like you’re, you know, a SASE solution, where it’s all one vendor, or multiple vendors. There’s no one right answer for everyone. You can make all of these work, but it’s important to really look at all the controls, have a real plan, and then execute against that plan, with regular security audits, making sure that you’re identifying gaps. Like one common thing that I’ve seen a lot: network printers, right?
Network printers, especially when they have fax software, network connected fax machines, that is actually an attack vector, believe it or not, where attackers will use malicious faxes to rewrite some of the firmware on the fax machine, and now they have a point of entry into your network. So it’s a bizarre thing, but that is actually an attack out in the wild, especially with certain fax machines.

Steve Stedman  30:33

Yeah, and fortunately, I’ve moved on from the 1980s and don’t actually have a fax machine anymore, but yeah, I can see how that would be a vulnerability there.

Bob Borges  30:41

Yeah, in the medical world, in the insurance world, not just medical insurance. I mean, I’m talking about like car insurance, home insurance. Faxing is a daily thing for these businesses that they can’t yet move away from, or it’s very difficult to move away from. So those machines are vulnerable, yes, absolutely. We all love Voice over IP handsets because that makes it super easy to deploy phones throughout a network. Well, if you’re not segregating that from the rest of your network, either through VLAN encapsulation or having that on a completely isolated network, those phones could be vulnerable access points, attack vectors for your environment. So there’s a lot of things to think about. That’s where those vulnerability assessments come in, whether you’re doing pen testing or whatnot. Yeah, just the settings on network printers: oftentimes they have SNMP configured with plaintext passwords for their SNMP credentials. That means that, yeah, somebody could probably guess that really, really easily and potentially attack your network through a printer. So there’s a lot of things like that, but that’s where those assessments come into play, to really identify and minimize any of those risks. Training your users, user training, is probably the most effective way to protect. Some InfoSec professionals will say that if you send six or seven emails out to any organization, there is a near 100% chance that one person will click on the link that you sent, right? Yep. Having a good phishing, smishing type of social engineering training and ongoing testing is really important.
There’s a lot of great companies out there for that. KnowBe4 is probably one of the most famous ones right now, but there’s a dozen others that are, you know, at least as good. But having services like that where your users are being constantly trained, not just annually, but hopefully quarterly, having that ongoing training about what does a security event look like, what does a phishing, spear phishing attack really look like, and retraining them constantly to be vigilant about not just clicking on something blindly: “Oh, UPS couldn’t deliver a package, I need to click here to have it redirected.” And yeah, people, by the way, people who should know better, like network engineers, security engineers, do fall for those as well, when you stop being vigilant and you start trusting your email too much. So having that constant reminder and those constant tests to make sure that we’re on our toes always. But then we have the network tools, the cybersecurity tools, firewalls, disk encryption, the ongoing monitoring, because we want to not just trust that the systems we put in place are protecting the systems; we want to expect breach. Essentially, that’s how we need to plan, is to expect breach. So we need to monitor for that, collect those logs, ideally, and then have somebody reviewing those logs, or a system reviewing those logs. There are some AI capabilities today, so AI has been, you know, huge, a huge talk over the last 18 months especially. But I was reading a stat this morning that companies that are deploying AI and automation as part of the cybersecurity process typically can identify and contain breaches up to around 108 days faster than those that are not leveraging those technologies. So there’s good and bad uses for AI. I would say this is an excellent use of AI if you’re implementing it the right way, or at least flagging things for a human.

Steve Stedman  34:27

108 days faster. That’s 108 days of somebody being in your system. Wow. Yes, exactly.

Bob Borges  34:36

We all read about the Sony breach that happened a number of years back, and the attackers were in their environment for months, slowly siphoning off data from their networks before anybody realized it was happening. In fact, I believe it was a SQL database tool that actually caught that, if I’m not mistaken.

Steve Stedman  34:57

I don’t know on the Sony hack, but I do know that there’s been some that have been caught by weird database activity. And, yeah, that’s the thing. I mean, if something gets into your system and you’re limited on bandwidth, it might be months that they’re slowly siphoning data off, if not indefinitely, depending on how they’re using it. So, okay, how about, as we move down, some more of the benefits of being proactive. I think some of these are pretty obvious, but just recapping some of them I think can be good here too. For instance, the cost savings from avoiding breaches and downtime. I mean, that’s obvious, yeah. That could be millions of dollars; to small businesses that can have a massive impact. Improved customer trust and business reputation. Like we talked about, if somewhere you deal with has been hacked, are you going to continue to use them? If they’ve been hit with ransomware or exposed data, are you going to continue to use them? Probably not. A few years ago, that was one of the things with a banking business that I was using: I actually switched and started using a different bank because they were too flaky on their IT side, and they couldn’t even just keep their systems running. How could they possibly be protected against ransomware and things like that? And then the other benefits are the regulatory compliance with GDPR and HIPAA. I’ve been more experienced on the HIPAA side, because you have a lot of healthcare clients, but if patient data is exposed, there’s a lot of fines and penalties associated with that for the medical facility. And, yeah, you think our medical expenses are bad enough now; imagine we had a few more of those fees, and what it’s going to do.
So tying some of this back into SQL Server, one of the things is that a lot of the IT companies out there, or maybe not companies but IT individuals, don’t necessarily know how to properly secure their SQL Server. So it might be that their whole system has been secured really well, but their SQL Server can be a vulnerability because they don’t know how to lock it down. They don’t know how to do these things that help close extra ports or change common passwords, things like that. And neglecting that can really lead to some pretty big breaches. Fortunately, the ransomware attacks that we’ve seen haven’t started with SQL Server. They’ve usually come from somewhere else, but it is a possibility there. So what we like to do with our clients is do what we can to be proactive and lock down that SQL Server as much as possible. And sometimes it’s a balancing act, because you want to lock it down as much as you possibly can, but you also want to make it so that they can keep using it, keep doing their business appropriately. And I think that’s where, with Database Health Monitor, we monitor that, and we keep track of those vulnerabilities, and if something pops up, we let our clients know about it. That’s kind of tying that back into our managed services there as well. Part of what we do with our managed services is we take care of your SQL servers, and when we take care of those, we take on that job or that role of having to deal with making sure everything is secured, and that can be a very time-consuming task. So I guess this is where we kind of talk about our approach and how we can help. And when I say we, I mean Stedman Solutions, and with Bob and Cloud Nine, what we can do together there.
And it sounds like there’s a lot that you can help with on the general cybersecurity front, but where we can help is on the SQL Server front and making sure that those best practices are done right. I think one of those big ones is encrypting databases, and having seen this happen a lot, the first time somebody encrypts with SQL Server Transparent Data Encryption, for instance, they encrypt their database, and they don’t necessarily know they’ve done it right. There’s a lot of concern there. And I think that’s where we can help, because we generally get in and help. I mean, we take care of that for our clients. We make sure that their certificates are backed up. We make sure that their backups can be restored properly in that case, and that their keys are stored appropriately so they can use those in an emergency. And then the other thing is the continuous monitoring that we have, with Database Health Monitor and our daily monitoring. We have a check in there we just worked on recently where, if you have Transparent Data Encryption turned on and suddenly a database pops up on your system that’s not encrypted, well, we get an alert on that. Oftentimes that happens when somebody adds something new to the system and forgets to do the encryption. And then again, with that, regular audits to identify vulnerabilities before they become a problem. And when you look at all of this, whatever we’re charging, or whatever Bob’s company is charging, is far, far less than what a breach would be. And I think that’s where being proactive can save a ton of money in the long run. So with that, do you want to talk a little bit about your company, how you help with that specific situation?

Bob Borges  40:23

Yeah, so that’s great, Steve, and you’re absolutely right. I can’t tell you how many times I’ve come across unencrypted SQL databases auditing client environments. It’s such a common thing, but such an easy thing to fix now, and such an easy thing to change, that there is really no good excuse for that ever being the case anymore. There was a time when it was a difficult process, but not any longer. So to your point, having monitoring in place, and building a plan and executing against that, that’s what we want to really focus on: not just blindly implementing tools and cybersecurity randomly. Well, we all know we need MFA. We all know we need, you know, strong passwords. We all know we need certain things, but that’s not cybersecurity; that’s implementing a tool. Imagine building a brand-new house you wanted to make really secure, and you put bars up in the windows, a million-dollar camera and alarm system in your house, but then you forget to install doors, so that anybody can walk in or out, right? You know, there’s obvious things that need to be addressed, but everything needs to be addressed, right? You need to secure every aspect of everything, not just the most common things. And I’m not saying that MFA and secure passwords aren’t important, because they really are super, super important, but so are a thousand other things. Having a firewall is really important, but making sure you don’t have something called an any-any rule in place is really critical, where traffic can be just coming inbound. You don’t want to have those inbound ports open, if you can help it at all. You want to control that traffic as much as possible. You want to have intrusion detection at the minimum, intrusion prevention at least. You want to do deep packet inspection, DPI, at your firewall level. And that’s just the firewall piece.
You could spend days looking through firewall configurations just to double-check everything and make sure that, you know, routing is done correctly, and if you have systems out in the DMZ, can they access important systems on the inside of the network that they really shouldn’t? If I’m an attacker accessing this, you know, think of it through that lens: what things could I potentially see by accessing anything that’s publicly visible, right? If you’re walking into a building, is there a conference room available with live network jacks? I mean, there’s a thousand things that we see regularly. In fact, in reception areas, it’s very common to have a few extra network jacks in the wall that may be live, and if I plugged my laptop into them, am I going to see your network? Am I going to see your servers? Am I going to see anything I shouldn’t be able to see? If the answer to that is yes, then you’ve missed something in your plan. And it’s worth taking a step back, picking your head up, and saying, all right, we have obviously missed at least one thing. What else have we missed? Because you always have those, you know, known knowns, the known unknowns, and then the unknown unknowns. And it’s that third category that is always the one that catches you. So, like I said, planning. You can never do enough planning. You need to execute on that plan. But you can never do enough planning and monitoring and rechecking, and be constantly vigilant. And like I said, plan for breach.

Steve Stedman  43:46

Yep. And I think with that, we get a lot of people who call us up after they’ve been hit, needing help, and it’s too late at that point. If someone’s been hit with ransomware or some type of breach, unless you’ve got good backups, there’s not a lot we can usually do to help you at that point. But being proactive is the key, like we talked about. One of the clients that we worked with, a manufacturing company, I’d been working with them off and on, helping them out with their SQL Server for a couple of years. We had a really good backup procedure in place, and in fact, they had great off-site backups that were in immutable storage, meaning it can’t be changed in the event of any type of cybersecurity attack. They got hit. Their SQL Server got taken out because one of the desktops in their environment was compromised, and from that desktop, it had access to the SQL Server, and it took them down. In order to get them back up and going, they of course had to do all their work on all their desktops and servers. But as far as getting their SQL Server back online, we built out a brand-new SQL Server, a new virtual machine for them, restored those off-site immutable backups, and in just a couple of hours we had their SQL Server back up and running, compared to what might have been days for that manufacturing facility had they not had those backups in place. So that’s how important being proactive is at this point.

Bob Borges  45:14

Absolutely. And remember, just because you got hit with an attack because you didn’t implement cybersecurity, you’re not just paying all the direct and indirect costs that we talked about earlier. You’re also going to be paying for all the implementation that you avoided to begin with. So you’re still going to be investing in that cybersecurity you were trying to avoid, in the end, to prevent an additional attack, because once you’re attacked once, you will be attacked a second, third, fourth, fifth time, either by the same attackers, or, they love to brag on the dark web and share where they went, how they got in, and you’ll have copycats as well. So yeah.

Steve Stedman  45:59

So I guess at this point, just to summarize some of the key points here. We’ve talked about the hidden costs of not implementing cybersecurity, and all of them, from employee productivity to data loss to, I mean, even just the trust of your company. Talked about why being proactive is critical. And really the key there is there’s no other option than being proactive, unless you get hit, because once you’re hit, you can’t deal with it later. Kind of like the time to buy a smoke alarm for your house is not after your house burns down. It’s when you first move in. Same kind of thing with cybersecurity. And then with Stedman Solutions, or with Cloud Nine Tech Solutions, we have the expertise to help out where you need it. If it’s on the SQL Server side, we can help with that. But if it’s anywhere outside of that, it sounds like Bob with Cloud Nine can help with that as well, and we’re there as a team to be able to help you. So at this point, one of the things we want to remember is that cybersecurity isn’t really a cost. It’s more of an investment in your business’s future. And the point there is, don’t wait until it’s too late. So at this point, Bob, thank you for coming on the podcast today. I think we’ve got a lot of really interesting stuff, and hopefully some of our listeners will reach out to you and consider some of your services. Appreciate you being here today, and thanks everyone for listening. Don’t forget to subscribe to the podcast on YouTube and Spotify if you want to get more episodes and more SQL Server and IT best practices. Any final notes before we close out?

Bob Borges  47:46

No, thank you, Steve. I hope we didn’t scare everybody too much with these doom-and-gloom stories, but there is a path forward.

Steve Stedman  47:58

All right, everybody. Yep, thanks for being on the show. Have a great day. Thanks. Thanks for watching our video. I’m Steve, and I hope you’ve enjoyed this. Please click the thumbs up if you liked it, and if you want more information, more videos like this, click the subscribe button and hit the bell icon so that you can get notified of future videos that we create.

Getting Help from Steve and the Stedman Solutions Team
We are ready to help. Steve and the team at Stedman Solutions are here to help with your SQL Server needs. Get help today by contacting Stedman Solutions through the free 30 minute consultation form.

Contact Info for Stedman Solutions, LLC. --- PO Box 3175, Ferndale WA 98248, Phone: (360)610-7833