Bill Palifka, Damon Pistulka
Damon Pistulka 00:04
All right, everyone. Welcome once again to The Faces of Business. I’m Damon Pistulka, your host, and with me today I’ve got Bill Palifka from Simon x. Did I say it right, Simon?
Bill Palifka 00:18
Simon exit is in Damon, thanks for having me here today.
Damon Pistulka 00:22
All right, well, Bill, it’s awesome to get you on. Because, first of all, I don’t have a lot of people that talk about cybersecurity. I do once in a while, but not as often as I would like, but you have some really interesting background and some experience that I think is going to be fun to share with people here. So let’s start out with that. Kind of tell us about your background, and how the heck did you get into cybersecurity?
Bill Palifka 00:50
Yeah, that’s, uh, I don’t know how much time we have. I mean, you know, the truth is, is I took a really untraditional path into getting into cybersecurity. Yeah, no, I started off originally as a banker. So, you know, I worked out at JPMorgan. I was doing mid market analysis. And then, you know, I used I used the National Guard to pay for my education. And back in 2002, the guard called me up and I actually spent a lot of time over in Iraq. And yeah, my unit got activated, I was a combat engineer, I was doing logistics planning.
You know, I’ve always liked technology. And, you know, played around with a lot of systems. And when I got back home, my heart wasn’t in it to go back into the banking world. And so I got involved in technology companies, and, you know, I started building websites, I started building BI reporting systems, and it just kept evolving. And eventually I got to be part of a team and we were building applications, mostly in the healthcare industry, and security was really a big concern.
And yeah, you know, I think when we were building these companies up, we always felt like we were one data breach away from being out of business. And so we started developing our program and, you know, I think a lot of what we were doing was early DevSecOps. We didn’t call it DevSecOps back then, but today I think most teams would call it DevSecOps. And, you know, we just said, hey, I think a lot of people need these services. I hooked up with other friends who were in the cybersecurity community and, you know, we decided to launch slime onyx.
Damon Pistulka 02:27
Yeah, all right, so I’m on, excited, I didn’t say it right but I got there, we go, so good. But you know, you said something I think that’s really relevant for people, and hopefully the listeners. And by the way, if you’re listening, just go ahead and give us a shout out where you’re listening from, and if there’s any questions go ahead and ask. But you said one thing, Bill, that I think that if people didn’t just stop and think about this a little bit, they need to, because you said one data breach from being out of business.
This I think is so, this is the statement when it comes around cybersecurity now in business. When you look at the, uh, the pipeline, name escapes me right now. Yeah. Yeah, Colonial Pipeline. You look at Garmin, you look at some of these other big companies, and then you look at what was the whole solar, whatever that thing with SolarWinds was. And, you know, okay, so those are big, high profile things that have money, that have money to pay ransomware and have IT teams that can do these kinds of things. But cybersecurity and ransomware and all other kinds of attacks on small businesses literally put them out of business.
Bill Palifka 03:45
Well, Damon, you know, there’s some research that’s been done around this that tracks what happens to companies after they get breached. And for most small businesses, like in the SMB market, you know, what happens is 67% of them, post a breach and within the next nine months, actually have to close their doors forever. And, you know, the numbers are just startling when you hear it like that.
And I had to do some double checks and I had to call some friends up. And, you know, the research is out there, but it’s a frightening thing and it’s a shame because, you know, Damon, I think what most people don’t realize is that, you know, hackers are looking for easy entry, right? And there’s simple things that everybody can do, not expensive things, that raise the cost to adversaries. And, you know, it really can help protect your business. So yeah, yeah.
Damon Pistulka 04:41
That’s awesome. So let’s just start out, because I mean, you get to figure out, or get to see, what bad guys are trying to do a lot of the time. So, for me, the small business owner who’s got, you know, I’ve got a $5 million manufacturing business, things like that, who are the bad guys?
Bill Palifka 05:03
Yeah, you know, I think it really depends on the industry. Right? And there’s, I mean, there’s different categories of people out there, right? You know, you have your hobbyist that’s just kind of playing around and, oops, by accident, they discover an open port and they start, you know, and before they know it, they’re in deeper trouble, right? Then you have your professional hackers, right? You know, the ones that are out there trying to, you know, make money, or maybe they have a cause behind that, you know, making them an activist.
And then, you know, the next category of bad guys really out there are kind of the well-funded nation states and criminal organizations. And, you know, from that standpoint, often, you know, there’s a lot of us in the security industry, you know, that are tracking the advanced persistent adversaries, right? You know, the APTs, we name them often, right? You know, there’s China, Russia, there’s a host of criminal groups out there. And every one of them has different agendas.
Damon Pistulka 06:03
Yeah, yeah. Wow. When you look at it that way, it’s pretty daunting. But you say, you know, you say there’s some things that we will talk about later, some things that you can do to, you know, protect yourself, make it harder to get in? And, but what are they usually coming for? I mean, what are they usually trying to get from, say, um, that same business? Or again, what are they trying to do?
Bill Palifka 06:28
Yeah, again, I think it depends a little bit. You know, if you’re a healthcare company, you know, they might be trying to ransomware you, that might be the main objective. Yeah, a manufacturing company, it might have even more malicious intent, right? You know, what we find often is, you know, in the manufacturing sector, you know, they’re not looking to just ransomware your system, right?
You know, they might have alternative motives and want to go further down, and they might want to just steal your intellectual property. And so they’re just sitting on your network waiting and taking information, you know, and that’s their payoff. So yeah, again, you know, I think it depends on what your business is, what your crown jewels are within your business, how is that adversary going to monetize it?
Is it going to be for money? Is it going to be for intellectual property so that they can make money? Or, you know, is there a purpose behind it? Right, you know, is there like an agenda that they’re looking to do? So, again, oftentimes, when we’re working with our customers, you know, we help them understand what their profile fits, and then help them build their defenses around an adversary mindset.
Damon Pistulka 07:41
Yeah, yeah, that’s interesting. Because it makes you think about it, right? Because you can have people on your systems today, if you have proprietary information, right, and just say you were prolific, you’re prolifically generating awesome and very valuable information. They could sit there and you not even know it for years and years and years. Yeah. And just take that information out the backdoor, you don’t even know it, and use it to whatever means they want. Well,
Bill Palifka 08:13
you know, Damon, just even a couple years ago, it wasn’t uncommon to see the dwell time on people’s networks be 300, 400 plus days, right? Really? Oh, my. It was absolutely an area where, and I will say a lot of IT teams have made a lot of progress. The average dwell time right now is usually around 40 to 60 days. I mean, different people say different numbers, but, um, you know, it’s come down significantly.
But, you know, if you think about that, it’s sitting there for 45 days, you know, and what you can see when a business is running, right? Just think about all the emails you send out in a given day, all of the data that’s moving around internally inside of your company. Yeah, that’s a long time.
Damon Pistulka 09:01
Yeah. Well, and I have this, probably not, it’s sure, certainly not an advanced example. But I have an example of a client that I worked with a couple years ago that, somehow the hackers got into the owner’s email. And the owner was, as in many businesses, he made large wire transfers, sure, and made large overseas wire transfers because they were buying product and reselling it and working with suppliers.
Well, he got an email one day that said, we want to change our, we’ve changed banks, we need to change it to this account. And it was a hacker that sat there long enough to understand how the conversation went back and forth. It all looked legitimate, and he nearly lost, I forget, it was a couple hundred thousand dollars doing that, and that wasn’t in a huge business. But you know, it’s just, it happens in so many different ways. And when we went back and looked at the email, we looked at things around it, it was very hard to tell. It’s very hard to tell.
Bill Palifka 10:03
And that’s it. And, you know, the truth is, adversaries, hackers, they’ve all become very sophisticated, right? And they’re preying on human behavior, and, you know, gaps in security within technology. So yes, you know, it’s kind of like the challenge with cyber is, you could do all the right things from a technology standpoint.
But if you’re not addressing the cultural side of your business as well, too, with awareness of what is good cyber hygiene, you know, just like the client that you were working with, you could have an adverse event, right? You know, you could just simply be fooled into giving information out that you don’t want to give out, right? And so yeah, oftentimes,
when we’re working with the customer, again, you know, we can’t just address the technology, we have to also address the cultural change management. We have to kind of help everybody understand, almost kind of like that zero trust mentality, right? You know, yeah. And reprogram the business and folks inside of the business to think about how they’re operating a little bit differently. Yeah,
Damon Pistulka 11:11
well, it’s even something as simple as the types of passwords you have to use, the time between changing passwords. I mean, that’s a super, in your world, that’s like, you know, that’s the baby that just was born kind of example. But to some people, that’s a big deal.
It’s a big pain in the butt, they don’t like having to change their passwords, they don’t, why do I have to have all these special characters? Or why do I have to have two-factor authentication? Like, oh, it’s the end of the world. But when you look at it, those kinds of things have to be at the core of what you’re doing, the basics, and scale all the way up. People have to understand,
Bill Palifka 11:50
well, you know, those things, you know, they’re low cost things that increase the cost to the adversary. Right? And, you know, what, I mean, if you are working with a true persistent adversary, right, you know, they’ll get around systems, right. But, you know, for the average, the ransomware attacks, you know, these things make a big difference.
And a lot of times, what we say is, you know, the goal is to get off the Serengeti plains, get back in with the herd, right? You know, again, they’re looking for weak links, and they’re looking for the easy entry. And so, again, if you’re doing basic things like good password hygiene, and you’re using MFA, and you understand all your assets and you kinda, like, change all the passwords to all those assets, these things make a big difference.
Damon Pistulka 12:49
Yeah, and just so people, if they’re listening, don’t know, MFA is multi-factor authentication. And basically, if you’ve ever logged in someplace and they have to text you a number to your phone, that’s one method. I bet there’s others, all advanced all the way up to, you know, in the old days, and they still use some of this, the banks. I’m used to, as running companies, we would always have the plug-in dongle that you had to have. That was your dongle, and nothing would work without that.
Bill Palifka 13:17
One touchpad. Yeah, unique keys, these are all things that can be added to verify that you are a trusted source, and that you should be accessing these systems and information inside of your business. And yeah, and again, I know some people think that these things are painful. But when you have that statistic lingering out there that, ya know, nine months later, this could mean the difference of your business being open or closed. You know, I guess it does help kind of a little bit, changes the viewpoint, hopefully. Absolutely. Yeah. So yeah.
Damon Pistulka 13:53
So, you know, if you’re in a smaller business, I mean, where would you, you would start with the, like, the password hygiene, but then when you start to spend money, where are you going to start to spend money on protecting yourself? Yeah,
Bill Palifka 14:10
you know, I go back even a little bit, right? You know, the first thing that I always like to say to any small business is, do you understand what’s important to your business? What are your crown jewels, right? What are the real things inside of your business that are so critical that, you know, those are the things you really want to protect, right?
And so, you know, sometimes when you’re building your business, and you’re so busy getting out there and getting at it, you know, you don’t put a lot of time into that type of thinking, right? And so because everything’s important, you’re out there, you’re wearing many different hats, but taking that time and slowing down and understanding what’s important to your business.
That’s usually the first step that we say to any small business, if you haven’t done it. The next big thing that we really kind of say to people, you know, you got to go through and you have to understand what assets you have inside of your business. And when we say assets, we’re not talking about financial assets, we’re talking about the software you use, the hardware you use, you know, those things that are going to be interacting on your networks, it’s going to be the things that the hackers are going to attack, right? And if you don’t have a good picture of what’s in your company, it’s gonna be very hard to defend it.
Right? And then the next big thing is, do you have a good strategy around patch management, right? And patch management is so important because that is a software vendor or a hardware vendor saying we have known vulnerabilities, we know hackers take advantage of these things, and we want to close the door on them, and so we push an update out to you, right? Yeah. And that update is there to make your business secure.
Right? And I know it seems like a pain, and I don’t know if anybody has Apple iPhones, I think a few people in the world might have. Maybe over the last week you’ve noticed there’s been like six big updates, and it’s like, yeah, every night you’re like, I got another update. You know, that’s Apple really trying to make your phone more secure. And so, you know, if you don’t have a good management-like process for how you take those assets in your business and keep them up to date, then it’s just like leaving the windows wide open in your business.
And, you know, great, with those two things right there, you haven’t even spent any money. It’s time you’re putting against it, or spending, or you can go out and find experts to work with. But in the end those two things are really, really valuable. They help you, you know, just shut the doors. You wouldn’t leave for vacation and leave your house with the windows and doors open, right? Yeah, you know, the same with your software and your hardware, you got to kind of maintain those, you got to keep them locked up.
Damon Pistulka 16:58
Yeah, because I mean, just when you look at the assets, right, just look in a, today, just go out into a small manufacturer. I’m in 20,000, 40,000 square feet, I’ve got, you know, I’ve got 10, 20, 50 different pieces of equipment out there, you know, some are old controls, some are new controls, some are, you know, and then you look at all the ancillary computers in your business, you look at people that have phones, or tablets, whatever, connected to all this stuff.
And you begin to realize that just understanding the assets, the things that are connected, just the things connected to your network that can somehow be used from someone on the outside trying to get in as a portal, is pretty crazy. Because you go in a manufacturing place, there’s machines out there that are still trying to run Windows 10 on a computer set beside them that connects, you know, with an old serial cable connection into a machine to try to feed it information.
Now that machine, that old computer, is connected to your internet, or through your system, or it could be to the internet, I don’t know. I’m just like, I think about this and that thing has no support anymore. There’s nothing you can do. And so as a person, you might not have a choice because your equipment may not work with anything other than that. So there’s some real challenges here is what I’m trying to say. Oh, absolutely. Just at that level,
Bill Palifka 18:29
well, and then, you know, it’s other things that you don’t even think about, right? You know, it’s like your Apple Watch. It’s your printers, it’s your mouse, it’s your keyboard, your wireless keyboards. It’s all these little things that you’re like, oh, that’s part of the attack surface. And it is, right. And, you know, these vulnerabilities are constantly being posted, you know. Having a strategy for just, you know, we say it’s just so critical. And yeah, and people are not really good at it either, right? And so it’s, yeah, and so, you know, that’s another thing. The password hygiene, that’s a no-brainer, you know. Yeah, we say put MFA out there.
One thing people forget to do a lot is, when printers are shipped, a lot of these things have generic admin passwords. Yes, these things are on your network. You got to change the generic passwords to any hardware or software that you have, right? Like, because you know the first thing a hacker does is they look it up on the internet. They’ll be like, oh, they got HP printers. Okay, what is the generic password for an HP printer? Well, you know, sometimes these things are connected to your Active Directory. Well, like Active Directory, that’s a big thing. It’s got all your employees, it’s got all your emails, it’s got passwords in it, you know, these are privileged users, right?
You know, there’s these things we worry about, right? Yeah. Yeah. And so you got to do those things, that password management hygiene around your passwords. Get a password manager. I mean, like, they’re cheap, right? They allow you to create these. And I don’t know any of my passwords, right? They’re too complicated. Yeah. And so they help you do these processes. And they’re inexpensive, right? Yeah. But when you really start to spend, I mean, there are things, right? Like, we are big believers of layers of defense for small businesses, right.
And, you know, that’s setting up a good firewall, it’s putting in DNS servers that, you know, are limiting traffic through your company, right? We know where bad people are coming from. There are people, there are security experts that are monitoring these folks. And we share intel, we share threat intelligence information, and we know these are the bad IP addresses. Well, stop your employees from going to them, you know, blacklist them. Don’t, you know, have a whitelist of what is approved systems that employees should be on, and then stop everything else from happening.
And so, you know, there’s these systems. Get your antivirus, you know, on your email, on your computer, on your firewalls, right? These layers of defense, they’ll help you when you’re ready to start monitoring, to be able to identify if you have malicious activity in your company. And so, you know, if you’re creative about this stuff, I mean, some of this stuff is incredibly expensive, right?
If you go to a big OEM, you know, they’re spending millions of dollars, they have the best of breed out there, right? If you’re a small business, and you’re trying to do what these big OEMs are doing, it’s impossible, right? But there are creative ways to do this stuff. Working with experts, you know, they’ll help you understand how to digest threat intelligence, they’ll help you set up appliances that will aggregate this information, and there’s open source software or low cost software that, you know, they can deploy to help with this stuff. Yeah. Yeah.
Damon Pistulka 22:04
That’s cool. It’s cool. Because it is, I mean, it is daunting, right? Yeah, a lot. Like, it’s just like, the unknown is almost scarier. Going into that, and trying to figure out what you’re gonna do is almost scarier than, well, maybe it won’t happen to me.
Bill Palifka 22:21
Well, and you know, I think talking about that scary thing, it’s funny, because, you know, to be an entrepreneur, you got to kind of have some pretty thick skin, you know, you take on risk all day long. You know, it’s not about the scariness, right? You know, cybersecurity shouldn’t be scary, right? You know, there are things you do to protect your business, it’s a process, right? You know, it’s just like when you’re building and manufacturing, right? You know, you start with your process, you implement it, you make some improvements on it, right?
And then once it’s kind of gotten to a good state, then you optimize it, right? Yeah. And cybersecurity is no different, right? We have processes, we approach this methodically, you know, there’s an order of things that you should be doing in your business, and you should be integrating this into your business, right?
You know, this is just another process. Just like when you’re making something that you integrate into your business, you spread it culturally across. That’s why a lot of the times, awareness training becomes really important with cybersecurity, because, you know, you want to culturally change your organization. And so, believe it or not, like, good folks that are working in cybersecurity are good change management agents, you know, we have to kind of get into the business and build it into it. So,
Damon Pistulka 23:42
yeah, well, because if it’s not a part of what, if it’s just kind of a bolt-on at the end, you’re not going to really do nearly as much, or probably an adequate job, of protecting yourself. True. It’s got to be integrated in everything you’re doing from, like you said, you know, we don’t have Apple Watches in our facility because of this, if that’s a security threat. Whereas if you don’t think about it, it might not be something, even, you know, if you didn’t look down to that level, that someone might do it and not even know, and they’ve created a vulnerability that someone exploits and
Bill Palifka 24:17
boom, boom. Well, and you know, so you bring up a point about policies, right? You know, it’s important to have policies around this stuff and be able to educate people inside of your company on why these things are. And oftentimes, we’re working with people to build this into their quality management processes, right? Yeah.
We’re putting in the policies and procedures so people know what Bring Your Own Device looks like, right, inside of a company, or, you know, how do you handle media and storage, and, you know, what is appropriate use, right, you know, while you’re at work, and what software is approved today for using on company property, right. You know, the other thing too is, if you are worried about your company, you know, start with the end in mind, right?
You know, and so have good recovery processes, right? You know, that is something that I often say to people, right? Because in cybersecurity, it might not be a question of if, it’s more of a thing like when, right. And so if you’re putting energy and effort into what your recovery processes are, right, and how to restore, and you have a disaster recovery system, right, even if you’re a small company, you can afford a disaster recovery system. There are tools out there that, you know, for a couple hundred bucks can help you retrieve your data and restore systems, right?
And if you’re not looking at those things on the recovery side, that can make the difference of you losing your data forever, or being down for a couple days. Yeah. Right. And so, you know, we really have to come at cybersecurity from a lot of different angles.
Damon Pistulka 26:03
Yeah, and when you look at disaster recovery, if you even just look at, you know, and let’s face it, I’m older, and I’m coming from a time in the past, and a lot of this stuff was from being in the businesses and actually in them, right, and running them and stuff, other than an advisory basis like I do now. But you know, back in the day, you have backups, you had those kinds of things and doing that. But realistically, today, even just having backups isn’t good. Because if you just say you’re backing up for a month, and you have a backup sequence that even has once a month you do a backup, and then you have a year of that, and then you’re doing daily backups for 60 days, just say you got 60 days of daily backups. If someone has been sitting on your network and planted something halfway through it, it doesn’t do you any good. I mean, I just think of stuff like that. And I’m just like, wow, yeah.
Bill Palifka 27:02
There’s ways though to set up your recovery systems, right? Okay. Like your restore processes, right, you know, re-imaging machines and, okay, restoring email files and, yeah, it’s gotten a lot better.
Damon Pistulka 27:16
Good, good, because I sit here and think about this once in a while. I’m like, how the heck, but you gotta, I know good minds have been working on it. And that’s good to know. Because, you know, having people like yourself and people that are really focusing in on making it harder for the bad guys just makes me smile every day. Because, you know, honestly, I think, you know, ransomware, not just being a financial suck, it really stinks that there are people out there that do this. And, you know, people work so hard to create good businesses and then you see something like that happen. It’s just a shame.
Bill Palifka 27:55
Well, and you know, the bad part about ransomware, and ransomware is prolific right now. I mean, they say every seven minutes a company has been ransomwared, and, you know, what we’re hearing on the news with T-Mobile’s data breach or, you know, Colonial Pipeline or any of this stuff, those are just the big ones, right? You know, we’re not hearing about all the little ones that are happening every day.
And there can’t be anything worse than all of a sudden your screen coming up and you have a flash thing, hey, your files are all encrypted and now you have to pay this ransom, and, you know, you have like four days before we erase everything or we put it on the dark web, or, you know, whatever. Yeah, whatever they’re gonna do, right? And, you know, yeah, it’s just sad, right? And so there are things though to be aware of if these things happen, right? You know, isolate the computer, unplug, right?
So limit the damage, right? Call in experts, you know. If you have insurance you can get a breach coach, but sometimes you want to move quicker, right? Also identify kind of what the virus is that has been deployed and, you know, you can check these things and see if there are known remediation issues. Sometimes the security practitioners have already figured out what the keys are, and so you don’t have to pay the ransom, they have the keys and they can unlock it. I won’t say that a lot. But, you know, you never know, and, you know, if that’s not the case, you know, then you got to escalate through these. Yeah, right. Yeah. So
Damon Pistulka 29:40
Wow, that’s, yeah, that is, yeah. That you just see the big companies get hit by it and you realize that that’s just the tip of the iceberg is pretty scary.
Bill Palifka 29:53
Yeah, it for sure is an interesting space. Yeah.
Damon Pistulka 29:57
So you mentioned something about the danger of end-of-life systems. You know, we touched on it a little bit with your Windows 7 computer in the corner that’s attached to something, but what are you talking about with the dangers of end-of-life systems? Yeah, yeah.
Bill Palifka 30:19
So the challenge with end-of-life systems is, it doesn’t guarantee that you’re going to get hacked, right? You know, but the problem with end-of-life systems, it goes back to that patch management strategy, right. And what an end-of-life system means is that it’s now become a non-supported piece of hardware or software, right? Which means there are never going to be any more patches for that software.
And so, you know, the community that has malicious intent, or, you know, they gang up on these types of systems, because they know companies aren’t going to support them, but they know they’re inside of companies, right. And so they find methods to breach the systems, and, because again, you know, the company that is no longer going to support it, there’s never gonna be a fix for it.
And so, you know, if you have a Windows 7 machine, I could look right now on the internet, I could find tons of strategies to breach these systems. There’s paid ones, so you don’t even have to be technical, you could pay a couple bucks, and somebody will give you the tool that will breach that system. And so that’s why, you know, having a good strategy on managing your assets, and, you know, figuring out what your capital expenses are, and building that in and forecasting that to replace these systems.
That’s why it’s important, because, again, you know, there’s just no solution for an end-of-life system. And that includes your servers. A lot of times we see people using old servers, right? And it’s like, you know, when you start a business, you’re trying to, you know, pinch every penny, right, and you’re like, hey, I got this server, and we need a place to store stuff. So let’s use it, right? And then, you know, you start getting bigger and more successful.
And, you know, there’s other problems throughout your day. You got to try to find, you know, employees to work your machinery, or, you know, you’re negotiating with your suppliers and trying to get your goods and materials, you know, the cost now, right? You forget that that old server’s just out there, right? Yeah. And you’re throwing more stuff on it, more stuff on it, and days just keep going by, right. And then again, it’s just out there. Right? That door never gets closed. So yeah, it happens. But it’s something to be aware of.
Damon Pistulka 32:43
Well, we were talking earlier, you you’ve been working on some software, that’s kind of interesting, that helps you visualize supply chain risk. Yeah. Can you talk a little bit about that? I think that’s really interesting.
Bill Palifka 32:55
Yeah, well, you know, I think what we’re working on, you know, is it’s the concept of, you know, everything’s becoming interconnected, right. And the data is out there to see these vulnerabilities and kind of identify where risk is, right. You know, as security experts, we’re always trying to mitigate the risk, we’re always trying to raise the cost to the adversary, so you know, the tenets of security don’t change, right.
And so when you want to see if you’re your larger company, right, you want to see kind of where that risk is even beyond your walls. And so we’re working on ways to help the the small company, you know, flow up what they’re doing in the big companies to receive it, so that they can see what that risk is, right.
And then we also want to support the workflows to really help build a good security program around that and you know, a lot of what the software will do, it will help discover your assets, it will help with that patch management strategy. it’ll, it’ll show the controls and how you start to put the controls in place so that you can feel better about your business and knowing that you’re, you’re putting rigor and discipline in place around cybersecurity and really try to reduce that footprint and risk but then have a reporting system that shares what you’re doing.
Damon Pistulka 34:15
Yeah, yeah, because it is when you start to think about some you know, even just say I’m making you know, the best bicycle in the world with the greatest IP and you know, all the other kinds of crazy just say I just some just radical design that everybody wants to get their hands on and, and I’m making this bicycle, your your, your overall cybersecurity risk is the, the, the least secure piece in that link in your supply chain. Absolutely. And again,
Bill Palifka 34:45
going to the hacker mindset is, you know, not necessarily to work hard, right? It’s to find some of these least paths of resistance. And, you know, for all this information technology systems for all these bots and systems Things that we’re automating, right? You know, they do a lot of good in the world, they’re also being used to do bad. So you know, it’s automating the process of discoveries and finding things and bots, you know, constantly surfing and pinging up against things. So, you know, it changes the game a little bit. Yeah,
Damon Pistulka 35:20
no, it certainly does. It certainly does. Because it’s, it is. So that’s, that’s pretty cool. I’m sitting here thinking about it. So so I’m Damon, I’m making an auto I decided I’ve got my new electric car company that I’ve formed, and I want to make sure my supply chain is, is solid from a cyber security standpoint, if I could, if if all my suppliers, cybersecurity information would flow up through to me so we can look at the entire supply chain, that would really be something. Yeah. And
Bill Palifka 35:52
that’s what we’re working on. Right? It’s Yeah, it’s a really kind of, again, like I said, the data is already out there, it’s how do you start to put it together and visualize it? So you can see in new ways, right? And that’s what we’re helping organizations do and, and again, you know, the regular in some industries, it’s being regulated. Right, you know, there you go into the defense industrial base, right?
Yeah, you work for a company that’s building a next generation airplane system more, you know, we have our commercial space and federal space programs, right, that are all converging together. And, you know, just think of how many, how many companies help support these systems, right? Yeah. Oh, yeah.
Damon Pistulka 36:34
Yeah, you just look at just look at this two names, you know, SpaceX and, and, and NASA, how they work together, and how something like that would be just so hard to Yeah, and add them just to fathom, in one little piece of one little sub unit, how many, just trinkets come from all over the world from a gazillion different suppliers to come together to make this work. And you are, you are at the mercy of the least secure one of them all.
Bill Palifka 37:07
That’s, that’s it, and, you know, in some, some are embedded into critical processes, right, you know, to keep keep these things moving. And, and so that’s why I think you’re, you’re seeing things like CMMC come up, right? Yeah. If you’re not familiar with that, it’s a program that the DoD has created, it’s really to help kind of, you know, raise everybody’s capability around cybersecurity, so that they can have a higher confidence.
And if you’re working with the DoD, you’re going to have to hit these standards. And that standard, you know, isn’t just for the prime contractor. It’s also for all of the other people underneath of them, too. And so you, you know, these things are going to, for some industries, not be a nice to have anymore.
Damon Pistulka 37:56
You make a great point, we hear a lot of people talking about the CMMC. And you know, I know NIST is doing a big push on it now to try the training around it, just then the thought and the the talk around it, it’s pretty, that’s gonna be pretty significant. And when is it that people have to be compliant with it?
Bill Palifka 38:15
Yeah, you know, so there’s good and bad with what’s happening with CMMC. Right now, they’re a little bit behind schedule, and you know, that’s causing some fragmentation, right, because everybody’s trying to prepare for it. But we’re really, I think, 90%, 95% of it’s already kind of solidified at this point. And we kind of know what’s going to be coming and it’s going to be rolling out over the next five years. Right?
So, okay, know, it. That’s the thing right now, it hasn’t officially come out, they’re a little bit behind, they’re eight, nine months behind where they thought they were going to be for the initial call out, and, but but it’s coming. And if it’s not CMMC, it’s gonna be it’s gonna be something that there’ll be another standard. And in a lot of times what we’re saying to folks, if you’re following NIST, and you’re following this 171, and you’re following 172, you’re going to be in pretty good shape and be prepared for CMMC. Right?
And because all these frameworks, they build off of one another, it’s sometimes it’s the order goes a little bit different. Maybe they’re, they’re mixing technology and the physical world, and, you know, like, they want to be concerned about earthquakes, and are you in flood zones, and, you know, they, they, they mix some of this stuff up a little bit. But in general, the tenets of security don’t change.
Giggle a little bit. You’re saying I had to make some it up? Yeah, that’s, that’s funny, but it’s true. It’s fun.
Bill Palifka 39:50
And that’s why again, we’d like going back to your crown jewels, right? You know, what is really important to your business, right, and, you know, it should be independent of the frameworks out there. You know these frameworks are great for communicating what you’re doing but you know build a program to secure your your what’s really truly important to you right yeah and it shouldn’t shouldn’t only be tied to a moment Damon it’s it’s not we see this sometimes right there’s a check the box I think we’ve seen this with ISO right yeah.
Quality, you know, when you have audits and stuff like that some people are like we just got to get through it, right. But with cyber, you know, getting through it could have negative impacts if you don’t secure your business. Again, it’s, so you know, it’s priorities, we know it’s hard for people. You know, it’s kind of like a roof, nobody really likes putting a roof on their house, they’d rather have that nice granite in your kitchen, but you know, have a rainy season and have a bad roof, right? Yeah. And you find that that money is really well spent,
Damon Pistulka 40:54
that’s for sure. Well, we had David commenting, he said it’s amazing to think about your risk from this perspective, and I’d have to agree. It’s when you, when you start to think about the amount and the, the ways that people can, can come in and do bad things, it is a little bit daunting, but you know
Bill Palifka 41:15
and that’s why we go back to you know, simplify it right yeah, you do some of these basic things you know, get your foundation in order right you know, just like what you’re doing in manufacturing you just didn’t go out and become a completely efficient machine and everything you know, you start somewhere you get that foundation built, then you go back and you optimize it and optimization usually is like you’re you’re putting your policies and procedures in your you’re doing training with your employees and you’re helping educate right and then you afterwards you after you’ve done that, you want to really optimize it right?
And and when we say that your date your disaster recovery is completely locked in right you you’re running exercises, people are able to know what needs to happen if things are have happened, right? You’re also maybe doing some more advanced things like monitoring log files that come out of your systems out of your email out of your file management, you’re monitoring network traffic and maybe you’re using partners to help that or or maybe you’re at this point in your company where you’re big enough and you’re starting to build your own little system to do yeah and so it’s interesting to watch as as businesses evolve and they get larger and how they how they build these things. So I
Damon Pistulka 42:38
bet I bet I was just writing down you know that disaster recovery exercise is man and and it is I mean you have to practice it’s like doing fire drills you got it you got to do it until you understand it
Bill Palifka 42:50
in these these exercises can be as complicated as like replicated sandboxes with IT systems or or as simple as just a card exercise hey you know this computer has a ransomware what do you do Who do you call What did he you know? And you just walk through these things right and it’s like huh and then you’re like well David fixes that Well David left three months ago well who doesn’t know
Damon Pistulka 43:17
it’s a great that’s a that’s a great a very simple example that every business should be able to do is like you know what happens? Yeah, and it’s it’s really simple. Ah, all right. That that that makes me feel a lot better I mean because when you you know it can be daunting but when you when you go back and talk about like you said the basics understanding your true value, most valuable assets, do good patch management and good password hygiene and maybe use multi factor authentication that’s gonna that’s gonna move you up the chain as far as how easy it is to get in at least and maybe get you going down we call
Bill Palifka 43:59
that raise the cost to the adversary, make, make it hard, put some speed bumps in the way, close the doors, lock the windows. I mean, you know, like, Damon, how hard is it to, you know, knock the window going, you know, but but just the simple fact that a window is sometimes locked, right, your, your ports, you’re not, you don’t have too many things on your, you got all the deadweight systems and old legacy stuff off your network. So yeah,
you know it’s cleaning your house right you know it’s it’s and you do this on your plant floors right? Yeah, you know you go through your business you got to treat your IT systems you got to treat your data you got to treat your crown jewels the same way Yeah, yeah,
Damon Pistulka 44:43
for sure. Well, Bill it’s been awesome talking to you man. Because it’s just your wealth of knowledge in this and I know I know that you know, you you’ve you’ve seen the bad and you the the road, the Road Rash is there and and it’s a Come out alive. So that’s good. Well, we
Bill Palifka 45:02
we’ve seen the good too. And you know there are people doing some amazing stuff out there and, and a lot of people there to help, too. Yeah. So and I have to say, Damon, thank you very much. This has been awesome. I enjoyed talking with you. And you know, it’s an amazing thing that you do for your community here with the face of business and yeah, just good stuff. I’m happy to be here.
Damon Pistulka 45:25
Well, thanks so much for being here. Again. We got Bill Palifka from Canada today, the name of your company, so I know right
Bill Palifka 45:33
time, onyx. onyx. Yeah,
Damon Pistulka 45:37
yes, I’m onyx. There we go. I said, thanks so much for being here, Bill, if someone wants to get a hold of you, as is reaching out on LinkedIn, and good way to get a hold of you.
Bill Palifka 45:45
Absolutely. And, you know, and any of your friends and contacts, if they reach out to you, I’ll make sure you have my contact info too. So all
Damon Pistulka 45:53
right. Well, thanks, everyone for listening today. Thanks, Bill for being here. We are actually going to take a break. I’m not going to be on next week because I’ve got some family in town and we’re going to spend a little time together. But we will be back after that with more fun guests talking about different things around business and life and technology. So thanks a lot.