Uncle Marv interviews Ann Westerheim from Ekaru about her book "Cybersecurity for Main Street" and discusses the importance of cybersecurity for small businesses, recent incidents, and the value of ASCII membership.
In this episode of the IT Business Podcast, Uncle Marv interviews Ann Westerheim from Ekaru at the ASCII EDGE event in Boston. Ann discusses her book "Cybersecurity for Main Street, Cyber Fit in 21 Days," which aims to simplify cybersecurity concepts for small businesses. She emphasizes the importance of basic security measures like multi-factor authentication and explains how her book has led to speaking opportunities.
The conversation examines recent cybersecurity incidents, including the CrowdStrike update issue, and how these events raise awareness among businesses. Ann and Uncle Marv stress the importance of incident response planning and testing, as well as the need for continuous cybersecurity education.
They also discuss the challenges of convincing clients to invest in cybersecurity measures, highlighting the need to frame the conversation in terms of business risk and potential financial impact. The interview concludes with Ann sharing her experiences as an ASCII member and the benefits of attending industry events.
=== Show Information
Website: https://www.itbusinesspodcast.com/
Host: Marvin Bee
[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast powered by NetAlly presenting live from Boston as we are at the ASCII EDGE event and I'm here with yet another ASCII member and another female as the Godfather Rob Ray walks by and interrupts the show. Ann Westerheim from Ekaru is in the house. Ann, how are you?
[Ann Westerheim]
I'm doing very well.
[Uncle Marv]
All right. So we last spoke, was it one year or two years ago?
[Ann Westerheim]
Probably a year ago.
[Uncle Marv]
A year ago. You had just put out your book, Cybersecurity on Main Street.
[Ann Westerheim]
Yes, Cybersecurity for Main Street, Cyber Fit in 21 Days.
[Uncle Marv]
Okay. And how has life been since then?
[Ann Westerheim]
Yeah, it's been great. I'm really passionate about getting the cybersecurity message out to small businesses. I think people see the headlines, they think, oh, I'm not a Fortune 500 company, that's in the news, so I'm not going to be a target and trying to give people really simple and straightforward strategies to improve cybersecurity.
It doesn't have to cost a lot of money.
[Uncle Marv]
All right. Ann, I'm assuming book sales are good because you're on the Amazon and you've got a couple of other places. So sales are going well?
[Ann Westerheim]
Yeah, sales are going well and I've actually gotten a few speaking opportunities out of it.
[Uncle Marv]
Nice.
[Ann Westerheim]
And so then I'm bringing the books to the speaking opportunities, which has been great. It's a really good conversation opener. And I've also talked to a lot of people in the community who've mentioned, oh, yeah, I'm thinking about writing a book and highly encourage it.
It opens up a lot of new doors.
[Uncle Marv]
Well, let's talk about that. Forget ASCII for now. Let's talk about that.
So when you went out, I don't know if I asked you specifically when you wrote the book, if it was truly targeted for small businesses for you to obviously get more business or if it was just in general.
[Ann Westerheim]
It was just in general. I'm really passionate about the topic of getting technology out to the last mile of users. So a lot of times bigger organizations have full IT departments, they have large budgets, and then small businesses can wind up falling behind both on the competitive advantages of technology and also falling behind on the risks that come along with technology.
And I've kind of wanted to write a book about making technology simple for a number of years. And finally, it's been on my to-do list, you know, I want to do this one day. And then finally, I got so annoyed with myself, like, okay, I'm finishing it.
I'm doing this now and blocked out a lot of time on my calendar. And I just said, I came up with the concept of 21 days, kind of like a fitness book. And then just block time every day and I'm going to write.
And then I'll go back and edit and fix it. But that's the hard part, getting something on paper.
[Uncle Marv]
Now, have you done a revision that has published since?
[Ann Westerheim]
I'm planning on doing a revision in April, and now I'm saying it out loud. I've got April, September, what's the month that comes after August, September. And what I want to do is incorporate a lot of what's going on in AI.
So AI, everybody's talking about it now, and there's huge implications within cybersecurity. So it used to be, you know, you can spot a phishing email because it had really bad grammar. Now anybody can just write something with ChatGPT that sounds really good, sounds compelling.
And that's making phishing a lot more sophisticated. And that's, you know, what comes in your email box, that's like 90% of cybersecurity threats originate because there's something in the inbox.
[Uncle Marv]
I just had a user yesterday, so a law firm, of course. Yes. We finally were able to implement 365 Defender for their tenant.
And one of the attorneys was annoyed with the little message banner that comes up saying, this email originated outside of your, you know, you don't receive. And he's like, can you turn that off? And I'm like, no, we're turning this on to protect you.
And we have to make sure it works.
[Ann Westerheim]
Yes.
[Uncle Marv]
So even little things like that, people are still resistant to even the little things that can protect them.
[Ann Westerheim]
Yeah, and I think that that's the core message I have. There's a few strategic and very simple things that you can do. So that little banner at the top that says it's from outside your organization, maybe you'll slow down a nanosecond before you click on that link.
You know, so it makes a difference. And multi-factor authentication. So, you know, the Microsoft reports 99.99% of security incidents on 365 happen on accounts that don't have MFA. And MFA is free. But we hear the same thing, like, oh, no, there's no way. Our CEO, absolutely not.
They don't want to have to put in another code. And then there's also the folks out there who think that, well, I don't want to enter code every time I send or receive a message. It's like, well, that's not exactly how Microsoft 365 works.
So there's misconceptions out there. So, yeah, you introduce a little inconvenience. Not a lot of inconvenience, though.
Yeah, people get over it.
[Uncle Marv]
Yeah, it's not as bad as they think. And they're doing it in other places. You know, they're doing it when they sign into their bank now.
They're doing it, you know, when they know they have to be secure with their bank information. And I tell them, look, this is your business. You have to be just as secure, if not more, than your bank.
[Ann Westerheim]
Yeah, absolutely. And I think also one of my goals with the book was trying to explain things in plain English to basically give people confidence about not being intimidated by MFA. You know, what's all these three-letter acronyms that are out there?
People get intimidated and then they shut down. And so trying to empower people with some knowledge, like, OK, I get this. Like, I understand my password can get leaked out there through no fault of my own.
But if I got the second code, it's a lot harder for somebody to break into an account. And then it's like, ah, the light bulb goes off.
[Uncle Marv]
Yeah. Another great example with another client that we turned on their two factor is they got the little pop up and they're like, wait a minute. I'm not even using my email.
[Ann Westerheim]
Oh, yeah.
[Uncle Marv]
And I'm like, well, there you go.
[Ann Westerheim]
Yes. That means somebody tried. So and if they got to MFA, that means they had your password.
[Uncle Marv]
Right. So now it's so can we change your password? Can we turn on conditional access?
[Ann Westerheim]
Yes.
[Uncle Marv]
Because there shouldn't be anybody logging into your email from Hong Kong.
[Ann Westerheim]
Yeah, yeah. Definitely.
[Uncle Marv]
So they're like, OK, and it's a shame we have to, you know, have to have something happen to retroactively go back and protect.
[Ann Westerheim]
Yeah. But I think it makes the threat real. Otherwise, it's hypothetical and human nature is it's not going to happen.
Of course, people say that if a hurricane comes through a tornado or whatever, I never thought this would happen to me. And that's human nature as well. So when something happens, that's a close call.
It's a wakeup call. Or maybe, you know, now what we see more and more is somebody like, oh, yeah, my best friend, you know, their law firm just got hit with this. What are we doing to prevent that?
So it's more and more in the conversation.
[Uncle Marv]
So the closest that we've had, my wife, her son, my stepson, works at a company in Ohio. They their parent company got hit.
[Ann Westerheim]
Oh, wow.
[Uncle Marv]
They're just a packaging company.
[Ann Westerheim]
Yes.
[Uncle Marv]
They, you know, corrugated packaging.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And they were shut down for a week from an event that didn't happen at their office. It happened at their parent office and shut down multiple plants for a week. And so all of a sudden, she's asking me all these questions.
I'm like, you've lived with me and worked with me for how long? You never had any interest in this.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And all of a sudden, my son can't work.
[Ann Westerheim]
I'm like, well. Yeah. And it's, you know, so for better or worse, that at least brings it into the conversation and gets people thinking.
I think a lot of people on Friday were asking, what's CrowdStrike?
[Uncle Marv]
Oh, yeah.
[Ann Westerheim]
Having managed detection and response, extremely important as part of a cybersecurity plan. So you can't go without it. But yeah, then you do add complexity.
There's more patches and updates. And then one of them went really, really bad. But the flip side is you're at way greater risk to not have the protections in place.
[Uncle Marv]
Did you get any calls at like 5:30, 7:30 in the morning?
[Ann Westerheim]
So we're lucky that we use a different MDR. So but it could have gone either way. It could have been the one we use. And Microsoft occasionally has a bad update.
So what we got was so fortunately, nobody was down in our direct community. But we did get a lot of questions like, is this going to happen to me? Like, should I not reboot?
And so we did an email blast in the morning to let people know. And I think, you know, CrowdStrike immediately, the CEO went out there in the media and said, this is not a cyber-attack. This is a known issue.
And they had a fix in place. So I think they did a good job communicating. But it was interesting people because what people heard is Microsoft is down.
[Uncle Marv]
Well, they heard Microsoft and they heard government.
[Ann Westerheim]
Yes.
[Uncle Marv]
Airlines.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And it was like, oh, goodness, we are under attack. And that was the call that I got. We didn't have CrowdStrike implemented for them either.
But they just, you know, assumed I said, no, if you check back on the news, it's already been determined it was an update, not a cyber-attack. But it did spark a deeper conversation where they asked, OK, so what if we have a bad update? You know, will we be able to keep working with our redundancies and our backups?
I said, well, we have two different things we're talking about. So he's like, all right, well, let's set up a meeting in a couple of weeks to discuss our resiliency, not just cyber wise, but business wise.
[Ann Westerheim]
Yeah. And we did we do our weekly team meetings and we had a mini incident response conversation this past Tuesday. You know, what if it had been the software product that we use?
[Uncle Marv]
Right.
[Ann Westerheim]
What would we do? And it was good to think, you know, get the whole team thinking about it. A big fan of incident response exercises and they can be super simple.
This was just a conversation. It could have it could have been our tool. Then what?
And getting people talking about that and thinking about it, because a lot of incident response is like, OK, if one customer is impacted, what do you do? This is OK. If all your customers are impacted at the same time, what do you do?
A little different conversation. Yeah. But better to think about that in advance, build some muscle memory, muscle strength, you know, because, you know, who knows, one day you have to face that.
We've heard the stories in the industry and.
[Uncle Marv]
Yeah.
[Ann Westerheim]
Scary thought. I don't like to think about it, but better to have do some planning.
[Uncle Marv]
It is. And getting the customers to realize, you know, somehow we need to test this to make sure it works.
[Ann Westerheim]
Yeah.
[Uncle Marv]
That's always the kicker.
[Ann Westerheim]
Yeah.
[Uncle Marv]
You know, you mean we got to be down as well? Hopefully not if it works according to plan. But we have to try.
[Ann Westerheim]
Yeah. And I had, you know, we've anybody in the MSP space has had a lot of funny conversations. I had a guy like total firecracker, high energy guy.
So, well, if we're ever down, I'm just going to drive to Staples and buy a brand new server and we'll be back up again right away. Like, yeah, that's not a plan.
[Uncle Marv]
First of all, no servers at Staples.
[Ann Westerheim]
Yeah. It's like, oh, gosh. But people have these misconceptions.
So I'm in a talk I've done recently, I talk about how our cybersecurity conference conversations are like public awareness conversations about, you know, no smoking. You don't have one conversation with somebody telling one smoking's bad for you. And that's it.
You know, there's Smokey the Bear. And, you know, only you can prevent forest fires. I think you need repetition.
You need people to think about it. And then one day the light bulb goes off. And many years ago, we had a law firm that we work with get hit with an incident and we were able to recover them quickly.
But they didn't. They could not get the BDR, the backup disaster recovery server, in place fast enough after that. And he said, Ann, I know you've told me a hundred times I need to do this.
But whenever you said disaster, I thought, well, we're on the second floor, so we're not going to have a flood. And we're in a brick building. I don't think he's like.
And it's just funny because he told me he said, I know you told me a hundred times.
[Uncle Marv]
Yeah.
[Ann Westerheim]
Yep. And then he couldn't act fast enough because now, you know, rest assured you can fail over when you need to while the other systems are offline.
[Uncle Marv]
I think that's one of the hardest concepts to get across. And I'm in Florida. So the only disaster that people think about is hurricane.
Yeah.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And only if it's a cat four or five.
[Ann Westerheim]
Yeah.
[Uncle Marv]
They assume a cat one. They'll be fine. However, we have been lucky where some cat one storms have come out and knocked out power for 10, 12 days and redefine what they thought disaster meant.
[Ann Westerheim]
Yeah.
[Uncle Marv]
So disaster can mean so many things. And trying to anticipate all of them is the hard part. And the bottom line is just plan for everything, anything to go wrong that can affect your business.
[Ann Westerheim]
And then, you know, you talked about your son out there not able to work for a week. What's the impact on a business? So it's not a lot of times we talk about the technology and I'm having a phone call tomorrow with a client said, well, you know, this overlaps with that.
So we can save some money by taking this one piece of protection out for the amount of money that this one thing costs. I would not take that risk. Like, why add a huge amount of risk to your organization?
It's about 365 security alerting. Why take on that risk in exchange for saving a really tiny amount of money? OK, think about the risk.
And that's how I think that's when people realize, OK, bring this to your board and talk about like, do you want to expose your organization to this risk? What did you say in your cybersecurity insurance questionnaire? Yes.
Did you say you have this protection in place? Because, oh, by the way, you won't have coverage. You won't have the coverage you think you have.
But getting people to reframe it and because, you know, sometimes it makes sense to have belt and suspenders, you know, just reduce risk any way you can.
[Uncle Marv]
Yeah. The best way that I came to explain this to one of my customers where when they wanted to cut a cost and I said, OK, well, how much is this in relation to your budget for the year? And they were kind of like, well, this is this is like, you know, point zero, zero, zero, whatever percent.
Yes. And I said, OK, so what I'm charging you, how much is that in relation to your income for the year, the revenue that you generate? And they're like, well, there's only this this is minuscule this, you know, probably we can make this up in an hour.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And I said, OK, but what if you couldn't work for an hour?
[Ann Westerheim]
Yeah.
[Uncle Marv]
How much would it cost you? And then it was like, well, OK, so we make this much per hour. And I'm like, OK, and then you have to pay employees during that time.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And they're like, oh, OK, well, that makes a huge difference.
[Ann Westerheim]
Yeah, definitely. So trying to reframe it into things that people can that they understand. So maybe if they're a finance person, they understand.
Like if you go beyond the simple math of, oh, I'm going to cut my expenses like that. Well, you know, you do have to watch your expenses. Budgets are not infinite, but you have to weigh that against the risk you're taking on.
And I think that's sometimes hard to get through. And I remember one conversation I tell my team about it wasn't about cybersecurity risk, but working in the medical office, we wanted to swap out some access points because they were just constantly having dropouts. And it was a pretty low cost.
It wasn't a huge facility. It was a pretty low cost solution. Practice manager.
Nope, nope, nope. Because she apparently was graded on keep costs down, keep costs down, keep costs down. Finally, I got to just quickly in two sentences explain it to the doctor.
Oh, this is going to this will reduce my dropouts. Do it right now because he sees the bigger picture of what the impact is. When a lot of the EHRs, I don't know if you work with medical offices, but I did.
[Uncle Marv]
And I had that same Wi-Fi discussion.
[Ann Westerheim]
Yeah, because some of the applications, the EHR applications, do not gracefully react to just a blip of a drop that you wouldn't notice with any other application. Yeah, like I got to log in again. But it was just interesting when you can frame it in a way like what's the impact on your organization to have these dropouts that because of how this software solution is architected causes you have to re-log in.
But the person responsible for it, you know, cut costs, cut costs, doesn't get that.
[Uncle Marv]
Yeah. The way that I was able to resolve that was to upgrade their Wi-Fi. They didn't understand until we talked about, OK, you're trying to upload x-rays during the day that you can't.
So somebody is actually staying after hours when the network performance is low, people have gone home and somebody is staying an hour every day to upload x-rays. If we could take away that hour and they were like, oh, I don't have to pay overtime.
[Ann Westerheim]
Yeah. Yeah. Yeah.
[Uncle Marv]
There's some discussion. So.
[Ann Westerheim]
Yeah.
[Uncle Marv]
All right. Well, and we kind of went down a rabbit hole. We didn't think we'd talk this long, but I'm glad we did.
I had wanted to get back in touch with you after the book to get an update. So thank you for that. I still have more questions, but I want to at least since we're here at the ASCII event, ask you about your time in ASCII and just recap, you know, one, how long have you been a member and what have you gained from the experience of being involved?
[Ann Westerheim]
Yes, I've been a member of ASCII probably 10 years.
[Uncle Marv]
OK.
[Ann Westerheim]
So like, OK, this is important industry organization. We should be members. And, you know, I'm really happy that the many conferences here in the Boston area because it's local.
I can just drive in here and I'm just reminded of like, oh, there's all these things I got to check out that I sort of like I knew they were there. So it's kind of just sparked me to reignite my interest in engagement and all the different resources. And there's some financial benefits, little perks that you get from vendors with the buying power of ASCII, which is great.
I probably was told or knew at one point I just reminded this morning about the peer groups that they have and consulting and a lot of marketing resources found out just before we started talking. There's a women's group that you mentioned. And so I love that it's here.
And I was able to attend and get reconnected. And I think the other thing is there's different ecosystems within the MSP community. So if you tend to be mostly in one, you don't always get exposed to what's in the other ones.
So, yeah, really happy I made the time to be here.
[Uncle Marv]
I'm surprised they hadn't tagged you for one of the spark groups.
[Ann Westerheim]
You know, they probably have my email inbox has gotten completely out of control. So I'm sure they've mentioned it to me and it didn't register. And sometimes maybe that's like when we're talking about our clients, when the light bulb goes off, like, oh, yeah, you have all this value.
And they're probably thinking, you know, we email you, we call you, we tell you all this stuff. But, yeah, good reminder for us when we're talking to our clients. But, yeah, really refreshing to be here.
And I thought the talks, I missed the first part of yesterday, but was in for the afternoon. And I thought the talks were really good. Saw some vendors I didn't really know a lot about that now I want to check out a little bit more.
Had some really great conversations at the table. That's always my favorite part to meet people because people are so willing to share information. Like we kind of like we all know we live in the same world.
We know what we can tell our stories and they get it.
[Uncle Marv]
Yeah. Much different than sitting home at the dinner table with the spouse who doesn't understand. Right.
[Ann Westerheim]
Yeah. Yeah. So the you start hearing the story and it's like, I know exactly what's going to happen next because that just happened to me.
[Uncle Marv]
All right. Well, Ann, I want to thank you for stopping by again. We've talked longer than we thought, but I appreciate it.
Thank you very much. The same thing that happens at the table. Right.
You get involved in a conversation and you got to stop to go to a session.
[Ann Westerheim]
And I'll reach out. So now I've said it out loud. I'm going to do my version 2.0 in September. So now I've got to hold myself accountable and get it done.
[Uncle Marv]
I will do that. I'm going to send you a reminder to let me know when that's released and I'll push that out for you and maybe get some insights on, you know, what revisions you made and why.
[Ann Westerheim]
Yeah.
[Uncle Marv]
And all of that stuff and the feedback that you've gotten. Yes.
[Ann Westerheim]
Yeah. So.
[Uncle Marv]
All right. Thank you much. And thank you, folks, for listening to another episode of the podcast.
Again, we are here live in Boston for ASCII Edge, one of the great events in the industry. They do nine on a regular basis. So they are near you at some point.
So head over to events.ascii.com and check them out and check back in here for another live show that we'll be doing. And we'll see you then. Holla!
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.