Host: Jeremy Cherny interviews Gjeret Stein, Owner of Ultra Scary LLC.
“I started in the IT world in 1994. I started learning computers and an operating system called Open DMS. So anybody who knows about DMS is usually old and has gray hair. In the 2000s, I became an IT administrator for a couple of different companies in the Milwaukee area. Then, in 2007, I decided to strike out on my own. So currently, I run an IT services company (Ultra Scary LLC) for small and medium businesses. We focus on security because that’s sorely lacking in the small-to-medium business space.”
What got you interested in security?
It’s always been something that we dabbled with, we just never saw a reason to sell it. Mostly because I’m not that smart in that world. But one of our clients used to forward their emails from their on-premise mail server to their AOL account because they did not like the on-premise 2003 mail server. However, their AOL account got breached and they didn’t know about it. So the sales manager that was doing this was going on vacation, and suddenly, the CFO got an email from him, stating that a vendor didn’t get paid and was going to pull all of their products until one of their old bills was paid in full to the tune of $34,000. And the CFO was freaking out. He was sure that the bill was paid. But he didn’t want to piss off this huge vendor and was about to hit send on the wire transfer when the sales manager, the one who was hacked, walked in the door and said, “Hey, I’m on the way to the airport, I just want to stop by and say hi before I hop on the airplane.” And that’s when we discovered that that was not a real email. That was an attack vector we never thought about and so we started to relook at not only our processes but what the processes of our clients were.
How do you stay on top of the latest security threats?
Constant training, constant training, and constant reassurance that if they slip up, it’s not that big of a deal. Everybody makes mistakes. One of the worst things I have seen is when there’s a phishing attack or a phishing exercise, and somebody clicks on the wrong link. And then IT comes in and starts berating the user who did click on the link – who made the mistake. All that does is reinforce to that user that they’re going to hide when they do something wrong. Where you go, “Yes, it’s okay that you made a mistake, let’s go find out what the damage is, let’s go fix it.” Then when they do something that they weren’t supposed to do again, they’re more upfront. They’re there knowing that, yeah, it’s okay. I’m not gonna get fired because I clicked on this.
What are some ways that people can protect themselves online?
Different passwords for all of the different sites that they use. We actually recommend going old-school and using a binder to write down what the different passwords are. So if somebody has physical access to your computer – unless you’re in high security or the HIPAA space, you’ll walk into a receptionist desk, and you need to know the receptionist passwords, if it’s not on the sticky on the screen, it’s underneath the keyboard or underneath the mousepad. Right. So we just take it one step farther and have a notepad that is in a locked drawer that has a list of their passwords. And they make sure that each one is different. And each one is a bit more memorable.