(Part 2) If you want to land a big money DoD contract, you had better have your cybersecurity ducks in a row. Learn how businesses can shield themselves (and our country) from hackers with nefarious plans, while attaining new levels of compliance that could open doors to receiving lucrative DoD contracts.
We invite Scott Singer, President of CyberNINES, to discuss.
Connect with Scott here: https://www.linkedin.com/in/scottfsinger/
Learn more about CyberNINES: https://cybernines.com/
Questions? Comments? Continue the discussion by requesting access to our exclusive WVF Facebook Group.
Wisconsin Veterans Forward is brought to you by the Wisconsin Veterans Chamber of Commerce, a nonprofit organization that serves veterans and military families by supporting veteran owned and veteran-friendly businesses throughout the state.
On behalf of our members, we serve as an advocate for Wisconsin’s veteran business community and promote economic opportunity for military veterans, military families, and veteran-friendly businesses.
Follow us on all platforms: https://linktr.ee/Wivetschamber
Intro & Outro Themes:
Barry Dallas - I’m Gone (https://uppbeat.io/t/barry-dallas/im-gone)
Noise Cake - Light It Up (https://uppbeat.io/t/noise-cake/light-it-up)
Speaker 1: Today on Wisconsin Veterans Forward, we continue our dialogue with Scott Singer of CyberNINES. We're talking about all things cybersecurity compliance and how being compliant in your cybersecurity endeavors, for your personal life or your business or whatever, not only is best practice to keep you and everybody else safe, but is an integral part of landing big-money federal and state government contracts. Boom. If you haven't listened to part one, you should probably get into that, but you're probably here because you already did. So let's get to part two right now. You are listening to Wisconsin Veterans Forward, Wisconsin's premier audio resource for veterans, military families, veteran-owned and veteran-friendly businesses. Wisconsin Veterans Forward is brought to you by the Wisconsin Veterans Chamber of Commerce, but I hadn't considered the compliance end of things. Is that relatively new, at least from a federal standpoint, to get those contracts?
Speaker 2: No, it's not. The requirement for being compliant for DoD contractors goes back to late 2013.
Speaker 1: Okay.
Speaker 2: So it's not a new requirement. What's changing is that the DoD has found that, well look, there are 300,000 companies in the defense industrial base supply chain. There are about 80,000 companies in the supply chain that handle very sensitive information called controlled unclassified information. Some people might know it as ITAR, for example, as a term, an export-controlled term. So this is information the DoD doesn't want to lose. It's not classified like a missile system, but it's one level down from that. Remember I was talking about that aircraft carrier, that flight deck, the elevator that would take the aircraft up to the flight deck? That's considered ITAR. So it's not classified confidential, secret, or top secret. It's ITAR; it's controlled unclassified information. And if the enemy gets that information, it's going to help their program quite a bit. It's going to be easier for them to build an aircraft carrier if they've got it. It's not a missile, but it's still important. The Joint Strike Fighter, what happened with it? Lockheed Martin got hacked. We were one of the companies that got hacked from the Lockheed Martin hack. Well, what happens is now you've got basically all these small businesses, all these suppliers. They're making a part for the landing gear. They're making a part for the wing. There's all kinds of stuff, but they're making one little part. One company might just be coding something, right? Lots of coding companies out there. So what happens is you have to share these drawings with these companies; these drawings get to all these different companies. And if they get hacked, well, it's easier to hack these small businesses than to attack one of these large prime contractors. And so they pull, they aggregate, right?
They take all these different drawings, put them together, and now together it's classified at a much higher level, and it helps them get things done. So if you look at the Chinese strike fighter, it looks a lot like our Joint Strike Fighter. And there's a reason for that. So that's where these regulations came from.
Speaker 1: They stole our intellectual property, pieced it together, and made their own Franken-fighter jet.
Speaker 2: They did. It looked a lot like ours.
Speaker 1: Good gravy. That makes... I don't know. I can't explain why that makes me so mad, but I'm like, <laugh> angry.
Speaker 2: Well, that's the real reason I'm sitting here right now doing what I do, because it really did make me mad.
Speaker 1: I believe it. We had a quick question from Jason over on Facebook, who asked how one gets veteran-owned certified. I posted this link: business.defense.gov. What you're looking for is the SDVOSB, the service-connected, disabled veteran-owned small business certification. That has a step-by-step guide. Not easy to get, obviously; it's kind of a drawn-out process. Well, it's simple, it's not easy. It may take you a minute, but it's worth it because it does give you priority in certain scenarios. Thank you for asking that question, Jason. I appreciate it. So Scott, how often do you deal with active attacks, or is it more like you create a barrier that just makes a hacker walk by the fortress and go, I'm not even going to try to storm that castle, they're taken care of?
Speaker 2: Sure. There's a least-path-of-resistance kind of thing there. We are more of a preventative company. We do some incident response post, you know, when something happens, but there are a lot of companies that are better at that than we are. We're much more upfront: let's put a program in place to protect this business. Let's put a program in place that meets the DoD's requirements. Remember I said it started back in 2013. Well, they're ratcheting down these requirements because what they found was all these companies weren't as secure as they should be. And so it's moving from a model of self-attestation, where companies just say, yeah, we're good, we're meeting the requirement, to the DoD saying, you know, trust but verify: we're going to have a third-party assessor come in and say that you are doing okay. That's where this is moving. And right now that's going to be in place in 2023, probably the October 1 timeframe, where you have to have all these requirements done and ready to go. So that's what we're working on. We're trying to move these companies along, put a program in place, prevent them from storming the castle.
Speaker 1: Right? So the goal is to create a massive titanium castle with a moat that's filled with alligators and, you know, motion-activated, laser-guided Gatling guns. Like you just want... no, not so much.
Speaker 2: No.
Speaker 1: Because you either have your doors locked or you don't.
Speaker 2: There are too many new threats happening all the time. You can't foresee everything that's going to hit you. So you have to have these good processes in place to react to it when it does happen. So you get hit by a ransomware attack, and ransomware attacks move laterally across your organization. So if you can catch it early and quarantine that machine, then it won't move to all the other machines and go into your server and go into your backup.
Speaker 1: So if a ransomware attack hits, let's say we've got five people on a business on...
Speaker 2: We lost your audio, Adam.
Speaker 1: Oh, lost my audio. Can you hear me now?
Speaker 2: Nope.
Speaker 1: That's awfully strange. Stand by. Huh? Folks, if you're watching, let me know if you can hear me. Hmm.
Speaker 2: Oh, got you.
Speaker 1: Got you back. Oh, that was strange.
Speaker 2: I dunno. The vagaries of the internet. Yeah.
Speaker 1: So let's say I am one of five people on a network in a business and I get hit with a ransomware attack, and we're able to quarantine it to that one computer. Is everything on that computer just done for? Do you just accept the loss and move on, or is there some way to stop it and process? I'm not really familiar with it at all.
Speaker 2: So if the machine is hit and it's ransomed, there's going to be a request for you to pay to get the machine back. So ideally, on a specific machine, we do not want the data stored that's really important for that company. We want it to be in a secure cloud or a secure server. That's where the data should be working, and that machine is a tool to access it and run things. So if that machine goes down, you don't want it to be the issue. Now, reality is people put a lot of files on their local machine, and it's going to be an issue. So what do you do? Do you pay the ransom? Do you not pay the ransom? Hopefully you have backups. And again, it's easier to back up data on a cloud or a server than it is to back up five computers; you only have to back up in one place versus backing up in five places. But if you don't have a backup, then you have to make a business decision about whether you want to pay a ransom or not. And there's really kind of an unknown issue here: it may be illegal to pay the ransom, because the government has what's called an entity list, a denied party list. And that ransomware company, because they are companies, they're people and companies, could be on the government's list that says you can't trade or interact with this company. So here you go and you pay the ransom, right? And now you get in trouble because they're on this no-fly-zone list.
Speaker 1: Yikes. That's a double whammy. So not only are you a victim of a ransomware attack, but you won't be able to fulfill the terms of your contract or get a contract ever again. That's <laugh> insane. That's probably the most mind-blowing part of this whole thing. I guess I had no idea that it was so pervasive. So my next question is: a lot of people have resistance to cloud storage. They think not storing locally is inherently less safe, and they hear stories about celebrities getting their iCloud photos hacked and getting sent out by paparazzi or whatever. But from what you're saying, a secure, high-tech, well-managed cloud storage environment is safer than storing things locally.
Speaker 2: Yes. I've come... I started in this place where everything was what we call on-prem, on premise: you store it locally. So if you hear that term on-prem, that's what that means, instead of in the cloud. You have to always remember, all the cloud is, is a computer someplace else.
Speaker 1: Okay.
Speaker 2: But it's still a computer. What makes the clouds better today than in the past is that they do have whole security teams working to help make these places secure. But it's a joint effort, right? Because if you have a real weak password to get into your email and Microsoft 365 in the cloud, well, it's still a threat. So you've got to do your part and they need to do their part, and together you can make a much more secure environment to work in.
Speaker 1: So what would you say to somebody who's resistant? Especially my generation and older usually say, well, we have our data files, we store them on our computer, I don't want to put them in somebody else's hands, I don't care if they have a whole army of people protecting them. How would you convince someone? Let's say I have a family member who I want to store their photos on the cloud so it doesn't take up 170 gigs on their computer. <laugh> How do I get them over that hump and let them know it's more secure?
Speaker 2: Yeah, no, that's a good question, because if you can do some things like I talked about before, about the USB drive and kind of disconnecting it, you can create a pretty safe environment for yourself. It doesn't scale very well, but you can create a pretty safe environment. So if you take a look at something like Microsoft Azure, that's the name of their cloud offering, or Amazon Web Services: again, they have secure facilities, so they're keeping people from being able to walk in. They've got cameras and they've got everything. So the building is much more secure than your house is going to be. Well, most houses. So that's one thing. The second thing is they've got a staff of people that just focus on security. The information is encrypted as it sits at rest in that data center. The other thing is, for example, with Azure, it is actually making three copies of the data all the time. So it's much more resistant to a ransomware attack, having three copies, versus having one copy and then having your USB connected and all of a sudden it crawls into that and you're dead. So those are just a couple of general thoughts I have related to that.
Speaker 1: Interesting. Oh man, my goodness. I'm sorry, I should have my phone on silent. Yikes. Bush league on my part. Sorry about that. Well, this has been really interesting and enlightening. So if I'm a business owner and I'm interested in learning more about CyberNINES and how I can get my business compliant in advance of the DoD in 2023 making it a no-joke, have-to-have-your-ducks-in-a-row, we're-not-even-going-to-talk-to-you sort of thing, how would I get in touch with you and CyberNINES?
Speaker 2: Well, cybernines.com is the easiest way to do it.
Speaker 1: Easy enough. I can totally make a banner out of that. I will make that banner. Any closing thoughts that you have before we adjourn for the day here?
Speaker 2: The basics go a long way. I can just repeat it again: having good backups, having strong passwords, keeping all your systems up to date and patched really is the place to start, regardless of whether it's cyber insurance or even as you get into more complex things, like you want to be a DoD contractor and are trying to work down all the requirements that they need from a cybersecurity perspective.
Speaker 1: Right on. Good stuff, Scott. Hey, I appreciate your time today. I'll ask you to hang on the line for just a minute so I can chat with you afterwards. And folks, you can see CyberNINES scrolling across the bottom there. Check Scott out. I know he is on LinkedIn; you can connect with him there as well. And check out cybernines.com. Look, cybersecurity may seem like a frivolous thing if you're old school. It's not anymore; it is an essential cornerstone of your business. You have to have your stuff situated. Your cybersecurity needs to be on point, because it's going to seem like a frivolous thing until you're in a situation where you wish that you had it, and then it can devastate your progress. It can shut down your business. It can destroy your personal finances. If you work for a small business, you are vulnerable. If you work for a nonprofit, you have a lot of data on a lot of people, a lot of their personally identifiable information on your donors. You have to have your cybersecurity stuff situated and then some. And if you own a medium or small business, if you're a corporate entity, you probably have a team, but you all need to have it figured out. And if you want to get those DoD contracts, like Scott said, even federal and state government contracts and corporate contracts, if you want to get into those supply chain pipelines, folks, you've got to have this underway. This is the new bar, the new standard. Get ahead of it and get it situated. Thanks, everybody. We will look forward to chatting with you same time next week. Thank you for listening to Wisconsin Veterans Forward, brought to you by the Wisconsin Veterans Chamber of Commerce. Don't forget to subscribe to this podcast and leave a rating and review on whatever platform you're listening through.