Working with the government can be very rewarding yet challenging especially when you are under contract. Today, Bob Roark talks to Mike Crandall, the CEO of Digital Beachhead which is a company that seeks to build customer trust and corporate value by delivering Information Technology (IT) and Consulting Services Solutions in inventive economical ways. Mike describes what they do, who their target audiences are, and what they look forward to. He shares how it is working with the government and how they find people to fulfill their contracts. He also talks about cybersecurity including how they protect their clients in this field.
Government Contracts And Cybersecurity With Mike Crandall
We have Mike Crandall. He’s the CEO of Digital Beachhead.
It is nice to be here. Thanks, Bob.
Mike, thank you so much for taking the time. Tell us about your business and who you serve.
My company is Digital Beachhead. It’s a term I coined on a performance report back when I was in the military and the commander asked me, “What is a digital beachhead? How dare you say you can protect it, that you’re in charge of it and that you’re so good at it?” I explained that he has email and that’s what I protected. Instead of a typical beachfront, you have the digital one, which was everywhere. His eyes lit up and he was like, “That digital beachhead is everywhere.” Years later, the Under Secretary of Defense used it in a speech, saying that the adversary had secured a digital beachhead on our network. They went from my performance report to a Wing Award on up. The Pentagon had heard the word and that got incorporated in a speech. I bought the name. We primarily focus on cybersecurity for the federal government, but I am branching out to provide cyber risk management for small and medium-sized businesses.
People don’t understand the designations of many government contracting businesses and you have a specific designation.
I am a Service Disabled Veteran Owned Small Business or SDVOSB.
Going back a little bit, you served in the Air Force and in the Middle East. Talk about a little bit of that experience and how that started to help you start this business.
Back in the day, before we had networks, during the First Gulf War, there were only a few PCs around. I got in trouble for breaking into one of those PCs. The commander explained how much money they paid to protect them and they had software that was supposed to be secure. There was a two keystroke per entry to get to the DOS Prompt. He effectively destroyed my “I’m in trouble” paperwork and said, “You are in charge of small computer security for the Air Force.” I was one young kid who didn’t know much. They sent me to school. I learned how to do some basic hacking and defensive work, as well as offensive work. In those days, you couldn’t network in to break into a computer so we had to touch them. If the adversary had some computer systems that they needed information off of, we had to go physically to the machine, wherever it may be, to gather the data. I got to work with some much more powerful and influential military people. The special forces people dragged me along as their computer boy. I trained with them but I wasn’t raised as one. I tagged along for the ride.
I think about the progress we all take to develop our careers. You had the Air Force time and then you had the time in the field and at some point, you rotate out of the military. Maybe it would be useful for the people that are curious, how do you go from being in the military and doing what you did to be qualified or where to do government contracting? What was your path?
When I retired, I was in almost 21 years. I got out like anyone else and thought, “It’s time to get a government contracting job and work doing the same job I’m doing, but for more money and wearing civilian clothes.”
We used to call it double-dipping.
You’ve got to double-dip for a couple of months while you’re on your terminal leave. I talked at the Air Force Academy a lot. I talked to the people that are getting out as part of their transition class and I tell them, “You can save up three months in that terminal leave.” I thought, “I’m going to do nothing in the first month.” I went to enjoy a 30-day vacation because everyone needs cyber people. I’m not going to get a job right away. I started putting out my resume, thinking, “Here comes to my job.” Thirty days later, I’m like, “I hope I get a job.” They did start rolling in. It wasn’t as easy as I thought. I ended up working for a large firm. I started doing proposal writing and I won a few things that I wrote. They let me manage the contracts. They said, “If you kill it, you can eat it.” If I won the work, I could PM or Program Manage the work. I went from having a few contracts, I was program managing to where they’re like, “We need to hire program managers. You don’t have enough time.” I became the Director of the program managers. I worked up from the guy writing it to be the Director of Operations for the company.
Did you have any of that experience in the Air Force?
None. The only thing I had and I tell the guys in the transition, we are taught to adapt and overcome. We are taught to figure things out. Everything was a process. What is the process? When I first got my program management gig, after the first thing I won, I went to the Senior Vice President and asked, “What do you need? What does this mean?” He gave me the spreadsheets and told me we’re looking about profit margins and this is what the people make. They said, “This is your wrap rate.” I asked, “What’s a wrap rate? Can you explain that to me, sir?” He explained it all to me.
What is a wrap rate?
It is basically what your company puts on for costs, G&A, which is your accounting and running of your company, general expenses and you tack that onto what an employee is making. Effectively, that’s what you’re charging the customer. He said, “Do you want your percentage to go up in what you’re making? You have to do that either by growing the contract, getting rid of employees who’ve been there a long time and hiring newer, fresher blood for less money.” There are all these different ways to do it. I jumped in and the thing in the military taught me was not to be afraid.
I know what crappy looks like. It doesn’t look like this.
My wife always yells at me because I’ve told her many times, I’m like, “Calm down. We’re not being shot at.” Which doesn’t make her very happy at all to say that she needs to calm down because we’re not taking fire. She’s since adapted to that and tells other people, “Calm down. You’re not taking fire.”
There’s no dirt in my food.
No one’s lobbing grenades at me at night. I could face them and ask questions. I wasn’t afraid to ask questions. I learned that in the military, if you don’t ask, you don’t know. Ask as many questions as you can and figure it out. I knew math. I was okay in math and I’m the computer guy. I used to tell my friends, “I did a lot of joint assignments,” and they always say, “We’re the chair force or the Air Force.” I would say, “Our officers or your officers look at you and say, ‘There’s a hill, go and take it.’ You’re not all going to make it, but you’re going to take this hill. As Air Force guys, I will look at our officers and say, ‘When you hop into that plane, sir, I do hope you come back and then I get a meal at the chow hall while they’re all fighting.’” I said, “Which one was the smarter?”
Having been in the army, yes. That was pretty apparent for a long time. You have the military experience. You’re in the computer space. You were on a leading edge of when computers were becoming mainstream. I can remember trying to network computers before networking was a thing.
I go back as far as a Windows 3.0, 5.0 and 1.0, which is where they took Windows 3.0 and 5.0 and Windows 1.0 was the networking component.
What was the networking software?
They had Novell. It follows that. I learned on Novell. The Marines use a lot of Banyan VINES. I was fortunate enough that from 1991 to 1992, I worked with General Blaisdell, who is a colonel then and General Skinner, who was a captain then. We developed a barrier reef, which is the whole idea of having a DMZ and a Boundary Protection System and Defense-in-Depth. It was basically five kids that didn’t know anything in a basement building and network with Linux boxes and Cisco PIX. That got passed out to the whole DOD. We were the first and no one cared. If they email it down, commanders had their secretaries printing them out and then writing on it and the secretary finishing it, sending it out or it’s right to your desk and everyone needs it on their phone. I said that the military people now have an issue with the young guys coming in because of everything’s click a box. The software comes and if you want a five email box, they click a box and say, “Five,” and it’s all done for them while we were going into every line of code and saying, “What does this do?” “That was bad. Build it all again and start from scratch.” We got to understand how things work from the bits up versus plug and play.
We were talking before and I said, “How would you get trained to do this? You said you went to work for a company where you did it.” You got OJT on the company for a period of time.
I worked for that large company for several years. They thought foolishly, I was going around to every office pricing and the marketing departments and saying, “Let me help you. I’m writing these proposals and I’m winning a few jobs. I’m managing these contracts, what do you do? How do you do it?” At first, they were like, “Don’t take my job.” I was like, “I’m not after your job. I’m happy doing what I’m doing, but that could help you by doing 90% of your work.” They perked up and thought that it was wonderful if I was going to be supporting them. I learned every position in the company. When I finally moved out on my own, I knew how to price. I knew what the wraps were and how they were divided and created and how G&A is incorporated.
I think about the old apprentice program, essentially. You go through and you apprenticed. Either they make you an offer that you can’t refuse to leave or you already know enough to leave. You were at the breakpoint, you go in like, “I’m considering going to do this on my own.” You finally made the decision when you went home and talked to your bride. What was that discussion like?
I effectively evolved in that since I am a service-disabled veteran. I have a retirement and a VA payment that will cover the house, so we won’t be homeless. We may have to live on ramen for a while, but can I have two years to live on the ramen? I had savings, but the joke was we’ll live bare necessities for a couple of years and see what happens. I was fortunate; by year three, I was at about $1 million in revenue.
We talked about $1 million in revenue. For the people that are reading going, “That’s not net.”
That’s the joy is when you start doing well and winning contracts. I remember that the first contract was $2.5 million over five years. My family was like, “You won $2.5 million?” I was like, “I didn’t win.” The company has won a chance to work and earn that money over the next five years. By the way, I have employees. That’s where that goes.
You look at all the overhead unanticipated, if somebody raises the cost of something, it eats into your margin and the government has a narrow view on the margin.
For profit, it’s against the law to charge more than 15%. It is the max by law and now you’re competing with everybody, so start scaling down from there. You’re lucky to get 5% to 8% when you’re doing well.
I think about an increase in rent, utility bills and healthcare costs.
With insurance, we have won a contract for the US Forces in Japan. The one thing you don’t factor in is, workmen’s comp that you paid for insurance in America doesn’t work in Japan. You have to buy something called the Defense Base Act, which workmen’s comp is pennies on the dollar. We pay about $12,000 a year for workmen’s comp, DBA for our overseas employees. It’s a big difference in pennies on the dollar.
You go, “Education is expensive in that world.” You made the decision to take and the wife says, “I’ll put up with you for a while.” You’re sitting there with your business firm, Digital Beachhead. What was the process like to go from day one to, “I’m going to start chasing contracts?”
It was eye-opening. I was ready to chase right away because I already knew how. I was like, “How do I respond to RFPs?” which is Request For a Price or Request For Proposal. It’s basically the government’s requirements that you respond to. I knew where to find them. I knew how to get them, but you have to register with the federal government. I had to go through their database to get registered to be a federal employee. To become a Service Disabled Veteran Owned Business, I had to register with the VA so that they could verify. There are two types, you can self identify, which is fine. If you’re VA certified then everybody knows that you’re not just saying you’re broken but the VA also knows it. Those took a long time.
They took longer than I thought. You couldn’t even start chasing work until you had at least the registration with the federal government to be a contractor, then which funds, how do we run this business? We need money. Fortunately for us, we were service-oriented, so we were trying to win butts in seats. We get a contract, hire the people to do the work. We had no initial overhead of employees or other things to worry about. My concern was when I do win that contract and I have employees to hire, how will I pay them? The government doesn’t pay you if you’re lucky in that 30 days, sometimes 60 days contracts and 90 days.
You can take a bunch of contracts and go broke.
You won’t see a dime for 60 to 90 days. I was going to the bank who said, “What is your collateral?” I had my laptop and my cell phone and said, “This is my business. This is all I need right now.” They’re like, “Thank you. Come back when you have something.”
Did you find a lending institution that understands contracting?
I have. I funded it on my own, at first. You have to put up or shut up and I put the money in knowing that if you win a contract and you have that contract, that money is not at risk. The employees get paid well for the work they did and the government will pay us for that work. Whatever I’ve put into the employees to be paid, even if they cancel the contract after a month, they might take me 30 to 60 days, but they would pay for that month of work. There’s no real risk. I’ve since found a company called StreetShares. They are a veteran-run business and they will effectively pay payroll for you on contracts you’ve won. If you go to them and say, “This is my contract. It’s signed. We’re ready and I need the money.” They’ll turn it around in two weeks. They’ll give you all if you need extra for miscellaneous insurance and other things that can incorporate that too. If all you’re looking for is, “I need to pay my people for three months until the government pays me.” They understand the business and they’re like, “We got that, we cover you.”
It is a good business model for them and a nice thing for the contractor. It is needs-driven.
They have a program if you want to work with them that way, where they charge lower interest but effectively, they become your receipt. The funds from the government go direct to them. They take out that first month for what they paid into payroll and they ship you the rest to your bank account, whatever you put in for your profit line.
They provide the cashflow.
They manage it all and take out their percentage. It’s an easy-peasy handshake deal. Once you get going, you might want to manage it yourself and keep that percentage for yourself, but when you’re one guy in your home office wondering how you’re going to pay a bunch of employees for 60 days.
That’s not been your background.
That was a learning process. I went to every bank in town and asked, “Can I do this? How do I do that? I got a business plan.” I even went back when we won the first contract and says, “Here’s a contract in hand.”
I was talking to an individual here in town about various opinions on business plans and the quality thereof. When you went in with your business plan, had you written business plans before?
Only through college, while I was doing several years with a big company. I also used my GI Bill and got my MBA. All parts of that growing and learning as I was out. I hadn’t written one, but I effectively went in with a pipeline. My business plan per se was simple. Win government contracts and make money. The real meat to me was going into the bank and showing these are all possible contracts that could fit within my relevancy.
Did they understand?
They had a good understanding of that. They’re like, “I had no money. I had nothing.” They literally said, “If you were starting a construction business, we could give you hundreds of thousands of dollars tomorrow because you’d buy the equipment with it.”
They have collateral.
I tried to explain, “How about if I win a contract? I don’t need your money. I’m asking you for a loan, but effectively, I don’t need that loan until I had my first win and then I can tell you it’s five people. This is the rate of pay over three months.” That does not compute to how they look at their lending, which I understand. It’s not their normal business.
You’ve got your shingle hung out. You’ve got your computer and your cell phone at home. You’ve got to start looking for contracts and your area of expertise, which was what we call cybersecurity nowadays. I’m not sure that’s the right name.
I tend to say cyber risk management because nothing is secure.
It’s somebody else’s less secure go over there.
You manage your risk. You can accept it. Do you want all your doors open? Part of your door open? Locked door with a mail slot? You choose your security method.
You did that and you put out some quantity of responses to the RFPs.
Yes, I spent a good first six months writing a lot.
I’m guessing you’re writing into a vacuum at some point.
You throw a lot of crap against the wall and I hope something sticks.
Do you remember when you got a notification? What was that like when you get your contract?
It picked up in May and I started in November. We got our first contract and it was exciting to know like, “We got one.” Effectively, what that meant was we already have revenue. We can show revenue. All of a sudden, the bank started calling us, “We see that you are a government contractor with no revenue. Do you need money for other startups or contracts?” It was a little upsetting at the time. We were like, “Where were you three months ago?” I was a no one. I still understand their business model. It gave us hope that we could move up to real noodles from ramen. We weren’t quite up to the steak yet. We were thinking like, “You’ve got one.”
The first contract, were you enough to manage the contract? Did you have to get other people to help?
It was 100% and it was falling open. It wasn’t a set aside for a small business. We competed against the big boys and we won, which drove my business model from there. I competed against a bunch of other small businesses like myself, in the social-economic categories that they put us into being the service-disabled veteran. They’re also small businesses and I recommend that their overhead would be similar to mine, maybe a little more. I was new and if they were further along down the line of business, they might have a little bit more overhead. I knew that Booz Allen, Lockheed, and Boeing. Even the smaller big businesses, the $100 to $200 million businesses, their overhead was a lot and mine wasn’t. I knew that they had bid on, having worked in one of those companies, smaller contracts when times got lean. They had 5- to 20-person contracts. If I could find those that I already have work, so I have past performance. That’s the hardest part in any government contract is showing you can do it and manage it. I could go after them and be competitive and steal them back to the small business world.
In your first year, how many contracts did you win after that May time frame?
I had one other large contract, which was a multiyear contract and then about five service contracts just to do assessments or something. It’s limited in scope.
You had that going and you had the cashflow.
Luckily, with the two big contracts, the butts on seats, that can keep the lights on knowing that you’re making X amount of revenue every month with the little ones to filling in the gaps.
If you were sitting here, how many years have you been doing this?
Let’s say you could take your years of wisdom and talk to you, day one. What advice would you offer to you on day one?
More research upfront.
What kind of research?
Before I jumped, find StreetShares, find people who speak your language when it comes to the financials. Patience because you lose more than you win. That’s the nature of the game. Some people bid very infrequently.
They live and die on contract.
They can say they have a 50% percentage win. They’re bidding for a year and they might win too because they’re very limited in scope, where I would rather bid 20% and win 10% or 5%. To be quite honest, you bid 20%, you’re probably going to win 4% or 5%, not 2%. Knowing the business and understanding where I thought being a small business was going to be a huge benefit and there are ways to work that. When competing with the big boys, don’t be scared. Going back to my military thing, “Don’t be afraid of what’s behind the door. Kick it in and figure out what’s on the other side.”
When you look at the advantage of the big boys versus the smaller boys at, what do you think your advantage is?
Costs. I can pay employees what they deserve with a lower overhead so that our overall costs are less.
I think of your journey. You’re sitting there from May to December. You’re in the saddle, got a contract going and then you go to find people to fulfill your contract assuming it wasn’t all you.
We have people out doing the work.
How did you find the people?
That’s another hard lesson. Luckily, I knew some people. The first few contracts I went after were the ones where I knew the individuals so I could fill them, making sure that the incumbents stay hired. That’s usually how I fill the slots. I take the people who were already there and I do the invisible hand over their head test to the government. If they nod and they like that person then I just won the contract. If they give me a shrug, then I have to go out and find someone that fits. I do that work before when I’m building the proposal. I am out headhunting or using people I know who do headhunting to find candidates to fill the slot, should we need to.
We’ve been talking about your journey from where you started to turn the business on, the function of how do I start a contracting business. I thought we might try to dig into what is your business focused on and what’s the benefit to the contract that you win? What do you do?
For government work, it is a lot of fulfilling whatever the government needs within the cyber IT arena. For the specific contracts, where we’re doing assessments, we focus on that cyber risk management where we go in and try to assess the risk of the entity that we are after, which is why I tried to move and I’m deciding to move from the small business to medium-sized business market. I’m trying to take what I’ve learned in the federal space and go to small business and say, “Putting your head in the sand for cybersecurity, your cyber risk management is no longer worthwhile.”
You mean hope is not a great strategy.
Hope is not the strategy. Colorado passed a very stringent privacy law. Corporate entities are both civilly and criminally liable if they’re breached for the loss of their records. I don’t know if small to medium-sized businesses are prepared for that. When we tried to come up with a fair and equitable cost solution, instead of the full-on, most cyber companies want to come in and break into your system and tell you every port they opened and every door that they could get through. I want to sit down with them and discuss where they’re at and what are their policies like? What are they doing for cybersecurity? That’s much more affordable. It’s actually taking some due diligence. It helps them show steps towards due diligence. A lot of things could be low hanging fruit, having a password policy where they change their password every 90 days. If they tell their employees, “It’s a good idea,” but they don’t have a policy, they’re not meeting their criteria. Coming in and talking to someone and saying, “Do you have that written down?” It’d be wise to write that down.
For the small business owner, you don’t really appreciate it until you have a CryptoBlocker come in and sit on top of your files and then you go, “I backed up.” You still have the brain damage of day or two or whatever you lost.
They got your backups. I know a lot of people back up to an external hard drive, but if you forget to unplug that from your computer, they broke that too. It’s the same with the cloud. People use OneDrive. OneDrive is on your machine and they connect via your machine and everything is encrypted.
If you think about it, there are enough other commercial providers where you can back up to those and it’s a policy, “I understand internal. I got that.” I think about the business owners looking at their risks too, as evaluation of thought process, if a buyer is coming in to look at a small business owner, “What is your cybersecurity policy? What do you do? What’s your process and all that stuff?” They go, “I’ve got a thumb drive.”
The biggest one is disaster recovery. A lot of people might think about backups. You ask them what their disaster recovery plan is and they’re like, “I have a thumb drive.” That’s not a plan to how you get it back. That is a backup. Is your machine totally fried? Do you need to purchase a new one? Do you have the original Microsoft? Those are your files. What about the Microsoft that boots your computer up? Do you have that on a disc somewhere? If it’s a license that came with the laptop that you purchased, do you know where to get that to rebuild your workstation? Most people don’t because it came loaded. They have their data but they don’t have anything to put the data back on.
You’ve been doing some work with insurance companies that are trying to teach their customers how to take and address these issues. I’m a business owner that has done absolutely nothing and yet, I’ve been told that I need to have insurance. What are the chances of me getting insurance without it?
They’ll probably give you the insurance because they’re willing to take your money for the insurance. When it comes time to pay out, it’s like if I got drunk and got behind the wheel, I have automobile insurance but they’re not going to pay out because I was negligent. If you’re in your company and you take no action, you’re negligent. They won’t pay for you to recover your data. A good dollar figure I use is the average that you need to pay for three years of identity protection. Should you lose a record, the average costs are $20 to $25. You have to do that for three years. That’s $720 a year. If you say you have 100 records and lost the small business, 100 customers’ data was gone, the $72,000, that’s a good cost point. If it’s going to cost you $72,000 and there are 100 records on your system, do you want to pay a couple thousand for some insurance? Maybe have someone come in and give you the peace of mind? The insurance will pay.
If you have a robust policy in place. You’ve done some homework and have someone come on board and you talked to an insurance company, do they take that into consideration on what they bill you from what you know?
They’re still learning this whole cyber so they’re trying to figure out that equation. Insurance is basically an algorithm and they don’t have great algorithms when it comes to cybersecurity because there are many different facets. Is it a hack? Did you get Ransomware? Ransomware is different. There are many different factors. Right now, it’s like a general, “How much do you want of insurance?” They have some factor, but I don’t know exactly what it is.
In the news, there is a well-known entrepreneur who got a file from a “head of state” and then exports all of his information from his phone.
One of the first things we do, if we’re to give you a serious pen test at a medium-sized company that has an office block, is I’ll drop USBs all over the parking lot, unless I want to pick it up and say, “I’ve got a free USB, what’s on this?” If I want to entice them, I put something like HR data or raises as a label on it. Someone will put that in their work computer and I’m in their network.
Isn’t that crazy?
It’s simple, small things because we’re human beings and we’re flawed. We all have our failures and our faults and I can take advantage of that to the umpteenth degree.
For you in the government contracting space, there are a number of different contracts that you’ve done, whether it’s an exercise or a location or others. You go and do similar things there as well.
Yes, depending on what we’re contracted or the government wanting us to do. Typically with the federal government, they want us to probe their systems and give them a good penetration test. We have done more physical penetration tests or hands-on, meaning send somebody versus from across of wire, “Can I get something into their network?”
There are a number of movies throughout the years, it was Red Shoes or something like that was out there and others. You think about the sophistication or the lack of sophistication to get it done nowadays and the average PC and iPad user doesn’t understand the level of accessibility to their tools.
No, how and what they’re connected to. You go to a coffee shop and everyone’s on the Wi-Fi. Everything they’re doing, unless they have some security software is wide open. Airplanes are the same. When I go to a conference, if I’m speaking or guest lecturing at a conference, one of the first things I’ll do is I’ll put up my own Wi-Fi. Hilton One or something and see how many people connect to me. They pass through my computer to get to the real Wi-Fi and I’m collecting all their data on the way. I can begin with my speech with, “Is there a Bob in the audience? Did you go to the Chase Bank online?” You always hear a gasp and you’re like, “That’s because you’re connected to my laptop, not to the actual Wi-Fi.”
I was at a meeting and there was a Bluetooth thing for LinkedIn and you could go through it. If you identified yourself in the group as available on Bluetooth, you could connect across the LinkedIn people right there in the group.
Your Bluetooth is wide open and everyone’s sharing data. That’s why I say risk management. That’s a great business tool at a conference if you want to connect with other people, see who’s around, and instantly pop on or grow our LinkedIn profiles and our connections. There’s a risk involved in that because it takes one of them being a bad actor that’s putting stuff on your machine.
People don’t know what they don’t know. It’s not that they’re mean-spirited people. It doesn’t mean that they don’t care. They don’t know the simple things, like if there’s a weird email, don’t open it. I’m sure you have tips or simple things not to do.
That’s the scary part about it now: “Weird email, don’t open it.” I would say, if it’s not something you’re used to getting, don’t open it. If you have a question, don’t be afraid to ask. With that large company I was with, they got hacked. The CFO supposedly sent an email to HR saying, “Give us all the W-2 information you have on that spreadsheet.” They did, for 4,000 employees. If you take that 100 and multiply it by 4,000 employees, they had to pay for three years of identity protection. That was a pretty big bill.
The Equifax debacle and you can go, “Wait a minute.”
They did the same. They paid for three years of data for billions of people.
It was one in three in the country.
Now, I have identity protection. Thank you, Equifax.
I had a buddy that says, “I’ll just unplug my computer at night or something like that. I’m not sure that’s enough.” You go like, “What?”
If it’s a laptop and it has a battery of its own and you unplug it, your Bluetooth and Wi-Fi might still be working. It’s not enough.
If you pull the battery out.
Now we’re talking. Basically, you have to unplug it. Power it down, unplug it, and put it in a closet that’s steel-reinforced so that no emanations can go through. That’s why I go back to risk management.
If we’re in an office building like we are, somebody is a bad actor, you’ve done modest work, and there’s somebody else that hasn’t done modest work. They’re going to go for the low-hanging fruit, would be my guess.
I refer to that as the Ocean’s Thirteen or Ocean’s Eleven model: you hear about those big heists. Watching the movie, all the planning and the intricacies and everything it takes can happen. You’ll make your million-dollar haul, but then I’ll ask, “How many times was a 7-Eleven robbed?” We don’t know, but there were hundreds across the nation robbed and they were low-hanging fruit. They didn’t make millions, but they made enough.
The movie Pennies from Heaven. The fractional penny thing from Eddie Murphy.
You do that enough. The percentage is 60% of all small businesses that are breached go out of business within one year because it’s too extensive, both to their reputation, physically and financially, to everything that happens. It’s what they say about motorcycle riders: there are those that have crashed and those who are about to crash or will crash one day. It’s that philosophy. If you’re a small business, it’s not that you won’t be hacked, it’s when will you be hacked.
It’s a matter of time. It is what you know or you don’t know.
That’s the other thing, you don’t necessarily know. The Marriott hack. They were in Marriott for years and it wasn’t until they were purchased and they were trying to hook the two systems together that they realized, “Something’s wrong.”
You’ve got this purchase agreement and all the money in M&A and all the attorneys and everything else. You’ve got an agreed-upon price and all of a sudden you find out you’ve got this massive data breach. What does that really do to the due diligence pricing process? It’s discounts.
Who picks up that tab? I sell my house and they realize that I have holes in my roof. They’re going to say, “You need to fix that before we finish this wholesale thing up or give me so much back.”
We were talking about how you’re working your way into the commercial space. You’ve been working with some smaller communities and also business clients of various professional organizations.
The biggest threat to small municipalities is being Ransomwared. Baltimore, CDOT. We are here in Colorado. The Department of Transportation paid up to $1.5 million in recovery costs for Ransomware. They even called in the National Guard to help. The IT people in the National Guard helped them keep costs down, or it would’ve cost more. There have been thirteen municipalities in Dallas, Texas that have been hit with Ransomware.
For a small municipality, if you want to get started and go, “I need to work it into my budget to get done,” what does it take to get started, and for a small community, what should they be thinking about budgeting for that?
Anywhere from $5,000 to $10,000 for a good assessment. It could be less if they’re smaller. It’s the number of nodes, the number of workstation users, that leads the price. The more things you have to go out and look at, the more it’s going to cost. The distinct number of ways you connect to the internet. If you’re a small municipality, does your fire station have its own Wi-Fi compared to the City Hall’s Wi-Fi? Compared to the police department’s Wi-Fi? Is there one consolidated city network? There are little nuances, but if you wanted an assessment, budget anywhere from $5,000 to $10,000. A lot of companies will want to come in and do what they call a penetration test, where they break into your network. My advice is to have an assessment first, where we can come in and talk to you and see where your holes may be.
I can break into your network and tell you where your holes are, but that doesn’t help you if you don’t understand why you had them in the first place. I prefer to come in and that’s how I developed a phased approach so that they can afford the initial steps taking chunks. Chunk one is an interview to go over some standards and best practices and say, “Are you doing this and helping them grow into that?” My thing is, “If I know my front door is open, do I pay someone to show me how to walk it, shut it, lock it?” Then it’s like, “Can you get through the door?” Do I hire the guy to say, “Can you get through the door?” It’s open, then get through the door. We know that it’s pretty easy. You didn’t learn anything, so I try to break it out in chunks. That’s what I’ve taken from the federal government. The federal government likes to do everything. We’re going to take the whole ball of wax and try to break in. For a small business, you don’t have that funding.
It is one more tax on your revenue stream. You didn’t do anything different other than you have tools in here that are not as secure as you thought.
I would rather come in and discuss your policies and your procedures and what you’re doing, then the next step would be, “Let me look at your machines.” Hands-on, “You said your people don’t use Facebook for that.” Every government computer I walked through in your office, they all have Facebook open. Your policy might be in place, but you have no enforcement procedures going on. It is policy versus an actual procedure. Marrying those out, and then when you get to the end say, “We’ve done this. We’ve taken all this advice.” Maybe we’ll pay the money to have you try to break in because we think we’ve got it pretty buttoned down.
I think about whether it’s a municipality or business. If they want to reach out to you, how do they find you on social media?
You go in and they contact you, everybody agrees, you come in and do the assessment. What’s a typical time frame that they should allocate for an assessment?
I usually say 1 to 2 weeks for a basic assessment, depending on the size of the organization. The bigger you are, the more it’s going to take you.
I’m in my little hometown in Tennessee and I have a normal quantity of nodes, whatever they are. When you walk through the door to do your assessment, what should I expect you to be doing for some period of time?
To start, what I try to do is have either the city manager or someone in a position to make yea or nay decisions. I try very much to impress upon those people that without that person, your IT people can answer questions and might know the smart answers, but they’re not the ones who can make the decision. I try to have the senior decision-maker and whoever’s in charge of the information technology, your IT. We sit down and we go through. I have a spreadsheet of about 500 questions that we go through that covers all aspects of security, from buying a computer or user management to end of life of computers and encrypting where you store your data. The first part is probably 1 to 2 days of interviews. I do external probing, by looking to see if I can see your network from outside.
You’ve got it on your computer and take a look at it. You are not going to stand outside.
Virtually, I will knock at the door. It is not a penetration test, not a big sweep trying to see what exists. I also look through their websites. Many municipalities and small businesses that you’ve been to are very proud of them. They’re like, “I’m Mike Crandall and I’m the Deputy Mayor. Here’s my email address. Here’s my phone number.” All of that is available to a bad actor. I try to educate them on digital forms or other ways to collect the information you want without publicizing your email address out in the open. There are spiders out there; they’ll grab that. A spider is a computer program that grabs things off websites.
You’ve gone in and done that then you’ve done the assessment. When you go back and there’s a findings report, I presume. You have a findings report and then they go, “We had no idea.” I would guess.
It’s 50/50. They go in and say, “This is where we know we’re broke and we don’t know about this part.” You give them another 50% and you know the answer.
When you do those types of things, are there commonalities of problems that you typically see?
The biggest is having written policies. Most people say they have policies like, “You have to have a nice password.” I’m going like, “What do you mean?” They’re like, “We want it to be at least ten characters and have special characters.” I’m like, “That’s great. What’s your policy on that? Do you have that written down?” They are like, “No, we just tell people when they get their accounts to make sure they do it.” “Do you have anything stopping them from having ‘password’ as their password?”
That’s a challenge. There is no written policy. I would assume, no enforcement of the written policy.
It’s the procedure. I explained it to them, you have a policy that you write and say, “This is the rule,” and then have a procedure which helps us, the poor user, do what we must correctly.
When you get past policy and procedure, you start getting into more esoteric stuff.
That’s when I get into social engineering. I send phishing emails out to all the employees. I have a couple of different domains that are enticing for people to maybe click on and provide me some information. I tend to get pretty innocuous information, but enough to show that they were willing to put up some decent info. I send that to all the employees and then see what percentage we get back. Even if they get a good report, as in it was 1% or 2%, I let them know it only takes one for that to be Ransomware.
That’s a recurring problem: all it takes is one employee. It’s not even a malicious employee. One that goes, “That’s an interesting video.”
When I say we’re flawed, a lot of my stuff is based on you can win, but there’s also a better nature, the better angels in us. Help Bobby with this cancer and click and that’s still wrong. That’s not a malicious act or that someone was trying to do something good for the world maybe, but they shouldn’t be doing it on their work computer. They shouldn’t do it at home either. It is hard to trust them, trust but verify and ask questions.
The freedom part of the computer and the convenience comes with some level of cost. I think about the advent of Ring. There’s controversy around Ring.
There’s a website. If you go to Shodan.io, it lists every open home device in the world and you can view them. If you want to go there and try to find your home address, it will tell you if you can see into your own house. It is so creepy. On that site, if you click on one that’s open, you’re looking at someone’s webcam.
For very many reasons, I don’t have webcams in my house. One, I don’t have any infants running around. If you’re at my front door and my dog barks at you, I probably don’t want to talk to you anyway, but nonetheless, an old-fashioned one. Do you not get sometimes a little bit overwhelmed that there is this plethora of potential clients? How do you niche down? The challenge with everyone is no one. You went to a fairly prestigious event with regard to contracting and you were recognized. For many of the business owners trying to discriminate, there’s everybody in there, but there are a lot of “IT cybersecurity” people. For the business owner that’s trying to discriminate, not badly but, “I need to pick somebody who knows what they’re doing and is qualified,” what questions should they ask a potential provider to make sure? I think about the human condition. Curious, typically helpful, and with good intent. I go and, “I wonder what’s going on in this?”
A great example is locally in town, there was a company at Christmas time, and the secretary got an email supposedly from the CEO saying, “Keep the secret, but we’re going to give out $10,000 of gift cards because we had a great year. Go out and buy them and make sure you don’t tell anyone. Scratch it off, take the pictures, give them to me and we’ll give them out at the Christmas party.” She did it, but it wasn’t his email address. The company lost $10,000.
There’s the Social Security scam. The bad actors are out there busy doing their thing and looking for vulnerable groups of people.
In this case, the secretary thought she was helping her boss and keeping this big secret because we had such a great year. How happy we are that we’re going to give away $10,000 to our employees as part of our Christmas party. That’s why I say trust but verify. If you get an email like that, call your boss, or if your boss is in the same building, please get up, walk into his office and say, “That is awesome. You want to send $10,000?” and see if his face nods or explodes with, “What?”
We could go on for a very long time talking about things that people could do. The last question I’ll ask is if you could put an ad or a banner out on the one message that you would like to offer to the business community and small towns, what would it say?
When you’re worried about cyber, think about risk, not security, and managing your risk. Take a good look at yourself and know where your risk may be, and decide which ones you can mitigate, because you’re never going to mitigate them all. Based on the size of your company, you can’t afford the $10,000 firewall that does all the super bells and whistles, but there is something you can do. Look at it in chunks of risk management versus, “I need to do this big picture to fix everything,” because we’re never going to get there. If you look at it as risk management, “I can do some things. Let me take some steps based on my size,” then you’re doing your due diligence and that’ll help should and when we eventually all get broken into one day. We can show that. We can say, “I didn’t do nothing. I took action.”
Is there something that I should have asked you that I failed to ask you?
I enjoyed the interview. Everyone just needs to look inward because we are our worst victim. We are the one that’ll click that link.
The people that are looking, they can A/B test all day long, and they click on this one.
When we send out the phishing emails, we always get one.
Do you have five-star tips if there’s a USB drive lying in the parking lot that says, “Don’t pick it up?”
If you feel you must, go to FedEx.
When you plug it in, it’s not on your system.
Back away slowly and say, “I’m sorry, this didn’t print,” and run.
With that being said, to the people out there, the small business community and municipalities, I would urge you to take advantage of the resource, reach out and engage Digital Beachhead to, at a minimum, at least get a starting point.
I’m happy to talk about it, and talking is free.
The biggest mistake you can make is not making the phone call.
If you do nothing, you’re liable at the end of the day. You have to do something.
I really appreciate you coming in and spending time with us, Mike. It was an interesting journey. Thank you so much for your time.
- Digital Beachhead
- Digital Beachhead – LinkedIn
- Digital Beachhead – Facebook