Cybersecurity: It’s Not an IT Problem, It’s a Business Problem
Dominic Vogel is a cyber risk advisor, board director, speaker, and comedian with over 15 years of experience in the cybersecurity industry. He is currently the Founder and Chief Strategist at Cyber.sc, a cybersecurity advisory firm that provides management and expertise to startups, investors, and small to midsize businesses. As an established cybersecurity leader, Dominic has overseen projects including security strategy development, endpoint security, and threat management in a variety of industries.
Dominic is also a cybersecurity speaker resource for TEC Canada and the co-host of the podcast, Cyber Security Matters. He has been featured as a guest expert on Global BC, CKNW, the Vancouver Sun, and more.
Here's a glimpse of what you’ll learn:
- Dominic Vogel talks about his background in cybersecurity
- How different countries approach the issue of cybersecurity and data privacy
- Why small and midsize companies often outsource their cybersecurity — and the consequences of doing so
- The importance of security-focused due diligence when buying or selling a business
- Dominic discusses how he helps small to midsize businesses perform risk assessments
- Who should be responsible for protecting a company’s privacy and security?
In this episode…
Does your company take cybersecurity and data privacy seriously? If not, cybersecurity expert Dominic Vogel has some advice for you: it’s time to start.
Unfortunately, many businesses see cybersecurity as a simple technical task — not a vital part of their risk management strategy. However, cybersecurity isn’t just an IT problem that you can easily outsource; it’s a business problem. According to Dominic, cyber risks can cause businesses to lose revenue and major clients in the blink of an eye. So, how can you start prioritizing cybersecurity in your company and protect your data, customers, and reputation today?
In this episode of She Said Privacy/He Said Security, Justin and Jodi Daniels sit down with Dominic Vogel, the Founder and Chief Strategist at Cyber.sc, to discuss all things cybersecurity. Listen in as Dominic reveals how different countries handle security and privacy risks, why outsourcing your company’s cybersecurity isn’t the best solution, and the vital importance of performing security risk assessments for your business. Stay tuned!
Resources Mentioned in this episode
- Dominic Vogel on LinkedIn
- Dominic’s email address: email@example.com
- Cyber Security Matters Podcast
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: firstname.lastname@example.org
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.
You can also learn more about Red Clover Advisors by visiting their website or sending an email to email@example.com.
Full Transcript
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. Hi, Jodi Daniels here.
I'm the founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant and a certified information privacy professional, and I provide practical privacy advice overwhelmed. Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I am a cyber security subject matter expert. And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business together. We're creating a future where there is greater trust between companies and consumers. To learn more, visit redcloveradvisors.com.
And today we have a very exciting guest on, we have Dom Vogel and he is the founder and chief strategist at Cyber.sc, an organization dedicated to providing cyber risk leadership to small and mid-sized businesses. Dom's cybersecurity career has spanned nearly 15 years covering cybersecurity for the largest and smallest organizations. Dom is a positive troll and comedian in his spare time. So I do expect a few jokes during this show, cause we're heading north of the border. Dom is from where you are – from Vancouver. I remember the journey when we flew to Seattle and then drove to Vancouver all in one day with two children. I remember coming very close to, I need to get out of this car in the last 20 minutes of the drive, our kids. I mean, it was a long day. It was long. It was long, long day. They couldn't do it the last half an hour. It was just absolutely pure screaming. We pulled over to the side of the road. I hopped in the backseat to try and help, it was a mess. But in other news, let's move to cybersecurity. So Dom, tell us, how did you find your way to cybersecurity and a little bit about what you do today?
Dominic Vogel (02:56):
Goes back to my high school days. I always knew
Dominic Vogel (03:00):
I wanted to do something in technology and IT, my, my dad was a computer science high school teacher. And one day he just, he, he dropped a bunch of magazines on my desk and he says, there's always something in here that interests you because he would always get all these free IT, computer magazines at work. And I would just flip through all of them. And then this one magazine just popped out of nowhere and it said Information Security Magazine. I was like, what the heck is information security? I never heard that before. I, I just, I read it cover to cover and I still have that magazine somewhere because that's my origin story. So it is somewhere in the, in the mess that is my house, but it was from that point on, I just got, I got hooked on it. And after graduating from university I, I thankfully got a job in cybersecurity as a security administrator for a large logistics company here in Vancouver. And 15 years later, I'm still in the field and I love every minute of it.
Not everyone can say that they found their career by reading a magazine.
Dominic Vogel (04:07):
I think where we'd like to start today since we're lucky enough to have an international guest is, you know, we talk about cybersecurity. We talk about privacy and a lot of times how people and companies approach privacy and security really stems from well, what is the kind of culture and the country around those two topics. And I'd love to spend a little bit talking about, you know, from your perspective in Canada, working with Canadian companies, US companies, you probably have worked with the European ones. I'd love to get your thoughts around culturally, how you see different countries and their people approach privacy and security.
Dominic Vogel (04:47):
That's such a good question. And it's been, it's really interesting, you know, and especially we take sort of Europeans, Canadians and Americans. You can see that the spectrum basically any of the Europeans I've ever worked with or worked for privacy is first and foremost, it is so intertwined with their culture and, and almost is a basic human right that they, that they lead with it. Canada is right in the middle. You know, in, in terms of, it's not quite as serious around privacy, but the privacy commissioners that we have in this country and in the various provinces that make up the country privacy is, is very much taken seriously. And we can see that in the SMB levels as well. The US again, depending where in the US some States do take it more seriously than others. They tend to be more blue States than red States, but I'll leave that commentary for maybe a political show.
Dominic Vogel (05:37):
But I have noticed, again, that part of the US is definitely the laggard when it comes to privacy, you know, unless you're in California or New York or another state that has a more rigorous privacy regulation. You know, I, I've definitely seen, in fact, there's one organization that we were with and I believe they were in Idaho, or it was something with an I, and we were totally on the concept of privacy was coming up and he said, well, you know what, we don't really, we don't really care, we don't have any state regulation here. I don't really care about privacy, you know? So it's, it's interesting to see sort of the, the different levels of how, like you take a concept like privacy and how you can have such variance amongst people. So it's, it's definitely interesting. And you have to, you have to sort of work along those, those nuances. The way you would talk to a European about privacy, very different than how you would talk to probably with someone from Alabama about privacy.
The laws in Canada are certainly stricter than here in the United States. Do you, do you feel that the companies that you're talking to take it more seriously because of the regulation or because of just the culture in the view of, I put the individual first. So if we, if we think about Europe, it's, it's a flipped mentality, obviously there's regulation, but just the concept of how they even approach it is individual first, company, second United States exact opposite, unless there's regulation involved. So I'm kind of curious to know, just from a cultural perspective, is it because of the regulations that Canada has, which are more strict in several areas than the US or is it because of just how people believe in it.
Dominic Vogel (07:14):
I say it's a little bit of both, you know, I think Canadians just like, get along. We all have that same view, strict view of privacy with the Europeans, but we don't have that necessarily the lenient view that many Americans have. So we're, we're in this sweet spot kind of thing. So you know, it, it's, it's definitely not like to the same degree as Europeans from a people perspective, but if I was to pick, you know, random, Canadian SMB owners and some random US SMB owners. Canadians, we have a much stricter view of privacy than, than some random SMB group of Americans. So I'd say it's a little bit of both, but like I said, you know, Canadians are all, we always come in right in the middle of for whatever reason, that's who we are as people – we don't like to offend anyone
Talking a little bit more about a lot of the small and medium-sized business with, I want to talk a little bit about the topic and, you know, SolarWinds has brought it up, I'd love your perspective on why consistently you see companies who are going to outsource IT, outsource all these different functions, but really don't take the time to think about my company's security is only as good as my weakest vendor, and yet they don't pay a lot of attention to it. They, you know, have inked the business deal, the contract, they get through it as quickly as possible. They might negotiate a nibble around the edges and they go about their business. And then when the vendor has a hack and it, and it's ransomware, and now you don't have access to your data. You're like, holy…
Dominic Vogel (08:56):
The, the, the, the, the short answer. And I'll, I'll give you a long answer. But the short answer is that, especially with small size businesses, is that there are still prevailing myths and misperceptions around security and cybersecurity. So many small – midsize businesses. And I, and I see this both from a Canadian and US perspective, you pick a business owner or a CEO or CFO, or whatever, in an SMB space, they view cybersecurity as a technical task, and they do not see it through a business lens, or you don't see it through a risk lens. They see it as something that can be outsourced. And I cannot tell you how often I still hear it, even, even in this day and age of the, oh yeah, you know, we, we don't worry about cybersecurity, our IT service provider handles that, or, you know, we have an IT guy who handles that, or my, my wife's brother handles it.
Dominic Vogel (09:49):
And it's, it's seen through a lens in which it's out of sight, out of mind, and they don't do any oversight, due diligence, and they don't see any purpose of, from even a risk management perspective. So it's, it's that mindset. I think that still perpetuates the problem because unless it gets seen through a business and risk lens and seen as a true business problem, and not some task that you outsource, you know, we're going to keep dealing with this, this problem, you know, and where I am seeing some noticeable change is mainly with B2B organizations. And this is where I think the SolarWinds incident is going to, is going to help things in the long run. So in particular, again, so, so smaller businesses or mid-size businesses that sell to large enterprise organizations, concept of vendor risk management has been around for a while and after what happened with Target, whenever that was eight or nine years ago, I think vendor risk management became a thing.
Dominic Vogel (10:41):
We get a little more popular, but then it was just basically questionnaires, you know, and if you were clever enough, you could just or maybe not clever, you were deceitful enough. You could just lie on those questionnaires and send it off to a prospect and say, yes, we do all of these things from security, privacy talk, talked it out, right. That because it's often these larger companies would never actually check on that. They wouldn't call the bluff. What I've seen, especially during SolarWinds. It's only been what, two months, I guess, a month and a half. What I've seen is that there's been an increased outreach from small organizations reaching out saying, Hey, you know in fact, this actually was a prospect to reach out to us. They said, we've had this client for, for years at the, where they're small B2B company.
Dominic Vogel (11:25):
And they sold their platform, very large enterprise. They said, this one customer makes up something like 60% of their annual revenue. And they said, this customer is now cracking down on supply chain and vendor risk management. We've been filling out the questionnaire for years, right? We've actually, then they told me, we lie on it every year, and now they're actually, they're actually coming to audit us. They want, they want proof. They want us to see that we're doing what we've claimed that we're doing. And the fact that I'm hearing this more and more, I'm seeing organizations reaching out saying, we're realizing now we can't just, you know, lie or extend the truth on these questionnaires. We need to be able to provide proof. I think that's gonna, what's interesting there is that unlike something like, you know, preventing against a cyber attack or preventing against a data breach, that's so abstract, but selling now when you impact the bottom line where you, you realize, Hey, are you going to lose out on revenue? You're gonna lose your biggest clients and customers. Now, all of a sudden, there's a very interesting narrative as to why you need to invest in cybersecurity. So the B2B space, I see tremendous growth from a cybersecurity investment perspective. Other areas, obviously time, time will tell, but that's, that's an interesting thing that I've noted over the past few months.
Interesting, because I see something similar in the privacy side from a B2B perspective where companies won't do business, in fact, I talked to someone this morning, smaller company, and they can't sign the deal until they're able to say, yes, we're complying with XYZ privacy law. And so you're seeing that more and more. I think it'd be really helpful for a company to understand if you were to be audited. What does that mean? What are they looking for? So can you share a little bit about, you know, like what is the big company coming to audit and what that means?
Dominic Vogel (13:07):
Yeah. And that's a really good question, Jodi. And again, it can take multiple forms, you know, in some cases often what they'll say is, okay, you know, if we're going to do business with you, you need to be able to engage a third party assessor, have this third party company come in and do a security assessment. And then you provide us the report. You know, we go over that and you have to pay the bill kind of thing. So they won't necessarily send one of their own auditors or assessors, often they'll just want to see a third party has done an assessment in the past year or past six months. What that often entails. Again, it depends on the level of depth they want to go to. It could be something as simple as, you know, we want to do.
Dominic Vogel (13:48):
What's referred to as a maturity assessment, you know, let's we want to make sure that you are following maybe a certain framework and often the list industry, best practice frameworks, whether that'd be the CIS top 20 security controls, which is a fairly basic framework for many small businesses. Maybe it's the NIST cybersecurity framework, the CSF. Again, depending on regulations, they may want to say, Hey, we want to see if you are compliant against ISO or, or ISO 27001 or 27002. You know, you claim that you're moving in that direction, let's see where, where you are kind of thing. So it does depend on the, on the, on the industry, certain industries like healthcare and financial services can be put through the wringer a bit more there than maybe other industries, such as manufacturing as a, as an example. So it does contextually depend, but at the end of the day, it's being able to just prove what you claim to do. If you claim that you have multi-factor authentication enabled for all your email accounts for remote access, you better be able to prove that otherwise they will call your bluff.
Hmm. You have a fun, good story on that, don’t you, Justin?
Dominic Vogel (15:00):
I do love a good story,
Right? So I guess, so a Dom this morning I wrote on LinkedIn. So I was using a password management service and I was having an issue with the service. And basically I was advised, well, you're going to need to re-enter passwords, the easiest way for you to do that is just take a screenshot of every one of them and put it on an Excel spreadsheet. I said, okay. And then Jodi, why might that be some very interesting advice? Well, then you've taken a picture that's in a cloud server somewhere of all your passwords. So, right. So the moral to the story was right from the customer service of the password people. That was the advice that I got. I did fly that one up the chain and say, Hey, you might want to be aware of this email that I received for customer support, that when you dug down a little bit, it was not so supportive. Like when the HR person will ask for the social security number in an email or that, you know, credit card number. And it's all those interesting things.
Dominic Vogel (16:08):
I guess, categorize as a training issue or training gap.
Yes, yes. The other thing, you know, I, I'm thinking about as we sit here and a chatter away is what happens when one of your customers comes to you either because they're going to be acquired or they're going to be acquiring. Because one of the interesting things that I have seen is when I have a client go out and acquire another company, it almost never happens that any cyber due diligence is ever done on the vendor ecosystem. And then I've had situations where there is a breach of a vendor in the ecosystem of the company that I bought. And that's when I find out that my liability to my customer is far in excess of what that vendor's liability is to me. And my reaction is, Oh! So could you talk a little bit about your perspective and what you see in those instances?
Dominic Vogel (17:06):
You bring up such an interesting concept and topic there, you know, and it's something which obviously, you know, as secure practitioners, obviously we would want to see that happen more, more frequently, that actual due diligence happens. Again, this goes back to, well, I referenced earlier about the continued misperception or 1995 level thinking of cybersecurity. Again, if it was truly seen as a business risk, just like with any M and A deal, they, they look at all the risks. They look at financial risk, operational risk personnel risk. Why in 2021 is cyber risk still not seen that way. Main, reason it's still many executives and many, you know, business people, sorry for using all these air quotes, but all these business people still don't view cyber risk as being a true business risk. It gets buried under, you know, IT, or it gets buried under some technical thing, which is often overlooked.
Dominic Vogel (17:58):
It's Oh, it's something we can deal with later. You know, so to me, it's, you know, we can talk about, you know procedural stuff, you know, why it needs to be in there. But to me it's still all about mindset, unless the mindset of people in an M and A activities in terms of business executives, in terms of non-technical non-security slash non privacy people, getting them to the mindset that in the year 2021 and into the future, that cyber risk needs to be treated as such as a business risk until we change that mindset. You know, it's, we're just still chattering, you know? So it's, it just, it's, it's so important for that mindset that to change I've seen it changing slightly, I've seen, we've actually had more private equity firms reach out to us during 2020, and then all our previous years combined when they were trying to ask questions, such as we're worried about cyber risk in our portfolio of companies, what can we do to assess it?
Dominic Vogel (18:55):
You know, so the fact that these questions are starting to be asked is a good indicator that we're moving in that direction. How fast are we moving? Not very, it's sort of the, somewhat of the turning around the Titanic, not quite sinking yet, but it's, it's, it's, it's a very slow move as a lot of inertia to overcome. But it is certainly very encouraging to see these types of organizations ask these questions, because I didn't see that as, as little as, you know, late 2019 or 2020. So it's, it's encouraging to see that.
I'm just curious when somebody asks you or if I'm the buyer, and I say, Dom, you know, it was part of my due diligence. I'd like to get access to your network and put sensors and do due diligence on it. What is, what is your reaction to that? Yes. Or no answer for you,
Dominic Vogel (19:43):
But to me, the reaction would be, yes, let's let let's do that. You know and again, to me, when we're talking about doing an assessment, there's two, two, there's two parts to me, there's, there's the let's open up the hood and let's look at all the technical stuff. You know, let's run some technical vulnerability assessments, scanners, what have you, you know, that's, that's, that's important, but equally important is looking at it from a governance risk and compliance perspective. You know, what, what frameworks are, is the organization using? Do they have a security strategy? Is it just, let's just apply random security technologies and see what fits. So getting it from the best strategic, a level of getting it from the tactical and operational level, that to me would be, you know, the, the best way of assessing the, the true cyber risks, then being able to at least tell an organization, yes, you're taking on a great asset or no, you're taking on a huge liability. And here's why.
And so related to that, when you do your risk assessments, I'm curious with your client base of small and medium sized businesses, how often are they engaging you directly versus saying, you know what, I'm going to route this through my outside counsel.
Dominic Vogel (20:44):
Yeah. Good question again, specifically the context of M and A's, you know I generally, we're generally only seeing that M and A stuff come through the, the, or the, either the private equity firm or the acquirer, not necessarily from an organization that wants to best prepare themselves to be acquired. That would always be a great use case, I think, for organizations to be more prepared. But the, the two use cases we're seeing is mainly through either private equity firm, who is either in the, is in the process of bringing that company into their into their portfolio, or they've already done so, and sort of want to do it retroactively, which is, you know, it's not a great idea, but it's it's a, it's it's certainly better than not, not looking at all. So it does sort of depend, but in terms of broader SMBs, why they reach out to us one of the things I've really noticed this amongst small, mid sized businesses, especially during the pandemic is that proactive investment in cybersecurity has plummeted.
Dominic Vogel (21:49):
They are, it's pretty much I'm going to say 90% of the clients. We have been onboarded since mid March, 2020. So the onset of the pandemic have come to us reactively and reactively either because either a, they are mired in ransomware and ransomware as the digital fire, which is destroying many Canadian and US small midsize businesses. I'm gonna say probably a two thirds of the organizations that came to us in 2020 did so, but because of either, they were immediately dealing with ransomware or shortly after ransomware took, took effect, and they were trying to rebuild it, figure out how do we prevent this from happening again. Other organizations reached out because they, there was a potential data breach or others were reaching out because they were needing to prove compliance or prove their security capabilities from a B2B perspective. And these are all reactive situations. We went from in 2019 having a relatively, let's say maybe 60, 40 balanced 40% of the clients that would reach out to us or prospects that reach out to us, they're doing so proactively, 2020, and so far in 2021 is being very reactive. Part of that may be due to the fact that SMBs were stretched very thin during the pandemic. But it's been very interesting to see sort of that proactive balance just disappear, maybe small and mid-size businesses are purely reacting to cybersecurity investment right now.
I think that there was a significant number of SMBs that were, I think you used the word decimated due to ransomware. And I was wondering if you could share a little bit more about types of businesses and are they truly, are they, are they done? They're not able to come back to life or it's just whatever you can share. So people understand the severity of that.
Dominic Vogel (23:32):
Absolutely, absolutely. You know, and what we've seen, especially during 2020 was the I’ll refer to it being almost like the great equalizer in which this doesn't really matter what sector you were in. We saw ransomware affecting organizations in pretty much every sector. We even saw it with the farming organizations, manufacturing, education sector, public, private. It didn't really matter. It truly is a great equalizer that way. And two stories, which are quick stories, which I'll share one of which was, it was a real estate development firm here in Vancouver that reached out to us. And they were the, in the final stages of completing a massive multi hundred million dollar building, but they were unable to get the final documents to send off for inspection, to get final sign off from the city.
Dominic Vogel (24:25):
And their, their server had been hit by ransomware and they had been unable to recover it. And they call us three weeks in and saying, well, we were not able to access this for three weeks. Can you help us? And my first question with ransomware is always what's your backup situation? You know, if it's been three weeks and you have a recovery, anything I'm taking the guess, that it's pretty crappy, but that's always my first question. So they said, we don't know, can you talk to our IT service provider? And I said, sure. So I talked with their IT service provider. And the first thing this guy said was, Oh, we backup every night, we have daily backups. We, we back up all the critical data. There's nothing to worry about. And I said, well, why am I here? Why am I, why am I talking to you then? He said, well, the last good data backup was actually in February. This discussion I was having was in, in late October. And I said, why didn't you lead with that? You idiot. What would you tell me? You have such a, a great data backup architecture.
That's up to you as a service provider talking to you on the phone. My, my limitation of liability is $20,000. So, sorry.
Dominic Vogel (25:29):
Yeah. And this is where there's, that, that notion too, again, about understanding, viewing it through a risk lens. This, this business, they just blindly trust their IT service provider, right? They didn't, they had, they done sufficient due diligence. Had they done sufficient governance, just something as simple as when was the last time of data backup was testing. Was that test successful, right? We're not asking rocket science questions, right? We're not trying to send someone tomorrow. So this is fairly straightforward stuff had that basic level of due diligence and governance and oversight occurred. They would've known that the data backups were not working, and then they could have, you know, the check that to find out why and how to proper restore process. So without one, there, they were pretty much out of luck and they, as an organization, they refused to do anything about, and they actually ended up paying the ransom to get access back to those files. Again, yeah,
You just mentioned they outsourced it to IT. So who was responsible for that relationship within the organization since they're in real estate and they don't think they're in the data business, but we're all in the data business?
Dominic Vogel (26:41):
Yeah. How did that work? It was the, it was the CFO. And what happened there, especially with this particular firm, this was a family organization that had been a family run organization for years. The CFO was first close friends with the father who handed the reins off to his son. And this, this guy had been the CFO for, for years, you know, and again, he could do no wrong. And that's where, again, when there's a lack of accountability, when there's a and that's why for me, when I assess security, I'll even not ask technical questions right away. First, the first thing I look at and I talk to the CEO, CFO, COO and ask is the accountability is the oversight and governance there. If it's not, I don't need to do a technical assessment. I'm going to save my time. I'll save the money.
Dominic Vogel (27:23):
I'm going to say your organization likely sucks at security, because I can tell just by talking to you, you know, so it's a I'm a firm believer in that and you'll see it very apparently when you talk to talk to the executives and talk to the board, if they have one the other quick story that I'll share with it's a manufacturing firm also based here in, in greater Vancouver, it was a family run organization. It had been started something like 40 or 50 years ago, the, the founder and the person who grew it, he had died about three years ago and he handed it off to his wife. His wife didn't want to sell the company. She wanted to continue it, you know, continue his legacy. And, you know, she, she, she kept running it. And her daughter was also helping her with operations.
Dominic Vogel (28:10):
And they too got hit by ransomware and here because they were manufacturing it affected their, their the availability of the systems, the confidentiality of the data wasn't really an issue. It was that they could not access the systems they needed to, to continue the manufacturing process. They were down for, again, this to come back and call us three and a half weeks. And they were down for three and a half weeks, you know, they hadn't manufactured anything. And she reached out and she said, you know, we're, we're in our final few days here should have, we can't get up and running. We're we're, we're going to lose everything. And I said, well, you should have probably called me three and a half weeks ago, but, but sure. Let's, let's see what we can do. And you know, we have a digital forensic specialist on our team, and I think he was able to recover it and unlock some of the systems.
Dominic Vogel (28:55):
So they were able to, to, to continue. And then when I was sort of debriefing with her and telling her, in terms of you got lucky, you know, here's what we need to do moving forward. I laid out, you know, here's sort of what you need to do from a planning perspective. You know, here's our virtual chief information security officer package. We think this will help you set the right foundational security building blocks to make sure that this doesn't happen again, or at least become more resilient if, if it happens again. And so then she said, Oh boy, you know, I, I just thought security costs maybe two or $300 a month. And I said, and I said, let me get this straight you. Cause she just, before I presented this to her, she told me she cried. She said, I can't believe I almost lost my, my husband's legacy.
Dominic Vogel (29:36):
I said, do you not see the disconnect between what you just said and the comments about what you are willing to pay? So you're basically telling me, you know, like ransomware almost brought your company down for good. It almost destroyed your husband's legacy. Now in the same sentence, you're telling me your husband's legacy is worth $200 a month. Do you not see the disconnect? And she didn't. And that's what's so, so worrisome, I think when it comes to small midsize businesses that they fundamentally do not see that that disconnect between surviving as a digital company. And you said, so you both hinted at that in this day and age you're data-driven in digital organizations, COVID has only made that even more. So, you know, companies are much more virtualized, much more digitized. If you're not going to plan for that cyber risk, you're pretty much walking into a, into rapid gunfire and you're not going to last in the long run. So it's those are two stories to sort of illustrate the lack of understanding.
When you said that to her, she didn't kick you out of the room. Cause when I had my way, I get the boots.
Dominic Vogel (30:41):
Well, I have that with generally speaking this year, at least we were able to have some civil discourse in the conversation. She didn't particularly care for my tone, but I would just think I'm so taken aback by by that, you know long story short, she didn't become a client, but it it's It's just time for the time for politeness, I think with organizations is has has come to has, is long gone. You know, we need to increase our tone, you know, with, with these businesses. Otherwise they'll, they'll, they won't survive in the long run.
I have one last follow up question in both of your stories. What were they both doing for three weeks? I mean, the businesses down you can't run. When I deal with ransomware, I get the call on Sunday or whatever they're like Holy…what are we going to do. And then I have to put the team together and you know, for three weeks,
Dominic Vogel (31:34):
Well, first of all, I love the comedic timing between you two. That's perfect. But the, the, and to me, what was, what was so strange again is the, so for the first case with the real estate firm, what was happening there, it was that the IT service provider kept saying to them, we're working on it, we're working on it, we're working on it, we're working on it with that real estate firm. You know, the, because it wasn't the, all their systems that were affected. It was just this one server that was affected. They were at least able to continue operations, but it was, it came to an impasse because they needed those documents in order to pretty much open at that several hundred million dollar building. So they did have some gift of time. There was the manufacturing one similar thing again, blind trust. The CEO, the, the lady was blindly trusting the IT consultant. And by consultant, I mean, some guy who maybe, you know, knows how to use a computer he wasn't really much of an IT person, but he kept saying to her, I'm working on it. I'm working on it. Give me one day, give me one more day. You know, I think that blind trust, blind trust leads you down the path of destruction.
Sounds like a good bumper sticker.
Dominic Vogel (32:53):
I like that
All these stories of what you see all day long of companies doing what they shouldn't be what is your best privacy tip that you offer your family, your friends, closest to you, dogs in the background…blind trust… best personal privacy tip.
Dominic Vogel (33:18):
I think you and I need to go into the bumper sticker business. I think we could do really well, but I try really hard not to be the support person for my family. Sometimes I, I think idiocy around the technology just so I can be left alone. But in terms of, in terms of the controls are not controlled with the recommendations and advice I give to friends and family is mainly really around social media. You know most of my family and friends, their interactions with technology is social media. So everything I point them to is the, you know, the privacy control let's share the privacy and security control best practice controls for Facebook, for Twitter, for Instagram, you know here's what you should be doing. Don't have your profile open to the whole world. So just to helping them go through some of those basics obviously find this is a good starting point because that's often their view of the technologies is through the lens of social media
When you're not in the office making up great bumper stickers, honing your comedic timing. What do you like to do for fun?
Dominic Vogel (34:20):
Good question. The well…I love playing with my with my with my kids, my, my son in particular, my, my three-year-old son, James. So being able to see the world through his eyes, and I spent a lot of time doing on my LinkedIn posts around him. And what I learned as a, as a dad. And it's his level of joy that you see from within, through a toddler's eyes, it keeps you it keeps you humbled and makes you realize that, you know, I, although I do security work for a living, that's not who I am, you know, or the things that I love absolutely doing are being a dad and being a husband, you know, the, the other stuff it's just fun, but the being a dad and being a husband, nothing, nothing beats that, that's what, that's what I do for fun.
So how can people find you outside of listening to this fabulous podcast?
Dominic Vogel (35:10):
Good question. For people who are listening / watching reach out on LinkedIn, I spent a lot of time on LinkedIn. @Dominicvogal, I'm the only one out there please feel free to reach out. I'm always open to, to new new conversations, love meeting new people, love networking. You can also email me firstname.lastname@example.org. Those are probably the best two ways of, of reaching me well.
Thank you so much for coming today and sharing your insights about what it's like to do business in Canada and around the world. And, you know, it's really interesting to see that we're all facing the same similar, similar struggles.
Dominic Vogel (35:55):
So it was a lot of fun.
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven't already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.