This week, we’re following up on our fraud and employee dishonesty discussion with an episode focused on one of the biggest threats to your business: cybercrime. Morrelle McCrary of RAM-Tech PC Solutions joins us for this important conversation.
Topics we cover include:
- How cybersecurity has changed and why you need to worry about breaches more than hackers now
- How much it costs on average to deal with a security breach and how many businesses go under after an attack
- The tools that can help protect your data and their limitations
- The process of applying for cyber security insurance and completing an audit
- How you can work with an IT professional to secure your data and your clients’ data
Subscribe for free resources and to be notified of future episodes at contractorsuccessforum.com/subscribe.
Find all episodes and related links at ContractorSuccessForum.com.
Have questions? Need help with your cybersecurity?
Contact Morrelle at RAM-Tech PC Solutions:
[00:00:00] Rob Williams: Welcome to the Contractor Success Forum. Today, we have Morrelle McCrary talking about cybersecurity and how they make it simple at RAM-Tech PC Solutions.
At the Contractor Success Forum, we discuss financial strategies for running a more profitable, successful construction business and check out our show notes below and our show page at ContractorSuccessForum.Com.
You can get everybody’s information there and the information on how you can contact Morrelle. And today we have our other wonderful industry professionals. We have Wade Carpenter with Carpenter and Company, CPAs helping contractors nationwide to become permanently profitable for over 30 years.
And in the other corner, we have Stephen Brown, a construction bond agent with McDaniel-Whitley Bonding & Insurance Agency, with over 30 years of experience underwriting and placing bonds for you as contractors and cyber security insurance, by the way. Okay. And I am Rob Williams, your profit strategist, with IronGate Entrepreneurial Support Systems, driving profit in your businesses with decades of vertical integration as a contractor, a manufacturer, an aviator, and a financial strategist in the construction industry.
So today we’re talking about cyber security and how people like Morrelle can make it simple, but the impact- which I just was listening to our other podcast that we made- the impact of cybersecurity just blew me away of how much theft that goes on and the cybersecurity impact. I was, I’m still just floored. I can’t talk about it. Well, welcome Morrelle. Thanks coming!
[00:01:57] Morrelle McCrary: Thank you for having me. Yeah, guys, it’s a pleasure to be here for sure. I always start out these kind of talks with, cybersecurity has changed. The whole gambit of keeping your IT and your business safe has changed, right? Before, like when I was a network engineer and I was working full-time in downtown Atlanta, the biggest threat we had was making sure that the neighbors in the building next to us weren’t trying to hack into our network with brute force. Or the guys in the parking lot aren’t trying to pile up servers in the parking lot and hack into your network.
That was the old school way of hacking. The term hacking almost doesn’t exist anymore. Like it’s, it’s a breach. And, and it’s a breach now because we’re essentially handing the keys over and then they’re just walking in through the door. So fast forward, now we’re in 2021, heading into 2022, and they’re using username and passwords that are just free out there on the dark web or bought on the dark web.
[00:02:58] Rob Williams: Wow. That’s amazing. Stephen, as an insurance salesman for this kind of thing and underwriting and looking at that, what kind of questions do you have for Morrelle? Who, by the way, does Wade’s–
[00:03:11] Stephen Brown: A lot of our companies are not writing cyber, or they’re going way up on their rates. They’re definitely requiring more internal controls to be in place before they’ll sell you a policy and it’s not the insurance that you want. You don’t want it to happen. Then the insurance might save you from some financial disaster-
[00:03:31] Morrelle McCrary: Right, you want to prevent that.
[00:03:33] Stephen Brown: But just having it happen is a nightmare. We’ve had three of our customers with cyber breaches last year. And every one of them was a blackmail situation to get your data back. It just happened to be that way, but it can happen to anyone. And these are contractors that it happened to. You hear most of this happening to people who have a lot of data on clients, social security numbers, and other vital data that the cyber criminals want to steal, but I think a breach is a great way to describe this. Hacking is beating your way in; breaching is just kind of, almost being invited in. So how do you keep people from being invited in?
[00:04:19] Morrelle McCrary: There’s a lot of different tools out there right now that prevent breaches from happening. But I will tell you, the biggest obstacle we all face is the people we employ or the members on our team, myself included. I was that guy that had one password that unlocked everything. Fast forward, five years now, present date, if you do that, you’re sunk. I mean, you almost need different passwords for every single piece of software or website that you touch. And then you need to turn on multifactor or two factor authentication, which if you guys have a bank account and you log onto your online banking, they send you a text. That’s a form of multifactor authentication.
[00:05:00] Rob Williams: As we get started into this discussion, we’re a cashflow-talking business success thing. Why are we talking about cybersecurity? So, the impact of this just real quick. And we’ll go back into that. What is the impact?
It’s not just a convenience. That’s my, that was my first thought when I heard about cybersecurity. Oh, this is inconvenient if something happens. So why would we be talking about this when we talk about Profit First and cash flows? What kind of impact in this have on a business?
[00:05:31] Morrelle McCrary: Let me tell you it will directly impact cashflow for a business immediately, immediately if you’re breached. You will immediately see a cashflow problem, A, because you have to do damage control. And then on top of that, you have to do reputation management after that. And when I say reputation management, you gotta rebuild your name and your brand back into a sustainable part of the ecosystem, if you will. Right?
So, yes, we got breached. This happened. Here’s how it happened. We took a toll and I’m sure, if, if one of us were to get breached, our customer base is gonna jump ship, most likely. That’s an immediate cash flow interruption in my book.
That said, I pulled statistics on 2020’s data loss. For every individual that you have in your roster- so when I say individual, I don’t mean like company. If you have 50 users at one company, that’s 50 individuals. That’s $146 per individual as a loss of trying to, purchase things to make sure that their data is protected, and the dark web monitoring for that individual, the remediation and the watches you turn on with the credit bureaus to make sure that nobody’s trying to get to their identity. You’re buying all of these tools for these individuals and that tune runs to about $146 per individual.
[00:06:57] Rob Williams: Those are some of the costs that are in my head. And that’s the cost if you do it proactively.
[00:07:03] Morrelle McCrary: Right, right!
[00:07:04] Rob Williams: And that’s actually what I think about when I hear an episode about cybersecurity. Then I started hearing about that. And man, that is dirt cheap compared to the impact of what it does. The direct costs may be hundreds of thousands of dollars, if not millions, depending on the size. And then what kind of multiplicative factor would that be to the indirect costs? I mean, I guess it could put you out of business. I don’t know how often that happens. I have no idea any statistics about that, but we’re talking about for a small business. It may be hundreds of thousands of dollars of cost if this happened, which I just don’t think about that.
[00:07:41] Morrelle McCrary: That number is 46% of all businesses that have been breached do not make it. And that’s as of 2020.
[00:07:49] Wade Carpenter : Did not know that.
[00:07:51] Rob Williams: Whoa. So if your business is worth, a relatively small business, a few million dollars, that that can easily be-
[00:07:58] Morrelle McCrary: Yeah, you won’t recover.
[00:08:01] Rob Williams: That’s just mind-boggling. I definitely don’t think the cyber security conversation gets enough attention. Well, because people like me, we don’t think about it. We think about the cost of the upfront. And then we– just, I don’t know why it’s not more public. I mean, maybe it is in your circle. you’re in the
[00:08:19] Morrelle McCrary: I tell people all the time, you buy a car, right? You take it in for routine maintenance or if you don’t, you’re on the side of the road on 75 and I’m passing you.
[00:08:28] Rob Williams: Yeah.
[00:08:29] Morrelle McCrary: I mean, that’s the same thing with cyber. Same thing with insurance. I buy insurance. If I get into an accident, I need insurance.
[00:08:38] Wade Carpenter : Right.
[00:08:39] Morrelle McCrary: if I didn’t have it, it would be a lot more expensive.
It’s the same concept.
[00:08:44] Wade Carpenter : Morrelle, thanks for coming on. He’s been my IT guy and friend for 10 years and I once joked that he’s probably the only IT guy I’ve ever known that I would take to collect receivables with me. He’s a big guy, but he’s a great guy and he really knows his stuff. So, but I wanted to throw out a story that I recently heard with one of my contractors. He had an attorney that was settling a lawsuit between a subcontractor and him.
And so the attorney sent wire instructions by email, and this was a $10,000 payment. So it got to him and he discovered that they apparently intercepted the email and changed the wiring instructions pretty much in real time. There’s all kinds of things internally, but stuff like that still happens.
[00:09:35] Morrelle McCrary: So I can tell you the breakdown on how that happens, right? We see that a lot. We support some closing attorneys as well, and they are very strict on their process of closing. Make sure you follow those directions, right? Here’s how that process happens. Wade.
Would-be breacher– I don’t even call them hackers. Would-be breacher has access to your email account through username and password. How they get that information. They send you a phishing email that looks like it’s from Microsoft or from Gmail or whoever your provider is. And it looks very legitimate and it asks you to go and log in. right?
It takes you to a link that says your, your mailbox is full or your password needs to be reset. And it looks like a legitimate email, right, to the naked eye. So you go to that link, you put in your username and password, you hit submit and nothing happens. So you’re thinking well, okay. All right. Well, my password is reset and I go on about my merry way, or you get an error message on the website and you think nothing about it and you keep going.
What you’ve done is you’ve sent the credentials to your mailbox to that would-be criminal, cyber criminal, and now they have it and they have access to your mailbox and they can go in and create rules. And they create a rule for every incoming message to forward to an outbound mailbox, and you have no clue about it, right?
And in that rule, they can collect every bit of incoming mail that you have. And if they see something that comes through with wire information, then that’s when they intercept you. And then that’s when they start sending and receiving on your behalf and lock you out of your own email account.
I had a story about a gentleman in Atlanta, he has 15 domains. He does marketing. And he lost access to his GoDaddy account. They compromised his GoDaddy account, took over all 15 websites, locked him out of his account and he had his credit card saved on file with GoDaddy.
[00:11:34] Rob Williams: Wow.
[00:11:36] Morrelle McCrary: So not only he to get access to his business, he got access to his credit card and his identity. So yeah.
[00:11:45] Rob Williams: Do we sell Xanax on this?
[00:11:47] Morrelle McCrary: Right.
[00:11:47] Rob Williams: I’m like, I’m getting a little nervous now. I don’t know.
[00:11:50] Morrelle McCrary: But a simple 2FA would have stopped that. Right? As far as the email, we have tools in our tool belt that will monitor any kind of change from an admin level and report on it immediately if something happens and I can geo locate where that change happened.
[00:12:07] Rob Williams: Wow. Well, one thing I’m really curious about, cause you got me all riled up about this now. I’m, I’m– what does the process look like when somebody brings somebody like you in and then also, what does the process look like afterwards? Tell
[00:12:23] Morrelle McCrary: So, what I do is I normally do a 15 minute phone consult. And that 15 minute phone consult consists of me going through a checklist with the would-be client or person that has a need. And I walk them through, okay, this is what you have for a firewall. This is what you have for protection. And we look at everything holistically. I always, I tell people, you have to almost think like a cyber criminal to protect yourself from becoming a victim from one. So I look at, from the outside down, what are you using? Do you use Microsoft 365? Do you use G suite? Do you use Bell South or Gmail? So I’ll work my way outside and then I come into the four walls of their business.
Okay. What are you doing to protect Sally when she goes home to work? What are you doing with this whole remote half and half hybrid workforce? So we look at every aspect of it and we dissect it. And usually 15 minutes will give me a good barometer of where I need to provide services.
[00:13:24] Rob Williams: Yeah. That’s a hard question. I get audits on my cyber security, and I can’t remember sometimes what it is and I have different computers. It’s one of the bits. Is it bit defenders at the other bit thing or is it, I don’t know. I don’t know how to answer these questions sometimes. Cause they’re working in the background
[00:13:41] Morrelle McCrary: Right, right. And I will tell you a lot of the antivirus companies are just, I mean, I have another application that I use it detects when things slip by antivirus. So it’s insane what you have access to from this seat in the IT world.
But you know, just like Stephen, we have sat on many cybersecurity audits. I think the most I’ve had, and this is this year alone, the most I’ve had was probably 10 in one week, where I’ve sat on calls with my customers and their insurance agent as we process and go through their cyber policies. A lot of it I could tell is just copy paste, copy paste from one vendor to the next, however, it does get the customer thinking. So thank you.
[00:14:27] Stephen Brown: If you answered the questions correctly and you, you get a quote for the coverage, you have some degree of protection in place, or at least the insurance company thinks that.
[00:14:38] Rob Williams: Stephen are the insurance companies, are they rating people with their fees for this, or is it a pass or fail?
[00:14:45] Stephen Brown: They’re either gonna do it or they’re not going to
[00:14:46] Morrelle McCrary: That’s what I see too, it’s or fail.
[00:14:48] Stephen Brown: Always the case.
Now you’ve got to get your controls in place, and then you’ve got to prove to them that they’re in place. And then they’ll reconsider.
[00:14:57] Morrelle McCrary: How did they, how did they check that balance? Because I’ve had some, I won’t even call them customers because they call me and they want me to do a consult, and I give them a consult and I tell them what they need, and then they don’t buy from me, which is fine. That’s their choice. But I know they went back to that audit and answered as if they did buy it.
[00:15:16] Stephen Brown: Well, that’s a good question. How, how do you know they’re lying about it, and they just buy the coverage? I think that for example, Travelers, I know runs tests on their clients. They’re just not going to be giving away money in their policies if the protection isn’t there. And they have so much money that they’re putting in to clients and policy holders and underwriting, that it just blows your mind.
[00:15:43] Wade Carpenter : Morrelle don’t you do actually those compliance audits?
[00:15:46] Morrelle McCrary: We do provide compliance audits.
[00:15:49] Rob Williams: Interesting. So Stephen, is it the chicken or the egg first? Do you get the insurance first do you get Morrelle?
[00:15:54] Stephen Brown: I’m not an IT guy and I’m not a computer person.
[00:15:58] Morrelle McCrary: Okay.
[00:15:58] Stephen Brown: I’ve been around them all my life. And what scares me is my, 86 year old mother and her dabbling around the internet. She can’t stop and she has no idea what she’s doing, but I also think of, of a lot of my clients as being as blind as my mother and me. Just hearing the password discussion scared me. And I have a monitoring through Experian that just mentioned that something on my data I think my phone number or something showed up on the dark web. I had no idea what that meant, but it scared me to death.
[00:16:34] Rob Williams: My password program, I’ve got one of these password programs and it’ll generate, but it was a couple of years before I figured out how to use the generate thing. And all of a sudden, one day I came in there and I had all these red circles on, they weren’t my financial accounts, but it was those, little accounts that don’t seem to matter.
But, I was like you Morrelle, in the old days, I had one password, maybe it had a couple of different endings on the end…
[00:17:01] Morrelle McCrary: Right.
[00:17:02] Rob Williams: I definitely don’t have those in the financial world, but I had those on some of these old accounts.
[00:17:07] Stephen Brown: The elderly have passwords that are easy so that I can’t forget.
[00:17:10] Morrelle McCrary: Let me tell you the preying doesn’t stop on the elderly as well. They’re going about it with text messages and phone calls now. My mother is 72 and she is getting phone calls daily from “Microsoft” about remoting into her computer. And I finally just had to tell her, look, if it’s not me remoting into your computer, nobody else needs to.
[00:17:32] Rob Williams: Yeah. Yeah. My mom’s 83. She gets calls all the time and she’s like, Hey Rob, is this real? Or is this something– I’m just like, if you’re asking me, no, it’s not real.
[00:17:41] Morrelle McCrary: Right.
[00:17:42] Rob Williams: Pretty much it. But now tell me, I’m, I’m curious, what’s it look like afterwards? You know, we were just talking about the before, that’s the easy stuff, which that sounds hard to people, so they don’t do it. So, what does the after look like to motivate us to get this done beforehand?
[00:17:59] Morrelle McCrary: The aftermath of a breach is nobody’s friend. It’s a lot of working with the authorities to deliver information and provide information. It’s a lot of damage control from the marketing side of things. I actually heard a presenter last week say that, take the expenditure that you spend in marketing and shift it to cybersecurity because you’re going to spend it now in cyber, or you’re going to spend it later in marketing. So take from your marketing budgets to spend on cyber because it needs to happen.
But the recovery side of the fence is where nobody needs to be. It’s a lot of damage control and reputation management at that point. And then you’re gonna be calling Stephen to tell him that, Hey, I’ve got a breach. I need help recovering from it.
[00:18:42] Rob Williams: Right. That’s that’s bad. I don’t know if anybody else has any more stories they want to share on that, especially about any aftermath. I just had one that was pretty bad, but luckily she was a really anal retentive person. And luckily I didn’t even have her bank account number here, for me, but it was she tried four times finally the bank told her she had to go somewhere else. They can’t protect her.
[00:19:04] Morrelle McCrary: I’ve got plenty of stories, plenty of stories. It’s just so many I’ll share a quick one though. And this will be my last one I’ll end with. One customer was hit with ransomware where the criminals, cybercriminals were requesting a sum of like $800,000 for their data back.
And they actually paid the ransom and got their data back. However, they thought that they were good and in the clear from that after they received their data back, and that was not the case. They just left seeds and trails behind to reencrypt their data. And take it again.
[00:19:39] Rob Williams: Oh, God.
[00:19:40] Morrelle McCrary: So if that happens, I tell people if you have a good backup system in place, if you have proper tools in place, you won’t have this happen.
Our backup tools, we only use two backups tools here, and they both scrub for ransomware in every backup. If it detects ransomware or any type of malicious software in a backup, we get a million alerts and we shut it down.
[00:20:05] Rob Williams: Yeah. I, cause I thought the backup tools, I was just asking my IT guy this last week and I said, well, the backup we’re automatically safe, right? Cause I’ve got everything stored on the cloud. There’s nothing, that’s only stored on my computer. And I was kind of shocked when he said no, that doesn’t mean you’re safe.
I didn’t know that there was a way to ransomware backed up data.
[00:20:28] Stephen Brown: Another thing is those criminals, they’re going to pick the low hanging fruit first, and as they blow through this data, they’re going to grab what they can grab as fast as they can. And at least you’ve got a speed bump, having these controls in place.
And I mean, I think of it as speed bumps, doing something, but what we’re trying to build is a brick wall around your data. Impenetrable, concrete wall.
[00:20:54] Rob Williams: This is a great show. I know we’ve gone over a little bit. But I, I didn’t want to stop this as just, I went from cyber security, oh gosh. Why are we doing this? To now, I just actually really want to hear a lot more about it. So, I guess next steps, what is the advice to somebody? Contact somebody like Morrelle? Morrelle, what do you…?
[00:21:14] Morrelle McCrary: Definitely. If you have questions about protecting your business, give us a call. Let’s have a consult. Let’s review steps.
[00:21:22] Rob Williams: Tell them how they can get in touch with you.
[00:21:24] Morrelle McCrary: You can give us a call and schedule an appointment with us online. RAMTechPCS.com. Our number is (678) 999-2172.
[00:21:33] Rob Williams: And that’ll be in the show notes too. Wade, anything else before we sign off?
[00:21:37] Wade Carpenter : Well, you guys had so many questions. I didn’t get to ask half of them. But I can tell you Morrelle, I mean, he protects mine. He’s, we’ve gota backup, if it gets encrypted or something it’s stored onsite and cloud and all kinds of things like, we had recently had a situation where one of my employees was installing some software. Next thing I know Cameron, over at his office was like, is this right? And actually in that case it was, but I really appreciated them being able to do it.
Morrelle, I really appreciate you coming on today.
[00:22:06] Morrelle McCrary: I tell everybody we, we get so accustomed to the things we know. Like you buy an office building, you put in an alarm system, you put in cameras, you lock the door when you go home. Do the same thing for your data on your business. That data keeps your lights on.
[00:22:23] Rob Williams: Yeah. All right. Well, thanks a lot. This is the Contractor Success Forum. And we really, really enjoyed having Morrelle McCrary on here today and our other financial and construction industry professionals, Wade Carpenter with Carpenter and Company, CPAs and Stephen Brown with McDaniel-Whitley Bonding and Insurance agency, which provides cyber security insurance. And Rob Williams, me. Your Profit Strategist at IronGate Entrepreneurial Support Systems.
Thanks for listening. Check out the show notes to see how you can get in touch with Morrelle or Stephen and ask any questions. And thanks for listening. We’ll see y’all soon.