Business RadioX ®


No Wi-Fi, No Warning, No Excuses: How WBEs Survive Digital Disasters

July 7, 2025 by angishields

Women in Motion

In this episode, Lee Kantor and Renita Manley explore digital survival strategies for businesses facing cyber attacks and internet outages. Cybersecurity experts Paige Goss and Alaine Fulton discuss the unique vulnerabilities of small to mid-sized businesses, the evolving threat landscape, and the importance of proactive measures like employee training, regular security assessments, and robust backup solutions. Real-world examples highlight the costly consequences of neglecting cybersecurity. The episode emphasizes that no business is too small to be targeted and underscores the need for a strong culture of cybersecurity awareness and preparedness.

Paige Goss is a fixer of fixers, orchestrating a collection of highly adept tech and engineering all-stars.

She founded Point Solutions Group to address the dire need for diversity in information technology, engineering, and professional services in government and commercial organizations. And the looks she gets when she walks into some meetings exemplify that.

She not only talks the talk, but her extensive background in the information security, healthcare IT, and Department of Defense industries gives her the cred to strut the strut. As well as to pirouette between highly classified government projects and the demands of an ever-changing commercial landscape.

Connect with Paige on LinkedIn.

Alaine Fulton founded Safe Haven Solutions in 2005, and the company continues to bring her clients best-of-breed technology solutions to provide integrity in cloud, network, and security.

Safe Haven Solutions is an IT consulting company specializing in cloud computing, cybersecurity, and network solutions for mid-market and enterprise clients.

Our core focus is delivering effective business solutions to our clients that reduce costs, streamline operations, and increase profitability.

Connect with Alaine on LinkedIn.

Episode Highlights

  • Digital survival strategies for businesses facing cyber attacks and internet outages.
  • Vulnerabilities of small to mid-sized businesses in the digital landscape.
  • Misconceptions about the risk of cyber threats for smaller organizations.
  • The evolving nature of cyber threats and the organized nature of cybercrime.
  • Importance of identifying and protecting critical data and applications.
  • Proactive measures for enhancing cybersecurity, including employee training and regular assessments.
  • The significance of incident response planning and preparation for cyber incidents.
  • The role of human error in cyber incidents and the need for a culture of cybersecurity awareness.
  • Differences between cyber attacks and internet outages, including response strategies.
  • Real-world examples illustrating the consequences of inadequate cybersecurity measures.

Music Provided by M PATH MUSIC

This transcript is machine transcribed by Sonix

 

TRANSCRIPT

Intro: Broadcasting live from the Business RadioX Studios, it’s time for Women in Motion. Brought to you by WBEC-West. Join forces. Succeed together. Now, here’s your host.

Lee Kantor: Lee Kantor here with Renita Manley, another episode of Women in Motion and this is a very important one. But before we get started, it’s important to recognize our sponsor, WBEC-West. Without them, we couldn’t be sharing these important stories.

Lee Kantor: Today’s episode is titled No Wi-Fi, No Warning, No Excuses: How WBEs Survive Digital Disasters. This is an important topic and we have two great guests coming on board to discuss it. We have Paige Goss with Point Solutions Security and Alaine Fulton with Safe Haven Solutions. Renita, great job putting this together. This is such an important topic of interest for our WBEs.

Renita Manley: Thanks, Lee. It really is. I’ve been actually thinking about it so much lately, but we’re going to dig into it. So in today’s episode, it’s all about digital survival, what to do before, during, and after a cyber attack or internet outage. So, I guess I’m going to break down how to prepare ahead of time, how to respond in the moment without panicking, and how to bounce back fast. Lee?

Lee Kantor: All right. So, before we get too far into things, Paige and Alaine, do you mind sharing a little bit about your background? Why don’t we start with Paige, talk about Point Solutions Security a little bit and your work.

Paige Goss: Yeah, absolutely. And, Lee, Renita, thank you so much for having us on today. Excited for the conversation. I think I agree it’s an important one. So, Point Solutions Security, we are a cybersecurity professional services firm headquartered out of Denver, Colorado. I started the firm really to support the SMB, mid-market on offensive cyber efforts, so those are things like ethical hacking, red team, pen testing. We’ve got a governance risk and compliance division that supports companies that are looking to get audit ready. A lot of times now, companies are forcing down security requirements to smaller businesses, something I’m sure we’ll talk about today.

Paige Goss: And then, recently, we launched Cyber as a Service, which is a VC, so an opportunity for companies that want to basically outsource all of your sort of security strategy. And it’s been a lot of fun, so thanks again for having me.

Lee Kantor: And, Alaine?

Alaine Fulton: Yes. I’m Alaine Fulton, Founder and CEO of Safe Haven Solutions. We just hit a 20 year mark, which is amazing. We are an IT consultancy and managed service provider. We focus predominantly on cloud services, network architecture, and cyber security, more virtual CISO. So, our focus is really kind of securing from a network side your architecture, making recommendations of how to secure your applications in the cloud, and then also working with companies to really help define policies and procedures around what happens during an attack, what you do, what you do post, and how to really get ahead of that. So, happy to be here and looking forward to the discussion.

Lee Kantor: All right. So, let’s, I guess, start at the top. In the case of the WBEs out there, anybody that has a business, how vulnerable are most organizations when it comes to having their entire system going down? I would imagine most businesses can’t survive very long if that happened. But is that kind of where you begin when you’re kind of assessing the dangers if you’re a business owner in today’s world? Do you want to start that, Paige?

Paige Goss: Yeah, I’m happy to. From our perspective, actually, we sort of look at things a little bit different, not a total outage. That’s rather rare today, unless there’s something extreme that happens. You know, internet outages happen. Lots of companies now have backup systems or redundant circuits that they’ve deployed that help with that type of company wide outage.

Paige Goss: But I would say from our perspective, we really look first at critical data within your environment. And so, what makes you unique as a company? What is critical to your organization sustaining long term success? And really, you know, your clients, a lot of them are pushing these requirements down because the data that you hold in your environment is connected to them. And so, for us, it’s really a matter of what could, one, be a reputational damage; two, could prevent you from making money; and three, I think long term prevent you from doing what you want to do for your client base.

Paige Goss: So, not a total outage on our side, Lee, is not how we start. We most of the time want companies to understand that everybody’s vulnerable. We say often it’s not a matter of if, it’s a matter of when, and how can you recover and how can you protect your most sensitive data.

Alaine Fulton: And I would jump in. I mean, I think from the WBE community, a lot of people think I’m too small, it’s never going to happen to me. And I think that’s kind of the number one myth. Bad actors, they don’t discriminate. If anything, I think women owners are, you know, having multiple roles, managing tighter budgets and resources, and so, it’s really, really important to kind of make sure that you understand what your critical applications are. What does downtime mean to you? How much damage could that do? How long can you be down? Just really kind of understand from a business perspective, you know, what are those critical applications. So, I think any company of any size should absolutely have awareness around it.

Lee Kantor: Now, can you talk a little bit about maybe the myth of these bad actors? One time, maybe the bad actor was in your head, you would picture some teenager in their basement, you know, drinking Red Bull and eating Cheetos. But now it’s way more organized, right? Aren’t there state actors now? This is like a big business where professionals are going into conference rooms with whiteboards and really strategizing to finding vulnerabilities.

Alaine Fulton: Yeah. I mean, from our perspective, I think the scariest thing out there is the AI component. I mean, if you think about your social media algorithms, like TikTok, if you say one thing, all of a sudden it pops up on your feed. They’re using those types of tools to kind of understand and target specifically certain demographics, and who’s going to click on what. And so, these emails are starting to look more real. They’re starting to be more personalized. And all of that can be bots and AI generated. So, the quantity and the smartness around these attacks is way more and it’s just going to continue to grow versus the guy in the basement going after one or two companies. I mean, it is mass, mass targeting, so it’s scary out there.

Paige Goss: Yeah, Lee, I agree. But there are still companies that have, you know, floors and floors of humans external to the United States that are pounding away.

Paige Goss: And I was going to reiterate that AI is changing everything, both from a defensive standpoint and an offensive standpoint. And I think too often companies – I think we mentioned it earlier – think that they’re too small. When reality, your companies might be significantly – your customers – excuse me – might be significantly larger than you. And so, these actors, these bad actors lead to your question, they’re using small businesses to get to bigger companies. So, you’re a risk not only for yourself, but also for your larger customers.

Paige Goss: And we have a bit of work in the Department of Defense, and I think that’s what we’re seeing there, as well as in all other areas, is that these smaller companies that think that their software, their app, their network, their machine shop, whatever it might be, was protected because they were kind of walled off from what the actual customer did. That’s just not true anymore. They’re using small business to get to big business. And I agree, AI makes that a whole lot easier to do and a whole lot harder to protect.

Renita Manley: Paige, do you have maybe like a quick story that you can share about a small business being attacked and how you all were able to help them?

Paige Goss: Yeah, we’ve had several situations. One, I’ll give you just an interesting example. We were working actively or trying to work actively with this company to kind of get them ready for a potential M&A transaction, and so we were trying to convince them to let us do an assessment on where are they, where are they weak, what external network vulnerabilities do they have, et cetera. And they kept pushing it off, saying nobody wants to work with us, we’re a small manufacturing shop and we manufacture – in this case, I’m not going to tell you what they actually manufacture, but let’s say they manufacture pins.

Paige Goss: And it was really interesting, they pushed me off for a year and a half. And then, what ultimately happened is they called me in a sheer panic that they had a $5 million ransom on their head, and it was about to impact everything from their business. They ultimately did business both commercially and with the Department of Defense. It was going to impact their transaction potential. They had all of their sort of critical data and all of their documentation was in a black box.

Paige Goss: And so, I think the interesting part to that is, again, you’re not ever too small, what you do is not insignificant. And that manufacturing pins, in this case, you wouldn’t think that that would be a huge target. But they were going up scale, they were going Defense and they were certainly going to the M&A target.

Paige Goss: So, what we ended up doing, one, we’re not a forensics company, so we sort of rode on the side with the forensics company trying to help them really, one, recover the data, and then, two, put way better business practices. And I know Alaine mentioned earlier policies, procedures, really just kind of back to the basics on how do you baseline protect making updates to your firewall, running patches. I mean, these are basic things that a lot of companies, I think, they get busy being busy and they sort of go over the top of it. And it’s a critical piece because that’s most of the time how things ultimately get escalated.

Paige Goss: So, yeah, we rebuilt their entire environment for them, putting in controls, putting in a bunch of the cyber practices that we deploy for clients. And about six months ago, they finally completed the transaction. So, it ended up being a success, but it was a lot of work and a whole lot of money. I think they ended up spending 6X on the repair and rebuild versus what they would have spent with us from the very beginning. So, it was a very expensive lesson for you’re not too small and you’re not too insignificant from what you do to, I guess, be vulnerable and be taken advantage of.

Lee Kantor: Now, you mentioned a couple of them, but are there any kind of low hanging fruit, proactive steps that every business can take to kind of prevent some of these things from happening?

Alaine Fulton: Yeah. I mean, from our standpoint, as she said – Paige said, for us, we think of it in three layers. The first layer is people. So, you want to train your people to recognize any type of phishing emails, you know, what to click, what not to click. We have tools where we can push those out to an organization and almost kind of test them, and that way, they can see exactly what they’re looking for.

Paige Goss: The second layer is going to be processes. You know, if you put together just a very simple checklist, is it my CRM? Is it our POS? Is it our email? What are those systems in place that are really going to be affected that we need to prioritize?

Alaine Fulton: And then third is technology. So, you can install an antivirus, but the antivirus is only going to really protect off those big viruses that are well-known. They’re not kind of like that shield, if you will. So, putting strong password policies in for all of your employees, putting in MFA, multi-factor authentication. That’s a free thing. That’s very easy. It can catch a lot of viruses and threat actors. So, yeah, there’s a couple basic tools that we recommend that are just basic security hygiene, I think, is a good step.

Paige Goss: Yeah. Alaine, I agree. I would also say that from a training perspective, train specific to the job because now a lot of these threat actors are getting – Alaine mentioned earlier – AI. I mean, salespeople are a great target. We want revenue. We want to click on everything. I’m a salesperson by background, so the second I see somebody reaching out for a quote, I’m excited. I would say help desk is a super vulnerable area now because most of the time it’s people that are earlier on in their career, they’ve not seen as many things. Same thing I would say with sort of frontline staff if you’re in a manufacturing or food service type.

Paige Goss: So, I think now it’s more important not to just train, but to train job specific on what’s coming up. ACH, that’s been sort of a topic that’s been flowing around for a while now. And I think a lot of this needs to be job specific versus just sort of an overall check the box we do cyber training. It’s really not helpful just as an overall. It becomes a lot more important job specific.

Renita Manley: So, if I’m a WBE listening to this today, what would you tell me – okay. I’m done listening to the podcast. What’s the very first thing that I need to go do right now to make sure, at the very minimum, my website is okay?

Alaine Fulton: So, for your website, I mean, you need to make sure that it has an SSL. So, if you go to any website, you’ll see it kind of looks like a lock box in the corner. That means that it is secure – I think it’s like a padlock. It means that it’s a secure site, so you’re making sure that your patching, your passwords are secure, you know, all of your plugins, your CMS platforms are all kind of up to date. But I would think the number one thing is just to make sure that it’s SSL secure.

Paige Goss: Yeah. I would say, too, if we’re not talking specific website, take away administrative access from as many people as you possibly can. Access control is a really interesting topic in the cyber world right now. I agree on making sure your website is secure and also your run patches. So, if it’s Microsoft upgrades or if you’re on a Mac, if it’s any upgrades or patches that can be run on any of your systems or inside of email, or anything like that, like keep that up to date. That’s the baseline for protection. And without that, it becomes really easy for people to get in.

Lee Kantor: Now, what should I do? Like you mentioned earlier, that client of yours had that ransomware attack, what do I do? What’s my first move if that comes across my screen?

Paige Goss: Do you want me to answer that, Alaine? So, one, I would always argue don’t pay it first. There’s a lot of other options outside of paying. I think depending on the company, depending on the situation, you’re going to kind of have a three-pronged response. One, if you’re sort of a more formal, sort of better cyber hygiene company, you’re likely to have an incident response plan. If you have an incident response plan, you want to launch that immediately. And most people within the org should.

Paige Goss: That’s one of the funny lessons learned, is like make sure anybody listed in your IR plan, knows they’re listed in your IR plan. Too often we go run exercises, and people are like I had no idea I was responsible for this. So, have an IR plan, so first would be to execute that.

Paige Goss: Second, I would shut down any external access. So, make sure that anything from the external facing internet is shut off until you can kind of get a handle on where things have gone awry. And then, I would say the next would be to start a conversation with your insurance broker if you have a cyber insurance policy.

Paige Goss: Now, you could throw companies like Alaine’s and I in there. Yeah, you’re probably going to need us relatively quickly. But I think those three steps of sort of launching your IR plan effectively, shutting any external access off immediately, and then reaching out to your cyber broker.

Alaine Fulton: Yeah, I agree. Got to contain it right away. And also just make sure you’re preserving any type of evidence. You know, you don’t want to lose any type of data, especially if you have a cyber insurance policy, what have you. You want to make sure that you’re not deleting any backlogs or anything like that. But, yeah, contain it. Turn everything off. Get rid of the Wi-Fi. Close down access to any remote. Just shut the house down, basically.

Renita Manley: You mentioned IR plan, for anybody who heard that, what exactly is an IR plan?

Paige Goss: Incident response.

Alaine Fulton: Yeah. Incident response, right. So, it’s kind of what happens during a breach. Who do I call? Who do I communicate with? What are the steps that we need to take? Who do we need to contact in what fashion? So, it can be a very simple checklist depending on the size of your organization, or it can get very, very in depth in regards to, okay, these are the systems, who’s responsible? Who’s responsible for communicating to our customers that something happened? So, it can get very detailed depending on the complexity of your environment or it could be just as simple as a checklist. So, yeah, incident response.

Paige Goss: The first one – sorry.

Renita Manley: You want to make sure you have a hard copy of that.

Alaine Fulton: Yeah.

Paige Goss: Yeah, absolutely. And I was going to say, too, the shut your house down is critical. So, shut your house down and kick your kids out, so that you can really look and see was it inside or was it outside. You got to sort of shut it all down and have as few people involved as possible from my experience.

Lee Kantor: Now, on these types of incidents or attacks, are they happening kind of in that AI automated way that people are just, you know, kind of poking around and they find a vulnerability and then they get access? Or is it kind of a human error thing that somebody on the team clicked on something inadvertently in order to let this thing in? Because to me, the training on that second one, you really have to be relentless with the humans in your organization, not just shore up the computers in your organization.

Alaine Fulton: Yeah. I mean, I think people is probably 99 percent of how these actually happen. If you’re clicking on a malicious email, that opens the door to get into your organization. But, for example, the MGM in Vegas, that was caused because somebody didn’t patch one of their infrastructures correctly, and so that was a hole that somebody was able to get into.

Alaine Fulton: So, to Paige’s point, you know, making sure that you’re constantly updating your software, your hardware, your patching, all of that, everything is encrypted. So, again, that was kind of human error based.

Alaine Fulton: And there’s a lot of tools out there, and sometimes companies don’t really know how to use the tools or they’re duplicate. So, I mean, there’s a lot of noise in this space. So, again, trying to really simplify and keep it as basic as possible, I think, is key in educating your people.

Lee Kantor: Now, how often should you kind of be testing your team to ensure that they’re not going to inadvertently click on something? Is that something that you recommend happening once a year, every three months? Like, is there a rhythm that you recommend? Because, to me, that’s the weakest link here. You guys want to fight for this?

Paige Goss: Yeah. No. So, every company is different. I think once a year is way too infrequent. Things are just changing in technology so quickly. So, we recommend, we do it monthly with our clients in some form or fashion, so if it’s the accounting department, or if it’s an all hands, or if it’s sales, et cetera. So, we try at least one touchpoint at least a month or recommend that, some being automated, some being more kind of in your face. So, once a month on our side.

Paige Goss: And then, sort of testing it is an interesting one, Lee. And I would say you want to test your humans, but you also want to test your systems. And so, Alaine and I both, I think, would agree that having at least an annual penetration assessment, at least an annual sort of web and mobile, or whatever your business is creating, I think having at least annually, if not twice a year. It’s critical because then you get to really see sort of your current state and you can make updates, you can see where you haven’t patched, you get access to sort of where your infrastructure might be weakest, and then you can call Alaine to have them help you get it all squared away.

Paige Goss: But I think doing the offensive work or having a third party do the offensive work to really give you a baseline is a critical piece to this testing, both humans and systems.

Renita Manley: So, I hear what you said about penetration session and I kind of gathered what that means, but can you explain what that might mean for a small business owner?

Paige Goss: Yeah. So, there’s several ways to do it. A lot of companies sell penetration testing, which really is more what we call vulnerability scanning. So, they’ll take your external facing assets or your external IPs, and they’ll run them through a system to see if there’s any known vulnerabilities out there, so missing patches, attacks on a specific piece of hardware, et cetera.

Paige Goss: What we do is we take that information. We also go to the dark web. We also gather what we call OSINT, which is intelligence data around just the entirety of your system and your infrastructure, your web, et cetera. And then, we actually do hands on keys and we try to attack. So, we’re attacking from the outside, from the web, trying to see how far we can get.

Paige Goss: And the benefit, in our opinion, to doing it manually is it’s a unique environment or a unique set of credentials for all companies. And so, we’re piecing things together and we’re really taking it from a state actor perspective. So, you just get a lot more information and you get a little bit more on how to protect yourself if you do that type of penetration testing. Now, you should absolutely do the vulnerability scanning. That’s a quick and easy win. But doing a deeper dive, I think, once a year at least is really important.

Lee Kantor: Now, do you do drills or do you recommend doing drills as if you were attacked so that people can kind of take the steps that they would take if they were attacked? Like, you do a fire drill. You know, a lot of buildings do fire drills every year. Should you be doing one of these kind of incident response drills?

Alaine Fulton: Absolutely. Absolutely. I mean, that’s critical, having everybody understand, kind of go through the process. And that way it takes out kind of the panic when things happen. They know the plan. They know how to execute it. And we have customers call us and we kind of know the playbook, so we understand that.

Renita Manley: And we’ve also done physical downtime. So, what happens if this server is unplugged? Where are the backups? And actually get those backups up and running. So, really physically testing your environment as well is critical because things – like Paige said – are constantly changing. So, absolutely, you want to run through that plan at least once a year.

Alaine Fulton: And I would even say on the physical side, testing your connections, testing your network and all of that even probably twice a year. But, yeah, that way everybody knows what they should be doing, it’s well practiced, and I think that’s super important.

Lee Kantor: And you want to be doing it when there’s no stakes now. Like everybody’s calm, this isn’t a crisis, so that when the crisis comes in, you already have some repetitions. You have some, you know, experience of having done it. You don’t want the first time to do it when it matters.

Alaine Fulton: Yes, absolutely. And I think having cloud backup or having backups kind of gives people peace of mind as well. You can take the state that you’re in today and you can have backups on a per minute basis, on a 24-hour, on a weekly basis, just really kind of depends on what that downtime looks to you. But then, you can just go ahead and circle back to that old data, so you’ve preserved that. So, having those type of backups.

Alaine Fulton: We don’t recommend on site. There’s best practices around that. But that’s also kind of being proactive. If something happens, you don’t have to pay the ransom. You have all of your data. It’s all solid. And that’s another definitely highly recommended.

Paige Goss: I’m so glad you mentioned this, because this is something we see over and over and over where companies don’t have backups on email, on files, on basic things that help operate your business successfully. And so, as a WBE, as a small business, it’s the first thing I would say to do outside of checking your updates and kind of everything we talked about, is, figure out a backup solution, because then it’s business continuity, it’s disaster recovery, it’s incident response, lack of follow up that you have to do.

Paige Goss: I mean, there’s just so many advantages if you have a good backup solution. And I completely agree, it’s a relatively inexpensive technology to deploy most of the time, which can be just a massive risk aversion technology. But also just sort of this relief of like, okay, it’s not a matter of if, it’s a matter of when, and I’m good.

Renita Manley: You mentioned recovery, so I was wondering, what’s the first step to even figuring that out? Like, as a small business owner, I just heard you talk about disaster recovery, so now I’m like, “Oh, my gosh. I don’t even have a disaster recovery plan.” What should be my first step to make that happen? Let me see. Alaine, you go.

Alaine Fulton: I think, first of all, looking at your network infrastructure. What are your connections? Where are your remote workers? On the physical side, do they have firewalls on their remote laptops? Do they have antivirus? So, really kind of looking at the network as a whole, but then also looking at, again, those critical applications.

Alaine Fulton: Are a lot of your businesses based on a POS? Do you store credit card information? Do you store any type of personal identifiable information? There’s going to be compliance rules around that. If you don’t store that, do you store that with Microsoft or Google? Because even though they’re Microsoft or Google, they’re protected on theirs. That doesn’t mean that you are protected per se. So, what is that information that needs to be protected?

Alaine Fulton: I know companies use Dropbox and all that. Those are great, but you’re still kind of reliant on – I mean, they’re good for SMB. But I would, again, just kind of look at your critical applications, what data. What do you need to function? You know, if you cut your leg off, what would you need? You need a crutch, right? So, really kind of understanding what drives your business and starting to kind of hone down on that. And that will help with your disaster recovery plan is kind of going down the line as priorities in regards to how you can kind of continue your business.

Lee Kantor: So, how do you manage kind of from a human standpoint, the person who clicked on the thing, they’re the ones who set this whole thing in motion. Are there some best practices you’ve learned on how to manage kind of how they’re feeling and they’re responsible, and how everybody as an organization, the culture of it, how it handles that type of kind of inadvertent mistake that’s really messed things up?

Paige Goss: Yeah. I mean, I think we’ve all clicked on something, right? I own and run a cybersecurity firm and I’ve clicked on things. So, I think it’s just human nature. We’re all moving fast. We get hundreds of emails. So, I think having a culture of we all support each other and this is an enterprise or company-wide initiative, not just an IT issue or initiative, not just a risk management issue.

Paige Goss: I would probably argue now it’s becoming a huge sales initiative of where, you know, sales and cybersecurity are becoming revenue adjacent. Where without some of these cyber policies and practices and some of the standards that companies need to now adhere to, you’re not even getting to go to that from a sales perspective.

Paige Goss: And so, I think, Lee, having a culture of this is just who we are, we’re a cyber aware firm and things are going to happen, but our job is to not let it impact us from your reputation standpoint, not let it impact us from a financial standpoint. And I think the more you get people bought into that, the better it is because somebody already clicked on something. It’s just a matter of if it went anywhere or not, and some did and some didn’t. And so, I think just having an open conversation about the importance of this tied to the long term success of the company is important.

Alaine Fulton: Yeah. The mistakes are going to happen, right? I mean, we’re all human. So, I think when you have a mistake, it’s a learning exercise for everybody. I mean, the biggest thing is don’t hide it. Tell somebody. The quicker you know about it, the quicker we can respond. And that does come down to culture, so I agree, Paige.

Lee Kantor: Now, you mentioned that no company is too small to kind of be vulnerable. Is there a size of an organization or an amount of revenue that they have to be at in order to put in place some of these protections? Because you’re mentioning a lot of things. You mentioned secure backups. You mentioned cyber insurance. You mentioned partners like both of your firms. Like all this sounds very expensive, so what size do they implement some of these more expensive solutions? And then, is there solutions for people who aren’t at that size yet? Paige, do you want to take a swing at this?

Paige Goss: Sure. Yeah. So, I mean, again, every business is different because you can be a ten person company but have extremely critical data. You can have credit card data. You could have CUI, which is for the Department of Defense, et cetera. So, I think everybody’s business, Lee, is a little bit different.

Paige Goss: But I would say just as a baseline, it doesn’t have to be over architected. It doesn’t have to be overengineered. You can do a lot of what we’re talking about with better Microsoft licensing, which doesn’t break the bank. We’re not a Google shop, but there’s a lot of things that are built into Google now that you can deploy.

Paige Goss: And I would say, you know, just have a conversation with other companies in your industry and that are similar size and ask what they’re doing. There’s a lot of best practices out there for businesses of all levels. But start with, again, the basics. Alaine mentioned, there’s some MFA that’s free. There’s some Microsoft licensing that you can get upgrades to. And you can deploy some of these sort of baseline cyber tool sets for relatively inexpensive – excuse me – that are relatively inexpensive.

Paige Goss: And then, I think as you grow, it’s, again, what’s the value for you. So, if it’s important, then the dollars aren’t as hard. If this is something that will either put you out of business or will be a critical piece that you can’t continue to operate like you were. So, I think most of our clients, yes, are a little bit larger, but not large. Like we have lots of companies that are in the 10 percent plus range that we do basic cyber hygiene for. And so, it doesn’t have to be a big company, I think, to have an impact.

Renita Manley: Alaine, I want to ask you this question, what’s like the basic difference? I mean, as we’re all talking, I’m just thinking like what’s the basic difference between a cyber attack and internet outage? And as a small business, do I need to prepare for each of those threats differently or about the same? And I’m talking about a prolonged internet outage, maybe like two days or something.

Alaine Fulton: Right. So, for us, I think the key difference is intent versus impact. So, an internet outage is like a storm, right? You can kind of wait it out. It’s not that critical. You can use like a mobile hotspot or you can use a backup internet connection. There’s ways kind of around that.

Alaine Fulton: With cybersecurity attack, it’s kind of like a break in, somebody’s breaking into your house. So, you have to be a lot more diligent with that. You have to act fast. You have to contain the damage. You have to recover some of your work. So, an internet outage may put you out, but you can go to the Starbucks and connect to any type of Wi-Fi.

Alaine Fulton: So, obviously, large companies that are running infrastructure and data centers, let’s say, they need that 100 percent uptime. So, making sure that you guys have UPSs, that you have some sort of backup, even if it’s like a 4G mobile hotspot, like I said.

Alaine Fulton: So, you know, there’s a lot of easy ways to kind of have some internet backup, but I would say the attack is really going to kind of put businesses to their needs, and that’s where you want to prioritize that.

Lee Kantor: Now, before we wrap, is there a story you can share – we’ll start with each of you – maybe where you helped a client, where they were going through something, and then you were able to help them get back on track, and then maybe protected them for the future. I know that you mentioned that one thing that was the startup that was able to get acquired eventually. But is there another story, maybe, Alaine, you can share that you were able to help a firm get through a rough time?

Paige Goss: We are predominantly more on the forefront, so we do have kind of SMBs all the way up to enterprise. So, we try to get ahead of a lot of this, so our focus is really documenting all of the policies, the procedures, kind of anticipate what can happen. We do have resources, and Paige’s company as well, where we can help after the attack.

Alaine Fulton: But we are really integrated in to, you know, when something has happened, we help them, we walk them through it. We call the providers, we work with that. So, we help kind of quarterback that, I would say, a little bit more than actually doing the remediation. We also rely on penetration testing, and that way we can kind of foresee where those holes are, where those gaps are.

Alaine Fulton: So, I would say we’re more on the defense – or the offense side, I should say, to protecting environments and it’s been really helpful for organizations. Again, that does come with a cost. But again, it really depends on, you know, the size of the organization and how you’re running your business and what kind of data that you guys keep.

Lee Kantor: So, what is the pain they’re having right before they call you? Did they just have something or they got a scare? Like what occurred that spurred them to contact you?

Alaine Fulton: It was a third party company. So, we also do that as well. So, any organizations that are working with a third party company, we actually do assessments on that. Because, you know, company A, our client, they’re responsible to the end customer. Well, if they’re using Google Cloud or they’re using Dropbox, or what have you, they’re liable for those third party companies. So, it was a third party company that was breached. We had the assessment completed where that third party company said we checked all the boxes, we were compliant. Turns out that they weren’t.

Alaine Fulton: So, I protected my client because we did our due diligence to make sure that they said that they were compliant, when actually they weren’t, and that protected them from a lawsuit or having to pay out any of their customers. That third party is responsible for that. So, we saved them a lot of money in that sense.

Paige Goss: Alaine, that’s such an interesting example. We tend to go the other direction where our clients are getting security questionnaires from their clients. So, we have a lot of examples where they reach out to us, what has just happened is that their sales team gets a five-tab Excel spreadsheet on all of their security for the organization. And they basically say, crap, I have no idea how to fill this out. I have no idea if we have all of this or not. Or their clients are saying, you have X amount of time to go get a third party certification, ISO 27001, SOC 2, CMMC, et cetera.

Alaine Fulton: So, a lot of our business is driven from our customers, their customers pushing down hard core cyber requirements, and we get brought in to help them sustain that revenue and to help them grow, again, like I mentioned earlier, sort of turning cybersecurity into a revenue adjacent initiative, and it’s been extremely powerful. So, we also are on the front side. We don’t do the incident response as much, but more from a client requirement versus a third party risk, which is great that between the two orgs, we sort of covered the entire supply chain from what it sounds like.

Alaine Fulton: Yes, absolutely.

Lee Kantor: So, you’re kind of insurance for them before they need it.

Paige Goss: Yeah, that’s the goal, and really insurance plus. We hope that what they get out of working with us is that they become a lot more competitive in the market, they have these cyber requirements. So, Alaine and her company, as a third party reviewer, our clients don’t have to worry about that. They’re like, yes, we’re good, and here’s our third party attestation, or here’s our third party certificate. So, it becomes a competitive advantage.

Paige Goss: And a lot of our clients, including ourselves, we went in, leaned in even as a small firm, and that’s been extremely helpful. We’ve landed a ton of business because we had these cyber controls already in play and we didn’t have to spend the next 18 months trying to get there.

Lee Kantor: Well, Paige, if somebody wants to learn more about Point Solutions Security, what’s the best way to connect?

Paige Goss: Yeah. So, you can find me on LinkedIn, so Paige, and then it’s P-A-I-G-E, and last name Goss, G-O-S-S. The company website is pointsolutions-security.com. We also have a LinkedIn page that you can visit. And I think my WBE profile is somewhere where you can find me from our recent certification ourselves.

Lee Kantor: And, Alaine?

Alaine Fulton: Yes. I’m also on LinkedIn. It’s Alaine with an A, Fulton, F-U-L-T-O-N. The company is safehavensolutions – with an S -.com. And we are also in the WBE directory, I’m sure, somewhere.

Lee Kantor: Well, thank you both for participating in this. You shared really important information. Renita, anything else?

Renita Manley: Nothing. Just want to remind everybody listening to make sure you come to our Unconventional Women’s Conference on July 23rd. And we also have our WBEC-West conference that’s coming up in October. It’s going to be in Phoenix, Arizona. So, if you’re interested in that, make sure you go to our website, wbec-west.com, go to our events tab and learn more about it.

Lee Kantor: Well, Alaine and Paige, thank you so much for sharing your stories today. You’re both doing such important work and we appreciate you.

Alaine Fulton: Thanks for having us.

Paige Goss: Thank you so much.

Lee Kantor: All right. This is Lee Kantor for Renita Manley, we will see you all next time on Women in Motion.

 

Filed Under: Women in Motion Tagged with: Digital Disasters, Point Solutions Group, Safe Haven Solutions
