Safeguarding your business is not rocket science, but you may want to seriously consider hiring experts to do it, even if you have an IT team on your premises. Join John Riley and George Usi in this episode of Navigating Cyber Risk as they engage with Ryan Grimes, a seasoned IT professional with a unique passion for both cybersecurity and growing fiery peppers. Together, they explore the cybersecurity landscape, discussing cloud adoption challenges and the evolution from on-premise servers. Ryan shares his entrepreneurial journey and the importance of work-life balance in the tech industry. The conversation also provides actionable advice for business leaders, emphasizing the need for expert guidance, even if you have an in-house IT team. Tune in for an informative and entertaining discussion, complete with Ryan’s advice for his younger self that may resonate with your own financial choices.
Cybersecurity And Business Leadership: A CEO’s Guide To Protecting Their Business With Ryan Grimes
In this episode, we have a guest. His name is Ryan Grimes from the Indianapolis area. He’s got a wonderful organization. We’re going to talk a little bit about cyber risk as we do in our normal series. We have a little bit of a shift. We retitled our show. We’re excited for anyone that is joining this one. We had some issues with our other title not coming up in search.
Hopefully, this one will give us a little bit more traction. We’re excited to have you here. We’re going to get straight into our questions. First and foremost, we have an opening question here that addresses cyber risk. I want you to explain the difference to me. How would you explain the difference between cybersecurity and cyber risk?
Risk is the chance of something going badly. That’s how we talk to our clients and prospects about it. Cyber risk is when you’re doing a thing on your computer. Whether it’s opening an email, clicking on a link, or opening a document, there is a small risk that something will go bad. As you become more complicated, the world becomes more global, and we are more dependent upon technology, that risk increases significantly because bad people are trying hard to compromise you and your company.
It could be through the new intern who gets sent an email from the boss saying to buy gift cards or someone in HR getting emailed like, “I need to change my payroll bank account.” What cybersecurity does is it tries to block those things from happening to begin with but also to educate people on how to recognize when things might be a little bit sketchy or something bad could be happening before they fully engage with the subject matter. It’s like driving a car. Cars are safer now than they were several years ago but you still have to pay attention and know what’s going on around you at the same time because the car is not going to save you from driving straight into a brick wall.
It is the old-fashioned information superhighway reference that those of us who are growing gray here might know. That’s what we used to call the internet. The car analogy makes a lot of sense. Every business is on a journey on the road. For the most part, their employees are the ones that are driving. It’s a great reflection of some of these things that could happen because who knows who might crash into your business while it’s online? It might not even be a hacker. It may be a customer with their contract. For the most part, it’s hackers that we worry about. Those cyber risks are plenty but getting to the hacker side of things, what do you think is the most significant cybersecurity threat facing companies?
From what we’ve seen with prospects that have come to us and clients that we’ve helped navigate these things, the biggest risk is the human being not paying attention because you’re in a hurry. You’re like, “John sent me an email. He needs his information. I got to run and get out the door.” You’re not engaging with the technology. You take your eyes off the road and a deer runs in front of the car. That’s where the bad things happen.
We’ve had prospects come to us. They say, “We have all these security measures in place. Somebody wasn’t paying attention to what they were doing. They were in a rush.” I didn’t want to paint a bad picture but the person was not young either. They didn’t grow up in this digital world. They were of an age well before the digital world came in. They didn’t grow up with technology. They didn’t understand a lot of these things. He wasn’t paying attention. He said, “I need to reenter my password.” He walked out the door on a Friday afternoon, thinking he had taken care of something great and only bad things happened after that.
A lot of times, it’s a distraction. People are people. There are life distractions that happen. It could be a fight with the kid, the significant other, or whatever piece it is but their mind is distracted. It takes that one moment of taking your eyes off the road to watch for deer. If you’re not watching them, something can happen. It happens in the blink of an eye.
You don’t know what’s happened. It’s not like someone came in and stole the TV off your wall. It’s like, “Where’s my TV?” That stuff can be gone and you’d never even notice. The huge thing that a lot of executives don’t understand is it’s not like someone’s stealing your car or you walk out and your car is gone. No. They’ve got your bank information, PII, and any medical stuff that you have going on. It’s gone. Somebody else is going to do something bad with it but it doesn’t look like anything’s gone.
For our readers, especially if you’re an executive, PII is Personally Identifiable Information. There are some states where it is classified as a personal email address and a full name. That’s it. All of a sudden, you’ve lost it and that is cascading down on your business. That’s why a lot of your contracts are probably in that position. Nevertheless, that’s a CEO problem.
One of the most frustrating things in the technical industry, if you’re a supporting technology, is that you don’t necessarily code the software but you’re acquiring it. You don’t get to see how that’s working if something is broken. These emergencies and distractions are one of the challenges in the origins. There might be a perception that technology people can jump right in, look at the code, and fix a problem. Most of the time, they cannot. They have to depend on the maker of that software.
That causes distractions. One of the things that stands out for me the most is the origin of the distractions. Some famous scientists indicated that. They were like, “We’ve got some bad programming out there in software.” It’s the origin of the headache of a lot of IT work in my experience. It’s an executive issue. There are all these cascading cyber laws. That impacts the CEO. How do you think a CEO should prioritize cyber risk, knowing that they are being chased by regulators and lawmakers?
The first thing I’d do if I were the CEO of a company is I would go to the vendors we were buying products from, have them show me their cyber risk insurance coverage, and go through the contracts we have signed with them. If they get breached and my customer data is out there in some way, shape, or form, what can I do? What’s the recourse for their sloppiness?
As a B2B IT services company, we don’t work with everybody. Not everyone is a great fit but some people flat-out say, “We don’t even believe in cybersecurity. We’re not going to do anything to change what we’re doing.” My first response is, “What would your customers think if they knew that?” If you’re the CEO vetting products, you need to talk to their CISOs and CTOs and get documentation on what their security procedures are for when they are breached and have an incident.
That was exceptional when you said, at least it stood out for me when you have that mindset from an executive of, “It’s not that important to me.” The response was saying, “What would your customers say if they heard that? What would they think?” That’s phenomenal, Ryan. I don’t know that people consider that. That’s something that folks in technology can learn from in terms of how to talk to executives and leaders. That’s always a challenge, especially when it comes to the cybersecurity laws that are looming and cascading down to all businesses. What I’ve learned is that there’s got to be a bean counter or somebody with an abacus. What is that role, John? Who’s that financial person in every company?
The CFO.
They have a tough job. They’re as analytical as your typical IT worker or leader. In my experience, they’re going to think analytically but anything with a blinking light may not be their sweet spot. How do you think the CFO should handle cybersecurity and cyber risk-related budgeting?
That’s always a fun discussion because we can cite facts, figures, studies, and recommendations. At the end of the day, it can all be thwarted with a “no” or “we’re good.” I don’t have access to it but there’s a Gartner study out there that says, “Mature companies should spend between 5% and 8% of their annual revenue on technology.” What does that look like for a company? That includes SaaS products, hardware, network infrastructure, and everything they need to do the technology in their company.
We start with that number. We talk to them about their revenue because our risk is dependent upon how badly they do things. We need to mitigate and minimize risk. The risk profile of a $5 million company is vastly different than that of a $20 million company. Their fee structure and the technology stack we use to protect them should accommodate that.
What we do is break it down for them into things they can understand. I said, “If you were down for a week, here’s what your cost would be based on the average payroll for an employee in the United States of America multiplied by the number of employees.” Add to that the fact that they can’t take orders, process orders, or deliver orders, and their reputation after the fact.
We run the numbers with them in the room. They come up with whatever number. It could be $50,000 or $100,000 of lost revenue. I said, “Let’s start with that in terms of what you should be paying and continue the conversation from there because those are the real things that happen.” In 2023, you get companies that don’t understand that they have to do these things. They will be like, “No, we’ll be good.” They won’t be. Eventually, something bad will happen. If they don’t want it to happen to them, we need to have serious conversations.
Most CFOs get it by the time I’m like, “Here’s what a week of downtime looks like. Is this okay for you to have?” They’re like, “No, that’s a month’s worth of payroll.” I was like, “Let’s take care of that.” The ones who understand the business and numbers get it. The ones that are like, “We’ll take our chances,” we’ll close if that happens. It’s no big deal.
Some people do have that mindset. It depends on the business and what you’re doing but every business that is growing is a successful business. It’s not my words but you hear it over and over again from business leaders throughout the years. “If you’re not growing, you’re dying.” That has a lot to do with emerging trends that help a business go faster or somehow improve things to be more competitive. What emerging trends do you believe in the area of tech that will have a profound impact on cybersecurity in the near future?
One of the things we’re seeing is the globalization of even small businesses. For instance, your company can be based in the United States but you have employees in the Philippines, Asia, South America, or Europe. How do you control what they can and cannot do? It’s not just they’re not in the office and working from home but they’re working six time zones away from your main office. How do you control the experiences with that?
That’s been driving hard in small business in the last few years because it’s hard to find good talent here in the United States for everything we need to do. It’s impossible. We have outside resources we pull in because we need human beings to work off hours. We need that level of resources for our clients. We recognize and control that. What businesses need to do is understand that the globalization of the small business is legit and it will impact how they have to secure their technology.
I imagine that as businesses evolve, especially small businesses, and become global, that may inevitably mean more cyber disasters. In the context of an exercise, we call it a pre-mortem. A lot of CEO peer groups talk about doing something like this. You’re having a cyber disaster and you’re on that journey. The hacker succeeded and they stole sensitive data. What does that journey look like in the CEO’s head or even the executive team? What do you think that journey might be like if you had to take it from like, “They’re in and we think they’ve taken things?”
We’ve been on that journey with an ex-client who became a client. It was a small law firm. They decided that they were intelligent individuals. They went to law school. They can do their IT after we quote them some services. They’re like, “No, we got this. We’re good.” They had an incident. It was devastating to them. Not only did it happen but they didn’t even know it happened for almost a month afterward. They were very patient.
It’s not like someone’s going to smash into your front door, grab your TV, run out the door, and things happen immediately after the incident. What happens is that they’re patient. They’re waiting for data, collecting your inbox, and sitting there waiting for clues as to how to maximize what they can take from you. It was a simple thing where internal communication was one lawyer sending him an invoice saying, “Can you have so-and-so pay this?” She’s preauthorized up to $50,000 via ACH.
They waited a couple of days, replicated the email, changed the billing information on the same invoice, sent it over, and said, “We got another one. We need to pay this one.” They paid it and nobody knew until a month later when their accounts went, “What’s this invoice for? I’ve never seen a $49,000 invoice twice in a row.” They’re like, “What happened?” All of a sudden, everyone had their you-know-what moment.
They started backtracing what happened. They finally figured out that one of the lead attorneys got the email saying, “It’s time to change your password. If you want to keep your same password, click here.” That’s all it took. There was no multifactor authentication or verbal confirmation in-house like, “George, you sent me this invoice for $49,000. Is this real?” It is just a phone call. That would’ve saved them $50,000.
The CEOs should be planning if something bad is going to happen. There’s no way to get around it. Something dumb is going to happen. Someone is going to do something stupid. You have to minimize the possibility for it to happen. Have simple things like internal checks to verify amounts for invoices over $1,000 or make sure you’re consulting with security experts on how to keep up-to-date on these things and outsource it if you have to.
I understand that we work with some companies. We’re not Level 1 or Level 2 IT guys. We’re the people who are making sure those people aren’t making mistakes and we’re overseeing their cloud infrastructure to make sure that things are being respectfully treated and not just like, “We’re sharing this entire Box Drive out, Google Drive, or Microsoft SharePoint folder.” Have separate eyes on it that are experts in their fields. That will stop it from happening in the first place.
One of the reasons for cloud adoption and slower cloud adoption over the years is that they like to see that data, not just the data but the spinning drives to know that’s where my data is. I always thought that was the slow roll of being able to get off Exchange servers and have those SaaS providers take over some of those things. Is that still an issue you’re seeing out there with the CEO, especially the older CEOs, saying, “I want to see and touch it. I want to know if the data is there,” even though the entire data could be stolen from underneath them and they would never know?
We’ve had CEOs and presidents tell us, “If it’s not out there in the cloud, it can’t get hacked.” That’s why they have it in-house. I’m like, “No, but okay.” There are certain protections in place when you have things on-premises. Unplugging the server and running out the front door with it is not going to happen and you’re not sharing anything on-site.
How technologically efficient is your company? How are you sharing things back and forth between your vendors and clients? They were like, “We’re attaching 120 MB files on emails and letting it rip.” I’m like, “That doesn’t make any sense.” There’s a fine line. It is with a lot of older presidents and CEOs that we’ve seen that are like, “We’ve always done it this way.” If you’re sitting here at your desk using your computer, your phone and computer only work here, and once you leave, you can’t access anything, that’s certainly one way to do it.
It’s the old cash-under-the-mattress philosophy.
How do you hire young talent?
It is a difficult challenge. We’re talking about late adopters and traditional brick-and-mortar businesses. I remember once upon a time, there was an executive who we were talking about their data. They should back it up and move it out. This is years ago. The new CEO, who picked up his pencil, was like, “Here’s my backup and disaster recovery plan. We’ll write it down. That’s how we used to do it.”
It was feasible for them at the time in that particular industry. They’ll remain unnamed because there are considerations. There are some businesses that are using compute to some degree administratively. They don’t realize how serious their issue is until they realize the thousands of employees they may employ, even though none of them may be touching tech, which is unlikely these days. That’s still sensitive data, especially HR workers’ comp. All that information collected when somebody gets injured is personal.
The challenge with on-premise, as we would say in the tech industry, is it’s not as common in what I’ve seen but it still happens. Ryan, we’ve learned a ton from you in some of the questions we’ve asked but we would like to learn a little bit about you. Can you tell us about your journey, who you are, and how you got here? Tell us a little bit about your company.
Like most business owners, it’s been a wild and crazy ride. We started in 2004 when I got the idea. I was working at Apple in one of their retail stores back then. I was like, “This is fun and great. We’re doing cool things.” Apple came out with the iPod Mini, which was the little colored version. Overnight, everything went haywire. We sold every single one we could find. I said, “This is not fun because it’s boring. We’re just selling widgets.” Widgets are great. My 401(k) loves Apple but working there was a challenge and retail was a challenge. I decided, “Let’s move to a different state and start a company.”
Back in 2004, you and your spouse want a mortgage. They’re like, “Do either of you have a job?” We’re like, “No.” They are like, “Here’s a couple of hundred thousand dollars for a house.” We moved to Indiana from the Chicago area and started our company. I’ve got three kids, two cats, two dogs, and a wonderful spouse who puts up with me on a daily basis and understands small business ownership. She’s like, “You’re going to miss dinner tonight because you got to go do something. Fair enough.”
We also have the ability to prioritize family and take vacations together. We go do stuff because burnout is real. Our industry is brutal. Owning a business in this industry is exponentially harder than everything else in the known universe because we’ve all had those phone calls on Friday night from someone who is like, “I can’t find anything. I’m locked out of my email. Someone is asking for Bitcoin.” Your weekend goes down from there.
Luckily, our business is all contract-based. We protect everybody and everything that’s not negotiable. Knock on wood, those incidents are few and far between. Mainly, we deal with people forgetting to tell us that somebody quit. They still have access to their email a month later and they’re still paying us for it. In my spare time, I am probably gardening because that’s my non-technology hobby.
I’m an avid pepper aficionado. I grow 50 pepper plants ranging from the cute little snacking peppers that are all different colors to this, “It makes the air burn by being in the room. Please make it stop,” pepper. I make our seasonings. We made our hot sauce and salsas. That’s what I do when I’m not doing this. Our fall is very busy because that’s when everything comes into play. We can harvest and produce stuff. My house appears. We have the windows open. Sometimes, it smells like tear gas in there.
I had a friend who was growing peppers. The dual-pane windows reflect the sun and his peppers were somewhere near that. What would happen is the sun would hit them and reflect down to the peppers. He ended up with these small black peppers that were fire. They had soaked up so much sun that it was like eating the sun. There’s something for you if you ever need that extra heat on those. Put them within the reflection range.
I have this vision of what your garden looks like. You probably have some onions and cilantro growing. It’s going to be a pico de gallo feast.
That’s a great thing. My neighbor grows all that stuff. I only grow peppers. I’m great at peppers. I know how to make them grow great. He’s great at tomatoes, onions, and cilantro. We trade back and forth. I’m like, “I’m going to grab some tomatoes.” He’s like, “Go nuts. Do you have any jalapenos?” I was like, “Yes, here you go.” The great thing about salsa is you don’t know how hot it’s going to be until after it cools down. You’ve already made it and you’re stuck with it. You’re like, “Please, God. Don’t melt my face.”
I imagine there are some hot items growing in your backyard. You have to deal with the pets when you’re harvesting. I imagine that’s a bit of a challenge. I’ve started growing my jalapenos. We’ll see how it goes. We like to end our episode with an action item. As a leader and executive, what’s the one piece of advice or tip that you might give them to reduce cyber risk, whether it be regulatory-related or in the trenches of cybersecurity warfare? What would you recommend?
The first thing I’d recommend is, even if you have in-house IT, consult an expert on this. Even people like us don’t want to take the jobs away from your IT guys. That’s not our goal. Our goal is to educate. If you have questions about whether something needs to get done or not and your guys are saying, “No, we got this covered,” always get a second opinion because we’re human beings and human beings suck.
Sometimes, we’re wrong about things. Get a second or a third opinion. Sit down with your team and say, “Here’s what we’re finding and adhere to. Are we doing this, yes or no? If they’re not, figure out a path forward.” There are a lot of bad IT people out there, in-house or outsourced. Get a second or third opinion on things and make sure that you are doing the appropriate compliance-related restrictions, monitoring, and security for your technology, industry, and business.
That’s some great advice for the readers. We tend to talk a little bit technical from time to time in this show. Listen to what Ryan is saying. I don’t think it was too technical what he said. Get a second opinion. We did cover a couple of technical items. We talked about PII, Personally Identifiable Information. The other one is something called MFA or Multi-Factor Authentication. We understand that most of you were like, “What does that mean?”
For those of you who are new as a leader, if you bank online, which most people do, we’re going to assume that you log into your bank and they send you a text message that you have to enter a code. That’s what multi-factor authentication is to those of you who weren’t sure when that was said. We want to see more of that happening. You should be doing that within your business because that adds that additional layer to make it more difficult for people to take over your business and bring it down or abscond with all of your sensitive data. With these new regulations out there, you have to be careful.
That was a great recommendation, Ryan, the second opinion. We appreciate you taking your time to navigate cyber risk. We are excited about when this episode gets released. Thank you so much for your time. If you’d like to learn more about Ryan, we are going to have some references and things in this episode. You can reach him at his LinkedIn account or his company website, MyITIndy.com. We have to ask you. I would like to close with one more question. It is more of a personal question that everyone needs to consider in their lives. If you could go back in time and give your younger self advice, what would you tell yourself? What would that be?
Back when I was in early high school, I worked during the summer. I had earned $1,500. My parents came to me and said, “Ryan, you have a choice. We can give you this money in cash or you can invest it.” I did what every 13- or 14-year-old did back then. I bought a Nintendo. The other option at that time was buying Apple stock.
Back in the late ‘80s and early ‘90s, I could have probably bought my house with what that stock would’ve been worth. What I’d have to tell my younger self is don’t buy dumb things and invest your money because as I get older, having money to do vacations and stuff is a lot more important than having that Nintendo back when you’re a teenager and you don’t know anything.
That Nintendo was a good purchase because I spent hours in front of mine.
It was great at the time but they die and they don’t work anymore. You’re like, “I wish I’d had that $1,500 back.” Apple stock was $8 or $9 a share back then, 14 splits ago. It would’ve been scary.
Ryan, thank you again so much. For those that are reading, if you did learn something or you laughed or smiled, please tell somebody about our show. We are covering topics that are generally technical but we’re trying to make sure that they are non-technical as much as possible. Thanks to the audience. It’s been a fantastic episode. Thank you so much, everybody. Ryan, we do hope that your peppers and salsa turn out wonderful.
I’ll send you guys pictures.
We have a friend up in Indiana. We might come by.
Come on by because the FDA does not allow me to send it out of state.
Thank you, Ryan.
Important Links
- My IT Indy
- LinkedIn – Ryan Grimes
About Ryan Grimes
I started in technology back in the early ’80s when I got an Apple II with 64K of memory. No hard drive. No user interface. No operating system. If I wanted to play a game on the computer, I had to write it myself. I spent the next decade taking apart computers, rebuilding them, and learning all about them.