Bert Martinez: Today on the show, Sandra Estok, she is the founder of Way to Protect, author of the international bestseller, award-winning series Happily Ever Cyber.
Today, we’re gonna be talking about ransomware. You guys probably seen what’s happening in Las Vegas. I wanted to bring her in. She is a keynote speaker. She’s a corporate trainer. She’s been in the cybersecurity data world for, like, 20 years. So I’m excited to have her on here so we can talk about ransomware, how it affects your business.
Sandra Estok: Thank you so much, Bert. I’m so excited to be part of your show and to share what’s happening in the world, definitely ransomware because we have seen it in the news all over, and share a moment where we can be more connected with our technology. So let’s do this.
Bert Martinez: Let’s do it. Alright. So what’s interesting about what’s happening there in Las Vegas is that I believe Caesars paid, like, 15 million dollars, MGM has paid nothing. From the information that I’ve seen, they have gotten the FBI involved, but their website is down for 90 hours. It’s been down for several days. Give me your thoughts on this. Did Caesars do the right thing by paying? Is MGM doing the right thing by not paying? What’s your take on this?
Sandra Estok: You know, it’s a hard call, and at the end, it’s a business decision. Now if you think about what the FBI recommends, don’t pay the ransom. And don’t pay the ransom because the more we pay the ransom, the more it becomes a business or it continues to be a business.
And it’s one of the most profitable businesses today, you know, the legal side of cybersecurity, cybercrime, and, not paying that ransom. Obviously, we can see the consequences of, you know, the chaos. And more about, you know, whether you pay or not, what I will say is, are you prepared for that because sometimes we don’t think it can happen to us. And this cyberattack shows us that anyone is vulnerable. I mean, a corporation that has a revenue of billions of dollars and they have a gigantic budget.
They probably have different teams and a lot of people that are working on their IT and cybersecurity, and still we get to see this happening. And I think this is a wake-up call for many, whether you are a business, whether you are an individual, or you are a corporation that you know, the threat is real.
Bert Martinez: Absolutely. And what’s interesting about this, is that there are probably some very sophisticated hackers who are going for the big money.
But you and I have talked about this in the past where, you know, small businesses, for a lot of these hackers, are what do they call it? The daily bread, the daily meal because they can hit a bunch of smaller businesses and hold them up for a thousand, five thousand, ten thousand dollars as opposed to, to your point, you going after MGM and Caesars, they do have a team in place. So this isn’t something that somebody just did overnight. This is something that had to be planned.
They were constantly attacking the network trying to find that weakness, but you go to a small business and they have barely any cybersecurity. We hear about a business that was hacked because somebody came in through the thermostat.
It was a digital thermostat that was online. What do they call it? The Internet of things. Crawled through there, shut down that business, and held it for ransom, I think, for only, like, again, five or ten thousand dollars.
So this is just an extreme example, and I think the challenge is, and I want your thoughts on this, is that a lot of small businesses and when I say small business, yes, mom and pop, but also like a hundred person business that’s doing thousands of dollars, they’re thinking, this has nothing to do with me. This will never happen to me because I’m so small or because I have security because of whatever’s in their mind. But that’s not true. That’s a myth. Right?
Sandra Estok: Absolutely. You’re so right. And I love that you bring that because we don’t think that we can be a target until it happens to us. And what I want is you’re not to be there, you know, whether you are a business or you’re an individual. You know, most of the cyberattacks, and you just said it, 43% of the cyberattacks happen to small businesses. I mean, that’s thinking about the big scheme of and this is based on the latest report from Verizon. And if you think about 43% of the cyberattacks, the small businesses, I’m including in there, you know, financial institutions, health care, government, and all the different industries. And still small businesses are that big of a target for the reasons you just mentioned.
And whether it’s we don’t believe it can happen or we don’t have the resources, the challenge is that if you’re not prepared and it happens to you within 6 months, the study that has been done is that most of the businesses will be closed because they don’t have the capacity. Right now, how much do you think MGM is losing every single day without access to their systems, without access to, you know, to their normal. And it’s not just the MGM. It’s the series of hotels that they own. And it’s over eight million dollars a day.
Like, a small business doesn’t have the capacity to lose that much money, and it won’t be a thousand a day, but whatever is that your revenue is and what is the possibility of you recovering from that attack. Because we’ve seen it. It’s been days, and it’s still you know, there are some portions of their system that might be working.
That’s what we see on the news, but we don’t know. I mean, I have been in IT and cybersecurity, and I know how, you know, how intensive the work is, and it won’t end when those systems are restored, because when you have people that have already infiltrated your network, you have to be sure that they are out. It’s guaranteed that they are not gonna attack you in a few months.
Bert Martinez: Right. Well, and it almost reminds you or gives you that same feeling of dread, like, when you come home and you realize somebody’s been in the house. And they’ve stolen some things. And even though now you’re gonna change the locks, you’re gonna put up security, there is still that uneasiness. Of course. At least with your house, there are some physicalities to it.
You can see, okay, I’m putting up cameras. I got better locks. I’m gonna do some things. But in cybersecurity, somebody can plant a virus or a bug or a code, and it can sit there dormant for months, for years, until they come back and say, hey. I want to go back in or something. Right?
Sandra Estok: Absolutely. And that is the biggest challenge because when you have something undetected in your network, it’s like, you know, sleeping with the enemy. It’s like, you don’t know it’s there, but it’s there watching your every move. I mean, imagine that, having that, you know, your space, your personal space, your bets, and that. Something is in there, and something is watching you. Something is tracking your behavior, is looking, you know, what is that you care about? What do you do every day? And where and how can I do the biggest damage? And I think that’s when, you know, it’s so important not only to have technical solutions. But in this case, for both Caesars and the MGM, the way that the attack happened uses social engineering, and it’s being talked about the human factor.
And I wanna touch on that, Bert, because it’s so important. We don’t think it can happen to us until it happens, and we don’t think that we can be that, you know, that reason that a corporation can be in the state that this company is.
Bert Martinez: Yes. Absolutely. Well, you know, I wanna talk about that, and I wanna bring up something that you’ve coined. This is, I think your contribution to the American lexicon or maybe the global lexicon, and that’s cyber monsters because there’s all types of cyber monsters. You know, a lot of people, you know, we hear a lot about, child trafficking or predators, cyber monsters out there that are targeting children. And, yes, there’s a lot being done for that, but there’s also people who target identities. People, like, who are targeting this ransomware stuff, who make their living that way, there are a lot of cyber monsters out there, and things are moving so fast they can’t keep up with a lot of these.
So give me your thoughts on this. How can we start? Let’s say for a small business of 2 to maybe 50 people, how do they prepare? What should they be doing now to prepare themselves against some of these cyber monsters?
Sandra Estok: Absolutely. I thank you. Because that is exactly taking the proactive approach, thinking like you just said, okay. It happened to this company. What if it happens to me? Am I ready? And asking yourself that question. Because when you ask like, if you ask yourself that question and you really sit on the question. You will realize, you know, have you, you know, how’s you or your organization managing passwords? Who has access to the most important data in your company? Do you know, for employees like, if you have a small business, but you have employees or you have third parties or you have vendors or you have contractors, you know, how do you deactivate them when they no longer work with you, or do they remain active? Like, there are a series of questions that you can ask yourself.
And, honestly, answer that and realize, you know, why am I prioritizing cybersecurity? Is it really being in my strategy is really being part of how I care for my customer data, how I care for my finances. Because at the end of the day, you know, if you don’t protect that money, it can go away easily in a hack. So putting cybersecurity and, like, it you could do a re assessment. You could do you know, there are tons of resources available, you know, whether it’s in the SBA. Like, if you’re a small business, there are a ton of resources that you can find. I start working with, you know, that in mind. Now there is a topic, Bert, that before you know, what technology, what things that we implement.
What I will say is do ask this question. Do you really know and care enough to protect all your assets? And I know the answer. Of course, I wanna protect my assets, I wanna protect. But I wanna ask you this question. Let’s think about the phone.
You’re a small business. How are you using your phone? Are you transacting with that phone? Are you having customer data on that phone? Are you saving your you know, you have your bank account, you have all the information that says your company CRM or your company information through that phone. If any of those answers is a yes.
Then my next question is, how are you protecting it? You know, how strong is your password? How frequently do you update that phone? How frequently the people you work with take care of protecting the information. You know, how often do you train yourself and train others about the basics of cybersecurity, and how often do you really incorporate those practices. So as a small business, that’s where I would start.
You know, asking myself that question and being honest about where I am. And it’s not about guilt or blame or nothing. It’s more about just realizing where you are and taking an action towards making it safer for you, for your company, for your employees, for your customers.
Bert Martinez: Right? Well, I love that. It’s a very simple starting point. It’s becoming aware. It’s the same question you ask if you’re trying to become better at customer service, how can we improve our customer service? Where are we good at? Where are we weak at? And the same thing with cybersecurity. How are we managing our passwords? You know, who has access? Do you know, do we have different levels of accessibility because, again, in some small businesses, I have a client that’s a dealership, and it’s a fairly large dealership. They have, I wanna say, something like 100 different dealerships under their umbrella. And it just so happens, this conversation we were talking about, accessibility, and it comes to find out that most of his employees have access to 80% of his data.
And we weren’t even talking about cybersecurity. We were talking about marketing and some of the things that you have to be aware of and, again, back to customer data. You had to secure that. And so I was shocked. This is a large business. It does over a billion dollars in sales. Like I said, they have over a hundred dealerships, and their security was lax, immensely lax for somebody that big who’s dealing with not only just credit cards, but bank info, large amounts of money, wire transfers coming in and out.
But that’s just the normal thing. I think, to your point, most of us don’t think about cybersecurity. Most of us just think, okay. I have a password. I have a secured network, whatever that means. And that’s it. What more do I need to do? Oh, oh, I back everything up every day. That’s the other thing. Because a lot of people don’t even do that. So I have a password. I have a secure network. I back up my data files. I’m good to go.
But that’s the thing that’s the same thing that MGM and Caesars are saying.
Sandra Estok: And exactly. And in that case, I mean, going back to that, you know, to that specific type of attack. If you think about how easy it is for someone, a cyber monster, to go to LinkedIn, to go to any social media, to find out who your employees are. You have to go to your website and find out who are your customers, go and find out who you do business with. And now go to find more information about your company. In this case, you know, they call to help us and say, hey. I need to reset my password. And, you know, social engineering is such an incredible skill set.
I mean, these people are deceivers by nature. So they, you know, they are trained for you know, to trigger, to, like, push the buttons. You remember that? Red button, you know, pushing my button. That’s what they do, and they are gonna play the motions, and they’re gonna play the victim. They are gonna rush you. They are gonna, you know, they are gonna do all these different things for you to take an action. Whether it’s you as a person, whether it’s you as your own business, whether it’s you as your employees or your businesses.
If we are not prepared to handle that, if we’re not aware, and I love you use that word, awareness. It’s everything. And I use, you know, awareness and the power of being mindful, you know, being present. Because being present means I’m gonna ask questions when something weird comes my way. When that phone call that I have no idea comes, I’m gonna question it, or I’m gonna be like, I mean, you feel it, like, in your gut. Right? You know, we have an instinct. We have what I call the inner cyber. Sometimes we’re so busy, we don’t tap on it. We get distracted.
Bert Martinez: And you’re absolutely right. You get that weird tingling like something’s off. And the easiest example to me is you don’t have to be a psychologist or a psychiatrist. You know when you’re talking to somebody and there’s something off with this person, you’re getting a weird feeling. I wanna say 100% of the time, you’re right.
It’s you know, it’s the old saying, it’s too good to be true, something was telling me that this person was weird or odd and came to find out, yeah, you were 100% correct. The same thing. You get a weird email and you brush it off, but you’re getting that feeling, you need to dig a little bit deeper. If you’re getting that feeling, like you said, that it’s your inner cyber going up warning. Warning. Warning. Warning. You gotta start digging in.
Sandra Estok: Absolutely. I mean, think about this. If you are walking on a street, like, and I was the other day, I was walking and, you know, when you have this like, something like I’m not even seeing it, but I can feel like I’m not in the right place walking. Like, this isn’t and it was me. I was new in a new city, and I went out of my hotel. I wanted to find a restaurant, but there was something my body was like, woo hoo. And I could feel it. And I found the restaurant. I went in. And talking to them, they were like, oh, yeah. There are, you know, there have been, you know, a series of events and people have been mugged and a lot of crime around this neighborhood. Be careful. Just take an Uber. And I was like, oh my god. My sensors were so right. Like, I was sensing that something is not right.
And I took the action immediately to, you know, go and find a place where I could feel safer and then, you know, find a way to get home or to get back to the hotel. But how many times are we online? And we don’t see any of the signs. You know, we’re just like, oh, you know, browsing, and we see this pop and this other pop and the other and the window and this. And we’re like, nothing. We don’t feel it. But it’s not true. We feel it. We just don’t pay attention to that feeling but I promise it was there.
Bert Martinez: Absolutely. And I tell people this all the time. How you feel is more important than what you know. So you look around. You physically think everything’s fine. I see everything’s okay, but I’m feeling weird. There’s something off. I’m getting this weird feeling.
You need to act on it. You know, many, many years ago, and I remember this because nothing bad happened. But many, many years ago, I’m invited, by a client of mine, to have this year end party in Lake Powell, and he’s renting a bunch of boats and all this other stuff. He’s gonna fly me down there, so we can celebrate a very successful year. And I prayed about it and I got this weird feeling that I shouldn’t go. And so, you know, it kept coming back, and so I decided I’m not gonna go, and nothing bad happened. There wasn’t a boat accident.
There wasn’t anybody hurt. Nothing bad happened where I could point and say, oh, I was I got you know, what a great confirmation. I, you know, I avoided this terrible thing. No. But I believe that if I would have gone, something would have happened to me. I was the one not supposed to go. Maybe, you know, something terrible woulda happened to me. Who knows?
I would have been in I don’t know, but just go with your feelings because how we feel is so it’s so more important than what we know.
And, again, for those who care to believe or not believe, we are spiritual beings having a human experience, an earthly experience, and a lot of spirituality is about feelings. And again, you don’t have to be a psychologist or a psychiatrist. You can pick up when somebody’s lying. Even with our kids, we know maybe by their body language or by the way they’re acting, something’s weird, something’s off. It doesn’t change when you get into adulthood.
Let me ask you this. Look. Because I wanna move this a little bit further, but okay. So, because your approach to cybersecurity is a little bit different. So when you are meeting with a client and you’re setting them up, how do you start the program? How do you help somebody? Where do you start? Kinda walk me through your basic checklist so maybe some of our listeners can start working on their own cybersecurity.
Sandra Estok: But, you know, it’s identity. I always talk about how you need to identify what matters to you. Like, if we try to protect everything, if we try to protect and boil the ocean, we get overwhelmed. And when you get overwhelmed, there are 2 things that happen.
Number 1, stress paralyzes you, and then nothing gets done.
And number 2, is that without the action, without, you lose interest. And so what you wanna do is you wanna build yourself into a cyber mindful mindset. And that’s what I do with my clients. I think, you know, we all wanna have Put an antivirus, Sandra. Put up the firewall. Put this. And I’m just like, yeah. Technology can help you.
But if that was the solution, we wouldn’t have any news like we just had. You know? That’s not the only thing I mean, I believe in cybersecurity. But it isn’t the only solution. So what I will always say is, okay. What are we trying to achieve? What does that really matter to you? Tell me those 5 things that are really, really important. And then, again, ask the question, how am I? How am I doing with all those 5 things? It’s not different, with an example. Like, if you want to lose weight, if you want to release weight, or if you want to get fit, like, I don’t wanna say I wanna lose it because I don’t wanna find the weight again.
But if you wanna release that weight, right, what do you eat? Like, why does it matter to you? Like, okay. What’s important? I have a wedding, and I wanna go to the wedding, and I wanna fit in the dress. It’s important to me because, you know, whatever reason. Now you have a reason. You know exactly why you’re doing what you’re doing. So when you get that cookie, when you get that cake, when you get that ice cream, you think about that dress and you think about that event. You think about what really matters to you, and you can choose whether to eat that cookie or not. It is not different in cybersecurity.
So once you say, okay. What is most important to me, Sandra, is my customer’s data. It’s the most important thing as a business. It’s my you know, it keeps me going. It’s the most important information. Then I will say, okay. If that is the case, what are you doing to protect that customer data? And the next time that you use your computer and you get an email that is weird and that is asking you to click, that is asking you to open this attachment and you don’t know it. Ask yourself, if I open this, am I in alignment with protecting my customer data? Because I have all the information of my customer here, depending on how big your business is, I’m talking about very small businesses too, maybe a large corporation.
So thinking about why, you know, what matters to you, what are you doing to protect what matters to you, and what actions are you taking that align with that that you care about.
Bert Martinez: I like that. Yeah. It’s very simple. What’s the most important thing to you? What are you doing to protect it? And, you know, I imagine, is it gonna be enough? Because of your point about technology. I mean, look. Everybody has antivirus on their computer, but viruses still get through? I mean, you know, technology helps. Maybe it helps 80% of the time, it’s that 20% that you have to worry about. And, again, what a simple question.
What are the top things that matter to us? Well, it could be our financial security, our customer security, our employee data. Those are the big 3. Okay. What are we doing? What, you know, who’s got access? Who do we limit it to? How often do we back it up? All that stuff comes into play. And I love this idea of not looking at the ocean. Right? Don’t look at the 100 things that you should be, you know, that you might have to lock down. What are the top 2, 3, 5, 10 things? And let’s get those priorities, then we could worry about all the other stuff that we wanna worry about.
Sandra Estok: Absolutely. Like, if you take 1 action a day like, I love this phrase. I totally love it. You know, an apple a day can keep the doctor away. You heard that before. Right? So my phrase, my coin faith phrase is an action a day can keep the cyber monsters away.
And so what action? So, like, 1 password. Like, I’m not even asking you. Change all the passwords. So change 1 password. Think about your password as what separates a cyber monster from your bank account. And is that the best password you can have? Is that password unique? Is that password used somewhere else? Because if you use it somewhere else and what else, you know, that else gets in a data breach, and we can talk about it especially right now with MGM because I was in Las Vegas 2 weeks ago. I’m like, what am I gonna do now that I know data is being out? Maybe about my credit card, maybe about my information, maybe my driver license.
Like, how do I, you know, how do I prevent it from taking action? So you could do that. And you could say, okay. Yes. This is the best password I can do. I’m gonna change this password. I’m gonna incorporate 2-factor authentication, or I’m gonna, you know, I’m gonna do a few extra things, and I’m gonna make a password that really works for me. And maybe I will use a password manager if that’s, you know, an action that I choose to take. But the thing is pick 1.
And then the next day, pick another one and another one. If you do one thing a day, at the end of the year, you do 365 things. That will put you in a much better place from a cybersecurity standpoint.
Bert Martinez: And what I like about that is it’s not super difficult stuff. So you brought up password managers. Are you a big believer in password managers?
Sandra Estok: Not in all password managers, but in the technology, definitely. Because, you know, it’s like if I need to have brain surgery, would I go to a brain surgeon, or do I go to, you know, trust that maybe, you know, someone that learns or I Google how to do brain surgery myself? Like, no. Like, you will trust, like, I mean, I trust a company, and you have to be truthful for your passwords.
But they are only dedicated to that information. And, yes, they have been breached to password managers. I heard that all the time. But the likelihood of a cybersecurity password manager company to get hacked and expose my information is so much lower than me having my passwords, repeating my passwords, putting my passwords in a piece of paper or in a note you know, note and sticking it into Inodes or iCloud and thinking that nobody can access that or creating a password list in Excel or anything thinking I will protect this better. I put in password protection, and the password protection is 123 because I don’t wanna forget that it’s another password.
So you know, we do this thing. I haven’t done all of those. I mean, I’m not criticizing anyone because I try those myself. Right. And at the end of the day, what a password manager does is 2 things. 1, it allows me to manage, to see my whole universe of passwords. And on average, you know, most people have about 100 passwords. I mean, nobody can remember 100 passwords.
You know, if each password is supposed to be different, you will have to remember 100 passwords. Totally impossible. Right. So that’s one thing that a password manager is good for. And the second thing is when things happen and when a cyberattack happens. So like this right now in Vegas. I can go, and I know exactly what password I need to change. I know where they are, and I can implement it so much faster than if I have to find my papers and I can remember this account and, you know, it becomes very overwhelming.
So it’s all about simplicity, and it’s all about finding ways for you to be more productive with managing your digital life. And when you do that, you reduce the stress and you enjoy the use of technology and taking care of it.
Bert Martinez: I love that. I love that. I have been putting off getting a password protector, but or, yeah, password protector, but I guess it’s time to get one. Because interestingly enough, you know, every now and then, I will get a message from Google where your password to a specific email is on the dark web.
And let me tell you, that’s a pretty spooky, weird message to get, number 1. And number 2, I, you know, again, talking with my group, we have a mastermind that we meet a few times a year, and I brought this up.
And everybody says, oh, yeah. I get those too. And I said, how many of us here have changed because of that message? Raise your hand. Nobody raised their hand, including me. And it’s like then something like MGM and Caesars happens and you go, well, I better do something because it’s gonna happen. We’re gonna get hacked. You know, it’s just like, sooner or later, your computer’s gonna crash. It’s not if, but it’s when. Sooner or later, somebody’s gonna try to attack you. It’s not if, but it’s when.
And the bigger you are, bigger your brand name, the bigger celebrity you are, the bigger you are, the bigger whatever you are, the more attention you bring. And with today’s cyber world with everybody saying, you know, I’m on social media. Look at me. Look at me. You know, if you’re a big enough fish, yeah, they’re gonna look at you. And if all of a sudden you have, let’s say a hundred subscribers or maybe five hundred or a million subscribers on your Instagram or your Facebook or whatever, your TikTok, and somebody grabs that information, they could do a lot of damage in a short amount of time.
Sandra Estok: Absolutely. Absolutely. And, you know, there is also, you know, social responsibility. Like, you have 100,000 people. 1000000 people. Like, some of them could get hacked as a result of you being hacked. So even from that perspective, it’s your responsibility to secure your information so others don’t get hacked. I know many cases where, you know, you get a lot of bots or a lot of fake accounts.
And sometimes people say, Yeah. I get all of them. I reply to the bots, like, to the fake comments, and I engage with them. But, sometimes when we do that, it becomes more dangerous for the real people that you have in your accounts, for the real people that are following you. So it’s a disservice sometimes not to take care. It’s like, you know, I don’t like flies, you know, flies. And every time there is a fly in my home, my husband has to go and take it out. And it’s like a 911.
When I say 911, there is a fly, and he has to, like, immediately take care of it. Because I had a trauma as a kid. But so I will take that fly out of my home because I don’t wanna be touching my food. I don’t wanna be in my water. I don’t wanna be, like, in, like but it’s easy to take 1 fly out. Like, if I don’t care of the don’t care, then another one comes and another one comes and another and another and another. Like, I mean, imagine a house full of flies. Like, who would want to be like that.
Right. So it’s the same for your social media. Like, if you get some weird random message. Block that. And then, like, once a week or once a month, just go and audit your social media accounts and kick out the things that you don’t know are real. Like, you’ll get messages of people trying, you know, to offer your audience to click on things. Like, when you see those, block them. Report them.
Because that’s the way. Like, you have to take those flies out of your accounts, like, you know, that it’s our responsibility, especially if you have a social presence.
Bert Martinez: Yeah. You know what? I’ve not even thought about that, but that’s such a valid point that your lack of security could affect your friends, your families, your customers, and it doesn’t even have to be that they breached your business, they could just reach your personal, social media accounts. They could have reached your email and all of a sudden, you know, it’s gonna cause all sorts of problems. Sandra, we’re almost out of time, but I wanted to have you leave us with 1 or 2 words of advice for somebody to take action today. What would be the one piece of advice or the 2 pieces of advice that you would give somebody listening today.
Sandra Estok: 2 words of and I will say 3 words of advice if that’s okay. And it’s intentional. With how you use and when you use technology, be aware of what’s going on around you whether you are online or offline.
And lastly, be mindful when you make a decision, when you answer the phone call, when you click on that link or decide not to click on that link. So be mindful. So I call this the BIM. Be intentional, be aware, be mindful.
And put a stick in your computer on your credit card, BIM, and just remember, intentional, aware, and mindful can make a huge difference for you not to be that next victim.