Link To Guest Website: OCD Tech
Title: “Why Business Owners Need To Take IT Security More Seriously”
Guest: Michael Hammond – OCD Tech
Interviewer: Jeffrey Davis – MAGE LLC
Well, hello everyone. And welcome back to Radio Entrepreneurs. We constantly stream our stories on the web, across all our channels. And we have had over a million people connect with all of our stories, trying to show and demonstrate to people how entrepreneurs are succeeding and surviving in this very fast-changing economy. My name again is Jeffrey Davis. I’m the host of Radio Entrepreneurs. Our next guest, first timer, Michael Hammond, principal at OCD Tech. OCD, it’s not obsessive compulsive disorder.
It’s not, it’s a, so we’re part of a public accounting firm, O’Connor and Drew. And so they’ve had that name, the domain name, ocd.com, for decades now. And so being part of the technology group, we added tech to the end. And so that’s how we ended up with OCD Tech.
Clearly. I’m sure when everybody is being told they’re OCD, they’re going to be quite shocked when you guys come up on their web browser.
Michael (1m 4s):
We get offers for the domain names all the time.
Jeffrey (1m 6s):
They’re going to think, how’s an accountant going to help me with my OCD? Exactly. So why don’t you tell us about your practice and I’ll stop joking around? Sure.
Michael (1m 17s):
So O’Connor and Drew, the public accounting firm’s been around for 75 years now. The IT practice, the, the firm never had IT audit and compliance testing, and knew that their clients needed to ensure that they had good controls around IT. And so some of the partners asked me to come and start the IT audit group within their firm. So that was about 10 years ago. So 10 years ago we had zero people. Now we have 35 here in the U.S. and we just launched an OCD Tech Mexico group as well. We’ve got another 15 down there, so in just 10 years, we’ve got 50 people now between both entities.
Jeffrey (2m 1s):
Wow. And what’s your background before coming to O’Connor and Drew?
Michael (2m 4s):
I was a vice president at State Street Bank. I worked in all different groups there in IT, both doing deployments and operations, then moved over to service delivery for a while. Got out of IT, worked more with the business, then moved into the internal audit space. So all different about every two years, moved around to different target, learn more about the business as a whole. And then prior to that, I was in the Air Force for four years as a paralegal.
Jeffrey (2m 40s):
Wow. Do you get frustrated seeing companies that aren’t protecting themselves?
Michael (2m 49s):
The, so in the 10 years that we’ve been doing this, we still suck. We still see the same findings that we saw 10 years ago. You know, I just gave a presentation to an industry group about a month ago and, you know, working on the slides in 2021, I pulled up the slides that I last did for them back in 2019, two years earlier. And there wasn’t much that I had to change in the slides. It was still, they’re still not using two factor authentication. They’re still not checking to make sure all the doors are locked. They’re still not patching the systems like they should be. So it doesn’t surprise us when we see security breaches in the industry and in the news. There’s just too much out there for attackers to be able to hang on to.
Michael (3m 36s):
And so it doesn’t surprise us.
Jeffrey (3m 45s):
You know, I, I kinda want to dig a little bit deeper into that because you’re saying you’re still seeing it. It’s 10 years later. What do you tell people? What do you do to try to motivate them to do something about this? Cause I know most people know there are a lot of things on the horizon that can affect us, but people don’t do anything about it until it happens.
Michael (4m 4s):
All right. You know, we, we talk about that. Change is coming in the industry. You know, we’re seeing, we saw a big wave of people not doing anything, pushing it off because they said, well, I’ll just get insurance. You know, I’ll get an insurance policy. It’ll cost me $2,500 a year and I’m covered. And now starting this year, maybe the end of last year, there’s a change in that where the insurance providers are dropping their customers. One, the, they continue can continue to pay out these claims like they’ve been doing. And then two, they’re saying, you know, if you don’t have good security practices, we’re not going to insure you anymore. So much like going to a doctor and, you know, you get lower premiums.
Michael (4m 49s):
If you’re a non-smoker and healthy, the same thing is kind of happening in the IT security space where insurance companies are saying, look, if you don’t have two factor authentication on your Office 365 or Google email, we’re not going to insure you. And so they’re dropping clients that don’t have good security. So, so we see that happening. We also see a big change in, unfortunately, government’s involvement in enforcing the rules. So whether it’s Biden’s new executive order for government contractors and the agencies that they work with having to have good security and audit those, or recently the FTC just changed the rules for anyone that’s a financial institution, including auto dealers.
Michael (5m 36s):
Even, you know, if you’re financing your car through them or they’re connecting you to, to a finance, you know, they’re in scope for financial regulations, and the FTC for years with GLBA said, you know, you have to have good security practice. And now they’re saying, you know what? That’s not enough. We’re going to actually tell you what to do. So they’re coming out with these 14 new rules on, you have to have two factor authentication. You have to have logging, you have to do patches. You have to have a pen test. So, you know, we’re seeing these changes where it’s not enough to just sit back and say, yeah, we’re good. You know, no one’s going to get us. Whether it’s government or insurance or other industries, they’re kind of come in and start saying, you know, we’re going to be very prescriptive now.
Michael (6m 21s):
And we’re going to check on you because it’s, it’s, we’re getting, we’re getting hacked way too much from either other countries or even just internal, you know, bad actors all around. It are stealing too much of our data. And they’re taking companies out and it’s, it’s costing us money and jobs.
Jeffrey (6m 42s):
You know, the government’s aware of these, these security breaches and everything. And they can’t seem to keep up with a big organizations, have security breaches. How do you keep up with the technology? I’m sure it, there’s no way you can learn as fast as these people develop new technologies. Isn’t, isn’t it a tough race to fight?
Michael (7m 5s):
It’s constant. The, the, I tell my team all the time, I joke about that they should have these passion projects. And I, then I say like, look, if you want to come in on a Saturday, I will help you with your passion project because we have to just constantly learn, you know, but nine to five during the day, we’re working on our normal job. And then after work and on weekends, we just have to figure out, learn more. IT itself changes so fast and IT security changes even faster. You know, we talk about either just needs to be one, you know, we, the defender has to be right all the time. And then we say the attacker only has to be right once. You know, we only have to find that one hole in someone’s network for us to be able to get in and then move around the network.
Michael (7m 50s):
Whereas the defender has to have those holes plugged 24/7, and it’s an unbelievably stressful, always-on job.
Jeffrey (7m 59s):
Well, again, I’m not, it’s sort of like a cold, I mean, I’m not saying you don’t, you can’t prevent 90% of all viruses, but if there’s 10% out there that are unique, you just, isn’t a part of it. Also got to keep your fingers crossed. You just hope it doesn’t cross your path.
Michael (8m 16s):
Oh yeah. And it’s the, the other analogy I use all the time when we talk to people is it’s, it’s like the thief going through a car parking lot. You know, they’re gonna jiggle on every door handle to try to find that open door and I can sit there and smash windows and break into cars if they can just find that one door that’s unlocked. And so attackers are constantly scanning the network, looking for those open doors. Cause that’s, it’s, low-hanging fruit. It’s so easy to find that one open door to get into and then move around your network versus having to craft some special spear phishing campaign to target you specifically. They’re literally going to just go out and the easiest way in, you know, it’s really low cost to do that.
Jeffrey (8m 60s):
I just figure if someone decided to break into my computer, they would go how boring and leave.
Michael (9m 6s):
Yeah. More likely what’ll happen is they’ll use your computer to attack someone else’s. You know, if we don’t find anything, we’ll use that one. You know, the, the firewalls
Jeffrey (9m 18s):
Are the days of Apple being more protected than a PC or the other, is that the bygone days?
Michael (9m 25s):
There are more Apple devices out there now. You know, we still see a lot more break-ins and vulnerabilities in Windows than we do in, in Apple devices and Linux devices, your numbers. Yeah, just by sheer numbers. You know, more often than not nowadays though, it’s things like Office 365 and Google in the cloud. You know, it’s a lot more cloud-based breaches than, than just regular computers. And in the cloud, it’s, we’re still talking to clients that don’t have two factor on their Office 365 accounts. And so we can sit there all day long, trying to guess passwords again,
Jeffrey (10m 3s):
You know, Michael, I would probably give my right arm to get you to come back regularly and talk about different viruses that you’re finding and how they’re working and how they break in. Almost like, you know, we have a reporter who comes on and talks about his security checks with employees, you know, just talking about all the different ways. I think it would be quite interesting, but we hope you come back to Radio Entrepreneurs. And if you don’t and if you do, if someone wants to find you, how would they do that?
Michael (10m 31s):
So you can get to our website, OCD dash tech.com or email me at N Hammond at OCD Tech dot com
Jeffrey (10m 40s):
And remind everybody, this is Radio Entrepreneurs.