The Real Reason Small Businesses Are the New #1 Target for Hackers | Ep 233 with Scott Alldridge Founder of IP Services
15:36 Share

So, Scott, something that I've noticed that is a very, very hard thing to get in business is to be in business for over 20 years. I was reading some stats that most companies fail within two years, five years, and it's like 90 something percent of companies do not exist after 10 years.

What has been something that you've done that's been enabling you to be able to be in business over 20 years? Yeah, well, thanks for having me, Daniel. And yeah, being in business for 20 years, it's actually been a little longer than that. I was actually kind of a teen entrepreneur when I started 19, my first business. But the big key there is basically being able to reinvent yourself.

And I think that's one of the challenges that's really hard to do. Sometimes we get into norms and we get very hyper focused and myopic and we really aren't looking at what is the next potential shift in how we deliver service or what services we are delivering. And of course, in technology, it's an ever changing world out there. So we are constantly evolving and figuring out how to deliver the next, you know, kind of the next generation of services. So that's been a big, big challenge.

part of the, I say, success quotient, if you will, for establishing and longevity of 20 years of business plus. I imagine if you're in a technology focused business and technology is advancing at a rate that's, I don't know if we can even keep up mentally right now. It's so fast.

How do you stay at the front and at the forefront? I mean, you went through like the dot-com era all the way to now. Yeah, the internet was just becoming a thing when we first launched into some software, software retail stores, that kind of thing way back in the day. But the idea there staying up on stuff is...

first off when you you've kind of lived in this space and it really is your career and it's what you do it is a little easier to you know assimilate new information be able to take it in understand it we live in a world of acronyms like a lot of industries so it's not quite as difficult to stay up on stuff if you're living it every day for years and years however with that said

Yeah, constant research, constant looking for kind of, you know, working with organizations that do research that we partnered with. I have a little sister division that's called the IT Process Institute. So we do some research and development, really research benchmarking and prescriptive guidance, which is a little bit where the books and the thought leadership is.

comes from. So that helps us stay at the forefront and kind of at the tip, if you will, of what is the latest technology landscape, digital transformation, how are you ready for it? And of course, in today's world, it's all about cybersecurity and artificial intelligence.

So how are you seeing the coming together now more mainstream? Because I'm sure it's been that way for a while, but it's becoming more and more mainstream. And now you have Gen AI and stuff. And I'm sure there's so many cybersecurity threats that are happening. How are you looking at AI now, cybersecurity, those two things morphing and merging as what could be a challenge or what could be a benefit?

Yeah, so not to oversimplify it, but it's a little bit back to the antivirus days where we'd get an antivirus piece of software to keep malware off our machines and it would do a really good job, whatever flavor you use. There were lots of them out there. Symantec, antivirus, etc. And then, of course, they'd have an update you need to do because they figured out how to inject new malware that would go around the anti-malware. And so it became a cat and mouse game. And that's a little bit where we're at modern day with

you know, cybersecurity and particularly, you know, AI, the, you know, AI is, can be used both for the good and the bad. So the bad actors and the threat actors are using AI in ways they never have before. They're getting really smart. They're able to launch multi, you know, tiers and points of attack that they weren't capable of doing in the past. And that is definitely creating challenges in cybersecurity and set up. However,

We also have the deployment of the proactive AI that's actually looking and defending at a much faster, higher rate. So we're kind of back a little bit to the cat and mouse game, chasing each other as to which one's doing what. But at the end of the day, good cybersecurity really is not necessarily about the next shiny toy or the next cool tool or even AI per se, even though we're having to get better about AI.

AI itself, because even employing AI for other purposes in your organization can actually open up cybersecurity threats you may not have even thought about. So that's really kind of the tip right now of cybersecurity is really, how do we know that the AI that we're introducing into our organizations is secure, because everybody's trying to use it to

to be more efficient. So long answer, but the short form is, yeah, I think we have to utilize the latest technologies to keep up with the bad actors, but also understand that there are foundational layers of security. There's no point-based one thing you can do. It's always layers. We use a methodology called zero trust, and there's multiple layers as how we deploy zero trust to protect organizations. I think it's good to have a business that,

is always changing. I think that, you know, if I look at what companies have survived over long periods of time, there's a lot of companies that have been dying the last few years and they're not really companies that had changed or they didn't adapt. They just kind of continued. But we're seeing, you know, tech companies and companies that are adapting very quickly are the ones that are continuing to survive like you over 20 years.

20 years in business. So you're in business over 20 years and you're in cybersecurity. And for some reason, you're like, I'm going to write this book. What made you

inspired to even write a book and how that was going to play into entrepreneurship or building your personal brand or whatever you hope to achieve from that book? Yeah, great question. The reality is, is that as I referred to earlier, we really had spun back in the mid 2000s, kind of the IT Process Institute to really research and benchmark and deliver prescriptive guidance. There's kind of a lack of that.

it's matured over the years to some degree, but they're still in IT. It's kind of like Mike does it one way, Sarah does it another way. What is really the best way? What is the best practice? And so that's really where we camped with our research and borrowed research and partnered with research to find out that there are some foundational controls, processes, and how you do things that really drive high performance in IT management. Interestingly enough,

A lot of that came back to this one study that said that all IT failure, downtime, you know, lack of availability or issues in IT is core. And this is 75 percent, 80 percent between them or between there, depending on which study is correlated to some unapproved, unauthorized, untested change. So the working thesis became, let's do really good change management around how we do IT and how we implement changes, where we allow them to happen.

And what we've come to find out more recently is that actually no security breach will happen without a change or a need for a change.

Either I convince somebody by socially engineering them to become them or hack in, or I just brute force hack in and I change something to be able to siphon data, to get personal data, you know, confidential data information, that kind of stuff. So that's the background and kind of living in that world for many years and that research and kind of having that insight really kept me thinking about how the earlier books and the core of what we call IT processes and IT process efficacy, which is the third chapter of my book,

still applies to cybersecurity today. So I had this kind of brainstorm, went noodled on it for a couple of years, spent about eight months to really author the next version of the VisibleOps series of books. We did one called VisibleOps Security like over 10 years ago. This one's VisibleOps Cybersecurity because we didn't call it cybersecurity back then. And in this particular book, I get into some very specific applications, if you will, methodologies, zero trust, as I referred to before, really giving practical guidance for how small companies and large companies can

can at both sizes, right? Smaller enterprise can actually use these methods to seriously increase their cybersecurity posture, make huge advancements. A lot of the things I referred to are kind of 80-20 rules, if you will. 20% of the effort can give you 80% of the benefit and protection against the bad actors, the threat actors, really enhance your cybersecurity. So that's the background on the book, generally speaking. You write this book,

series. You got the series now over 350,000 copies, which is insane. Most people sell like 200 copies. So to sell six figures of copies is very, very challenging. What helped you in that time? Because you're not like a full-time author that's only focused on books. You got this business and

And then you have the book and then you have all these things, you know, supplementing each other. But what has been helping you in terms of getting your book out there and getting it heard? Yeah, there's an, you know, the IT Process Institute and the series of books, the Visible Officers really is somewhat of an altruistic goal, raise the tide that floats the boats in terms of IT management, best practices, cybersecurity. We want to help everybody do better. And so if they can glean something in the book. So first off, there's altruistic goal, right? Just we really want to help.

businesses across the U.S. and the globe really increase and enhance against the bad guys. That's the first goal. The second part of the book and what's kind of helped it is that it really is part and parcel to the types of services. Starting your business should be simple. That's why I love what Northwest Registered Agent is doing. You can build your entire business identity in just 10 clicks and 10 minutes.

Seriously, whether you're launching your first company or your fifth, you get more when you start with Northwest. More privacy, more guidance, and more freedom to run your business from anywhere. They've helped businesses grow for nearly 30 years, and they've got your back.

For just $39 plus state fees, Northwest will form your business, create a custom website, and set up a local presence anywhere you need it. Want more? They'll protect your identity by using their address on your formation documents, and their premium mail forwarding gives you a real business address that keeps your home info-private

which I have used this service for many years. Don't wait. Protect your privacy, build your brand, and set up your business in just 10 clicks in 10 minutes. Visit northwestregisteredagent.com founders and start building something amazing. Get more with Northwest Registered Agent at northwestregisteredagent.com

slash founders that we deliver. We kind of are the living, breathing visible ops organization. That's kind of how we deliver our practice and our service around cybersecurity. So it is, it is, it helps my organization, both internally, my people read and learn from it. We train in it. Um, that we actually have some online certification training for visible ops. You can actually have access to. So there's a lot of things that are around the book that kind of feed off of kind of the ecosystem. Um,

But also we early on had partnered with several vendors, larger vendors, HP, Red Hat, some of those types of vendors to help us promote the books. And so they actually would buy thousands of copies of them and help promote them through conferences and through different activities that they were doing to promote their businesses. Because a lot of the principle concepts and the principles of the book are really fundamental.

very sympathetic, you know, uh, is sympathetic. Oh, if you will, they, they compliment the service, the types of software and services around security, uh, really gives the research and the backdrop to promote the type of services that those vendors, uh, actually provide. So that's the vendor relationships also help really promote the book as well. Besides, you know, being a part of our business. And of course it things at some point take on a little bit of a, if

if you will, viral. And so my book just became an Amazon bestseller. It's starting to get a little viral now. So we're seeing that activity kick up like we've seen with the other books and hopefully start to really take off over the next few months. That's a very unique perspective on

on a book because many people, they write a book and they hope it builds their personal brand because maybe they want to speak. But the fact that you're, you're taking the book and then leveraging that within the organization and then also connecting that to other corporations, that's a very unique spin. When you go, when you think about cybersecurity, what right now do you feel are like the biggest threats that businesses need to know about? So,

A couple of things there. I could talk on and on about this one, but the first thing I would say is that no business is too small. The last couple of years, they're going crazy downstream to small organizations, companies that maybe only do $500,000 worth of sales, believe it or not. So a lot of belief out there is, well, we're just not a target. We're too small. They wouldn't want... They're not interested in us, but they are. And they'll take five grand, ten grand. The other thing is that they're highly sophisticated, not only using AI, but ransomware franchises...

is a real thing. You can actually sign up for a franchise. They give you a tool set. If you're a smart high schooler with computers, you try to hack in, you get maybe a little bit into their network. You can then partner with the franchise. They'll come in and then they split the proceeds on the ransomware. It's that sophisticated. Then when you go to pay, they don't just have you pay some way. They actually send you their call center and their call center will take your payment.

They want to convert typically crypto currencies into dollars because they don't want to be traced. So this is the world we live in. The threats are everywhere and they're going way downstream. One of the first principles we talk about with all companies that we work with is assume breach. Because if the bad guys really do want to get in, they generally will find a way to get in. About 99% chance. That's why we see some of the big corporations that have every tool deployed and all the experts in the world, and yet they're still getting hacked for millions of dollars.

So the point is we start with assume breach, which means you have to have backup and restore and what we call immutability where your backups are not even connected to your network. They're privately, securely encrypted and stored so that when the bad guys get in, what they typically will do is not only encrypt your current systems, but they'll find where your backups are. They'll encrypt those and then people can't restore.

and then you're stuck and you have to pay. So the first principle, and I'll just give the one, is working on true business continuity, business disaster recovery, business backup and restore with immutability, air-gapped backups. That's a really important principle. But there's a couple of things right there. No business is too small. That's the world we live in now. And every business should have tried and true, immutable, separated backups that are tested regularly. I watch these YouTube videos where these hackers hack into these scam call centers regularly.

And then they actually reverted it back to them. It's very interesting. Yeah, I'm shocked. And I've listened to these calls and the sophistication I've been

It's happened to me before. I thought the same thing. Like, no, I'm too small. No one's going to reach out to me. And they did. And it took like a year before I even knew that we were sending money. The money was going to the wrong person, not us. It was a disaster. So, Scott, I could see that not only corporations, other IT companies, but even businesses need to read the book.

And cybersecurity might be one of the things that we need to focus on that we are not focused on. We're always profitability, hiring, leadership. But many times business owners are just not focused on these threats. But, Scott, if you want to get your book, hopefully there it is. The Visible Ops Podcast.

Maybe you saw another half. Starting your business should be simple. That's why I love what Northwest registered agent is doing. You can build your entire business identity in just 10 clicks and 10 minutes. Seriously, whether you're launching your first company or your fifth, you get more when you start with Northwest, more privacy, more guidance, and more freedom to run your business from anywhere. They've helped businesses grow for nearly 30 years and they've got your back.

For just $39 plus state fees, Northwest will form your business, create a custom website, and set up a local presence anywhere you need it. Want more? They'll protect your identity by using their address on your formation documents, and their premium mail forwarding gives you a real business address that keeps your home info-private

which I have used this service for many years. Don't wait, protect your privacy, build your brand and set up your business in just 10 clicks in 10 minutes. Visit northwestregisteredagent.com slash founders and start building something amazing. Get more with Northwest Registered Agent at northwestregisteredagent.com slash founders. Familiar. That'd be great. Yep. Uh,

Thank you for the time. I really appreciate the interview. How can people get the book? Yeah. So my author's website is scottaldridge.com, S-C-O-T-T-A-L-L-D-R-I-D-G-E.com. And from there, I've got links to the IT Process Institute, to IP Services, my company. But you can order the book right there through an Amazon link that's there. You can go to Amazon and just type Invisible Off Cybersecurity. It'll pop right up. So Amazon's the best way to really get the book. Scott?

Scott, this has been great. Thanks for sharing today. I learned something. I'm going to go back now and see what changes I can make. And I might need to just read that book, Scott. I think I need to read it. I hope everyone who's in the industry gets to read it too. And we can all be, we can all feel safer and not keep along these people, you know, to continue being a threat to us. But Scott, this has been great. And thank you for joining us today on Founders Story. Awesome. Thank you.

Craftsman days are here at Lowe's with big savings on the tools you need. Save $100 on the Craftsman V26 Tool Power Tool Combo Kit. Now at $199. No matter what the project is, Craftsman's high-quality, high-performance products empower you to build on. Visit Lowe's and check out the full line of Craftsman tools today. Valid through 7-9. While supplies last. Selection varies by location. Maximum initial battery voltage measured without a workload is 20 volts. Nominal voltage is 18.