Episode 8 Small Business Full Transcript

Small Business Security

Sal Toner  ·  May 10, 2023  ·  49:01

Speakers: Joe Patti (Host), Adam Roth (Host), Sal Toner (Guest)
Joe Patti00:04

It's five o'clock somewhere, time for the Security Cocktail Hour. I'm Joe Patti. For over 20 years, I've been working in information security and knocking back martinis all over New York.

Adam Roth00:15

I am Adam Roth from Staten Island. Locksmith, EMT, love to box, and on rare occasions, I've been known to engage in cybersecurity. Let's go!

Joe Patti00:27

All right, everyone. Welcome to a very special episode of the Security Cocktail Hour. Adam, this is big. We've been looking forward to this. Oh, you're buying drinks? You're buying drinks, yeah. Sure, they'll be delivered. If the doorbell rings, those are your drinks coming for you, all right? No, we have a special guest, our first guest, our very first guest.

Adam Roth00:57

That's exciting, don't you think? Well, it's exciting, but you know who I'm chasing down for a second guest.

Joe Patti01:04

Oh, don't start with that, please. Yeah.

Adam Roth01:07

Can I say, can I say?

Joe Patti01:09

No, you can't say because we're not going to get them, first of all. Second of all, we have a real guest here who very courteously showed up and you're talking about someone else. Please don't you have any manners for Christ's sake? Honestly, no. Our guest today is Sal Toner, the owner of FC Chaos Fitness. Is that it?

Sal Toner01:31

Cool. FC Chaos Boxing Fitness, guys. Thank you so much for having me on the podcast, especially as the first guest. I'm honored to be the first guest, honored to be here with you guys to talk a little bit about cybersecurity, about small business security, and that kind of fun stuff.

Joe Patti01:48

Well, that's the thing. People might be asking, why do we have a gym owner on our security podcast? And you said it. We wanted to do something on small business security, so we got an actual small business owner, which is not either one of us.

Adam Roth02:06

I did it for other nefarious reasons.

Joe Patti02:09

Well, you think you're going to get a month free, but Sal told me he's screwing you on that, so give it up.

Adam Roth02:14

I'm sorry. I actually paid for two months for one month now. Exactly.

Joe Patti02:22

No. You know, small business security is kind of interesting because a lot of what we talk about here is what people call consumer grade stuff. The general stuff that you as an individual can get for your home, your family. All that. And there are a lot of resources for that. And, you know, Adam and I, our many, many years of experience are in corporate security and enterprise stuff. Big business, basically. And things are, you know, there's a lot of stuff there. Most of the security products that are available are targeted towards them. And they're expensive. They're really expensive. And even the people who do it are very expensive. And not always realistic, as we understand it, for a small business to hire and to get their things, and they kind of fall in the middle. But we are here to get the real story from someone who lives and breathes it every day.

Adam Roth03:21

So Joe, think of it this way, right? It's prohibitively expensive. If you need a proxy or a gateway for your internet to protect yourself, then you need an EDR or an endpoint detection response. For those who don't know what that is, it's like an antivirus. And then you also need maybe a browser that has isolation so nobody can click the wrong thing or go to the wrong place. And then you have to pay for your licensing, for your email. It's really hard for a small business to really pay to protect themselves and they end up with shrink wrap off the shelf antivirus.

Joe Patti04:02

Well, also, those are all things that we worry about in the enterprise space and, you know, for the big corporations. But how important is that to a totally different kind of business? So we're talking too much. So, Sal, tell us a little bit. I mean, what does your IT infrastructure look like? I mean, I figure you've got wireless and everything and you must have, you know.

Sal Toner04:26

Some level of stuff. So we definitely do. First of all, this whole concept was kind of very new to me, with cybersecurity in general. When I first started the gym, I had seven customers, and I was lucky to have seven customers. That's pretty good to start. I didn't think that, you know, it would ever evolve to a point where I needed to worry about things like that. It wasn't really until I met folks like Adam, a couple of my other friends as well, that are in the cybersecurity world, that are in the space, that were like, hey, listen, if you don't put a focus on it now, it could really have an impact going down the line. And I attribute a lot to Adam for kind of helping me put the infrastructure in place, for kind of helping me figure out what's needed, what's not needed, and how important a breach of a magnitude could be.

Joe Patti05:24

I like to think... Wait a minute. Adam helped you set up your infrastructure? A little bit. Just giving me some... Good thing you're here. You definitely need help. You came to the right place.

Sal Toner05:36

I got to come talk to Joe now. But just to kind of give you kind of an idea of the importance of this. So when I first started out, I actually ran a legal training business out of a big box gym. And that big box gym, I'll leave them nameless. I don't even think they're around anymore, but, um, they would have a huge issue with credit card processing, where the amount of people that would come in and say, hey, after my, my charge got, got processed, all of my, you know, my identity was stolen. My, my credit card was stolen. My, my information, there was a thousand dollar charge on my, and this was a reoccurring thing that happened at this business. And your reputation is on the line when you're taking your customers' credit cards and storing them, and all of the kind of infrastructure that needs to be in place to do that properly. And now that I've grown from a small little one person shop to a small but still growing business, I'm able to really have to focus on it.

Joe Patti06:44

So let's just ask for a little context. So you have one gym. It's in Staten Island, right? I have two gyms. You have two gyms. Awesome. Wow.

Sal Toner06:52

Nice. So I have a small studio over on the North Shore that's predominantly for women. That was the location I started with. And then I have my large 3,000 square foot facility that I beat up Adam in three times a week. And yeah, and I'm around 250, 300 members, give or take. So now with that kind of stabilizing membership, really putting a focus on things like cybersecurity and things that I've never thought about, thanks to Adam, to really kind of take the forefront.

Joe Patti07:30

Well, it's really interesting that you say the first issue you bumped up against in the business was credit card processing. Gets right to money, you know, and customer trust. Customer trust.

Sal Toner07:42

More of the trust and reputation than just the money.

Adam Roth07:46

So yeah, that, that, that transitions into the whole, uh, uh, PCI compliance, which is your credit card compliance. And it translates also into PII, or personal identifiable information, uh, that, uh, people might get ahold of. So, um, you gotta be really, really careful because you're right. Right. Not only do you, uh, risk the reputation of the organization, but it also has a cascading effect because other people will find out and, uh, it's, it's not a good thing. So it's, you know, people tend to also write down credit card, I'm not saying you do, people tend to write down credit card numbers on a piece of paper and they put it on a form. They don't safeguard that stuff, those paperwork. They don't put it into a locked cabinet. It gets to be horrible. So going right from the credit card, right to the point of sale system is usually the best way to go. And not a lot of businesses follow that, but it seems like you have that understanding, which is great.

Joe Patti08:49

Yeah. And let me ask, you know, one of the big things in credit card processing is something called the PCI standard, the payment card industry. It's a security standard that you need to follow. Do you have to deal with that at all? Or do you like just get a package from whoever your processor is and they take care of all the security for you?

Sal Toner09:09

I do it with the company that I work with for my processing. They handle most of that, which is good. Um, but also there are also some safeguards I kind of put in place, especially as far as just training staff and making sure everything is done properly and making sure if for whatever reason, um, you know, we are complying with, with these rules and we're complying with, you know, keeping our customers information safe.

Joe Patti09:37

Yeah, absolutely. I mean, you're going to have information on your customers. I'm not going to ask you if you keep credit card numbers because I don't want anyone coming after you depending on the answer, but it's generally best to frankly keep as little information as possible, especially credit cards. Numbers and things, those are really hard to store, even for the big businesses. And you generally just want to avoid that completely, if you can, and push as much as you can to the processor, to an outsourcer.

Adam Roth10:09

So I shouldn't say my best practice is using somebody else's credit card that I don't have?

Joe Patti10:17

You know, Adam, I've never actually checked your identity. I could be living a double life here.

Adam Roth10:23

Well, we've had this conversation about social engineering, you know, being able to assume other identities, you know, creating fake credit card numbers for those scammers. But I'm not saying I've done any of that. I'm just saying I've heard of that.

Joe Patti10:40

OK, so you've got to protect your your customers in terms of their information and their card transactions. Have you had problems with fraud yourself with a lot of fraudulent activities targeting you?

Sal Toner10:53

I definitely, definitely have had a couple instances. The business actually had a slight – I think there was a lingerie purchase on the business card.

Joe Patti11:09

Well, that makes sense. Adam tells me women are always walking around the gym in lingerie. That's not a business expense.

Sal Toner11:16

And that was a conversation.

Adam Roth11:19

No, that's not what I said. I said, I bought the lingerie with Sal's credit card and I wear it in the gym.

Joe Patti11:25

You got your perp right there. OK.

Sal Toner11:26

There you go. But yeah, so that was one instance. And then we had to kind of check everything, make sure our business, everything was intact and we were in good standing and stuff. And then finally kind of switch over to credit cards and all that fun stuff. Um, but, uh, but I've never had a huge identity theft breach, but I've definitely had some, some run-ins with, you know, having to change my card over and, you know, fraud and, and even maybe falling for, for a good scheme every now and then.

Adam Roth12:01

I mean, I might obviously ask when, where, why, but have some of your. Has at least one person presented a credit card that was not of their own? And if so, do you have steps or methods to validate those people?

Sal Toner12:26

So no, that has never happened to my knowledge. And it's probably just bound to happen at a certain point. But what's really kind of difficult is, with my, my point of sale system, is you could sign up from home. You could sign up really with no, with no validation. Like if you're, if you're in front of me and you hand me Jim Smith's card and your name is John, I know that something's going on, but if you sign up online, there's really very little we can do there.

Adam Roth12:58

Yeah, and that's not really an issue of you personally or your organization. That's a general issue that a lot of people run into. The more complicated payment gateways will look for ways of validating and checking to see whether or not information does match. Purchases I've done online where, you know, my name is Adam and my middle initial is S and I didn't use my middle initial, and it would not process the payment through the gateway. So, it really depends on the level of payment gateways, who you're using, and sometimes it can be cumbersome. So, it's hard for a small business like you to do that. I'm sorry, go ahead.

Joe Patti13:37

Yeah, I've heard that the you know, like Visa, MasterCard, whatever you call them, that they, collectively the card companies, that they are not always loved by the merchants because they will push a lot of stuff down to them. But I, you know, I've got to think, and please, you know, let me know. It's like you say, you know, you have a, you know, some ability to, you know, detect things or whatever. But I've got to think that if, you know, you're accepting the cards, if you're doing things, I mean, what I would look for, you know, in the big business and tell them, look, I'm following the best practices. You know, this is what we recommend. This is what you offer. Do you, I mean, do they give you anything there and, and do you get any protection in that regard? Or you just kind of, kind of on your own, they make a decision and they decide if you're going to eat something or not.

Sal Toner14:27

Oh, I mean, I would say kind of. We're more on our own and we don't really have that kind of negotiating power that some of the bigger businesses might have when they come to that table. But I mean, knock on wood that it hasn't been an issue just yet. But yeah, I've definitely heard some horror stories from my clients of scams that... I heard one where, uh, a scammer phished for an email from a lawyer and they sent him a wire for, for tens of thousands of dollars.

Adam Roth15:04

Um, you know, we've seen that, we've seen that at levels of millions of dollars. So, yeah. So, oh my God, both Joe and I in our lives have seen things where, you know, employees have fallen for the, the gift card scam. Hey, we're doing our promotion. I need you to run out and buy 20 gift cards at $50 each. And meanwhile, some of these people have actually gone into like a CVS or Rite Aid, and the people behind the counter are very aware. They're like, why are you buying 10 gift cards? They're like, you shouldn't be doing that. Most likely, we're not going to stop you, but you're probably involved in a scam. Oh, no, no, no. It was from my blah, blah, blah. And it was there from their email. But people don't realize not only do, um, scams come from illegitimate email sources, they also come from legitimate ones, because typically the human being uses the same password and username everywhere. So if one site gets compromised, people run scripts, and those scripts will log into every single merchandise account or email account, get access to that email account, if there's not something called multi-factor authentication. And for those who don't know what multi-factor is, it's not only are you providing a password, but you're providing usually a number or some kind of additional way of validating, either a push app on your phone that says, did you really log in? Yes. Or can you provide this text number? So it's hard for a business like yours to really accommodate that.

Joe Patti16:42

Yeah, it's hard for every business to because there's Adam talked about the gift card scam. There's also something called BEC or business email compromise, which is a fancy term for just someone calls up and tries to trick someone else into sending money and this happens in companies large and small, very large ones, and they'll target like the CFO of a company, the Chief Financial Officer, and say, you know, send to one of his subordinates, say, you know, send a check to here or change this vendor's, you know, account number. We need it changed and they'll end up funneling money. So if any of your employees have the access to move money around, you know, especially in a in a not huge organization. I mean, you know, tell them, don't listen to anything. I mean, don't listen, don't let them send any, take any instructions unless they're in the same room with you, frankly, the way things are going. It's getting really, really bad out there on the technology. We talked a bit about fraud on the technology side too. So you do have some, some stuff set up.

Adam Roth17:42

I got one for Sal. He has access control to his office. How does that work for you? Is that, are you concerned about the security with that?

Sal Toner17:50

That's definitely. So, so My main facility, my larger facility, is 24 hours, 7 days a week.

Joe Patti17:57

Oh, really?

Sal Toner17:58

And to get in, it's not staffed 24 hours. To get in, you have a little barcode on your phone. And you scan the barcode at the door, it unlocks the door, and you enter the facility. Now, the only problem with this method, and I'm curious to see, I actually saw it at the Yankee game last week. I'm curious to see if maybe this company would eventually evolve to something like this, is you can, you can send this barcode to anyone. Of course. So Adam could send it to Joe, and now Joe, who doesn't pay me a membership, could come into my gym whenever he wants at 3 a.m. I do have one of my good friends who's in the NYPD who works nights, who whenever someone enters the gym gets a notification on his phone, and he checks up and kind of keeps, keeps kind of a log, making sure if one person scans in, one person's in the gym, and kind of has somewhat of an idea of who the members are. But with that being said, it is a huge security risk. Something that I saw at the Yankee game, and it's funny because, because one of my, one of my friends was telling me about how to, how to hack the Yankee games and get closer tickets, is you just screenshot the ticket and then you edit, in, in Snapchat you could edit the, the, not the barcode, but the, the seat number and the barcode, to kind of get you down to a lower seat. And, and then, and I'm not gonna give any ideas, but, but the last time I went to the Yankee game, now they had a sliding blue bar going across the barcode, so that now you couldn't really do that. I'm curious if they could do something similar to that moving forward.

Joe Patti19:54

I can tell you, I saw that too. And it's always a great tradition at Yankee Stadium and elsewhere, trying to get better seats and down or something. But I saw people actually going with friends and taking a screenshot of the phone and saving it and, you know, trying to get in. And yeah, they have the moving blue thing, so that if you take a screenshot, it doesn't move. And someone was saying, like, I'm gonna give this to my friend, he'll get in. I go, yeah, your friend might get banned for life, or they're even arrested for something like that. So that's not a good idea to do. But, but you're right, something, it would be, it would be a really cool way to kind of, you know, work on the security of that. Um, but I mean, for right now, as far as what I got, you know, with, with

Sal Toner20:41

with kind of my friend watching over, watching and kind of tracking, like I said, at, at that, at those hours that it's unstaffed, do we have a crazy volume of people? No. Um, but kind of just still regulating, kind of making sure everyone's, everyone's, uh, safe and everyone's paying their dues and respecting the gyms.

Adam Roth21:03

So there's better ways to do it, but I mean, again, Better ways to do it means it comes at an expense. Typically, when more secure facilities allow for access, they use two forms of authentication. And you can do that a little easier if you want to give somebody a card and a four-digit number. So they have to know both. But yes, somebody can give the card and a four-digit number. But the way, the way multi-factor authentication happens for physical security access is one, it's a card or a pin. And then two, unfortunately, some people are not going to like it. It's biometric. It's scanning your face. It's scanning your fingers. So you can't give your finger to somebody else, really. Yeah, I know the stories about using gummy bears to do an impression on your finger and pushing it down. But then you have to have the right temperature and body temperature. But how far do you want to go, right? Do you want to use facial recognition? People are averse to it. Do you want to use fingerprints? People are averse to it. Go ahead, Joe.

Joe Patti22:07

Well, Adam, I know you like all the whiz bang stuff. Adam is really into physical security, especially, much more so than me. But the way I look at it is not that different from getting into computers and stuff. A simple card, even an old school one, access card can be effective. I mean, if it's so old, they're easy to break. You want one that's reasonably modern and not so easy to copy and do other tricks on. But the key thing really, the key things with it are that you know who has it, that when someone, uh, you know, leaves or doesn't pay the bill or even causes some trouble and you gotta lock them out, that you can revoke it, even if, you know, you can't take it away from them, that you can say this card is dead, it can't be used, and that they can't be shared or duplicated. Those are the really important things. Because, because, I mean, it is a, you know, I'm thinking your threat is that you have a physical space where it's not like, I mean, there is the possibility of theft, but you don't have to worry that much about theft of service. It's more like, you know, someone is going to come in who shouldn't be coming in and make some kind of trouble.

Adam Roth23:25

Yeah, the difference is, you're right, Joe, right? If you have a barcode, anybody can copy a barcode and pass it around electronically. If you have an access card, you can't pass it around electronically, you have to pass it around physically. And that requires an inconvenience. Then you have to give it to somebody, they have to give it back, they have to give it, so it actually kind of lightens the, it mitigates your vulnerability a little bit, a lot more than copying a barcode. By the way, I'm the only one at the gym, I think, that has a physical card to access the gym. I made it myself.

Joe Patti23:58

You made it yourself. Yeah, I did. Did you put a little picture of a flower on it or something?

Adam Roth24:03

Oh, I did. I put the logo of the gym and I put the barcode and I laminate it and then these two women are like, where did you get a card from? He starts trouble.

Joe Patti24:13

Wait, wait, Adam. Wait a second. Okay, I gotta call you out on it. You put the logo of the gym on. Does it have the name of the gym? It does.

Adam Roth24:22

I know what you're gonna say, but I lose it. You're not supposed to put that on the card if you lose it.

Joe Patti24:26

Come on, dude, this is basic. I want you to fix that tonight.

Adam Roth24:36

Once a boss, always a boss. Not once a boss. We gotta try to help out Sal here.

Joe Patti24:40

That is one thing. When you use access cards, you don't put the address that the card is for on it.

Adam Roth24:48

You should be more worried about the toilet paper I'm stealing from the gym. Oh man. In any case, so what are the concerns? Like, I mean, your infrastructure is minimal, because you do have the Wi-Fi, you do have the point of sale system and the computer used for the members. You have that beautiful machine that does the assessments of individuals, their weight, their density, their BMI. What about that? Are you concerned about that?

Sal Toner25:23

That is actually, there's like four layers of security as far as passwords, keeping all of that information safe.

Joe Patti25:32

Wait, what's, before you get into that, what is it? So I have a 3D body scanner.

Sal Toner25:38

So you stand on it really?

Joe Patti25:42

As you can tell, I have not been to a gym in many, many years, so you gotta bear with me.

Sal Toner25:48

I want to come check it out in person. Love to have you, Joe. He's coming for the after-party. Oh man, you don't want to see that. So a 3D body scanner, that's pretty cool. You stand on it, it spins you around, it gives you every metric from head to toe. So it gives you your BMI, your visceral fat, subcutaneous fat, your lean mass, your body fat, and then it gives you kind of a breakdown of every metric you need to know to kind of track your progress. So you can see if your bicep grew an inch, if your chest grew an inch, or if your waist shrunk an inch, X, Y, Z, and kind of track that progress over time. Really high tech, spent way too much money on the machine to begin with, but it's a cool way to track progress. But it's also very personal. Sure. Information about people's bodies that, you know, and it's a 3D scan of your body, and you're wearing, for women, you're wearing a sports bra and shorts. For men, you're just wearing your boxers. So, it is a very personal thing. So, we make sure that data is sealed tight. We make sure kind of the computer's off limits, off access.

Joe Patti27:09

And also, how does that work? Is it like within the machine itself? Is there a computer or like you have to put a machine into it?

Sal Toner27:16

Within the machine, there's a computer that's just designated just for that machine. It's password protected, I think three times over. It's encrypted. Encrypted to make sure that that data is kind of...

Adam Roth27:32

So Joe, think about the TSA scanners. It's very similar in the sense that when you go through the TSA scanning, even though you're wearing clothes, that TSA scanner can pretty much do everything you're talking about, even though it wasn't made for that. It can tell you density and everything else and give a visualization of what you would look like with no clothes on. And that was the concern about those 3D body scanners at TSA. People were like, oh my God, you're invading my privacy.

Joe Patti27:58

Adam, for a joke, I was gonna tell Sal I'd pay him a hundred bucks for your body scan, but hearing that- I already have a body scan, you can have the joke. I'll pay you a hundred bucks not to give it to me. Oh man, you're too funny. But that's it. Well, you know, you are doing something very simple and very effective to protect that, which is that it's just on one machine. If it's just on one machine. Now, is this machine, I'm guessing it's on the network, or is it totally separate?

Sal Toner28:27

It is still on the network.

Adam Roth28:29

It has to be, Joe. It has to do the updates and everything else. Yeah. Like I said, when you think about it, Joe, right? And this is, you know, this is for the audience edification. This is no different from going to a hospital and having your records online. It's the same level of medical encryption, the same level of everything else. Hospitals are no different. They have the same connections to Wi-Fi in the hospital, same encryption between the device and the Internet. So it's very similar.

Joe Patti29:00

Well, I mean, it's similar in concept and what it does. But the big difference is that in a hospital, even a big hospital, they're going to have some number of IT staff. And, you know, they got a lot of stuff. I mean, I've been spending a lot of time in hospitals lately. And yeah, you can see them, you know, you can see their biometrics, sometimes they go blank, and they say time, this thing is updating again, we hate it. But you know, but that's, but that's it, you know, as a much smaller business. You need to protect, it's the same data. You need to protect that data just as tightly as in these really large ones.

Adam Roth29:32

I got one better for you. What about the EMTs or paramedics who show up at your house, and they're in an ambulance, and they're carrying like a Panasonic Toughbook that's connected to the network via cellular? While it might be a private network with cellular, it's still the same level of communication. Now you have no infrastructure other than the cellular chip communicating back to the ISP via the carrier.

Joe Patti29:58

Yeah, that's true. That's how it works. So, so you have some sensitive data, okay, that people would freak out if it got out there, I'm sure. Potentially, yeah. Okay, now let me ask you this then. Okay, say something happens. Say you think we got malware, we got ransomware, or you suspect that someone has, you know, scarfed up the data from that machine or something. What do you do? Who do you? Who do you call? What kind of resources do you have access to? Because I've heard that that's a very big challenge.

Sal Toner30:35

Adam, God help you. I don't have a long list of people to call. I have a couple of friends in the cybersecurity space, including Adam, that I would probably tap and just kind of, you know, they're more local, you know, local organizations. My friend Mike Bloomfield has this organization called Techie Geek. I would obviously tap on Adam, who's a savant of his own nature.

Joe Patti31:08

But there's... You didn't say the full term for that.

Sal Toner31:16

But there really aren't many places to go as a small business for, you know, major breaches that might compromise your entire business. And that's kind of a little scary because I feel like more and more small businesses kind of can be targeted.

Joe Patti31:37

Um, so yeah, well, that's unfortunate that you are, that you are a target because, um, you know, you're not going to be a huge, a huge payoff, but, and, and, and in fact, the one thing is the bad guys have kind of moved on to the places with deeper pockets. Um, but you know, still you could potentially be in, be an easy one for, for them. So it's tough. Yeah.

Adam Roth31:58

So, I mean, I guess the good news in a way is, you know, uh, Because of the size of the business, obviously Sal is not one of those targets where people would go for. The only issue that Sal could run into is a drive-by malware drop. They're not looking to attack him because he doesn't have a level of service sophistication, which is a good thing. But as Sal grows and his partners grow and they build up a bigger organization, they're going to have to figure out how do I leverage the infrastructure moving from smaller to less small. And that's always an issue.

Joe Patti32:39

Oh, yeah. Well, I mean, right now, I would say, Sal, you have two likely attack vectors, as we say, which is the way guys would try to hit you. One, as Adam would say, you know, is like the drive-by. Someone who's, you know, in your parking lot or elsewhere in the building who sees your wireless and tries to poke at it. But that's pretty simple. If your wireless is well protected, you know, has a password or has a login, whatever, you should be in good shape there and keep it patched. The other thing is the internet, of course. And you know, again, you're not a likely target that someone is going to go after you. But you might end up being, you know, what we call a target of opportunity, that if you happen to get stuff out there, you happen to get a piece of malware on your machine that starts pinging out telling the bad guys, I'm here, you know, they might say, Oh, Let's take a look at this. Maybe here's where we can make some trouble and make some money. And you don't have to be perfect with this. One of the things that we say in security is you don't necessarily have to be perfect, but it helps if you're better than most of the other guys there. It's like you don't have to outrun the bear. You just got to outrun the other guy the bear's chasing, that kind of thing.

Adam Roth34:00

Yeah, there is one other vector we haven't spoken about, and that's third parties, and, and Sal has no control over that, right? Third parties. They attack the third party POS system, the third party system he uses to enroll or keep track of his clients. But again, it's like me worried about Chase or my medical provider or my Amazon products. You know, I can't control the level of sophistication or security they have. So at least he doesn't have to worry about that as much, because usually those level of organizations have pretty good security. But breaches are happening every day, so, you know, you have to have a plan in place.

Joe Patti34:44

And, and, you know, that, that's another thing, you know, in the big companies, you know, we have like, you know, vendor, we call it third party. It's your response. Vendor management and stuff where, you know, where we, you know, look at all the suppliers, all the vendors, and we're constantly doing assessments and we do audits on them and all that stuff. You're not going to be doing that on the, on the people you have, you know, but I would suggest at least keeping an eye on them. You know, if they do have a mailing list or a service where they do alerts, will tell you something's going on, make sure you're on that. Maybe follow them on Twitter if they have it. So at least if they do get popped, if something does happen, at least, you know, and maybe you've got to cut them off for a little bit or at least call them up. Know to call them up and say, hey, what's going on? Yeah. Hopefully, they're, you know, a reputable and good enough company that, first of all, they will detect a problem if it happens. And if so, they're going to, you know, disclose it, which they're supposed to. But, you know, a lot of it's beyond your control, but you just do what you reasonably can.

Adam Roth35:48

Well, the good news is, right, is that it's not as, it's not costly, but it is time consuming. Businesses like Sal's can have a business continuity plan, and they can have a disaster recovery plan. And what I mean by that is, what do I do if I lose access to my records? Well, they can back them up, maybe onto paper, but store that paper in a safe that's locked. Or if I have no access to the internet, what do I do? I turn around, maybe use a MiFi or one of those portable devices that connects to an ethernet cable, and I can throw that on. So it's always good to have a BCP or business continuity plan and disaster recovery plan. God forbid, you know, uh, it's a little bit harder with the gym because it's not like you're going to have a backup gym somewhere. Um, but you could use my backyard if you wish.

Sal Toner36:39

I definitely think that's a great point, Adam. Uh, something that I probably could give a little more thought to, uh, just to be prepared. If something does go wrong, how I can react to it? Um, similar to the sport of boxing, right? You, you, you want to have a plan, but you also have to have a plan when Adam kicks you in the head, you know? That never happens.

Joe Patti37:00

Well, you know, that's another thing.

Adam Roth37:03

What?

Joe Patti37:03

Adam kicking me in the head? No, you would not kick me in the head.

Adam Roth37:07

No, I might offer to kick you in the head. I'm saying that I would not kick somebody in the head. Sure. Oh, okay. Good. Yeah.

Joe Patti37:14

Um, but, uh, yeah, you know, it's funny, you know, dealing with stuff with incidences, you know, it's incident response. And I've been to so many things where the big thing is plan. You gotta have a plan. You gotta have a plan. You gotta do this. People spend months and years, millions of dollars on these plans. And I say, who was it? Was it Mike Tyson, who said everyone's got a plan till they get punched in the face? Or they get kneed in the eye. But fortunately for you, you know, it's not that complicated. Because again, really, the primary thing is your facility. You know, and it sounds like you maybe have a, you know, probably with a couple of laptops or, you know, computers, whatever. As long as they're backed up, you know, decently and safely, I think you're okay. And, you know, if your internet goes out, I mean, my God, for a couple of machines, or you have a primary one, you can tether it to your phone and get on the internet if you need to, you know, it's not, it's, I don't think you need a separate, you know, alternate facility.

Adam Roth38:17

And it's funny that you bring that up, Joe, right? Because this is a conversation I had with Sal a couple days ago. You know, Sal has a desktop. But does a desktop make sense for his business? Yes, it's nice to have it on there. But what happens if he, you know, how much money can Sal spend on, you can't buy 20 machines. It's cost prohibitive. It's not effective for him. So maybe it is that he gets a Mac, he gets a Mac docking station, hooks it up to his monitor. So if he has to leave, or if you leave after hours, who does, anybody else need access to that computer? Maybe not. God forbid he has to do some work remotely. He can do that work and he has the ability to do that. It's hard to really think about these things if you're not in that business. When I say not in the business, I mean not in the business of cybersecurity or IT or redundancy. We should probably come out with a cheat sheet for that, Joe. I would love that. And post it.

Joe Patti39:13

All right, Adam, sounds like a good idea. You got it.

Adam Roth39:18

Wait, wait, does that mean I have to do the work?

Joe Patti39:22

This goes back to when we worked together. My favorite management trick is whenever someone comes to me and says, I got this really good idea. We should do this. I'd say, excellent idea.

Adam Roth39:31

But why don't what you got? I don't, I don't, I don't work for you anymore, but why do I feel like I have to do it? Because you were my boss at one point.

Joe Patti39:41

You see, Sal, there's also a little psychology involved in security. Okay, so we went through a bunch of stuff. Sal, do you have any questions that you want to ask us? Anything? We tried to think of some things we thought would be interesting to you, but anything on your mind?

Adam Roth40:00

Before he asks, I have one question for Sal. Am I a better lefty or a righty in the ring?

Sal Toner40:07

I think you're better with your feet, because the only time you ever really hit me was with his knee.

Joe Patti40:11

Oh, here we go. He's better with his feet.

Sal Toner40:15

He's better with his feet than he is with his body. That big guy? He just tackles me.

Joe Patti40:20

And then he throws me into my head. I'm calling you Twinkle Toes now. There you go.

Adam Roth40:25

I feel like Twinkle Toes. Go ahead. I'm sorry. Go ahead with the question, Sal.

Sal Toner40:32

Basically, I know kind of Adam's background. Joe, can you give me like a little rundown of your history in the cybersecurity world, just so I'm sure that there's someone that might be listening to this podcast that didn't catch the previous ones. Give me kind of a rundown of what you do and what you did and kind of that kind of stuff.

Joe Patti40:53

Okay. What I do is I've been in security for quite a long time. I actually started out on the technical side and I was involved, I started doing security when I worked for the government and when we started building, like when the commercial internet first started in the 90s, we started putting up websites, like building them ourselves, there was no GoDaddy or anything. So he's doing a lot of stuff like that. Since then, I've become much more of a manager. And I typically have had jobs where I manage a security team and will run it for a company. And that's what Adam and I did together. And I can tell you, it is some days, I wish I was a trainer and was getting kicked in the head by Adam. It would be less stressful and less painful to be doing. It is, it is not a lot of the things we go over in the podcast. We say it is not an easy job there. It is a very imperfect science and there are a lot of really difficult situations and difficult decisions. And that's a lot of what we talk, what we talk about here. Um, you know, and you know, especially, you know, we're trying to, I don't know, I guess for people who are interested or people just want to hear about how we've suffered over the years, I suppose that's entertaining. But no, that's what I do. And very much what we do in security is we solve problems, really. You know, you've got a problem, you've got a business problem, you've got something you need to deal with, we help, we solve it.

Adam Roth42:28

And that's why I cause problems.

Joe Patti42:31

Yeah, besides the stuff, besides fixing the stuff that Adam causes, we also solve problems. But that's, that's what that's what we do. And that's, and that's where I come from. And Adam and I argue about whether, you know, Jersey or Staten Island is better to we all know the answer to that. But anyway, is that Adam has actually gotten me to drive to Staten Island on occasion, just drive through it or drive to it.

Adam Roth42:59

Drive to it, though.

Joe Patti43:01

Drive to it to meet him, actually. And I have driven through it occasionally.

Sal Toner43:07

Adam, for the fans, can you give a quick little synopsis of your life in the IT world?

Adam Roth43:15

Yes, sure. I've probably been in IT for over 25 or more years. Um, started out more on the networking side as a network person, but I mean, my network is setting up something called routers, which is in firewalls a lot that allows the connectivity of the company to connect to the Internet and other and other hosts on the network, and then slowly progressed more into management of those technologies, managing multiple teams, help desks, something called NetOps or the network operations and a network operations center. And then finally, I moved into cybersecurity fully where I met Joe. And my responsibility was more on the engineering side, working with different technologies to protect an international organization that was responsible for merger and acquisition data, among other things, some of the most sought out intellectual property in the world. And it's a monumental task for me and my teammates, working along with the management team to protect that data. I've had a very diverse career and then just to add, I've also been involved in physical security. What I mean by that is working with organizations, especially large sporting events, to monitor the, uh, the activities of those sporting events with cameras and access control and, uh, artificial intelligence looking for threats in those, uh, um, sporting events. So yeah, pretty diverse. I've been known to get in the ring too.

Sal Toner44:58

All right. Let's not get crazy now.

Joe Patti45:02

I know I've heard a lot about the ring. We'll see. I don't know. We're going to have to talk separately and hear about what percentage of Adam's stories are real or not. I don't know.

Sal Toner45:12

Unfortunately, I think more than it should be are real.

Adam Roth45:19

Joe, I'll tell you this. I've been known to dance in the ring when the music is on. When I mean dance, I'm not talking about like Muhammad Ali or any of those. I mean, I just mean literally dance.

Joe Patti45:30

You mean like Fred Astaire?

Adam Roth45:32

I'm not that skilled.

Joe Patti45:34

Not that skilled?

Adam Roth45:35

More like, you know, wannabe hip hop. That sounds about right.

Joe Patti45:42

All right. Okay. So we've been talking for a while. This is the part of the show where we say, it's last call. We're getting to the end. So I normally ask Adam what he wants to, what else might be on his mind, but we have a guest as our esteemed guest. What can, what more can we do for you? What else would you like to say? Anything you'd like to declare, especially if it's about Adam, that's fine.

Sal Toner46:09

Oh man. I'm actually just going to say thank you. Appreciate you guys for having me on the podcast. I appreciate you guys for, um, giving me the opportunity to kind of talk a little bit about small business cybersecurity and kind of let me into your world a little bit. I appreciate also your expertise. Adam is always there to help if I need anything. So I appreciate that. Joe, I'm looking forward to kind of growing in our friendship as this podcast reaches 100 million. You guys said you had 100 million viewers.

Adam Roth46:42

Oh, yeah, we're short. We're short about 99.

Joe Patti46:46

Take the million off.

Sal Toner46:48

But yeah, no, I'm excited to kind of see where this goes and excited for you guys on this journey.

Joe Patti46:54

Oh, great. Well, Sal, thanks for coming on. We really do appreciate you taking the time and giving us the benefit of your insight and real-world experience. If there is anything we can help you out with, we certainly will be happy to with all this stuff. And hey, get to the end. This is like, you know, radio. Give yourself one more plug. Where's your place again?

Sal Toner47:16

I have two locations. One's 10 Brick Court, Staten Island, New York, and the other one is 12 Bradley Avenue. Staten Island, New York. And you can follow us on Instagram at fckasfitness, our website, www.fckas.com. Yeah, thank you for that.

Joe Patti47:35

Okay, no problem. And Adam, you do our plug.

Adam Roth47:39

You can follow us on something, something, something, Buzzsprout.

Joe Patti47:44

We have Twitter, too. It's at cocktail hour.

Adam Roth47:47

We have that?

Joe Patti47:48

Yes.

Adam Roth47:49

Oh, I didn't even know.

Joe Patti47:52

This is what, this is what I deal with all day. You know? Nah, we have that.

Adam Roth47:56

You think you have it bad? You should see him in the ring with me. He runs out of the ring. He's like, I'm done with you, Adam. I can't train you.

Joe Patti48:05

We're on Twitter, and we have our email address, feedback, at securitycocktailhour.com. Please, send us some feedback. If you have questions, need help with stuff, have ideas for the show, or, as I've said, I can't wait to get some hate mail. We're reading it on the air. Nothing could be better than that.

Adam Roth48:24

I can't wait to get in the ring with Sal and then put the after-hour party on YouTube. Can't wait. Sal's going to beat the crap out of me. I'm looking forward to that.

Joe Patti48:32

We're going to have an exciting after party, a boxing match exposition, whatever. If that all comes together, as long as Adam doesn't chicken out on it.

Adam Roth48:44

I might. You might.

Joe Patti48:46

All right. Okay. I think we're good then. Awesome. Thank you guys again.

Sal Toner48:52

Thank you.

Joe Patti48:53

Thank you, Sal. Thank you, Adam. Thanks everyone for listening. And we will see you soon.