Cyber Business Podcast

How You Can Increase Your Company’s Revenue Using CyberGuard360 With Al Alper

Written by Matthew Connor | May 5, 2023 9:00:00 AM

Al Alper is the Co-founder and CEO of CyberGuard360, a cybersecurity solutions and services provider. As a technology and security visionary, Al is passionate about providing his clients with the equipment necessary to support and protect company software and data. He is an award-winning speaker and cybersecurity and compliance expert. His best-selling book, REVEALED!, provides information on how business owners can protect their companies from cybercriminals. 

 

Here’s a glimpse of what you’ll learn: 

  • Al Alper shares how CyberGuard360 provides value to its clients 
  • The products CyberGuard360 offers — and their purpose
  • Advantages of running a penetration test 
  • How CyberGuard360 administers its penetration test 
  • Al outlines the three pillars included in risk assessments 
  • How managed service providers (MSPs) have an opportunity to launch a new stream of revenue 
  • The future of cyber compliance and how you can prepare

In this episode…

Most businesses don't prepare for the possibility of falling prey to a cyber attack. Without proper security in place, your data could be breached at any time. You can mitigate that risk by installing a security system before it’s too late. But with countless cybersecurity companies available, how do you know which system will maintain your company’s security? 

Being proactive concerning your company’s safety will save you time, money, and worry. Risk assessments and penetration tests are tools used as a defense against cyberattacks. By evaluating the administrative, physical, and technical elements of your business’s processes and conducting a mock cyberattack, you can decipher weaknesses in your security — allowing you to ready your defenses before it's too late.

In this episode of The Cyber Business Podcast, Matthew Connor welcomes Al Alper, Co-founder and CEO of CyberGuard360, to discuss how his company’s products provide value to its clients. Al thoroughly explains the purpose of each program, the advantages of running a penetration test, the three pillars of a risk assessment, and the future of cyber compliance.

Resources mentioned in this episode:

Sponsor for this episode...

This episode is brought to you by CyberLynx.

CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.

The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.

Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensures that clients are 100% satisfied. 

To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.

Transcript:

 

Matthew Matthew Connor here, host of the Cyber Business podcast, where we feature successful business leaders, top law firms, green energy companies and more. Today, we're joined by the Amazon best selling author, award winning speaker, the charismatic and gregarious CEO of Cyber Guard 360 Al Alper. Al. Welcome to the show.
Al Thanks for having me. I saw your eyes following everything you had to say yesterday.
Matthew I'm not great with the teleprompter, so I read my words. I got this.
Al Damn good job.
Matthew I can read, check.
Matthew Okay.
Matthew So before we get into the show, a quick word from our sponsors. This episode is brought to you by CyberLynx icon, that cyber and ex-con CyberLynx is a complete technology solution provider that ensures your business is not only the has the most reliable and professional i.t service, but also has the right cybersecurity solution to ensure your business stays productive and safe.
Matthew All right. And now back to our show. Our thanks for coming on today, buddy.
Al Pleasure's all mine. Thanks for having me.
Matthew Of course. All right. So you are the, as we said, charismatic and gregarious CEO of Cyber Guard 360.
Matthew Can you.
Matthew For those not now familiar with it, can you give us a rundown? What is cyber guard 360.
Al Oh, man. So we're the be all end all. No, just kidding.
Matthew That's right.
Al So we are a cybersecurity solutions platform that companies like CyberLynx and others avail themselves of to make their clients and customers safer, more secure and more compliant. In a nutshell, how's that for you?
Matthew That is a.
Al Very good.
Matthew Nutshell. Love it. And you know, it's CyberLynx. We we use Cyber Guard 360. Love it. So if you could, let's let's break it down because there is so much packed into cyber guard 360 that really does allow companies like like CyberLynx to to provide a lot of value to our clients that's otherwise really difficult for them to do.
Matthew I mean, they they're always so busy with their day to day that if they don't have some way of doing a lot of the compliance stuff, a lot of the security stuff, it just doesn't get done. So a lot of that is in in Cyber Guard 360. You guys do a great job of that. So can we you can you start breaking it down for us.
Matthew How does it work.
Al So so when we start with like the beginning in the beginning it was Adam and Eve. My version of that story is in the beginning we had this idea of, of bringing all of the moving parts of all the cyber solution space, right? So if you look at the if you look at the plethora of vendors out there that provide cyber security solutions, it is, you quickly see a couple of of glaring problems and holes in the space.
Al First and foremost, not every solution covers all aspects of what it's designed to do, not because they're not good solutions, but because, you know, they have a very narrow focus on what it is they're trying to accomplish. They more typically than not do a good job at it. But there are some fringe elements that they don't necessarily touch upon.
Al The other thing was, is that they don't talk to one another. And so for a company like CyberLynx, as an example, if you were to assemble all of the moving parts of Cyber Guard, you'd have to have solutions from about a dozen vendors cobbled together that you as a provider would have to learn a dozen different uses. And you exs a deal with a dozen different support organizations and pay the additional burden of overhead for all of the OP acts associated with all the dozen companies that come with it.
Al And so necessarily for you to bring a complementing solution to market cobbled together from other vendors, your costs would be 8 to 10 X of what you're paying from Cyber Guard. And therefore you'd have to charge 8 to 10 X and you would quickly become noncompetitive. Worse than being noncompetitive is that your customers would shy away from some of the products and therefore they would be less secure.
Al And that's really for us, the big that's the big problem, Mike. We want businesses safe and secure, not just because we want them using our product. Yes, we want them using our product, but because we believe the only way to stop this, I almost cussed the only way to stop it. So that B.S. from hackers is to make everybody safer.
Al And the sooner we can participate in securing as many, as many businesses as humanly possible, the better off everybody is, because a safer community is a better community for everybody that participates in that marketplace. And so our goal with Cyber Guard was to solve those problems. How do we make it affordable to secure your clients and therefore we built all of our own solutions from the ground up.
Al How do we make sure that we capture the fringe pieces of solutions that a lot of our competitors in those silos don't necessarily address, if you would, because they're looking at the low hanging fruit as a way to generate revenue and then really the £800 gorilla that nobody addresses but us, frankly, is how do you look at all of that data at a 30,000 foot level and say, okay, when when users behave this way over here and this way over here, this is what happens over here.
Al And so if you as a site using cyber links as an example, if you were to do that with a dozen products, you would have to export data from this one and this one and this one and this one and this one. Dump it all into Excel. Spend an a weekend doing spreadsheet masturbation on the numbers and come out with like, okay, this is, this is my client's problem.
Al And you have to do that for all your clients. And by the time you've finished doing it, they've had days and days of new business, of new threat intelligence coming in from all vectors of their organization and all your data is outdated. And so our our job, our goal really, and what we believe our job is, is to take all of these moving data points and and triangulate them so that we can form an opinion as to the risk posture of all of the moving parts of an organization, the users, the policies, the the culture of the organization, the end points, everything so that your clients CEOs can look at what we call our employee
Al vulnerability index. It's really one of our many KRIS scores that we have. Kris stands for Cyber Risk Index score and say, Oh, these employees are an element of risk for our organization that I need to mitigate. As a CEO today. Your CEOs can't do that by using competing products. It just can't be done. There's not enough information. And so we provide that what I call visit, I call it solving the visibility problem.
Al We provide visibility for CEOs that they just can't get by assembling other other competing products.
Matthew That's fantastic.
Al So a lot of.
Matthew It is a lot. I mean, and to be fair, you know, cyber guard does a lot. So how do we break that? Can we, you know, kind of go through it? Let's let's go. Because, you know, if you look at their, you know, the Cyber Guard website, right? Let's say you're brand new to it and you're looking okay, You've gone to Cyber Guard 360.
Matthew You see the different products. I mean, let's start with that. Let's break down the products, see how this all applies, you know, and how does this how does an MSP use these individual products to create that holistic, you know, security solution that you mentioned there?
Al So let's let's just take a let's take a look at the variety of products that we have, and then I'll sort of using what I just talked about, how you know, visibility and show how there are those moving parts sort of convey that information. Right. So we do dark web monitoring. We do we do breach analysis, we do simulated phishing.
Al Our policy management modules are rock star. We do penetration tests, we do vulnerability assessments, we do awareness training, we do micro trainings, we do our risk assessments are also rock stars. Our cyber resilience assessments are rock star. So we've got those are those are a lot of the moving parts of the platform. There's some other other things that are under the hood.
Al There are less sexy than that, saying it out loud. It's not going to mean much to the audience, right? So if we talk about visibility, let's talk about how how we're able to convey the riskiness or the vulnerability of a user better than other solutions out there. So, yes, you can you can give them awareness training as an example, right?
Al Awareness training is is, as it says, ubiquitous, ubiquitous as air and water. Everybody and their mother offers user security awareness training. The problem with security awareness training, as we see it, is twofold. First and foremost, it's a state in time evaluation of an employee, which means nothing. Because and why I say it means nothing is and I'm sincere about it, is because it's just like high school calculus, right?
Al I got an A-plus in calculus in high school. That was long before the GRE in my beard, which by the way, I'm only 26. But this is what marriage will do to you. So long before the grit and I got an A-plus in calculus, I couldn't tell you a damn thing about calculus today. And it's not because I have a crappy memory and I do it because I don't use it.
Al And so even if you got a perfect score and awareness training test, I would guarantee in three or four months that user that got a perfect score probably would fail again if you gave it to them. Cold on the spot. And that's because they use it or lose it. They never use it and therefore they lose it. Right.
Al And so that's why we also offer micro trainings, which are these weekly security shorts, we call them, that get sent out an email and we track don't do the users, open them, open that email, because by way of email, do they open them? Do they actually watch them or do they just ignore them? Do they speed through them?
Al And so we use that to see are they keeping security top of mind? So if they got an 80 on their security awareness training test in January and they've watched none of our security shorts and we're now at the end of April, the chances of them passing today or zero approach zero if they have been watching the shorts, they'd probably do well as well or better than they did in January.
Al And so that's that's that's part and parcel of that. We also monitor the dark web. So part of that training is, listen, you can't use company assets off of company property. And if they're email, email, address and password, show up on the dark web, which, by the way, is owned by your client companies and not by their users.
Al It shows up on the dark Web. Two things are true about that. One, they have not paid attention to the training the way they should have because part of our training tells you why you shouldn't release your credentials in in the on the Internet and never give it away. And you should rotate and things like that. But also our policy module, if they've attested to an acceptable use policy that says that they're not allowed, they by they are by company policy, not allowed to use assets off company property and their email shows up on Ashley Madison, then they are in violation of company policy, in fact, and we highlight that.
Al And that actually makes them in a far riskier employee because not only are they not paying attention to the training, they're now directly violating what the company has told them to do. h.R. Loves that because h.r. Now has recourse. But more importantly for a ceo who gets that information and that all gets factored into the employee vulnerability index.
Al For a ceo to have that kind of visibility because the likelihood of a user to break policy to do anything they want is very high. That means if their superiors tell them what to do, the chances of them doing it are very low or lower than the average employee who otherwise follows company policies. And so they become a very risky employee to the organization in the company.
Al And that level of visibility, this gives a CEO the actionable intelligence they need to do something before this employee caused them to be breached or before the employee goes sideways, as I call it. And that is that to me is utterly invaluable because I've never met a CEO whose primary concern was whether or not there was hot water in the bathrooms.
Al Their primary concern is how do I mitigate risk because it's them that own it and we provide the visibility for them to mitigate at least the the the visibility to make some decisions about risk that they don't get anywhere else. And so but maybe I don't know if I explained that well.
Matthew But.
Matthew Actually I think it's great. And the thing that I really like about that is I think it it can be really challenging, you know, from let's go from my perspective, as you know, you know, from CyberLynx perspective, trying to to communicate that to to a business owner who is always, you know, while they're they're constantly weighing that risk, mitigating risk, they're also weighing that against against, you know, their their bottom line.
Matthew So they're trying to keep costs down as much as possible. And if you can't clearly articulate, you know, how you mitigate this risk, what the risk is and how they can mitigate it, how this empowers them to have better visibility and and empowers h.r. When when you've got a high risk employee who is like i've been looking to, you know, they they've been causing trouble in other areas.
Matthew Great. This is this gives us teeth now. So I think these are great things. Yeah, sure. Maybe that doesn't apply to a small business with five employees or ten employees because they don't have any department. But for those larger companies that do, you know, to empower them. So I think this is great. You know, honestly from the MSP side, this is great sales material.
Matthew This is great education for guys like me as to, hey, how can we I'm always looking for that magic combination. What is what is the magic combination words? I have to tell this business owner for them to understand the risk and take action. Now, because I can't tell you how many times we've had we've had clients come to us and then we're like, Yep, you need to get this, that and this.
Matthew And they're like, Okay, yeah, but now's not really the time. We're really busy with this stuff. Let's circle back in, you know, a little later, okay? But you really need it. We will. Low and behold, we get a call a few months later, be like, Oh, shit. Okay. And now they want to do it because there's been a problem.
Matthew And if only I knew that magic combination of words, they could get them to realize that it's now not later fear mongering. Right? Because that's that's the other thing you're always trying to balance is, you know, trying to scare people into security. You want to empower them and give them those tools and make it make sense for them.
Matthew So I like what you're saying, and I think it helps a lot of MSPs to present that. So what you've currently presented now, that was the you know, the, the, the PII portion of it, right? That which which product are we talking about there? So when they go to the product page, they're looking at CP 363.
Matthew 60
Matthew Which by the way I don't know what they standpoint, oh I do with cyber prospecting but I don't know what it stands for. It's not under there. So I'm always like, what is I going to ask? I'll at some point that's an OB 360.
Al I know it's a border.
Matthew They'll get excited. So we're going to have a.
Matthew Few more questions. Bringing it that shirt off maybe. So if you could. It's Friday.
Al Okay. I should have a can. Have a beer.
Matthew Yeah, please.
Matthew By all means.
Matthew That's very well planned to have a party in my office.
Matthew There you go. So which product was that that you were you were just talking about? So when people go there, they can. They can see. Oh, okay. That's covered under the.
Al Yeah, that's so that's, that's part of our core PGY 360 platform. All of those are part of the core plan and that's really the that's the, the single pane of glass through which all the other moving parts of our of our solutions. So we've got four different platforms, so to speak, presently. PGY 360 is is the portal through which all the other their sister platforms communicate because that's also the aggregating point of the data.
Al And so we inform we so OB which, which, which is our technical tool suite for pain testing, vulnerability assessments, breach, probability engine, things like that that sits in.
Matthew OB You're not going to tell us what AUB stands for right now. You're just messing with me.
Al It's not an obstetrician, by the way. I think it's.
Matthew Whole new to it. I guess.
Al Well, penetration testing.
Matthew So you heard it here first, folks.
Al It is Friday and then Ora, which is where we do CMC assessments and HIPA assessments and and FINRA and I, Tara and all the other things that that are in Ora and then C.P, which is our prospecting platform. So where you can where where MSPs can use that to, to prospect this really new business so to speak. And this you know breach breach Darkweb searches and cyber assessments and there's actually an element in there of Chris which is our Chris zero which is our breach probability engine.
Al So you could you can evaluate the exterior of an organization and and determine the likelihood of a breach based on their their external posture. It's actually a really powerful tool. Not enough MSPs avail themselves of it, but it's an incredibly powerful tool and incredibly powerful prospecting tool as well.
Matthew Now, which one are you talking about, the vulnerability assessment or.
Al That's. No, that's Chris. And so in in the prospecting tool set, which is which is part of PPG, it's it's a separate platform, but it's built into PPG as well. So there's one of those prospecting tools is Chris. It's Chris zero actually. It's our first rendition of Chris, which is that cyber risk index score and it is a breach probability engine.
Al So we we evaluate. So if you were to give us a domain or an IP address or something like that, we actually want both. Frankly, we would evaluate and and give a score of Michael like score from from 300 to 850 just like cycle. And we did that intentionally because everybody knows cycle right.
Al As to the likelihood of you being breached. So we evaluate we evaluate thousands of data points, but in in simple terms, we look at externally available information from anything from S3 buckets to to bankruptcy, to Darkweb to to the vulnerability posture at the perimeter. And then we triangulate that and try to try to break in and using the assets found in the public forum.
Al And if we're successful or the level to which we're successful and the time it takes us to be successful. So we can tell you how long it would take somebody to break into your organization and therefore we can determine the probability of that of that breach happening. It's actually it's a really it's a really it's a great tool.
Al I mean, really.
Matthew I know it is. And I was going to say that we we recently ran our first one just a few weeks ago, and it was actually really fantastic. And I was like, I should have been doing this, you know, before. It actually creates a really great report that you bring to the prospect or client. And it it's really great.
Matthew And the fact that it is that FICO like score I think is is fantastic as people really get that it makes it makes perfect sense. Oh, I'm sitting there. Oh, crap. All right. Time to start paying my bills on time.
Matthew So.
Al Well, the funny thing is, you said two things that are really interesting. One is it creates a really nice report you give to your clients. So that's I mean, that statement says a lot about what we do, because if you notice and I'm sure you have every report that's created in our platform is not technical, like engineers hate our reports and they hate our reports because they don't have technobabble in it.
Al They want to know which Bitton bite went sideways. CEOs could give a crap less. They want to know if it went sideways. That's the only thing they care about and why That's it. And so that report, you can literally take it as is to a CEO because it's written for a CEO. Is that written for you? I'm you know, I love you back.
Al But no, it's not written for you. It's it's designed for your customer to say, oh, crap, I got to do something. And so that's and that's true for all of our reports. Everything we generate is generated with your customers in mind and not you. And I can tell you that some of our partners don't like it. They wish it was more technical.
Al I'm like, Listen, well, I guess you're going to have to create your own report.
Matthew That's right. I got to disagree with them because, you know, basically, you know, from from my perspective, I feel a little bit of data. I push a button and out comes a great report that's already it's got our our logo on. It's got our name on it. It's got the clients information on it. It's got, you know, the you know, the the pretty you know, the pretty graphs.
Matthew Right? You're pretty. Chris Score, score. I love you know the colors are fun it works nicely and people and it's it's much more an executive summary that CEOs are going to say I get it cool they you know they don't want the details you know I don't want to bore them with it because then you're like Charlie Brown's teacher.
Matthew Mom, mom, mom, mom. They're being polite and waiting for you to shut up. But come on. And there's none of that in this report. So, yeah, no, it's it's actually really cool. Very powerful. And. Yeah.
Al Yeah, I just I mean, I recommend running it at least once a year. I mean, it's, it's, it's a, it's for, for people that don't do regular penetration tests, it is a it is a tremendous value proposition and a phantom tastic alternative for those who don't want to go through the cost and or proctology exercise of a pen test because you can get an enormous amount of information out of that.
Matthew And let's get into that because that is also something you you offer those those proctology exams. So let's let's dive into your your pen. What some.
Al I'm not talking about my weekend activities but.
Matthew Yeah.
Matthew Every week at the so it's just excessive. I'm sure your practice just loves it but still excessive.
Al I'm the one that wears the white coat.
Matthew Sure.
Matthew I know. But seriously.
Matthew So let's. Let's get.
Al To.
Matthew Your pen test. What's it like? What's it do? What are you testing? How is it different from, say, your Google pen test? There's you know, there's plenty of groups that offer it. What's the what's the advantage here? What are we looking at?
Al Sure. So so let's start with the an understanding that there's no there's no hard definition for penetration test just doesn't exist. If you look at if you look online, you get a lot of opinions which likes fingers. Everybody has one. They all stink, right? But there's no heart. A penetration test is is nothing. In layman's terms is nothing but an attempt to a legal attempt to break in and try to and try to harvest information.
Al That's the extent of it. There are the purists and I'm not saying they're wrong, there are the purists that for a penetration test has to be a whitehat hacker who is a whitehat hacker for anybody who doesn't know is is a professional hacker. But they don't they don't do it to for it to steal. They do it on behalf of companies for good to show them where they have holes in their architecture.
Al Okay. And so it's a whitehat hacker with an arsenal of tools that that attempt to break in all of every one of those tools they use, just about every one of those tools themselves are arguably pen tests. They just do it. They just do certain types of penetration tests. And so I'm having that discussion for a reason because there are going to be people who see this podcast simply, well, that's not a pen test.
Al Again, it may not be the pen test in your mind, because for you, it's a it's a guy in a white hat who has 50 tools that they use and they try to break in and they they use their own manual skills to do that as well. And yes, we've done those as well. So I'm not saying that that that's not a great service.
Al And for those who really want to go deep, you need them. That's not what we do. So we're an automated pen test and our tools evaluate individual assets typically by an IP address. That's how all assets that touch everything on a network, whether it's the Internet or a private network or at home or in the office, including your cell phone when you turn on your hotspot, is a is an asset and we and get something called an IP address.
Al I know you know all this, but again, for anybody who might be listening and that IP addresses their address and then we look at that address and we try to find every open door and window in that house. And then when we find one, we try to break it. And if we get in, we stop and say, Hey, we got in and this is what happened.
Al A pen tester will go much deeper. They'll go in, they'll look for more holes. They'll do so. That's what that's where the Whitehat hacker comes in. And again, depending on where you're going with depth and what you're looking to do, definitely recommend hiring somebody like that and happy to give you names of people that can do that. And several that I know that do a phenomenally good job at it.
Al And our tool would be one of the tools and their toolbox, frankly. And as I said, they have a suite of pen test tools. So we do that. You, we, we look at the address, the IP address with that house address of the asset on on the network. And we will attempt to we will we will look under every nook and cranny to find any possible opening that there is.
Al And then we will try to break in Nice and if we're successful, report it out.
Matthew And now we're not.
Al We'll put that out.
Matthew Absolutely. And so then you get to let's say you get to define that in, you know, as the person requesting the pen tester. You could say, hey, I need you to try to I need a pen and test for this particular IP address. So let's say it's the office there, there firewall right there. Correct. Or they're their website maybe.
Matthew Right. Or maybe it's both. Right. And generally, you know, people want to know, is my website secure? Is my email secure, Is my office secure? That's kind of the extent of it. And now with the, you know, I suppose since COVID and really the office has become a lot of home offices and the office. Right. A lot more so than it used to be.
Matthew So do you do how do you go about that? Let's say you've got a client who has. Yeah, they've got an office and that needs to be tested. But then they've got a number of employees who work from home. How do you go about getting that? You just get the IP address of that and you know, their home address and do that at that.
Matthew You know, when you've got that? Or do you have a an agent that you you send out, what are we looking at.
Al So I'm not going to wear my cyber guard had now because that's that's up to the MSP how they want to do that. So I'm going to wear my hat as if I were a1i were you. I was an MSP. How would I do that? So first at first and foremost, you know, running pen tests on home IP addresses are going to find a million holes.
Al That's just a fact. Those home routers are the worst. And and so, you know, any any any any MSP worth their salt and no disrespect if it's not used so I don't mean it in any way shape I don't know your answer so I'm just to say my opinion right and we've already established how much is an opinion's worth.
Al So any, anybody working from home should be operating through the office's VPN just what they should be doing and if and it should not be in a split tunnel for those that don't know, what that means is that if you're in a VPN, the only internet you can use is the internet from the office. You can't use your home internet and the internet from the office.
Al The minute you're on a VPN, all internet traffic goes through that office firewall that by definition will cut down. That will shrink the attack surface dramatically. The attack servers are all the exposures on the Internet that you have. Right. And so if that's happening, you only need to test the firewalls. The point the problem with testing, the first of all, it will get very expensive very quickly, testing everybody's home IP address and they are all guaranteed to find major problems.
Al And no one at a home office is ever going to mitigate those those problems. It's just it's too expensive. And so it's really an exercise in a very expensive, expensive exercise in futility.
Matthew Yeah, well, and you know what? And that makes it great. You know, argument for the this is why you have to have, you know, all of your employees who are working from home on that VPN. That's not split tunnel right. So you've got to have something set up too where it's all secure and coming through your network and you have control over it versus them just willy nilly.
Matthew Okay, excellent. So that is your pen testing. We've gone over the privacy, you know, the PGY 360, a little prospecting. So now risk assessment. Okay. I am still curious what Oby stands for, but I'm going to let it go.
Matthew At some point.
Matthew So the risk assessment. All right.
Al 360 So so and obviously our stands for risk assessment. See, I gave you all I did nine.
Matthew And two GS on there to see.
Matthew Is there.
Al Maybe at the end of this will get everybody to stick around till the end.
Matthew Go That's about.
Al So. RG three So that is a those are enterprise grade risk assessments. And so if think about so if you think about a HIPA assessment, right, let's use that as an example your your basic pediatrician obstetric and GP doctor's office. Even if there's multiple, maybe if there's multiple practitioners, your typical hippo risk assessment for an office that size will be about 90 questions long.
Al And there's a variety of things and there's a structure to that. Soraya Security risk assessment is what sorry stands for that you're obligated to meet as you become a bigger health care entity, entity and enterprise. You've got to take a much more deliberate and diligent risk assessment. So an enterprise grade risk assessment for hospitals and health care providers is of scale are about 1100 questions, and they are significantly more detailed.
Al They are quite literally are a proctology exam of every orifice in that business. And it is it is lengthy. It takes hours to complete just the administrative pillar. So for the audience, there are three pillars to a risk assessment administrative, physical and technical. The administrative assessment, which evaluates the company's posture and culture, is what that Q&A is, and it evaluates what the company believes to be the security posture of their organization and evaluates policies and evaluates employee evaluation and evaluates everything as part of that administrative pillar to determine what is the company culture of security in organization.
Al The physical pillar is actually a physical inspection of the plant. Are doors locked? Are there security cameras? Are are screen screen what you're talking about? Protect your privacy screen. Are they on there are screens facing windows or or hallways that people can walk by. I remember I did a R.A. was of that scale and I walked into the lobby.
Al And when the CEO came out to meet me, I told him he failed while he was shaking my head. He's like, What are you talking about? You just got here. I'm like, Look through that door. And the conference room was open, which opened to the lobby and opened into the claims center. And I had three screens facing me and I could read the health records of everybody on the screen.
Al Now that is a violation. And you will be shot. You will do the perp walk for that.
Matthew Yeah.
Al And so, you know, these are the things that apply. A physical inspection is required to go through and evaluate. And then lastly, you have the technical inspection, and that's where, you know, that's where you'll go in with all the tools in your toolbox and you will evaluate the technical posture of the organization, everything from firewall configurations and logs to the hardening of the endpoint to the switch routing and everything in between.
Al Right? And so those are the way that risk. So when you think about an enterprise grade array that is that is a I mean we've done those in a in a previous life, not in my cyber guard life because we're not a service level organization, but I've been involved in MSPs in my life. So I can tell you from my own experience that, I mean, I've done half a million, three quarter of $1,000,000 raise, you know, for national organizations that require physical inspections and and you've got to go in.
Al So we did a we did a 600 was a little more than 600 location bank. And we needed a statistically significant sampling of plant in order to make and to extrapolate what the physical posture was. And so we visited I think we visited nearly 100 branches. And so that's that's physical boots on the ground. I mean, do the math, right?
Al At $3,000 a day plus today, it's not an inexpensive effort. So but that's what that's what our is. It's an enterprise grade risk assessment. We've got a cyber resilience assessment in there as well, a ransomware readiness assessment in there as well. And that's really designed for for MSPs and MSPs and CEOs, frankly, to to go in and do a a serious due diligence assessment.
Al More typically than not, they're obligated to some compliance regulation like CMC, like HIPA, like ITAR, like D, FA, like like CC, like some larger regulatory requirements that demands that they do that level of assessment.
Matthew Well, let me ask you then. So the the a360 in terms of let's say CMC, because I think you know, probably more often than not MSPs get more clients that have CMC requirements than, than a lot of others. I mean. HIPA Sure, but I think a lot of people have kind of stopped it that yeah, and they're more on that.
Matthew The CMC side, people are like, You know what, I'll take the HIPA. Fine. I think it's more, more what's happening on the smaller side. And then as you get a little larger, those, those, those practices are gobbled up into the bigger organizations. So it's really tough for those small medical practices, I think. But the on the CMC side, so in our a360, do you have a specific CMC audit?
Al Yeah, we do specific CMC. I mean that is CMC tool, so it's the current version of that, believe it or not, the most, the most the single biggest vertical for which rays are done is in financial services.
Matthew I could see that.
Al And that's because the every state in the Union and the federal government have requirements for financial services. That clue to risk assessments. Yeah you know be the very first one in the nation started in New York with with the New York State Department of Financial Services regulation 23 NYC rr5 hundred. Sadly, I know that by heart and that that was the very first cybersecurity regulation in the nation and it mandated a risk assessment.
Al And every and every state in the union has picked that. And Texas has Title seven part four. You know, just every state requires it and it Department of financial Services in an interesting way. I don't mean just in New York like all of the state financial divisions of that of those governments require it excuse me. And that's because the you know, the the sensitive data they hold and also because of the FTC regulations for safeguarding data, which is section 314 of the oh my God, Section three.
Al I know a lot about this stuff. I'm not even sure why requires that financial institutions have a risk assessment and do penetration tests and have a cyber policy for cyber for for for protecting consumer data. And so the merge the lion's share of risk assessments, not just on our platform, but but writ large are for financial services organizations.
Matthew Well, so I.
Al Would even though hip has been around forever.
Matthew Right. Yeah, exactly. So You know, this is not something that we've done really anything. And so, you know, this is kind of interesting. And I think, you know, a lot of my piece is maybe that a lot of the smaller ones at least, are probably in a similar situation. So I'm curious, does this then open up armed with, you know, 360, does this now open up a whole new branch of business, a whole entirely new revenue stream for the the MSSP?
Matthew Who could then say because these companies I'm sure let's say that let's say it's a bank and they use a, you know, some MSSP fine Well that MSP probably shouldn't also be doing the risk assessment as well. You can't write they're not auditing their own stuff. Be like, Oh, we're doing great. Says who? Says, Well, okay, that's great.
Matthew I believe you. Right? So does this open up that that door? You know, at least on the risk assessment side and the security side, to say, hey, look, independent third party risk assessment. Let's see how your current, you know, provider in your current situations doing is is that.
Al So far so I mean you could certainly so the the the risk assessment for financial for the smaller more traditional financial service. So I think insurance companies and agencies think mortgage companies and brokers and title insurance companies, etc. they don't need in great risk assessment because in the PPG platform is also a risk assessment and it's a nice base risk assessment.
Al So that's perfectly suitable for those. I would say if you are sub 250 employees, sub 50 million in revenue, you could get away with that, that risk assessment and that's in PPG. If you start going above that or you have multiple you know, if you have more than a dozen branches, I would, I would encourage you to look at Aura as a as an assessment tool instead, because you'll tend to be audited by a large or more powerful government body.
Al And therefore they're going to want to see a more deliberate assessment.
Matthew So just to clarify, they're not not to interrupt you, but I suppose to interrupt you. So to interrupt you.
Al To do my job.
Matthew So would you say the position then on CMC, though, would you say R.A. 364 for a CMC?
Al Now CMC, a whole different set of requirements because CMC has has very specific questions. Well, let me restate that for sure. So CMC three has two, has three of, of of of requirements if you would read maturity. Thank you. Seamless. He actually said that the cyber security maturity model. Yes and so level one which is the self assessment levels the PGY, the PG risk assessment is perfectly fine for level two.
Al You should use the one in aura. And that's because if you're a level two, you are at or near the prime contractor level and they are going to want to see a more deliberate risk assessment that go through the 110 controls of this 171 And so that's why you're going to four. For those that are that need level two, you should use RSA.
Al For those that don't need level two, that need level one to self assessed. And nobody should self-assess by the way, they should always have a third party do it strongly encourage that. And any MSP could do that. By the way, if they just you know, they, they and maybe I'll actually do a webinar on how they could do it because I think I can that they just I think they're just afraid of it.
Al They don't understand it, but they actually can do it. So to get but to get back to your question, is there an opportunity? Yes, there's an opportunity. I mean, there are well, first of all, I don't subscribe to the belief that you shouldn't audit yourself first, because as long as you're honest, then you should if you're if you're not, you should.
Al And that doesn't mean that those who don't aren't honest. But but the reason is, is that by by doing an assessment, you become liable if you're also doing the work. And so I discourage MSPs from doing their own assessments when if they look in the mirror and say, all right, I might shave here and there if you're shaving here and there, you should not do your own assessment and that's because you become liable.
Al Right? You've said this. I got an assessment that, said you, you doing it, and now Mr. CEO will sue you and you did you this circular firing squad that you created for yourselves going to shoot you in the rear end. And so and again, that doesn't mean that if you're if you're using a third party, you're dishonest. It merely because there are people like you that believe that you should do your own.
Al And I get that completely. I just you know what? In my MSP life I looked in the mirror and I, I gave when I did a risk assessment and came back with a crappy score. I said, Listen, we dropped the ball. That's it. We dropped the ball and here's what we're doing to fix it. But not everybody does that.
Al Yeah. And so I so anyway, having said that, it's a tremendous opportunity for, for MSPs who are, who, who feel confident in their ability to provide cyber compliance services to go out there and assess other I mean in in my other life in the MSP, you know we have hundreds of clients that have other MSPs as their providers that we provide cybersecurity compliance services for because those I.T providers don't understand the regulations well enough to be able to counsel their clients.
Al And so, so yes, it's a huge opportunity, but the whole thing is a huge opportunity for MSPs, either for an MSP to be a third party for another MSP or a third party to actually go ahead and.
Matthew On a percent you know. Yeah. Not, not a I was kind of seen it more as a you know, not the should you not audit your own stuff. I think you absolutely should. So you know where you're at. You should definitely assess your own stuff, make sure that you're doing your your clients a service not a disservice. Right.
Matthew But at the same time without necessarily even going and, you know, let's say taking, you know, a business from a competitor or friend or anything, you can go out and offer those third party assessments, Look, we don't want your business. We're just going to do this. And it's interesting because I got, you know, clients who came to us just for that.
Matthew They you know, they're in another country and we can't I don't want that business. I don't want their I.T. business. And, you know, because their employees speak another language, you know, primarily. And but they've got a local, you know, I.T. But they wanted that third party, you know, assessment. Where do we really stand? How are things? So, you know, I see that as a whole, another revenue stream to set you know, for my total ISP to say, look, we've got this this whole area that we can do for you and security for auditing and assessing and pen testing is is a great, you know, part of that.
Matthew And so, oh.
Al Yeah, it's definitely I'd say, as I said, you know, absolute logic has. Hundreds of clients, almost all of them have their own IT providers. All it provides is cyber compliance services. That includes pain tests and risk assessments and policies and and and all of that that goes into it because a lot of MSPs don't. Yes.
Matthew Basically that basically cyber guard 360.
Al Correct and and and and the MSPs don't want to do that because cyber compliance is scary. Yeah it's scary.
Matthew Let me ask you this, because I think we've got a pretty good overview of of cyber guard 360 still going to show up on OBE but but let's go into the speaking of of scary where do you see you know you know coming down the pike in terms of you know compliance and what from your perspective what's the future hold what should people be looking, you know for looking at down the road?
Matthew What should we be preparing for to Yeah, let's go with that. What should we be preparing for.
Al For cyber compliance or cyber compliance?
Matthew Let's say cyber compliance.
Al Awesome. No, no, because. Because what I was going to say is they're actually converging. Your cyber security, even though was all the rage eight years ago. Right? Like everybody was like, you got to do the cyber security. I mean, entire marketing companies change their marketing strategy. You know, it service marketing companies change their marketing strategy around campaigns, around cyber security.
Al The reality is that about really a year ago, there's been a significant convergence between security and compliance, so much so that I suspect in the next within the next 36 months, probably less that significantly less than that. But let's say 36 months, cyber cybersecurity will be cyber compliance. And the reason I say that is there's two there's really two factors that that have been driving.
Al There's three factors that have been driving that. But one is a subset of the other. So at the at the 300,000 foot level, you have government and from the federal government and and in other countries, their national governments down to the state governments, they are all enacting cyber security compliance regulation more actually, they've all enacted some form of a cybersecurity compliance regulation.
Al They tend to be narrowly confined to some verticals, but they are expanding the verticals. New York State Every business has to comply with the Shield Act, California. Every every business has to comply with CCP. In between the bookends of the country, you've got more narrow verticals, but invariably they're all going to adopt the same regulations and every business is going to have to be in it.
Al So that's the first piece. The second, so that's that 300,000 foot level. At a 30,000 foot level, you've got CMC seems see obligates every single business involved in the DOD supply chain. So that's from prime contractors like Lockheed to the cleaning company that cleans the subcontractor of the subcontractor of the subcontractor of the subcontractor, Right. Has to be CMC compliant.
Al That accounts for 2.6% of our economy or $550 billion in commerce a year. And so that's a significant number of businesses that are going to be audited. That's the difference between like New York SHIELD and CCP. There's no teeth in those. CMC has teeth. And what the government did, which is really smart, the DOD did was smart, is they didn't say, listen, the DOD is going to come in and audit you.
Al They said, no, the budget ordered the prime contractor and the prime contractor better make sure every sub has been audited. And so they've pushed the audit to the Prime and the Prime pushes it down the supply chain. It's a brilliant move by the DOD. And so every one of those businesses is going to get audited in one form or fashion or be liable.
Al But there's no way a Lockheed or a Boeing or a you name them are going to lose a quarter of $1,000,000,000,000 contract because some schmuck in a truck who services a C no disrespect to the AC servicing community out there look hooked up his laptop, didn't have security controls infected the sub who infected the sub and infected and got to the end.
Al And all of a sudden so something went sideways. And so that's the second thing. But the big as big as all that is the biggest is now you've got the private sector enforcing cyber compliance. And what happened last year, this is where it gets really interesting. Really, really fast. That's why I said 36 months. It's it's I'm certain it's going to be significantly less than that.
Al But 36 months of the outside, you've got the insurance market now saying to businesses today, if you want business loss insurance, not cyber liability, business loss insurance, and you want that coverage, if you suffer an outage because of a breach, you have to have these cyber controls. And if you don't, we don't pay you. That's a huge change in the economic landscape for businesses because today, if you look at a breach today, you unfortunately also know a little bit about insurance.
Al So if you if you look at what happens in a breach level breach, takes one of your customers out. Assuming they have cyber liability, they get some they'll get some money for that. That will cover forensics, that will cover clean up, that will cover. It's not going to cover loss of income. That's your that's your that's your business loss coverage under your property and casualty.
Al Right. So that piece of insurance is what's saying, hey, you want us to cover your loss? Your loss revenue? To do that, you need these elements of cyber and every business. All of a sudden they're having an oh shit moment that says what am I going to do now? They don't read their deck pages. And so we MSPs have an obligation to go out there and say, Hey, let me see your deck page.
Al You see this? You need this. I'm this is not me selling you what you don't need. You're going to get ransomware. And when that happens, these guys ain't paying you.
Matthew Actually, that's a really great point. I mean, who's ever even thought to go in and ask, be like, Hey, let's go ahead and look at your policy. Make sure we've got what you need in order to be covered, because it's starting to happen more and more where there's, you know, business email, compromise. You know, you're not even your client, your your clients, you know, a partner, they they got their email got hacked and then suddenly a ton of money is you know, is in the wrong hands.
Matthew And everybody's like, yeah, it was you, it's your fault. Okay? Then it comes down to insurance and legal. And that's a great point about the insurance. I mean.
Al Another huge opportunity.
Matthew Huge opportunity to literally go to all of your clients. Everybody's making notes. Oh, wait, I'm recording this. Never mind. So, I mean, but for every. You're welcome. I mean, this is that's actually really that's a really great thing for one, not just the MSP, but also for them. It's a it's great for them because they because when it happens, you don't want to be like sticking your head in the sand and then suddenly, you know, something has wiped out your whole body.
Matthew And that's what's going to that's what's going to happen if somebody is not reading the fine print. I also funny because I saw earlier today, interesting because we've got a client who again, it was their their partner who, you know, there was an issue and they're like, man, who's who's to blame? And we're looking at some stuff. And it's interesting how how these insurance company you got to read the fine print as to exactly you know, was this social engineering, was this was this a technical a hack?
Matthew And depending on how they're defining those, how this thing plays out, you have to read the fine print and give it some actual thought beyond just making sure that that you're doing the proper, you know, things cyber wise. Otherwise they're just like, Oh, you didn't do this. We're not covering it anyway.
Al So exactly. Because they're in the business to make money, they make money by not paying that they collect premiums and don't pay. That's literally their their job in life. And I respect that. Listen, they're betting is never going to happen. You're betting it is so you pay and they're betting if it does that you probably didn't read the fine print so the likelihood of them paying approach zero and so that's why that's why I said cyber is is what is where that convergence is.
Al And I think it's happening at a pace that almost nobody is paying attention to. And I've been watching this for the last year. I mean, I started talking about this not that I'm smarter than anybody again, I just have my fingers in a lot of pie. And I started talking about this last August when I saw the traveler's application for insurance.
Al And I'm like, Holy crap, there's 12 things in there that are squarely in the realm of cyber. And this looks exactly like two of the regulations I know, which means everybody's drawing down off the safeguard language in the FTC, and that's what's happening. And so cyber compliance, trust me on that. Like if you bet on anything better.
Matthew That's the only.
Al Thing. I think the only thing we have to talk about is orange box.
Matthew The orange box.
Matthew Or I will be going up here. Yes, yes.
Al So this is what I saw. I'll tell you the story about Orange Box, and that's actually what Obi stands for. But I was there. So as we were building these tools and the team was really operating in secrecy and they were because we were trying a bunch of different things as we're building our pen testing tool and vulnerability assessment and Chris And there's a lot of stuff in there that just, you know, it's basically a black box.
Al And so that's what we started calling was black box. And, and Steve and my partner is a pilot.
Matthew Yeah.
Al And the black box at an airplane is orange.
Matthew That's great.
Al So they can find it in a crash.
Matthew That's right.
Al And so that's how it got to be name, Orange Box.
Matthew Fantastic. You know, that is as good a place to end. This is as ever. All right. I tell you how I think people know where to find you, but if you could tell people where they can find out more about you and what you do.
Al Well, I'm personally I'm on LinkedIn, so feel free to look me up. Alper, CyberGuard360.com. That's our that's our. That's our home. That's our web page. We are a we're a cybersecurity SaaS solution for I.T. Service providers for them to offer to their clients. And like all SaaS companies, want a subscription basis. And so I MSPs subscribe to us and they offer bits, pieces and or all of our platform to their customers and if you're an MSP, check us out.
Al We'd love to have you if you're a if you are a business owner and you work with an I.T company, turn them on to it. If you don't, you should be using and he'll deploy our solution for you. And he didn't ask me to make him that commercial, by the way.
Matthew That's right. Now. But I appreciate it. And no to anybody who's not you definitely check out Cyber guard 360. We use it. Love it. It's great for our clients. It's just it's fantastic all the way around. All right. It has been a pleasure having you on today. Until next time.
Al Pleasure's all mine, sir.
Matthew All right. Thank.