Small Business Cyber Security Tips: Scott Schober
Guest: Scott Schober
Podcast Release Date: 6/10/2021
Welcome to Trulyfit the online fitness marketplace connecting pros and clients through unique fitness business software.
Steve Washuta: Welcome to the Trulyfit podcast. I’m your host, Steve Washuta, co-founder of Trulyfit and author of Fitness Business 101. On today’s podcast, we have Scott Schoberg. Scott is a technologist, a family business owner and author, a podcast host, and an inventor. But most importantly, he is an expert on cybersecurity and an analyst on cybersecurity.
Scott is the CEO of Berkeley for tronic systems. He is here to talk with us about not only small businesses but also personal steps that you can take to make sure that you are not a victim of a cyber security crime. Scott has been on CNN and Fox and Al Jazeera actually, routinely he’s on these channels talking about large-scale cybersecurity issues, but I really try to hone in again to the more personal and small business fitness-related cybersecurity issues. This is a great one. Okay, Scott, thanks for joining us on the Trulyfit podcast. Can you give me an introduction to what exactly it is that you do in cybersecurity, and how you got into it?
Scott Schober: Yeah, absolutely. Basically, I’m running a wireless threat detection company, we make wireless tools that keep DLD agencies safe fortune 500 companies safe from any type of wireless hack that cybercriminals might be propagating.
In about 10 years plus ago, my company was basically targeted and hacked for $1,000. Stolen from our checking account. It really got me annoyed. So I learned a ton of things in the process. I realized, geez, if a security company, a cybersecurity company can’t keep money safe, it may be challenging for everyone.
The things that I learned were a lot of common sense best practice things that really apply across the broad spectrum of all small businesses. Things that I’ve learned that I share with other people and I teach with speaking and writing my books and, and great shows like this, and podcast where I could share these, these things that I’ve appreciated so they can have a better cybersecurity posture and stance, and fight back against cybercriminals. Although nothing’s 100% we all got to do what we can do to at least keep safe.
Steve Washuta: I’m really intrigued to hear about those tips in small business cybersecurity, especially me running a small business and a lot of the listeners running these fitness small businesses. But first, what are the typical issues that you deal with in cybersecurity, and then maybe some of the more outlandish special cases
Scott Schober: We talk about it all the time, and we hear about it all the time, we’ve kind of got some level of cyber complacency in passwords. That comes up again, and again, and again. We always ask ourselves, jeez, do we haven’t figured out yet.
I think we do know how to create long, strong passwords. Many people still are not and are still using common words found in the dictionary, your pet’s name, so on and so forth, which is a big No, no. But even more important to that point, we keep reusing it. As the general community, small business owners, reuse the same password across multiple websites. That’s a fundamental mistake because once you’re compromised, and that cybercriminals, get your password, they have automated tools now that they can actually go into all the common websites and try your password till they can actually get in.
So a really important point, don’t reuse your password across multiple things. Have a unique password, and of course, a strong one for every single site. Now, the back end of that is what’s important, nobody can remember all that it’s impossible. So you either got to write it all down diligently in a book, which I do part of my passwords, but it’s a secure book secured in a safe secured in a locked office lock building with alarms, cameras, and so forth.
So layers of security, protect my passwords. I also use password managers. A really good password manager I personally use is dashlane easy to use, affordable and has a nice balance between security and convenience. I think just if you address that level of password management and secure passwords, that will put you way ahead of the average small business owner. So that that’s really important just to get that to sink down and ask yourself, do I have a good password management plan?
Steve Washuta: It seems obvious, but most people are not doing it. I think part of the reason why is kind of the psychology of things where people don’t want to admit to themselves that there is a likelihood there is cybersecurity out there and that they could be the next victim so they go Oh, don’t worry about it. I’ll just enter the same password.
No one’s coming after me personally but it is not worth losing your business. Like you talked about how you were, you know, they took $65,000 out of your business account. You don’t know who’s coming after you and it very well could not be personal. You could just be an easy target.
Now I want to move to some other small security measures a business can take. I know that you know, VPNs and firewalls and fingerprint technology are some things that I’ve been involved with fitness businesses, are these, the norm? Do you recommend them? If so, are there particular companies or versions of these that you do and don’t recommend?
Scott Schober: Yeah, and that’s a really good point you bring up they’re talking about VPN, for example, what is important is that you do use a VPN and that you use one that you actually pay money toward it kind of goes contrary to a lot of the things I say where a lot of cybersecurity things you can do are free VPN that many people do use.
They provide a layer of protection. But what do they give you in trade, when you get something for free, you give away something and they actually sell what your pattern is on the internet’s you’re giving away your privacy because they’re selling it to advertisers. So don’t use a free VPN, regardless of what strings are attached to it. Within the world, they promise you because probably, they’re selling your information.
Instead, you can find one very affordable some are $5 a month some it’s a flat fee that you pay for the year, and then there’s some that you pay once for life. So there are lots of really good ones out there. But the key is that they’re properly encrypting the data, and they’re going to do a good job at keeping you safe and secure. If again, you’re paying a little bit of something for it. So that’s really the one caveat you got to look for when you’re selecting a good VPN.
Steve Washuta: That makes perfect sense. You know, there are always cybersecurity issues going on in the news. I know that the sexier topics or you know, the Russians are the pipelines or the meatpacking plants and the ransomware and things of that nature. But it’s specific for this conversation. I want to get to the fitness news and I know that President Biden tried to bring in a peloton to the White House and that was denied for cyber security measures. Can you elaborate on that?
Scott Schober: Yeah, absolutely. It was very interesting as I started doing research on the topic learning more about an interview on the inside edition on it, and you don’t realize it is something like a peloton bike. First of all, an incredible product, it really gets somebody to get into the workout and why it’s because they can actually have that Internet of Things, that connectivity where they can actually have somebody that can motivate you, like a personal trainer and having those videos, the music and keeps you going.
The problem is the trade-off. When you have all that interactivity and you’re plugged into the internet, you open up a potential for things and what are some of those potentials and what some of the researchers proved is they can take a standard peloton bike that’s plugged into the Internet, and they can push certain things into it to actually turn a microphone on. So without anybody realizing it, they could use drop. So the worst-case scenario theoretically is to imagine President Biden is got that in his area where he works out.
Somebody simply discreetly turns that on and starts listening to confidential classified information that’s being discussed in earshot of the peloton, bike, and right away, then all the red flags go up. And any tool any tools, any equipment, any presence, anything that comes in for personal use, or even business use into the White House house has to be vetted. It will go through the Secret Service and other specialty groups where they’ll actually rip it apart and search it to make sure it doesn’t have secret microphones in it and other types of things that could be used for eavesdropping or, or bad purposes.
But in this case, it’s really just off-the-shelf standard stuff that’s slightly modified in a peloton bike really through firmware, and it was really through the operating system that they could bypass and do these types of things. So, unfortunately, it didn’t make it into the White House. Similar things happened in the prior presidency. Actually, Michelle Obama wanted a peloton bike and you basically have to turn it into what I call a “dumb buy” to deconstruct all of the bike, just to bring it in there. It’s kind of rendered useless.
Steve Washuta: Yeah, and there’s a lot of apps in the personal training industry in the fitness industry that I wouldn’t say are unregulated, but they’re not looked at from a cybersecurity perspective, although they have a lot of data. So I know, you covered another issue, which was Strava. Most personal trainers are gonna know what Strava is. But a lot of cyclists and runners use it to map their runs. They kind of send that data out publicly, hey, I ran around Central Park, and this is the time I did it in and this is how many calories are exerted. But having that data out there and I think it is also associated with a heat map could be dangerous.
Scott Schober: Yeah, yeah. Especially if you think about a particular case, and again, I’m trying to exaggerate and think like worst-case scenarios, which is typically what I tend to do just to keep people safe. But imagine you’re in a park or Central Park in New York or somewhere else. And perhaps you’re a female runner, and you’re running it off times or this or that, and it’s getting dark. You might be more prone to being attacked and hacked by something else, by a bad guy.
They could easily track your whereabouts and follow your pattern on a daily basis. Then they can grab you, Rob, you do something else. As a bigger topic or bigger picture, we have to back up from it and ask ourselves, if we’re using apps like that we have to balance kind of the risk versus the reward when we download it and just understand the implications.
When we are downloading this, we’re giving away something typically, it’s our privacy, our geolocation, maybe stats about our workout, in this particular case, a heat map, and different things like that, that somebody could use to rob us compromise our data, rob our house at the time, who knows what the bad guys are trying to do.
But those are some of the balances and checks, we have to do that I have learned and share. Oftentimes when I’m presenting about cybersecurity topics to a more general audience, if you analyze the average phone’s got over 50 apps now. The smartphone has downloaded and analyzed those 50 apps and read all the terms and conditions that we opt into and agree to. I download it because I like candy crush, and am thinking about playing it.
Except it would take the average smartphone user in the United States over three months to actually read and agree to those terms and conditions. It’s absurd. Do you know anybody that actually spent three months of their life reading the terms and conditions of all the stuff they downloaded on their smartphone? Absolutely not? I don’t know anybody.
So what it is, is that it’s telling us the legalities that are written in there and what we’re opting to agree to allowing these apps to share our personal data, geolocation, photos, anything we type into the browser, the actual URLs. So now they can take that and sell it because they have access to our contacts, they can take our contacts, you know, people that we know love and dearly trust, they can take their information, and we’re giving them clearance saying this is okay. And that’s the problem.
Steve Washuta: Dang COVID pandemic, a lot of us in the fitness and health industry had to shy away from big business because unfortunately, they were shut down, they didn’t have the money to be open. We had to go off on our own. During that time, those of us who are naive to technologies had no choice. We didn’t have a gym, we had to use something like an individual, PayPal, individual stripe, and Venmo things of that nature. For those who are continuing to use those things are there concerns? And if so, how do you avoid set concerns?
Scott Schober: Yeah, I think there are concerns there, there were and there are concerns now. Not as much with the specific payment method or paywalls, such as PayPal, Vimeo, a lot of the others, they’ve gotten much safer.
The area, though, that you need to be concerned with if you’re setting up a remote POS, Home Office, this or that is, are you doing it through your Wi-Fi? The answer is probably yes. Therefore, your home Wi-Fi needs to be as secure as may be the Wi-Fi that you set up at your gym. If you did set it up securely, or you had a third party come in to set it up, ask yourself, are you using the default credentials that set it up? Admin password 123, so on and so forth.
Hopefully, you create a long strong password there and a username. You’re not broadcasting your SSID out to the world. So they could all see this as John Smith’s gym or whatever. Also if you’re using good encryption, WPA two or WPA three, encryption is really strong, really hard to break. Has it been broken? Yeah, sure. But it’s only by advanced cybercriminals that aren’t going to spend the time for targeted attacks or trying to take a lot. But for the average home user, make sure you have the basic encryption set up on your home Wi-Fi network. If you’re not comfortable enabling or configuring get help from a buddy that knows it or somebody that knows a little bit more about Wi-Fi and security just so you can make sure your home office is secure.
Steve Washuta: That’s great information. Just to go back to something you said earlier when harping on the terms of conditions. Are there any other telltale signs about a website or a company that you would be concerned, and that you would pass along for us to be concerned with? Are there any slightly alarming websites that you may want to stay away from?
Scott Schober: Well, unfortunately, I’m generalizing here, but the brands that you have never heard of, New to the market, use extreme caution. Hey, if you’re going to use Pay Pal, if you’re using Amazon using Apple Pay Google pay, those are names and brands that have billions of dollars behind it and they’ve got good security measures in place. If they are compromised, you’re breached or your information is breached.
You’ve got a company that stands behind it that can back you and help you uncover the mess. If these are new startup companies with low fees that claim to be simple to use, yet you’ve never heard of them, shy away and just use a lot more caution there. What your equipment is that you’re using to beat your smartphone, your tablet, your laptop, your desktop, your running current operating system, that you’re enabling the current security patches and upgrading your applications on a regular basis. If you wash your car, once a month, make sure you’re upgrading your computer, your smartphone everything else once a month, and at the same time, backing up that data and disconnecting it from your device. disconnected from your laptop, your computer network, whatever you have, and take that put it on a USB stick if you have to.
They’re cheap and they’re easy to dump the entire hard drive on a huge USB stick, could be a terabyte, and put it into a safe and lock it up. That way if and when you become a victim of something like a strain of malware, which we hear about in the headlines now with it with colonial pipeline in the meatpacking plant (It can happen to us personally, especially small businesses when they target different sectors) that way you could revert to your backup, wipe your system clean, and restore everything. Now you’re back in business instead of trying to deal with an insurance company or trying to deal with cybercriminals and learn about cryptocurrency and Bitcoin and negotiating it. It’s a disaster, it’s probably not going to end well because again, you’re dealing with criminals, that’re not honest.
Steve Washuta: You’ve given a lot of great tips so far. For someone like myself, I have worked at a low-level position at a hedge fund and I’ve had a Commodore 64 in my room when I was growing up, right? I’ve always been on computers. So I can take your tips and Institute them into what I do now. But for the average trainer who’s nose to the grind and they’re in the gym all day long, and there they’re not that technologically savvy, they might want to outsource the cybersecurity when do you think it’s a good idea to outsource the cybersecurity and how do you go about that?
Scott Schober: Yeah, actually, it’s not bad. People shouldn’t feel ashamed about outsourcing and getting some help in there from a cybersecurity standpoint, and get some basic good recommendations. Could they do the research on their own? Absolutely. Can they read books and watch videos, attend seminars virtual or live and learn a lot? Yes, they can.
But at the same time, bringing in an outside third party that has expertise specific to your business or your computer network may be money well spent. That’s a lot of times too, especially if you’re a small business, and are considering cybersecurity insurance, that’s a nice mixture there. What I recommend there, is to bring a company in that will actually provide you training and help us configure and make sure that your entire organization is cyber secure, strong, and they will help you implement some of these best practices.
Why did they do that? Because they don’t want to have a claim that they have to fill if you’re a victim of ransomware. So they’re going to actually help you build your cybersecurity do that. So if you’re looking at cybersecurity insurance, ask them: what kind of help can you give me? Can you bring a third party in that will educate and help configure my network so that I can make sure I have a really strong cybersecurity stance? If they say yes, and they go down that list, you got a good company that you’re working with.
I think that’s really fundamentally important. Especially if you’re a small business, you don’t have to spend a lot of money to do this. Big organizations, they’ve got millions of dollars to spend the JP Morgan’s of the world and others, and they do spend it in the right area. But they have teams that know where to do that. Small business owners don’t. It may be you and maybe one guy that knows it a little bit. So get that outside help from the insurance company or somebody in the world of it, bring them in, it’ll be worth it in the long run.
Steve Washuta: That makes perfect sense to me. Even if like you said, Scott, you bring people in on a one-time payment to say, Hey, can you set everything up and then teach me how to handle this, and then I will reach back out? If and when I believe there’s a problem or I need to take the next steps.
I think it’s well worth saving potentially, your entire business and just the headache from having to deal with a cyber-attack and all those next steps that would come with it. Yeah, definitely. So that was very specific to the small businesses and small businesses involving fitness. But I want to get a little selfish here and I want you to answer some things that I’m intrigued about. So we’re gonna give you a rapid-fire. I’m gonna say a phrase or a word and then you can give me 30 seconds on how you believe cybersecurity plays into this topic. The first one is artificial intelligence.
Scott Schober: I think artificial intelligence is being used, unfortunately, by cybercriminals, as well as by cyber security professionals, but it’s being used to quickly identify these advanced threats so you could immediately be alerted if somebody is trying to get into your network. Artificial intelligence can identify them, flag them, and sandbox those threats before it gets past the firewall and into your computers causing havoc and damage very effective.
Steve Washuta: Cryptocurrency
Scott Schober: Cryptocurrency currency is an unbelievable technology. I love it. I can’t say enough good things about it. But the downside is, too many bad guys are using it. It’s closely tied in with ransomware as far as a payment method with Bitcoin. Unfortunately, it’s the commonly accepted currency that’s used throughout the dark web, mostly for a lot of illegal activity. So I think as it becomes more regulated, the SEC gets in there, and certain federal regulations where they’re trying to collect taxes. I think the cryptocurrency market is going to probably shrink a little bit before it can actually grow and become wider spread acceptance as far as a means to buy and sell things.
Steve Washuta: Baby monitors.
Scott Schober: Hey, I had one. But I used to be able to listen in to my neighbors when they had their baby. They’re not secure. It’s using what’s called industrial scientific medical bands, which are basically open and free. It’s not a licensed spectrum. Easy to hack, easy to jam, easy to eavesdrop, probably want to just avoid those, you’re probably better off using something like a wise cam or something like that. That’s a low cost of $30. Set it up and use the Wi-Fi and encryption in place. And you get even better experience recording alerts everything you could do
Steve Washuta: Huawei phones
Scott Schober: Unfortunately, Huawei has been branded kind of taboo in the United States, and now other countries. So I would run from that. Huawei owns about 60 to 65% of the infrastructure billed for building out the 5g network. Now there are countries such as the United Kingdom that are spending billions of dollars removing all of this going to shrink and shrink and shrink because that opens up the pipe for eavesdropping collecting our content and actually data mining and monitoring our whereabouts. So I would avoid Huawei in every certain way that you can
Steve Washuta: Last one here and feel free to plead the fifth, if you believe there’s no way to not get sort of semi-political here. But do you believe the government should get involved in what is considered private ransomware attacks?
Scott Schober: I stay totally neutral when it comes to politics. But that being said, it’s going to require the government public, and private sectors to work together sharing information to thwart and combat ransomware attacks.
A perfect example is a colonial pipeline recently, when they discovered that they were compromised, they quickly reached out to us DOJ, and they reached out to the FBI and law enforcement and they shared information the sharing that information quickly led them to access to the blockchain and hunted down where the payment started and ended in the world of cryptocurrency that case Bitcoin and it allowed them to actually guess what stop it and get back the money. Even though Bitcoin plummeted at the time, they got back the majority of the money that was actually paid out in a ransom.
So there’s one case of success that you could point to when a private company shared information work together and it was a winning case. Good example to look forward to and business use case for all of us. If we’re victims of cybercrime. We should report it and work closely with the authorities the sharing of the information is paramount.
Steve Washuta: Scott, let the listeners know where they can find your podcast, get your books, and any other information concerning you.
Scott Schober: Yeah, absolutely. Certainly, my podcast “what keeps you up at night” is a weekly series that I put out and share with talk to business leaders, cybersecurity researchers, and influencers. That’s out on YouTube you can just search “what keeps you up at night” and type in Scott Schober Cyber and you’ll see a pop-up and you can subscribe to that if you want on my YouTube channel.
You can also go to my website it’s simply ScottSchober.com and I have tips and things that you could download and videos of how to pick up on cyber things. Then if you want to buy any of my books, the easiest way is certainly Amazon “Hacked Again” is my first book. “Cybersecurity is everybody’s business” really targets small business owners and then my third book just released is called “Senior Cyber: Best Security Practices for Your Golden Years” and that’s about the use of technology, the internet, and smartphones so that they don’t feel intimidated or beat by scammers. Also for those that are caregivers supporting the elderly. They could find tips to help their older parents or grandparents or those that they’re helping.
Steve Washuta: I will list all those links connected to the podcast release here. Scott, thanks a lot. For your time, I really appreciate it.
Scott Schober: Oh, thank you so much for having me. Really appreciate the interview.
Thanks for joining us on the Trulyfit podcast. Please subscribe, rate, and review on your listening platform. Feel free to email us as we’d love to hear from you.
CLICK FOR AUDIO OF PODCAST