Top 5 Cybersecurity Tips for 2024 & Beyond

Show Notes

Tara Thurber sits down with Will Shu, CIO and Matthew Buehlmann, Director of Cybersecurity at Riverstrong, a company dedicated to delivering essential managed IT and cybersecurity services for small-mid-sized enterprises.

Together, the group discusses the facts behind the global Microsoft shutdown in July and how companies can better manage and maintain their cybersecurity into the future.

Top 5 Cybersecurity Tips for 2024 & Beyond Set One - Will Shu

1. Get close to an IT/cybersecurity professional
2. Know your risks & exposures
3. Be willing to invest time & money
4. Be prepared if & when disaster strikes
5. Never trust any links

Top 5 Cybersecurity Tips for 2024 & Beyond Set Two - Matthew Buehlmann

1. Access control is crucial 
2. Patching vulnerability management
3. Security awareness training
4. Utilize a framework to implement cybersecurity for your organization
5. Adaptability

Transcript

Will Shu: 0:00

Hey everyone. Welcome back to Top5 brought to you by DefineTalent. We are a results driven service, working with clients to connect them with quality talent, as well as working to make an impact within the recruiting industry. We talk straight about today's professional world with real world professionals, experts in recruitment, job seekers and business owners alike, have a question for us, send it in, and you might spur our next conversation. I'm Tara Thurber, co founder and director of talent partnerships here at DefineTalent. And joining me today are two super special guests. Will Shu CIO and Matthew Buehlmann, Director of Cybersecurity from Riverstrong. Hey gentlemen, how are you today? Hi, Tara.

Matthew Buehlmann: 0:47

Doing well, thanks.

Tara Thurber: 0:48

Awesome. Awesome. It's great to have you both here, and I would love it if the two of you would introduce yourselves and just give us a little professional background. Will, can we start with you?

Will Shu: 1:00

Sounds good. Thank you for the introduction. So I'm Will Shu Iam CIO of river strong. My background has been in IT for quite some time, many decades. At this point, I've been head of IT for organizations from small businesses to mid market to enterprise. And my recent work has led me to develop and manage and build a new MSP called Riverstrong, where Matt and I have developed a managed cybersecurity program that we love to share some aspects of

Tara Thurber: 1:31

Excellent. Thanks, Will. Matt? How about you? today.

Matthew Buehlmann: 1:36

Yeah, so I kind of have a varied background, but I've been in the security space, probably for about the last eight years, and IT in the 10 now, at this point, I've worked a myriad of different jobs. I've done a lot of contracting work. I previously was an independent contractor for private organizations, public organizations. I worked as an auditor, consultant, a VC so a security engineer for both federal and private organizations. So a lot of hats have been worn over the past several years, but generally, sitting in the security space and doing what I can to help improve client infrastructure.

Tara Thurber: 2:15

Wonderful. Well, we're super excited to have you both on today. I'm going to jump right in here, because we've got to talk about the elephant in the room, and the recent Microsoft shutdown that caused global infrastructure shutdown. What happened and should we be worried this will happen again?

Matthew Buehlmann: 2:36

You want to take this to start.

Will Shu: 2:38

Let me, I'll start. And please, Matt. Matt has a very Matt, and I have a great side views and different perspectives of a lot of these topics. And I would love to hear what his side is as well. But it was, I guess, I wouldn't call it Microsoft shutdown, but I guess it was blamed on Microsoft, but it was a another security software company that released some software that conflicted with the Microsoft operating system, which caused the computers and desktops and servers to crash. So it is it wasn't malicious or mischievous. It wasn't a bad intent. It was a mostly an accident, from what we can see as what's happening in the industry, but it is something that happens on a daily basis, for the most part, and it is something that it's hard to avoid. Updates on software is a everyday thing when developers and programmers find holes, bugs and issues with their software, or updating the detections or algorithms always being pushed to update and to make things better, right? This time, it didn't make things better, unfortunately, make things a little bit worse and some of the ramifications of it. But will this happen again? Most likely, yes or not on a professional side, because these things will continue to go. There are mitigation methods, and for example, don't take the most immediate releases of software, plan a period of time before you implement that into your environment, so you can see what happens in the wild in this situation. But it'd great to just hold on these updates. So there are there are laser steps, but all these things take planning, and it needs to be well thought out a little bit prior to as we were all coming to find out.

Tara Thurber: 4:24

Excellent. And Matt, what are your thoughts on it?

Matthew Buehlmann: 4:27

Yeah. So, yeah, Will's got a pretty spot on there. I'll expand a little bit on, you know, it was CrowdStrike, which is actually like a managed detection and response provider, so a pretty critical security tool, and obviously widely adopted, which is part of the reason why we're talking about it right now, is such a huge impact across the world, really.

Tara Thurber: 4:46

Right.

Matthew Buehlmann: 4:46

And essentially, because of the types of services that software offers, it has to operate at a very low level of the operating system, so something called the kernel. And then, without getting too technical, there's like a user space and a kernel space. And the user space is where we're at interacting with on our computers on a day to day basis, the kernel space is areas we don't really touch, but for a company like CrowdStrike, it gives them a lot of insight into the way that the computer is functioning to help catch malicious actors. So the update to that area of the operating system is what caused this issue. So it was like a logic error is essentially what it is at a very high level. And the kernel is again a core of the operating system, so it protects the integrity of the computer. So once that portion of the operating system space was corrupted, essentially from that update that will was talking that Will was talking about. That's where we get that blue screen of death, which is actually like a protection mechanism. So it's saying, Hey, I can't operate in the capacity that I need to to ensure the continued functionality of this computer. So we're stopping right here. So yeah, it's I agree with Will too about it inevitably happening again. Maybe not CrowdStrike, but another organization. I think that probably a lot of organizations are taking a good hard look at their update processes and procedures right now to make sure that they're not exposed on the news.

Tara Thurber: 6:15

(laughs)

Matthew Buehlmann: 6:16

But I was watching some I've watched a number of different panels, about the Crowdstrike discussion, read some articles, and there's this really interesting concept I heard called like a black swan event. So it's an event that's rare, has a massive impact, and it's only predictable in hindsight. And I think that that's really what we're dealing with here. Is this black swan event. And you can't really predict what the next Black Swan event will be, you just know that it will happen at some point. So I think that making sure that you're operating from a point of resiliency. So when this does happen, how are we going to bounce back? Do we have an incident response plan to address this type of outage like Will said, too. This wasn't malicious. It was just a corrupted update. So making sure

Tara Thurber: 6:58

Awesome. And I think, too, big questions I Right. that you know an incident can be a lot of different things. Be malicious. It could be unintentional. It could be, weather, you know, like an act of God, you know, it could be a flood. So making sure that you're moving your point of resiliency, and you know, general third party risk management are you betting your vendors to make sure that they have the appropriate controls in places? Kind of, what I think is coming out of this a lot. would have would be for businesses, how to vet those people or those companies properly, and just for knowledge basis, when we're thinking about what would you say? Now, in your opinion, both of you Will and Matt, what are the top three cybersecurity threats facing businesses today?

Will Shu: 7:51

I'm so curious to hear what Matt's three are.

Tara Thurber: 7:54

(laughs)

Will Shu: 7:56

I did take some notes for myself. So for me, top three for me is account hijacking, and that's a daily occurrence across the board, and happens almost daily, sometimes, depending on what's happening across of our managed services customers. Alerts do happen quite often, weird configurations, forwarding rules, access connections are happening across many, many, many companies, and it's only a couple ways that we can define and figure out and to discover these things. And that's where my second tip is,is really asking the right questions or having access to the right professionals, right? If you're we go to doctors because we do not know the specialties of medicine. Technology is another specialty that you need professionals in your corner to protect you, to look for your best interest, look for your business's best interest at heart. And that's really the that's my biggest tip, right there, is that that's the biggest threat, in my opinion, is not having professionals around near you to be able to help you ask and answer the right questions. This leads into what you were saying before. How can small businesses ask this question? It's really hard without being in the industry, and that's why the industry is so getting larger and larger that now trap gets bigger and bigger, and you need professionals on the other side to fight these traps and to ask and answer the right questions for you. And the third risk, for me is it's account hijacking. Someone takes over your account when you log into it, but the other side of it is remote control, or access to your computer or back end access that you're unaware of. And that's how the events and where events start. That's how malicious acts start by having no control behind the scenes to a computer in your organization. So those are my top three.

Tara Thurber: 9:48

Wow. Matt, what do you have over there?

Matthew Buehlmann: 9:51

Yeah, I think, you know, Will and I are actually aligning on some of these, which is to be expected.

Tara Thurber: 9:57

Yeah.

Matthew Buehlmann: 9:58

And you know. Riverstrong, we predominantly focus on small, medium sized businesses, and that's the majority of the threat research that I've done. So I do want to just put that caveat in here, that this is where that's coming from. But what we're seeing there's a couple of trends. One, the big one, is this exploitation of legitimate tools and native system tools. So things that exist on your computer by default, things like PowerShell, Command Prompt, Dynamic Link libraries can be used in ways that are malicious, but the software, in and of itself, isn't malware. And in that same vein, like legitimate remote access tools, so like what was alluding to there, as an MSP/MSSP, we have remote monitoring management tools that we use to assess the health of systems remote in if we need to, provide technical support. And that's all well and good, but if, again, a malicious adversary is able to load one of these remote monitoring management tools, remote access tools onto your computer that's not inherently malicious, so a traditional antivirus isn't going to detect that, but the way that it's being used can be again, for nefarious purposes to deploy malware, ransomware or try to enumerate and get access to other systems. The other one is right in line with what Will was talking about account hijacking and business email compromise. So there's a new term, identity threat detection and response, and it's taking a look at the identities that exist. And when I say identities, I mean user accounts, those being in the cloud. Now it's very accessible to the broader internet, as opposed to maybe sitting behind a firewall or traditional account that would be internal only infrastructure, traditional Active Directory environment. So yeah, trying to take advantage of those accounts, like Will was saying for data, data exfiltration, using it as a springboard to try to target maybe other accounts of the organization, high, more higher profile or higher value accounts or areas like human resources or accounting, where the debt, where the data lives. Yeah, we're even just using that account to

Tara Thurber: 12:06

Yeah. launch more phishing emails. So that's definitely a trend we're seeing, and it's on the rise. There's a Verizon data breach report. This is from 2023 and I think that it the number of instances of business email compromise or pretexting, which is very similar, just about double. So definitely something to be aware of. And the last thing I had was ransomware, which is nothing new. Everybody knows about it. I almost didn't want to put it on here, because I didn't see much of a gimme.(laughs)

Matthew Buehlmann: 12:34

But we're just seeing the ransomware networks expand. It's becoming more prolific. It is profitable, and there are criminal organizations that are springing up specifically with the goal of providing ransomware services. They're like, either offering ransomware for hire, we'll take at, you know, ransomware company for you, or even just ransomware as a service. So the same way that we use, like office 365 or QuickBooks, or these other services in the cloud. They offer their ransomware service. They have, they go as far as have, like, bug bounty programs. So they'll say, Can you give us, here's our code. Can you figure out a way, you know? Are there any glitches with it? Can you make it better? Can you make it faster? Can you make it harder to resist? They have marketing efforts to try to reach out to potential clients.

Tara Thurber: 13:17

Wow!

Matthew Buehlmann: 13:18

And they're like, releasing updates for their software. It's like a it's like an actual software tool that we use, but it's ransomware. So we're seeing more and more of that, and the barrier to entry for conducting ransomware attacks is getting lower and lower. So it's definitely something that's that's big in the space right now.

Tara Thurber: 13:36

Yeah, do you think too, with so many companies going remote, that's why there's been a big increase? And I feel it's even become more dangerous for some companies, because if you don't know, or you're not connected with professionals, it could be detrimental to somebody's business, if the if they're all remote now and virtual.

Will Shu: 14:07

There'sa different way of looking at and upgrading the So your data is your key, and what you're trying to business.

Tara Thurber: 14:09

Right. protect and keep. So the more holes that you allow access to your data, the more risks that you expose. So having your employees out in the world, needing to access data from a central location creates more risk in that inherent structure. So t's a very, very different way of looking, and you need do need to ask the right questions as to we work in this phase in an office today, but now everyone is at home. So how do we protect the data, what are the processes that or policies as well, that we expect our employees to adhere to when they're not in a protected environment? So it is questions to ask them to make sure that you're that you understand as a business owner, and that you accept some of these issues, or you work to mitigate it, right? Right.

Will Shu: 14:57

So it's taking a look at. At how you're working and who's doing what.

Tara Thurber: 15:03

Well, and I think too, even if an individual brings their laptop to a cafe and they use the cafe's Wi Fi, that can be very risky, too. So it's also making sure employees know, yes, you may be working from home, but going out and utilizing open Wi Fi networks can be very dangerous as well, right?

Will Shu: 15:26

Correct. It goes to the policies and the processes, because there are technology ways to prevent a computer from connecting to a public Wi Fi.

Tara Thurber: 15:35

Okay. Okay.

Will Shu: 15:36

Can implement that, people do. Companies do, but it does create problems for employees, right? Oh, I can't go to the internet, then therefore I can't work.

Tara Thurber: 15:45

(laughs) Yeah!

Will Shu: 15:45

So you have to find that middle ground, but it does take communications, training and policies and enforcement of these things to make it safe. But Matt, if you had another perspective.

Matthew Buehlmann: 15:58

No, I think you hit on it right there. And for the policy piece, I think there's the probably the hardest part, actually, I take it back, creating policies is difficult, so making sure that's in place is hard. But then making sure that people are aware of those policies, and then you're actually putting eyeballs on the things that you want them to see, is maybe even more difficult. So, but yeah, creating those guidelines is the first step, because I think for the most part, people want to do the right thing. And maybe that's naive of me to say from the security world, but I think especially for small businesses, when we've got skin in the game, we have stake here. And if you give a legitimate reason and a

Tara Thurber: 16:33

Yeah. good way for them to work within their environment, then generally, they'll meet what you're trying to get across. Right, right? So what would you say, both of you, Matt and Will, what are the essential steps, I know, processes, procedures, but policies. What would you say essential steps businesses should take to protect themselves against cyber threats? And I'm going to stack it with another question of, How can small and medium sized enterprises improve their cybersecurity measures on a tight budget as well?

Will Shu: 17:16

I'll let Matt go first this time.

Matthew Buehlmann: 17:18

Yeah, so I think that, again, focusing on the SMB space like a key thing to understand is you are not too small to be a target. And data continually, continually, like represents this. You know, there's a Forbes article that businesses with less than 100 employees are 350% more likely to receive social engineering attacks. CISA, which is a cybersecurity and infrastructure security agency, said that small businesses are three times more likely to be the target cyber criminals than larger companies, and that Verizon data breach report from 2023 that I mentioned when they compared incidents from small businesses and large businesses, there was a 41% increase in incidents and a 68% increase in confirmed data breaches for small businesses when compared to large businesses. And the reason I'm bringing all this up is because, there's this disparity here where there's a lack of resources, kind of like you alluded to through your question there, Tara.

Tara Thurber: 18:15

Yeah.

Matthew Buehlmann: 18:16

Less people, less time, less money.

Tara Thurber: 18:18

Right.

Matthew Buehlmann: 18:18

But the types of attacks that are targeting enterprise clients, and the types of attacks that are targeting small businesses are getting more and more similar. So there really does have to be, taking a step up in the level of security for your organization. And, antivirus is not enough. That's like one of the big key things I do want to kind of drive home. So you need to have some sort of enhanced detection mechanism to not just do signature based analysis. So essentially, taking a look at a file and saying, We know this is bad because of its fingerprint, we need to take a look at that the behavioral aspects that are happening on a system. What are, what are like process insights, what are, what's actually happening, maybe with some of those legitimate tools that I referenced earlier on, and can we determine that it's malicious because of the way that it's being used, not just because what the program is? So the cloud can't be ignored, is another one I wanted to harp on again we talked about, what are the key threats business email compromise like Will said, account hijacking is huge, so making sure that that is an area that's being addressed is definitely important. And then from the budgeting perspective, outsourcing can be beneficial. When you think about the cost behind hiring a full time employee, especially when you start to get into the senior level like CISOs or senior engineers, senior security analysts, those are expensive recurring costs. So outsourcing can give you, a lot of expertise for a much more manageable cost. So that's something that can definitely be used by small businesses to supplement or even augment their onset on premise IT staff. So those are just some thoughts. I have.

Tara Thurber: 20:01

Awesome. It's crazy when you think about the account hijacking. I have a friend of mine that started a business a couple of years ago, and she was completely taken out. Somebody got in and took out her website, all of her social, her email, everything, and she lost everything. She had to shut everything down. And eventually slowly, start all over and rebuild her business. And she's an individual that took years to grow what she had created, and then ended up starting at square one. And it must be so frustrating, even for the small businesses, or the startups even that are just trying to start the business and get it out there to then be hijacked, so to speak, and have to hit restart again.

Matthew Buehlmann: 20:56

Yeah, absolutely. And I think I don't have the exact stat off top of my head. But the amount when small businesses are targeted, or the victim of, like a ransomware attack, for instance, which is kind of a worst case scenario, there is a much, much smaller percentage of bouncing back from that, as opposed to, like, large organization, obviously, we're working on smaller margins. So it is sad, and you know, Will, and I actually just launched some client business last week. You know, you see these people small businesses, and you really kind of get invested in who they are and what they're doing. It feels, it's not just this big, amorphous enterprise.

Tara Thurber: 21:28

Right! (laughs)

Matthew Buehlmann: 21:29

It's like, it's Sally down the street.

Tara Thurber: 21:33

It's family all of a sudden!

Matthew Buehlmann: 21:35

So it is sad and scary, and that's why I think there's a lot of value I see in protecting the SMB space. That's my two my two cents on your thought there.

Tara Thurber: 21:46

Excellent.

Will Shu: 21:46

So we also work with a lot of nonprofits, and the work that they do for their communities is really heartwarming, and we help them. They're also on tight budgets because they are nonprofits and we do go and help them. So to answer your question on, how do we do this on a tight budget? There, if there are standards that we create and that has standard protections, much like the old adage of you must have antivirus to be secure, there are similar, newer technology stacks that you should have and includes MDR and other other tools that we can help deploy, but in the as you get further, though, all businesses are different, right? Every day, business is a different organism, and each

Tara Thurber: 22:25

Right. organism, or each patient or each prescription needs to be tailored for your business. So we have some basic everyone can take an Advil, and we could all be safe. But as your symptoms, as your organism gets more complex. We need to sit down and look at what is there, and to really be able to determine what data what's happening and how do we protect these things? So we we look, we speak with professionals, and we look to define what those differences are, and then look for the best, cost efficient way to to manage, protect and to deal with that those things so, so it's not a and I hope that folks are talking to the security firms, or they just want to sell you everything and every tool under the sun. You may not need it all depending on your situation, but or you may need even more, depending on your complexity and your situation. So it is a taking back to the need to speak to a professional to get a good diagnosis, to get a good understanding of your current posture, what are your risks today, and to then be able to prescriptively and use your budget wisely to address the most impactful, biggest bang for the buck, or low hanging fruit, those buzzwords come into play to get the most out of your That makes total sense. It's a lot too for

Will Shu: 23:38

Go ahead, Matt. I'm curious. budget. individuals and founders to think about, but it's also one of the top things that individuals, founders and small businesses alike, need to really focus on. It's amazing, amazing. It's wild. So I'm going to switch gears just a little bit, because we like adding a little fun question for all of our guests. And in honor of the Olympics, our question is, if you could turn any mundane activity into an Olympic sport,

Matthew Buehlmann: 24:13

(laughs) Yeah, I, I had two thoughts on what would you have a good chance at winning a medal in? this one. One is, I'm pretty good at flipping eggs without breaking the yolk.

Will Shu: 24:34

(laughs)

Matthew Buehlmann: 24:34

I think I could kind of hold my own in that. But best in the world, you know, there probably are some chefs out there, you beat me. I was thinking that catching things that fall off shelves. I'm also pretty good at. Random, random hand eye coordination activities. So I think either those, I could give a run for a medal.

Tara Thurber: 24:51

I love that. Cat like reflexes, Matt (laughs)!

Matthew Buehlmann: 24:53

Yeah, right. It's not all just behind the computer screen.

Tara Thurber: 24:57

Right! (laughs) Will. What do you have for us?

Will Shu: 25:01

The hard thing to try to come up with some mundane thing that I'm good at I live in New Jersey with Tara here.

Tara Thurber: 25:10

Yeah.

Will Shu: 25:11

And when the spring and the summer season comes up, the weeds that come out of the grounds that we're trying to always remove is tremendous. So, you know what? I'm really good at picking leaves, apparently.

Tara Thurber: 25:22

(laughs) Weeds!

Will Shu: 25:22

Weeds. I travel across my yard and really, really quick, kind of a mindless gardening kind of a thing. But I think I will kick ass in weed pulling (laughs).

Tara Thurber: 25:34

(laughs loudly) Will, I love that. And it's funny, I love pulling weeds. It is such a meditative act, and especially in the spring or in the fall when you're doing gardening. But I love that too, both of you. I like what you brought to the table today.(laughs).

Matthew Buehlmann: 25:53

Thank you.

Tara Thurber: 25:55

So Matt and Will, what would be your Top5Cybersecurity Tips for 2024 and Beyond?

Will Shu: 26:04

All right, I had written down five because I did think this through prior. My first one is get close to an IT and cybersecurity professional. You need someone in your corner to protect you and making sure that you're doing the right thing for your business. Second one is, know your risks and exposures. You should know what's at risk, and then we can deal with that exposure. Number three is, be willing to invest the time and money into it, like every other thing that you need to do when it's good for you, takes time, money, effort and the will to work at these things. The fourth one I have is knowing what to do if and when disaster strikes. That's actually one of the biggest tips that I have. Is a lot of organizations that we meet, they do get ransomware, and they don't know where to start. They don't have any plans in place, and it all this is about time and reaction, being able to address things knowing where things are and what the recovery time objectives are for each of these things. This way you can add an expectation of when you're back in business, know how much revenue you're losing because your business can't operate. And these things really help you understand what investments should go into these things. So that's my, my fourth one, and the fifth one is a easy one, never trust any links. Just don' (laughs).

Matthew Buehlmann: 27:23

(laughs)

Tara Thurber: 27:23

(laughs)

Will Shu: 27:27

If you get an email from Chase to go look at your account, go to chase.com, and log in with your account, just don't click any links. Don't trust any links.

Tara Thurber: 27:35

Love that. Love that. And I'd say, would that be the same thing with text messages? I, for instance, I just got a text message the

Will Shu: 27:41

Yes! other day from TD Bank saying that my account has been used and they've put everything on hold - contact - And there was a link, and I, I didn't click on the link on my phone, but it goes for phones too. It does Never trust a link.

Tara Thurber: 28:02

Okay.

Will Shu: 28:03

Doesn't matter where it is, to be honest (laughs).

Tara Thurber: 28:05

Got it. Got it. Thanks. Well, Matt, do you have a separate top five to bring to the table?

Matthew Buehlmann: 28:11

Yeah, yeah, no, I definitely, I really appreciate Will's there. I'm very much plus one to the link, not clicking links and not opening attachments, too.

Tara Thurber: 28:19

Yeah.

Matthew Buehlmann: 28:20

But yeah. So my mine are in no particular order here, but access control is crucial. So that's how we're controlling how we get into all of these sensitive services. So implement multi factor authentication wherever you can, and if possible, not just MFA, but phishing resistant MFA and CISA, that cyber security and infrastructure security agency I mentioned earlier, has guidance on that. You know, instead of passwords, use pass phrases. And even better than that, use a password manager, if you can. So you don't you only have to remember one long, secure password, not all the other ones, and then, yeah, just making sure the admin rights are under control. You know, if you can control access in an environment, you know the access roles that exist and the objects they have access to, that's a good start for securing your system. Kind of to Will's point. My second one was patching vulnerability management, so exposure management, so, you know, proactively patching systems is one of the low hanging fruits that you do to make sure, like Will talk about a little bit ago, but to make sure that you're protected against threats, and so that's partial part of that is, you know, addressing these zero day vulnerabilities that come out, but also making sure that you're covering legacy vulnerabilities that exist. Threat actors aren't only going to use the most recent version. If they see, you know, you're running on a SQL Server. You know, 2008 or server, 2008 or two you know they're gonna, they're gonna try to exploit the vulnerabilities of these legacy seat models. So making sure you're aware and addressing that. Security awareness training again, kind of in line with the not clicking links, is a really good way to, you know, you. Raise awareness and create like a culture of security in your organization. That's what you really want. You want people to care and be invested in it. So raising that baseline level of security comprehension is definitely a good way to combat social engineering attacks, which are generally pretty successful and pretty lucrative. My fourth one, if we're keeping track here, as use a framework to implement cybersecurity for your organization. So a lot of times when we're building a security program or trying to do security in an organization, it's kind of just throwing darts of board. You know, I'm going to buy this tool to do this, and I'm going to make sure that we, you know, put MFA on some accounts, but not all of them, if you use a security framework. So that's things like NIST cybersecurity framework, or the Center for Internet Security has sets of controls, or ISO 2700 it's basically a roadmap and guidance on how to effectively implement security in your organization. So we're partial to NIST cybersecurity framework at River strong, but there's a lot out there, and it just gives you a more structured approach, and maybe helps you think about some things you might not have been considering.

Tara Thurber: 31:07

Okay.

Matthew Buehlmann: 31:08

And the last piece of advice I have, as far as you know, for implementing security 2024, and beyond, is adaptability. So we're always going to be in this cat and mouse game of the malicious actor has new a new vulnerabilities discovered, and that's then we patch it, and then a new tool is created, but then we create detection mechanisms to figure out when that tool is in use, and that's just constantly going to be going on for the rest of eternity, so which is kind of exhausting to think about. But you know, if you develop the processes,

Tara Thurber: 31:38

(laughs) procedures and safeguards and controls to protect your organization. If you take the steps to implement defense in depth, making sure that you have multiple controls to cover different areas, you're going to put yourself in a better position to be resilient and adapt to the new threats that come out. You know, we think about things like artificial intelligence, we haven't necessarily seen that actively being used in the wild for malicious cyber attacks yet on a widespread scale. But as that type of thing comes in the future, you know, again, when we're building that system and security program that's centered around adaptability and resilience, that's going to really help to make sure that you're prepared for today and tomorrow starts. Wow. Thank you both for sharing all of these tips. I mean, I think everything that you both have shared today is extremely valuable for all of our listeners. So I thank you both for joining us for our Top5 Cybersecurity Tips for 2024, and beyond, Matt and Will, thank you for taking your time out of your busy days today, day today to meet with us. And we're excited to get this out there to our audience.

Matthew Buehlmann: 32:57

Sounds good. Thanks for having us. Yeah. Have a good rest of your summer!

Tara Thurber: 33:00

Alright, you too. We are DefinedTalent, a DefinedLogic service coming to you at Top5.