Ron Shoe, and Andrew Burke with SIP Oasis, and Anna Sullivan Price with Insurance Facilities talk Cybersecurity with John Mountz, and what businesses need to consider to combat this surging threat.



John Mountz: [00:00:01] You're listening to Viewpoint Alabama, a public affairs program from the Alabama Radio Network about the people, places and events that impact our state. Cybersecurity seems like a complex issue, but there's aspects of it everyone in Alabama should be familiar with. Hello, I'm John Mountz. And this week on Viewpoint Alabama, we're talking with Ron Shoe and Andrew Burke, along with Anna Price from SIP Oasis and also Insurance Facilities Inc. about this important issue. Gentlemen and ladies, welcome to Viewpoint Alabama. Thank you.

Ron Shoe: [00:00:31] Thank you very much for having us. Good morning.

John Mountz: [00:00:32] First of all, let's talk about something everyone's very familiar with the attack on the Colonial Pipeline because, you know, at first we heard about that. We thought terrorism. We thought, you know, something broke. But it turns out it was technical. It was actually very complicated. It was cybersecurity. And that's the reason why we're talking today. So let's back up. What exactly happened with Colonial Pipeline?

Ron Shoe: [00:00:54] Well, it was very bad, obviously, but what happened was it exemplifies the difference between cybersecurity and, say, twenty eighteen versus twenty twenty one. It's a much more multilayered thing now than just having a firewall and virus protection. And you know, it's becoming a very much a matter of hygiene. It's almost like your health. It's not a matter of buying a thing and turning it on and walking away from it anymore. It's a matter of constantly asking questions, constantly testing things to see if you can get in this way or get in that way. Because now there's a thing called an attack framework that the bad guys use. We're not going to use fancy words, but there are 300 or so more known exploits this year than there were last year. Just to show how good the bad guys are and how creative they are and how much time they have because they have all the time in the world.

John Mountz: [00:01:48] And they also they're all over the world. That's the other thing. It's even though it happened in Alabama, it came it could have come from Afghanistan or it could have come from Alabaster. It could have come from anywhere, right? That's correct, because we're all connected up.

Anna Price: [00:02:00] And there's no way to track down where they're coming from because what they're demanding is most likely bitcoin. So there's no way to track them.

John Mountz: [00:02:08] So it would be to their advantage that we don't know where they are and that they can't be tracked, right? And I think that's kind of the case for the most part with these things is they're not there's they don't really leave much of a signature, I guess, where it came from. We've heard Russia, I think, was was the last I've heard on that. In this situation, we bring up with Colonial because we think that's a big company and that can't happen to me. But really, it could happen to any company.

Ron Shoe: [00:02:31] Right. That's that's, you know, I look at the Colonial Pipeline thing and think it should be a wake up call to small businesses because everybody thinks, "hey, it ain't going to happen to me. I don't have anything." And the reality is, if we're debriefing and we're learning more about what actually happened with the Colonial Pipeline attack is that they were not really targeted. They happened to get some credentials that were reused from an old employee that were published on the The Dark Web. And if they had managed passwords a little bit better or if they had closed that guy's account when he didn't work there anymore, or if they had enforced good hygiene with not using the same password on multiple things. There are a lot of ways to to stop the guys from getting in, but you know, we've got to be right on all of them and they've only got to be right once.

John Mountz: [00:03:19] So it's not just an issue then of, you know, equipment, it's people. It seems like the real problem is it's people. And sometimes, as you said, they don't practice what was the word you used? Password hygiene?

Ron Shoe: [00:03:32] Yes. Password hygiene.

John Mountz: [00:03:33] Right, exactly. Wash your password three times a day, right?

Andrew Burke: [00:03:36] So, yeah, so passwords get us into all of the areas of our life that we're involved in today. We're shopping online. We're banking online. So if you have a simple password, everybody knows your ID because if they have your email address, they have your log in and a password needs to be complex.

John Mountz: [00:03:57] It can't just be password?

Andrew Burke: [00:03:59] It could be. But you're you definitely have a lot of risk...

John Mountz: [00:04:03] What if I steal a password with with the numbers zero? Doesn't that make it more secure? Maybe use an at sign for the A?

Andrew Burke: [00:04:08] That's one step better. Two steps better. That's true. So, yes, anything that involves some complexity to your password, more length. Definitely. Characters will will help out in that situation.

John Mountz: [00:04:21] And maybe dollar signs for the for the S's. Right?

Anna Price: [00:04:24] Something and one app. There's several apps that will automatically generate passwords for you. I use the LastPass app, but it'll allow you to just keep up with one password and then it will automatically generate all the other ones for you. And they're very... you can be as complex as you need them to be, so.

John Mountz: [00:04:41] And that's a good that's a good point, Anna, you know, because I have we all have a lot of different stuff from our bank accounts to our work stuff to our email, a zillion different accounts, and they all have different passwords. And as you said, they should have different passwords. And furthermore, you almost have to because they all have slightly different rules. This one must have a number in an uppercase and lowercase. This has to be all lowercase. You know, there's all different rules, so you really couldn't get away with using the same one anyway. But the problem I get into is I can't remember a lot of my passwords. What's a good way to keep up with all the passwords for the hundreds of websites we have to get into sometimes website you only get into like once a year, like your IRS one where you file your form. So how do you how do you keep up

Ron Shoe: [00:05:22] Like Anna said, with a password manager. There's there are a lot of them out there now. Dashlane is one. Lastpass is a good one that we deploy to our clients. And what it allows you to do is you don't have to remember any password, but one, the password to it. You have one password to rule them all.

John Mountz: [00:05:37] But what happens if somebody else? Because is that not the same thing is just having one password if you have one password? How can somebody get into your password management thing and then get all your passwords?

Ron Shoe: [00:05:48] Yes. So you want that one to be the super-duper password that is impossible for anybody to guess.

John Mountz: [00:05:53] You also. Changes a lot, I would assume,

Ron Shoe: [00:05:55] Yes, phrases are good, like using actual phrases or putting words together that don't make any sense that people can't guess. You know, you don't certainly don't want to use your mother's maiden name or you're the street you grew up on, or your favorite singer.

John Mountz: [00:06:09] Do you ever see those things on on Facebook or social media where it's like, "Hey, here's a crazy quiz. 10 questions: #1, What's your mother's maiden name? And people go through and they answer all that stuff, and then they put it on on social media for the whole world to see.

Ron Shoe: [00:06:22] Yep, that's the human firewall, we call that, because that really is where the rubber meets the road. It doesn't matter how good your defenses are. If somebody's going to go out of their way to click on the thing you're, you're only as good as they are.

John Mountz: [00:06:37] Now you mentioned the Dark Web earlier. What is the Dark Web? Sounds sinister.

Ron Shoe: [00:06:42] It's been used for sinister purposes. It was originally created for privacy, so it's a it's basically an encrypted version of the internet that you have to use a special browser to get to. And, you know, like with with bitcoin, it didn't take long for the bad guys to figure out they could take something that was inherently good and use it for their own ends. And so they take the advantage of that privacy to be able to twist it. And they've turned it into a place where you can buy everything from child pornography to heroin to people's credit card numbers and medical records.

John Mountz: [00:07:16] So in other words, the stuff that goes on in the Dark Web very often is dark stuff like that. And that's why they use cryptocurrencies like Litecoin and Bitcoin and all those, there's probably 100 of them. And that's why they use that stuff, because it's less because they understand that uses something called blockchain technology to where it creates a record of transaction to make it legitimate. But at the same time, it also encrypts it so that nobody knows who exactly started the transaction, right?

Ron Shoe: [00:07:43] So there have been cryptocurrencies created specifically around privacy. Now there's one called Monero, because with bitcoin, you actually write it does write the transaction of the blockchain like you were talking about, which is immutable so anybody can go and look and see that transaction and verify it, any third party. So it's not very anonymous once you find out who the owner of the address is, but there are newer ones like Monero that are purely private and untraceable.

John Mountz: [00:08:09] This is a viewpoint Alabama on the Alabama radio network. I'm joined today by Andrew Burke, along with Ron Shoe from S-I-P Oasis. Excuse me, SIP Oasis? Is that not an acronym? SIP?

Ron Shoe: [00:08:20] It is.

Andrew Burke: [00:08:20] It is. But yes, we go by SIP Oasis.

John Mountz: [00:08:23] Gotcha. SIP Oasis, which is a Birmingham based company and you handle cybersecurity for all sizes of businesses from from small. I guess you don't. Do you handle the really super duper big stuff or no?

Ron Shoe: [00:08:36] We're generally our sweet spot is in the small mid market. It's with the folks that typically don't have enough resources to have their own internal IT staff. So we generally will take over their entire technology platform and run everything from their phones to their computers and servers and security and all that and act like an in-house IT department for them and security.

John Mountz: [00:08:56] That's an interesting thing. You brought up phones because we all carry around these little computers in our pocket and it's a computer, and I never really thought about it. But should our phone in our pocket, should it have some sort of cybersecurity software or something like that on it to protect because I can, from my phone, I can remote into our business systems here at the radio station. I would imagine a lot of people's phone have similar capabilities, so that's a point of vulnerability. Is there anything can be done about that?

Ron Shoe: [00:09:21] Absolutely. And you make a great point. And this is sort of the cat and mouse that we're playing with. All the bad guys is, you know, who would have ever thought that a phone your iPhone could be a conduit to destroy your life? Well, they did. So now we are having to deploy security tools on phones that we never had to do before. The phone is also becoming a security tool through multi-factor authentication, which is a must-do. Do it on everything that you have. If you can turn on multi-factor authentication, do it, if you take nothing away from this from this conversation. Because even if they get your password, they still can't get into your account.

John Mountz: [00:10:05] Now, multi-factor authentication, that's the thing where you go somewhere and it says you try and log in and you put your password in, but then it says we're going to send a text or whatever to your phone. And either either it's a push thing where you hit a button on your phone or it's a number or a code or whatever you type back in.

Ron Shoe: [00:10:20] Precisely, precisely. It's one more thing that they have to have right. Now they would have to have your username, your password, and your phone.

John Mountz: [00:10:28] So what happens when you lose your phone?

Ron Shoe: [00:10:30] You can reset those, you can reset them with a reset through your email and all that. But then you have to go back and re authenticate because they want to make sure that it's you.

John Mountz: [00:10:40] Is there is there a possibility you could use multiple, like two different phones, like maybe your phone and your your wife or husband's phone as the phone that you know, if yours doesn't, you know, like if you can't get to yours or yours is the battery's dead or whatever.

Ron Shoe: [00:10:54] No, they're unique. So there's a unique the thing that makes it more secure is that there's a very unique encryption thing that goes on between the two, between the whatever you're trying to log into and the app on your phone.

Andrew Burke: [00:11:07] That's where the inconvenience of having to be secure comes into play. It's just the nature of the beast right now is, yes, you lose your phone, you lose a lot of productivity,

John Mountz: [00:11:17] Your access to everything. Great. Ok, so let's let's talk about what happened not only with Colonial, but with any business. When let's suppose something, something happens. It's too late that somebody was sloppy and they left. They had a pet. They didn't practice, what we say, password hygiene and and now somebody got into the system and they've done something. And they've first of all, what is it clearly obvious what they have done? Like, do you know, what's the difference between somebody getting in, just looking around and somebody getting in and, say, actually taking something or worse, somebody getting in and locking everything up? What happens?

Ron Shoe: [00:11:51] Most often today all of those things happen. So generally in the Colonial Pipeline's, for instance, you know, they established a foothold on that one computer. You know, they got in that one account through that one guy. And most of the time before ransomware is ever deployed, the bad guys have already been in your network looking around for weeks or months figuring out what they've got, because most of the time some poor schlub clicks on the thing in the email, and now the hackers are in. But they don't know, is this Colonial Pipeline? Is this Chick-fil-A? Is this the Department of Defense? I don't know.... So the first thing they do is try to figure out where am I, and what are my options? Am I going to get $1000 out of these people, or am I going to get $5 million out of these people? And they look to index everything that's there, learn what the opportunities are, and most importantly, spread to other devices. So they spread from computer to computer to computer. And that's where the real damage gets done. Because, you know, in the case with Colonial Pipeline, they spread to every computer on the entire network. So then when they deploy their ransomware, it's literally shutting down every single computer that they had. So just from the sheer operational impact to that to recover from it is enormous because I'm sure they had backups there, had an enterprise IT ` department. I'm sure they had very solid backups. But the time that it takes to restore a computer from a brick, which is basically what ransomware is. It could be called "brickware," because you click on it, and it turns your computer into a brick. You can't do anything with it except pay the ransom. So once they spread across everything, they've locked everything down and to restore all those computers would have taken their IT staff weeks. And meanwhile, they're running $3.5 million a day through that pipeline. So that's why they paid the ransom. Most people assume when they paid the ransom that they did it because, oops, they got caught with their pants down. They didn't have backups and they had to recover their data and paid the ransom. That's not actually the case. In fact, that was a business decision that was the fastest way for them to get back in business and get that $3.5 million in revenue again. And you know, one of the little known fact is they paid the ransom the first day. So as soon as they got deployed, they said they made the business decision to pay the ransom. And as you'll recall, the outage still went on for five days. And that's just because it took that long for them to apply the decryption key to every single computer on their network. And it just takes a lot of time.

John Mountz: [00:14:20] Now with the ransom. Is there any because it's not like you're dealing with a reputable company here? Is there any chance that you pay the ransom and then nothing happens?

Ron Shoe: [00:14:30] There's a chance.

Andrew Burke: [00:14:31] There is a chance. And the interesting thing out there is there's there's almost an organized rating system for the cyber criminals. They they act in gangs, and they develop a reputation almost like a Google review. And there might be an 85% chance that that the cyber criminals from the X Factor will return your your encryption keys to you.

John Mountz: [00:14:59] So it's like honor among thieves here. There's a "code."

Ron Shoe: [00:15:01] Exactly.

Andrew Burke: [00:15:02] That's right.

Ron Shoe: [00:15:02] That's right. It's bad for business. You know, people think they're not going to get their stuff back, they're never going to pay the ransom. So there's a certain marketing fulfillment component.

John Mountz: [00:15:12] Even they have a marketing arm. Yeah.

Andrew Burke: [00:15:13] So there's there's sometimes no rhyme or reason also as to what the actual ransomware you know, cost is going to be. It could be millions of dollars for a huge company. We've seen small businesses that pay $600. Maybe they had a rookie hacker. We've seen other small businesses pay $22,000, so it's just all over the place.

John Mountz: [00:15:37] Have you ever heard of? I think they call them White Hat hackers who they look for vulnerabilities and then they actually present the company with a "Hey, we broke in. Here's how we did it. You probably should watch out for for this."

Ron Shoe: [00:15:48] Absolutely. I mean, these are the things that we're having to do now for our clients. Again, it's not a "set it and forget it" world. It's becoming more like a military campaign, actually, if you're going to go into a foreign country, first you're going to establish a perimeter around your platoon, and you're going to dig in. Then maybe you do barbed wire, and then while you're building better defenses, you've still got to have somebody who's making sure the barbed wire didn't get cut by the bad guys. And meanwhile, you've got to repel an attack. But again, it's a process. And that hygiene, like I talked about again, because if you think about that same military example, a year from now it's going to be a much more well-defended position. It really can take a year to get up to where they need to be. And then it changes every week.

John Mountz: [00:16:32] You know, that's one of the things you mentioned the military a couple of times, and that's one of the things I always thought about because we have, you know, the Navy and the Army and the Marines. We have military that defend the United States that take care of... Shoot, we have the Space Force now to take care of some outer space, but it seems like we need almost like a cyber military or something like that to defend our interests here in America. Because we're not just talking about even the Colonial Pipeline. We're talking about, like the the the infrastructure that controls our electricity and national defense, all those things. And is there something like that? Does the government have people who are hard at work protecting us on the internet?

Ron Shoe: [00:17:08] Absolutely. Yeah, they certainly do. And the way that the industry as a whole is responding to this or with various what they're calling frameworks like the NIST or framework is a popular one, or HIPAA is another one that applies to health care. But these are our guides, so to speak, of saying this is these are the minimum requirements on all of these things, and it's constantly growing. So if you want to do business with the government, for instance, you have to be able to prove with documentation and certification and such that you fulfill all the requirements of those frameworks or you can't get a government contract. And so those frameworks are starting now to get pushed down more and more to the smaller people that don't even deal with the government because of the insurance companies. I mean, the insurance companies have figured out, "golly, we sure are paying a lot of claims on these cybersecurity insurance policies, so we better start cracking down on these things," because just like, you know, if you have four DUIs, you've got a hard time getting, you know, getting car insurance. Yeah, cyber insurance is becoming no different, and they're going to start requiring adherence to some of these frameworks as a fundamental requirement for getting coverage at all.

John Mountz: [00:18:24] So, Anna, since since we're in that lane, we're talking about the insurance thing. I didn't realize, I guess I should have, that there are companies that provide insurance, cyber insurance. Explain exactly, you know, how that works. Is it a premium and the company pays it? Or how does all that work?

Anna Price: [00:18:40] Yeah. So there's a ton of different levels on it, and it would definitely be something that you would speak to an agent to directly about how it would best benefit your company. Because the application, it went from two pages to now it's like 18 pages. So it's based off of who your clients are, who your employees are, what what information you collect from your employees, what you collect from your clients, how you store it. Do you have a service provider like SIP Oasis that will, you know, control it for you, manage it for you, keep it secure? Or is it just an IT guy in your department. All of that will affect pricing for cyber security insurance.

Ron Shoe: [00:19:19] Actually, we've even seen... we had one recently that a client presented us, and it said "if you don't have multi-factor authentication enabled on everything, don't apply. You do not meet the minimum requirements for coverage, period." Throw it away.

Anna Price: [00:19:32] And it's, I mean, it's not really astronomically priced. I mean, we have a client that I just wrote it for, you know, maybe $3 million in payroll, $6 million in sales, but it was $2500 for the year. Of course, there are a number of different levels, and he did have, I think, SIP Oasis as his IT provider. So it's definitely something that every business should have, only because it's it's not when it's I mean, it's not if, it's when. It's definitely inevitable for companies to have a, some kind of cybersecurity attack, be it from, you know, not knowing multi-factor authentication, or now from people working at home. Their VPN is not, you know, it's not authenticated or unsecured, I guess VPN. So there's so many different avenues that people can get into now.

John Mountz: [00:20:28] And working from home is a new problem for everybody. I don't know anybody throughout this last year and a half with the pandemic that has not at some point transition, some of what they do to doing it from home and using what was a home computer that used to just be used to, you know, check your Facebook. Now, all of a sudden, this is your business computer running there from your bedroom. But yet, you know, you don't really have the latest and greatest on your home computer, so. How do you prevent people with just a home computer now that they're all accessing your system? How do you prevent that from infecting your system and is that is that where you've got to use the multifactor authentication and VPN and all that other stuff?

Ron Shoe: [00:21:07] Of many things, yeah.

Andrew Burke: [00:21:08] It's a good example, but it's yeah, it's one of maybe a dozen things. So it's a multi-layered approach to network security, and we're used to securing the walls around a physical office and location. But once that employee, you know, starts to work from Starbucks or their home computer, like you mentioned, then we start losing more control. So there are tools that are made to help, you know, help with that and some of those controls. But you know, we also have to just educate our our clients that there's different ways to do it and it's more expensive and it's a little bit tougher to manage. But it's going to create an environment that's going to be more productive and more secure.

John Mountz: [00:21:52] Now, terms that get kicked around a lot in the cyber world, and I'm trying not to, as you said, geek out with this stuff. But we hear words all the time and I, whenever I need a good gauge of how the general public views things like this, I always talk to my mother who, you know, she, you know, has a computer and, you know, accesses the internet, but really doesn't exactly understand what she's working with. So you hear words like cookies and you hear words like adware and spyware and ransomware, and these are all different things. What what are cookies and adware? Are cookies bad, or are they evil? Or are they going to take my data? What's a cookie?

Ron Shoe: [00:22:31] A cookie is not inherently evil. It's like a it's a it's a tool that can be used -- it's kind of like the dark web. So it was it's a tool that's intended... it was originally intended to provide a better customer experience. So when you go to Facebook, they give you what it's called a cookie and your web browser saves it. And then the next time you go to Facebook, they can see that you have their cookie from before and they go, "Oh, I know who this is," and then they give you a better experience because they know who you are.

John Mountz: [00:22:59] So you don't have to, in other words, keep logging into a lot of like it's already kind of keeps you logged in. So when you go there, it's it's there. You don't have to put all that stuff back in?

Ron Shoe: [00:23:06] Correct, but there are privacy concerns with that, too.

John Mountz: [00:23:10] Right, oh sure. Now the different... You mentioned your browser, there's different, all different browsers out there, everything from from Google Chrome to Firefox to Silverlight, which I guess used to be or what's the one that Microsoft Exchange Edge? Yeah, it used to be called Explorer. Now it's Edge. Is there a better browser? What's the best browser for security or is there one?

Ron Shoe: [00:23:32] Personally, I like using one called Brave, which is one that's designed around privacy, so it blocks ads. It blocks a lot of the tracking that friendly or unfriendly websites want to do to you. And it's free. It's based on Chrome. But they took, you know, the reason that Google made Chrome was so that they could see every website that you go to and everything that you do, so that they can then serve you ads and make you, you know... They're building their folder on you so they know how to sell to you. And they and that folder is valuable and they sell it to other companies. And that's where Google gets all of their bajillions of dollars. So Brave allows you to kind of control that a little bit more as to who is tracking me, who is knowing what's going on because security and privacy are kind of becoming close to the same thing. And like that password thing, you know, that's kind of privacy, but it's also very much security.

John Mountz: [00:24:34] So another thing I heard years ago was, you know, a Mac is a much more secure computer to use because it doesn't get viruses. Is that still the case that that Macs are... Macs can get viruses, too?

Ron Shoe: [00:24:43] Sure.

John Mountz: [00:24:43] What about if you have like a like a like something is not a Mac or like a like a Linux machine or something like that?

Ron Shoe: [00:24:49] Yes.

John Mountz: [00:24:49] They all get viruses?

Ron Shoe: [00:24:52] Everything. You know, they can all get compromised. I mean, so that's, you know, basically, let's say you click on the thing, and the first thing that they're going to figure out is what kind of computer it is. Ok, so this is a Linux computer that's running version whatever of Linux. And now they've got an enormous playbook. Ok, what all can I do to that version of Linux? And they just go, just like, you want an answer to something? You go and you Google it. They can do the same thing.

John Mountz: [00:25:15] They Google it... {laugh} they're all using Google. What about what a lot of people, they have an internet provider like maybe some cable company or whatever, and then they have a a router in between that box and their computer, and the router has some form of a firewall built in. But that firewall. That's not that doesn't really protect you from anything, does it?

Ron Shoe: [00:25:36] It's one of the layers we talk about. So, you know, a firewall keeps people on the Internet from getting to things on your network. Like they can't... They can't see your your your Nest Thermostat, for instance, from Russia, unless they get inside your network and then they can see it.

John Mountz: [00:25:56] Oh, as in Fahrenheit, they wouldn't understand it. They work on Celsius. Right, exactly. So in other words...

Ron Shoe: [00:26:01] But you can Google Fahrenheit to Celsius....

John Mountz: [00:26:03] Yeah. So in other words, the firewall kind of protects people from they might be able to see your one instance of your router or your your cable modem sitting out there, but they can't see each your printer and all the computers and stuff like that, and the computers can talk to each other without having to leave your house and come back

Ron Shoe: [00:26:19] Correct until, you know, once they can, they can scan your firewall, figure out what kind it is and oftentimes what the version of the software is. And then it's the same thing, like we were saying with Linux. "Ok, so this person has a Netgear firewall and... Oh, goody, they haven't updated the firmware in six years since they bought it," which is normally what people do. Meanwhile, Netgear has come up with 150 software updates that solve...

John Mountz: [00:26:42] How do you do that? How do you update? I mean, I don't think I think I bought mine and plugged it in. What does it do it on its own? Or do you actually have to go into it?

Ron Shoe: [00:26:49] Generally not. You have to usually have to go and there's a log in if you look at your manual or you can Google it. You can figure out how to log into your router and you want to have a good password on that guy too, you know, like we were talking about. And then there's somewhere in there as a place for updates where you can search and see, just like with windows or anything else, there's an update schedule. And that's a big part of the hygiene because the firewall has an update schedule. Your laptop has an update schedule. Your phone has an update schedule. Your Nest Thermostat has an update schedule. Your printer, your your phone on your desk. Everything is constantly being beat on by the hackers, and the people who make these things are constantly coming up with, "Oh crap, we never thought anybody would get in through that. Now we've got to close that," and they do that with a software update. So if you didn't install the software update, you're still wide open.

John Mountz: [00:27:37] Wow. Ok, so SIP Oasis, you said you do with clients mostly medium and small sized businesses. Do you do anything for the individual consumer, or is it it's a company that you do work for?

Ron Shoe: [00:27:48] We're just business to business. You know, I... I weep a little bit for the solo practitioners because the costs are rising so much in the security world because, to your point, the NSA and the U.S. government has big cyber operations, and people retire from that and go into private industry, and then they become our vendors because we need those those skill sets as well. But I can't afford a quarter million dollar, you know, former NSA guy right now. So we use vendors for that. But you know, the people is what's the most expensive part. And it's it's a challenge for a solo person to have that, to be able to have people going and look. Over their shoulder, and we think this is what it is, but let's test it. So they just have to be all the more vigilant and try to be responsible for their own cyber hygiene like they are their own health. You know, they brush their teeth, they floss, right? So you don't get cavities, well... now you've got to change your passwords and you've got to, you know, turn on multifactor authentication. Eat your vegetables is good for you.

John Mountz: [00:28:53] Yeah, sure. Well, OK, we're about out of time. But if people want to know more about your business, SIP Oasis. What I guess you Google that too?

Ron Shoe: [00:29:04] Just go to

John Mountz: [00:29:10] Great and Anna. If people want to find out more about insurance, cyber insurance to protect your business, where where do they go?

Anna Price: [00:29:16] So our agency is located out of Gadsden. I work out of Birmingham. It's Insurance Facilities Inc. Our website is, as in ask Insurance Facilities.

John Mountz: [00:29:25] Well, I'd like to. I'd like to thank all three of you today for being on Viewpoint Alabama. I hope you have a good rest of the day and for everyone out there, change your password. Maybe get a couple of them right? This is Viewpoint Alabama on the Alabama radio network.