The Reminger Report: Emerging Technologies

Navigating the Digital Landscape: Cybersecurity Best Practices

Season 3 Episode 57

In this episode of The Reminger Report Podcast on Emerging Technologies, host Zachary B. Pyers speaks with Nathan Whittacre, CEO and founder of Stimulus Technologies, and author of The CEO’s Digital Survival Guide. The conversation delves into key IT challenges facing modern businesses, emphasizing the importance of cybersecurity, effective IT maintenance, and the evolving role of technology in the workplace.

Key Topics Discussed:

  1. Stimulus Technologies & Whittacre’s Journey
  2. IT Maintenance as Business Infrastructure
  3. Cybersecurity Threats and Social Engineering
  4. Bring Your Own Device (BYOD) Risks
  5. Future of Technology and Cybersecurity

Takeaways for Business Leaders:

  • Regular IT maintenance is as essential as cybersecurity for preventing breakdowns and vulnerabilities.
  • Educating employees about social engineering tactics is crucial to reducing risks.
  • Implementing structured IT policies, such as controlled BYOD practices, can significantly enhance data security.

ZBP

            Welcome to the latest episode of the Reminger Report Podcast on Emerging Technologies.  I’m very excited today to have a special guest, Nathan Whittacre, with us today.  He is the CEO and founder of Stimulus Technologies.  Am I saying that correct?

 

NW

            Yeah, you are.

 

ZBP

            Oh, great.  And he is also the author of The CEO’s Digital Survival Guide which you see sitting in the background.  Nathan, thank you for joining us today, and if you would, before we kind of jump in, because I did have a chance to read your book.  I’ve got a series of questions to ask you both about your book and cybersecurity as well as other questions, kind of, as your role in technology, talking about, like, the future of technology, kind of where we see this going.  But if you would, take a minute and kind of tell our listeners, you know, your experience in the tech industry.  I’ve read your book so I’ve got some idea as to kind of your background, but it is an interesting background nonetheless, and I’d love for you to kind of explain how you got to where you are and where you are for our listeners.

 

NW

            Well, thanks Zachary for having me today and thank you everybody for listening this morning.  As he mentioned, I am founder of Stimulus Technologies.  We founded the company almost 30 years ago.  It was my brother and my dad that founded it in my brother’s garage like a lot of great tech stories.  We have evolved over time from a break fix IT repair company up to a full managed services company, and when we say managed IT services, we’re talking about taking care of all of the IT infrastructure for other businesses so everything from network infrastructure, hardware, cybersecurity, everything related to how the computers function inside the businesses.  So we take care of companies nationwide.  We’re based here in Las Vegas, Nevada, and we have five offices across the country.  And my experience, my background is actually in computer science.  I have a Bachelor’s and Master’s degree in computer science, so I know a lot about the programming side of the business although we don’t do that anymore as a company, but we, I understand how that relates and software engineering relates to actually using the systems down the roads.  That’s my background, and I wrote The CEO’s Digital Survival Guide a couple years ago to help answer questions that CEOs often ask me.  You know, I believe that as business owners, we need to really understand all aspects of our businesses, whether it’s on the finance side or operations, but IT is such a big part of business today, I think it’s really important that CEOs at least know how to talk about it with their IT team and know the direction that they need to go with technology to better their businesses so that’s why I wrote the book a couple years ago.

 

ZBP

            So, and I told you before we started, I actually read the book and I thought it was immensely helpful, and one of the things that I thought was really helpful to, especially to somebody who doesn’t speak tech by nature as it relates to the hardware and software necessarily, I thought it was helpful because you’ve got definitions of so many things in, throughout the chapters, that sometimes I even found it helpful in talking with my own IT department because I’m like, oh these are the terms that they’re talking about.  This is why they’re asking these questions or how these terms are being used, so I actually found it immensely helpful.  One of the things that you talk about in your book, and I kind of love this analogy, but you talked about IT and the infrastructure that it relates to, kind of like taking care of or managing a fleet of cars as a business would, and I really like that analogy because it not only I think is applicable to businesses but even people who have personal technological devices - cell phones, watches, laptops, tablets.  We have all of these devices around our homes and in our personal lives and, frankly, in our professional lives, and the idea that we need to kind of take care of and manage our electronic and/or technological devices in a similar manner to managing a fleet of cars, so walk me through when you explain this analogy, what you’re thinking because I’m sure that you’ve used this analogy when you’re talking with business owners about the importance of your services and how you relate these two concepts together.

 

NW

            I think we’re so used to maintaining our cars, you know, taking them in for oil changes, rotating our tires, replacing tires, I think we have in our heads that cars need regular service to function well, and if you’re not servicing your vehicles correctly, you end up on the side of the road broken down at some point.  I mean, you might still anyways but the likelihood of a well maintained car breaking down at unexpected times is much less than a car that you’re not taking in for regular maintenance.  And that’s kind of in that mindset because we do, I think generally most people have that mindset.  We’ve got to take care of our vehicles.  Our computers need the same maintenance to function well, and this discussion of cybersecurity that we’ve had so much recently I think is overshadowed a little bit of the need of just general IT maintenance that’s so required.  And I get some points in the book talking about developing software and hardware life cycles of computers, making sure that we’re replacing them in a regular manner, making sure that there’s updates.  We have a big one coming up, speaking of updates, next year.  Windows 10, which a lot of businesses are still running on Windows 10, is going end of life next October and so it’s important that we’re, have a plan to update computers to the latest version of Microsoft Windows 11 if you’re in the Microsoft world.  And if we don’t do these things, it leaves the computers either frustratingly slow, which irritates our employees, reduces productivity and also leaves us susceptible to cyberattacks so if we’re not updating the systems, if we’re not keeping all our software current, even our line of business applications.  If you’re running a piece of software for an engineering firm or for a law practice or whatever it may be, keeping that software up to date, we’re just opening ourselves up for potential problems with those cyberattacks.  
And so the IT maintenance kind of gets overshadowed by the cyberattack that we hear on the news all the time, but really it’s a core infrastructure making the network well, keeping your employees happy and productive and then protecting you in the end from these potential cyberattacks.

 

ZBP

            I agree.  When you think about the cyberattacks and you were talking about the news cycles, it’s a lot more exciting, right, to talk about a cyberattack than talking about somebody updating their operating software to the most recent version.  I get it.  One of the things that you talk about, too, in your book, and I think that this is an interesting fact, is that one of the biggest threats to any IT system is people and I think you talk about it throughout your book and in various examples about the risk that essentially people are to your own IT systems.  I know this is kind of a large open-ended question, but where do you see these threats coming from as it relates to people being the threat to the systems?

 

NW

            You look on the FBI’s annual report of reported cybercrime.  The top four are generally related to somebody doing something stupid, usually an employee.  Clicking on a bad email, falling victim to a financial fraud crime.  It’s almost always somebody being convinced to do something they wouldn’t necessarily do normally, and we call that social engineering.  So a hacker uses social engineering techniques to convince your employees to do something they wouldn’t necessarily do.  It could be clicking on a bad link.  It could be accidentally wiring or paying a vendor to a wrong account, you were convinced that somebody changed an ACH or a wire account number.  It’s doing something that you wouldn’t normally do and some social engineering attacks, I mean these attacks are very broad.  We generally call those phishing attacks and they just throw out a net and see who enters the net as they try to catch them, and some of them are very targeted that they go after a CEO or they go after a CFO or somebody inside the organization that has some power to make some big decisions.  But in the end it’s all about somebody making a mistake and that’s what hackers want to do.  They want to create the sense of urgency.  They want to convince you that you have to do it right then and there to resolve a problem for a customer or a vendor and they do it very convincingly.  And that’s our biggest threat is because people are the ones using the computers and most cyberattacks, most problems today are because somebody made a mistake at some point along the line.

 

ZBP

            So I will tell you that I actually had what I would equate to being a social engineering phishing attack occur to me very very recently and it wasn’t just me, but so when we have the Federal Courts here in the United States, especially the trial courts, the District Courts use something called the Electronic Court Filing system ECF, and it’s very common and used in every District Court, Federal District Court in the United States uses this same software system and last week there was a phishing attack sent to thousands and thousands of lawyers across the United States that looked like an ECF notice from this automated blast and it said we had 24 hours to fill out some form and that there was a problem with a recent filing.  We had 24 hours to fill out some form and then, but then it didn’t actually have a link.  You actually had to respond back to get more information back and forth, and luckily for me, I was used as an example within my own firm because I received one of these emails, sent it to my IT department, but I will say I got notices from every single court system which I’ve ever filed with telling me, hey by the way . . .

 

NW

            Don’t do it.

 

ZBP

            There is this social engineering.  So luckily, luckily there was a warning from the ECF system, but I thought, how many lawyers clicked on this link thinking I’ve got to get a form filled out, I’ve got 24 hours to do it, creating that urgency you talked about.  And it looked, I don’t want to say it looked exactly official, but it looked official enough that if was hustling and busy and trying to get everything done, I understand how some people could have responded or clicked a link or did whatever they needed to do.  And we talk about social engineering in the context of these phishing attacks, but really when I started to think about it, these sort of social engineering things have gone, I mean, the scams, right, that, which is what it is, these kind of things have been going on before even the use of technology.  People have been running similar scams, creating a sense of urgency, trying to urge people to do something they normally wouldn’t do, but it does become more prevalent, and I think it, I think it, the people are more bold or more risky because they’re not actually the ones on the front lines doing it.  They’re doing it now anonymously through the computer oftentimes, which I do think creates a whole host of other, of other problems as we talked about with these social engineering issues.

 

NW

            And I agree with you.  I mean it’s, it’s something that I think has been around since the beginning of time.  I mean, you think a couple hundred years ago it was a snake oil salesman that would come into town, convince everybody that they needed to buy this magic elixir and it was, but it was a one-on-one sell, you know, it was somebody doing something to maybe a group of people, but it was an individualized one on one sell or convince to that people.  Now, you know, with the power of technology, it can go out to every person that’s ever filed, like your example, to the ECF system.  And what’s worse is AI is making this much more powerful because those, and you just mentioned it, that the email looked quite convincingly right, and that’s what AI is doing, is it’s, it’s taking all this information that, maybe a hacker in Russia couldn’t form an English email quite as convincingly but AI sure can.  And that’s what’s happening is, is AI with the power of that technology to gather information and produce very convincing wording, convincing-looking emails or targets or websites or whatever it may be, it’s becoming worse and worse today.  It’s kind of, in that world, I get, I get nervous and scared because it’s, it’s, it’s really crazy, some of this stuff.  I have a webinar I did a couple of months ago that we dove into some examples that AI is generating from a hacking standpoint and it is getting very scary out there.

 

ZBP

            One of the other things that we, you talk about in your book, and I can’t help but think about is the use of bring your own devices or BYODs that we talk about, and I don’t know for everybody but I can at least speak for myself that since the pandemic, I always had kind of a remote flexible work option, partially because of the way my practice is set up and designed.  I practice in multiple jurisdictions so it’s, there’s often times I’m not physically in the office because I’m somewhere else, and so we’ve had that flexibility but we’ve seen a lot of other roles and individuals and I know as soon as I say this, I know there’s going to be a push to get people back into the office by a lot of major companies and industries, but we still see a lot of work from home and we still see a lot of people using bring your own devices to work from home.  They’re using their personal computers and logging in various ways or people are using a personal cell phone but got their work email on it.  How are these risks, how do these create risks for the company because I, I know they do and then what can companies kind of do to kind of address those risks or mitigate the risks when we, we’ve got this kind of flexible work environment with bring your own devices and it kind of just gets, the lines between work and personal kind of get blurred.

 

NW

            It was definitely scary.  You know, COVID sent people that were unprepared to work from home and that’s, that’s what caused a lot of problems in our industry is people were working on their kids’ laptops they might have received from school just to get their work done.  I struggle with the BYOD, bring your own device, from a corporate standpoint.  I really don’t, I don’t subscribe to companies allowing individuals to use their own devices from a laptop perspective, laptop or computer perspective.  Phones are okay because there’s a lot more control that we have over the apps on the phone and the data that can be stored and downloaded there, but there’s, there’s so many issues with individuals using an email program or doing work, Word or Excel work or application work on their own devices because that data is stored on those devices and you don’t, as an organization, you don’t have a security policy that you can build around that device.  So working, my recommendation for businesses is to give people company-owned devices that can be controlled in the company infrastructure and protected that way.  And we’ve seen so many instances where that has not happened and data has leaked, whether it’s Social Security Numbers from the federal government employee downloading millions of Social Security Numbers on their individual devices.  I mean that’s happened multiple times.  I feel like every year we get a story about that in the news.  But it’s, I think for businesses it’s also scary.  
When you think about confidential data that businesses have, whether it’s employee data, potentially customer data, things like that that could be stored on laptops, and people say well it’s in, it’s in the web browser, it’s in the application, but how many times can you, say, print to PDF and suddenly you have a PDF document that’s stored in your downloads folder of confidential data and so to protect that from an IT infrastructure is very difficult if you don’t have those tools on all the devices you’re running on.  So if you, if you are allowing people to use their own devices, my recommendation is to set up a virtual environment and allow users to remote in to those virtual environments and then keep the data stored in that, in that virtual environment.  Microsoft has done a great job of bringing this down easy enough that all businesses can afford it through their _____ virtual desktop.  That’s our recommendation.  IT businesses, departments can set up that environment pretty easy and then you just pay as you go, pay as you use it.  And that way you can remote in even from a web browser.  You can get your own desktop.  You can have that protection around that virtual environment and then there’s no data that’s stored on the computer that you’re accessing it from, so that’s our recommendation if you, if you really want to allow bring your own devices, set up a virtual environment that where work is, and when that, once that’s disconnected, then there’s no data that went back to the other computer so that, you have that protection in place, that, that disconnect.  So that’s our recommendation.

 

ZBP

            Now one of the other things that you, you talk about in your book is we’re talking about working from home and remote work options, is that there had to perceived at least general problems with remote work in the industry, and you see it as (1) kind of a lack of productivity and (2) difficulty with team engagement.  And I know at least with the first one, the lack of productivity, sometimes people think if you’re not physically here, then you’re not working, and so, which I know is not necessarily always the case but there is at least that perception, and then there is an issue with team engagement because you don’t necessarily have the same talk around the water cooler or on the trip to the bathroom or bumping into somebody in the hallway.  How do you kind of see organizations and your own clients and then you as a business owner, right, who may have some of your own employees working from home or working remote, how do you kind of grapple or wrestle with these challenges?

 

NW

            Yeah, that’s a great question.  I’m actually speaking to a couple of groups of CEOs this week and we’re going to spend a bunch of time on the remote work in those workshops.  It is a, it is an interesting thing because a lot of businesses have kind of a little bit of whiplash of, okay everybody can work from home or hybrid and now we want everybody back into the office.  And in these workshops, I try to bring in latest articles and studies and Harvard Business Review just released one that I thought was very interesting.  A company called trip.com that’s an online company did an A/B test of a group of workers and the A group had to work 5 days in the office and the B group could go hybrid.  They had to still work, come to the office a couple of days a week but the other days they could work in the office.  They did this over an extended period of time and they found, two things they found that were interesting.  One is productivity was actually higher with the group that could work hybrid, so it was about a 2% improvement in productivity with those that worked in a, from home when they could or went to the office, which was, I think that statistically it’s probably equal.  I mean a 2% increase in productivity is not dramatic, but it didn’t fall off.  I think that’s the biggest takeaway from it.  The one that I thought was interesting was they had a 35% better retention of those that were allowed to work hybrid.  And I think as business owners that’s, for me that’s one of my biggest concerns is retaining great talent and being able to source talent in multiple locations outside of our normal headquarter area.  I mentioned in the beginning of the call that we have 5 offices across the country.  Technically most of my staff is remote from me.  
I mean, I, I have about a third of my staff based here in Las Vegas, but I, I work from home and a lot of my staff work either from home or hybrid, and, but everybody in one of my remote offices is remote from me and I still have to manage a lot of team members.  I recently hired some key positions inside my company, a new CFO, some network engineers, and I decided to open the search up nationally.  They weren’t, I didn’t need them any specific place.  I needed them to be able to travel if needed, so I wanted them close to a major airport so they could travel but I didn’t need them in my office anywhere.  And I got better candidates and I found the people that I really wanted to work for me and they were all in locations I didn’t have offices but it’s working just fine because of that.  So I think as business owners, we, we need to be open to a hybrid environment.  We certainly can’t have manufacturing done in people’s houses unless you’re building little small toys that you can send them packages and they send them back potentially, but there’s certain jobs that you just will never be able to do.  Customer service, retail sales, manufacturing, construction, those have to be all done at a certain location, but the knowledge work, I think that it can be done in, in this hybrid or remote environment just as successfully but it takes intentional effort and that’s what I preach is, as leaders of the organization, we just have to be intentional about how we manage the teams, how we work with the teams, how we collaborate together, and as long as you’re intentional about it and you’re building the right programs in place, the right communication systems in place, I think it’s very powerful and you can have a happier workforce because they can develop a little bit of work/life balance, especially maybe taking kids to school.  
You don’t want to lose a great employee because suddenly they have to pick up their kids from school at 2:00 o’clock in the afternoon and it’s just not a possibility, but giving that flexibility of allowing for that and say well if you pick up your kids at 2:00 o’clock in the afternoon but you work from 5-6:00 o’clock in the evening or you just get your work done, that the expectation is get your assignments done, I, I find that it’s just as effective but you have to be intentional.  You have to put a program together that makes sense, and if you’re not intentional it doesn’t work, but as long as you develop that system, it, it can work really well for you.

 

ZBP

            I have seen, especially over the, the recent years, a similar kind of trend I would say that you’re talking about with the hiring because especially with, I’ve seen certain firms especially if they’re very large firms here in the United States, open up their searches that you’re talking about where they, they don’t even have offices.  This firm may have offices on the West Coast and East Coast or vice versa and they’ve got no offices in the middle states but they’re starting to recruit people to work from home entirely because they don’t necessarily need these lawyers to be in meetings or they don’t necessarily need these particular lawyers to be at hearings or if they do, they can always, they can always travel like you said for those limited purposes.  But we’re starting to see some firms recruit entirely remote workers out of jurisdictions that they wouldn’t normally be looking for, and then you’ve seen other firms who, of similar sizes, saying hey guys we want you back into the office.  And so it’s kind of this whole trend, but I do wonder and we’ve, we’ve talked and a lot of people in the legal industry have talked about how do you, ‘cause what happens is we start to compete for much, with much, much larger firms who may be hiring a remote lawyer here in Columbus, but they’re working, they’re technically working out of the LA office.  And now all of a sudden we’re competing with those LA firms for talent who’s sitting here in Columbus, so it, it does present challenges but also opportunities, which I think is wonderful.  Now one of the things I know that lawyers have talked about extensively from our perspective over the last 10, 15 years is cyber liability insurance.  
It seems to be a huge topic, (1) because as lawyers we’re risk averse to just about everything, so when it comes to our jobs, we, we’re worried about having our own cyber liability risk, and then there are, when you have insurance, usually there’s a loss, and sometimes lawyers get involved in helping clients deal with the loss or potentially prosecuting when somebody does have a data loss or a data breach, and so it’s one of the issues that you talk about in your book and if you could, from your position in the tech field, explain, kind of explain to me and my listeners or our listeners about how you explain cyber liability insurance and the importance to your own clients who may be inquiring, with the understanding I know you’re not an insurance broker, you don’t run an insurance company, but I know it’s one of the things you talk about in your book.

 

NW

            Yeah, I talk about it because the, it’s the last stop, right.  You know, because we, as cyber experts, as IT professionals, we can’t be a hundred percent.  If somebody comes along and says I’m going to protect you a hundred percent from hackers, they’re going to be lying to you because there’s just no way.  There’s zero-day attacks that we, things that we don’t know about that hackers know about that they can take and cause problems with, so cyber liability and employee theft insurance are essential for businesses to have a lot of today and it’s, it’s now more important, I think, than general liability insurance because the likelihood of your business building burning down is much lower than you getting hacked today.  So protecting yourself properly from these cyber attacks and employee attacks, employee mistakes, is really important so again I’m not an insurance broker.  I’ve talked to a lot because we have to fill out a lot of these forms.  Our customers call us up and say hey I’m renewing my insurance policy, my broker sent me this form, help me fill it out.  And I’m grateful that they call us and say please help me fill it out because some companies go, oh yeah I think we do all this stuff and check all the boxes and, and then they sign this attestation saying that they’re doing all these IT measures and they may or may not be doing them, and so what we’ve seen in the industry is a reversal of insurance companies just being willing to pay out and take care of their clients to going in and saying were you really doing these X items that we require to give you this insurance.  Were you performing updates on your computers?  Did you have next generation antivirus?  Did you have a multifactor authentication policy implemented across all your systems?  Were you encrypting all your data?  
There’s a lot of questions on there that are major IT infrastructure requirements and if you’re not doing it, (1) they may not pay out your claim, but (2) they may turn around, I think as you were alluding to, and sue the company that filled out that attestation for insurance fraud, and we’re seeing a lot of lawsuits.  I’ve never had a client do, do this but there’s a lot of news articles if you do a quick search.  You’ll find that insurance companies are suing their clients for insurance fraud for filling out those attestations incorrectly and saying that they’re doing these things just to get the insurance and then they’re not.  So it’s really important (1) to have the insurance, but (2) to back it up with the actual work that’s required to do that insurance, and these insurance companies are getting stricter and stricter each year on renewals.  Before it was just a, you had to have a password policy and you’re updating your computers, and now to even get almost basic cyber liability insurance depending on the industry you’re in, you have to have top of the line cyber policies and systems in place to protect the environment from, I’m going to throw out some acronyms here but EDR, which is enhanced antivirus; MDR, which is managed detection and response; a 24/7 security operation _______ during all of that; two factor authentication which I mentioned before.  These are things that are really good IT policies but now they’re becoming required because of cyber liability insurance and compliance.  We’re seeing that compliance is getting deeper and deeper into different industries.  There was a big thing a couple years ago that the Gramm-Leach-Bliley Act was implemented across car dealerships.  
The FTC came in and said that car dealerships now are treated as banks and they have to implement all of these things that banks have to do, and so we’re, we’re just seeing from a compliance perspective, from insurance perspective, that companies are now more and more required to implement these policies and systems to keep their networks safe because insurance companies are tired of paying out claims for lackluster work that IT people are doing, which companies are doing.  IT people, I think, want to do the work and sometimes it gets expensive and the companies don’t want to pay for it ‘cause it is expensive to do this stuff.