On this edition of the Advisory Accelerator Podcast, I connected with Shawn Long, the CEO at ViLogics, to discuss how his firm partners with CPAs to help their clients better manage their cybersecurity infrastructure.
The threat is real, and there's quite a bit of accounting firms can do to help their clients mitigate this incredible risk. So take a listen and learn more about what it takes to accelerate your firm's advisory potential.
- Shawn Long, CEO of ViLogics, shares his company's approach to providing businesses with a turnkey solution for protection against these threats.We explore the landscape of cyber threats and discuss how AI and automated hacking techniques have made it easier for cyber criminals to target businesses of all sizes.
- We delve into the importance of multiple layers of protection in cybersecurity, using the metaphor of a fortress with firewalls, VPNs, and endpoint protection as various layers of defense. We also discuss the role of social engineering in cyber attacks, using the MGM Las Vegas attack as an example.
- We navigate through the complexities of assessing compliance and risk requirements, a crucial first step in understanding the scope of cyber threats.
- We shift our discussion to the economics of cybersecurity, examining endpoint security pricing and packages and the shared service model as a cost-effective approach to high-level security.
- We tackle the challenges of recruiting and retaining cybersecurity experts, highlighting the importance of having a team of specialists available 24/7 to monitor and respond to threats.
- Sean introduces us to ViLogics three packages - TSO Light, TSO Standard, and TSO Enhanced - which are designed to meet a variety of needs. He explains how the pricing model works and how it offers flexibility for businesses of all sizes.
- We emphasize the importance of cybersecurity and monthly governance in maintaining a secure digital environment. We also highlight how ViLogics assists organizations in getting onboarded and safeguarded from cyber threats.
- We discuss how cyber criminals are able to target unsuspecting organizations, regardless of size, and the serious repercussions of their malicious actions.
- We delve into the steps that organizations can take to protect themselves from cyber threats, with Sean providing insights on how to create a fortress of protection through different layers of security.
- We conclude the episode by exploring how the pricing models associated with cybersecurity services can work for businesses of different sizes, and the process of getting in touch with a sales representative to learn more about ViLogics' services.
(AI transcript provided as supporting material and may contain errors)
Jeff: Well, hello again everybody. This is Jeff Pawlow, and I am the president of the engineered advisory family of companies and your host for the advisory accelerator podcast, a show that works to help CPAs become more advisory minded in their practices. On today's show, I am happy to welcome Sean Long. He is the CEO at ViLogics, who will help us navigate the incredibly complex world of cybersecurity and how technological threats are becoming more prevalent and worrisome. As a CPA, I'm sure that you've had clients who have turned to you for advice in this area, so I'm really looking forward to the conversation today. Sean, welcome to the advisory accelerator podcast.
Shawn: Oh, thank you very much, Jeff, and I'm looking forward to this conversation.
Jeff: You know it's interesting how often I am hearing CPAs talk about how often they are hearing their clients approach them about some help in the cybersecurity area. So maybe we can start today with you giving a little bit of background of your firm, what the need was in the market that you sought to fill, and then we can get into some of the nuts and bolts of what's actually going on in the threat environment out there today.
Shawn: Oh yeah, sure. So originally I started back in 1996. We actually first got into the IT business being a actual healthcare claim processing at a clearinghouse. So back in the early days we're still using modems and dollops and all that stuff that some people might not even be familiar with today. Security wasn't really a big thing. Right, it was a password because there wasn't any internet, there wasn't any true exposure to what we have today. And so having that understanding of healthcare and how, even before HIPAA was around and the security around it, that kind of how we, how I, developed this into ViLogics, as always being a kind of a security mindset first approach for anything that we do related to IT, and it really is a mindset, isn't it?
Jeff: And I think that's evolved, where I think in the past it was like, hey, you hire somebody to kind of manage this and you forget about it, and the complexity of whether it's a phishing scam or some type of active hack or anything that's going on there just becomes more and more sophisticated.
And you've got the stuff that's kind of cringy meme worthy where our entire organization received a message from me that I needed them to run out and buy some Apple gift cards, and I think everybody's to the point where they understand, hey, that's not legit, right?
Although I did have a few people reach out to ask me how many I needed them to get. But then you've got the stuff that is just uber professional stuff that even somebody that has a mindset and I think I'm pretty savvy on this there was one that was set out from my bank and it was so well done in terms of the email address masking and the quality of the email that I received. But I just kind of thought at the end of the day, well, I don't think they would reach out to me for this in an email, and I called and sure enough, it was a scam, but I'll tell you what that's me and I'm paying attention to it. I can't imagine how many people actually get caught up in that. So maybe talk a little bit about just what you're seeing in the threat environment out there and educate our CPAs on what their clients might be experiencing.
Shawn: Yeah, so obviously the whole threat vector we call this tax surface as you refer to it, which is the technical terms, obviously is evolving faster than as we're speaking. It's evolving right. So what I say, even on this call, will probably be different by the time we're done with this call. And one of the biggest things we're seeing, which is really the scariest piece, is the use of AI, artificial intelligence. So we're getting to a point now where, you know, traditionally there was some team of people or could be a lone wolf type of hacker out there. Now it's really just being done automated, which is kind of scary in itself to think about.
So obviously the only way to fight fire is with fire, right? So we're saying that you know all these, you know ransomware attacks and so on, and the mindset of I'm too small to be of a valued target. Well, that's not true anymore, because the fact that they can just do gross canopy, you know hack deployments, be it whatever fishing, spyware or you know, you know directory harvesting it's irrelevant because they're using just the volume approach. If I submit 10 million attacks and 3% hit, it's a good day at the office for them and you could be just a small, you know 15 person organization, be whatever, a warehouse or a small bar, restaurant, and it affects you, right, if you were out of business for two or three days or a week, it affects somebody small at that size a lot more than does even larger because, just as simply as a you know, they're living that day to day operational cost. Right, they don't have cash flow like some of the larger organizations.
What we're seeing is right is how do you bring enterprise solutions that they need at a cost point that is effective for even the five person organizations? And that's kind of where we focused on them was how can we make this very complex, very dynamically, very fluid situation as easy as possible and consumptional as possible for the customer? And that's where we come out with what we call TSO, total secure office, and we kind of give them the you know the turnkey solution saying hey, how can I get protected and what's my cost? And we've broken that down into a simple you know so many dollars per month, per endpoint, and so hopefully it gives them a very fixed costs, fluid, you know or dynamic cost also so they can grow or shrink with it as they need.
Jeff: And that's interesting because the CPAs work with clients that are of all different shapes and sizes, so the ability to kind of scale up and down based on a solution that would make sense for the revenue volume of a particular client makes sense. Let's talk about what you do inside of that environment. Obviously, data management would be a big piece of that. I know you do some threat protection and the ultimate goal is data loss prevention. So that's a big piece of this.
Shawn: Yeah, I mean, we kind of refer to it the seven layers. Right, we look at this as a fortress, right? Obviously, the whole goal is to not have the enemy penetrate your fortress, but the fact of the matter is right. We have to be prepared that we have multiple layers of protection, be it firewalls and VPNs and people a lot of CPAs or customers were referred to, as you know. Those are all pieces of the puzzle to prevent force entry into your environment. But also, but at the same time, we have to deal with the fact that, you know, 87% of the breaches are still occurring because of human interaction. Right, it's just half, it is what it is.
Right, they get tricked into a clicking on a link. They go to a website that they thought they're going to. It was the wrong website. They enter in credentials into a website that they thought was the right website but it wasn't.
And then it starts, just for example and I'm sure everybody, most people, heard of this the one in Las Vegas. They had a big MGM and them had a huge event and the actually was caused by somebody pretending to be an employed MGM contacting the help desk and were very good at social engineering and actually got the technician or technical support rep to give them credentials and elevated permissions and left them basically unlocked the door for them. So I mean, wow, when those events happen, that's why you need that alter or you need them additional layers, right? So in case that event happens, you still have, like endpoint protection and and syslogs and all this stuff being recorded. So you're seeing an events that, should they penetrate the fortress and should they get inside the castle, you still can have a somewhat of some security level of detecting that somebody is, that's inside of your environment. It doesn't have the ability just to freely roam around inside it.
Jeff: So the fortress is, let's do everything we can to keep them out. But then inside of the fortress, if the window has been left open and somebody has managed to penetrate the system, then let's have some redundant systems that are looking for behavior that might not be routine or what have you, where we can identify something and hopefully stop it sooner than later.
Shawn: Correct. Correct. I mean, one of the biggest things we've seen and I think IBM had it was this is less than a year ago. The average time to detect was almost 240 days. So a lot of these systems and this happens a lot of systems, you know they've been breached and it just kind of sets there like a Trojan horse, right, just sleeping, to be executed upon whatever they feel is the right time. Those type of things happen.
That's where you need to be able to have those additional protection mechanisms in place and be able to say, ok, we know that, we detected, the window was left open, we detected that. Right, that's detecting that there's a gap in security, but also detecting who came through there and what came through there and where did they go. And once we and then we track them. So that's where you get into vectors and start to do detection of like thread hunting. So, ok, not only did I sense which way they came in, I also can tell you exactly where they walked and exactly where they stopped and exactly where they're at today and stop them and then also go back through and make sure that they didn't leave anything behind.
Jeff: So let's walk through the life cycle of building a relationship with the vi logics. So you're working to get to know our CPA firms that are members of the accelerator. You know big part of the conference, nice presentation, and I'm a CPA that says you know I'm getting these questions all the time. I need a partner that I can turn to to help my clients with these issues and I've made that introduction. Take me through what the experience is for that client. Is there an initial assessment, like how does the whole thing unfold?
Shawn: I mean generally. The recommendation would be do the initial assessment, find out if there's any compliance or risk requirements that they're looking to satisfy, be it SOC2 or PCI, hipaa, nist. If there are DOD customers that work with the have DOD. We have a lot of manufacturers. There's a new product or new requirement out there called CMMC, so we try to identify that first right. So, okay, let's work backwards and try to make sure that we understand exactly what your compliance and reporting requirements are. So we've got to incorporate that into it.
The next phase we would say would be, obviously, get a understanding of what your actual layout is. Do you have one location, six locations? Do you have remote users? How many come in? How do they access systems? Do you have stuff in the public cloud? And then we start to formulate basically a solution and then I would say, if they're once, they're really okay, I understand, I got a rough order. You know wrong we call it rough order of magnitude what this would be entailed and what it would cost. We would recommend a true penetration test so we get a true look at your fortress and see if there is any windows open and start to do some analysis there and say, hey, these are immediate stop gaps that we would recommend and then we would talk about. Okay, this is how you know.
Obviously this isn't a big bang theory. You just roll a software package out and it protects everything. It is absolutely a you know, a formulary that's specific to that customer and it gets rolled out in phases because security does have to be turned on piece by piece and tweak, because obviously we can't limit the customer's ability to work, because that's probably one of the number one reasons that security programs that get initiated end up blowing up is because they try to do too much too fast. It impedes on the end user experience and then all the pushback from the business side comes back and next you know you're backing off your security and that's obviously not a win situation for the customer. So that's, it's a very methodic approach, but it's. But it is very I want to say it's boutique, but it is very unique to each customer and it's all based on all these different identified requirements and, as I said, like locations, number of users, number of remote users.
Jeff: See, I think that's a pretty savvy observation as well, because it's one thing to build the fortress, it's another thing to convince everyone to live inside of it, and you know somebody who knows what they're doing. I think is taking that into account. It's not just the physical infrastructure, the fix, if you will, it's also the cultural evolution where, hey, these are the new rules and behaviors that we need to live by in order to make this work. And I think you're right, we've seen instances where people have gone too far, too fast, and I've got to do multiple logins and multiple times a day and people kind of throw their hands up and to say the juice isn't worth the squeeze and you, like you said, you end up backing off of that.
The fact that you kind of take that into account in your engagements. I think is pretty astute.
Shawn: Yeah, I mean, obviously it's only going to be as good as the end user accepts, and obviously you have to have employees, you have to have people be able to do their job, and obviously we can't impede performance, but at the same time so that's the goal of it, right Is to try to make security as transparent as possible but still effective, and there is an art form to it, but it is doable. And the other piece of it, too, is just end user training. Right, doing the phishing trainings and bringing people up to speed on making everybody in your organization be a stewardship they have to become a steward of that security mindset, right, there's no different than the TSA saying, hey, see something, say something. It's kind of that kind of having that idea, playing like I don't live in paranoia, but I also say, ah, you know what? This was a weird email, I didn't like this. Right, I need to send this over for somebody to look at.
And that's what our team does. Right, we always are analyzing customers' data and customers' emails and customers whatever it is SharePoint folders and say, hey, okay, yeah, I see what you're saying, let's go look at it. No, it's good, we validated it. Or, you're right, it's an encrypted ransomware that got infected. And then on top of that, we just don't kill it right. We also identify how did it get there right? So we're looking at the root cause, just not the effective cause.
Jeff: No, that makes sense, and it's amazing how you do have to bring that culture along, because it's not write the check and forget about it. It's write the check and you actually have to go to the gym to do the workout.
Shawn: Yeah, exactly, you're going to have to do the reps.
Jeff: So let me ask you that and you mentioned this early on but the challenge is how do you bring the amount of expertise that every firm needs? I mean, if you're a 15-person firm or you're a 1,500-person firm, the expertise that you need is the expertise that you need. I mean, people aren't coming to the smaller firms and say, hey well, we'll take it easy on you and only use our dated tools to hack you. Everyone's coming at everybody full bore. So talk a little bit about the economics. How does your model price and how do you make that work for a 15-person firm? And the same way, you make it work for a 150-person firm.
Shawn: Well. So basically right, from our perspective, this is almost like a shared service. We have security experts, engineers all the expertise that you would need in a Bank of America Chase Bank environment, and I'm sure they're sitting there managing about 50, 60,000 endpoints. We're doing the same thing, except our endpoints are 15 over here, 20 over here, 30 over here. So to us it's no different, it's still just managing endpoints. Yes, the customer's requirements are a little bit different. They have different applications. Somebody's using a Dropbox, the other one might be using just a box, other ones might be using Azure, some might be just using Google. So there is those caveances, right, but at the end of the day, it's a endpoint or a cloud offering that is managing data flow, and our systems are organically designed that they start to learn the way that each one of the customers data transpires and moves and shifts, and so when it starts to fall outside of those norms, that's when it gets detected as OK.
This is an abnormal event. Let's look at it. It could be just a fluke or it could actually be. There's something going on here and that's where the differentiator is and that's how we can bring that scale of economies to these organizations, to get that Bank of America security posture, obviously at a lot economic standpoint, of only having to pay for 15 versus 50,000. And the point of it is the biggest thing and we're still all struggling with this. Doesn't matter what business you're in. Is the human resource factor right? It's just keep getting people, training people, staffing people, keeping them on. You know, we bring that value proposition that we have the ability to bring these expertise and these higher level engineers that most organizations even of a 2,000, probably have a hard time to not only recruit but retain, and so what I'm hearing is it's really the price, is really a function of the endpoint.
Jeff: It's all based on endpoint. So that's an easy calculation. It's easy math.
Shawn: It really is. It's easy math and that's the whole point of it. Right, you gotta be simple, you gotta be easy understanding. We basically have three packages. We kind of broke it down. So, hey, we got TSO light, tso standard and TSO enhanced. So and here's, you know, here's the matrix, here's what you get in TSO light, and obviously you know it's the bronze, silver, gold package.
Obviously, we're most of our customers. If they start with light, they end up with standard or, most likely, end up with enhanced. If they, you know, are price conscious, they can start with light. At least they're getting something right. They're getting that 70, 80% maybe. At least they're way better off than they were when they started. And once they build a comfort level and say, oh, wow, okay, I get it, I see the value, hey, I like to get this. Yeah, we can protect you for that, and that, you know, and they kind of, it's just a natural progression.
So the whole goal of it is to make sure that we're meeting what the customer needs, not what we're trying to sell them. And you know we've done this long enough that we know exactly what the minimums are. So here's the TSO light. This will get you going.
And then you can always say, okay, you know my requirements have changed or I liked I'd feel a lot better if I had a little bit more. You know better security posture with my organization. You know my data's a little has changed. It's I like to see a little bit better protection or better reporting, and then it can select different plans. But the thing about it is it's all based on endpoints. So you know we have customers that you know they go up to 90, they go up to a hundred and end of season, whatever their business is, it drops to 75, they do a change order and they back. So that's the other value of it is that it does give them pricing elasticity to their organization so they're not married to a, you know a shelf wearer if they had to go out and buy it and then they're, it's sitting there and not being fully utilized.
Jeff: Okay, so if I'm one of the CPAs listening to this and I'm saying you know what I think this would, these guys would be a great trusted partner. Or maybe I met you at the conference, or whatever the case may be, do I reach out to you, like, what's the path? Like, do I reach out to you for that initial conversation? How do you want that to work?
Shawn: Also, so we have sales reps and we have our, you know, account executives and we have our SES, our sales engineers. Generally, what happens is with our other, with any of our other customers that contact us they, you know, they contact us. We schedule a discovery call with them. We kind of go through exactly what we kind of are talking about here packages, what we offer, what are you doing today? Do you have a current partner? Do you have a current provider? Do you have gaps? Number one did you have an event? Why are you on the phone with us today?
80% of the time they had something just happened, right, it's like hey, I just, you know, my girl at the front desk is wired 100 grand to the wrong bank. Okay, we can help you with that, right, can't help you with the 100 grand, but we can help you that she doesn't do it again. That's a tough lesson. And then basically, we just basically formulate an official quote to them, say here's the official quote, they agree to it. And basically we kick them over to a project management team and we start the implementation and that's. You know, they schedule the you know, the agents.
We generally what we'll do is we'll put agents out there. We like to put agents out there for like 30 days and put them in what we call listening mode. Only To my point is we just want to go on there and start cranking you know, putting the crank on all your doors right and not having them be able to open and we come back and say, okay, here's what you look like, here's what your environment is currently at, and if there's right now current issues, you know we can sanitize that for you. We call it, you know we'll sanitize the environment and say, okay, you're clean, you're good to go now. And this is how we start to turn on all the security functions and features.
Jeff: And then we slowly just turn it on over the next 30 days and pretty much you you move into basically run and maintain mode, I think that's the thing that impressed me the most as I started to learn more about the ILogix is just how formulaic it is to getting people set up and onboarded and put them in, and I think that will resonate well with the accountants. They are very work paper oriented in terms of processes and procedures and methodologies and you've got a very similar approach. So you guys are kind of speaking the same language in terms of how you execute what you do as a core competency. So, sean, anything else I mean no, I think it's pretty straightforward.
Shawn: I mean, I think some of our biggest successes have been like the large organizations that had some IT resources in house and are just overwhelmed or over consumed with just that day to day. You know, the printer doesn't print, the Wi-Fi doesn't work, the laptop won't fire up and we have found that we've been a true asset to organizations that can, we can come in and just take that security piece off of their plate and give the owners be it the you know, the partners or the you know or the board members, whoever it is, depending on how the organization is structured that true independent third party piece of mind that they know that there truly is somebody, 24, seven, 365, watching their environment. And I think the biggest thing we bring in we always try to stress this we do a thing called monthly governance with every one of our customers. We're a strong advocate of it because our goal is to make you know the old saying teach you to fish, not feed you fish. We want to make you very and the customer very aware.
This is exactly what we did for you this month. This is how many attacks we stopped, this is how many attacks were attempted, and we have all those analytical tools and all those reports that are. It's like it's very factual, right, it's not to scare you, it's just for them to understand, like this is exactly what's happened, what's been happening on your environment, on your firewalls, onto your email accounts, and you know it's sobering. Right, it's not a threat, it's not scary, it's just like wow, you know, I didn't think I was, I'd be that you know of a target, but you are. If you're on, if you're on the net, internet, you're a target. That's the bottom line, doesn't matter what size you are.
Jeff:And that's the perfect way. Yeah, just a perfect way to wrap things up If you're on the internet, you're a target Period, that's, it Doesn't matter how big you are, you're in the crosshairs.
Shawn: I had a one lawyer firm and with a secretary to front desk and somehow they compromised his email and a wire transfer went through and it didn't go through and so it was not a good situation. And then we had if you've ever heard of Marine Maxx, a big boat broker dealership, working on a case right now, where the buyer bought the boat wired the money to Marine Maxx. Marine Maxx wired the money to the broker, gave him his commission and then went the wire of the money to the seller and he wired it to the wrong place and so the guy that bought the boat wants his boat. The guy that owns the boat's not giving him his title until he gets his payment. So it's just a very ugly situation that can be avoided and unfortunately it's nobody's fault. Right, there's no intent, there's no evilness to it. It's just that somebody made a mistake, wired the money. We're tricked into what they changed the bank account, wired it to somebody that they see what happened. Was they seen the wire come through? They knew that there was a transaction in play. They see the emails go through. So they knew that there was another wire going to come and they basically played right off of it and tricked them into changing the bank account for the remaining balance.
And, as they say, the rest is history. And so that if there's anything to you know, once again you got. You're going to have a bad customer right To a business right. One thing we don't want is bad customers right, and that's a way to get bad customers right. And then who's going to eat that? You know, half a million dollars. I think it was actually more than that, it was like over half a million dollars. Somebody's going to have to eat it. The insurance companies won't pay for it because it wasn't criminal mischief and it wasn't the employee theft, so there's no coverage for it. So it's just a. We try to avoid those situations like that Makes sense.
Jeff: Makes sense. And her Sean thank you so much for taking the time. I think this has been pretty insightful. I know the CPAs are being asked about this. You've got an incredible solution that can help the CPAs help their clients really take themselves off or out of the crosshairs if you will build the fortress that you talked about, and I just appreciate the good job that you're doing for our clients. So thanks for taking the time this afternoon and I appreciate having you be a guest on the podcast.
Shawn: I appreciate it, Jeff, and I look forward to talking soon. Take care everybody.