In this episode of the Pivoting To Web3 Podcast, Donna Mitchell interviews Steven Cook, founder of Strategic IT Services. With over twenty years of IT experience, Steven discusses effective and affordable cybersecurity measures for businesses of all sizes. He covers the impact of AI on cybersecurity, the necessity of proactive security strategies, and the use of tools like password managers. Additionally, Steven emphasizes the importance of disaster recovery and business continuity planning. This episode provides valuable insights for entrepreneurs and individuals aiming to enhance their digital security in the Web3 era.
On today's episode of the Pivoting To Web3 Podcast, we dive deep into the crucial realm of cybersecurity with our esteemed guest, Steven Cook, the pioneering owner of Strategic IT Services. With over two decades of experience in IT, ranging from data centers at Boeing to high-performance computing and simulations, Steven brings a wealth of knowledge to the table. He discusses the accessible and affordable steps businesses of all sizes can take to enhance their cybersecurity measures, the impact of AI on cybersecurity, and the importance of being proactive rather than reactive. Steven also sheds light on the role of password managers and the significance of disaster recovery and business continuity plans and offers practical advice for entrepreneurs and individuals looking to navigate the evolving digital landscape safely. Stay tuned as we uncover the best practices for staying secure in the age of Web3.
About Steven Cook:
Steven Cook delved into high performance computing and simulations early in his career. Recognizing a gap in the market for affordable, comprehensive IT solutions, Steven launched Strategic IT Services about a year ago. As a managed service provider, his company offers a wide array of services including cybersecurity, backups, disaster recovery, and general IT support. From web development to computer repairs, Strategic IT Services caters to businesses of all sizes. Steven's mission is to debunk the myth that robust cybersecurity is prohibitively expensive, providing tailored support for clients ranging from solo entrepreneurs to large corporations with up to 200 employees. His expertise ensures that even the smallest businesses can achieve reliable and cost-effective IT security.
Connect with Steven Cook:
Website: https://strategicinformationtechnologyservices.com
LinkedIn: https://www.linkedin.com/company/strategic-information-technology-services
Facebook/Meta: https://www.facebook.com/strategicitservices/
YouTube: https://www.youtube.com/@strategicitservices
About Donna Mitchell:
Donna Mitchell is a tech-savvy podcaster and host of "Pivoting to Web3," where she delves deep into the world of Web3 technology and its transformative impacts on businesses. With her engaging broadcasts, she provides valuable insights and interviews industry leaders like Steven Cook, who spearheads a team in strategic IT services. Donna's platform features audio episodes and offers a collection of informative videos at http://Web3GamePlan.com. Her mission is to empower her audience with the knowledge and tools to navigate and thrive in the digital age securely and confidently.
Connect with Donna Mitchell:
Podcast - https://www.PivotingToWeb3Podcast.com
Book an Event - https://www.DonnaPMitchell.com
Company - https://www.MitchellUniversalNetwork.com
LinkedIn: https://www.linkedin.com/in/donna-mitchell-a1700619
Instagram Professional: https://www.instagram.com/dpmitch11
Twitter/ X: https://www.twitter.com/dpmitch11
YouTube Channel - http://Web3GamePlan.com
Want to learn more: Pivoting To Web3 | Top 100 Jargon Terms
02:17 - The Truth About Cybersecurity Costs for Small Businesses
04:28 - AI in Cybersecurity – Beyond Hackers
06:14 - Cybersecurity Basics for Small Businesses
07:30 - Choosing the Right Password Manager
10:04 - Why You Should Use a Password Manager
13:41 - The Reality of Cybersecurity Neglect
16:08 - Why Every Business Needs an External Cybersecurity Audit
17:19 - Beware of Small Hosting Providers
18:59 - The Importance of On-Site Inspections in Cybersecurity
Thanks for checking in the Pivoting To Web3 Podcast. Go to PivotingToWeb3Podcast.com to download and listen, or Web3GamePlan to check out the videos. Thank you. Good morning, good afternoon, good evening. Welcome to Pivoting To Web3. Today we have Steven Cook. And Steven is part of the Strategic IT Services, and he leads a team of talented professionals who are committed to servicing and protecting companies on the cutting edge. Their mission is to empower businesses to operate securely and confidently in the digital age.
He's been around for two decades. We started chatting a little bit. We have some similar backgrounds. He was on the aerospace. I was in aviation. He's done a lot of great work with AI, and I'm excited to have him here today. Steven, say hello to your audience and introduce yourself. Tell us how you got into cybersecurity, about your company, what you're doing, and why you wanted to be on Pivoting To Web3.
Sure. My name is Steven Cook. I'm the owner of Strategic IT Services. I got into IT working for Office Depot and Staples, fixing people's computers. Over the years, I moved up the ranks and I got working in data centers. I ended up managing data centers for places like Boeing. And so years ago, Boeing passed off some of their technical work, outsourced it to Dell. I was a Dell employee running the Phoenix data center for Boeing on the Dell side.
And then as time went on, I got more into high performance computing and simulations. About a year ago, I opened up Strategic IT Services, which is a managed service provider. We do everything from cybersecurity to backups and disaster recovery to managed IT services. We kind of run the gamut, everything from web development to fixing people's computers. And the reason I opened it was because there are tons of small and medium sized businesses that think to be secure from a cybersecurity perspective, you have to spend thousands of dollars and do all this stuff. The message is, yes, cybersecurity can be expensive, but there's stuff everyone can do everywhere from. I have some customers that are like a one person with one laptop, that they do embroidery all the way to larger corporations, over 100 to 200 employees. So the way you have to support them goes down because a little one person shop doesn't need, you know, all this fancy equipment.
Larger corporations need a more robust solution.
Is that something that you would offer in services? Can you give us some insight on what's happening, why that's happening, and what one can do about it to minimize it or avoid it?
Sure. So there's two different things. There's disaster recovery and there's business continuity. So when it comes to disaster recovery, what most people think of are backups. So you want to have a backup in case there's a flood or an actual disaster. That disaster doesn't necessarily have to be like a flood or earthquake. It could be a massive cyber security breach where you get hit by ransomware. In the ransomware example, the ransomware encrypts your entire hard drive, and they say you're not getting access to any of your files until you pay us this amount of money.
Now, if it's a personal laptop, it might be $500 or something like that. We've mitigated some cybersecurity events at large corporations where you're in the tens of millions. Sometimes it's better for a company to actually pay the money, and sometimes it's not. Just depending on the situation. Business continuity takes disaster recovery into effect, but it also comes with a plan. Normally, a business will have a business continuity plan if something happens. It's not only this is how I restore my data, but this is how I get my business back up and running once I have done that. So it's not just a technology piece.
It's across the business as well.
With the intersection of cybersecurity, AI, and everything that's happening with malware, how does AI play a part? Can you explain what the advantages are today that we didn't have previously, since we didn't have AI a few years ago, but it's a major player now.
So one of the biggest differences when it comes to cybersecurity with AI, most people think of hackers using AI to actually get in your systems, but they don't realize we are using AI to prevent it as well. A normal antivirus, if you go back 10, 20 years ago, basically they have a database of all the known viruses in the world. It'll scan your computer and your files, and if it catches one, then it'll go. What newer generation antiviruses do is they go and sit on your computer and recognize your patterns. Then instead of alerting when it finds a virus, it will alert you when something out of your normal pattern happens. So if you just use your computer like normal, and all of a sudden a bunch of files are being copied, a lot of stuff is being downloaded, it'll alert you some things outside of your normal workload pattern. So it's being used on the defensive as well.
That's exciting to know. So an entrepreneur or solo entrepreneur or smaller business, what do they need to do to protect themselves or to enlist services from someone like yourself in your business.
When I go to a business, the first thing I do is I run through this slide deck that I have, and it's the baseline things that you can do without any cost to get yourself at least a baseline share security mechanisms such as having strong passwords, such as setting up multi-factor or two-factor authentication, those are some things you can do with very minimal, if any, cost, no matter the size of your business, you can actually use that, get more cybersecurity, and if you need to, you can get more robust solutions such as firewalls or work with a managed service provider or something like that. But there's definitely some stuff, especially with small businesses, that you can do very easily to secure yourself because still to this date, your network is not being hacked. I mean, as often as people think, most of the time it's people getting their passwords. Credential attacks are still between 60 and 70% of cyber attacks. If someone gets your password, whether it's you clicked on something in an email, they were easy to guess. Or you use the same password across different accounts, like your Facebook is the same as your work stuff, but that's still the most common thing.
So I got a question, because a lot of us talk about this. There's these password managers out there, these applications, and some of them are more vulnerable than others. You can still see the password and some of the applications, you can't see the password. Do any of those password administrators or platforms really work when people are using Upwork or Fiverr or a freelancer or somebody that they have accessing their account to do any work? I mean, this is a conversation that's taking place, but it doesn't seem like nothing's really working. Can you share some insight on that, too?
Sure. So password, there's really two kinds of password managers, and what you want to use really depends on kind of how high your company spans, how many employees. For example, when it comes to password managers, you can have cloud based password managers and then you can have local password managers. Cloud based password manager is great for large teams. If you have teams all over the world, you don't want everyone individually having their own instance on their laptop, because every time a password is updated, then everyone's going to have to do it and stuff's going to get missed and it makes management really hard. So that's when it makes more sense to have a cloud. But if you don't have very many employees, maybe you have 10, 20 employees. It's a lot more secure to have the local one where you can say, hey, you know, send an encrypted email to the team, say, hey, we updated this password update your password manager.
So there's different ones. Like I said, there's cloud based ones where it's all online and yes it's encrypted and stuff like that. But by design the cloud is easier to get to than something that's behind your network just because it's on the Internet. Anything on the Internet is a lot easier to get into than something that's completely. I know. So there's different solutions. I've used KeePass in the past, I used LastPass in the past. There's quite a few of them.
A lot of people get wary because the databases can get hacked. It doesn't happen very often, but it does happen and that's the risk to reward ratio that you go over. Because what's more secure than the password manager that's encrypted and all that kind of thing that someone may get into, you know, maybe once every 10, 20 years or you know, you just having it in some Excel file on you know, your CEO's laptop or something which I've seen in companies over a thousand employees I wish I hadn't. But unfortunately there's still companies have a.
Little book I guess.
I've seen companies where the CEO not only has their like their personal passwords but they have the passwords to like their cloud infrastructure and all kinds of things. If someone all, they wouldn't even have to attack the company's network, they would just have to, if they could get in a phishing email or something to CEO and they could take down that company.
So before we go back to the entrepreneurs, the brands, the corporations, let's think of the personal side. People right now are having all kind of issues. What do you suggest that individuals do on a personal note to stay safe in all this digital transformation? Web2 to Web3, cybersecurity and AI. And digital transformation is just so much coming at the normal consumer. What do you suggest individuals do at this stage to stay safe in this world as we transition. Any key suggestions?
So the suggestions are kind of like what we talked about before. You have to have strong passwords and strong password.
Let's tell somebody that this audience learning.
To sure say that my rule of thumb is not to use a dictionary word. That is why you want to use a password manager. You're never going to remember a bunch of random letters, numbers and symbols, stuff like that. That's why you do a password manager. And so the baseline is you want to have capital letters, lowercase letters, and you want to have symbols. That's the basic. And the reason that you want to do a random assortment of those and not a word easily remembered is that most of the time when credentials are attacked, people use what's important to them, whether it's birth dates, kids names, their favorite sports team, and that kind of stuff. And that's easily guessable when it comes to social media, people can go on profiles and see support, see what your kid, you know, you put your pictures of your kids, you know, they can do all that.
So it's really easy to guess. For example, you could go on Google and just type in password list, and you could actually see, like, there's list 10 million passwords, common passwords. Even more than that, people can do what's called a brute force attack, which is basically, they just try one. If it doesn't work, try another one, and they can script it out. So it's not like they're doing it, but it'll automate it, and they'll just keep trying different iterations of passwords until it works.
Boy, that's scary. So there's a couple of things I probably need to change now to just speaking about that and some of the conversations that I have been in. Thank you so much for that clarity. Back to the corporations and what you do with your services. So with AI and blockchain technology and cybersecurity and everything that's happening now, what makes you nervous? Where have you raised your eyebrows and said, no, this cannot be true, this cannot be happening? And then I'd like to follow up on what is your wish list? What would you like to see happening?
Decentralizing, I think, is really good as far as blockchain goes. It puts the power back in kind of the user base. For example, one of the things we're looking at are smart contracts. That makes it where you don't necessarily have to go to a lawyer or go before a judge. For example, in the technical field, we use service level agreements and service level objectives. Let's say if a customer doesn't have a certain uptime during the month for their servers, there's usually a fee that the managed service provider has to pay because they're not meeting that contract.
Okay.
But large companies, in your monthly performance review client, they'll say you didn't meet this obligation, and so you might have a $75,000 fine or, you know, whatever you worked out with the client, with smart contracts, as soon as that contract is breached, or if we were designing a website, as soon as the customer approved it, it could transfer those funds and do all this different kind of stuff. So you don't need to wait or you don't need to get, you know, all these different approvals. It's built in. And assume that something hits all those obligations, depending on what your contract is, then it'll automatically go and do whatever is stipulated in the contract.
Is there anything that concerns you that you're seeing out there in cybersecurity? There's a lot the podcast where we share.
So the main thing is, as popular as cybersecurity is right now, companies still are not taking it seriously. 90% of the time that we are called it is reactive instead of pro. It's, hey, I'm going to call someone once I have been attacked. And unfortunately, when it comes to cybersecurity, if someone gets your information, there's no putting that back in the bank. Once your information's out, it's out. For example, I was supporting a church here locally for some pro bono work. They said someone got into our software through our congregation, and they got everyone's, you know, Social Security numbers, and they got their addresses, emails, and they were texting the congregation, pretending to be the pastor, trying to get money. They called me and I straight up called them after I did the initial evaluation.
I said, you know, we can set you up from now on, get you some firewalls, you know, make you secure from now on, but we're not getting that information. Once it's out, there's no taking back. And so that's the problem with security, being reactive versus proactive. That's technical anyway, and not just cybersecurity, but any kind of IT thing. It's much easier and better to be proactive than reactive. Not only is it better for a company, but it's also cheaper. It's much cheaper to be proactive than having to deal with it at the time. And a lot of the time, it's exponentially so.
What's proactive? Our audience includes some eight, nine digit entrepreneurs, Amazon sellers, people that have global companies that are running different sectors. What is proactive look like? If they don't know how or what do they need to know to do to be proactive, what should that process look like?
So the first thing is you need to know what your vulnerabilities are as a business. There's nothing you're going to be able to do to know you have to partner with an expert in the field, whether that's, you need to have your website scanned for vulnerabilities, whether you need to actually have someone come in and audit your company. A lot of the time I talk to companies and what we recommend is to have a vulnerability scan of your infrastructure once a year. And most companies have never had one, or they have, you know, someone set up their, they're stuck by their internal IT team. And even as a managed service provider, I hire an external auditor to come in and audit my cybersecurity because I'm not all-knowing. We will miss things, just like any business will miss things. That's why it's always good to have an external company find your vulnerabilities.
Can you rely on where you have your website hosted? You have businesses that just host their website. They pay a certain organization, they host a website there. Who's handling the cybersecurity? How does that work?
Normally, your hosting provider will be secure to a certain extent. It depends on how big they are. For example, if you're at GoDaddy, AWS, you can be pretty sure that their networks are pretty secure. Does that mean you should not be doing a vulnerability scan for your website? No, because it's not only the underlying infrastructure, but it's the code in your website. There's vulnerabilities that come out every single day and so you absolutely need to still be wary. Now, if you're using a site that's not as well known and not as big of a company as say, GoDaddy, if you're using some of those like Wix and some of those kind of third party ones that you can make a website for kind of $10, $20, then you should definitely be a little more wary because they just, they likely don't have the underlying infrastructure such that GoDaddy or AWS has. But, yeah, so you need to be wary. But they will circulate to a certain extent.
So where does one look for an auditor? You just go and you just go online and look for a cybersecurity auditor. You have everybody listening. They need an external auditor. How do they go about locating a good one? How do they assess a cybersecurity or IT service auditor or what do they end up doing to get someone on board like yourself contact you, but you're not probably everywhere. Or are you? Help us figure that out.
Sure. So a manager veteran like Strategic IT Services. We support the US, Canada and the UK right now. And as we scale, that'll open up more as well.
So where are you located?
I'm located right in the middle of the US in Oklahoma.
Okay.
And so we can, we can support them and depending on the company and what their needs are, that can determine how we would go about that. I've had some companies where they, they are fully okay with going and having, you know, give me access to their systems and I would remotely actually go in and do a vulnerability assessment. I've had some companies that wanted me to go on site, so I flew either me or a member of my team out and we would do on site inspections as well. When it comes to cybersecurity, it's not just computers or networks that most people think. It could be physical access to the building. What kind of keypads do you use? Sometimes an on site inspection is warranted. Depending on the industry, they may need different mechanisms as well. So if you have someone, I'm sorry, if they're the flat, if you have someone in the healthcare field, for example, you know, they meet, may need us to do HIPAA compliance and compliance.
Which HITRUST is the technical side of HIPAA. It's how you have to support your privacy and for your clients. Most places have to be PCI DSS compliant, which is for credit card transactions. There's lots of different stuff. Depending on what kind of industry they're in, there might be a certain kind of compliance in addition to everything else that they have to be aware of.
It really walked into my next question. The different compliances that are out there, how is that impacted by the governances in different countries? So you have compliance issues, governance issues, then you have technology advancing, you have the different iris scans, and then you have hand scans, you have all these different technologies going forward. Is that some of the things that you offer in services, what are some of the recent clients that you've had that were really a challenge and how did you offer them solutions?
Sure, I have clients that are one person companies all the way to a couple hundred. And depending on the size of client, it is kind of what their needs are. For example, the mechanism that we use to support a large company that's based out of maybe one office or offices throughout the world, it can be a lot different than, for example, I have a client that's in a well logging business. He sends out his people, let's say they're working with an oil company. The oil company will dig a hole and they will have to send someone out and have their sensors put down. And that's where they measure is there groundwater there? Is there certain amount of oil? What other minerals could possibly be contaminating the area, or what's there? Maybe they could mine. I would have to make it so their laptops are secure, even while in the field. Supporting that is a lot different than supporting, say, moldboxes.
But it just kind of depends not only on the size of the business, but actually what they do for their business. Whether it's a field office in a data center behind a certain amount of infrastructure, or maybe they're mostly cloud based. I have some customers that run in almost exclusively in AWS, for example. So that support is going to be a lot different depending on the situation.
When you look at cybersecurity and everything that's taking place today, are there any concerns that you have that you'd like to express?
So, when it comes to cybersecurity, and we actually saw this during the CrowdStrike outage that happened worldwide maybe a month ago, maybe less, is businesses are not doing proper testing. What I always recommend, and this is kind of industry standard, is you should not have auto updates turned on. No matter the situation, you should have a development environment. And that is where you would push the update to first. And then as long as everything works and nothing breaks and you test it out and everything looks good, then you push it to either a test environment or a small section of your production.
Okay.
And then if something does happen, you have to roll back maybe ten servers, 100 servers instead of thousands in a small environment. It's called a phased deployment. If everything works in that small environment, then you can push it out to the rest if you have auto updates turned on. It's exactly what happened in the CrowdStrike. Think they pushed out a bad update? It took down. I mean, multiple airlines were completely grounded. You know, banks, you know, nobody could get their funds because most banks were in Windows and it was causing the Windows to blue screen. So it took down lots of different sectors.
You always need to have a test environment. I don't know what the percentage is, but I would say most companies don't have a test environment. They just roll stuff out. That's the main thing, not having a proper environment to roll this stuff out.
Let's talk to the solopreneurs and people who have laptops, like me. I got a new Microsoft, you know, for me to do everything I'm doing today. And I have auto updater.
Sure.
You're saying that folks like us should not be running around with auto update. That's how they had billions of devices is that correct? Everybody listening? Okay, so for those of us with this laptop, well, maybe I've got a few others, you know, back here. I'm really a Mac person when I came into the Microsoft world to do business. So for those listening, what do we do? The return portal updates off? What do we do? If you're the solopreneur, you have any recommendations for the solopreneur with a laptop like this?
Sure. So I would still recommend not turning on auto updates because as most people know, when the update comes out, there's always problems. So Microsoft has something called Patch Tuesday. And so basically one Tuesday a month, it'll, they'll go and they'll push out all these updates. And what I typically tell people, unless it is a radical update, you don't want to do it right away. You wait whether it's two weeks, a month, whatever the customer's comfortable with. So if they encounter some bugs they have time to fix. For example, if a company used CrowdStrike but they did not have updates turned on, this issue was fixed by maybe Monday, Tuesday.
And so if you didn't have auto updates turned on and you waited till the next week, you would not have seen any impact. So it's good to delay that. The thing I always harp on is backups. Always have a good backup before you run any updates, before you install any new software, you always want to take a good backup. That way if something does happen, you can just restore from the backup in your backup.
Okay, well, I'm doing that. I hope everybody else is. So therefore it's almost time to close. What would you like to share that we haven't discussed?
Cybersecurity does not have to be terribly expensive. Proactiveness is the best way to go. While you may not want to pay a monthly fee for managed IT services, you just have to remember that if you do that, then when something happens, there's no cost to go out and fix it. So you have a stable income where you actually can budget as a business. So you don't have, oh man, something happened. I have to drop $1,000. You know, something happened. It's a lot easier to budget as a business to do it that way.
And how do people reach you specifically?
Sure. So my website is the best way to reach me on strategic itservice.com and also they can call me at 405-953-3611.
What about LinkedIn? Are you available there?
Yes, we also have a business page on LinkedIn and Facebook as well.
Thank you for being on Pivoting To Web3 Podcast. Cybersecurity is important and all the technology and transformations we need to stay ahead of the game. Thank you. And we're shaping tomorrow together. Go to PivotingToWeb3Podcast.com to download and listen, or Web3GamePlan to check out the videos. Thank you. We're shaping tomorrow together.
CEO/Solutions Architect
Hi, I'm Steven Cook, the proud owner of Strategic IT Services, where we specialize in providing top-tier cybersecurity solutions. With a career spanning almost two decades in the IT industry, I've dedicated my professional life to safeguarding businesses from the ever-evolving landscape of digital threats.
My journey began with a deep fascination for technology and a passion for problem-solving. This led me to pursue a career in IT, where I quickly discovered the critical importance of cybersecurity. Over the years, I've honed my skills, gaining extensive experience in threat detection, risk management, and the development of comprehensive security strategies.
At Strategic IT Services, I lead a team of talented professionals who share my commitment to excellence and innovation. We pride ourselves on delivering personalized, cutting-edge solutions that meet the unique needs of our clients. Our mission is to empower businesses to operate securely and confidently in the digital age.
Outside of work, I am an avid learner, constantly staying updated on the latest advancements in cybersecurity. I believe in the power of proactive defense and strive to educate others on the importance of protecting their digital assets.
When I'm not immersed in cybersecurity, I enjoy exploring new technologies, engaging in RPG gaming, and spending time with my family and friends. My approach to life and work is driven by a strong sense of integrity, dedication, and a relentless pursuit of knowledge.
Thank you for taking the time to le…