“Have a strong password policy”, with Jason Remilard and Andrew Lassise


As a part of our series about “5 Things You Need To Know To Tighten Up Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Andrew Lassise.

Andrew Lassise is the chief dorkestrator of Rush Tech Support, an IT company that specializes in tech support and cyber security for accountants and small businesses. In 2020 Rush Tech Support was listed as an Accounting Today Top 100 VARs and one of The Manifest’s Top 100 Cyber Security Companies, and all of its technicians hold cyber security certifications with the AICPA. When he is not saving the world from hackers & malware, he enjoys traveling, cooking, and spending time with his wife, Emma, and two sons, Jack & Colby.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Ellicott City, MD in a family of four with pretty much everything I could ever want at my disposal. I always had an affinity toward computers and technology. My grandfather taught me basic DOS and I could run Sim City 2000 from a floppy disk from the command line. As I grew up, I learned more advanced computer skills by breaking and fixing the family computer and network. Through trial and error, computers became a very big passion of mine, but I never considered it as a career. My parents were both very successful in finance and I always thought that I would carry on the family tradition by being a certified financial planner when I “grew up.” I attended college and graduated with a BA in financial planning, following the formula, but in 2009, during one of the worst recessions in US history. It was from there that I decided to pivot and really dug into my passion for IT.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In 2013 I relocated to Florida from Maryland without a real plan, just needing a change and realizing that if I stayed in Maryland, nothing would ever change. I applied at multiple companies in the area and was referred by a friend to work at a sales job at a company I knew absolutely nothing about. I accidentally brought my “tech” resume to the interview, instead of my sales resume (with the very little experience I had). The company turned out to be a company that focused on tech support and cyber security. From there, I absolutely fell in love with the field and started consuming every piece of content I could about computers, malware, and how it all was intertwined with these computers we use every day.

After a few months at the job, I basically declared myself an escalation technician and was handling some of the larger, more complicated jobs. The company was growing super fast, and frankly, nobody really knew what was going on internally. So I just told my boss that I was an escalation tech now, and he didn’t dig into whether or not I was, just went with it and started handing me more complicated work. I became one of the go-to computer techs in a company of about 400–500 employees at that time. Some friends caught wind that I was excelling at my current job, and offered me an opportunity to help them build their own tech company from scratch. With some misgiving, I went in, and really was put to the test of handling all of the back end tech work and workflow processes of a small business. I quickly saw how the security measures that I was implementing were affecting the organization and how important it was to not just have all of our customer’s data floating around for others to steal. Looking out for the customers, the company, and everyone’s job became my obsession and I still continue that passion to this day.

Can you share the most interesting story that happened to you since you began this fascinating career?

The start up that I was working at eventually failed, but I made an agreement with the owner that I would continue to service his clients for free, and he could continue to collect monthly residual checks for 2 months while I worked to stop any refunds from happening. The end goal was after those two months, if the phone rang, I would update the customer’s billing information to my company, Rush Tech Support. That company had about 500 customers, and I was able to handle it all on my own, and things went very well.

I was later approached by a friend at the huge company I had previously worked at with an opportunity to service their 60,000 clients. I did not know how to do it, but I accepted, and we grew from me in my living room to 10 full time employees very fast.

I learned the calculation of customer lifetime value and saw what I was paying in commissions, which was very high at the time, but we were getting by. After succeeding with that 60,000 customer company, I was approached by a different company that also had 60,000 customers, but the seller didn’t want revenue share, he wanted money.

Knowing my numbers, I had calculated his list to be worth ~300,000 dollars, and while I didn’t have the capital I wasn’t willing to turn down the opportunity. I asked how much he wanted for the entire list, and he replied 600. My heart sank, as it seemed like he wanted double what I thought the list was worth and what I could afford. He then proceeded to text me, “cash is cool if you can do it” and then I realized he didn’t want 600,000 dollars, he actually meant 600.00 dollars. I jumped on the opportunity (of a lifetime in retrospect) and after 4 hours the list was paid for and the next year was almost free marketing for thousands of new customers.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

My director of operations, Bill Dougherty, has played a giant role in the success of Rush Tech Support. He was originally hired as a friend of a friend and I could tell in the beginning he was a hard worker. Most of the people in the company at that time weren’t the hardest workers, but at least showed up and the customers were happy, so I turned a blind eye to their shortcomings. The previous DOO was let go, and Bill was the only person in the office that showed up to work on time and consistently, so by default, he was awarded the position.

Little did I know, what he brought to the table was so much more than just being a hard worker. Within 6 months he managed to QUADRUPLE our sales, while barely increasing our costs. It was one of the best hiring decisions I ever made, and he is still with me to this day.

Are you working on any exciting new projects now? How do you think that will help people?

The big project and undertaking we are currently working on is our cyber security for accountants plan. There are hundreds of pages of regulatory law around cyber security that apply specifically to accountants. Similar to HIPAA, but with much less attention. We have curated an operating procedure that helps them become compliant, without breaking the bank, and we get to help their clients make sure that their customer’s financial data isn’t breached.

So much of what accountants do is compliance work, and they really understand the importance of what we do and bring to the table, so it is a great relationship for everyone involved.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I am extremely guilty of experiencing burn out from taking on too many shiny things at once and not really focusing on what has the greatest impact. As difficult as it is to disconnect, taking time away from the computer and email and Slack to be able to enjoy your life is something that I think is extremely overlooked in today’s hustle culture.

We used to have our cyber security company and a web design company. Some people thought that since we were good with computers we could also do art and marketing, which are so different, but the customers figured computers are all the same, so they asked and we said yes. I found myself extremely stressed all the time about the web design business, which wasn’t profitable and was bringing in about 5,000 dollars/mo in top line revenue. Meanwhile, Rush Tech Support was generating over 300,000 dollars per month and running itself. As much as it hurt to close the design business, it gave me the opportunity to focus on the important things and be able to discern what matters.

The difficult part is that when you remove one stressor, we have a tendency to fill it with something different. So setting boundaries of when you DO work and more importantly when you DON’T work, is crucial to avoid burn out. The built in deadlines force you to get things done that are important, while avoiding distractions that you know you can handle at a different time.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

  1. Cloud Offices: With COVID and the work from home movement in full force, I am very excited and petrified about what the future will hold for small businesses trying to adapt. Most just put band aids on their current in-office system and made it work remotely. The issue is, they don’t have proper security in place. This is similar to having a door on your house, but it is always unlocked. Yes, it is shut, and there is something in the way, but with 1 ounce of effort, someone can easily infiltrate these organizations and cause devastating issues. Most owners are not aware that these problems even exist, and I think there will be a huge shift in the conversation of cloud computing and working from home.
  2. IoT: Internet of Things has taken on a huge push in the last 5 years and it will only continue to grow. We were approached by a company a few years ago for a buy out that did IoT smart refrigerators in restaurants. What they did was track all food items’ expiration dates, and the specials menu would re-organize based on ingredients that were about to go bad, to minimize spoilage. Brilliant things are happening in that space, and it will only improve with time. The flip side is that with all of these devices connected to the internet, there are gaping vulnerabilities in many networks that, yet again, many are not aware exist. It will only come to their attention after it is too late. Securing IoT devices is another piece of cyber security that is new, fascinating, overlooked, and really needs more attention.
  3. Virtualization of Hardware: I think it is crazy that you can basically click a few buttons and essentially have enterprise equipment running, but it is all done through the cloud and doesn’t require physical infrastructure. My company at its peak had 50 employees, and now everyone works from home and I have 4 offices of equipment that I can’t even give away, let alone sell. If we had been working in an elastic virtual environment, we could simply click a button, and the enterprise hardware we spent thousands of dollars on that is now obsolete just wouldn’t exist, and the costs / storage are all gone. People are now going to be able to use very expensive equipment in a virtual environment where they get the exact same benefits of enterprise firewalls, etc. without having to come up with thousands of dollars and complicated installation. This makes securing a company more affordable than ever before!

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Companies MUST start taking a deeper look at their data protection policies; GDPR in the EU has a lot of best practices that we really need to adopt in the US. Your customer list has a price tag on the internet, and just because your organization is “small” does not mean that you will be overlooked in phishing attacks. With ransomware and a poorly set up office infrastructure, a temp employee could accidentally open one email and wipe out your entire company. This isn’t just something that “happens to other people, it won’t happen to me”; it is happening every single day and the money is getting larger and larger. Riviera Beach had to pay a 600,000 dollar ransom because of a poorly configured network. Employees are not downloading these things on purpose, and the phishing emails don’t say “click here for a virus”; they are very convincing, and that is why they are effective and very bad for businesses. Security awareness training is not a wasted cost, but an asset in defending your company from all the terrible things out there.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Unfortunately, we usually get calls from new customers after it is too late. “All of my customer’s information is on the dark web and I’ve been hacked, can you help get it back?” and sadly, there is little that you can do after the fact. These hackers are smart people / groups, and stopping something after it already happened is very difficult and extremely expensive with a fractional success rate.

On the other hand, our customers get stopped from being hacked every minute of every day. But so much goes on in the background that they don’t recognize the things that are going on. I’ve come to find, most people would rather pay us, have the peace of mind, and just look at a report each month of everything we blocked / fixed than to give them a red alert we did our job and saved you every minute of every day. If you have access to a business firewall with Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) you would see that all organizations are CONSTANTLY (literally, every few minutes) under attack. This doesn’t only apply to big organizations; we see it in small <5 employee offices too. If you are connected to the internet, you are at risk. It is so crucial to have an organization behind you that actually knows what they are doing. Just because your nephew is going to college for computer science, doesn’t make them an expert at cyber security — it just makes them better than most people. Unfortunately, you don’t find out if your current IT provider is any good until it is too late.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Syncro has become a favorite tool to monitor all of our customers’ machines for suspicious activity and to make sure that they are on the latest patches of Windows updates and that their 3rd party software isn’t leaving them vulnerable. While tech people may not consider it a “cyber security” tool per se, it is a great tool in management of devices and preventing the issues from happening in the first place.

I’ve recently become infatuated with pfSense, which is an open source firewall program. Think of it like Windows, but specifically designed for managing firewalls. From there, you can see all of the traffic that is flowing through an organization AND all of the things that are being blocked and protected. Packages like SNORT (which do IDS/IPS) are crazy when you first unravel how many attacks happen every day. Just like everything else in cyber security, prevention is KEY to having a successful set up. One data breach is too many, and catastrophic to your bottom line and reputation.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Just because you don’t have a large team doesn’t mean you can’t get this handled. At the same time, it is essential that you work with someone who knows what they are doing. Software is just a tool that can assist the professionals. You can go on Amazon and buy surgical scalpels for less than 20 dollars, but I highly doubt anyone is considering that as an option if you need to perform open heart surgery. The tools are nice, but it is knowing how to use them, and the mistakes that can happen if used improperly. The internet makes it seem very easy to do a lot of cyber security pieces, and it’s much more of a holistic practice that requires employee participation and training, not just a YouTube video and some experience with running Malwarebytes to remove a virus from your home PC.

Hiring an IT company or your own CISO is never something that is “once you achieve x now you need one” but I’d say as a general rule of thumb, if you think you might need one then you definitely do. It is far better to have a consultant check your current system, make suggestions on improvement and implementing than it is to have damage control after the fact.

At my house, for instance, we didn’t have security cameras until one day my neighbor asked if I saw the alligator that was on my front porch the previous night. The next day, I was installing cameras, making sure that my family was safe from any potential threats. The same goes for most small business owners: they wait until something bad, or possibly bad, happens to then do something about the situation. It costs so much less for prevention and peace of mind than it costs for clean up and damage control.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

  1. You are receiving strange responses from customers to messages that were not sent. We saw an instance of a hacker’s call center using a compromised company’s spoofed phone number to call their existing customers and ask them for money. They identified themselves as the company and it looked like it was coming from the company that was hacked. They discovered something was strange when they started getting a ton of calls from their customers saying “Hey, I’m calling back, I had a missed call from you guys” when the call didn’t actually happen on their side.
  2. There are a ton of “message failed to send” messages in your outbox, or there are filters set up in Outlook to automatically delete forwarded messages or to delete those “message failed” alerts so it doesn’t look conspicuous. Unrecognizable email filters are a simple one to check for, and they can have huge impacts. They can set up something like {when hacked customer sends email saying wire instructions} then {delete original message, and send customer hacker’s wire instructions on hacked company’s letterhead}. This happens a ton in the real estate, title, and mortgage industries.
  3. Your home page is different or you are getting pop up messages you didn’t used to get. There are browser hijackers that look like Google, but aren’t actually Google, and track your keystrokes. You can also see notifications such as “your computer has 534 registry problems, click here to fix” and it is mostly nonsense.
  4. Use websites like www.haveibeenpwned.com to see if a breach has already happened and if your information is already compromised. If so, immediately change any passwords associated with the findings, especially if you use the same passwords on multiple sites.
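The second sign above, a mailbox rule that quietly deletes bounces and forwards or ships mail to an outside address, is the kind of thing that is easy to audit mechanically. The following is an added example written for this page, not code from the interview or from Rush Tech Support. It runs a few heuristics over an exported list of inbox rules; the rule dictionaries, the field names, the `example.com` internal domain and the four sample rules are all constructed for the example, so adapt the field mapping to whatever your mail platform exports.

```python
import re

# Hypothetical: domains that count as "internal" for the forwarding check.
INTERNAL_DOMAINS = {"example.com"}

# Keywords attackers typically match on to hide their tracks: bounce notices,
# forwarded mail, and anything about money or credentials.
SUSPICIOUS_KEYWORDS = (
    "undeliverable", "delivery failed", "message failed", "fw:", "fwd:",
    "wire", "invoice", "payment", "password",
)
# Folders nobody looks at, used to park messages instead of deleting them.
HIDDEN_FOLDERS = {
    "deleted items", "rss feeds", "rss subscriptions", "archive",
    "junk email", "conversation history",
}


def _is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return the reasons this rule looks like attacker persistence (empty if clean).

    Rule shape (constructed for this example):
      {"name": str, "enabled": bool,
       "conditions": {"subject_or_body_contains": [..], "from_contains": [..]},
       "actions": {"delete": bool, "mark_as_read": bool, "move_to_folder": str,
                   "forward_to": [..], "redirect_to": [..]}}
    """
    reasons = []
    if not rule.get("enabled", True):
        return reasons
    conds = rule.get("conditions", {})
    acts = rule.get("actions", {})

    words = [w.lower() for w in conds.get("subject_or_body_contains", [])]
    keyword_hits = [w for w in words if any(k in w for k in SUSPICIOUS_KEYWORDS)]
    folder = (acts.get("move_to_folder") or "").lower()

    if acts.get("delete") and keyword_hits:
        reasons.append(f"deletes messages matching {keyword_hits}")
    if acts.get("delete") and not conds:
        reasons.append("deletes every incoming message")
    if folder in HIDDEN_FOLDERS and keyword_hits:
        reasons.append(f"hides messages matching {keyword_hits} in '{folder}'")

    targets = acts.get("forward_to", []) + acts.get("redirect_to", [])
    external = [t for t in targets if _is_external(t)]
    if external:
        reasons.append(f"forwards/redirects mail to external address(es) {external}")

    if acts.get("mark_as_read") and (acts.get("delete") or folder in HIDDEN_FOLDERS):
        reasons.append("marks mail read before hiding it, so no unread badge appears")

    # Attackers often name rules "." or "," so they are overlooked in the UI.
    if re.fullmatch(r"[.\s,_-]*", rule.get("name", "")):
        reasons.append("rule has a blank or punctuation-only name")
    return reasons


def audit_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name -> reasons for every rule that raised at least one finding."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule.get("name", "")] = reasons
    return findings


# Constructed sample export: two malicious rules, two legitimate ones.
SAMPLE_RULES = [
    {"name": ".", "enabled": True,
     "conditions": {"subject_or_body_contains": ["wire", "undeliverable"]},
     "actions": {"delete": True, "mark_as_read": True}},
    {"name": "Forward invoices", "enabled": True,
     "conditions": {"subject_or_body_contains": ["invoice"]},
     "actions": {"forward_to": ["billing@attacker-mail.test"]}},
    {"name": "Newsletters to folder", "enabled": True,
     "conditions": {"from_contains": ["newsletter@vendor.test"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": "Team alerts", "enabled": True,
     "conditions": {"subject_or_body_contains": ["[ALERT]"]},
     "actions": {"move_to_folder": "Alerts", "forward_to": ["ops@example.com"]}},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for r in reasons:
            print("  -", r)
```

Run the audit against every mailbox, not just the one that reported odd replies, and re-run it after any credential reset; a rule created by an attacker survives a password change unless someone removes it.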

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Many states have mandatory laws regarding alerting your customers and how breaches need to be handled. To protect themselves, they MUST change every single password in the organization. People underestimate the value of an email password. From an email, you can reset virtually any password that is attached to that email address, which makes it very attractive to someone trying to steal information. Hiring an outside agency to perform a penetration test would also be beneficial so you can tell where the breach came from and what should have been done in the first place to prevent it. Protecting customer data is so important, and that is where a lot of the value lies in hacking an organization. Strong passwords, multi factor authentication, and logs of who clicked what when will be vital in uncovering what has been stolen and how it happened. Advising customers of the breach is usually mandatory, but let them know what measures you are taking to correct the situation and let them know what might have been stolen. It is better that they know so they know what to look for.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

These laws are very important in the world of data security for the consumer. Most people don’t know the impact of simply filling out a form online. It shines a light on organizations that have been misusing customer data for years and hopefully brings awareness to the topic of information security. I believe that the data security laws will make work like ours more important than ever because compliance will force business owners to take it seriously.

I believe business in general, especially companies that utilize SaaS products, will have to be more deliberate in the information they collect about their customers and minimizing what is collected from “it’s nice to know everything about them” to “I need to know x, y, and z to get my job done and that’s all I’m collecting.” When you need to be transparent with your customers about how the data is used, it forces accountability from the business owner side, and empowers those who are doing business with organizations.

What are the most common data security and cybersecurity mistakes you have seen companies make?

  1. Thinking “I am too small, nobody will hack me” — sending a phishing email to small companies is just as easy as sending it to large companies. You click, ransomware infects the system, send bitcoin — easy money from sending to a list. It isn’t spear phishing going after the big guys, it is mass emails to thousands and hoping someone clicks.
  2. Waiting until it is too late. After a breach, not a ton can be done to remediate the damage. Especially, with reputation loss. An ounce of prevention prevents a pound of damage, and the costs are in the same proportion. It is a ton cheaper for a peace of mind penetration test, than it is to uncover how a data breach that already occurred happened.
  3. Not using 2-factor authentication. Yes it is inconvenient to type in a 6 digit code, or to click allow on your cell phone to get access to your files. But again, how many data breaches would you like to happen before it becomes important? There have been so many breaches where that single step would have saved a company thousands to millions of dollars in damage and it’s free to use.
  4. Re-using passwords for everything. There is free software like LastPass that generates complicated passwords, and saves them for you, so you only need to remember one unique hard password and that’s the end. Using the same password on website abc.com that you use at work.com can be terrible because if abc.com gets hacked, and someone has access to a password you use on everything — you are in a lot of trouble. If you share that password on a bank account, they can wire money out of your account, and when you make a fraud claim, the bank can say nobody reset your password, so they can only assume that you gave them access and you have no recourse.
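Mistake 4 above (and sign 4 in the earlier list) points at haveibeenpwned.com. Its Pwned Passwords service can be queried without ever sending the password or even its full hash: the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally (the k-anonymity range protocol). The example below is added here and is not code from the interview; the `api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` header are the real service's interface, while the canned response in the `__main__` block is constructed so the example runs offline.

```python
import hashlib
import urllib.request
from typing import Callable

# Real Pwned Passwords range endpoint; it takes a 5-hex-character SHA-1 prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (SHA-1 is what this lookup protocol keys on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """First 5 hex chars go to the service, the remaining 35 stay on the client."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padded entries come back with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times this password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Query the live service. Add-Padding hides the true result size from observers."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed stand-in for the service response for prefix 5BAA6; the first
    # suffix is the well-known SHA-1 of "password", the count is illustrative.
    CANNED = (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\n"  # padding entry
    )
    print("password  ->", pwned_count("password", lambda p: CANNED))
    print("long random passphrase ->", pwned_count("purple-otter-lantern-42", lambda p: CANNED))
    # To check against the real corpus instead, pass fetch_range_online.
```

The injectable `fetch_range` keeps the matching logic testable and lets you cache prefixes locally; with roughly a thousand hashes per prefix the cache stays small. Reject any candidate with a non-zero count at password-set time, and treat a hit on an existing credential as a reason to force a reset rather than just a warning.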

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

The uptick is gigantic, and it will only be increasing. Most organizations just put a band-aid on a bullet hole to get everyone out of the office and working from home. Once everything was back to “normal” they have all of their employees on their own network, with very little security and no standardized practice. The issue is that everything is fine until it’s not fine, and then you have a catastrophic disaster on your hands.

It’s not necessarily the business owner’s fault; I don’t blame them for not knowing or understanding the severity of weak security in their businesses. Many can make the argument that they have spent 0 dollars on cyber security and have had 0 issues so far, so they will continue spending 0 dollars until it becomes a problem.

The issue with this mindset, is that it requires an expensive, reputation damaging issue to happen before it becomes a priority. It only takes one employee getting infected one time to completely devastate the entire company. When you were in an office, you only had one spot to protect, you now have every computer at every house and every internet that all of your employees are on accessing your most private data. Many companies did not set up a proper VPN, or have things in place to connect in a secure way to the customer’s information. Most just have SaaS products, and figure the software will protect them and hopefully, everyone has a good enough password.

This will continue to get worse before it gets better. The headlines happen when large organizations get hit, but once SMB owners’ friends start having data breaches and they realize “this can happen to me too” there won’t be a huge new demand for it. In April / May, those who value it got it taken care of, but now it is the “new normal” and people need to understand that these threats are real and will happen to them. It’s not science fiction, it is real life and it happens every day.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Force 2 Factor Authentication on EVERYTHING. It is inconvenient, but it is one extra step that can be the difference between a data breach and nothing happening at all. Large companies, like Deloitte, could have avoided data breaches because one admin password was floating around and there wasn’t 2FA protecting the database. They then had to disclose to their customers that there was a breach and dealt with an onslaught of bad press and damage control. All for something that could have been avoided for free.
  2. Use a unique password on every single website, even not important ones. We saw a residential client who used the same password in her bank that she used on a website that was hacked. Her information was on the dark web for sale, and that same password worked to log in to her bank. Because there was not a password reset, the bank declared that the client gave access to the hacker, and it was their fault, and the bank didn’t cover the fraudulent wire.
  3. Have a strong password policy. We all have heard the use strong passwords, at least 8 characters, capital, lower, number, and symbol mixture on a non-dictionary word. The idea behind this, think of a bike lock where you spin the numbers to unlock the code. If each part of the code can be 0–9 then there are 10 possible combinations for that single digit (character) to be correct. If you use lowercase alphabet, the lock is basically 1–26 in one spot. Add capitals, now it is 1–52, add numbers it is 1–62, add symbols and it is closer to 1–80 for one single character to be guessed. Multiply that by 8 characters, and even the strongest computer will take years to brute force get in.
  4. Frequently check user policies and deactivate old employees. So many times we will onboard a new client, and go through the list of people who have access to their database, and they will inform us that the person was fired months or years ago, and they just never got around to removing their access. Ex-employees are usually not the happiest people, and if they can make money off selling your data, with their backs against the wall, especially with unemployment as high as it is, they may look into alternatives that they normally wouldn’t have in order to make money at your expense. The business owner is then the villain who did not protect their customer’s data, at the same time as they are a victim of a cyber crime. If you look at the Equifax data breach from a few years ago, they were the victims of a data breach, and have lost so much credibility and had to pay out restitution, and they were the ones who got attacked. There is more to the story obviously than just that, but it goes to show, there is no sympathy for the business that gets hacked.
  5. Insert “Dummy” data into all of your databases. A simple thing you can do is create a free email account that holds data of a made up person. For instance, you could create [email protected] with first name Andrew, last name QuickBooks, and set the phone number to either your personal number or a free voice forwarding service. That information should only be used internally, and if you start getting emails or phone calls from people using that information, you will know that your Quickbooks data has been breached. There are many ways to go about inserting dummy data, but if you start getting peculiar messages, you don’t have to wait for your customers to tell you something is going on; you can be in front of it before it gets bad.
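The bike-lock arithmetic in point 3 is a formula, keyspace = (alphabet size) ^ (length), and it is worth carrying through with actual numbers because the result depends entirely on how fast an attacker can guess. The example below is added here and is not code from the interview; it uses the alphabet sizes the interview gives (10, 26, 52, 62, and "closer to 80" with symbols; the full printable-ASCII set is 95) and takes the guess rate as an input, with the 1e10 guesses/second in the `__main__` block an assumed, illustrative figure for a GPU rig attacking a fast unsalted hash.

```python
import math

# Alphabet sizes from the interview's bike-lock analogy, plus full printable ASCII.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "alphanumeric": 62,
    "alnum_plus_symbols": 80,
    "printable_ascii": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters: n ** L."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password in bits: log2(keyspace)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average time to hit a random password: on average half the keyspace is tried."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


def crack_table(length: int, guesses_per_second: float) -> list[tuple[str, int, float, float]]:
    """(charset name, keyspace, entropy bits, expected years) for each alphabet at this length."""
    rows = []
    for name, n in CHARSETS.items():
        years = expected_crack_seconds(n, length, guesses_per_second) / SECONDS_PER_YEAR
        rows.append((name, keyspace(n, length), round(entropy_bits(n, length), 1), years))
    return rows


def length_needed(charset_size: int, target_bits: float) -> int:
    """Smallest length at which a random password from this alphabet reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


if __name__ == "__main__":
    # Assumed, illustrative rate: 1e10 guesses/s is the order of magnitude of a
    # multi-GPU rig against a fast unsalted hash such as NTLM or MD5. A slow,
    # salted hash (bcrypt, scrypt, Argon2) cuts this by several orders of magnitude.
    RATE = 1e10
    for length in (8, 12, 16):
        print(f"--- length {length} ---")
        for name, space, bits, years in crack_table(length, RATE):
            print(f"{name:20s} keyspace={space:.3e} bits={bits:5.1f} expected={years:.3g} years")
    print("lowercase-only length for 80 bits:", length_needed(26, 80))
    print("80-symbol alphabet length for 80 bits:", length_needed(80, 80))
```

Two things the table shows that the analogy alone does not: the exponent matters far more than the base (each extra character multiplies the work by the alphabet size, while adding symbols only scales it by 80/62), and the same keyspace can mean hours or centuries depending on the hash function behind it, which is why the storage side of the password policy matters as much as the composition rule.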
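Point 5 describes a canary (honeytoken) record. The practical refinements are to make the fake identity unguessable, to plant a different one in each datastore so a hit tells you which system leaked, and to check inbound contacts against the planted identities automatically. The example below is added for this page and is not code from the interview; the `example.com` mail domain, the `andrew.<datastore>.<tag>` naming scheme and the sample inbound events are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical: a mail domain you control, where the canary mailboxes live.
CANARY_MAIL_DOMAIN = "example.com"


@dataclass(frozen=True)
class Canary:
    datastore: str  # the system this fake contact was planted in
    email: str
    phone: str


def make_canary(datastore: str, mail_domain: str = CANARY_MAIL_DOMAIN,
                tag: Optional[str] = None) -> Canary:
    """Build a fake contact whose email and phone are unique to one datastore.

    `tag` is random by default so the address cannot be guessed from the naming
    scheme; pass a fixed tag only when you need reproducible output.
    """
    tag = tag or secrets.token_hex(4)
    local_part = f"andrew.{datastore.lower()}.{tag}"
    # 555-01xx is reserved for fictional use in North American numbering, so a
    # canary phone can never collide with a real customer's number.
    phone = f"555-01{int(tag, 16) % 100:02d}"
    return Canary(datastore, f"{local_part}@{mail_domain}", phone)


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def scan_events(canaries: list[Canary], events: list[dict]) -> list[tuple[str, dict]]:
    """Return (datastore, event) for every inbound contact that used a canary identity.

    Event shape (constructed for this example): {"kind": "email" | "call",
    "target": address the mail was sent to / number that was dialled, ...}.
    """
    by_email = {c.email.lower(): c.datastore for c in canaries}
    by_phone = {_digits(c.phone): c.datastore for c in canaries}
    hits = []
    for ev in events:
        if ev.get("kind") == "email":
            ds = by_email.get(ev["target"].lower())
        elif ev.get("kind") == "call":
            ds = by_phone.get(_digits(ev["target"]))
        else:
            ds = None
        if ds:
            hits.append((ds, ev))
    return hits


# Fixed tags so the sample run is reproducible; in production leave tag=None.
CANARIES = [
    make_canary("QuickBooks", tag="00000007"),  # -> andrew.quickbooks.00000007@example.com, 555-0107
    make_canary("CRM", tag="0000002a"),         # -> andrew.crm.0000002a@example.com, 555-0142
]

# Constructed inbound events: one cold email to the QuickBooks canary, one
# call to the CRM canary number, one normal customer message.
SAMPLE_EVENTS = [
    {"kind": "email", "target": "Andrew.QuickBooks.00000007@example.com",
     "from": "promo@unknown-sender.test", "subject": "Your account needs attention"},
    {"kind": "call", "target": "(555) 014-2", "caller_id": "+1 202 555 0199"},
    {"kind": "email", "target": "jane@example.com", "from": "client@partner.test",
     "subject": "Re: March invoices"},
]

if __name__ == "__main__":
    for datastore, ev in scan_events(CANARIES, SAMPLE_EVENTS):
        print(f"ALERT: canary from {datastore} was used: {ev}")
```

Keep the list of planted identities out of the datastores themselves (otherwise the attacker gets the key along with the data), and record which canary went into which export or backup if you hand data to third parties; a hit then also tells you which copy walked.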

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Stop thinking “A data breach won’t happen to me” and shift the focus to “I know a data breach CAN’T happen to me because I have taken these steps to ensure it CAN’T happen.”

How can our readers further follow your work online?

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Thank you so much for giving me the opportunity to share my knowledge with those who can benefit from it.
