Josh Wathen, COO of Triad InfoSec and former Green Beret, joins Craig Andrews to sound the alarm on a growing leadership challenge: cyber resilience. In a world where ransomware is a billion-dollar business and hackers operate in full-fledged corporate teams, Josh breaks down why small businesses are soft targets—and how leadership complacency can be fatal.
He shares hard-earned insights into the psychology of cyber threats, the high failure rate of insurance claims, and why reactive security costs 10x more than prevention. Josh outlines a leadership approach rooted in responsibility, training, and smart risk transfer. His advice? Stop assuming you're safe. Get real, get proactive, and lead by example.
Want to learn more about Josh Wathen's work? Check out their website at https://triadinfosec.io.
Connect with Josh Wathen on LinkedIn at https://www.linkedin.com/in/joshua-wathen/.
Key Points with Timestamps
- 00:51 – Introduction of Josh Wathen and his roles
- 01:30 – Why small businesses are major cyber targets
- 02:22 – Pain-driven decision-making in cybersecurity
- 03:05 – Real-world ransom examples: food trucks, dry cleaners
- 04:04 – The hidden danger of ransomware insurance
- 05:21 – Hackers now operate like global enterprises
- 06:51 – “Drive-by” cyberattacks and their dangers
- 08:21 – Sophisticated phishing and long-term system breaches
- 09:47 – Why off-network backups are critical
- 10:22 – SIM tools and the “garden” metaphor for business systems
- 11:40 – The emotional toll of seeing businesses fail post-breach
- 14:07 – No system is impenetrable; leaders must prepare for breach
- 15:02 – Insurance isn’t optional—it’s part of smart leadership
- 16:12 – Being harder to hack than your neighbor matters
- 17:18 – 80–90% of breaches come from human error
- 18:03 – Why brute force attacks crush weak passwords
- 19:23 – Use password managers; avoid browser-based storage
- 21:08 – Lessons from Craig’s coma on access and resilience
- 22:15 – Cybersecurity is wealth protection, not just IT hygiene
- 24:09 – Leadership means enforcing secure policies company-wide
- 25:26 – Josh’s three-part leadership checklist for cyber defense
- 27:04 – Why many businesses with insurance still close down
- 27:32 – How to connect with Josh and get help from Triad InfoSec
Transcript
00;00;00;00 - 00;00;30;20
Craig Andrews
I was in a coma for six weeks while the doctors told my wife I was going to die. When I woke up, she told me the most fantastic story. My team kept running the business without me. Freelancers reached out to my team and said, we will do whatever it takes. As long as Craig's in the hospital. I consider that the greatest accomplishment in my career.
00;00;30;23 - 00;00;51;10
Craig Andrews
My name is Craig Andrews and this is the Leaders and Legacies podcast where we talk to leaders creating an impact beyond themselves. At the end of today's interview, I'll tell you how you can be the next leader featured on this show.
00;00;51;10 - 00;01;02;15
Craig Andrews
Today I want to welcome Josh Wathen. He is a former Green Beret. He is currently the chief operating officer of Triad InfoSec. It's a
00;01;02;15 - 00;01;07;08
Craig Andrews
veteran owned cybersecurity business. He's also the owner of,
00;01;07;08 - 00;01;07;27
Craig Andrews
Dukes for,
00;01;07;27 - 00;01;10;14
Craig Andrews
for this consulting. And,
00;01;10;14 - 00;01;14;11
Craig Andrews
he's on the board of advisors for owners in honor.
00;01;14;11 - 00;01;15;17
Craig Andrews
Obviously,
00;01;15;17 - 00;01;21;08
Craig Andrews
Josh focuses a lot on veterans and veteran owned businesses.
00;01;21;10 - 00;01;21;28
Craig Andrews
And,
00;01;21;28 - 00;01;28;08
Craig Andrews
we're going to be talking about something that, you know, we were just Josh and I were just talking about in the green room.
00;01;28;08 - 00;01;32;20
Craig Andrews
So many small businesses feel like they're not a target of,
00;01;32;20 - 00;01;39;19
Craig Andrews
cyber attacks. You know that that's not something they have to worry about. That that's something the big businesses have to worry about.
00;01;39;21 - 00;01;49;01
Craig Andrews
And it's just not true. And the challenge is getting the message out there in a way that's not just fear based,
00;01;49;01 - 00;01;52;24
Craig Andrews
but to reality. So if you own a business,
00;01;52;24 - 00;01;55;06
Craig Andrews
or you're in the senior role in the business,
00;01;55;06 - 00;02;03;03
Craig Andrews
listen into this. Because you are a target. Probably more so than you realize. So, Josh, welcome.
00;02;03;06 - 00;02;05;23
Josh Wathen
Thanks for having me. Pleasure to be here.
00;02;05;25 - 00;02;22;04
Craig Andrews
Yeah. You know, and we were. Yeah, we were talking about it. It's it's so hard. At least from my experience, it's so hard to sell anything in the cyber security space because it's. It feels like you have to really scare people.
00;02;22;07 - 00;02;22;20
Josh Wathen
Death.
00;02;22;20 - 00;02;32;17
Josh Wathen
People don't move unless there's pain. I think that that's that's true. Even if there's pain from a friend or personal situation, know
00;02;32;17 - 00;02;45;22
Josh Wathen
that's really what gets people to move in a direction. And cybersecurity is often viewed as just a strictly a cost center. So that makes it rough when people are trying to grow their revenue and increase their profits.
00;02;45;23 - 00;02;59;03
Josh Wathen
And looking at more expenses for resilience can be a hard decision to make. Yeah, the doesn't mean it's the wrong one, but it's it's got to be a budget focused conversation to make sure it's affordable.
00;02;59;05 - 00;03;00;07
Craig Andrews
You know, and I've,
00;03;00;07 - 00;03;05;19
Craig Andrews
I've done some work in this area and I've, I've sat in a room with a major insurer,
00;03;05;19 - 00;03;22;24
Craig Andrews
with my client that was, was a broker and listened to some of the stories, you know, and I heard stories about, like, a, a food truck that had a cyber security breach. I heard about a dry cleaner, just a not a big chain of dry cleaners, just a dry cleaner that got ransomed.
00;03;22;24 - 00;03;40;12
Craig Andrews
And if you think about it, you have like a thousand garments on the rack somewhere. You have no idea where they are because all the information's in the computer. And if you're going to get your customers or garments, you got to you got to do something. You got you pay the ransom. I don't know what what what do you do in that situation?
00;03;40;12 - 00;03;42;27
Craig Andrews
If you were if you were advising that,
00;03;42;27 - 00;03;51;11
Craig Andrews
that dry cleaner that just got ransomed and people need to pick up their garments. What would be your advice?
00;03;51;13 - 00;04;04;22
Josh Wathen
Well, for that particular situation, hopefully they have some sort of backup system. Hopefully their data's stored at a non-network location to where they can reboot a laptop or at least understand where everything's at.
00;04;04;22 - 00;04;17;07
Josh Wathen
They've got a written incident response plan. First question I always ask is, do you have insurance? Coincidentally enough. It's kind of chicken and the egg with cyber insurance.
00;04;17;07 - 00;04;39;04
Josh Wathen
And the rise in ransomware insurance is essentially the venture capital arm of hackers, because 20 years ago, a hacker would come in and ask for five grand and be hopeful that they would get it. Now they can come and ask for half a million, because they're banking that you have an insurance policy that's going to pay their. Wow.
00;04;39;06 - 00;05;03;04
Josh Wathen
Yeah, that's that's the hard part of of the retroactive fix as it's, it's ten x what it will cost you if you do it proactively because of the ransomware, the issue that you've been breached. So the premiums that you're, you know, the hike in the premiums you're going to get to now get insurance, all of this stuff to actually fix it through forensics, if that's what you want to do.
00;05;03;06 - 00;05;21;24
Josh Wathen
And then you put everything in place for policy. It can be a really big list. So having an insurance policy, having a little bit of cash reserves, having some solid backup plans in security 101 is just an interesting environment. Yeah.
00;05;21;26 - 00;05;54;23
Craig Andrews
You know, one of the things I heard that just really helped me understand why it's so prevalent. There's I mean, they're there, like software development centers. These aren't like, some hacker with greasy hair in his basement who's writing this ransomware. These are actually companies with teams of developers, and they they essentially sell. They have, like, an affiliate program where they provide their ransomware for, for the guy in the basement to, penetrate the system.
00;05;54;25 - 00;05;58;20
Craig Andrews
And when they pay the ransom, they just get a cut of the action.
00;05;58;22 - 00;06;08;17
Josh Wathen
Yeah. It's it's it's even more involved in that word. It's it's a full enterprise in other countries. Now there's, there's, I don't know, in any country that,
00;06;08;17 - 00;06;11;00
Josh Wathen
extradited one of their citizens because,
00;06;11;00 - 00;06;23;02
Josh Wathen
they hacked a foreign company. Wow. And so the with the anonymity there, and, you know, there are certain countries that we're not too friendly with, and it's an economic warfare.
00;06;23;09 - 00;06;51;16
Josh Wathen
So they are incentivized to have this activity happen. So, you know, it's think instead of a guy in a hoodie in his mom's basement, it's 15 story building, fully staffed. This is how they make their money. It's it's a multi-billion dollar it's not $1 trillion industry because it's just the new wave of theft. No longer do you have to physically break in to get anything.
00;06;51;18 - 00;07;13;29
Josh Wathen
Have your face on a camera. You can go in through the back door. All I got to do is get somebody to you. Don't even think you need to click a link anymore. There's websites where it's called drive by attack. If you just visit that website, by putting that URL in there in your system, you've really got to be careful and deliberate about what you're doing.
00;07;14;01 - 00;07;24;11
Josh Wathen
You know, and it is the key to security that pays, is what makes all the difference.
00;07;24;14 - 00;07;29;21
Craig Andrews
You know, one of the emails, I'm sure you've gotten these emails. I used to get them,
00;07;29;21 - 00;07;41;10
Craig Andrews
before, but as I get this email saying, oh, you know, you don't know this, but we hacked into your system, gained access to your camera, and we caught you doing naughty things and,
00;07;41;10 - 00;07;45;13
Craig Andrews
if you don't send us this much Bitcoin, then we're going to expose you.
00;07;45;15 - 00;08;01;19
Craig Andrews
And the funniest one I got was I have one come through like November December of 2021. And it said oh we hacked into your system in October of 21 and we caught you doing naughty things.
00;08;01;19 - 00;08;08;08
Craig Andrews
I was in the hospital then learning how to walk again. I was like, I don't even have the strength to do naughty things.
00;08;08;08 - 00;08;10;07
Craig Andrews
I wish I did.
00;08;10;09 - 00;08;21;18
Josh Wathen
Yeah. Yeah. They'll say anything. And, you know, the I think our misconception is that a hacker will get into your system and immediately attack, and it's it's more of a,
00;08;21;18 - 00;08;33;27
Josh Wathen
recon and raid strategy. So a real attack is perfectly timed because they've been in your system for six months. Read all your emails, understand your habits, understand who talks to you.
00;08;33;27 - 00;08;58;01
Josh Wathen
And so then you take AI as a tool to make sure there's no grammatical errors. Do deep research on who they are pretending to be, and all of a sudden the phishing attack is extremely sophisticated. So, you know, you get an email from your boss, trust, but verify. Yeah. Pick up the phone and call or send an email back to them.
00;08;58;03 - 00;09;01;03
Craig Andrews
Well, that was the case with the SolarWinds attack.
00;09;01;03 - 00;09;10;28
Craig Andrews
And, I mean, they had been in the system for months and months and months. I mean, how how long was it from the time they gained access to the time it was discovered?
00;09;11;01 - 00;09;19;12
Josh Wathen
I don't know for sure. But that's pretty typical, I think. The average is sitting between 140 and 190 days.
00;09;19;12 - 00;09;25;13
Josh Wathen
In a system depending on which statistical report you read. And it's quite one.
00;09;25;15 - 00;09;47;19
Craig Andrews
So what's that mean in terms of backup strategy? If they're in there for, you know, at least six months before you realize they're in there. How do you have how do you do backups there? You know, kind of like in the case of that dry cleaner, how do you have a backup that's relevant? If you do get ransomware?
00;09;47;21 - 00;09;49;01
Josh Wathen
Yeah. You got to back it up to,
00;09;49;01 - 00;09;57;26
Josh Wathen
something that's not connected to the network. And the key is to console or scan. So there's different tools out there,
00;09;57;26 - 00;10;12;08
Josh Wathen
where we can, you know, you can do a vulnerability scan to test and see where likely breaches would occur. You can do a penetration test, which is essentially hiring white hat, white hat hackers to come in and breach your system.
00;10;12;10 - 00;10;15;09
Josh Wathen
That's more preventative. Then they have things called,
00;10;15;09 - 00;10;22;03
Josh Wathen
a tool called a SIM. Best way for me to understand this is if you look at your business like a garden,
00;10;22;03 - 00;10;27;28
Josh Wathen
a vulnerability scan will look at which gates are unlocked. Which fence is too low.
00;10;27;28 - 00;10;31;00
Josh Wathen
Can we dig underneath the fence? Things like that. Whereas a SIM
00;10;31;00 - 00;10;51;07
Josh Wathen
will look at the microscopic level of every blade of grass and every leaf inside the garden. That is your business. And if there is a bug or a piece of fungus or something dying or a weed, it also opens an alert so that you could check that and see if it's actually a bad actor inside the system. Yeah.
00;10;51;07 - 00;10;58;27
Josh Wathen
It's that type of tracking that you got to have, and there's different ways to backup your information,
00;10;58;27 - 00;11;01;17
Josh Wathen
so that it goes through filters and mines off site.
00;11;01;20 - 00;11;17;06
Josh Wathen
But even then, you throw stuff into a backup and an external hard drive and unplug it. If you experience a breach that needs to be scanned before it gets plugged back in to make sure that it wasn't loaded with some sort of encryption or,
00;11;17;06 - 00;11;20;02
Josh Wathen
you know, time delay device.
00;11;20;04 - 00;11;40;06
Craig Andrews
Makes sense. So you were telling me the one of the saddest moments in in operations is when you get a phone call. You get a phone call and you realize that, you know, the problem's bigger than they know it.
00;11;40;09 - 00;11;53;25
Josh Wathen
Yeah, it's the, you know, the small businesses, especially when they've been around for ten years, like ten, $15 million a year. We'll get calls every once in a while to see if we can help.
00;11;53;25 - 00;12;09;04
Josh Wathen
Because we're kind of like a general for hire. So we've got different spec ops teams and armies that we can reach out to for, for different things that you need and we'll sit on some of these calls and, you know, company just got locked out of their system.
00;12;09;06 - 00;12;37;26
Josh Wathen
They don't have insurance. They don't know what they can access, because if they open the door, they might it might get worse. And so typically on those calls, you know, we're going through the motions of let's help, let's give you the resources. But I know that if you don't have insurance and you have a half million dollar ransom and your whole network is compromised, you're looking at $1 million left and you're probably going under,
00;12;37;26 - 00;12;40;20
Josh Wathen
and it's just it's heartbreaking to sit on a call like that.
00;12;40;26 - 00;12;51;15
Josh Wathen
And see the frantic ness and kind of know that this is probably not going to work out. You're probably going to have to close your business and just sell your assets.
00;12;53;10 - 00;13;24;03
Josh Wathen
And, you know, inevitably 3 or 4 days later, that that tends to be the conversation was how it would go about. So let's take down. When it's sad, you know, it's it's really sad. Running a business is hard. And it turns into your life's work. You know, I'm a military guy and come through a lot, and it's still like, it'll make you want to cry when you see somebody suffering like that.
00;13;24;06 - 00;13;25;15
Josh Wathen
It's it's like,
00;13;25;15 - 00;13;26;06
Josh Wathen
it's like seeing
00;13;26;06 - 00;13;33;15
Josh Wathen
somebody on the battlefield that, you know, is bleeding out, and they don't know yet, but it's over. It's rough.
00;13;33;17 - 00;14;07;07
Craig Andrews
Well, wow. Well, the picture. So. What? I guess one question I have, I mean, and maybe this is wrong thing on my part, but my guess is it's impossible to build a system that's, you know, that can never be penetrated, that it's just there's just too much creativity. There's too much in flux. And so
00;14;07;07 - 00;14;15;21
Craig Andrews
what's the is there a mindset of okay, we know we'll, you know, we know we'll be penetrated.
00;14;15;23 - 00;14;23;28
Craig Andrews
And here's our plan for when that happens. Or is it more of a plan of let's just make sure we're never penetrated. How do you guys approach that?
00;14;24;01 - 00;14;27;08
Josh Wathen
Yeah, you're right. There is no 100% resiliency.
00;14;27;08 - 00;14;33;21
Josh Wathen
So the overall strategy, regardless of the company size or industry, is reduce the risk,
00;14;33;21 - 00;14;43;29
Josh Wathen
as much as tolerable for the budget. And then you take the remaining risk and try and compartmentalize it as much as possible so that you're working in some sort of,
00;14;43;29 - 00;14;45;23
Josh Wathen
different access levels, right?
00;14;45;24 - 00;15;02;27
Josh Wathen
Rings of protection. And then you take all that remaining risk and you also add it to an insurance policy that, well, covers that. And it should cover not only the cost of the ransomware, it should cover the cost of the forensics. It should cover the cost of the rebuild. It should cover the cost of brand management.
00;15;02;27 - 00;15;08;04
Josh Wathen
Because you may have to notify your clients or your end users that their data was breached.
00;15;08;11 - 00;15;16;29
Josh Wathen
And so all of that marketing efforts should be covered under the insurance policy as well. And so it's a question of risk reduction,
00;15;16;29 - 00;15;17;18
Josh Wathen
versus
00;15;17;18 - 00;15;24;19
Josh Wathen
transferring that risk to a policy. And it's an ongoing effort to not only make sure the resiliency works,
00;15;24;19 - 00;15;37;11
Josh Wathen
but to improve it and then to continually have conversations with your insurance provider about the underwriting for your business and say, if we can do X, Y, and Z beyond the minimum requirements, what does that do to our premiums?
00;15;37;16 - 00;15;44;23
Josh Wathen
So now you're able to have a a board worthy conversation about the resiliency that you're trying to put in place.
00;15;44;26 - 00;15;47;18
Craig Andrews
Yeah.
00;15;47;18 - 00;15;50;05
Craig Andrews
So what about you know, there's a concept I call it the,
00;15;50;05 - 00;15;58;12
Craig Andrews
the, you know, the padlock you put on the shed in the back. Yeah. Those locks are easily penetrated. I mean, they're,
00;15;58;12 - 00;16;12;13
Craig Andrews
but they stop. Most people. And is there a concept there where, you know, maybe the maybe the goal is just to be harder to penetrate than somebody down the street.
00;16;12;16 - 00;16;24;08
Craig Andrews
You know, somebody who left the shed open versus somebody who put a padlock on the shed. The criminal's going to go to the shed that's open. Is there that concept in cybersecurity?
00;16;24;11 - 00;16;25;19
Josh Wathen
Yeah, kind of,
00;16;25;19 - 00;16;32;06
Josh Wathen
there the the bad actors are scanning all the businesses all the time, right? Trying to figure out how to get it.
00;16;32;06 - 00;16;48;18
Josh Wathen
The scalability is crazy. So you've got to understand that, that they can check tens of thousands, if not hundreds of thousands of locks simultaneously. So really, the the lock in this case is the infrastructure that we put in place.
00;16;48;21 - 00;17;18;21
Josh Wathen
And then the weakest link part of this is the people. So if the if the network is pretty secure, the the easiest way to get in is to socially engineer somebody in the company to have them grant you access. So it's, that's, that's the weakest link. I would say again it depends on what you read. But 80 to 90% of breaches are caused by a human from inside the company.
00;17;18;24 - 00;17;29;18
Craig Andrews
I've seen a list before of the most popular passwords that are used. I mean, it's shocking. What are some of the ones that you've seen? And I'm sure you've seen the same list.
00;17;29;21 - 00;17;35;00
Josh Wathen
Well, you know, password is the most commonly,
00;17;35;00 - 00;17;40;00
Josh Wathen
commonly breached password, I would say, because it's, you know, or some variation of that. Right.
00;17;40;00 - 00;17;55;15
Josh Wathen
There. And a lot of people don't even change the stock password. Right. There's a lot of, you know, if you get a security panel done, your house for an alarm system, the stock password's usually 123456.
00;17;55;17 - 00;17;58;23
Josh Wathen
Yeah. There's tons of people that I'll change it.
00;17;58;23 - 00;18;03;22
Josh Wathen
And then just weak passwords. A brute force attack is essentially taking a,
00;18;03;22 - 00;18;14;13
Josh Wathen
computer to try every single password over and over and over again. So if your password is six characters without a whole lot of variance, it doesn't take that long for
00;18;14;13 - 00;18;16;18
Josh Wathen
the computer to crack that thing.
00;18;16;20 - 00;18;23;18
Josh Wathen
That's why they recommend, you know, 20 characters with every single variation that you can possibly use at random.
00;18;23;18 - 00;18;37;18
Josh Wathen
Because then it becomes a, a time problem to where it's going to take years and years and years to break that password. So it's the it's the password is complex enough to where it'll take two years to break it.
00;18;37;18 - 00;18;48;09
Josh Wathen
And you change that password every six months. Then the statistical likelihood that that's going to be broken from the brute force attack is really, really low.
00;18;48;12 - 00;18;53;11
Craig Andrews
How about if you have a really good password that's a strong password.
00;18;53;11 - 00;18;56;26
Craig Andrews
Should you use that across all of your different logins.
00;18;56;28 - 00;19;23;25
Josh Wathen
No, no. Because one one password breach means no, don't have access to everything. That's where the compartmentalization that's one step in compartmentalization is if I've got a different complex password for every single thing I log into, then there is no, you know, going from one system to the next. If it requires a login every time. And that's where password managers make this actually achievable.
00;19;23;27 - 00;19;34;11
Josh Wathen
Right. Because you've got one password manager with a master password, you attach that to everything you got and it opens everything up based on the,
00;19;34;11 - 00;19;44;05
Josh Wathen
the difference in passwords. And it'll auto generate those and save them for you. And then you just rotate your master password, make sure it's written down on a piece of paper somewhere that's locked
00;19;44;05 - 00;19;49;22
Josh Wathen
on a postal code, stuck to your computer or on your desk.
00;19;49;24 - 00;20;06;08
Craig Andrews
You know, one of the things I ran into. So I've been using a password manager for, I think I started using it in 2016. And you know that for me, it was I had a client that asked us about where security measures were, and I was like, you know,
00;20;06;08 - 00;20;12;21
Craig Andrews
and I had a I had a spreadsheet on the network drive with our passwords and,
00;20;12;21 - 00;20;15;20
Craig Andrews
and so,
00;20;15;20 - 00;20;24;24
Craig Andrews
I whenever I started using one of the password managers and I thought I had done all of I thought I had done everything right.
00;20;24;26 - 00;20;26;08
Craig Andrews
I had somebody,
00;20;26;08 - 00;20;30;08
Craig Andrews
had family member that had access to,
00;20;30;08 - 00;20;47;03
Craig Andrews
you know, had admin access to that and could access all the passwords. And I told them, I said, hey, you know, just so you know, you have this and he and required him to sign in and what have you. Well, when I went in my coma in 2021, he forgot about that.
00;20;47;05 - 00;20;50;01
Craig Andrews
And so all of a sudden that broke down,
00;20;50;01 - 00;21;08;01
Craig Andrews
and he didn't know how to do it. He managed to find that old spreadsheet that had on the network. And it's still there were a couple passwords that were still valid. And he used, you know, he was able to use that to log in to a few things. But for me, it was a real wake up call.
00;21;08;01 - 00;21;17;02
Craig Andrews
And I've since taken some measures to to overcome that point of weakness.
00;21;17;04 - 00;21;33;16
Josh Wathen
Yeah. I mean, this that you can't beat. Write it down, put it in a fire. Fireproof safe. Yeah. Right. Because then it's if something happens on the the person that knows where the key is that you trust can go in and grab that thing,
00;21;33;16 - 00;21;39;15
Josh Wathen
and, and get access. Right. Or, you know, the worst comes to worst, your spouse has to grab it because you're no longer here.
00;21;39;15 - 00;21;55;07
Josh Wathen
She can get access to everything, especially, you know, everything's in there, right? For old banking information or financial information, how are you going to sell a company if you don't have access? And how are if they're not written in on the bank account and you're not there to cosign? Thank you. Now you've got
00;21;55;07 - 00;21;56;18
Josh Wathen
everything that goes into probate.
00;21;56;19 - 00;22;15;01
Josh Wathen
You're going to wait forever, and the business is going to die down, and it's not going to be worth business. Resiliency doesn't doesn't stop with cyber. It goes into everything that you plan for so that you can, you know, turn on a dime. That's that's what makes it really wealth management as opposed to just,
00;22;15;01 - 00;22;17;14
Josh Wathen
right now money creation.
00;22;17;16 - 00;22;21;29
Craig Andrews
Yeah. Well, I think one thing that people don't realize,
00;22;21;29 - 00;22;35;04
Craig Andrews
and there's, there's somebody in my life that I keep saying, please don't use the same password, you know, everywhere. Because what, what people don't realize is,
00;22;35;04 - 00;22;43;10
Craig Andrews
they'll hack some system where you have that, that password on one that, and then it's real easy. They just like, well, I wonder where they bank.
00;22;43;10 - 00;22;54;20
Craig Andrews
Well, how many banks are there in the U.S? You know, and you just go in and you start taking their email and, and that password and next thing you know you're in their bank account.
00;22;54;22 - 00;23;06;14
Josh Wathen
Yeah. I mean the worse is, is people using the Google Chrome to save everything because it's in your browser. All I got to do is get a new Gmail and I've got everything. Not only do I have,
00;23;06;14 - 00;23;19;21
Josh Wathen
all of your passwords, but more than like 90% of your multi-factor authentication is going into your email. So when I go to log in is it sends me a push notification, it's going to go straight to your Gmail.
00;23;19;21 - 00;23;22;12
Josh Wathen
And I'm going to get that six digit code to put in. And
00;23;22;12 - 00;23;41;17
Josh Wathen
and everything. Right. So again compartmentalize those efforts. Have your stuff go directly to your cell phone, have a password manager that's encrypted, that's separate from everything else. Don't save stuff in your browser. You know, I have some notifications that'll go to
00;23;41;17 - 00;23;46;23
Josh Wathen
one email. Some will go to a different, some that'll go to apps on my side, some that'll send me text messages to.
00;23;46;23 - 00;24;03;09
Josh Wathen
So it's not the same across the board. And it's all pretty easy, right? Anytime you get one of those notifications, it's going to say, I sent this to this. So it's I don't have to remember. It's my my brain is not good enough these days to remember all that stuff.
00;24;03;09 - 00;24;07;12
Josh Wathen
But I can set it up so that it helps me out and stay secure.
00;24;07;14 - 00;24;09;15
Craig Andrews
Yeah.
00;24;09;15 - 00;24;20;26
Craig Andrews
You mentioned that the people are always the weakest link. What would you tell business owners that they need to do to make sure that their people aren't the link that gets them hacked?
00;24;20;28 - 00;24;43;18
Josh Wathen
Be involved with the policy that would help you build lead from the front and actually do what the policy says, and then enforce that down down the pipeline. It's not a question of, you know, you don't say, please do this now. You need to do your your training so that you're aware you need to accept responsibility for your own actions.
00;24;43;20 - 00;25;03;08
Josh Wathen
And I realize that, you know, working a password manager and doing multi-factor authentication and going through those classes is not dishonest stuff in the world by any means. But it's necessary in order to make sure that you keep your job. You're working 8 to 12 hours a day to make sure you keep your job and advance your career.
00;25;03;11 - 00;25;08;28
Josh Wathen
Spend 30 seconds when you need to to make sure that it's secure.
00;25;09;01 - 00;25;16;06
Craig Andrews
Yeah, yeah, well, that's really cool. Well, Josh, this has been interesting. And it's,
00;25;16;06 - 00;25;26;24
Craig Andrews
what piece of advice would you give, you know, if you were to summarize, let's say three top things that somebody listening should focus on? What would be those three things.
00;25;26;27 - 00;25;36;10
Josh Wathen
To don't wait. It is it is so much more cost effective to be proactive and preventative,
00;25;36;10 - 00;25;42;18
Josh Wathen
than it is to be reactive in these types of situations. It's that old medical adage of,
00;25;42;18 - 00;25;51;26
Josh Wathen
an ounce of prevention is worth a pound of treatment. The same is true here. Get an insurance. Make sure that your insurance is enough.
00;25;51;27 - 00;26;20;00
Josh Wathen
The average breach cost is between 1.5 and $4.5 million, depending on what you read. So a $30,000 supplement is not going to save your business. It needs to be real. And if you don't know how to do that, contact an expert. Right there is do the DIY, get your password manager, set up multifactor authentication. Educate yourself like those are all important, but if you can afford it, call a professional.
00;26;20;02 - 00;26;40;26
Josh Wathen
At least buy a consulting session to go over what the plan should be so that you can work on it on your own. And if you're in a big enough business to where you can afford it, outsource some expert help. That's what you do with your CPA. It's what you do with some of your marketing, right? Like why wouldn't you outsource the livelihood?
00;26;40;26 - 00;26;46;02
Josh Wathen
Protecting the library? Know that you've spent a lifetime creating with an expert.
00;26;46;04 - 00;27;04;01
Craig Andrews
Yeah, no. That's great. And yeah, and I mean, your story about you get on the phone with somebody and you realize that they're going to be closing their business in 3 or 4 days, and they haven't yet realized that that's that's a sadness. I think everybody wants to avoid.
00;27;04;04 - 00;27;26;25
Josh Wathen
Yeah. Beyond that, that happens. I think the number's 44% of people with insurance will not get paid because they said yes to all the things that the questionnaire asked, and nobody made sure that that was being done. So they'll get breached and they're expecting insurance to pay out. And so there's a longer lead time on the businesses closing, but you're probably still closing.
00;27;26;27 - 00;27;30;13
Craig Andrews
Oh my goodness. Wow. Well, Josh, how can,
00;27;30;13 - 00;27;32;25
Craig Andrews
folks reach you.
00;27;32;27 - 00;27;37;23
Josh Wathen
triadinfosec.io is our website. There's a contact us page there.
00;27;37;23 - 00;27;42;29
Josh Wathen
If you got any questions about that. I'm all over LinkedIn, so LinkedIn backslash Josh Wathen.
00;27;42;29 - 00;27;47;17
Josh Wathen
Feel free to connect and send me a message directly. And I'm happy to help and work in.
00;27;47;20 - 00;27;50;14
Craig Andrews
All right. Well, thanks for coming on Leaders and Legacies.
00;27;50;17 - 00;27;53;29
Josh Wathen
Thanks for having me. It's been a pleasure.
00;27;53;29 - 00;28;20;25
Craig Andrews
This is Craig Andrews. I want to thank you for listening to the Leaders and Legacies podcast. We're looking for leaders to share how they're making the impact beyond themselves. If that's you, please go to Ally's for me.com/guest and sign up there. If you got something out of this interview, we would love you to share this
00;28;20;25 - 00;28;22;20
Craig Andrews
episode on social media.
00;28;22;22 - 00;28;46;02
Craig Andrews
Just do a quick screenshot with your phone and text it to a friend, or post it on the socials. If you know someone who would be a great guest, tag them on social media and let them know about the show, including the hashtag leaders and legacies. I love seeing your posts and suggestions. We are regularly putting out new episodes and content to make sure you don't miss anything.
00;28;46;04 - 00;28;54;09
Craig Andrews
Please go ahead and subscribe. Your thumbs up. Ratings and reviews go a long way to help promote the show. It means a lot to me.
00;28;54;09 - 00;30;56;12
Craig Andrews
It means a lot to my team. If you want to know more, please go to Ally's for me.com. Or follow me on LinkedIn. Thanks for listening. We'll see you next time.