Blog

John Jantsch (00:00): I was like, I found it. I found it. This is what I’ve been looking for. I can honestly say it has genuinely changed the way I run my business. It’s changed the results that I’m seeing. It’s changed my engagement with clients. It’s changed my engagement with the team. I couldn’t be happier. Honestly. It’s the best investment I ever made.

(00:16): What you just heard was a testimonial from a recent graduate of the Duct Tape Marketing certification intensive program for fractional CMOs marketing agencies and consultants just like them. You could choose our system to move from vendor to trusted advisor, attract only ideal clients, and confidently present your strategies to build monthly recurring revenue. Visit DTM world slash scale to book your free advisory call and learn more. It’s time to transform your approach. Book your call today, DTM world slash scale. Hello and welcome to another episode of the Duct Tape Marketing Podcast. This is John Jantsch. My guest today is Zach Kromkowski. I was so worried about the last name that I’ve messed up. You

Zack Kromkowski (01:15): Overthought the last name and you got the first name. No worries.

John Jantsch (01:19): Kromkowski. Here we go. He is a force in cybersecurity driven to make system hardening both effective and accessible. Co-founder of Ion, he and his team developed an innovative platform that automates hardening for workstation servers and browsers to CIS standards, streamlining compliance and security. So we’re going to talk about security cybersecurity, I suppose more specifically. So this is a topic that is not necessarily marketing very related to what we do as marketers, very related to what we do as business owners. So Zach, welcome to the show.

Zack Kromkowski (01:54): Yeah, thank you for having me on. And I mean, you kicked off right there, John. Why is this relatable to marketing firms and owners? I mean, our little pre-session banter, it’s like us marketing firms, and when we work with clients, they’re telling us a lot of their ip. They’re telling us their brand, their image. All of these details is how bad actors might be able to create a more targeted phishing email or a more targeted, more persuasive email that isn’t real. So even though we’re talking about security on a marketing podcast, it’s all related. So I really appreciate the pre-show banter we had, John.

John Jantsch (02:30): Yeah, well, and not to mention, I mean, we have clients that their cousin’s, ex-boyfriend set up all of their passwords on things and they just have ’em on a spreadsheet and they give ’em to us. And as a marketing agency, in some ways that makes life easier because I’ve got all the keys, right? But it’s also should be very scary to anybody that is taking that data. So let’s kind of back up and can you give us some best practices on the typical small business we can get into? The agency maybe is a little different, but the typical small business, what are some of the things they need to be doing as just routine practices? Not because the sky’s falling, just but because lots of things happen, right? You’ve got bad actors, but you’ve also got disgruntled employees. Maybe you’ve got lots of things that can happen in the world because stuff happens. So let’s kind of start there. What are the basics?

Zack Kromkowski (03:26): Yeah, I mean, there’s risk to anything. Again, in that pre-show we talked about as Duct Tape Marketing, you have your own third party vendors. What can I do to protect myself? And you shared a little bit about that. So

(03:37): Talking to those basics, there’s a misconception with security that you have to invest hundreds, thousands of dollars just to have security. And I’ll be the first vendor to admit, you don’t need to spend a ton of money on security. There are things you can do specifically called system hardening. So this is one of the first things, in my opinion, any business owner, any SMB can really focus on. This is a concept of understanding. Where are your assets? Where are your computers? Where is your server? Maybe you have one, maybe you don’t. Where are your computers? And the next step of saying how are they configured? What software is installed on this computer? How can I configure that new software to be more secure? So talking about some of these easy examples, something every small business owner I talk to always and my parents, right? My family, for example, they want to save their passwords to the browser. This is universally just accepted. This is what everyone does. But the browser, the Google, the Microsoft Edge, these are not security first browser password storage methods. There are literally companies that dedicate their entire business model just to saving the password. So that’s like bit warden LastPass.

John Jantsch (04:58): And

Zack Kromkowski (04:58): When I talk about hardening, you can’t write a policy and say, Hey employees, I don’t want any of you to save your password to the browser and expect them to do that. When I talk about hardening, we literally remove the ability to save a password to the browser. That way that policy is enforced and happens by nature. There’s no way around it. So that’s one aspect of hardening, John.

John Jantsch (05:22): Yeah. Awesome. So what about, I guess, outstanding on that same topic. What about the fact that in my particular case, there is no server, there is no central office. In a lot of cases, people are using their own devices to connect to many of the assets. So how does somebody who has a distributed workforce, is that going to be different or are we really just going to run a much higher risk?

Zack Kromkowski (05:50): So this is another good follow up. It’s this concept of risk and being able to communicate this as a marketing or that owner is really important because if you can educate and talk towards your risk, it’s going to build more trust. And this trust, if I’m outsourcing my marketing as cion, I have to trust the person that I want to work with. So let’s say there is a distributor distributed network, BYOD devices. It’s my personal computer and my work computer. What can we do? One of the things, and I’ll stay on the topic of browsers, browser security, browser hardening is very important. You can write a policy to say, Hey, for work, you have to use the Google Chrome browser for personal use. The other one, the Edge, the Firefox. Or if you want to set up a Google workspace, if you have a little bit of budget to invest, you can create a Google Chrome profile and you configure the profile to have company standards and then the personal one they manage on their own. There is a level of risk to that decision because they still have access to the other profile. Worst case scenario, that profile is compromised and they find a way to get to the other one. But you at least have that segmentation to add an additional barrier to that bad actor. So when I talk about hardening, again, the key thing is here not to have default settings. If your settings are in defaults, a bad actor will know what the settings are before they get there.

(07:25): So if we can change some of those settings and create even the smallest barrier for that bad actor to have to invest 10 minutes instead of 30 seconds, they might just bypass you and go to the next target. They may not even try to hack you anymore.

John Jantsch (07:40): Yeah, a great example of that, not necessarily on a server, but many of our clients are on WordPress.

Zack Kromkowski (07:45): And

John Jantsch (07:47): Just a simple thing like changing the page name of the admin login does that same thing because they’re out there knowing that 90% of the sites out there, it’s admin, wpa, admin. And so if they’re not going to find that in the one second bot search, they’re probably going to move on. So

Zack Kromkowski (08:05): That is a really good example. And we talk about WordPress, but we can also talk about Microsoft in the same respect. So there’s also an administrator account on the workstation, on the laptop itself, and that admin account, I mean, we could talk about Fortinet firewalls, right? The password and newsrooms, if we just take that five minutes to change these default choices, it adds an extra layer of effort. And this is by most intensive purposes, the most important takeaway from the show is by adding layers of difficulty, even just one layer makes you a target that they probably won’t want to hit.

John Jantsch (08:42): Because you see a lot of these things are obviously being done by bots in a lot of cases. So the bots just told, ping this and so it’ll move on.

Zack Kromkowski (08:51): Exactly. That’s exactly right, John. That is a perfect way to say it.

John Jantsch (08:55): So what about many people? I don’t know what the percentages are these days, but a lot of, especially virtual companies have turned to Google Workspace as really a lot of their internal storage, their email, their calendars. What are some best practices for that? I know super admins have some security things they can set up. So what are some best practices to make sure that even if it’s not the most secure thing, you can make it more secure?

Zack Kromkowski (09:24): Absolutely. So this is going to go into more piss. You’re a Google House, you want to use single sign on, you just want to click sign on with Google, that’s great. But we do that so often. We’re just signing up for this free trial of that. It builds up so much. So my recommendation here would be one, look at Google had a recent update. My CISO is extremely excited, but you can actually see now all of the accounts that are linked to your single sign-on,

John Jantsch (09:54): And

Zack Kromkowski (09:54): You can easily remove that from having access, because again, this is looking at the layers of security. If your single account is unfortunately compromised, now they have access to everything

John Jantsch (10:07): And

Zack Kromkowski (10:07): Even things you don’t use or don’t need anymore. So doing that asset inventory review allows you to reduce your tax surface and reduce the things that have access. And let’s talk about the flip side of that. If that third party company, the one you did use single sign on to sign on with, and you don’t even need it anymore, they get compromised now, they can leverage that to attack you because you still are authenticated. You still have the permissions because you never removed it. So that first most important best practice would be to review what you currently have available via that single sign on.

John Jantsch (10:44): It’s my pleasure to welcome a new sponsor to the podcast. Our friends at ActiveCampaign. ActiveCampaign helps small teams power big businesses with the must have platform for intelligent marketing automation. We’ve been using ActiveCampaign for years here at Duct Tape Marketing to power our subscription forms, email newsletters and sales funnel drip campaigns. ActiveCampaign is that rare platform that’s affordable, easy to use, and capable of handling even the most complex marketing automation needs. And they make it easy to switch. They provide every new customer with one-on-one personal training and free migrations from your current marketing automation or email marketing provider. You can try ActiveCampaign for free for 14 days and there’s no credit card required. Just visit activecampaign.com/duct tape. That’s right, duct Tape Marketing podcast listeners who sign up via that link. We’ll also receive 15% off an annual plan if purchased by March 31st, 2024. That’s activecampaign.com/duct tape. Now, this offer is limited to new active campaign customers only. So what are you waiting for? Fuel your growth, boost revenue and save precious time by upgrading to ActiveCampaign today. What about users? Are there policies that you should have all of your users adhering to?

Zack Kromkowski (12:05): This is a good one. So this goes towards disabled browser password manager. So that one example is the most relatable to everyone because everyone knows what a password is. Everyone knows how to save a password. I’ll go high level on this, but there’s an organization, it’s a free nonprofit. It’s called Center for Internet Security, CIS, and they have free downloadable PDFs on how to configure your Google Chrome, how to configure your Microsoft Edge. And that setting, I gave the example of with passwords, that’s about one setting out of a hundred some different settings.

(12:41): So another example is when executing a download, you have to explicitly say, download it to this folder, right? It makes you do one extra click because for that fish, without that in place, that fish, you click automatically done with the extra layer. Now the user says, okay, I’m going to click this. Oh, now it wants to trigger a download. That’s not behavior I expected. And it allows your employee, it allows your clients, it allows you to take an extra second to say, is this what I thought would happen? And maybe that extra second prevents the worst from happening.

John Jantsch (13:21): A little bit about password management as it relates to certainly to Google, but then you also mentioned some of the password managers out there. Are there best practices for password management in general?

Zack Kromkowski (13:31): Yeah, so this one’s good. So two FA, I’ll say this on every single episode I go on. For any field password managers are critical. Save your passwords there, but let’s talk about getting into the password manager. This has to be the most unique password because you can’t put it in their password manager. You can’t, if you don’t know this password, you can’t sign into it to figure out what it is, right? So you need to know that password, and that is something you should treat like your social security number, whether you have it written down and put into a safe, or you just have it memorized, which memorizes, of course, the best practice. But making sure this has at least 20 different characters. And when I say characters, I’m referring to letters, numbers, and symbols. Those are the things that make a strong password. And because this is a password you use nowhere else, it’s a single password. This is actually not something I would recommend to rotate or change. This is just your forever password

John Jantsch (14:29): Until

Zack Kromkowski (14:30): Your safe gets broken into, until you get an alert saying possible password compromise. You never have to rotate this password. This is your single source of truth to get into your password manager. And yeah, on top of that, I’ll say it one more time. The two FA, every piece of software, everything that you have access to always go through and just see, Hey, in the setting section or the security and option section, do they have a two a option available? Do you want me to go a little bit deeper into why that’s important, John?

John Jantsch (15:01): No, but I do want to explain, not everybody knows the acronym two FA. So two factor authentication. So we’ve all got some, all the financial folks have gone to almost forcing that. So you log in and then it says, all right, we’re not sure this is you. We’re going to text you a code, or you need to use an authenticator or something. So basically it’s just a second hoop, if you will, to somebody could have your phone, they can have your password, so they could authenticate it, but it just adds an extra hoop for somebody that’s out there in some far away island that’s trying to hack into your stuff.

Zack Kromkowski (15:38): And I think that’s a great point, and I’m glad you called me out for that. I do my best to speak all of my acronyms. It’s alphabet soup in the security world. But

(15:48): This is a cool thing, and relating it again, back to the marketing departments and marketing teams and doing sales, right? If you were trying to sell ION or a security company, Hey, I want to do your marketing. I need all of this brand information, I need all of your value props, I need whatever, to build the perfect messaging. If one question I would probably ask, Hey, how are you storing this? Right? So marketing departments may want to take half a step into enabling their sales team to say, Hey, if it ever makes sense, feel free to let the prospect know, Hey, we secure our data this way. We have managed browsers, we do use two FA. If a marketing firm said that to me and leaned into MySpace as a security vendor, I’d be impressed. I’d be like, Hey, maybe they’re not experts, but they took that half a step to at least try to appeal to what I care about, and that would mean a lot to me.

John Jantsch (16:42): So here’s my other topic. I’m going to throw this one in here. This might just mix up the soup a little bit, but where do you stand on VPNs? So again, since we’re all over the world and all doing, we’re all logging into Google to do X, should we all be using virtual private networks that mask our ips?

Zack Kromkowski (17:01): Yeah, I mean, this again, goes towards that BYOD. If you are an enterprise who can only access certain things via the on-premise domain, you have to be connected. You have to be onsite in order to obtain certain information, you’re going to be inherently required to have A VPN. Now, the debate kind of comes in, okay, we can only access the data onsite. We have no one remote. Do we really need a VPN? In that case, you probably don’t. I mean, more is always better, but in that case, it’s probably overkill. If everyone is already working on site, the computers never leave the business, everything has to be done there. There’s not a lot of value because the data’s never leaving that secure built environment. Now, to your point, a lot of people are B-O-I-O-D. We’re all remote nowadays. So yeah, they really do become that backbone to say, if I don’t lock out some of that business data and require A VPN in order to reach it, anyone can reach it,

John Jantsch (18:08): Right?

Zack Kromkowski (18:09): So it’s going to depend on your business model, your business setup. But yeah, VPNs are critical for those remote environments. But if you are on site, probably not necessary.

John Jantsch (18:21): So you talked about if somebody was wanting to do your marketing, if I went to a company and they were asking, in fact, we’ve had this happen before where people have an IT company that they work with and they’re like, Hey, here’s our checklist of security standards. Do you meet them? So is there kind of a, I wouldn’t call it the gold standard, but maybe even a minimum standard that if I went to them and just said, oh yeah, we are BXYC compliant. Is there one sort of compliance level that say a small business should strive towards?

Zack Kromkowski (18:54): So there’s an easy answer that comes to mind here, and that’s going to be SOC two compliance, which is maybe what you’re leaning towards.

John Jantsch (19:00): And

Zack Kromkowski (19:00): It’s definitely one of the most common and most understood compliances to me. And it would mean something to me. It would definitely say, well, they at least did that. That means they care about it To some extent, the follow-up question. And if you do take the approach of getting a SOC two, which yes, that’s a good approach. ION has one, right? We’re doing all this, but be able to say, not only do we have one, this is what we got it for. So that’s the very unique thing with SOC two. I can get a SOC two on the ION website, but the ION solution itself has no security certification. So if you intend to take the approach of leading or injecting at some point during the sales conversation as a marketing firm, hey, we have our SOC two, be sure to be ready for that follow-up question and say, what’s your SOC two for?

John Jantsch (19:52): Because

Zack Kromkowski (19:52): That is something that we would ask if anyone ever said that to us.

John Jantsch (19:56): And I believe that’s SOC two, right? It is,

Zack Kromkowski (19:59): Yep. And I think it’s the Roman numerals two is usually how it’s, yep.

John Jantsch (20:03): Alright, if people want to look that up. We’re 18 minutes and 38 seconds into this recording. Let’s talk about ai. Oh boy. So does ai, where are the risks, I suppose, posed by AI that we need to at least be thinking about?

Zack Kromkowski (20:19): So risk especially in the relation to marketing and the business field that you cater to. John, you are a goldmine to a bad actor. Why? We talked about this a little bit at the start, but you have multiple companies, brand multiple companies, points of context, multiple companies, just image if an ai, if you were to be compromised, and I already heard you have your layers of security, so kudos to you on being able to talk towards that very good conversation. But let’s talk about if worst case scenario you were compromised that AI can now ingest hundreds of companies, unique branding, colors, branding, verbiage, branding, everything, and it takes that data and then can target the next business your customer. You have a similar risk profile to a managed service provider. So a managed service provider will typically manage the IT and security and has more access. So they can be a direct point of breach, they can take advantage of things, but you’re the next layer. You’re the layer still hugely valuable to an ai because that AI now is tailoring, its messaging, becoming you talking to that end client. And it’s going to be hard to tell the difference, John. I mean, that’s the end of the day. Our AI are becoming so trained and so tailored. If we inject it with the appropriate information, which marketing firms already have, how are your clients going to know the difference?

John Jantsch (21:51): I actually saw somebody post, and again, there are definitely a lot of people out there trying to lead with the fear factor, but some of it’s real. And they were suggesting that if you got a phone call from somebody and your boss, your spouse, and they were asking you for something that you thought was a little odd, but it sure sounded like them, that level of fake is going to be out there and that people were actually talking about having your own sort of password with each other.

Zack Kromkowski (22:22): I love the stories. So when we call partners and sometimes they don’t always have our number saved, and a lot of, I mean just you guys, we’re all in marketing here, right? We’ve done the cold calls, we’ve done the customer calls, and they may not recognize the number. Some security companies will take an edgier take to this and have a little AI recording or AI interface to almost annoy the person on the other line. They simply pretend to be a real person, but you’re actually talking to a computer the whole time, and that’s just one piece of ai. Now, you take that kind of a comedy scenario that satire like, oh, it was just used for goofy, but you actually allow it to now make outgoing calls, make those outgoing fakes. Having that key password phrase makes a difference. I think my biggest point here is, Hey, can you remind me what, so-and-so’s story was right? Doing something personal that an AI probably doesn’t know. And I’m going to be honest, I’ve had to do that. Hey, this conversation has been going for 45 seconds. I haven’t felt anything real out of it. I’m going to put a very personal question here to see how it responds, and sure enough, it couldn’t, it just went back to the replay loop.

John Jantsch (23:37): Yeah. Wow. So Zach, I appreciate you taking a few moments to stop by the Duct Tape Marketing Podcast. We obviously a wide range of topics. It probably just stirred up more questions than answers. Happy to come back, but you want to invite people where they might want to connect with you and maybe find out more about some of the things we talked about if they have some concerns.

Zack Kromkowski (23:58): Yeah. So my name again, Zach Kowski. I’m very active on LinkedIn. You can find that at security, Zach as the profile name. But the big thing I want to shout out here is you don’t need a security budget to do security activities. The things I talked about today is knowing what software you have, knowing what hardware you have, and then changing settings. If you’re overwhelmed and don’t know what these settings do, we have free documentation across YouTube and our resource hub to say, this setting does that. This setting does that. And you can take advantage of this a hundred percent free offering to do some of these steps without paying anything. Now, if you do want to do this at a mass scale, ion automates all of this. That’s the plug. But there’s a lot of free steps you can do without even investing a dollar.

John Jantsch (24:46): Awesome. Well, again, I appreciate you stopping by and hopefully we run into you one of these days out there on the road.