Andrew Edstrom, a United States Air Force veteran, has worked in information technology and security/compliance since 1989. His career has run from support technician, engineer and system administrator through various leadership roles, including CIO and CISO, plus vCIO and vCISO for two credit unions in the Southeast.
He understands both customer needs and the technical excellence required for his customers to succeed. He has held various industry and vendor certifications during his career, but it is his exposure to telecom, application development, security, compliance and infrastructure that makes him uniquely qualified to help a business achieve its objectives.
He is well versed in multiple compliance frameworks, including PCI, HIPAA, ISO 27001, SOC 2, CCPA, NIST 800-171, NIST CSF and GDPR. He started Assessivate in September 2018.
Connect with Andrew on LinkedIn.
What You’ll Learn In This Episode
- Compliance vs. security: which should his business be more concerned with
- How much should he spend on cybersecurity or privacy measures
- Is AI really dangerous
- What security measures should he have in place at home
- Protecting his identity
- Biggest threats going forward
- How much support will he get from law enforcement if he has a breach
- Should he ever pay a ransom for his data
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: [00:00:04] Broadcasting live from the Business RadioX Studios in Atlanta, Georgia. It’s time for Atlanta Business Radio. Brought to you by OnPay, Atlanta’s new standard in payroll. Now, here’s your host.
Lee Kantor: [00:00:24] Lee Kantor here, another episode of Atlanta Business Radio, and this is going to be a good one. But before we get started, it’s important to recognize our sponsor, OnPay. Without them, we couldn’t be sharing these important stories. Today on Atlanta Business Radio, we have Andrew Edstrom with Assessivate. Welcome.
Andrew Edstrom: [00:00:43] Hey, Lee, how are you doing?
Lee Kantor: [00:00:45] I am doing well. I’m so excited to learn what you’re up to. Tell us about Assessivate. How are you serving folks?
Andrew Edstrom: [00:00:51] So we’re a managed compliance services provider. What we do is, for businesses that have a compliance requirement, say in health care or the payment card industry or many other areas, we help them achieve that compliance by making sure they’re doing the right things, whether it’s a control that manages governance or a policy, or a control that is around a technical cyber solution. And that’s where we really add value to businesses and help them achieve their goals.
Lee Kantor: [00:01:19] Now, are you working primarily with kind of startups that haven’t done this before and then you’re helping implement kind of the foundation, or is it something that you get called in after something bad has happened?
Andrew Edstrom: [00:01:31] Yeah, it’s a little bit of both, to be honest. We get a lot of customers, like you said, that are kind of at an entry point. They’re trying to figure out what they’re supposed to be doing to make sure they don’t create a situation that causes them either a breach or a compliance issue. But then we also get larger organizations that look to use us to augment what they’re already trying to do. You’ve probably heard of the staffing shortage around cybersecurity and things like that, and we kind of fit into that picture as it stands today.
Lee Kantor: [00:02:01] So the industries you mentioned, fintech and health care, those are the obvious ones. Is that kind of the bulk of it? Or is this something that every industry should be at least putting some energy towards?
Andrew Edstrom: [00:02:14] Yeah. I mean, really, everybody needs to do it. Compliance really is kind of the guiding point to meet your security concerns, or maybe some operational maturity things that help you to achieve business goals. But yeah, everybody out there, whether you’re running a lawn care business or you’re a Fortune 100 company, you really need to be looking at what you’re doing to protect information, whether it’s intellectual property or personally identifiable information or other critical stuff that could impact your business in a negative way.
Lee Kantor: [00:02:46] Now, there’s kind of some rules of thumb of how much you should invest in different aspects of your business. Is it the same thing in your industry? Is there a certain rule of thumb that I should be investing in cybersecurity or privacy?
Andrew Edstrom: [00:02:59] That’s a really great question, Lee. Yeah, a lot of times people ask us what the magic number is, and I think the magic number really depends on what data you’re trying to protect and where you’re at. So if you’ve decided to set up your own data center, there’s obviously a lot more cost around that, or servers that you’re going to buy and build. But if you go into a cloud environment, then the lift is a little bit less as far as cost goes, because then you just pay for a subscription service. So if you need that subscription service, say with AWS, Azure or any cloud provider, you can pay a fraction of the cost, maybe $50 a virtual machine a month. And then you do some additional hardening around it. But I would just say, as a rule of thumb, when people look at their business, they need to really look at endpoint protection. That cost is usually fairly insignificant, somewhere between, say, $5 and $35 a user a month, depending on the level of support it gets. And that’s a little bit of where we come into play, too: to make sure people are spending the right money on the right things. There are a lot of shiny objects and gimmicks out there that can cause businesses to spend money unnecessarily. So what we try to do is help them measure or understand what is the appropriate level of defense or infrastructure to protect the investment they’ve made around their product or service.
Lee Kantor: [00:04:29] Now, how do you typically engage with a new client? What’s that typical point of entry?
Andrew Edstrom: [00:04:36] Yeah, so a lot of times people want an assessment. So we’ll typically do an assessment of their overall infrastructure against security, and if they have an applicable compliance framework like PCI or HIPAA, something like that, those are probably the two most common. Then we’ll really do a measurement, if you will, against that and then help them understand where they’re at. And that’s kind of one of our things: we try to act like GPS for their journey. So we tell them where they’re at, and then we tell them how to get to where they’re trying to go.
Lee Kantor: [00:05:10] Well, “assess” is in your name. So I would imagine a good assessment is part of your deliverable.
Andrew Edstrom: [00:05:16] It really is. It really is.
Lee Kantor: [00:05:19] So now with all this remote work, is that just opening up another can of worms that folks have to be dealing with nowadays? Having people that work with your company all over the globe has always been around for certain people. But now it seems like more and more people are remote. Does that add more complexity to the challenge that you have to help with?
Andrew Edstrom: [00:05:46] It can. Every organization is a little bit different, depending on company culture and then the investment that they’re willing to make in their technology. A lot of times technology departments or cybersecurity are looked at as a cost center instead of something that can help project your business. But yeah, remote work definitely introduced some new concerns, whether it’s somebody that lives in your home that can walk by your computer and see information they shouldn’t be seeing, or maybe they’re using a home computer and sharing a login. Those are the things that really started to show themselves. And then, depending on what the investment was in endpoint security, that was another part of it, because most businesses aren’t going to put the identical infrastructure they put around their corporate office in every employee’s home office. So a lot of times what they do there is add some identity and access management tools and some really robust endpoint protection tools that can control that access and mitigate some of that risk.
Lee Kantor: [00:06:47] And it’s not their laptop only, right? It could be their phone as well.
Andrew Edstrom: [00:06:52] Yeah, absolutely. So when they have a remote office, they could actually have a phone device in their home. They could have a softphone on their computer. So yeah, there are a lot of different aspects to it. It does limit some of the other risks, though, because they may not have some additional things going on that they may have in the office. Like they may not be printing at home; they may not be allowed to print at home. And those would be some of the parameters that we would set out of the gate as we help secure them if they did remote work.
Lee Kantor: [00:07:24] Is there any kind of low hanging fruit for somebody who wants to protect their identity or just shore up their security if they are at home?
Andrew Edstrom: [00:07:33] Yeah, I think, as far as identity stuff goes, the main thing I tell people a lot of times is, don’t make it easy on somebody that’s trying to get to your information. So specifically, whether it’s employee identities or just your personal identity, one of the things we always tell people is to lock your credit if you’re not actively using it. What that means is you go to any one of the big three, and you can do it online, and actually I believe you can do it over the phone as well. But you basically set up some knowledge-based questions and things that would challenge people. So if they tried to establish credit on your behalf, your credit is already locked. And basically it can’t go any further without them calling in and then being able to answer a bunch of questions that really only you should know.
Lee Kantor: [00:08:25] So it’s as simple as that. You just have to contact all of the credit agencies, or just one?
Andrew Edstrom: [00:08:30] You would reach out to each one of them and you would set it up. I believe there are some services now that will actually do that for you at a top level. But right now, what we’ve just told people is to go directly to each one of the big three, do the enrollment and go ahead and freeze your credit so you can prevent identity theft from happening. It slows it down. And most of the time when it happens, they also have alerting, so you know when somebody attempted to do it, and it definitely helps protect you.
Lee Kantor: [00:09:01] Now, what’s your backstory? How’d you get involved in this line of work?
Andrew Edstrom: [00:09:05] So I found out at a very young age that I was fascinated with computers and started taking classes back in high school. And I’m somebody who was born in the late 60s, so I’ve been around for a minute, doing this from kind of the beginning, when there were mainframes, there were bulletin boards and dialing up and doing different things. My career and my experience really started early on: I went into the military, they gave me access to computers there, and then I just continued to evolve it. I found out I had a real knack for understanding how to fix those problems for people, doing helpdesk roles and then becoming a manager and doing some engineering and then running things and then becoming a CIO and a CISO, and then finally starting my own company because I just felt like I could do it better if I was the one pulling the levers. And I think we are doing it better now.
Lee Kantor: [00:09:57] It seems like, at least lately, maybe this is the way it is all the time, it just seems like in the news there are a lot of breaches and cybersecurity issues involving companies of all sizes. Is this something that’s just getting worse and worse, or are the bad guys getting better at this faster than the good guys can prevent it?
Andrew Edstrom: [00:10:17] Yeah, I think the old cliché line is we have to get it right all the time, and the hackers only have to get it right once to really steal from you. And then I would also just say that, yeah, there’s more technology today than there has ever been on this planet. So there are more avenues or mechanisms or ways to get into stuff. And I would absolutely say there’s another part of that challenge: anybody with a credit card can go to AWS or Azure or whatever and start up a server, and find somebody who develops an application. A lot of us don’t necessarily know the background of how that application or service came to be. So you may have people that are completely oblivious to cybersecurity, but maybe they make a great product, and those things then start to collect data and information. And once that stuff gets out there, the hackers will poke around, and there are a lot of tools and websites that can do the research for them, if you will, and tell them where there are open ports and places that are accessible.
Andrew Edstrom: [00:11:20] And then finally, I would just say that once somebody gets hacked once, then it’s almost like sales 101: you start to farm the account. They try to get in there and steal more information or more data. And especially if somebody’s paid a ransom, that usually becomes a bigger target long term for other hackers, because I think what you would find is the intel on the dark web would definitely shine a light on, hey, company XYZ, we got 50,000 from them, there’s probably another opportunity here. Or they may have an advanced persistent threat still in that network, still stealing that data. So some of the complexity is there. But I would say more times than not, probably 90 to 95% of the time, it’s misconfiguration, lack of visibility or monitoring of infrastructure that causes the breaches. Typical phishing emails, training, those things are always important. But most of these cyber attacks are preventable, and for whatever reason they’re still happening. And it blows my mind.
Lee Kantor: [00:12:23] Now, something I’ve seen a little bit lately, or at least that has come to my attention, is VPNs. Can you explain that, and is that helpful?
Andrew Edstrom: [00:12:32] Yeah. So a VPN, or virtual private network, is basically a way to make your device an extension of your corporate network. What that means is that traffic all becomes encrypted over that VPN tunnel, and there are some other technical configurations around that; they can do something called split tunneling, where not everything goes through the tunnel. VPN is definitely a value-added technology, but the changes in technology are also allowing some other technologies to come to light to eliminate the VPN stuff. The VPN stuff can be a little bit clunky and cumbersome, with installing additional clients and so on. There are some products out there now that use something called Zero Trust that also look at the health of your machine, making sure it has endpoint protection like an antivirus or an anti-malware tool on it. It checks your identity. And then maybe it also considers your geolocation, where you’re coming from. So you could set it so somebody could access it from their home, but if they went to a Starbucks or a hotel, you could lock out that access to prevent possible bleed-over into other devices getting access to that tunnel and connecting to it.
Lee Kantor: [00:13:44] Now, what about, kind of back in the day, everybody said, oh, put that software on and you don’t have to worry about it. Is that relevant in today’s world? Those protective softwares that you can buy kind of everywhere?
Andrew Edstrom: [00:14:02] Yeah, there are a lot of different classifications of it. And it’s unfortunate that we seem to keep making it more complex and more difficult to figure out which solutions are right. But when you get into some of the advanced products, if you’re looking for an endpoint protection product, I would always highly recommend that people look for something that specifically calls out defending against ransomware. Maybe it also has other detection features, tamper protection, advanced logging, advanced heuristics around how it scans and looks, how far down and deep it will scan. And then the reputation of that vendor as far as defending against different cyber attacks. And really, when we talk about that, it’s really talking to industry professionals, word of mouth, and finding out what really is working versus something that’s a little bit vaporware. I don’t want to call out any specific brands, but that’s kind of what we tell people. And then that’s also where, if they’re using one set of products from one vendor for, say, firewalls, and they have an endpoint protection product, there’s usually some value to adding that same product in that set, so that we don’t silo information that can be used in an event, if there’s a breach or an incident, to help minimize the amount of time that a hacker can be in your system or control it. A lot of them now have an isolation feature where, if something goes bad, you can basically press a button and then that device can’t get to anything. So you can lock it down and prevent it from infecting other computers.
Lee Kantor: [00:15:40] So what’s that thing that’s happening right now in a prospective client’s business where they should be contacting the folks at Assessivate?
Andrew Edstrom: [00:15:51] Yeah, I think the main thing I would tell people is, specifically, if they have any kind of a compliance requirement like HIPAA or PCI, or they’re a technology or software company and they’re looking at getting a SOC 2 attestation from the AICPA, which is kind of a validation of security, availability, confidentiality, privacy and processing integrity. Those things are right in our wheelhouse, where we can really jump into an organization and help them understand that. And that aligns with policy or procedure creation around acceptable use, information security policies, business continuity testing, tabletop exercises. There’s a whole realm of services that help. And we usually start with some foundational ones and then continue to increase it as they increase their security posture.
Lee Kantor: [00:16:52] Good stuff. Well, this is stuff that you really have to stay on top of. Some of these compliance requirements, is that something they have to do annually, or is it something they do one time, check a box, and then they’re good?
Andrew Edstrom: [00:17:07] Yeah, so compliance is a tricky thing. It’s just like security. It’s really kind of a never-ending thing. So once you jump into something, say if you go into a vertical like health care and you’ve got to do HIPAA and you’ve got to protect it, you’re really under that governance for the entirety of the time your business is touching patient records or ePHI. But conversely, if you do a SOC 2 attestation, that’s kind of a choice, right? That’s just a business choice to improve something you’re doing. But also we’re seeing a lot more vendor management requests, where people are asking about the vendors they’re doing business with to see if they have a SOC 2 letter, or are able to demonstrate through a questionnaire that they have the appropriate security things in place. The SOC 2 is an option. It’s not a mandated thing, but it does give people an understanding of a company’s culture and position on cybersecurity and what they’re willing to do to make sure that they protect people’s information.
Lee Kantor: [00:18:06] Well, if somebody wants to learn more, have a more substantive conversation with you or somebody on your team, what’s the website?
Andrew Edstrom: [00:18:17] Oh yeah, sorry about that. It’s assessivate.com, A-S-S-E-S-S-I-V-A-T-E dot com. And please do call us, and we’d be glad to help anybody.
Lee Kantor: [00:18:27] Well, Andrew, thank you so much for sharing your story. You’re doing important work and we appreciate you.
Andrew Edstrom: [00:18:32] Sounds good. Thank you so much, Lee, for having us. All right.
Lee Kantor: [00:18:35] This is Lee Kantor. We’ll see you all next time on Atlanta Business Radio.
About Our Sponsor
OnPay’s payroll services and HR software give you more time to focus on what’s most important. Rated “Excellent” by PC Magazine, we make it easy to pay employees fast, we automate all payroll taxes, and we even keep all your HR and benefits organized and compliant.
Our award-winning customer service includes an accuracy guarantee, deep integrations with popular accounting software, and we’ll even enter all your employee information for you — whether you have five employees or 500. Take a closer look to see all the ways we can save you time and money in the back office.