Andrew Rinaldi is the co-founder of Defendify, an all-in-one cybersecurity platform specifically built for organizations without in-house security teams. He is also the founding partner of Steady Vision, one of Boston’s oldest full-service digital agencies. We talk about cybersecurity for small businesses, organizational alignment, and the benefits of layered security systems.
The Same Way and the Same Pace with Andrew Rinaldi
Our guest is Andrew Rinaldi, who is the co-founder of Defendify, an all-in-one cybersecurity platform, which is the first to specifically have been built for organizations without in-house security teams. Prior to that, Andrew was a founder and partner at one of Boston’s oldest digital agencies. And he’s also a board member and in charge of corporate strategy at an international family business out of Connecticut. So Andrew, welcome to the show. Great to have you here.
Steve, thanks so much. It’s great to be here. I appreciate it.
Well, I’m all intrigued about your journey and how does one become a cybersecurity entrepreneur? What road did it take you here?
It’s a great question. I grew up in an entrepreneurial family, so I kind of had it in the blood. My dad had started a couple of companies, grew them over the years. I was always exposed to that. I always wanted to start my own business, went to business school at Bentley outside of Boston and studied there and came out of school. And I knew right then and there that I wanted to start my own company. So I did that, built a digital marketing agency with a business partner in Boston for about 15 years.
From that point, I started getting involved in that family business that we talked about a little bit earlier, and splitting some time between the two. And that’s when I started to have some conversations with another friend who was talking about security and cybersecurity and the void in the market there. And we really believe that there was something that had to be done about it. And that’s when we started this company, Defendify.
So how do you go from doing a digital marketing agency to go into the security business? I would have thought that this was very specific and you have to have a specific background in cyber to be able to get into this business, but maybe that’s not the case or maybe you do have it.
Just like with any business, there’s the operational component. So I was, you know, I helped build the companies in the past. I’ve done corporate strategy in the past, brand strategy, core values, all that stuff. And that’s really what you need: the fundamental building blocks of any company. So yeah, you can apply that to a cybersecurity company. I did see application security and product development kind of fell a little bit under what I was doing in my company in Boston.
So those things started to come together with when I crossed paths with my now business partner, Rob, he was coming out of the physical and electronic security world. That’s kind of card access control surveillance systems. And we both were seeing that there was this kind of conversation percolating about security, web apps, building security and cybersecurity kind of encompassing it all. And that’s really where we started to get into deep conversations and said, geez, nobody else is doing something about this problem.
And the problem for us was that there really isn’t cybersecurity for a smaller business. And when I say a small business, kind of under 500 employees, it could be a mom and pop, but it could be a one, two, 300, 400 person size company. They just, you know, they have a lot on their plate and they don’t have the budgets and capabilities that a large enterprise might have.
So, help me understand a little bit. So what is it that, why is it that small businesses didn’t have access to it? Is it an awareness thing or is it, is it prohibitive to have an enterprise level cybersecurity? I can’t even imagine what all those things that go into this concept of cybersecurity. I’m sure there are, you know, multiple moving pieces there. Can you help our listeners understand this a little bit more?
Definitely. It’s a great question because a lot of people don’t really know what cybersecurity is quite yet, and it’s kind of got a changing face depending on who you are, what industry you’re in, how it works. When we talk about it not being really available to smaller organizations, yes, they have certain things like antivirus and a firewall, but the things that an enterprise would do with, you know, hundreds of security professionals on staff, building out an operations center, having high technology, military-grade technology in some cases for large banks and financial institutions, those kinds of things are very challenging for a smaller organization to employ.
And when we started the business, we said, geez, cybersecurity is about more than just plugging in a widget. I can tell you one thing, cybersecurity isn’t, it’s not a widget. It’s not something you just pop onto your computer and you’re good to go. It’s the idea that cybersecurity is really a function of your business. It’s not a feature in your business. It’s something like your health that you have to take care of at all times.
And when you start to look at that and you look at policies and training and technology and assessments and understanding the whole landscape, it becomes really overwhelming for a smaller organization because you need multiple resources to kind of drive that forward, and starting at the leadership level. And it’s just, it’s not that there isn’t always a will, it’s just the ability to do it with everything else going on is very challenging. And that’s where we came up with the idea of Defendify, which was bundling a number of those things together in one place and making it affordable and available, accessible, scalable.
So how do you make something like that affordable for a small business? So if there are so many things to do around cybersecurity, you need the equipment, the operations, you need the policies, you need to be able to respond to new things. I’m just guessing here. How can you create a package of these services where you’re still doing this for these companies, but it’s not going to be prohibitive to them? How does it work?
One of the things that we do is we bring it all into one place. For instance, right now, Defendify has 13 different tools in one place. If you didn’t use Defendify, you might be faced with five, eight, 10 vendors that you’re managing. So right there alone, that can be a savings and an efficiency. Also, the smaller organization can’t afford and doesn’t always need that level of security that an enterprise needs. So they don’t need to go purchase an enterprise level security system. They need something that fits their business.
The reality is as small businesses, they’re leaving the doors open. The windows are wide open, the back door is wide open, the locks aren’t even on the doors. So yes, there are sophisticated attacks at small businesses, but 99% of what happens out there is just because the basics haven’t been done. So we rolled that all up into one place and we’ve built it into a platform so it’s automated. So you can go in and you can, for example, put information into the platform and you’ll get your policies. You’ll get reporting automatically.
You’ll have things like phishing simulations where we send phishing emails at the employees and report on it done for you automatically. So through that automation, we streamline cybersecurity for these organizations, which allows them to have an efficiency that they might not have in trying to build out a large scale operation center per se.
So typical small to medium sized business, you know, less than 500 employees, what are the top three to five threats that people should be aware of and should be protected against?
Well, nothing exciting here, but human error is probably the biggest one. Phishing emails are arriving in all of our inboxes every day. We just have to be, you know, smarter about that and know that anybody can be hit with one of those things. So it’s really just about awareness. You know, ransomware, you hear about it almost every day. This is rampant right now. So we need to be also proactively looking for those kinds of things.
And what happens is, you know, antivirus and firewalls are baseline tools that definitely help and need to be there, but sometimes they’re not configured in the way that they need to be because we just don’t have the time and bandwidth to go in and use them for all that they can do. So we need other things on top of that to be looking for suspicious activity in our networks, in our emails, things of that nature. So it’s really just, you know, those are two of the leading attack vectors, we’ll call them, that you hear about almost every day.
But, you know, some of the basic things that we can do every day are just to be aware of it to slow down a little bit. If you don’t, if you get something in your email that you’re not sure about, don’t click through and know that phishing attempts are coming for everybody. They’re not just targeted at certain types of organizations. They’re easily launched by attackers. And all it really takes is that one click and all of a sudden something might be inside your computer or your network.
I mean, it’s easy to get complacent about this kind of stuff. I know that personally I kind of am probably a little bit complacent I’m using Apple products and I’m just trusting Apple to take care of that kind of stuff for me but maybe they are not going to do this. Is that they’re gonna have the vigilance or I should have an extra layer here?
Yeah, if you ask me, I’ll say that you need extra layers on top of everything. I mean, take a look at what’s happening in the news. These major, major organizations worldwide, global companies with teams of security professionals, 500 people on some of them, they’re still getting breached. Why is that? Because human error plays a role in that. All it takes is one back door that gets left open by mistake. There’s internal people, we call it kind of insider threat that might plant something or leave a door open.
So as good as a product Apple puts out, which they do, and they do a great job with their security, that’s not gonna prevent you from clicking on a link that comes through to your email that might contain something. And there are viruses and malware and ransomware that can happen on Apple products too. So yes, there’s a nice degree of trust with the Apple products, but generally speaking, you need to have multiple layers. And that’s how we’ve kind of shaped our business. We talk about having multiple layers of security. You got to kind of cover people, process and technology.
And if you think about all those things, then you’re going to be in a much better place. And also the ability to be resilient. If something does happen, it’s really important to be able to say, geez, what do I do? Do I unplug the computer? Do I call Defendify? Do I call the FBI? How do I do that? How do I do it quickly? How do I get it cleaned up? Because being down for a business for five days instead of five weeks can make the difference between that business, you know, staying in business. And that’s the kind of thing that everybody needs to be, you know, keeping in mind.
So how about new threats? I mean, the criminals are always more innovative than the police, or at least most of the time, because the police is always reacting to what the criminals come up with. So how do you guys stay ahead of the curve and protect your clients from emerging threats that maybe are new even to you?
It’s a great question. And you hit the nail on the head: the criminals are basically usually always one step ahead. That’s just crime in general, right? What else can I do to make things, you know, work in the way that they want them to? Even with things like viruses: take a virus that’s already known and being tracked by antivirus software, tweak it a little bit, and all of a sudden it’s a new virus that nobody’s ever seen before. So that doesn’t, you know, train your team to be on the lookout. You know, what should I be looking out for?
A phishing email, you know, a phone call, a text message that might be coming from an attacker, bad websites, you know, just being in the know. Most employees and people around the organization don’t know what to look for. So they continue along their day in the same way that they do every day. So awareness training and just making everybody a cyber defender is super important. And then when you’re ready for it, there are kind of higher level solutions.
For example, we have something called breach detection and response, which is basically, think of it as like a cyber alarm system, you know, putting sensors across the network and all the computers, and then looking for anomalous or suspicious behavior. And if we see something, then freezing it or blocking it or containing it, that’s where you really need to get. The large enterprises have, again, they have operation centers of people doing this. For a smaller business, you might need to outsource that through a platform like Defendify or other, there are others out there in the market. So that’s really where you have to be, is proactive.
You can’t just be reactive; proactive, looking for suspicious activity, and knowing that these attacks are not just technical, they’re not just code that gets exploited somewhere. There’s people behind them. They’re human beings. So to defend against other humans using their brains to do things against your business, you need them on your side too. You need experts looking at that traffic, understanding it, and raising the red flag if something is going on.
So, it’s not all technology, you’ve got the experts who will make the judgment and recognize patterns and take action for us. Okay, got it. So, I understand that email phishing has been around for a while and we know that it’s dangerous to click on files that you’re not sure of. What other ways are there where we are exposed? You mentioned bad websites. You mentioned text messages, phone calls. So how do these other exposures threaten us, and what else should we avoid other than clicking on potentially bad emails?
Definitely. I mean, you’re seeing it all the time now, getting text messages saying, hey, your UPS delivery is on its way. You can click a link there and that might launch something on your phone. It might set off a whole chain reaction of events that occur down the road. There’s that, there’s, you know, if you go to a website and it’s got, you know, bad security on it, it could be your own website. And that’s another thing that we do is got to keep an eye on your websites.
Even the marketing websites, it’s fairly simple sometimes for attackers to embed bad code in there, where you’re clicking on what might be an image of somebody, you know, on the team, and all of a sudden we’re either launching malware or it’s going off to ads that you know you don’t want it to be. So those kinds of things are happening, so it’s just, it’s kind of everywhere. You know, using public WiFi, we always recommend you don’t use public WiFi and you use, if you have a mobile hotspot, most cell phones do now, that’s much more secure than jumping on the coffee shop or the airport WiFi, because you don’t know who’s on that network and, you know, oftentimes that’s where things can start.
So you got to be aware of those types of scenarios it’s really just being diligent, you know, think about the obvious things where am I going, what am I doing and you know who else could be out there looking for the things that I have on my system. And part of it is acknowledging everybody’s got sensitive information and not everybody thinks they do. You know, we were talking, for example, a food manufacturer, we don’t have that. Well, what about the IP, the recipe for that? You know that, oh, I never really thought about that. Those are the kinds of things that we need to be thinking about and just kind of identifying what we have to protect. And that starts with assessing yourself. And that’s really the first step in the whole process.
What about ransomware? Does it also start with the phishing email or it’s something else? It works in a different way.
A lot of times it does start with a phishing email. Other times we’re seeing that they’re scanning systems and networks for vulnerabilities. You hear about all the patches that come out: Microsoft’s weekly Patch Tuesday, Google Chrome patching all the time. What happens is, as soon as they find something in Google or Microsoft or wherever, all the software developers, then they identify that vulnerability and they announce that there’s a patch for it. Well, that also announces that most systems that aren’t patched have vulnerabilities. So there are scanners that will run out there that bad actors can use to look for systems; they’re not always looking for somebody in particular. Scanning systems, finding an open vulnerability, and then finding their way through that. And that happens often, too.
Okay. Well, that’s very concerning that they do that. But it’s good that there are solutions. So let’s kind of take a step back here before we talk about maybe solutions here is the Defendify has been around for a while and you guys have been growing the business. Have you used any management blueprints or business frameworks to build this business such as, you know, the image or great game of business or scaling up traction EOS, anything like that?
Yes, definitely. So the last one you mentioned there, EOS, which is the Entrepreneurial Operating System. I was turned on to that many years ago, starting in my company in Boston and bringing it to the other organization in Connecticut. And that for me has been fundamentally the way you can run a very healthy business. And we found it to be super successful in both in organizations that have been around a while, but also in the startup environment. And even starting with the basics, vision, core values, right people in the right place, EOS does a fantastic job of kind of laying that out for you and giving you the foundation to build the business on and scale the business, which, you know, for us in startup mode and high tech, you know, it’s kind of rapid growth and high growth, and you need to be able to pivot very quickly. And I think those systems give you some of the basics that you need in place to make that a reality.
So you’re using EOS, so you know what your vision is, where you are going and how you’re going to get there. So can you share it with us? What is the Defendify vision long term? Where do you want to take this company, let’s say 10 years into the future?
When we look way down the road, we want to make cybersecurity possible for every business. That’s our goal. Really, what is it that we’re doing is we’re trying to solve this massive problem where most of the dollars and most of the effort and most of the tech that you see today is geared to the mid market or the enterprise. And rightfully so, there’s a lot to be done there, even at the military level. There’s so much to be done there. So for us, it’s making it accessible for everybody, kind of like what HubSpot has done for marketing and Salesforce has done for CRM or Intuit and QuickBooks has done for finance. You know, we expect Defendify will be the household name for cybersecurity.
I love that. So the HubSpot for cyber, that, yeah, that’s an attractive thing. So what kind of people will help you get there? Who are the kind of people that you’re looking to attract to your cause at Defendify?
Here at the company, well, you know, it goes back to what we were talking about a few minutes ago. It’s, first of all, it’s the right fit. It’s, you know, having the right core value system that matches to what we need. And it’s like you said earlier, there’s technical and non-technical people that are part of a company like this. And that’s really important that they’re matched with what your goals are and where you’re going with the company. And we surround ourselves with, you know, people that are smarter than us. Me, my business partner, our leadership.
We have a great board of advisors and a great board of directors that really have their kind of ear to the ground on industry trends and what’s going on. It’s really important to have those things going and peer groups, things like that. and kind of one of the leaders of the company, to me, it’s always learning. We wanna continue to be learning, continuous improvement. And that’s really important to me. It’s really important to us as a company and our culture. And I think that’s the kind of people that we wanna surround ourselves with and have and have helped us be successful so far.
So, you mentioned you’re looking for people who want to continuously improve themselves. What are other behaviors that your people exhibit that differentiate you from other companies?
I think it’s partially the kind of entrepreneurial spirit. You know, when we sit with somebody and we’re bringing them into our team and we’re looking at our core values, that’s a big part of it. It’s kind of the hustle, the self-starter. That doesn’t mean you need to be an entrepreneur and run your own business. There’s a spirit to an entrepreneur that we like to see in the people that join our team. And when we see that, we have a lot of success and we work really well together. And it’s kind of just, you know, one of the other things that we’d like to do is look at everybody as a customer. If you have that ability to kind of look at not only your customers as customers, you have customers, partners, vendors.
Internally, each employee for each other is its own customer. If we think about it that way, then we work in a certain way about communications and how we treat each other and the goals that we’re trying to accomplish, and that’s really important for us, and we don’t leave each other hanging and we, you know, push forward with a lot of energy and a lot of enthusiasm in the same direction. And that goes back to some of the concepts in EOS and alignment, you know, it’s really about getting hyper-aligned to move forward as fast as you can.
Alignment is huge. And it’s easy to miss it because it’s kind of an abstract concept for more people, most people what alignment means, but yeah, you really want everyone to see what you’re seeing and be excited about the mission and be clear on what the vision is so they can make their own decisions aligned with the company’s vision and mission. And then basically the little things during the day, you know, they can basically make all those small communications and decisions in line with the ultimate objective and the calling goals and all that stuff.
100 percent. It makes all the difference. In the wrong direction, well, they got to get them off the boat. It doesn’t mean they’re a bad person, but it’s going to slow the company down. At the same time, if you got everybody rowing in the right direction, if everybody’s rowing at a different rate, that’s not as fast as you can go either. So when I talk about alignment I say, geez, we’re all moving at the same pace is really what I’m talking about with hyper-alignment. It’s kind of not all just kind of moving in one direction, but moving there in the same way at the same time. And that makes a huge difference too.
I love that, same way at the same time. Going back to cyber, if I’m a business owner, I own a 50% company, and I know that I haven’t done anything on cyber, so I’m probably behind and I’m running a risk I’m not even aware of what how big that risk is. What is the low hanging fruit for me? How can I de-risk my business? How can I, what are the first steps that I can kind of a baby steps to take in the right direction?
That’s a great question. There’s a lot that can be done and not all of it costs money, right? So there’s certain things you can do to start. First things first is kind of acknowledging what cybersecurity is that it’s, you know, we say it’s a posture, not a project. It’s kind of, again, it’s that function of your business and it starts at the leadership level and it’s acknowledging that and saying, hey, this is a thing. If we don’t get on top of it, we’re gonna fall behind as opposed to, you know, being ahead. That’s A1A.
We have to make sure that we acknowledge it, that it’s something that needs to be done and start dedicating resources, time, dollars, whatever it might be. It’s not just something we squeeze in an IT budget. It’s something that’s got to get taken care of. That’s one thing to do. Another is to do an assessment. Basically, find out where your business is. That’s the biggest question we probably hear is, yeah, I’m interested. I get it. I don’t know where we stand. So grade yourself.
We have something in our Defendify platform where you can go through a full assessment and understand, you know, are you a B minus? Are you a D? Are you an F? Where are your strengths and weaknesses? And now you can figure out what to do and then you reassess over time. That’s the best place to start, really. Little things like two-factor authentication, super important. Just turn it on everywhere. Make it a mandate for the organization to be able to, you know, use it with your Google, your Microsoft, all the apps that you have, most of them have two-factor authentication turned on. If they don’t, think about potentially not using that app.
It’s not gonna protect you against absolutely everything, but a vast majority of the attacks, it’s gonna make it very difficult for them to get through. So then that’s free, that doesn’t cost anything. We just really encourage everybody to turn it on. So it’s really having that mindset, starting to assess, turning on things like two-factor authentication, using long passwords that aren’t, one of the unfortunate things is we hear, oh, passwords, passwords, everybody’s gotta reset your password. Well, the stats are like 60, 70% or something of people recycle their password.
So if an attacker gets into the local pizza shop account that you’re using, then they might be able to get into your company or corporate network, things like that. And when you say, use a passphrase. So something that’s long and that you remember that longer is actually better than something short. So it might be the name of a song that you really like, as long as it’s really long. And if you can’t remember them all, use a password keeper. There’s plenty of products out there. There’s one called Keeper, Dashlane, LastPass. There are all sorts of things out there. Those things are easy to use and make a big difference.
I use Keeper as well. And it takes a little bit of discipline because when you quickly want to log on something new, it takes this extra step that you open up and you type your email and the password and everything in. But it really is worth it in the long term.
It does, it makes a difference and you get used to it. I felt the same way even at the beginning when we started our company. And then once you start to, that first thing I mentioned was kind of acknowledging the why, why do I need this? Why is it important? You start to make less excuses about being complacent, which is, security is an inconvenience. That’s why it’s there. So if you have that shift in perspective, that’s really helpful. And again, just question anything that might be unexpected that comes across email, phone call, text message, social media post, whatever it might be.
If you don’t feel right about it or you weren’t expecting it, take an extra minute to go connect with that person separately. Give them a phone call. Send them a text message. Hey, did you send me this thing? That’s a big step. Again, it doesn’t cost anything, just a little bit of time to verify that you, they had sent it. And if, you know, if everything checks out, you’re good to go. But you know, those fake emails that come across and you can call business email compromise, these things are happening every day. So these are little things that, you know, don’t cost anything that can really help your business.
I love these nuggets. Definitely two factor, the, you know, long password, these are very simple things and we start there and create the awareness and then we will see other things that we can fix simply and sounds like Defendify could be a great solution. So if people are interested in Defendify, they want to learn more, where do they go?
Sure. See, the best place is our website. So it’s www.defendify.io. And if anybody wants to reach me personally, feel free to reach out on LinkedIn and I’m happy to have a conversation.
Okay, well, definitely do that. Andrew Rinaldi, co-founder of Defendify. I would definitely check him out and he’s open to taking your questions as well. So please do that. If you enjoyed the show, please go on Apple Podcasts and rate and review our show so that it gets out to more people, reaches more people. And give us a review. I’ll be, I’m always on the lookout and I read every review. So I’d love to hear some feedback from you. And stay tuned. Next week, we’re going to have another great entrepreneur coming on the show and sharing their secret treasures with us. So thank you. Thank you, Andrew, for coming.
Thanks, Steve. I appreciate you having me on.
- Pinnacle: Five Principles that Take Your Business to the Top of the Mountain
- Andrew’s LinkedIn
- Andrew’s Website
- Steve’s Book: Buyable
- Steve’s blog
- Complete the Buyability Assessment