Cybersecurity expert Dan Anthony explains why auto shops are common targets and how simple changes can dramatically reduce risk. He outlines key problem areas including weak payment security, shared logins, and flat networks that expose the entire business during a breach. Dan shares practical, low cost solutions such as separate user accounts, password managers, and isolating payment systems on their own network. The discussion also covers safer multi factor authentication, spotting phishing attempts with quick verification calls, and training teams through short, consistent reminders. The episode closes with clear guidance on backups, stressing the importance of testing them, storing them offsite, and keeping them encrypted.

Host(s):

Jimmy Lea, VP of Business Development

Guest(s):

Dan Anthony, Cyber Security Expert

Show Highlights:

[00:01:21] – Weak payment security practices and shared logins are two red flags.

[00:07:10] – Keep card machines and payment systems on a separate network to reduce PCI risk during a breach.

[00:09:14] – Use a second router to segment payment or business critical traffic.

[00:12:45] – You don’t have to be perfect. Just be harder to hit than the easiest target.

[00:16:00] – Internet connected tools like cameras often create openings by requiring firewall access.

[00:18:02] – Split Wi-Fi into corporate and guest networks to keep personal devices off business systems.

[00:28:00] – Separate accounts, password manager, and a dedicated payment network.

[00:33:09] – MFA helps, but app or hardware based options beat text codes for security.

[00:36:21] – Best phishing defense is trusting your gut and make the quick verification phone call.

[00:45:00] – Backups only matter if you test them, store them offsite, and encrypt the drive.

Don’t miss exclusive insights, expert takeaways, and real talk you won’t hear anywhere else. Hit Subscribe, drop a comment, and share it with someone who needs to hear this!

Links & Resources: 

________________________________________

Episode Transcript Disclaimer

Episode Transcript:

Jimmy Lea: Hello, friend. This is Jimmy Lee with the Institute for Automotive Business Excellence, and you are listening to the Leading Edge podcast. My guest today is Dan Anthony, and he is a expert in the realm and in the world of cybersecurity. So why would we have Anthony on with us today? Oh, that's a really good question.

Jimmy Lea: To get into that information and to get into this, I, I welcome Dan. Dan, welcome. How are you, brother?

Dan Anthony: I'm doing great. Thanks for having me on today, Jimmy.

Jimmy Lea: Hey, you're welcome. So, hey, uh, cybersecurity. It, it's a, it's a big thing. It is something that's important and, and it seems like it never is getting the attention it needs until the world's coming to an end, right?

Jimmy Lea: It's true. Yep. Always, always. The way we all, we all get a new computer and we plug it in and it's like, oh, yeah, yeah, here we go, and everything's fine. And then it's not.

Dan Anthony: Until it's not. Yes.

Jimmy Lea: Yeah. Hey, hey. What, what is a, um, a, a typical small business cybersecurity red flag that you see or that you notice as you go around and visit small businesses?

Jimmy Lea: What's one of those red flags that's just so omnipresent? You can feel it when you walk in?

Dan Anthony: There's, there, there's probably two. I would, I would kick it off with. Okay. Uh, the first I don't see as prevalent. Uh, it's not as prevalent as it used to be, but there, uh, even five years ago, I would walk into any mom and pop shop and I would go and I would tap my debit card.

Dan Anthony: Uh, not tap it or I, you'd insert it. Right. And the idea with PCI compliance, right, is that you would insert it so it would read the chip. Yes. And then you would enter your pin. Right. But you know, there were a lot of cases where I would just go insert it. And, uh, the, the pin, right? Never asked for the pin.

Dan Anthony: And I, I loved just throwing that at a lot of these mom and pop shops and I would say, oh, yeah, you're, uh, skipping the chip and pin. And they would just say, oh, yeah, we, you know, we didn't want to pay the extra, you know, we didn't have the extra funds, time, whatever in place to add that extra piece of the pin.

Dan Anthony: And I, I would just kind of throw that out and say, you know, if there's a hack that comes through your shop. Visa won't cover you. Shut up. That's, that's A PCI, right? That's a PCI component. PCI compliance issue. Yeah. Right. So it used to be that if there was any fraud involved, visa, MasterCard, whoever they would, they would just show up and they would just say, oh, okay.

Dan Anthony: Yeah, we'll, we'll cover all, all the fraudulent charges. We'll charges, we'll refund it. And they would make everything right. But they got tired of paying all of that. Yeah. And so with the PCI rules that that was one of the. Big things I started noticing a few years ago and so I, I'd just kind of throw it out there and just say, oh yeah, you guys are skipping that.

Dan Anthony: Alright. Oh yeah, it was extra. Yeah, go ahead to to, to my

Jimmy Lea: ignorance. I thought that when that happened and I would put in my debit card, I thought if it didn't ask for my pin, it was just running it as credit.

Dan Anthony: Right. So there, there are times where it could just be running it as credit, but if, yeah, again, if it is running it as debit, that's, yeah.

Dan Anthony: There, there's a lot of nuance in there. And yeah. If you're a small business owner, is this right? Is this a

Jimmy Lea: huge, is it a huge amount that, that you've gotta sign up for with this pin code?

Dan Anthony: Uh, it's, it's just an extra fee, if I recall correctly at the time when I looked into it a few years back.

Jimmy Lea: Yeah.

Dan Anthony: Uh, it, it was a percentage, right?

Dan Anthony: It was just an additional percentage. Oh. That the payment processors were taken. So instead of three and a half percent on a, on a credit, right? Or, or, or a little less, I think it was on debits as well. It, right. They just bumped it up. It adds up. Right. It really, it, it adds up over time really quick.

Jimmy Lea: It, it really does, especially if you consider the automotive industry where our average repair order is anywhere from 500 bucks to 1500 bucks.

Jimmy Lea: So on a, on a larger, on a larger bill, when you're talking about 3% of a $5,000. Yeah. I had to insert, I had to put a new shock struts, a water pump, a, a radiator. If $5,000 at 3%, it starts, you

Dan Anthony: know,

Jimmy Lea: that's, yeah. That starts adding up really fast. And that's why a lot of shops will run it as a debit because the fees are less and it's a direct transfer.

Jimmy Lea: Uh, even they're getting into now, uh, doing ACHs with banks.

Dan Anthony: Yes.

Jimmy Lea: And, and with, um, automotive repair. Yeah. Um, so that, that's interesting. So making sure that was number one. That was number one. Making sure you have the, the pin activated for your, for your chips.

Dan Anthony: Yeah. When, when you're getting that chip going, yeah.

Dan Anthony: They, they go together for a reason. Uh, and then the second thing, uh, that I see, especially in a lot of small automotive shops is that there is just one person. Uh, or one, I should say, one user account. When I, when I'm standing there at the front desk talking to whoever's at the front desk, they'll work on it for a second.

Dan Anthony: They'll say, okay, let me go check something. And they'll, they'll walk away and then someone else will come in and they'll start working on the same machine. And that's, that's one thing that just makes my, it, it just makes me a little fuzzy, right? Gets me a little nick Cage twitchy. When I watch that, I just go, how do you know who did what?

Jimmy Lea: Yeah. How do, where's the fingernails? On the chalkboard? That's what I'm hearing. Yeah. Yeah. How dare you?

Dan Anthony: Yeah. You just don't have a, and it's, it's not that I'm particularly worried that, oh, you know, this person's gonna come change something on my account. Right. It's just being able, it's just being able to have accountability.

Dan Anthony: Right? Yeah. Of who made what changes, of who did what, and if there was an accident is where my brain goes. I wanna, you know, I wanna blame things on, on accidents, not maliciousness usually. Yeah. But Right. That's, that is one of the big things I see where it's just kind of a free for all and it's, it's, everybody doesn't have their own account.

Dan Anthony: And if you don't have an account on that Windows machine that that's at the front, I, it makes my brain kind of go. Are there any machines in here that you have your own account on? Is there any separation of, you know, who does what and how do you know if somebody adds an extra zero or forgets an extra zero?

Dan Anthony: Oh my gosh. When they're, when they're invoicing. Well,

Jimmy Lea: Dan, this is absolutely fascinating. We're talking about this, I mean, this is cybersecurity. You're not even the credit card guy, but here we are talking about cybersecurity, right? This is so important. So if I'm a, a mom and pop shop and I'm automotive aftermarket, and I've got two service advisors at the front desk, each one needs to have their own credit card processing unit, or are you saying.

Jimmy Lea: Just the computer, just their login when they walk away. Yeah. They should log out so that the next person coming in should have to log in.

Dan Anthony: Yeah. Or, or uh, or just right lock the, they would have maybe the each, they, they each have their own, uh, uh, pc, uh, yeah. And yeah, they, if, if you have one, uh, PLS terminal, right?

Dan Anthony: One. You have one card machine. Yep. Yeah. Those card machines with, with, it's gonna come back to PCI because I've, I've been in compliance and on the compliance side of things for so long. That's, that's where my brain likes to go. But I, I would say, yeah, you keep those, those payment machines and anything related to payments.

Dan Anthony: Separate from anything else that, right. That's one of the, one of the first things, if there's a breach, that's one of the first things Visa does when they send forensic examiners is they're gonna look at your network and say, is, is every computer plugged in on the same network as these card machines?

Dan Anthony: That's how they are. And if they are, then all of a sudden all of those computers are within that scope of what they can look at and say, oh, this computer doesn't have these settings, so your entire network is not PCI compliant. Oh gosh, yeah, we're not gonna pay for that. Versus if you just have a separate network for those, for those card machines, then suddenly your scope is just that network with those card machines.

Dan Anthony: So if five of your customers come in going, Hey, I got weird charges on my card and Visa rolls that truck up, you can say, Nope. Everything with those cards is all on its own network. So yeah, I'm a, I'm a big, I'm, I'm big on keep things separate, right? Not just for accountability, but all also it makes things a lot easier, uh, if, if PCI ever becomes a, a big deal for you.

Jimmy Lea: For sure. And, and most shops don't keep any record of credit cards. There's, there's no, so they don't need encryption, they don't need that kind of stuff. Uh, it's just running the credit cards on the machine, on the unit itself. And you're saying make sure you've got a, a separate network. Yeah. Yeah. Easy.

Jimmy Lea: Yeah.

Dan Anthony: Easy setup for whoever's setting your networks up, uh, if Right. If you have somebody coming in to do it. Okay. Uh, and the, I would call it the poor man's method of doing it. I actually do it at my own home for my, uh, uh, 'cause I, I have a work from home job, yeah. Where I took an old router and I plugged that router into my router.

Dan Anthony: At, right. So it creates a sub network that has a firewall. So there's nothing going between anything that's on that second router and your home network or the rest of the wor network. And you can just, right, it's, and that's, that's a great use for an old, old router that you're, that it, that can't be updated because once it's behind your main router, your Comcast router, your Time Warner router, it's.

Dan Anthony: Protecting That's doing. Yeah, that's doing the heavy lifting. You've just got the sec, second one in there to segregate and just say everything payment related. Everything work from home related just happens on this second router, on this network and segregated and

Jimmy Lea: uh Oh wow. It keeps it all separate.

Jimmy Lea: Yeah. And, and I love that, that that is gonna help a lot of shop owners. I, I can already hear the wheels turning in shop owners' heads saying, oh wait, you know what? That, that's something I can do that, that's easy. I can put this on a separate, I've got an extra router. It's in the closet. It's right here.

Jimmy Lea: Let's plug it in. And, and even if you don't, it's less than a hundred bucks. You can get another router. Yeah. And you're good to go. Yeah. Yeah. Most shop owners, most shop owners, they're, they're thinking about cars, customers, cash flow. They're not thinking about hackers, they're not thinking about PCI. Why would they even care about cybersecurity if nothing bad has happened yet?

Dan Anthony: Yet. Yeah. Yeah. That's, uh, I, I ac when I, when I worked for, uh, the State Department of Health, I, I would have some employees who would ask me that same question. They would, they would just say, Dan, I'm a low level employee, right. I'm not a manager. I'm not a director. I don't have access to anything that's, that's that important.

Dan Anthony: And I, I would just say, well, but you have access to the network. You have access too. Right? And it's, that's, that's all, that's all. Any, any of these outside entities want from you? If, if you are a, if you're a small business, if you're running a small shop, uh, you, you might be thinking, well, I, you know, I don't have a lot of cash flow, or I don't have a lot of money in the bank that could be stolen.

Dan Anthony: Uh, I would say, do you, do you have a. What's a, an EIN Do you have a, any social security number that might be flowing over, over any of those networks that somebody might wanna pull loans out in your name? Right? It's, it's not how, how much money you have, it's how much money they can get using your data, whatever, whatever way necessary.

Dan Anthony: Uh, so that's, that, that's one of the reasons I, I, I love, I love this work is right, keeping people safe from as much as possible.

Jimmy Lea: Yeah. Keep the honest people honest. So if you had, if you were, if you were to try and explain cybersecurity to a shop owner, uh, from, and, and, um, this is like an elevator pitch or, or the time it takes to walk from the front door to a bay door, what would you say to a shop owner to help them understand cybersecurity?

Dan Anthony: It's, uh, you're, you're running a race with, with every other, other small business owner. And you don't have to be the best, you don't have to spend the most, uh, you just have to be better than the worst. Right? You don't have to be the fastest person to escape the bear. You just can't be the slowest. Yeah.

Dan Anthony: You gotta be faster than that slow guy. Right? And it's, yeah, cybersecurity's, the, the exact same. Uh, when you're, when, when a, when a thief is, is say, walking through a neighborhood, driving through a neighborhood, they're looking for the easy targets, so. W what I say is don't go out and buy the Fort Knox of deadbolts and, and alarm systems.

Dan Anthony: Don't buy, you know, a one everything if you don't live in an A one neighborhood, otherwise, right? Otherwise, you're gonna make yourself a target, right? You're gonna overspend and you're gonna make yourself a target. Make, make it so that you're just enough, more difficult to deal with that it's not worth the hassle.

Dan Anthony: Okay. Right. Okay. If all, if all your neighbors are spending $20 on deadbolts and you go and spend $50 on one, then probably your place is just not worth the hassle of, of trying to break into. And it's the exact same idea with cybersecurity is there's a lot of people who don't spend any time on it. It's right.

Dan Anthony: They just, they, I, I don't have the time, or it's too complicated. And if, if you spend five minutes, you know, five minutes a week, there's, there's a couple hundred minutes a year that you've spent on it. That it makes you that much more, it gives that perception that, hey, this target's just not gonna be worth it.

Dan Anthony: Right. Why? Why would I go after these guys when, you know, the shop down the road has no protection?

Jimmy Lea: Well, speaking of deadbolts and in, uh, the automotive industry, they will go out and buy. The top tools, the top scanners, the top, whatever that it might be. So what, what kind of systems are, uh, in a shop that are the most at risk, where they might need that sort of an upgrade?

Jimmy Lea: Um, and I'm gonna give you some specific examples. Uh, their, their shop management system, the software, their, uh, emails that they're using, uh, whether it's Gmail or Outlook or QuickBooks or credit card terminals or wifi. Uh, wifi routers. What, what is, what are some of those systems that a shop owner needs to be aware of that they've got, that are at risk inside of their shop immediately?

Dan Anthony: The number one thing that I usually look to defend is anything that's, anything online, anything connected online that can be. That a software program can, that somebody, some kid in Russia and living in his parents' basement is just trying every IP address and running quick scans. So that's the right, and when you, when you install a a Windows machine.

Dan Anthony: First thing it, one of the first things it does is it turns on its own firewall. When you install the router you get from Comcast or Ex or, uh, time Warner, whoever, one of the first things that that does is it hit, it sets up a firewall, right? To, to shut off most of that, those sort of connections. Uh, so. Uh, a lot of that immediately gets covered.

Dan Anthony: But if I have cameras at my shop that I can access online, then I have to open up doors. I have to open up holes in my firewall and it for my app on my phone to be able to touch those cameras from the web right from anywhere if I've got a, you know, badge, uh, card or badge readers saying that. That talk out online.

Dan Anthony: Same idea. Uh, right. So that's, those are the first places I look is anything that's, any internet of thing things. Okay. Those are the bigs. Yeah.

Jimmy Lea: So I'm, I'm hearing the cameras and I, I think a lot of shops do have cameras set up, uh, around their shop and they do monitor it remotely. Um, why? Because that's why we're, we're shop owners.

Jimmy Lea: We want to have that autonomy to be able to be away, to be on the ski slopes or on the golf course, or riding my motorcycle across the country, whatever the scenario is. So I see cameras being, uh, it sounds like an option, but I also have technicians in the bays and these technicians might have an Alexa, um, yeah, Alexa that wants to.

Jimmy Lea: Participate in the conversation or they're playing music. That's what I hear most of them, they're playing music on their Alexas, uh, their little echoes and the little dots and stuff like that. But also technicians have at their bays a computer so they can get online to check with Phi, the Ts, BS the, yeah, the, the difference, uh, Mitchell, uh, all data, when they need assistance in doing a repair, they're gonna get online.

Jimmy Lea: So that terminal. It becomes a target as well, right?

Dan Anthony: Yeah. Yeah. Uh, for, for situations where, where you're gonna have that mix one, uh, if, if you're using wireless per se, I would, I would say yeah, just set up two wirelesses. You have, you have the company wireless. Yeah. And just let 'em know this is corporate, right?

Dan Anthony: Only corporate devices connect. Right. Only the business devices connect to this one. And do you usually have a guest account? And guest?

Jimmy Lea: Okay. Yeah. Yep. So we, as a company, we only connect to the corporate account. It's usually the 5.0

Dan Anthony: right

Jimmy Lea: feed. Yeah. And then we've got a separate one that is our guest account, and it's usually at the 2.4.

Jimmy Lea: It's at the lower, uh, speed. But it doesn't matter. I mean, guests are there for short amount of times. Right. They shouldn't, they're probably streaming movies, but whatever.

Dan Anthony: That's so for me, I would, yeah, I would have at least those two where I would say corporate and only do corporate things on the, on that one.

Dan Anthony: And then if my employees have an Alexa, if they have any, if they have their own phone or whatever that they want to, they want to Facebook on while they're on break or whatever. Connect to the guest network, that's Oh, yeah, totally. Okay. That, that's what it's there for is, yeah. I mean, you could, so where's our

Jimmy Lea: credit card terminal?

Jimmy Lea: Where do we connect that to

Dan Anthony: Personally, I would have that on a wired, on its wired, uh, right wired and on its own, uh, unless I'm in, you know, Wells, Nevada, or, you know, Matis c Wyoming or, you know, some other tiny, tiny place, uh, where I'm not concerned about. About any sort of wireless, anybody, uh, coming in and trying to sniff my wireless traffic or anything like that.

Dan Anthony: If I'm in a big city, then I'm gonna take a lot more precautions with wireless. Uh, as far as right. My guest, my guest wireless network, I'm gonna say, okay, we're gonna want to change that password regularly. And regularly, meaning I I would say at least once a month. Uh,

Jimmy Lea: so are you serious once a month, you're gonna

Dan Anthony: change it?

Dan Anthony: Uh, that's, that's me If I'm in a big city, uh, okay. I would seriously consider it. And it's, it's a risk assessment, right? It's okay's, it's. The, the thing that I'm concerned most about with offering wireless Yeah. Is that somebody is gonna connect to it and they're gonna download something that's illegal, whether that's movies or adult films, or write other things.

Dan Anthony: Sure. That they're gonna download something like that and that's gonna come back to my IP address. Mm. And, and, right. I'm the one who's gonna get the phone call. Mm-hmm. And so. You know, or, or you just shut it off, right? It's 5:00 PM closing time also to, you know, whenever, whenever you get your wifi set up, you just say, no, I want my wifi around here.

Dan Anthony: Shut off too. Uh, so we don't have people, you know, in the parking lot at 2:00 AM using my fast wifi on my guest network to, to do unscrupulous things. Uh,

Jimmy Lea: that is absolutely interesting and fascinating. Uh, I hadn't even considered that. Shutting off your wifi, your guest wifi. Yeah. 'cause the only things on the guest wifi are superfluous.

Jimmy Lea: Alexa. Yeah. Cell phones, blah, blah, blah, blah, blah. Yeah. Or customers that have been in previously. Yeah. So, uh, it shuts off at five. I like that. Well, and, and, and to this point, um. Because many shops think, oh my gosh, we're, we're small. No one cares about us. We're real small. But, but what is the cost of a small shop in real world terms, like lost days, lost data, lost reputation, what does that look like for a small shop?

Jimmy Lea: But, but, and here's the, here's the interesting thing, Dan. They're small shops all across North America. In big cities and small cities. Yeah. Urban and rural, it doesn't matter. Most shops are small shops and small meaning less than 30 employees. It's a small footprint. Yeah. Okay. Talk to me about real world lost cost

Dan Anthony: of, of.

Dan Anthony: Most of the time, and I, I think this is why a lot of folks feel like, it's like, it's not, uh, I admit I'm a hammer, so when I look around, I see nails. Right? But a lot of people just it, right? It's it. They don't know anybody that that's happened to, and they don't think it will happen to them because I'm not Chase, I'm not Wells Fargo, right?

Dan Anthony: I'm not a target. Uh, and it's y you're not. But when a program is just incrementing the each target that it's going after and saying, okay, I am looking after computer number one now on. Comcast's network. Now I'm looking at number two, number three, number four. And it just sits there. And the, the, that's what they do.

Dan Anthony: They, they crawl. And any, anybody who's thinking that through is going, well, why can't Comcast or or Time Warner shut that kind of thing off? And the answer is very easy because that would kill Google. Google does the same thing. They crawl and that's how they get their search results. It's the same sort of thing.

Dan Anthony: They don't do the same scans. But at any rate, to, to, to your question what I mean, what are we looking at? For a lot of people it's just gonna be lost, lost time and effort. Uh, yeah. So is, is it that you left some social media. Logged in, right? Or you clicked a link and they got a hold of your social media account and somebody started posting, you know, Chuck Norris jokes and you know, ha ha, that's great.

Dan Anthony: Uh, you know, everybody loves Chuck Norris jokes. Or is it more serious than that? Where, right, where we mentioned earlier, you have customers start coming in and saying, look, I've got charges being pulled off my card, and the only place I've used it in the last week or two weeks is here. Oh, and right where, where the first person you hear that from, you kind of go, well, yeah, go talk to your bank.

Dan Anthony: They'll help you with that. But when the fifth or 10th person walks through the door and says that you're in trouble, right? That's, yeah. That's, that's, that's where you start sweating and that Yeah. You, you know, real trouble is, uh, is definitely at your doorstep and, uh, how much can it be? It. It can be, it can be thousands, it can be catastrophic.

Dan Anthony: It, right. It just, it just depends. Yeah. And so, uh, a lot of times, especially with, uh, with PCI, where I'm gonna come back around to PCI, so if, if Visa comes in and they're, and they're doing an investigation and they see that no effort has been made. No thought has been put into it. I mean, you're completely non-compliant.

Dan Anthony: No efforts, no anything. You're on a flat network. Everything's plugged into that same network, all shared on the wifi, right? That's most likely in that case, visa is just gonna say, yeah, good luck. Yeah. We're not covering any of those costs from all of the people who got ripped off. In fact, you're gonna cover those costs and you're gonna cover the costs of our forensics team that.

Dan Anthony: As of 10 years ago, it was like a $10,000, just a truck roll was 10 grand for, for visa's forensic teams to show up at. Like it's, and I can only imagine what it's what it is now. Oh yeah. Right. So I mean it, yeah, it can be catastrophic. Most of the time it's right. It's just gonna be somebody posting Chuck Norris jokes.

Dan Anthony: That's, that's what we're gonna see most of the time. But. If you see the Chuck Norris jokes that should be, or, you know, somebody posting something funny or, or whatever on your social media, that really should be the wake up call of, oh, hey, yeah, that's, Hey, that was funny, but also I, I might actually have a problem.

Jimmy Lea: Yeah, no, and, and most often you do have a problem. So how often are you getting those? Oh, crap moments. Uh, something hit the fan. Uh. They, they've definitely hacked me. Um,

Dan Anthony: oh, I've, I mean, you are in the business. I mean, that's just Tuesday for you, but No, no, no, actually, it's, it really isn't. Uh, I've, I've been officially, officially in cyber All we will, we will round it to between 10, 15 years and between all of the, all of the employers that I've been with there, there have been two.

Dan Anthony: Oh wow. Uh, two incidences where I can absolutely, without a doubt, say Oh, oh, yes. Uh, we, we had an a, uh, in, in the industry it's called an incident, right? Yeah. It's not, if it's not as serious as an incident. Right. You can call it an event, but, oh, geez. But yeah, there, there are a couple where, uh, yeah, where it was, it was an official incident and that was, uh.

Dan Anthony: My, my, my boss put it as a, uh, yeah, it's a, that's a, I hope you wore the brown pants today because it's maybe all weak and Yeah. Yeah. When you, when you're that deep in it, it, it's, it is scary. Can be, uh, can be. Oh gosh. And

Jimmy Lea: yeah. Well, let's talk about

Jimmy Lea: some, some simple practical first steps. What is something that.

Jimmy Lea: Or what not. Not even one. Let's talk about three. What are three basic things that shop owners can do this week? What, what should those fixes be?

Dan Anthony: Oh, uh, right outta the gate. Separate. Yeah. Separate accounts is, is one of my right, like I mentioned in the beginning. Right. Separate accounts. Separate accounts

Jimmy Lea: on the same computer,

Dan Anthony: right.

Dan Anthony: Whether it's on the same machine or across, yeah. Everybody has. Own login has, has their own login. Okay. Um, and that's, whether that's your Windows box or whether that's whatever online systems, especially in QuickBooks, anything accounting, right? You want people to have their own username and password.

Dan Anthony: Just, uh, again, not, not to protect from hacking, but just, just so that you have that accountability so that people, your employees and, and anybody who's in QuickBooks knows that they're not anonymous. Mm-hmm. Uh. Th so outta the gate. Yeah, that's separate accounts. Uh, just, just for that tracking. Second is passwords.

Dan Anthony: Uh, I, I'm a big proponent of use a password manager. They, if you're, if you're a small shop, 10 people, 20 people, that sort of a thing. A lot of times you can get a, a company license for a, for a decent password manager for one 200 bucks a year. Oh wow. And suddenly Yeah. That's,

Jimmy Lea: that's very,

Dan Anthony: yeah. It's, it's reasonable.

Dan Anthony: It's easy. It's, it's very, a lot of times, so for my, for my part, I, I, when I say I wanna see 30 character complex passwords on everything, which I can say I, I do at least 30 characters on all of mine because I have a password manager, and it takes care of all of that. Uh, and, and once you have ridiculous, crazy long passwords like that.

Dan Anthony: Uh, that's, that's where I can step back and say, okay, the bonus is now. I would, I would throw out that you only need to change those once a year. Okay. And you don't have to remember in the first place, but also, you know, during a slow time of the year if you have such a thing. That's, that's a great time to tell your people.

Dan Anthony: Okay. Go in. It's time to change passwords.

Jimmy Lea: Got it, got it. Alright, so separate logins,

Dan Anthony: password, separate logs, savers

Jimmy Lea: and passwords. All right. What? Gimme a third one.

Dan Anthony: Third, third, third, third. Uh, I'll, I'll go back to that network setup. I would absolutely have a se a separate Yep. A, a completely separate network segment for everything.

Dan Anthony: Payment related. Uh, yeah, just, just for PCI.

Jimmy Lea: I love it. I love it. That, that's good. So you're recommending, uh, uh, password savers. If, if, uh, if a shop were not to be doing password savers, what would be a good, uh, outline or a good guideline for, I mean, they're not gonna remember 30 characters,

Dan Anthony: right? That's, uh, I, I love, uh.

Dan Anthony: What are they? Uh, the word just left me pass phrases. Mm. So it's, it's the sort of, it's the sort of thing that you can write out almost a story and a password. Yeah, it is like a sentence. My parents met under the starry sky sort of a thing, or, oh, wow. My, you know, my parents met under the starry sky. One exclamation point.

Dan Anthony: Right. Yeah, great password because it's stupid long and horrible because I just posted it online for anybody who listens to this podcast,

Jimmy Lea: nobody's gonna do that one. It is like the guy that has 1, 2, 3, 4 is his password. No, nobody, yeah, they just don't do that.

Dan Anthony: Okay. They do. Yeah. Unfortunately people still do that, and so that's, yeah.

Dan Anthony: Yeah. Don't do that. But yeah, use the password manager and. If you don't have one or you can't, again, it comes right back to risk assessment. Uh, if you're, if you're a big shop, if you're, if you're a shop in a big city, right? Where there's lots of walk bys, lot of foot traffic, uh, day and night, uh, that's where I'm gonna say absolutely, positively come down hard on anybody who writes down a, a password on a post-it.

Dan Anthony: And sticks it on their monitor or under their keyboard or under their mouse pad, or sticks their wallet in the end of their shoes at the beach. Right? These are the things, danger, right? These are the things we all think we're so clever, but, but if you're in a, if you're in a small shop in the middle of nowhere, you know, West Virginia or a small shop in the middle of nothing, Kansas, Kentucky, anywhere like that, if you have a book that has passwords written down in it.

Dan Anthony: You keep in a safe, I've, I would kind of say, you know, you don't have a lot of foot traffic. I can't, I can't say I'd fault you for that. Uh, because the, the biggest problem is gonna be somebody walking away with it. And if you don't have that traffic, uh, I would say there's probably other things you can do that would be, that would give you a better return on your time.

Jimmy Lea: Yeah. Yeah. Okay. Uh, most shops don't have the nuclear codes. They don't have credit cards. That's on file. What about multifactor authentication? Uh, MFA for short is, is it, does it matter? Should shops

Dan Anthony: skip it? I, yeah, I, I recommend it and use it, use it as much as possible. I will throw out that there, there are, there are different, uh, there are different tiers.

Dan Anthony: There are different types of MFA. If you have an app. On your phone or one of those little kind of key fobs that sits on your key ring. Those are great. Uh, you know, top tier s tier the kids would call it these days. That's, that's s tier. It's, it's, that's the, that, those are the ones we want. Then there are other ones that are where you get texted that code.

Dan Anthony: Just, just on your phone. And that one tends to be quite a bit less secure. Oh, really? Only for the reason that, uh, that cell phone companies tend to still tend to let just about anybody phone in and make changes on people's accounts.

Jimmy Lea: Hmm.

Dan Anthony: Uh, even if you've set up a pin with them, even if you've set up a code, there's a really great video on YouTube at a, uh, at one of the Def Con Hacking Conferences where a social hacker, uh, uh, a reporter walks up to a social engineering hacker and she says, well, give me five minutes.

Dan Anthony: I will have full access to everything on your cell phone plan, and all she does is she calls the company's customer service, and then on her computer, she starts a YouTube video of a crying baby. And she puts that next to the phone as she, and she's just saying, oh no, I know. I'm sorry. I'm not listed on the account.

Dan Anthony: But we've been living together for five years and he's probably just never got to it. And this baby is going crazy. And right just through, just through a YouTube video of a baby crying, she's able to social engineer her way through. Within just a couple minutes, she has full access to everything on this guy's account.

Dan Anthony: She's able to change numbers, she's able to write, add, and remove phones. And so at that point, anybody who does that can add a new number or change numbers, things like that. And suddenly any two factor that's being sent as a text message is gonna go to them too. Yikes. Oh, that's

Jimmy Lea: scary dude.

Dan Anthony: So yeah, the apps, the apps are great.

Dan Anthony: The, uh, Yuba keys are a favorite. Uh, but yeah, an app. What's a Yuba key? Uh, it's, it's another one of those little key fobs. Oh, okay. But it also has a, uh, a lot of times they, they will plug into a USB port and some of their higher models also make you put a finger on there. To give a little, gives a little resistance, a little electrical resistance, so it's something that cannot be done remotely.

Dan Anthony: Oh wow. Right. It's the sort of thing where you plug it in and you have to be at the machine because you're, you're providing that it's, it's an extra, but yeah. If, if, if you're into the tech and you want extra uuv key's worth checking out.

Jimmy Lea: Oh, wow.

Dan Anthony: Okay.

Jimmy Lea: Well, uh, bringing it back down to, uh, emails, because that seems to be a, a, a common way for hackers to get in.

Dan Anthony: Yeah.

Jimmy Lea: What are some of the most common mistakes or scams or phishing emails that you're seeing hitting small businesses right now?

Dan Anthony: Uh, shoot, every, everybody knows about the Nigerian prints. Uh, yeah, we do. Right. So I, but I still love bringing it up because that one's still effective in 2025. Uh, no way. And a lot of people look at it and go, man, you're either dumb or you're desperate.

Dan Anthony: And yeah. That's, those are the people it works on. Uh, mostly the desperate, uh, but the, the, the compromises that I'm seeing. Are, uh oh wait. Almost always intelligence gathering. Uh, so you're, so you're getting an email and it's from somebody that you know, right? It's some, it's from another, somebody from another company that you've worked with, something like that.

Dan Anthony: And, uh, this, this one, I, I just saw a couple years ago, uh, a lady in a, in loans, I think it was one of the loan departments. Mortgage. Yeah. Uh, not mortgage, but in, in, uh, it was one of the. Uh, yeah, personal loans, type

Jimmy Lea: of deal.

Dan Anthony: Loans. At any rate, she got an email from a, someone she had worked with prior, uh, a city employee, and he said, Hey, we've got this RFP out, I've attached the PDF.

Dan Anthony: So she opened it and she goes through and she starts filling it out. But then she called me and she said, look. Everything about this is normal. I work with this guy regularly. He sends me these RFPs regularly, but inside this PDF, there are two lines in here that are, that have no business being here, and so just her gut was saying this, this is not right.

Dan Anthony: I told her, I just said, yeah, I can, I can, I can scan 'em. And so, you know, I scan the email, I scan the PDF, and there there's nothing, there's nothing technically wrong with those. And so I, I called her back and I just said, you know, if you, how well do you know the guy? She says, you know, pretty well, we've worked on a few projects.

Dan Anthony: I said, best thing you can do is call him ten second phone call. Hey, did you send this email? Why do you need, you know, why do you need this? You know, you don't have to, you, you don't have to be confrontational. Just, Hey, did you, did you send this, this? It's got some new forms. There were changes in there.

Dan Anthony: And 30 seconds later she was telling him she was the method of informing him at the city that the city's email system had been compromised. Oh, wow. And. Uh, right. So I I love the 32nd phone call. Oh, yeah. As, as a security, because how, how often are we getting completely outta the blue emails from strangers versus most of the work we're doing over email, like 80% of the work we're doing is with people we already know.

Dan Anthony: So. If the, there's that gut check. If something looks wrong, feels wrong. I mean, you can, you, you do all the usual checks of, you know, you look at the links and you hover for a second, and if you're seeing weird stuff, yeah, there's, there's a lot of that misspellings, grammar, uh, you know, things like that. But, uh, yeah, the, the gut check and the 32nd phone call is absolutely my favorite.

Jimmy Lea: I've gotten that. I've gotten that. RFP, uh, in fact, do you know, do you know Watt.

Dan Anthony: I do not.

Jimmy Lea: Dino is in our chapter, the Mountain West National Speakers Association. Oh, alright. So Dino sent out a, an email, but it wasn't him. He was hacked and I called him and I was like, dude, are you putting on some sort of a summit meeting or what?

Jimmy Lea: What's going on? He's like, dude, I got hacked, man. Don't fill it out. Don't open it. Well, I already opened it. I already looked at the PDF.

Jimmy Lea: Yeah, I just deleted

Jimmy Lea: it all. You know, the other one that I've seen too happening here quite recently is. An email goes out and it says, uh, we're trying to update our accounting software and we lost everything.

Jimmy Lea: Yeah. How much do I owe you? What do I owe you? What's the invoice number? Send me all this information. Yeah. And it's like, oh my God, no. The total scammy. The other third one that I've seen, and it's happened a lot, is I'll get an email from Cecil Bullard saying, Hey Jimmy, I need you to do me a quick thing.

Jimmy Lea: I'm in a meeting. Uh, can you run down to the store and get a couple of gift cards and send 'em out to x, Y, z? Right.

Dan Anthony: Yeah. Anytime gift cards are involved. Yeah, you can, you can just about, just about, it's 99.99. Nine nine. I don't have enough nines memorized. Nope. Percent of the time that Yeah. It's too infinity.

Dan Anthony: Yeah. But yeah, the, it's, yeah. Again, the 32nd phone call. Hey, we're updating our software. Hey, we're, uh, yeah. I mean, a surprising scam that continues to work is the, uh, the, just the out of the blue invoice. Yeah.

Jimmy Lea: Yeah, that's, oh dude. Yeah. I got one from I, we were at sema. We were at sema, and I'm getting this email and I'm going, this is from Freeman for the power, but this is so sketch, this looks so right.

Jimmy Lea: They didn't spell our name right. They didn't use the proper name of our business. Da da da da da da. Yeah. I really don't believe this. So I ignored it and I was like, Nope, not gonna answer. It comes again. Nope, not gonna answer it. The woman came to us, the booth at SEMA and was like, Hey, you guys still owe us $227.

Jimmy Lea: Oh, that's a real one. I totally thought it was fake. I totally dismissed it as spam because there's no way there's, it looks so sketched, dude.

Jimmy Lea: Yeah. That's so, even the real thing can

Dan Anthony: look sketchy and Absolutely. Yeah. That's, yeah. The phone call, that's right. Back to the, yeah. You, you, uh, the phone call, the gut check.

Jimmy Lea: You gotta make sure you're listening to. Your spidey senses and, and that you're paying attention to what's going on. Yeah, yeah, yeah, yeah. You can't fault a 32nd phone call. Alright, so, um, let's talk about this from a, a shop owner's point of view. How can they train their teams on these cyber threats without killing them and boring them to death?

Jimmy Lea: PowerPoint them to death? You know, how do we, how do we not kill the team and, and still convey the message,

Dan Anthony: uh, for, for, uh. I, I used to do those sorts of trainings and I, I kind of hate myself for it, for ever taking part in any, any security cyber training over an hour because I, I know I'm the only person in the room who loved it that much.

Dan Anthony: Uh, for my part, I, I suggest frequent and, and short. If you do five minute, 10 minute. Yeah. Stand up. Yeah. Uh, my, one of my favorite trainings with the previous employer was a, uh, uh, once a week I would send out an email that I worked my tail off to make sure was never longer than two paragraphs. I wanted it to be one, right.

Dan Anthony: I wanted it to be something that was 30 seconds, maybe 45 people could read real quick and say, yep. There, you know, there's a good reminder. Got it. Boom. Uh, the, the second part of that is if, if you hear somebody suggesting 30 character long passwords, right. That's. That's rough if you don't have a password manager or if you don't have a passwordless solution where you can, you know, do a, a, a facial recognition or a fingerprint or something like that, which surprisingly, uh, is, is getting more like you can get a $15 fingerprint reader at Walmart, things like that, where you make it easy.

Dan Anthony: Yeah. Where you don't have to do a 30, uh, huge password because all we have to do is, uh, on one my laptops. That's biometrics. Yeah. I swipe my finger and it logs me in. Nice. And, and that's it. It's great. Uh, so yeah, I would say if, if you want great security, uh, skip the training as much as you can and just make it, make it something that's easy and part of the workflow so that your, your people don't even, right, they're worried about fixing cars.

Dan Anthony: Leave, let 'em be worried about fixing. You know, why? Wondering why that radiator or why that, uh, alternator just fell out. Well, it fell out 'cause you didn't tighten the bolts dummy. But, uh, I may or may not have had that experience with an alternator once. I will neither confirm nor deny.

Jimmy Lea: Oh, you're such a straight shade tree mechanic.

Jimmy Lea: You are working on your own stuff. It does happen. No, no, no. So let's bring this back here into, um, into cybersecurity and, and, and, yeah. I wanna look at like a, um, we talk about backups, we talk about recovery. We talk about what is your SOP for the bad day plan. Yeah. Perhaps hit the fan. Do we have a backup?

Jimmy Lea: How does the shop know if they're actually having a backup?

Dan Anthony: Uh, if, if you're, if you're, if, let's say you've got QuickBooks, if your QuickBooks is hosted. On your computer versus is it hosted online? That's the pertinent question. Uh, so if you have apps that are host, if you have a server in your office, yeah.

Dan Anthony: Tho those backups are, I would do those frequently and check them to make sure they work at least, you know, once or twice a year, make sure your backups work alternately, if you're, if you're in a QuickBooks Online. Right. Or if you're, if, uh, I've. I hesitate to say, put all of your, use all of the web versions of whatever software you can, uh, just because it's less control.

Dan Anthony: And I, I, I like having control. But if you push everything off to those web versions, then they have to worry about the backups and they have to worry about the compliance, and they have to worry about fail safes. And if your computer goes down. It's, Hey, hey, Jimmy, run down to Best Buy. Here's the credit card.

Dan Anthony: Right? He goes, buys a new laptop, you plunk it down and everything's online. So all I gotta do is log back in and we're right, we're right back up and running. So there's definitely pros and cons, uh, to, to both methods. Uh,

Jimmy Lea: yeah. But, and what I, what I do, and I'm, I'm holding up my external hard drive. It's a, yeah.

Jimmy Lea: Two terabyte or 10 terabytes, something like that. It's ginormous. Every Friday I plug that sucker in and let it run

Dan Anthony: and back up.

Jimmy Lea: Does its back up over the weekend, however long it takes. I don't care. It does its thing and, and that way, if ever poop hits the fan, I've, I can run to Best Buy, get another computer.

Jimmy Lea: I have this that has all of the physical stuff on it, but then I also have a computer with all my cloud-based stuff.

Dan Anthony: Perfect. Yeah. And that's, that's great. I, the only, the only addition or addendum I would throw on that is where you store that drive matters, right? If you're storing that drive in a fire safe right inside your shop, oh no, it's on my desk, right?

Dan Anthony: And your shop burns down your toast, right? Yeah, yeah. You lost your computers and even if it's in a fire safe, most likely it's gonna wreck. Any data drives inside a fire safe. So yeah. If, if you've got backups like that, it's always a good idea to make sure your backups are, if Yeah, you plug it in, you do it, and then get it off of that, you know, out of that site.

Dan Anthony: Whether it's out of the property. Yeah. Whether it's an earthquake, a fire, a, a flood, whatever you Yeah. You just want to, yeah. I got some separation. And if you're doing that, yeah. Make sure those backups are, are encrypted. Right. So nobody else can just, you know, find your backup and then have all the keys to your, to your business.

Jimmy Lea: Yep. Plug and play. They would just be right in on everything. Oh my gosh. Well, I hadn't even considered that. Take it away from the shop, which, I mean, there, there's a whole nother challenge. 'cause that's when you got 48 hours that that backup is running and it's available. And if somebody breaks into your shop.

Jimmy Lea: They grab that backup. They've got all the data, all the information, all, yeah. So if you're not encrypted, then if you're not password protected, they can plug and play, and now they've got everything. Oh, gosh. All right. Well, thank you that that was, that was a good one even for me. I, I like that one.

Dan Anthony: It's fun.

Dan Anthony: It's, it's, it's a fun thing to think about, theoretically. It's not fun when it's happening in real life.

Jimmy Lea: Yeah, yeah, yeah. Well, and you know, I mean, here we are talking about backups and recovery. I want to di dive into that deeper, but, uh, we're, we're running to the end of our hour here. I, and we didn't even get into wifi and devices and vendors and, and talking about those types of things.

Jimmy Lea: I mean, shoot, we're gonna have to circle back and do this again, Dan.

Dan Anthony: There is so much that it, and it touches on everything. Oh, yeah's, budgets,

Jimmy Lea: priorities. What's the non-negotiables? What are the nice halves? Yeah. What's the must-haves? We, we didn't even get into any of that.

Dan Anthony: There's all sorts of great stuff.

Jimmy Lea: All right, so we will circle the wagons. We'll do this again, but I want to hit you with a couple rapid fire lightning questions. Bring it on. This is meant for you to answer in short one sentence answers. Are you ready?

Dan Anthony: As best I can. All

Jimmy Lea: right. What makes the single easiest cyber mistake small shops make every day?

Dan Anthony: Uh, ly. Uh, I would passwords, I'll go with passwords that they're, they're either shared or they're shared or reused or just, just not monitored at all.

Jimmy Lea: Yeah. Well, and I liked your, uh, one about the credit cards, credit card separation machine being on the same Yeah. You gotta separate. Yeah, separate. Yeah.

Jimmy Lea: Strong password or multifactor authentication. If you could only pick one, which one wins?

Dan Anthony: Oh, don't do that to me. Uh, I'd probably go with the cyber community is gonna kick me out, but I would go with strong password. Uh, I've, yeah. I can hear the hate mail

Jimmy Lea: coming already. Right. Okay. Biggest wrong password flag?

Jimmy Lea: Yeah. Biggest red flag in an email that says, do not click me. Urgency. Ooh. Yeah. Yes. Okay. How often should a small shop change critical passwords? Uh, 30, 60, or 90, or one every year.

Dan Anthony: If, shoot, that's not a one. Ans it's not a one question, one, one word answer. If it's like a 10 character password. Uh, yeah.

Dan Anthony: Change it every 30 to every 45, 90 days. Uh, if it's like 30 characters plus once a year. Got it.

Jimmy Lea: More dangerous in your opinion? Uh, public wifis or reusable passwords.

Dan Anthony: Uh, reuse passwords.

Jimmy Lea: On a scale of one to 10, how risky is it to share one login for the whole front office?

Dan Anthony: Do you do background checks for your employees?

Jimmy Lea: Um, yes and usually. It happens after they have already started. Yep.

Dan Anthony: How much do you trust your people? That's, yeah. Wow. You know? Yeah. How much, I mean, are they, are they in debt? Can they be leveraged? Uh, yeah. Ouch.

Jimmy Lea: Yeah, I know a lot of horror stories, unfortunately about that one. Yeah. Alright. If a shop owner can only secure one thing this week, what is it?

Jimmy Lea: Email, wifi, or backups, where do they start?

Dan Anthony: Oh, email. It's, it's the most connected. That's WiFi's. Localized backups are local. Should be localized generally. Yeah. Yeah. We e email's. The most connected, the most online. So I'd start there.

Jimmy Lea: What cybersecurity tool or feature would you wish every shop turned on today?

Dan Anthony: Uh, password manager. Right. I told you everything was gonna come back to passwords, and it's, I, it does. I hate how much it does. I hate how much it does.

Jimmy Lea: All right. Fill in the blank. If you don't have this in place, it's not a matter of if you'll be hit, but when, if you don't have this in place, it's not a matter of if, it's a matter of when.

Dan Anthony: Yeah. Good, good. Uh, password hygiene. Mm. Right. If your people are never changing their passwords, they're probably also reusing them. Uh, yeah.

Jimmy Lea: That sort of thing. What's your one word reaction when a shop owner says, we're too small for hackers to care about us.

Dan Anthony: Wrong?

Dan Anthony: Mine was idiot. Yeah, lull. Yeah. No, it's Lowell. Lowell. LOL, right? Yeah. It's no if, if you have money or you have credit.

Jimmy Lea: If you have information. Yeah, and that's what we have.

Dan Anthony: And any of that, anything, anything valuable is a target.

Jimmy Lea: Oh man. Dan, thank you so much, brother. I really appreciate being able to talk with you.

Jimmy Lea: Uh, if people need to reach you, reach out to you, how, how can they contact you? What's the best way for them to get in touch with Dan Anthony?

Dan Anthony: Uh, easy to, uh, just, uh, throw me an email just [email protected]. It's all spelled normally. Uh, or, or you can, I mean, you can throw me a message at my website.

Dan Anthony: That's, uh, dan anthony speaker.com. Uh, there's a little message for him on there, but yeah, either one of those. Is, uh, is a great way to, uh, get ahold of me and I'm, I'm happy to chat.

Jimmy Lea: Oh, I love it. Love it. Appreciate it Dan. Thank you very much and thank you to you and your knowledge and information and to the automotive aftermarket.

Jimmy Lea: Thank you for keeping us on the go. On the Move Safe and sound. Not only does that apply to you, Dan, that also applies to everyone that is in the automotive aftermarket. Thank you for all you do. You're awesome. Thank you. Alright brother. Talk to you real soon. Thank you.

Dan Anthony: Thanks, Jimmy.