The Site Shed
The Site Shed is a global podcast for tradies and trade-based business owners, designed to educate and inform around the topics that matter most in running a business.
Hosted by former plumber and digital agency owner Matt Jones, the podcast covers real-world conversations on apprenticeships, marketing, systems, technology, hiring, leadership, and more — all tailored to the trades.
Each episode features practical insights, honest lessons, and expert guests from across the industry. Whether you're a plumber, builder, electrician, landscaper, or any hands-on business owner, you'll find ideas and experiences you can apply straight away.
If you're ready to work smarter, not harder, The Site Shed offers tools, ideas, and perspectives to help your business move forward.
Stop Online Scams Before They Hit Your Business | feat. Ronnie Manning | Ep. 476
👉 FREE tools, templates & resources for tradies: https://tradie.wiki/pod
In this 476th episode of The Site Shed, Matt Jones sits down with cybersecurity expert Ronnie Manning, Chief Brand Advocate at Yubico, to dive deep into best practices for protecting trade-based businesses and contractors like you in the digital age.
Discover the real risks of password reuse, why two-factor (2FA) and multi-factor authentication (MFA) are a MUST for your team, and how passkeys and physical security keys are shaping the future of online security.
Key Chapters:
00:00 – Teaser
01:20 – What Yubico does & why authentication keys matter
02:35 – How hackers get into business accounts through admin access
04:18 – MFA, 2FA and the evolution of authentication
05:36 – Passkeys explained: the strongest form of login security
06:03 – How physical YubiKeys work in real life
12:04 – The most common cyber breach scenarios for SMBs
17:43 – Why password managers are essential for every business
25:12 – MFA as the “seat belt” of cybersecurity
31:27 – New global data: Gen Z most likely to fall for phishing
You'll learn:
✔ Why using the same password for everything is dangerous, and what to do instead
✔ How password managers can simplify your digital life while boosting security
✔ The evolution of authentication: From SMS codes to passkeys and physical security keys like YubiKey
✔ What “phishing-resistant authentication” actually means, and why it matters
✔ How to protect your business accounts from hackers, even in collaborative teams
✔ Browser and VPN tips to keep your data safe (especially when traveling or working remotely)
✔ Real-world stories, practical policies, and step-by-step strategies for small businesses
📲 Listen On The Go! https://tradie.wiki/listen
CONNECT WITH YUBICO
Website: https://www.yubico.com
YouTube: https://www.youtube.com/@UCqkvjt06Q4hejDEo5PZt6zg
Instagram: https://www.instagram.com/yubico/
LinkedIn: https://www.linkedin.com/company/yubico/
Facebook: https://www.facebook.com/Yubikey
CONNECT WITH RONNIE MANNING:
LinkedIn: https://www.linkedin.com/in/ronniemanning/
Instagram: https://www.instagram.com/ronniemanning/
Your Next Step:
Join Tradie Academy, our free community packed with templates, checklists, and resources shared by podcast guests, coaches, and successful tradies.
👉 Join free and grab your next growth tool here: https://tradie.wiki/pod
Follow The Site Shed:
- Facebook: The Site Shed
- Instagram: @thesiteshed
- LinkedIn: Matt Jones
- Website: thesiteshed.com
- YouTube: @TheSiteShed
If you enjoyed this podcast and this series, please take 5 to leave us a review:
⭐ https://lovethepodcast.com/TheSiteShed
Love the audio version of this podcast? Subscribe to the link below:
⭐ https://followthepodcast.com/TheSiteShed
[ 0:00 ] When you look at at social media platforms in themselves, I mean that is for a small
organization.
[ 0:04 ] That is your advertising.
[ 0:06 ] That is your brand.
[ 0:07 ] That is how you're speaking to people.
[ 0:08 ] So ensuring that you have the the security set up there to make sure that someone can't
get in is imperative.
[ 0:13 ] It's not a nice to have.
[ 0:15 ] It's a must have, right?
[ 0:15 ] You want to make sure AI is really increasing the scale and the ability to personalize and
the ability to to make it look like it's coming from a legit place or look legit or even build a build
a form or a site.
[ 0:25 ] In those ways, what scammers are trying to do is to get a quick sort of emotional
response out of you that you're going to go, "Oh gosh, I have to act on this quickly."
[ 0:33 ] It's really important to think before you click or think before you give information over
because, you know, if you do that, it can be really bad.
[ 0:42 ] Ronnie Manning is the chief brand advocate at Yubico with over 20 years of experience in
PR and marketing, driving technology launches and brand growth at companies like Raytheon,
Websense, and Edelman.
[ 1:00 ] Ronnie, welcome to The Site Shed Podcast.
[ 1:03 ] Thank you very much.
[ 1:03 ] Great to be here.
[ 1:04 ] All the way from San Diego, California.
[ 1:08 ] Yes, sir.
[ 1:09 ] Tell me a little bit about who you are, what you do.
[ 1:11 ] Uh my name is Ronnie Manning.
[ 1:12 ] I'm the chief brand advocate at Yubico.
[ 1:14 ] I've actually been with Yubico for about 12 years now.
[ 1:20 ] Um so I've been uh when the company first started uh to now we're um a global
enterprise and and what we do is we provide authentication security uh in the form of a hardware
key.
[ 1:32 ] This is really what we came to market with.
[ 1:35 ] Um it's uh used globally as I said some of the biggest organizations in the world all the
way down to individuals.
[ 1:40 ] But myself uh I've been on the marketing side of Yubico but uh right now I'm I'm
enjoying having this conversation.
[ 1:49 ] Um, so we're talk we're here today to talk about cyber security and I got I suppose just
general digital security for uh trade-based businesses and contractors.
[ 2:00 ] Um definitely keen to unpack some of these things and I definitely have some insight as
well on some issues that we've had as a marketing agency where you know we've as a result had,
you know, client accounts, Facebook accounts be compromised due to right issues with, you
know, hackers getting in through unsecured personal accounts and all this kind of carry on.
[ 2:21 ] So, um, yeah, I definitely think not.
[ 2:27 ] No.
[ 2:27 ] And it's it's a very like there's just layers of security that you got to keep stacking on to
prevent those kind of things.
[ 2:34 ] So, I may as well talk about it now.
[ 2:35 ] Like, we've had situations within our own business and within clients businesses where
they haven't had their own um two-factor authentication set up on their personal account and as
because they're administrators to their business account.
[ 2:48 ] uh hackers got in on their personal account, got into access their business account and
their ad manager account and basically just started running all these spam ads to god knows
what.
[ 2:59 ] Um, stuff like stuff like that happened has happened quite quite a few times.
[ 3:04 ] So, we're constantly having to have that conversation with clients about even on
boarding, make sure they have two factor authentications and anything they've got a credit card
on basically um just to prevent I mean I say prevent to mitigate issues like that happening.
[ 3:19 ] Yeah, that's that's I mean you're giving them the the correct advice.
[ 3:22 ] I mean when you look at at social media platforms in themselves I mean that is for a
small organization that is your advertising that is your brand that is how you're speaking to
people.
[ 3:34 ] So ensuring that you have the the security set up there to make sure that someone can't
get in is imperative.
[ 3:39 ] It's it's not it's not a nice to have.
[ 3:41 ] It's a must to have, right?
[ 3:42 ] You want to make sure that you're doing all you can.
[ 3:44 ] The good thing is that all of these social platforms over the years have really put um the
mechanisms in place to allow people to easily set up multifactor or two-factor authentication for
those accounts.
[ 3:58 ] Um, you know, it's it's and and they've really advanced.
[ 4:01 ] I can kind of I can kind of talk about um the state of authentication and and security and
kind of where where I've seen it go because this kind of plays really importantly into into uh into
into social media and what they're providing.
[ 4:18 ] So there there's multiple forms of MFA of 2FA.
[ 4:21 ] Uh you can set up a phone number, SMS like in the older days it was those OTP codes
that you would get from like a RSA security fob.
[ 4:30 ] It would be a time-based code that would go through, you'd try and log in and then that
would prompt you and you would basically enter that pin and go in.
[ 4:37 ] There's other mechanisms that have kind of followed that.
[ 4:40 ] Um, one of the things that um we did along with Google back in 2012 actually was
introduce um something that's called FIDO Universal Second Factor.
[ 4:53 ] And really what this was is this went away from the need for those OTP codes and all
those to allow for login which has now become a terminology called passkeys.
[ 5:03 ] Uh I'm not sure if you maybe gone to a site and something may have popped up and said
do you want to install a passkey but a passkey is a uh basically a key pair.
[ 5:13 ] Um as opposed to that that code it's a key pair that says okay I'll use Facebook as an
example because they support them.
[ 5:21 ] they have a public key, then there's a private key that can sit uh either on something like
a security key or it can sit on a phone, it can sit on the desktop itself that will allow you to
securely log in and and really kind of eliminate that password all by itself.
[ 5:36 ] So, Facebook uh supports these passkeys.
[ 5:38 ] Uh Twitter supports these passkeys, other social platforms support them as well.
[ 5:44 ] And right now, that's really considered that that highest level of security.
[ 5:48 ] Uh it's actually considered phishing resistant uh authentication.
[ 5:54 ] So it's actual it's a physical device like the one you had in your hand a minute ago.
[ 5:58 ] That's that's one of the ways that you're able to do it.
[ 6:00 ] So yes, what what we what we have is a YubiKey.
[ 6:03 ] This is a physical security key here.
[ 6:05 ] So uh really the value with these is that it's not connected to a machine.
[ 6:09 ] It's not online all the time.
[ 6:11 ] Um these are purpose-built for authentication.
[ 6:15 ] So when if I'm I'll just use this as an example.
[ 6:17 ] when I'm logging into my Facebook account and it'll actually prompt me to uh touch my
key.
[ 6:24 ] Uh when I touch my key, that will send that credential and that'll log me in.
[ 6:28 ] Why that's considered phishing resistant is because there's no code that I could give away.
[ 6:33 ] So if someone were to say, I want to try and get into that Facebook account or that other
social account, um there's nothing that can be given.
[ 6:41 ] I wouldn't be able to say, "Okay, here's that six-digit code that that I just got on my app
or on my phone or the SMS."
[ 6:48 ] Uh, so they work in security keys.
[ 6:50 ] Now, there's there's um there's kind of two forms of passkeys.
[ 6:54 ] There's device-bound, which resides on on something like a physical key, and then
multi-device, which can be on your phone as well.
[ 7:01 ] So, that may pop up and it'll say, do you want to create a passkey here?
[ 7:04 ] Or if you're using a password manager on your uh computer, it could pop up and say, do
you want to store a passkey here?
[ 7:10 ] But the good thing is to have multiple passkeys stored for for each one so that you're not
uh logging yourself out.
[ 7:16 ] Now this is a newer uh technology so it's not kind of across the board.
[ 7:21 ] Um so with some platforms and services you know you still uh would set up the best you
can which could either be like an authenticator app or or like SMS code.
[ 7:33 ] So yeah, I mean I think most most of the listeners and viewers out there would be
familiar to a degree with like authenticator apps, Google authenticator, ory, these kind of things.
[ 7:43 ] Um which which we actually also use and promote.
[ 7:49 ] Um the so the the passkey is an additional layer to that or it replaces that?
[ 7:54 ] It actually replaces it.
[ 7:55 ] So if if you're thinking let's I'll just do kind of like a scale of of trust and authentication.
[ 8:01 ] you know, at the bottom would be a password.
[ 8:03 ] That's kind of the weakest form.
[ 8:06 ] As you move up, uh there would be SMS codes, there would be others.
[ 8:09 ] And when you get to to the very top, that's where passkeys and and it's called FIDO2, uh is
actually the the technical term for the the authentication uh uh the authentication standard, but
that's that's considered the highest.
[ 8:23 ] It's the most modern.
[ 8:24 ] It's basically uh replicating a smart card for uh web use.
[ 8:30 ] Um, but where the real value and the real power is is that you're able to remove the
dependency on passwords altogether and do the entire login flow based on that passkey
credential to be able to log you in.
[ 8:42 ] Like I I just like Twitter just um if you're using uh or X I should say they actually just
came out there's been a bunch of stories that have that have gone out that if you are using a
security key or passkey you actually need to reinstall that.
[ 8:56 ] And and people didn't understand why.
[ 8:58 ] The reason why is because they are going to kind of kill the the the twitter.com domain
and move everything to X.
[ 9:05 ] So you had to go in, you had to repress the key and that that'll reset it up.
[ 9:08 ] But there is going to essentially remove the password in that flow.
[ 9:13 ] So is how is this different from say iPhone's facial recognition or thumbprint or something
along those lines.
[ 9:21 ] So So if if I'm using it, it depends where it is in the login process.
[ 9:26 ] Um, so a lot of times, um, when you're logging into an app on a phone for the first time,
you put in your username and password, maybe you get that authentication token to be able to
get in to remain trusted.
[ 9:38 ] Then the next time uh, that you'd be able to get in, you can press your thumbprint and that
will automatically log you into the application.
[ 9:45 ] So where this is a little different is this is protecting the account from external attacks.
[ 9:51 ] This is protecting the account.
[ 9:52 ] If someone were to get your login credentials, they wouldn't have that passkey.
[ 9:57 ] They wouldn't have that physical key to be able to log in.
[ 10:00 ] You know, the the the uh touch on the phone to be able to get in really is a convenience
factor because you're already logged in.
[ 10:06 ] That's kind of logging you into the the app again.
[ 10:10 ] So, how would this work in scenar like collaborative scenarios?
[ 10:14 ] So, you know, for context, if we've, you know, we've got a lot of within within within
my business, we've got a lot of a lot of team members in different locations that we share two
factor authentication um things on their phone with, so they can access various tools and things
like that.
[ 10:30 ] How would that work with a physical thingy?
[ 10:34 ] Oh, yeah.
[ 10:35 ] So if if I mean if we're talking about the physical key side of things, it it is
recommended that each individual has their own physical key.
[ 10:44 ] Um think of it just like a house or car key.
[ 10:47 ] This is going to be the key to those accounts and and and such.
[ 10:50 ] What if you lose it?
[ 10:52 ] That's I was waiting for that question to come.
[ 10:54 ] So that that's the uh that's why the redundancy is very good.
[ 10:58 ] You know, we we recommend if you're if you're really going all in on security keys,
you have multiple.
[ 11:04 ] So you have a primary, you have a backup.
[ 11:05 ] But one of the great things about passkeys and kind of their evolution now is that there
are the device-bound side and then there is the the multi-device side.
[ 11:15 ] So you can actually have uh one set up here.
[ 11:19 ] I could have one set up on my phone.
[ 11:21 ] I could have one set up in my password manager.
[ 11:23 ] That way I have kind of multiple ways to be able to to get in.
[ 11:26 ] But but you would want to kind of kind of keep one of them as that route to be able to
get in should everything else kind of kind of fall down.
[ 11:34 ] So it's not like a it's not a case of if you lose your key you can never log into your
banking again.
[ 11:41 ] No.
[ 11:41 ] No.
[ 11:42 ] There there's there's there's a lot that's been put in place so that doesn't happen.
[ 11:44 ] Um and I think the the the growth in the market the growth of passkeys uh themselves
are are made to uh to eliminate that issue.
[ 11:54 ] But yeah we we've I like I said I've worked here for a very long time and that's always
been our our top question of what happens if we lose the key.
[ 12:01 ] So backup backup is always very important.
[ 12:04 ] Sure.
[ 12:04 ] So I mean in spite of you know all of these technologies and AI and all this kind of stuff
which is ever evolving in the marketplace today.
[ 12:13 ] What are some of the more common scenarios that you see where there are like cyber
security related breaches when it relates to small business keeping in mind I suppose that they're
not government agencies.
[ 12:24 ] they don't have like highly sensitive information stored in their Google Drive, you
know.
[ 12:29 ] Yeah.
[ 12:29 ] I mean, I I think I think that the the threats uh whether an enterprise or um an SME that it's
it's going to be the same.
[ 12:40 ] I mean, that there's always going to be financials.
[ 12:41 ] There's always going to be information that you can get out there.
[ 12:44 ] We already touched kind of about the the brand issues that can happen.
[ 12:48 ] you know, as as as an organization, you're you're working to build uh the brand of your
organization.
[ 12:54 ] You're working to build that trust.
[ 12:55 ] You're working to build that reputation should someone break into a social media
account.
[ 13:00 ] That could uh create some uh detrimental damage to the brand, which is which is never
good.
[ 13:06 ] But you did mention AI and and AI is really kind of advancing uh the scale and
complexity of phishing attacks.
[ 13:17 ] And um it doesn't just have to be going after a big organization.
[ 13:20 ] If if if someone uh is a target and if someone is uh you know potentially uh not using
great security um those could be targeted as well towards a towards a small or medium enterprise
for sure.
[ 13:33 ] in in a world where we're so now um less dependent on physical devices like hard hard
drives and servers and things like that you know with cloud computing I mean I understand
there's you know obviously we have our uh like these these things that we're discussing here
which enabled us to like with you know a high level of security access these these programs like
Google Drive and OneDrive and whatever it might be but like what what what about the actual
cloud platforms themselves like are we just hoping that you know Google has the best possible
security infrastructure in place on their servers.
[ 14:14 ] I mean that that's it is built on trust and I think it it is if I would say the good thing about
I'm just going to say kind of core core accounts for business that would be your Google that
would be your Microsoft it could then kind of bleed into maybe your Apple account as well.
[ 14:32 ] uh they have taken really the the forefront from the authentication standpoint of of
allowing to to have that highest level of security.
[ 14:41 ] So if you're protecting it from your side, um, you know, I don't want to say yes, let's
let's hope that that it's secured there.
[ 14:48 ] Um I don't get into their uh their networks or their data stations and all those sorts of
things, but you know, they they've they've been early adopters of all of this um authentication
standards.
[ 14:59 ] they've actually been authors of of these.
[ 15:02 ] So, you know, that there definitely is trust to be had there.
[ 15:06 ] Um, but I think from the end user side, it's making sure that you're protecting yourself.
[ 15:11 ] Have you seen that Simpsons episode where they're like rocking up to the nuclear
power plant and they go through all these like 15 layers of security to get into the control room
and then there's like this this stray dog that's walked in through the back door and they just shoo
it out.
[ 15:24 ] Let's go.
[ 15:26 ] that that that's a that's a very that's a very common uh I I think we can we can relate that
to security in general.
[ 15:33 ] You know, it's it's um if you're not having and and of course this this goes across any
side of organization, but if you don't if you're not implementing kind of that same level of
security across an entire organization, across all the apps, across all the services, you're
essentially allowing for that that back door to to potentially be open.
[ 15:56 ] Um that's why we recommend you know if if you are a lot a lot of a lot of small
um SMEs use Google they use Microsoft and and kind of those are the ones that they can log
into other applications and services with if you're protecting those core accounts and you're
logging in that way that's a that's a really good step.
[ 16:16 ] I I know back in the day like when we like we've been sort of reselling the well what is
now Google Workspace but I mean it's gone through 15 different name variations.
[ 16:24 ] I get you started on that.
[ 16:25 ] But anyway, like the, you know, people would always the the earlier conversation was,
well, I'm I'm I'm worried about how secure their data is.
[ 16:34 ] Meanwhile, they're saving all their stuff on some dodgy server in their cupboard, you
know?
[ 16:39 ] Um, so the the argument back then was, are you joking?
[ 16:42 ] What do you think?
[ 16:42 ] Like Google's infrastructure is not more protected than your cupboard.
[ 16:47 ] Um, right.
[ 16:49 ] So I guess that kind of to a degree I think that that we don't have that conversation
anymore.
[ 16:53 ] like people have kind of um I think people people understand that there's there's a lot
um that they're doing on their side to make sure that the data stays protected.
[ 17:04 ] There's a lot of really big organizations that are that are using them as platforms.
[ 17:08 ] There's a lot of small organizations.
[ 17:10 ] There's a lot of individuals that are using them.
[ 17:11 ] So yes, I I I I don't really have that conversation very often.
[ 17:17 ] I I I must say though like it's I say it's not surprising to me but it it happens very
regularly and it's kind of concerning how many times we have conversation with clients about
when we have to set up different tools and things for them.
[ 17:30 ] What password would you like to use on this?
[ 17:32 ] Oh, the same one we use on everything, you know, admin one, two, three, four.
[ 17:36 ] Like I guess this is where this two two factor multifactor authentication platforms
become necessity, right?
[ 17:43 ] It is.
[ 17:43 ] But you know, additionally with that, one of the other real tips for for organizations
because you you don't want to have to remember your passwords.
[ 17:53 ] And I think it's it's something that uh unfortunately if you're trying to do it in that way,
you're going to be reusing passwords or you're going to be simplifying passwords.
[ 18:05 ] And really what you should be doing is making them extremely complex when you
have to use them to log in.
[ 18:09 ] You want them to be different for everything.
[ 18:11 ] You want them to have certain characters, length, uh and really one of the
recommendations that that we put out there is to make sure that you're using password managers.
[ 18:19 ] Um there's a ton of different password managers.
[ 18:22 ] There's there's 1Password, there's Keeper, you know, Dashlane, um, a lot that that
are really good out there.
[ 18:29 ] And what those do is when you're logging into any app or service, those those have the
ability to generate extremely complex passwords.
[ 18:36 ] They store them in that vault.
[ 18:40 ] Um, and you can use those across your desktop, across your phone.
[ 18:44 ] You know, it's those transfer.
[ 18:45 ] Um, but the good thing is you don't actually know what those passwords are themselves
because they're being generated.
[ 18:50 ] they're being very complex.
[ 18:52 ] Now, what we do recommend, you know, is that you're making sure that you're using
strong authentication on those password managers themselves so that that vault isn't just
protected by, you know, a username and password.
[ 19:04 ] But, highly recommend um you know, it's it's the the the days of uh writing passwords
in a notebook.
[ 19:12 ] Uh you you shouldn't be doing those anymore.
[ 19:13 ] you're using the tools to to really help to make them more complex and and they are
extremely easy to use and and they they have a great value.
[ 19:22 ] There's really no excuse for you guys out there to not be using password protection
programs.
[ 19:26 ] I mean um as Ronnie said, there's there's dozens of them.
[ 19:31 ] Um and and I've tried loads of them and we, you know, we have one that we that we
use which I'm not even going to mention because truthfully I don't like promoting any of them
but um there's a lot out there and and essentially what is what Ronnie's saying is you don't
there's no excuse for you to have the same password used anywhere twice.
[ 19:47 ] These these these programs will actually select the password for you, save it in the
system and enable you to log in using that password and all you need to do is remember the
password to get into the software.
[ 19:58 ] just the one password that will enable you access that enable you to access that and then
you should have some sort of multifactor set up to access that tool only and then it pretty much
solves that problem for you.
[ 20:11 ] Exactly.
[ 20:13 ] You can share it with your team members and you can share it with your, you know,
whoever needs access and you don't even actually have to give them the password.
[ 20:20 ] You can just share with them like if they have the tool and the login as a company they
never see the password.
[ 20:24 ] it just populates it for them and it's it's another layer of security there.
[ 20:31 ] Yeah.
[ 20:31 ] I I think I think people think that they add a level of complexity but they actually
because and and kind of a bit of oh well how am I going to remember these very complex
passwords that it's creating.
[ 20:43 ] But that's the that's the whole point of it is that you don't need to remember them and
it'll autopop populate them and it'll automatically log you in.
[ 20:50 ] So there's kind of that that aspect of it.
[ 20:52 ] And then um if you are logging into apps and services that allow you to to log in with
your say your Google account or your, you know, that that federated login into those applications
that's another really good approach if if those accounts are protected as well.
[ 21:07 ] Yeah.
[ 21:07 ] Right.
[ 21:08 ] So you're talking about like when you get to a software and it says login using your
Google login.
[ 21:13 ] Correct.
[ 21:13 ] Correct.
[ 21:14 ] And so is that is that considered multifactor?
[ 21:18 ] that is considered a federated login through through Google.
[ 21:23 ] So that's not multifactor login itself, but the multifactor protection would be on that
Google account and then you're logging in.
[ 21:31 ] So there's nothing um that's kind of stealable or extractable from that application that
you're logging in with Google because it's based on that account.
[ 21:42 ] What about um I if this conversation is irrelevant, let me know.
[ 21:46 ] But what about like browser protection and using um uh what do they call them like
when you're traveling?
[ 21:56 ] Um CDN C uh VPNs VPN.
[ 22:02 ] Yeah, there's definitely value um to those.
[ 22:06 ] And I think one of the there's there's a lot of different browsers up there out there.
[ 22:10 ] There's some that are uh consider themselves privacy preserving.
[ 22:16 ] Um there's others that that don't track and and those sorts of things.
[ 22:19 ] But uh I think one of the most important aspects with with browsers themselves and I
would say with any apps as well is that if you get something that that pops up and says update
this browser or update this this application to click on those.
[ 22:33 ] You always want to make sure that you have the latest firmware that you have the latest
build because a lot of those fixes that come through are security fixes.
[ 22:40 ] They may find a bug.
[ 22:41 ] they may find something some sort of uh you know low-level or high level vulnerability
if it requires an immediate patch but uh always keep those updated but yeah a VPN uh you know
if you're using those that has the ability to kind of uh protect you as as a as a your own little
network uh so that people can't necessarily see and track what you're doing.
[ 23:02 ] I mean it's kind of one of the advantages you would hope or put it it's one of the selling
points I suppose of like SaaS products software as a service where they're like well we'll manage
all of the you know the upkeep and so on and so forth of this product.
[ 23:17 ] So yeah I mean occasionally like I'll log into Google Chrome and it will say update
browser you know there's a new version this click here to update kind of thing.
[ 23:26 ] Um you don't actually have to really do anything.
[ 23:28 ] It's kind of done for you.
[ 23:30 ] You just need to click on the button I guess.
[ 23:31 ] Oh yeah.
[ 23:32 ] Yeah.
[ 23:32 ] I mean, you you click on it, it it'll save all your browsing sessions and all of that.
[ 23:37 ] It'll it'll close the the browser and then redo it with those with those settings installed.
[ 23:42 ] I mean, back in the day when you had like software downloaded to the device, it was a
nightmare because you kind of had to manage all that yourself and you had to install and reinstall
and do all this kind of stuff.
[ 23:51 ] So, it's kind of I feel like we've we sort of have um we've been blessed by this.
[ 23:57 ] Yeah.
[ 23:59 ] I mean, it's it's it's it's simplified it tremendously because you're getting uh updates
pushed out all the time that you don't have, you know, if you click the download updates
automatically within the browsers, that's really what you want to do because then those will get
sent to you and and you'll just have to basically pull the trigger and and have those updated.
[ 24:16 ] So is there like a hierarchy of or like of things that you would advise businesses to like
take in terms of stepping stones to secure their uh ecosystem?
[ 24:30 ] Um you know if this if this then that if this then that like that kind of thing.
[ 24:37 ] Um, maybe not necessarily a hierarchy, but I think we've kind of touched on on what I
would consider to be the the top ones, which is which is making sure everything's updated.
[ 24:47 ] Um, using a password manager, rotating your passwords, making sure that those are uh
as up-to-date and and complex as possible.
[ 24:59 ] Um, there there's also uh MFA, which which I consider to be the most important uh
thing that you can do.
[ 25:05 ] You know, one of the one of the ways that I like to look at it is is I remember growing
up, um, no one wanted to wear a seat belt.
[ 25:12 ] You know, everyone no, at least at least me growing up, no one wanted to wear a seat
belt.
[ 25:18 ] They were like, "Oh, I don't I don't I don't want to do this."
[ 25:20 ] But then slowly people just started wearing seat belts, wearing seat belts.
[ 25:22 ] Now, everyone uh gets in and they put a seat belt on.
[ 25:25 ] And you really don't appreciate a seat belt until you need it.
[ 25:29 ] And and I like to think of of MFA as kind of that same sort of thing.
[ 25:33 ] You know, you could be like, why do I have to set this up?
[ 25:36 ] It it's it's a burden.
[ 25:38 ] It's difficult.
[ 25:39 ] I don't understand it.
[ 25:40 ] And that's not necessarily the case.
[ 25:41 ] It's it's improved in such a way that it's easier for the user.
[ 25:46 ] But, you know, best best advice is is to go into the security settings, um, find where you
can set up 2FA or MFA, whatever it is, turn it on, um, and really just, uh, let it do its thing, just
like a seat belt.
[ 25:59 ] If you have it on, you're kind of proactively protecting yourself and you're stopping the
the scammers from potentially getting getting into into your accounts.
[ 26:08 ] I know there's even we do this like we deploy policies across our Google Workspace
um account where every 3 months the passwords have to be updated and it will log people out
and it will say you need to reset yourself another secure password.
[ 26:23 ] Yeah, that's a that's a good policy.
[ 26:25 ] I mean that's that's refreshing passwords, it's rotating passwords.
[ 26:28 ] Um, if you have the ability to move to to passwordless, uh, I I would highly recommend
uh that as well.
[ 26:35 ] And that can be with with the passkey if you can remove that dependency on on
username and passwords uh, completely.
[ 26:43 ] Uh, and and like I said, Google right now supports it, Microsoft does.
[ 26:46 ] There's there's other apps and services, but if you can really pull that out, um, that's
going to really simplify how you get into your systems.
[ 26:54 ] It's going to simplify help desk and and and IT support issues and that sort of stuff
because you're not having to deal with password resets and those sorts of things.
[ 27:03 ] And and really from the security standpoint, you're you're sitting at that that top level
because there's no actual passwords for people to steal.
[ 27:12 ] So would this be um Ronnie?
[ 27:16 ] Yeah.
[ 27:16 ] like an example of when I'm logging into my Apple account and I can just use my
fingerprint on my computer to get into to access the account.
[ 27:25 ] Uh it could be it it could be that that's more local to the machine and that's probably um
logging in with maybe your username and PIN but kind of bypassing it with your fingerprint.
[ 27:39 ] Um, or or if I lo if I if I log on to a website, I'm buying something and it says, "Do you
want to like you click on the credit card and then it says, "Okay, well, you put your use your
fingerprint to populate it."
[ 27:50 ] Yeah.
[ 27:51 ] I I wouldn't I wouldn't consider those uh passwordless uh per se.
[ 27:55 ] I think passwordless is when you're logging into kind of onboarding into the application
and and those sorts of things.
[ 28:02 ] You're you're removing a password entirely.
[ 28:04 ] So based on whatever app you're using, you're still you're using that fingerprint to
activate the payment or to activate that sort of thing, but there's still in the background probably a
username and password um as that login mechanism into that application.
[ 28:18 ] Uh it's it's really big kind of within the Microsoft ecosystem right now.
[ 28:22 ] You have the ability to completely uh remove passwords.
[ 28:26 ] Uh you can go into the security settings and say that you want to do passwordless login.
[ 28:30 ] And this is all based on those FIDO2 and kind of passkey flows.
[ 28:35 ] So uh G basically when I would go to log in um it would prompt me to press my
physical key.
[ 28:43 ] I'd actually have to put a pin on top of that that will unlock the key.
[ 28:48 ] I touch it that sends that credential out and that's going to log me in.
[ 28:50 ] So at no point did I have to enter uh a password to be able to get in it.
[ 28:56 ] It's it's a it's a growing ecosystem.
[ 28:58 ] You know, we're pushing really hard kind of for uh passkey adoption because what this
does is it simplifies those flows.
[ 29:04 ] I I would say that, you know, there's not a a uh you know, a ton of kind of consumer
applications that support it yet, but more kind of from the the business side.
[ 29:16 ] Interesting.
[ 29:16 ] Okay.
[ 29:17 ] And so where does the is that kind of where you see the future of this heading towards
that high level of security where people have this thing attached to their their keychain and Yep.
[ 29:28 ] Yeah.
[ 29:29 ] I mean that that's that's that's really the goal.
[ 29:30 ] That was one of the reasons that you know we worked with Google, we worked with
Microsoft, we worked with this it's called the FIDO Alliance which is basically the Fast Identity
online uh that is promoting to to get this out.
[ 29:43 ] Um a lot more lot more apps and services are adding support.
[ 29:47 ] Um and and you know if we can eliminate the dependency on weaker credentials that's
that's all the better for everyone.
[ 29:54 ] But yes there's a lot of momentum.
[ 29:55 ] We were actually just at uh this Authenticate conference which is hosted uh by FIDO just
two weeks ago.
[ 30:03 ] Um and it's it's it's really great to kind of see the momentum that's that's growing there.
[ 30:07 ] But yes that's that's our push.
[ 30:09 ] Uh these are open standards so anyone can take them and add them to any application or
service um and then build support to be able to get this passkey login.
[ 30:19 ] And do they all sort of work through like I don't know like a USB or something or is it
like what if you what if you need it on your phone or so so our our our security keys themselves
they they they come with uh USB-C, USB-A, they come in a lot of different different form factors
but they also support NFC.
[ 30:41 ] So you're able to when you're prompted to log into an app and service or service, you
can actually touch them to the back of the phone.
[ 30:48 ] It reads the NFC and it pulls that credential.
[ 30:51 ] But one of the things that, you know, a lot of people um kind of think with with this sort
of sort of login uh is that you have to do it every time.
[ 31:00 ] You actually don't.
[ 31:01 ] So once a app or service is kind of protected, you don't need to use uh the physical key
to get in every time.
[ 31:08 ] It can be a security setting where you'd want to do that, but for the most part, it can stay
trusted.
[ 31:13 ] Uh, but if someone were to to try and get into it, it actually presents you on the screen
and says, "Hey, where's this uh where's this device that's needed to be able to be able to log in?"
[ 31:25 ] Okay.
[ 31:25 ] Interesting.
[ 31:27 ] You know, there's a lot of uh a lot of we actually we actually just put out a report um uh
at the beginning.
[ 31:37 ] It's it's cyber security awareness month here here in the US and we put out a report we
we um there are some really interesting data points from it and we we put it out to about 18,000
um individuals across nine different countries.
[ 31:51 ] One of those uh being Australia as well and some of the one of the one of the most
interesting data points that that pulled out of it is that Gen Z is actually the most susceptible to
falling for phishing attacks.
[ 32:03 ] I think kind of a global a global stamp of that said that 62% of those uh have interacted
with a phishing attack which is either will be like false login or hey we noticed your you get the
text messages like the spam things hey click on this to receive your whatever phishing attacks
come in a lot of different ways you know as as we're in the holiday season now there there's as
people are shopping going to stores and trying to buy and get things uh purchased just a little at
least here.
[ 32:34 ] Um, you know, phishing attacks will will uh increase and and those can come in multiple
different ways.
[ 32:40 ] Those can come in trying to say maybe there's an issue with your credit card or issue
with this purchase or there's an issue with shipping, you need to log in here or a really good deal
that that they're going to send you to a fake e-commerce store.
[ 32:53 ] Something along those lines.
[ 32:54 ] This can come through either email, uh it can come through text message, it can come
through uh social media, it could go through or even, you know, a phone call could happen uh
where they're deep faking a voice and trying to trick you to to give away personal information.
[ 33:10 ] So, but yeah, it it was it was interesting with that with that survey that that Gen Z
because every they're growing up online, you know, every everything is online all their entire
lives that they kind of had the the weakest security practices in place.
[ 33:24 ] I'm still amazed to this day at the amount of times I will get something like my bank
call up or whatever and they'll say, "Oh, is this Mr. Jones?"
[ 33:32 ] "Yes."
[ 33:33 ] "Oh, could you verify your phone number for me and your address?"
[ 33:35 ] And I'm like, "No."
[ 33:38 ] Yeah.
[ 33:38 ] I absolutely can do that.
[ 33:40 ] Yeah, the the best thing to do is is so you know when when a phishing attack is
happening or or they come through and like I said, you know, AI is really increasing the scale
and the ability to personalize and the ability to to make it look like it's it's it's coming from a legit
place or look legit or even build a build a form or a site.
[ 33:59 ] In those ways, it's it's it's best to kind of take a step back if you receive something
because really what scammers are trying to do is to get a quick sort of emotional response out of
you that you're going to go, "Oh gosh, I have to act on this quickly.
[ 34:11 ] I'm going to go here.
[ 34:12 ] I'm going to put in my login or like you said, here's here's my code.
[ 34:15 ] Here's my number."
[ 34:16 ] You know, sort of thing.
[ 34:18 ] So, uh it's it's really important to to to think uh before you before you click or think
before you uh give information over because um you know if you do that it can it can be really
bad.
[ 34:30 ] And this is both from a personal and a and a business perspective.
[ 34:34 ] Yeah.
[ 34:34 ] Cool.
[ 34:35 ] I would just uh hey thank you uh for for the ability to come in and chat.
[ 34:40 ] You know, it's it's that time of the year.
[ 34:42 ] It's always good to do a little security hygiene uh to make sure that uh that your your
your your security settings are in place.
[ 34:52 ] Um and this is regardless of of if it's personal, if it's business, just go in and do a quick
audit and uh set up uh multifactor or two-factor authentication wherever you can because it it is
one of the best defenses of of scammers trying to get information out of you.
[ 35:07 ] Yeah, I agree with that.
[ 35:07 ] I mean, and my take my advice to everyone is always just get a password protection
program and with that set up 2FA to access it and it's you can't really go too far wrong with
that.
[ 35:18 ] Um, absolutely.
[ 35:19 ] And once you have the app, I mean, they're free.
[ 35:21 ] You get them on, you know, you can download them from the app store, even the
Google Authenticator app.
[ 35:24 ] I don't know how good that is in terms of security, but like we use it, it's great.
[ 35:28 ] Yeah.
[ 35:29 ] Yeah.
[ 35:29 ] It it's it's it's it's all good.
[ 35:31 ] And I mean it's uh everything that you can do to kind of give you better peace of mind
that you're using unique passwords, that you're using complex passwords, that you're um you
know, having those stored in a good place is is all for the better.
[ 35:45 ] Great.
[ 35:45 ] Uh Ronnie, thank you so much.
[ 35:47 ] Uh it's been a good chat.
[ 35:49 ] Um listeners and viewers, I'm going to have access to um Ronnie and Yubico over at the
show notes.
[ 35:54 ] So head across to the site.com type in R O N I for Ronnie um or Yubico Y U B I C O uh and
you can get access to all those links and things like that.
[ 36:06 ] Um it's been great.
[ 36:08 ] Thank you very much.
[ 36:09 ] Um thank you.
[ 36:10 ] I guess that's a wrap.
[ 36:12 ] Appreciate it.
[ 36:12 ] Hey guys and girls, how would you like all of the value ads left behind from our
podcast guest all put together in the one spot?
[ 36:19 ] We've pulled every tool together, every template, every resource shared on the show,
and we've packed them all into the Trading Academy.
[ 36:26 ] It's free to join, and it's built by the team behind the Scared and Trading Web guys.
[ 36:31 ] Inside you'll get marketing tips, business tools, and first access to future resources, all in
one simple dashboard.
[ 36:37 ] Just head across to tradie.wiki/pod.
[ 36:40 ] That's tradie.wiki/pod.
[ 36:43 ] The link's in the episode description.
[ 36:45 ] And once again, you just log in once and then you're all set.
[ 36:48 ] And if you want to get notified of upcoming episodes, hit subscribe or follow.