East Trade Winds

The Disaster Your Business Isn't Ready For | ETW with Josh Lamb

Episode Summary

Your backup plan only works if someone remembers to run it. Josh Lamb shows SMBs how to stop hoping and start protecting.

Episode Notes

GROWTH PILLAR: Cybersecurity & IT

WHO THIS IS FOR: SMB owners / Solopreneurs / Corporate escapees / Leaders building systems

WHAT THEY'LL GAIN: A clear picture of the IT threats that quietly take businesses down — and the practical steps to protect against them before something goes wrong.

 

Most small businesses don't have an IT disaster plan. They have good intentions and a Friday reminder nobody follows.

Josh Lamb, founder of Sterling Grace Technologies, joined East Trade Winds to break down the real threats facing SMBs right now. He covered disaster recovery planning, phishing attacks, password hygiene, and backup strategy — without the tech jargon. This session is practical, direct, and built for business owners who want to protect what they've built.

What Josh covered:

Josh's team at Sterling Grace Technologies serves Eastern Ontario with proactive, human-centred IT support. Six people. Long-term client relationships. Solutions that scale.

Connect with Josh Lamb:

Visit Sterling Grace Technologies

Connect with Josh on LinkedIn

Read the Sterling Grace blog

Sterling Grace on Facebook

Sterling Grace Technologies on LinkedIn

 

Sponsors + Resources:

Join Canada Growth Network — Full GHL CRM + membership community access. First month $1 CAD. Then $47 CAD/month. No contract, no lock-in.

Try Web Indexer — The smart chatbot for the Knack 4 Business website. Search episodes faster. Discover related content. Book a meeting.

Explore @Hive — Community, collab, and resource space for entrepreneurs.

 

Take the next step:

Questions? Reach us at info@kreativinsight.com

Join Canada Growth Network — Full GHL CRM + community. $1 CAD first month. $47 CAD/month after. No lock-in.

Join East Trade Winds free — Tuesdays 8–9 AM EST

Subscribe to the podcast on your favourite platform.

Subscribe to the K4B blog — Episode recaps and business insights delivered to your inbox.

Search K4B episodes by topic — Press the ? on the K4B website and search by topic.

Register as a K4B guest — Want to be a guest on Knack 4 Business? Register on the K4B website and tell us your story.

Episode Transcription

Josh (00:06)

Alright, so disaster recovery planning is that thing that you think you won't ever need because it'll never happen to you. And yet you have car insurance. And so, you know, I think that I'm a pretty good driver, and nothing's gonna happen to me on the road either. And yet things that are outside of my control

 

can still contribute to me having a big problem on the highway. And there are lots of ways that we can have big problems on the highway. And some of those ways, insurance becomes the imperfect metaphor because sometimes the car just breaks down and insurance isn't gonna save you from that. So we are an insurance policy against the car breaking down and an insurance policy against someone stealing the car and an insurance policy against

 

the car getting hit by somebody who's driving carelessly when you are paying attention and following all the rules. And last, we are an insurance policy when you are not driving carefully and you're not following the rules. You're looking at your phone instead of the 401 or the 416. So that's what we do. But more generally speaking, I think anybody can adopt some good disaster recovery practices and make sure that they are not

 

Josh (01:11)

you

 

Josh (01:22)

caught in a situation that could seriously threaten their business. Our company, we're a managed service provider. We offer a suite of technology solutions and we service Eastern Ontario primarily when we're servicing in person, but we also do remote service. This is our team. We're six people. We have a phenomenal team. I'm very proud of them.

 

Susan is my office admin. She controls my calendar and doesn't let me schedule anything without checking with her first. So if you ever want to talk to me, Susan's who you got to go through because I'll be like, I would love to have a meeting with you, but I have to check with my boss first. The other guys are phenomenal software engineers and network admins, and we have just a great team. So if you want to find out more, then drop me a line.

 

But let's get into the meat and potatoes of this presentation. So there is a whole web of weird things going on out there on the internet and sometimes even on your own computer that can put your data and your business at risk.

 

Josh (02:31)

This is

 

Josh (02:32)

the waterfall of doom as I like to call it. So AI built this image for me based on a description of a true event that happened with one of my customers. This is what happens when you mount your air conditioning in your teeny tiny three by three closet that you also put your server rack in with $50,000 worth of server equipment and then never bothered to check the evaporation vent. The evaporation vent makes the water condensation evaporate.

 

And so when it gets clogged, that water doesn't go anywhere. And then overnight, this is the one thing that AI got wrong. It didn't waterfall, it just trickled, but it trickled for about 12 hours and it trickled into the cabinet and the servers did not fare well. So this kind of thing is scary, but it can happen and it can happen for all kinds of reasons.

 

We came into this office and they fortunately had a disaster recovery plan already built. And so we were able to substitute in a backup server and get them kind of set up immediately with their emergency recovery backups from offsite backup storage. So their backups were pulled offsite. Some of them were cloud-based for the smaller stuff, but the full system backups are periodically done and they're pulled offsite. And so...

 

if something happens like a fire or a flood, then they have a plan.

 

ago. Another type of disaster recovery, another type of disaster is that your machine becomes compromised. And that can happen through phishing, through downloading software that you shouldn't, through somebody else in your network getting software that they shouldn't. And sometimes they or you will have insufficient security on your machine in order to be able to prevent cross-contamination. And so what is phishing?

 

I've got a little bit of an educational piece in here I think that you'll find useful if you don't really know that much about phishing. So there are malicious actors out there and they figure out how the HTML, that's the look and presentation of your website for your bank, looks.

 

and they can replicate that. And then they can use a compromised website to present that as if it is your bank. And then they send you an email saying, Hey, I'm your bank. Log in here to do this thing, to fix this critical error about your money. And you go in and you click a link and then you go and you fill in your information and it harvests your username and password and it redirects you to your bank's page.

 

where it tells you that you had an invalid password and you're like, that's weird, I just entered that. And then you enter it again in your real bank and then you log into your bank and whatever it was that was in that email, it isn't there, but you logged into your bank. And so you're just like, that was weird. And you delete the email or you move it into a file for later when you're gonna call your bank. And then you go about your day. In that process, that phishing attacker has stolen your credentials and now they got access to

 

possibly your bank, then possibly depending on your password hygiene, they might have access to a lot of other services that you use. And they know that your email is legitimate because they know which email they sent to that the person clicked the link and went and filled out that information. So.

 

Here's an example of an update your Apple ID email. What's wrong with this?

 

Josh (06:01)

Well.

 

Josh (06:03)

It's not an official apple.com address. If you hover over the email address, you might notice that it's verify at support.com. Your name's not Joan, it's Bernie. And so jone at ripnet.com is who it's to. Bernie was in a BCC and it just blacked like it blindly sent to a whole bunch of people. So that's another good hint.

 

Generic salutation, most services will know you and call you by name. Unusual wording, it's a good indication that the person who composed the thing was using English as a second language. And so not all phishing attacks come from second language countries, but some do. And so that's something that you can watch out for too. And generally speaking, even the ones that do, often they are not.

 

They're not good English speakers, but more than that, we might be giving too much credence to them not being good English speakers because the strategy that attackers can use is to deliberately use faulty language and basically sloppy language because it can weed out people who pay close attention to detail. They don't want people who pay close attention to detail. They want the people that don't.

 

They want the people that aren't going to notice that the web browser opens onto a site that says my dog caller.com, but it's the CIBC logo and you're logging into your bank. So that's another thing to watch for. If you hover over the link, often it'll show you a weird link like this Biz and Anya color box update thing that's at the bottom there. And then creating the sense of urgency. Most of the time,

 

your banks will not contact you and direct you to do something over email. They will share information with you and they'll tell you to call them and they may guide you to look up the bank number online rather than to just trust what's in their email. So there are some signals that can make it obvious. Malware. What happens with malware? Malware can use your computer in a weird way or it can actually damage your computer.

 

Josh (07:56)

So what

 

Josh (08:03)

And so it's not always the goal of malware to hijack your data. Sometimes it might just be to hijack your computer resources so that it can harass other people. But yeah, the infection chain is basically you get an email, a misleading email, you download something, maybe it says it's a PDF, but then it's actually an EXE file. And sometimes they can accomplish this just with super long file names that the EXE part is after.

 

a whole bunch of spaces that came after that PDF. And again, that attention to detail catches you because you're not looking at the EXE that's way over there. You're looking at the PDF that's right up front and you open that up and now you've got malware installed. You open up the malware and then it downloads other stuff. Sometimes it's just a mini bootstrapper that

 

opens up a payload and pulls a whole bunch of stuff in the background. So you don't notice it's happening because it's doing it after you've already downloaded the thing. And then it can damage your files or it can damage your friends. And that kind of thing happens. So here's another cool little stuff. You know, these are the risk factors. And so what can you do to prevent it? What can you do to fix it? Well,

 

You want to have a solid firewall. You want to make sure that you're updating your firewall. It might be the router. If you're a small business or if you're a home-based business, it might just be the little Linksys router or even the Bell 2Wire router that they gave you. You got to make sure that the firmware is updated. There are compromises discovered all the time and they are pushing patches to fix them all the time. But the average person never

 

logs into their router and looks for firmware updates. Something that you should probably check on once a year. If you're a bigger business, then your router might be a firewall. You may have firewalls internal to your network as appliances that are plugged in, just like your router would be. Gotta make sure those are updated. Gotta make sure they're on and configured properly. Gotta make sure that you have backups and that they're properly configured and that they're covering the right things. Your passwords and passphrases need to be secure and well-planned.

 

and you've got to be using encryption and make sure that you're using HTTPS and that the little block in Chrome shows up and that it doesn't say the insecure thing at the top. You got to make sure that you got the right antivirus or an EDR, which is like supercharged antivirus powered with AI. A lot of people don't realize that antivirus works by looking at fingerprints of viruses, which have been discovered because about a hundred thousand people got smoked on day one

 

and they went and they reported their stuff in and it went to the Symantec lab, the Norton lab. And then they were able to find the files that were the offenders on these dead machines and they pull out signatures of that and they distribute them. That's your Tuesday update with your antivirus. You're pulling in the fingerprints from these viruses that already tanked a whole bunch of other computers. EDR, it's basically the same thing plus AI. So it's watching behaviors of the stuff that's going on on your computer

 

Josh (10:58)

with.

 

Josh (11:05)

and it's trying to make sure that it's not doing anything weird. Like, hey, there's a big encryption thing going on on my hard drive and the user didn't make any combination of clicks to consent to this. Maybe this is something that we should pause even though I don't have the signature. And then it pops up and it stops it and it asks you if you intended to do this. And so you get something like 85 to 90% coverage with an antivirus and you get something like 95 to 97% coverage with EDR.

 

Passwords do's and don'ts. Do use a unique password for each site. Keep track of the passwords in a password manager. We sell a software called NordPass, which is the same people who made NordVPN. We also sell LastPass. We chose to go towards NordPass after evaluating a bunch of different password

 

providers and they just have the best track record of security. They're still actively developing their product and they got great support. So these things are, they live in your browser, they store your passwords, they protect them with one master password that is two factor authenticated so that you can use a different and very complex password that's auto generated. You never have to type it in.

 

but they're different for every site. So no one site getting compromised is going to compromise a different site because it's just random stuff that's protected by your master password. I highly recommend if you have to deal with more than one password in your life that you consider looking at a password manager software. Update your password frequently and your password software manager can help you remember it so that you don't have to worry about the 15 different versions of that. The cow jumped over the moon password that you have.

 

Use a password generator that is part of your password manager. Yeah, so this is all kind of talking about that same thing. Make sure that you use mixed case. A lot of providers won't let you do anything else. So you have to have special characters and that kind of stuff. Don't just rely on passwords. Two-factor authentication is possible and it's easier than ever.

 

You can get an app on your phone, Google Authenticator or Microsoft Authenticator, and you immediately have access to a second factor authentication. So if your password gets compromised, you've got your phone with the secret key on it that generates a code that changes every 30 seconds and the attacker still can't get in. If your phone gets stolen and they have that key, hopefully they don't also have your password and it gives you a lead time to be able to change your passwords without having to worry about an immediate compromise.

 

Don't share your password. Don't write it down on a white piece of paper and put it in the top shelf of that desk that's right at the front of your office, guys. I've seen that so many times and I still see it. Terrible because a customer that you're not watching sees a desk that's just a little bit open and they see like a password on the bottom and they just reach in, grab it and out they go. And you won't know because you never checked that because you've memorized it anyway.

 

Josh (13:47)

It is terrible.

 

Josh (14:02)

So you might know a week later and then you'll have to check the camera to see who did it. Don't do that. Don't use dictionary words. Brute force attacking on passwords usually starts with a dictionary. They'll just randomly pummel an authentication server like a rank or your RDP or whatever with three million dictionary words. And then they'll append little variations to it with

 

ones and one-two-threes and that kind of stuff. That is not a safe way to keep yourself secure. Don't use the same password for every login. This is where memory becomes a major struggle and again the solution is password management software. And yeah, don't use easy-to-guess passwords. Don't use your first name, don't use your kid's first name, don't use your dog's first name or even their middle name. One of the most

 

unrealistic things that you see on video or on media where they're talking about people hacking, they're basically just guessing passwords. And they try a bunch of different combinations. And that doesn't work in real life in a secure network. But if it could work on yours, then you should think about changing your password. And yeah, make sure that you have sufficient length with your passwords. Maybe

 

pick a bad password from this list and a good password from this list?

 

touching on backups and it's kind of the tail end of the presentation. And so it's just you've got to think about your strategy. You got to think about how you're going to get your data back quickly if something bad happens and what the bad things are.

 

You could have theft by an employee that's disgruntled. You could have theft by a customer or a competitor that's able to either compromise your network or physically get there. You can have a fire or a disaster. You can have software major failures. You can have viruses and malware. You can have a major disaster in the hardware. The hardware itself could fail or the building could fail. And so we plan, we look at where your critical data is.

 

So maybe you've got a QuickBooks desktop instance in-house. I would move that to QuickBooks online if I were you, but not everybody can or wants to do that. And so making sure that there is a native QuickBooks internal backup that stores those backups somewhere secure on your network, and then making sure that your systems have a system-wide backup. And so I always recommend that you do the native one first because...

 

Sometimes databases, if you do like a snapshot in time of your whole system, sometimes databases are in an inconsistent state. And then if you were to kind of pull that out of cold storage later, it might have been like weird. It might come back weird. And maybe you have data loss because it hasn't done, it hasn't fully saved everything to disk. It hasn't committed all its transactions and stuff. So we start with that and then we do a full system backup.

 

depending on your location and the quality of your internet connection, you want to offload to the cloud as well. You want to have backups that are not writable by you, which means the backup software is responsible for copying everything and sending it up to a server that writes it into a volume that cannot be accessed by you or anybody else in your network. And that stuff is inert once it's written. It cannot be interacted with unless you're going to do a restore.

 

can't be overwritten. It's in a separate server. So there are various strategies. I would say that the worst strategy that we see is no backup. But the second worst would be you've got an external hard drive that you plug into your computer and then you make sure that every Friday at five o'clock you start your backup and then you unplug it and you bring it home and you bring in your second one for the next week so that you have one offsite at home.

 

It sounds good in theory, but the reason it sucks is because there is a critical break point. And that is you. You have to remember to do it every Friday. I've had offices that had that strategy and it would have been a wonderful strategy had they remembered to do it. But their QuickBooks backup was three months old when we brought in our automated backup. And that's a big no-no. So.

 

You should be planning for this. You should look at automating wherever possible. This is kind of a typical model of the local device with a daily backup, bringing it into a local server that synchronizes with the cloud on some schedule. It might be weekly. It might be daily. I don't, you know, whatever we want to do. How does recovery work?

 

It depends on where the chain has been broken here. So if your local device has gone down, then you got to get a new local device and then you can recover your daily backup from your local backup server. If the backup server has died and so have your local devices, then you've got your stuff offsite in the cloud in case things go wrong. Why not just go all the way to the cloud speed? So you can just go to the cloud. But if you're talking about

 

terabytes of data or even hundreds of gigs of data, you have a real recovery delay that is just downloading your files again. And so you can change something that takes four hours, including picking up the new computer, setting it up, installing Windows or reinstalling Windows, and then recovering from the local server. You can be back in business in four hours with a local.

 

And that same recovery might take you 24 hours going from the cloud. And so that's one of the main reasons. And so that becomes a decision of cost versus benefit, cost benefit analysis. You can decide if you can tolerate being offline for 24 hours and would prefer to move to the cloud.

 

And you also might be able to look at it and say, I don't have as much data. And so this is really a consideration that becomes important when you're scaling and you've got like 10 employees, you have years and years of history and email and files locally, you need to make sure that you're strategizing to get back in business because a morning off work costs you five figures, six figures kind of thing. So that's the cost benefit analysis that has to be done.

 

So is. Thank you for listening to me talk about