Secure AI Starts with Education

Meghan Lynch (00:00):
Cybersecurity can feel abstract right up until it isn't. And in family businesses where trust runs deep and resources can often run lean, the risks often hide in plain sight. My guest today has spent more than 30 years helping businesses stay secure in a world where threat actors now use AI to work faster than ever. We talk about why jumping in uninformed is actually the biggest risk when adopting AI and how culture, not technology, is your first line of defense. Plus we talk about what a secure rollout actually looks like for a family business. And of course Henry joins us with his questions about strange tech disasters, kid-friendly cybersecurity, and what to do if a hacker ever comes knocking. All this and more coming up on this episode of Building Unbreakable Brands. Welcome to Building Unbreakable Brands, the podcast where we talk to business leaders with a generational mindset. I'm Meghan Lynch. I'm an advisor to family businesses and CEO of Six Point Strategy, which helps generational brands honor their past while evolving for the future. My guest today is Mike Giovaninni, the founder of Network Strategic Services, a managed IT and cybersecurity firm that helps small businesses cut through the tech chaos and stay secure, compliant and productive. With over 30 years in the trenches, Mike brings a straight-talking, business-first approach to IT, focusing on real risk, real relationships, and real results. Welcome, Mike. So glad to have you on the show.

Mike Giovaninni (01:52):
It's great to be here, Meghan. Thanks so much for having me aboard.

Meghan Lynch (01:55):
I think this will be really fun because one of the reasons why I wanted to have you on was because you do bring such a, you both have a highly technical background and technical understanding of the materials, but I think you also bring a very realistic translation of that to the operations of a business and for business leaders to think about. So I'm really hoping that this conversation can provide our audience with both a better understanding of IT security right now, what they need to be thinking about, but also some practical steps on how to actually apply some of that to their business.

Mike Giovaninni (02:38):
Fantastic. I'm ready.

Meghan Lynch (02:40):
And we had originally connected on this topic and decided to bring you on when we started kind of chatting back and forth about AI and what family businesses that are starting to implement AI programs might not be thinking when it comes to security. And I know you immediately were like, oh my gosh, there's some basic things that people need to be thinking about and they need to know about it. So when you think about family businesses implementing AI, what's the biggest risk that they are overlooking when they start to experiment?

Mike Giovaninni (03:19):
I would say that the biggest risk that they have is jumping in uninformed.

(03:24):
And the truth is all AI platforms are going to do basically the same thing. You're going to build a prompt, you're going to get information out of it, and you're going to refine the prompt until you get all of the things that you want. But if you don't understand the platform that you're using and you don't understand it well, you can leave security vulnerabilities for your data and in some cases actually leave loopholes that threat actors can compromise your system by basically compromising your chat. And with the right mindset and the right understanding of those security controls, you can secure it quite well. You can keep the bad actors out. One thing I will say, if you're going to get into AI, if you dabble in one of the free AI platforms like ChatGPT's free version, don't do anything that's sensitive because you don't have the security controls, they're not really there. You really need to have a paid subscription for it to get the benefit of that. And so again, know the control that you're going to use. Know the platform that you're going to use and investigate the security or talk to an advisor, somebody like myself or somebody who works in cybersecurity because we have spent since the beginning of AI, we have spent hours in finding where the vulnerabilities lie. And it can be devastating.

Meghan Lynch (04:51):
I think for a lot of family business leaders not understanding the security risk or just thinking about like, oh, this feels like putting a lot of information and a lot of power in the hands of something that I don't really understand can make them not want to even take a step into it, not implement it at all. Is that a realistic fear or response to it?

Mike Giovaninni (05:20):
Yeah, it's definitely a realistic response. You don't know what you don't know, and unless you have somebody guiding you along working with you to help you understand what the possibilities are and the limitations, then yeah, it's going to be a scary place. Now, one of the things that we recommend when a company is starting to really dive into AI is first sit down and have a plan. What is it that you want to get out of it? What's the outcome? Where are you going with this? Start to build some guardrails, build your security policies out, your acceptable use policy for AI. Make sure that you have the right tools in place, that you've created accounts that end users can't compromise or can't change the security settings on so that you really restrict that down to what you want them to be using it for. Have a good conversation with people.

(06:16):
Education goes a long way with AI and before you even start to dabble in the great pool of artificial intelligence, have a solid conversation with your people and explain to them the dangers, explain to them what the benefits can be. It's not there to take away people's jobs, it's there to enhance jobs. And I know we've seen this Amazon lays off 14,000 people because those jobs can be mostly automated. That's pretty sad. However, when you look at the breadth of that for a small business or a family owned business that is really trying to build up their brand, they're trying to make a dent in some of the tedious roles of marketing, content creation and scheduling and stuff like that. There are some great blessings to it, there's some great opportunities to it, but if you don't put the guardrails on it, it's going to come apart really, really fast. So culture, we were talking about that earlier. Culture is the hardest ship to turn.

Meghan Lynch (07:22):
Yeah. Can you talk a little bit more about that? Why culture? When you're talking tech, why would culture be the critical thing?

Mike Giovaninni (07:32):
And this is where I veer off from a lot of my peers. We specialize in cybersecurity and compliance and with compliance, culture is everything. If you don't have a compliance-oriented culture, a mindset, then you will never stay in compliance. And what is also very important is that culture, that emphasis on setting boundaries and setting an example has to come from the top. And so if the CEO of the company is saying, the rules are not for me, then the workers are just going to say, eh, no, not interested, too much aggravation. I'm going to keep doing it my way. And it becomes a wild, wild west. So you really have to have that top-down view of what you want your culture to look like. And cybersecurity is the same thing. We have a four-stage model of cybersecurity maturity, and it goes from being basically ignorant of what your risks are to being really proponents of risk aversion.

(08:38):
You are doing everything you can to mitigate or remove risk from your business. So a more cybersecurity mature organization is going to have fewer incidents where a threat actor is going to break through their defenses. Not that it can't happen, however, it's a lot less likely and the impact is usually less. You see these small businesses go under with just a very minor intrusion, it doesn't take much. And when you're talking about AI, which is automating certain functions to make them happen faster, if a threat actor, threat actors have their own AI that has no controls, it has no guardrails, now you become an easier target if you're not paying attention to that. And the culture is where it starts. Education, it's a fairly well-documented statistic that if you provide for your organization cybersecurity awareness training, and that also includes AI so that nowadays it's all part and parcel, if you invest in that platform that it's a learning management type system that gives you an annual training and then gives you regular training, and then it also tests to see if you can catch those nasty little fish that come into your email box.

(09:59):
When you implement a program like that, I have seen risk reduction by as much as 50%.

Meghan Lynch (10:07):
Wow.

Mike Giovaninni (10:08):
Just by educating,

Meghan Lynch (10:09):
Just educating,

Mike Giovaninni (10:10):
Just educating. We call it the human firewall. 85% of all of your risky activities happen because of a lack of knowledge, what we call an insider threat doesn't have to be malicious in nature.

(10:26):
A good example for this now, we got called several years ago by an organization in Western Massachusetts, small business, and they had called us in because they had gotten ransomware. And I went in and I talked to the owners and they said, well, this is the first time this happened. It happened about six months ago, and our bookkeeper had opened up an attachment and her station got locked the first time. The second time it happened, well, it was the same person, the same bookkeeper opened the same type of attachment, but this time, instead of locking just her computer, it bricked the entire network, about 15 computers, a server. And then we started doing forensics and we found that whoever had set up their backup had set it up wrong. It had never been tested, so they didn't have a valid backup at that point. We just told them, it's going to be easier for you to just burn all this stuff and start from scratch than try to recover this because there's no return at this point. You've passed the point of no return. The cost would be staggering. And so this is why we just say, if you can educate your users to recognize these very simple threats, and while AI is making it more difficult or more sophisticated, they use AI to make these things more believable.

Henry Lynch (11:51):
They

Mike Giovaninni (11:51):
Rip off valid vendors. Microsoft is a big target. They use that, HP, Google. It's never ending. But if you can educate people to recognize these things, they have power and they can protect the organization. Now, back to culture. Meghan, the challenge with this is until you can explain that everybody's job in an organization is at risk to ransomware, then you will never see adoption of any type of a cybersecurity awareness platform or security tools, any of that. And the sad truth is ransomware can disrupt an organization for weeks. We just did a ransomware forensics process started in the middle of September, and they were pretty much down for four weeks with minimal ability to be productive.

Meghan Lynch (12:56):
Wow. Yeah.

Mike Giovaninni (12:57):
They had servers bricked, they had workstations bricked, and we had to pick up the pieces and figure out what was the extent of the damage, how much information did the threat actor get their hands on? And it's not inexpensive because for that small company that was about a $30,000 hit just in the forensic work

Henry Lynch (13:18):
And

Mike Giovaninni (13:19):
The basic recovery, we're still picking through the wreckage at this point. And this is two months out, they're back to business or being productive again. But I don't wish that on anybody. Disruptive. Painful.

Meghan Lynch (13:36):
Yeah. So what I hear you saying is like twofold. One is that family businesses need to be thinking about just even being aware of what is our culture of

(13:49):
How permissive is our culture, how compliant am I as the leader? And what example am I setting for the team? So how am I leading this? And then also, how educated am I and is our team to be that human firewall in terms of being able to spot potential threats and being able to act on them. I mean, it's a great example of somebody making the same mistake twice and clearly that one individual was a security risk for them, and you wouldn't even really have to do anything else other than just educate them and test them and see what else could be put into place.

Mike Giovaninni (14:35):
Now the funny thing with that particular company, they had called us, they weren't a client of ours when we went through the forensic process and we saw how many just really bad, simple mistakes that were made with their security, we figured, no, we gave him a quote, write down every bit and piece that needed to be replaced and reconfigured and brought back online data recovery, the whole nine yards. They opted to stay with the same IT provider that had been the architect of the two ransomware attacks. And so here's the thing, here's the truth. People are willing to stay with the devil they know

(15:18):
And take the chance that maybe this new person, this new organization might not work out. And here's the problem with that is it ends up costing them in the long run because they get what they allow. So if you allow sloppy security from your IT provider, if you allow a lackadaisical attitude with your compliance, then you can expect that it's going to be a bumpy, bumpy road. And this is not to say that all IT providers are bad. There's some great people out here. I know quite a few of them. In fact, having spoken at a couple of national conferences, I've got a pretty deep pile of contacts with some great people all around the country. In fact, I meet with a bunch of them every Wednesday and they're the best of people, but there are some out there who they're not taking it seriously. It's one of the differences. When COVID hit, we made the conscious decision that at that time in 2020, the rate at which ransomware was escalating was 600 times what it had been the year before.

Henry Lynch (16:29):
Wow.

Mike Giovaninni (16:30):
Yeah. That's a big eye-opener. And it hasn't changed much. In fact, in October of this past year, ransomware had increased 37%. And that's just what gets reported. That doesn't take into account the companies who don't report. They just pay the ransom quietly. They get their data back, but their data is still out there. There's a lot of truth to there's no honor among thieves. And now that they're using AI to make it easier for them to compromise your system, small organizations really need to get away from that mindset that we're too small to be attacked. Because the truth is they make easier targets because they don't always have the type of culture or controls in place to block a persistent threat actor. And like this one that we worked on in September and October found, they didn't take advice. They decided, nah, we don't want to spend that money. And they spent the money anyways, just all at once, and that wasn't a good thing.

Meghan Lynch (17:44):
Yeah. I mean, one of the things I've been hearing about too is that family offices are being targeted because they are managing large amounts of wealth, but often with a very small staff and probably a very permissive culture of we're all family here, it's fine. Or we don't need a big IT structure. There's just four of us. So I think it is one of those things you are starting to hear more and more about. And so I think that idea of we're too small to have to worry about that. To your point, it's almost the opposite of yeah, it's,

Mike Giovaninni (18:29):
And the more that the threat actors use AI to simplify their process, the easier that the average organization is going to be to be a target. It's just going to happen. Now, one of the things that we haven't talked about at all is social engineering. Now, when you think about social engineering, back in the day it was somebody shoulder surfing, watching over your shoulder or giving you a call trying to get you to click on a link or open up a document or to go to a website for IT support, or you get what we call a drive-by web attack, one of these fake antivirus warnings and everybody panics. No, no, just kill Chrome. It goes away, drive on. But they know that people are, well, bad behavior is one of those things that just continues. We had a client some time ago that again, and it seems to be the bookkeepers, and so love them, love mine, but because they handle finance, they're a target for what we call a business email compromise.

(19:43):
And what this is, is they compromise an email account, and a lot of times they do it now, they use an AI-generated phishing message that gets the person to go to a login page for their Microsoft account. So they basically fool them into thinking that they have to log back into Microsoft 365 or Google Workspace, can be either one. But what that is, it's called a man-in-the-middle attack. And when the person puts in their credentials, it gives those credentials to the threat actor and it gives them a very important piece. It's called a token, and it's that session token that allows them to not need your username or password or multifactor authentication to get in because they're already in. And so by targeting the bookkeepers, the accountants, the finance people, they now have access to their email accounts. And here's the danger of that.

(20:41):
When you have that finance person's email account and you are now putting in rules to redirect messages to you, the threat actor, you find out who you're talking to and what kind of money is moving around and how it's moving around. And we had one company over the course of a year, they had three business email compromises, all because the same person kept opening these emails and giving her credentials, and we'd catch 'em pretty quick. But again, and this is the danger, I get it. Small businesses, I'm a small business, my budget's tight and spending money on these tools, these security, like you said, you don't need this big IT program. Unfortunately, now you can't really do it that way because the threat actors, they don't care. Their whole goal is to financially gain from the interaction that they have with you. So it's either going to be ransomware or it's going to be business email compromise. They're going to redirect crazy amounts of money. Had a client who, they work with a small private airline and through a business email compromise, they got an email to transfer over a million dollars for fuel to a different account, an offshore account, which was not uncommon. But if it weren't for the education that we had been giving this particular individual over the years, she made this smart choice and she called the client, said, is this legit? She said, no, I didn't do that.

Henry Lynch (22:23):
Wow.

Mike Giovaninni (22:24):
If they had pushed that button and sent that million dollars, they'd never see it again. Now, the FBI can sometimes get some of that back, but it's hard. It's really difficult. Once it goes away, it's gone.

Meghan Lynch (22:37):
So one of the things that you've talked about is that businesses should have the mindset of this has already happened to us, and just be thinking about it that way. Why does that mindset matter? What does it change?

Mike Giovaninni (22:53):
Sure. Okay. So the mindset that you're talking about, Meghan, is you look at the news every day and you see some big breaches happened, whether it's healthcare or it's financial. There's been a breach happening on a weekly basis for the last five or six years. If you don't accept the fact that your data is out there in some form or another, whether it's your personal data, your health information, which of course includes your social security number and a lot of other very delicate details of who you are, you have to accept the fact that it's out there. And so you have to act as if you've already been breached and take the precautions that you can from getting worse. So what does that mean? It means going out and locking your credit. It means monitoring your credit reports. It means having a good relationship with your bank and know what their protocols are, whoever you're doing business with financially.

(23:59):
Now, one of the most common areas where people get targeted is shopping, online shopping. A lot of those sites have been compromised and they are poor at PCI compliance, payment card industry compliance, in a lot of cases. And so if you have your card, somebody stole one of my cards and I don't know what site it was that I was on, and all of a sudden I get this notification, did you happen to buy this thing at Disney in Los Angeles? I'm like, hmm, last time I checked, I was in Feeding Hills, Massachusetts, I'm not with the mouse. And it went through at first like a $30 charge, and then they tried to hit it for a thousand dollar charge. Well, the joke was on them. That card was pretty much maxed and it didn't matter. It got blocked anyways. But the simple truth is it's so easy for these things to be compromised. So if you're not taking the right steps, you're not looking at how might I have been compromised? There's a great website, it's called Have I Been Pwned, P-W-N-E-D.com. Okay. Very, very simple. And you can go there and you can put in your email address and it will show you if you have been caught up in any number of different data breaches. And that's a very valuable bit of information. One of the things we recommend, so if you're a small business owner, don't use your business email address for your personal shopping.

(25:36):
Just don't. When you're using your email, whether it's your personal email or your business email for some transaction and you have to create an account, do not use the same password on every account. Don't use the same root of the password and just change a couple characters. And here's why. Threat actors know that people are likely to do this. And so what they do is they take the information from one of these breaches that has happened and they just go spamming a whole bunch of other sites that they think you might go to, and pretty certain they're going to use a brute force attack using that root of that password that was compromised at all these other sites, and they're going to get some hits.

(26:22):
I'm a strong proponent for password management that will allow you to use longer, more complicated passwords. You don't have to use the same password over and over again. In fact, it will warn you if you do, it will even warn you if you have had one of your credentials breached on the dark web. So there are things that you can do that are not expensive, they're not difficult to manage, that you can do easy very simply and bring about a lot of peace of mind. That's what we do. We try to bring peace of mind.

Meghan Lynch (26:59):
Yeah, I think that oftentimes one of the things that stops people from taking action is just feeling overwhelmed by like, oh my gosh, I haven't done any of those things that you've talked about. And so how do I even get started? Oh, it's just too big. I'm just not going to do anything. How do you kind of combat that overwhelm feeling?

Mike Giovaninni (27:23):
It's sometimes difficult. Depends on the people I'm getting. Older elderly people or people who have hit past that 60 mark tend to be more set in their ways and they're less likely to want to change. And that's not common, not uncommon at all, and it's not a bad thing, but how do you put it in place? Well, the first thing you want to do is get some education. There are plenty of free resources online, the cybersecurity and Information infrastructure security agency, cisa.org or cisa.gov. I think they have some really good training available on their website, no cost. And find what you can for free resources. If you're a business, the free resources are great, but they don't give you any type of evidence that these things have been done. And here's why that's an important facet. We get back to talking about AI and the necessity to have policies that dictate the use of AI.

(28:30):
Most compliance frameworks. So if you are in healthcare, you fall under HIPAA. If you are an accountant or an attorney who handles financial cases, you're going to fall under FTC Safeguards. If you are a manufacturer and you are doing business with the government and you want to get a federal contract, you're going to run against CMMC, a cybersecurity maturity model framework or compliance. And if you are not doing certain things, then you can get in a lot of trouble with that. If you're at that level, then you want to be investing in a good professional cybersecurity awareness learning platform, because what that will do is that will allow you to put all your policies in it. It will allow you to require sign-off on certain things like acceptable use, should always be reviewed and signed off on by all your employees at least annually. Cybersecurity awareness training should be done annually, at the very least. And again, some frameworks such as FTC Safeguards, HIPAA, those require it. Those are very hard coded into the framework that these things need to be done. So that's where I'd start. And it doesn't have to break the bank. In most cases, a good quality cybersecurity awareness training program shouldn't cost much more than a cup of coffee a month per user.

(30:07):
So here's the thing. Now let's unpack that for just a bit. So if you go to Starbucks or Dunkin, I don't drink coffee personally, so it doesn't do anything for me, but if you go to Starbucks and Dunkin, you're going to pay a minimum of $5 or $6 for each cup of joe. On average, for a 10-user company, you should be looking at paying no more than about $5 to $7 per seat per month for that management program. So if you're talking $50 to $75 a month on that one particular piece, and you can reduce your risk by 50% or more, that can mean the difference between a $30,000 invoice for forensics or a couple cups of coffee for your people once a month.

Meghan Lynch (31:01):
I feel like that's going to be really surprising to listeners, not just the cost of it, but also that the number one thing that they should do is just educate themselves and

Mike Giovaninni (31:13):
Start there,

Meghan Lynch (31:14):
Educate their people, because that both feels very doable and also feels like something that family businesses would do anyway. Like, oh, if we knew that we were supposed to do that, we'd do that anyway. I think that most people listening are probably thinking, oh, step one means some kind of really expensive audit and some kind of tech lock that all of those things are.

Mike Giovaninni (31:39):
I will extend this to anybody who's watching the podcast. If you would like a professional, independent third party cybersecurity, well, we call 'em a penetration test. It's on a lower level. We're not going to be breaking into your building or anything like that, but a good cybersecurity assessment, we will do that for free. What it's going to do, it's going to give us a baseline.

(32:06):
Some have controls in place that we'll pick it up right away on these tests, these scans, and it will block our system, which is a good thing. And we encourage that, yes, somebody, they're doing the right things, but we have the opportunity to do that through one of our vendors. They're actually the ones who go through our system monthly and quarterly with some pretty deep level testing to make sure that our network is secure because supply chain is vulnerable. And if you were talking about small businesses, family owned businesses, that's something that they have to be concerning themselves with vendor security. Do they have a vendor questionnaire to say, are you doing these things? Do you have minimum benchmark security in place so that if you get compromised, I don't get compromised. Do you have adequate insurance in place so that if you get compromised and I get compromised that I'm not on the hook for what you brought into my system? So there are certain questions that should be asked by every company, let alone just family owned businesses. But I think family owned businesses are often, they're not aware of these things. It's not front and center to them. A large corporation, they're going to have a chief information security officer who's looking at everything saying, looking at every vendor that they use, every product that they use in determining what are the risks. And I think this is where small businesses in general

(33:42):
Need some help.

Meghan Lynch (33:43):
Yeah. I also think that there's a piece of trust. Well, we've done business with them for 30 years or 60 years or something, so of course we trust them. We don't have to worry about it. And it feels like those days are gone that it's not about trusting the individual that you're working with. It's about trusting all of, as you were saying, the bad actors out there who are attacking them and attacking you.

Mike Giovaninni (34:10):
And yeah, I mean, that ship has sailed, Meghan, and one of the big challenges is this. Threat actors are often in the systems that they target for months before they spring their final trap.

(34:24):
Some of them will do hit and run. The one that I dealt with in September that was a hit and run was 24 hours. They were in and out. They got what they wanted. They sprang the ransomware trap, and that was that. But a lot of them will be in there 9272, 3 months, six months, some more than a year. And by having that persistent access to your network, that means they may also have persistent access to your other clients' and vendors' networks. So yeah, you can't take it lightly anymore. It has to be a very certain part of your business budget. And again, this is where we see a lot of small businesses struggle is they don't really have a budget. They cross that bridge when they get to it. The problem is that often ends up costing them a lot more than it would if they had a good lifecycle management plan. They had a good IT security plan in place.

Meghan Lynch (35:21):
Yeah. So it's really about that stewardship of thinking about how do we get ahead of things as opposed to waiting until it's too late and then trying to undo things.

Mike Giovaninni (35:34):
Yeah. I mean, the hard truth is this, though, Meghan, there's always going to be a bad guy out there who's better than your controls. You just want to make them so hard for the myriad of low-level actors out there that are breaking in so that you at least get rid of that riffraff as a threat. So

Meghan Lynch (35:58):
If a family business is thinking about moving forward with some kind of AI implementation plan, but they really want to do it the right way, they're concerned about security, they're committed to training their employees. What does a secure rollout plan look like?

Mike Giovaninni (36:19):
Yeah, so the first step for that is going to be to create an acceptable use policy for AI. And you can either do it yourself, there are templates out there, or you can have somebody like myself who writes these silly things all the time to help you work through that. Once you have determined what you're going to do with it, how you're going to employ it, who you're going to allow to use it, what boundaries you want to put on them, you build that policy. Then you have the people who are going to be using it, before they even touch the AI controls, that they read, they accept and they sign off on that policy. That's your guardrails. In most states, if you don't have something written down as a policy, it's not a policy.

(37:05):
So if you have to go to a labor dispute, you've gone to terminate somebody because they used AI inappropriately. If you don't have it documented and you have no evidence of it being documented, you have no case. And so putting that level in first, have a plan, know what you want to do with it, know what your outcomes are going to be, what they're going to look like and communicate, talk about it. Bring somebody in who is familiar with AI that can guide you through it. It's always best to have a guide who understands it, but here you have to be careful because there are a lot of people who say they're really good with AI, but they're really there to take your money. So vet them well.

Meghan Lynch (37:49):
Yeah. And what does that vetting look like? What are the kinds of things you should be asking or thinking about as you're looking at vendors? I agree. It's very overwhelming now, the number of people who do this.

Mike Giovaninni (38:04):
Unfortunately, you can use AI to write some pretty good stuff about yourself. Always ask for references. Always ask for references or a referral. If it's a referral from somebody that you trust, say, "Hey, Meghan really understands AI really well, you need to talk to her," I would put a lot of weight in that. But if it's just some guy that you saw on the web and everything there is to, chances are, it's like when we see these people who say, we can have you compliant for HIPAA in 30 days. No, no, you can't. That's a minimum one year to 18 months to get you HIPAA compliant. It is a long journey with a lot of steps. So you got to be careful of that. If it sounds too good to be true, that probably is.

Meghan Lynch (39:02):
Yeah, so acceptable use policy. Have a professional who's very familiar with AI walk you through and your team through how to implement it. Have a plan you mentioned of what are the outcomes that you're looking for and

Mike Giovaninni (39:23):
Do training. There's plenty of great training on AI, even from the vendors themselves on proper prompt. Proper prompt. It's one of those tongue twisters, prompt development, how you can get it to do what you want to do without putting you at risk. Again, talk to somebody about security.

Meghan Lynch (39:46):
And then you had mentioned the pieces of making sure that you have, you're not using free tools, that you understand the security features available in the tools that you have and get it as locked down as possible.

Mike Giovaninni (40:01):
I mean, it's okay to use free tools for things that are not going to touch anything that's sensitive. If you're just dabbling, you're just testing the waters. Definitely use the free tools when you're deciding which platform is the best one for you, because they all have great features, but they're not all created equal, and your results may vary. One of the most important things you need to educate people on is do not take everything that AI tells you as gospel. Case in point, the attorney in California who got some legal briefs from AI, turns out they were fake, and he submitted them to court and the judge figured it out. He's now disbarred.

Meghan Lynch (40:47):
Yeah, I feel like we're seeing more and more examples of those hallucinations of people not double checking references data and just assuming that it's true. And then I've also heard too that businesses aren't getting the efficiency savings that they think they're going to because basically they're just pushing the work from one person to another. So, so that attorney creates their thing really quickly, but now the judge has to spend time double checking it and find all the places where it's not right. So again, I think it is that culture of responsibility and educating people is also, it not only helps keep you safe, but I think it also helps you get more from the tools that people know how to use well.

Mike Giovaninni (41:37):
Our society today has some serious problems with this nasty little word called accountability. And if you are not accountable to yourself when you start using AI, you're going to find yourself doing some things that you probably wouldn't want your pastor to see. You're going to be taking some liberties that are a little bit of a stretch to the sense of propriety. So just beware. It's a big rabbit hole. You can get sucked into it really easily. It's a lot of fun. I mean, I do a lot of work in AI, but I have boundaries. I have guardrails, and anything that I'm looking for a factual response, you can be certain that I am verifying that that is not just some wild hallucination that AI has dropped in my lap.

Meghan Lynch (42:30):
Yeah. I think also what you're bringing up, which I think is also an important conversation for family businesses to be having is how AI fits in with their values. How do we want to be using this? What are we using it for? How are we not using it? What are the guardrails that we're putting on it? And talking about that as a family and as a leadership team, there's a piece of it that is technical, but then there's also a piece that is, as you said, cultural values driven. What kind of company do we want to be? What kind of leaders do we want to be, and how are we setting the tone for our organization and enforcing that that's going to be the case?

Mike Giovaninni (43:10):
So that's a good segue to a very important point that I wanted to make sure we brought up with AI. Okay. There's a lot of things that you can do with it, and one of the challenges that we are going to see, and it's just starting to show itself, especially with youth who are using it for school, for schoolwork, all of us kind of know that Wikipedia was not always accurate. Well, AI is not always accurate, but the more and more that we come to rely on AI for all of these tasks that we put it to, the less creative we now become, more reliant on AI to fill in all the blanks and all the gaps. So we have to stop for a minute and think on this family business, I've built a brand on our integrity, on our product, on our quality, on our sales, on our pricing.

(44:06):
And now you start taking all that and you filter it into AI, which you can do. You do great things with AI, but if you lose yourself in it and now you start letting AI do all of the thinking for you, well, now you're going to see some changes in your business because less effort has to go into keeping that brand or so you think. But you'll also see that brand unravel a lot when people realize that it's all just nice words. It's not really what the culture is showing. So again, back to that culture, if you allow AI to take too much of a lead in what you're doing without guardrails on it, some brakes on it, you're going to find some really painful results down the road. So just be mindful.

Meghan Lynch (44:54):
Yeah, and I think it comes back to also that question about what are some of the things that we do not want to outsource

Mike Giovaninni (45:03):
The AI exactly

Meghan Lynch (45:04):
As our secret sauce of how we do business or how we do things. And I think as you see more businesses defaulting to like, oh, we'll just automate this or whatever, that it can also become a differentiator to not have certain things automated, to run things in a certain way that I think family businesses could use as a differentiator and a growth lever for the future.

Mike Giovaninni (45:32):
Again, there are a lot of things that AI can do, and the more sophisticated you become at writing prompts, I can tell you that it will simplify those onerous tasks that we all just despise having to do. The challenge is, of course, if you allow yourself to rely on it too much, what do you do when it breaks?

Meghan Lynch (45:54):
What

Mike Giovaninni (45:54):
Do you do when you can't access it or there's something wrong with it? Now you've lost the edge. You've lost that competitive side of your brain. It is just not getting the exercise that it needs. I know for you, Meghan, you guys are amazing creators. You come up with some beautiful work, your content is outstanding. If you give all of that process to AI, what happens?

Meghan Lynch (46:20):
Is

Mike Giovaninni (46:20):
It still every time?

Meghan Lynch (46:21):
Yeah, we use that muscle and that function. I think about it almost as learning how to do long division and stuff. When you're in school and you're learning how to do all this complex math and you're like, oh, I'm never going to need to do this. I've got a calculator. Why do I need to learn how to do this? And then when you don't have a calculator, exactly, do it long form. It's like, alright, that's why I learned that. But yeah, and I think it is interesting too, you get so accustomed to the speed of it that slowing down to do something yourself starts to feel like, oh, this is taking way too long. Even when it's normal.

Mike Giovaninni (47:06):
I don't know. I've been finding that certain AI engines have been bogging lately. I try to do simple things like, oh, for heaven's sake, I'm waiting five, 10 minutes for the page to refresh. I'm out of here. I'll use my head. I'll go back to searching the web.

Meghan Lynch (47:25):
But yeah, so I think just taking some time to unplug for a bit or do something in a manual way can also just reset us to like, okay, number one, I still have the skill. I'm still exercising this muscle. And then also just reorient you to how long something takes to do and

Mike Giovaninni (47:45):
Oh, I agree. And one of the things that I would encourage, so if you've got listeners who are looking to get into AI, and I certainly don't want them to be discouraged from doing it because it can do some really good stuff with it. What I would recommend, if you're going to use it for any type of content creation, make sure that your final check is through your own eyes or human eyes. Always have that human layer to make sure that you're not sending out hallucinations or something that is going to tarnish your brand, and it's very easy to do, or it's going to set you up for making promises that you can't keep. AI is really great. If you ever notice, every AI prompt is always saying Great question. Yeah, telling me hear. That's a really good idea. Want to hear? Yeah, exactly. And so the other downside of this now, if you haven't seen the news lately, but there are people who are becoming so enamored with their AI chat that it's like they're in a relationship with them.

Meghan Lynch (48:46):
Yeah, there's some definite crazy rabbit holes. People are,

Mike Giovaninni (48:51):
Frankly, I was just yelling at ChatGPT earlier today, so have a pretty good handle on what I think of it. So yeah, you've got to stay focused on who you are, you got to stay in today, you got to stay in reality. And unfortunately, the more that we rely on AI, the more that rely on even just leave your smartphone away from the dinner table. You go out to dinner with somebody, leave your smartphone in the car. If you got kids and you got to worry about that, at least set it on to vibrate and put it in your pocket. But we spend so much time with screens in our face that AI is just going to make that much more of a drawback to actually having real relationships, having these one-on-one conversations like this. If we let AI and we let technology do it all for us, we're going to become very shallow really fast. Consider 57% of Gen Z aspires to be influencers. Doesn't that make you cringe?

Meghan Lynch (50:10):
Sure does. And I think it goes a long way to say that the tech guy is saying unplug for a while.

Mike Giovaninni (50:15):
Unplug. Yeah. I love the summer because I can unplug. I can go out into my garden and just work in my garden for the entire day, leave my phone in the house. I'm not going to hear it anyways. And so for me, it's balm for the soul. So yeah, unplugged. I'm a follower of Darren Hardy, and one of the things he says is have one day a week where you just completely unplug from tech, everything, your computer, your email, your phone, everything. Just put it aside and focus on things that you can do with your mind and putting things on paper. Be creative. Use that as your creative time so that you exercise that part of your brain. I don't get to do it as often as I'd like, but when I do, I tell you what, it's like a slice of heaven. It's a beautiful thing.

Meghan Lynch (51:09):
You're listening to Building Unbreakable Brands, the podcast all about brand stewardship and crafting an enduring legacy. I'm speaking with Mike Giovaninni, founder of Network Strategic Services, and now my son Henry is here to be the voice of the next generation with some questions for Mike.

Henry Lynch (51:26):
Hi, Mike. Great to meet you.

Mike Giovaninni (51:28):
Great to meet you as well. I've been looking forward to this.

Henry Lynch (51:32):
So what's the weirdest tech issue you've ever had to fix?

Mike Giovaninni (51:37):
Oh, I could take that in a lot of different directions. Oh boy. Let's see. I would say the weirdest one I ever had to deal with was way, way back when I first started in technology, I used to fix music equipment and I had somebody bring in a very expensive keyboard that his cat decided to, well use it as a litter box. That was probably the strangest thing I had ever had to deal with. I've never known that cat business can etch the metal right off of a circuit board. It's very acidic. That's the weirdest one. I would say the hardest one is for a follow-up on that, the hardest one I've ever had to deal with was getting a company recovered from ransomware. That's a lot of time.

Henry Lynch (52:29):
Definitely. So what's one thing a kid my age could do to keep their computer safe?

Mike Giovaninni (52:36):
Well, there's a couple things. The first one is educate yourself. Understand how threat actors target young children like yourself, especially in the middle school, high school levels. They will often target the websites that you frequent. And I'll give you a little story. So I've got kids, they're all adults now, but when they were young about your age, my daughter especially, she had a tendency to go to nickelodeon.com frequently, and it seemed that every time she went to nick.com, she got a virus. And here's the thing, a lot of these big websites, especially those geared towards children, are used as launchpads. They use what are called a hack. They put a compromised image, or they put a compromised link on a website that is frequented by young people knowing that they have a tendency to click on things and they see, oh, I got to click on that.

(53:42):
And what that does is that creates a vulnerability, a risk to the computer that you're using. And if that's a computer that's shared among the family, the goal is to get on that computer and hopefully compromise mom and dad's financial accounts or work accounts, things like that. So that's the first thing, educate. The second is know what is bogus. Learning to recognize things like those pop-up ads that come on your computer that sound like they're a real good idea, they very rarely are. Or if they tell you something that is you have to do right away, give you a sense of urgency, like it has to be done right this minute. That's probably something that you should be very suspicious of. If you get a popup that says your computer has a virus, don't click on anything and don't make any phone calls. It's garbage nine times out of 10. So just be mindful of that.

Henry Lynch (54:49):
So if a hacker tried to break into your systems, what's the first thing that you would do to stop them?

Mike Giovaninni (54:57):
Well, myself, I wouldn't do a whole lot. I have some sophisticated tools to keep that from happening, but for the average people who don't have that level of cybersecurity sophistication in place, I have to have it because I could damage my clients if my systems get compromised. But for the average person, the first thing that you want to do for anything that looks really bad is disconnect your computer from the network. Don't turn it off, disconnect it from the network. And the reason you want to do that is because it will break the connection between your system and the threat actor that uses what's called the command and control structure. And if you turn it off, you lose all of the evidence, you lose all the forensic information that somebody like me can determine how bad is it? So once you turn the power off, all of that stuff goes away.

(55:56):
So we want to be able to get information out of memory. We want to be able to get information out of log files in that type of a situation. That would be the first thing. Unplug it from the network and call somebody who can help you. As far as how can you protect yourself, good antivirus software, that's a good place to start, but it has to be something that includes something called endpoint detection and response, because that's going to look for indicators that somebody's doing something suspicious on your computer. They do what they do usually when you're not watching, so late at night, early in the morning. So you want to make sure that any security software that you have is watching out for that when it's happening.

Henry Lynch (56:40):
Thanks, Mike. I have a joke for you.

Mike Giovaninni (56:43):
Awesome.

Henry Lynch (56:44):
Why don't computer programmers like hiking?

Mike Giovaninni (56:48):
I don't know. I'm a computer programmer and I like hiking.

Henry Lynch (56:52):
But why? There are too many bugs.

Mike Giovaninni (56:54):
Too many bugs. Yeah. Well, that would definitely, I'd agree with that. Yeah, there are bugs out there. There's a good one. That's a good one.

Henry Lynch (57:02):
Yeah. Thanks so much for being on the show. If people want to learn more about you or your company, what's the best way for them to do that?

Mike Giovaninni (57:10):
Best way would be to jump on our website, just go to getnetwerks, G-E-T-N-E-T-W-E-R-K-S.com, and that'll get you to us. We can certainly have a conversation with anybody who's interested in finding how to secure themselves or digging deep into AI. That's what we do.

Henry Lynch (57:32):
Great. We will link to those in the show notes. Thanks again. It was great talking to you.

Mike Giovaninni (57:38):
Awesome, Henry. It was great to meet you.

Meghan Lynch (57:43):
What struck me most today was Mike's insistence that education, not hardware or software, is the strongest security tool we have. The idea of the human firewall is simple but powerful. Most risk comes from what we don't know, and training alone can cut that risk in half. I also appreciated his reminder that culture sets the tone. If leaders take shortcuts, the whole organization follows. But when leaders model smart habits like pausing before clicking or verifying requests, teams rise to that standard too. If you want to learn more about Mike's work or request a cybersecurity assessment, you can visit getnetwerks.com. We'll link to it in the show notes. And if this episode helped you think differently about AI security or stewardship, please share it and leave us a review. It helps more leaders like you discover the podcast. Thanks so much for listening, and we'll see you next time on Building Unbreakable Brands.

Creators and Guests

Henry Lynch (Host): Co-host of Building Unbreakable Brands
Meghan Lynch (Host): Co-founder and CEO of Six-Point