Episode Transcript
Speaker 1 00:00:05 Welcome to the Clear Impact Podcast, brought to you by P G T I University. Thanks for joining us today. My name is Sherry Connor, and I am your host. Good afternoon. We are here on the Clear Impact Podcast, and we are doing a series around executive updates and Steven Loppe in studio with us today. And welcome back, Steven.
Speaker 2 00:00:28 Thank you, Sherry. It's a pleasure to be back.
Speaker 1 00:00:30 Yeah. So Steven, you and I recorded an episode last year as you two years ago, and you were still kind of new in your role as vice president of our IT teams. And so I would imagine that last year, last fall when you get a call that we're under a cyber attack, that's probably about your worst nightmare come true. And so I know your team responded very quickly and had to rebuild servers and computers and recover data and just a ton of different things. And so I think maybe enough time has gone by where you can talk about it now, <laugh>. So can you tell us just a little bit about that? Sure.
Speaker 2 00:01:12 Um, I think it definitely was the worst day of my entire adult life and probably worst few weeks of my entire adult life to get a phone call at seven in the morning that we've been hit with a cyber attack.
Speaker 1 00:01:26 Yeah. On a Saturday too,
Speaker 2 00:01:28 On a Saturday morning at seven o'clock in the morning. And my first thought was like, is this really a cyber attack or did somebody just lock themself out of their computer? Mm-hmm. <affirmative>. So I said, you know, I better just go in to make sure, you know, I literally live 20 minutes away, but drove in and already, you know, three of the key members of the infrastructure team were on site and literally like pulling wires out of walls, just disconnecting anything they could. Oh my. Uh, because it was a true cyber attack. And so, you know, I give all the credit in the world to the team for their efforts, but, you know, to make that call at seven o'clock in the morning to Jeff, our ceo Right. Our chief legal counsel, our chief financial officer saying, we've been hit, we don't know how bad, I'll let you know.
Speaker 1 00:02:20 Oh
Speaker 2 00:02:20 Gosh. And so, you know, the first thing we did was just assess, you know, where are we? But at, you know, nine in the morning we were looking at, this is so bad, it could take us two to four weeks to fully recover. Mm. Not a good feeling in your stomach, let me just tell you. Yeah. But by, I wanna say three in the afternoon, we had a much better assessment of where we were and felt, you know, this is recoverable mm-hmm. <affirmative> and, you know, started working on that and the wheels were in motion already at that point with cyber legal counsel, uh, ransomware negotiator, third party managers, detection response firm, a forensics firm. Oh my gosh. A world that I just really, I had heard of mm-hmm. <affirmative>, but really didn't, you know, ever come close to before.
Speaker 1 00:03:10 So definite learning experience, <laugh>, sadly, those are not the things you wanna learn, but, and not that way anyway.
Speaker 2 00:03:17 No, I I, I, I've basically said to anybody and anyone who will listen, if, if you want to talk about it and how to prepare and how to defend, I'm more than willing to talk about it because it truly is something I, I wouldn't wor wish on my worst enemy. Mm-hmm. <affirmative>, it was that stressful. And, you know, it lasted for me, the heat of it, you know, was two weeks now we had all of PGT back up and running within a week, but I have this new rule, it's called the 90 90 rule. When you're 90% done, there's only 90% left to go
Speaker 1 00:03:51 <laugh>. Okay. Because,
Speaker 2 00:03:53 You know, everybody in the company saw our systems were up and working, but there was a tremendous amount of work still going on in the background to protect us more going forward. There was a tremendous amount of work to make sure, you know, obviously that nothing had impacted our financial statements. So Yeah, it was brutal.
Speaker 1 00:04:11 Yeah. And everybody had to have their laptops rebuilt and the impact just trickled out and trickled out and trickled out. So that was the first time I'd ever really been involved in anything like that. <laugh> like, wait, what? Like, oh my goodness. It was very strange walking through here those first couple of days. And I mean, did you guys just like set up cots and order food in or <laugh>? I mean, like,
Speaker 2 00:04:35 For, for the most part, and again, I thank all the executives who pretty much brought food to us. I mean, you know, kept us going with caffeine and food. But yeah, I, I think, you know, a lot of the team didn't sleep for 72 hours to the point finally I was like, look, everybody needs to go home and get some rest. Yeah. It was pretty crazy. But that's where, you know, again, the company coming together behind this was just as incredible as the IT team coming together because as we started to get things back online, obviously everything wasn't working. So in Fort Myers, they couldn't print, but they had a printer up here. People would drive the paperwork from Venice down to Fort Myers, do work, drive paperwork back to input. So just, it's the one thing about PGT that I love is this truly is like a big family that everybody's willing to help everybody.
Speaker 1 00:05:29 So how does something like that happen? Like obviously we're a bigger target than maybe a mom and pop shop or a small business because we're, you know, 1.5 or 1.6 billion, you know, last year. And so obviously if it's a cyber attack, it's a ransom thing, right? They want money, right. To give you your system back. Right. But security, any kind of IT security, anybody's vulnerable to viruses and things like that. Yep. So how does something like that happen? Yeah,
Speaker 2 00:05:59 So the main, what they call vector of entry typically is phishing emails. Hey, Sherry, here's a great deal on pizza tonight from Eddie's Pizza, which you've never heard of. And you go, oh my gosh. You know, if free pizzas tonight, that's a simple example, but somebody clicks on that, it kicks off a download of malicious software onto your computer and you don't know it at that point. And the threat actors, at the end of the day, they're very smart people. They'll just sit and leave that software running on your computer to gather data and gather every keystroke that you type in and feed it back to them. So then they know your passwords. So they can easily go back at any point in time and get in. And that's why it's really important, you know, one of the first things to do for everyone, especially I always tell people anything around finance, make sure you have multifactor authentication enabled where if you log onto your bank, make sure they send you a code that you have to enter to continue to get into your area of your banking. Right. Don't leave it just, I logged on, on a website at, I'm at wells fargo.com, because if you do that, you're really leaving yourself exposed.
Speaker 1 00:07:19 Be sure to tune in for upcoming episodes to help you understand the fenestration industry, what you need to know when buying windows and doors and other related topics. You can find out more about us at p pg ti university.com. You can also find us on Facebook and LinkedIn. Yeah. And, you know, so having strong passwords, having multifactor authentication, and then I know one of the things that we were instructed as team members was to completely turn off our computers every night. And I had not been in the habit of doing that. And so that's just kind of a no-brainer for everyone. Right. Just make sure everything's turned off at the end of the day because then they, they can't get in and do anything.
Speaker 2 00:07:59 Right. The people who were most protected at the end of the day at PGT were people who, who had laptops who were not in the office, because again, there was no way for the threat actor to get out to somebody's home at that point. If you're not connected. It was the people who left their computers on sitting there all day. And, and a lot of people have seen this in the news recently, the, the threat actors company called Royal. And, you know, I think the city of Dallas was hit two weeks ago. Mm. And shut down, I think their police department. I mean, massive, massive outage.
Speaker 1 00:08:33 Wow. That's so crazy. Yeah. So what have we put into place, if you can talk about it, what have we put into place to prevent future events like this from happening, other than what we've already mentioned?
Speaker 2 00:08:45 Yeah. So the, the first thing we did again was this managed detection and response company, and it's a company called Arctic Wolf. They're, you know, premier in the industry, but they are our 24 7. They're watching our networks. They have software on our networks now on every single machine that is constantly looking for anything out of the normal. So if my machine and your machine never talk, and all of a sudden they start talking, Arctic Wolf will just shut that down and they have permission to just shut everything down first, ask questions second. Right. So we've added additional software for, you know, more advanced, I'll just call it antivirus software at the end of the day mm-hmm. <affirmative>. And then there's other things in the background that we've done as well. But it is a comforting, and nobody's ever truly protected. I mean, the CIA's been hit, the navy's been hit. I mean, you know, people that spend, you know, hundreds of million dollars a year on security, but at least for me, it makes me sleep better at night knowing these guys will alert us 24 7 if they see anything out of the ordinary, at least, uh, again, it feels good that we're protected.
Speaker 1 00:10:00 Yeah. Well, and it's nice to know that we have a team that can respond quickly when something like that does happen. Yes. And that we're not completely paralyzed, you know, for days and days and days and weeks. Right. So how can our dealers protect their systems?
Speaker 2 00:10:16 Yeah. So the first thing I'll say is you have to back up, you know, if you're a dealer with a single server or just a desktop that you're running Quicken or just a piece of software that you use to manage your business back that software up back, that computer up and eventually test that, you know, you can use an old computer to test a restore to that, but the more frequent you back up and the more frequent you restore the higher comfort level you'll know of, we can do this. Mm-hmm. <affirmative>, you don't want to be in that position of, oh my gosh, we back up our computer, but nobody's ever tested it in the three years since we've been doing this. And then have that day come and go, wait, we don't even know how to restore it. Right. So I, I think that to me is the number one thing to get comfortable with that. And if you're not comfortable with that, look for what they call an msp, a managed service provider. And there are a lot of managed service providers out there that cater to, I'll just call it mom and pop type shops. They don't charge an arm and a leg, but they have expertise in these things and can, again, it just gives you a higher level of comfort to sleep at night.
Speaker 1 00:11:31 Right. It's like locking your doors. Exactly. Yeah. Or setting your alarms or whatever you need to do. Anything else you wanna share around this topic? Yeah,
Speaker 2 00:11:38 I mean, I think, again, it comes back to like good digital hygiene. At the end of the day, don't click on links that you, you just won a million dollars. You know, don't
Speaker 1 00:11:48 No, those aren't real.
Speaker 2 00:11:50 No, I, I know you've done it three times, but you know, they're never real.
Speaker 1 00:11:53 I don't have a lo I don't, I don't have a long lost uncle in Saudi Arabia who's leaving me his oil fields. No,
Speaker 2 00:11:58 No, you don't.
Speaker 1 00:11:59 Um, oh man. So
Speaker 2 00:12:02 I, I, I think, you know, again, it's practice that good digital hygiene of, again, just good common sense at the end of the day, don't click on those links. You know, if you get a link from even someone that you typically do business with, but you feel it's strange, take that time to make that phone call and say, Hey, Sherry, I got this email message from you and it says X, but I wasn't exp Yeah. I never sent that. Because again, they're very good at spoofing other, you know, you know, they could easily figure out who our top vendors are and send us emails going, Hey, this is Eddie from one of those top vendors. Do this. I, I think, you know, that to me is, is the biggest thing you can do at the end of day.
Speaker 1 00:12:45 Right. So just don't open everything and click on things. And so watch links. What about attachments? Can attachments carry those things to
Speaker 2 00:12:52 Attachments? That is pretty much where 90% of these come from is malicious attachments. So again, don't click on links, don't click on attachments. The other thing you can do, and, and you can do it at a pretty reasonable cost, and when I say reasonable, I'll even say cheap, is do some basic cybersecurity training and give your employees that cybersecurity training. We use a company called no before, very reasonable on a individual basis, but we make all employees, our new employees go through training. We give, you know, people go through it twice a year. These are the things you need to look out for. And we test our employees because we want them to go, whoops, I made a mistake. Why should I not do that in the future?
Speaker 1 00:13:38 Yeah. So no, before is K N O W. Yep. Be b e and then the number four number. Yep. And so I remember taking that, but I think it was like, Hey, what's wrong with this email? And there was like 10 things that were wrong with that email that, you know, were obviously set up that way for us to be able to identify them. But even if just one of those things exists in an email, that's a signal. Exactly. All right, well here's to, uh, good digital hygiene and cybersecurity and great teamwork and just trying to keep on top of these things.
Speaker 2 00:14:12 Yes. Love the team here at P G
Speaker 1 00:14:14 T. Yeah. That's awesome. All right. Thank you, Steven. I appreciate your time today. Thank you, Sherry. Have a great day. You too. Okay. P G T I University is the customer education team for an entire family of brands. We began with the original Easy Breeze, porch enclosure line then became P G t, America's leading brand of impact-resistant windows and doors. We then added cgi, CGI I c Window, Western Windows Systems, new South Windows, echo windows, and doors, and lin windows and doors, and our latest acquisition Martin Garage doors. We create products built to withstand major storms, keeping people safe, secure, and prepared. Our exceptional brands give you the protection you need without compromising design or functionality. P G T I University is here to educate you, our listener, so that you can be a more informed consumer of window and door products.
