This year, OCD Tech celebrates ten years as a company. Since its formation a decade ago, the Braintree-based IT audit and cybersecurity firm has expanded from one employee to 60 working all over the world—including in a newly opened Mexico City office—while remaining on the frontlines of cybersecurity defense and adapting consistently as the industry, and hackers, evolve.
MassTLC sat down with OCD Tech founder Michael Hammond, Principal of IT Audit & Security, to learn more about this evolution, the most common (and preventable) mistakes that he sees, how organizations can adapt now to the security concerns of the future, and more. Surprisingly, even as cybersecurity technology and threats advance, OCD Tech has observed that the core weaknesses of organizations largely remain the same. Hammond explains why that is and shares simple, human-centered decisions that leaders can make now to prevent catastrophe in the future.
Read on for the full conversation. Congratulations to OCD Tech for a successful first decade!
Could you introduce yourself and OCD Tech? What is your role at the organization?
My name is Michael Hammond, and I’m the partner in charge here at OCD Tech, an IT audit and cybersecurity firm located in Braintree on the South Shore of MA. OCD Tech was founded ten years ago as part of the IT audit group within O’Connor & Drew, a public accounting firm, also based here in Braintree, that has been around for 75 years.
Ten years ago, the four owners of O’Connor & Drew saw that more of the controls they were working on were IT-related and realized they needed to enhance the offerings they had within their own portfolio of services, so I was asked if I could start the IT audit group within the company. At the time, OCD Tech had zero people besides me. In the beginning, I didn’t have a business background, but over time as we grew, I spent more time working on the business side of things, overseeing marketing, hiring, and financials. We’ve made it to the point now where in January of this year, we actually split OCD Tech from the public accounting firm. As an owner of OCD Tech, now I spend even more time on those functions and the financial side of things than I did previously. As we approach our ten-year anniversary, we have almost 60 people between the U.S. and the Mexico office that we opened last year.
Everyone on our team deals strictly with IT audit and security. We’re not CPAs or financial people that moved over; everyone has some type of IT background on our team. We are management consultants who do advisory and assurance work. On the advisory side of the house, we work with management to ensure that their environment is secure, whether it is on-premise hardware and software or in the cloud. We’re humans that advise other humans. We’re literally checking to make sure things are working. One of the things that we still see a lot of is that people assume they can buy a piece of software and risk will go away, but software still needs to be implemented on a network and tuned to an environment. Often companies don’t do that. That’s where we come in and help on the advisory side. On the assurance side, we do traditional IT audits.
OCD Tech has been around for ten years now, and you have been there since the beginning. How has the industry evolved since you started?
The biggest fundamental change that I’ve seen over these 10 years is the move to the cloud. In the beginning, people were hesitant to go to the cloud; they didn’t understand it. Now, people naturally sign up for cloud services, whether they realize it or not, and they adopt a cloud-first strategy versus building a server in-house and putting in their own network and hiring people to maintain that server.
The problem with this shift is that people assume these services are naturally secure, and they still don’t have good passwords, they’re not using two-factor authentication, or they don’t lock down their drive folders. There are hackers that scan constantly for these types of weaknesses. Everyone’s making the move to the cloud, which is great because it’s less on-premise hardware, but people are incorrectly assuming that it means that these systems are secure.
How have attacks changed over the last ten years since OCD Tech started?
Attacks are increasing. Vendors have data that confirms this. One of the benefits we see is that, because organizations don’t have the equipment on-premise as much, those types of attacks happen less. The problem is now, instead of a hacker having to go attack 100 companies and maybe get into just one, a hacker can attack just one cloud service provider and possibly get into all 100 of those at once. As companies consolidate more of their infrastructure into the cloud, it’s easier to go after just one cloud service.
What are the common mistakes that you see organizations make when it comes to security? What advice do you have when it comes to what to prioritize?
When people ask that question, I give them two easy answers. Both are free to implement. First of all, turn on two-factor authentication on every one of your services. Two-factor authentication is not perfect, but it definitely slows hackers down and makes it much harder for them to try to break in. Second, do not reuse passwords. One of the services that we do all the time while testing is to find password hashes from the dark web. We successfully use those passwords in our attacks. If we’re doing it, other people are definitely doing it too, and if those passwords are reused between different services, hackers can easily move across from a website to an online payroll portal to a VPN. If you use a password manager and don’t reuse passwords, then a hacker might hack into one tool, which is not great, but at least they’re not going to compromise everything that you’re using.
We’re ten years into it, and we’re still finding people use bad passwords. They use the same passwords over and over again, and they don’t turn on two-factor. Yes, there are sophisticated ways to get around two-factor, but it slows the whole thing down. If a hacker has two companies they are going after and one has two-factor turned on and one doesn’t, they are going to go after the easier one. It makes you an easy target.
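The two checks behind the advice in this answer can be automated on the defender's side. The following is an added example written for this article, not code from OCD Tech or from the interview: it assumes a constructed in-memory corpus standing in for a breached-password dataset and a constructed password-manager vault export. The compromised-password check uses the k-anonymity range pattern (only the first five hex characters of the SHA-1 hash are sent to the lookup, the match is made locally), and the reuse audit flags any secret shared by two or more services, which is exactly the condition that lets a leaked password for one site be replayed against a payroll portal or VPN.

```python
"""Defender-side password hygiene checks (added example, not from the interview).

1. breach_count(): k-anonymity range lookup against a breached-password corpus.
   The full hash never leaves this process; only a 5-hex-character prefix does.
2. find_reused(): audit of a password-manager-style vault for secrets that are
   reused across services.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed corpus of "breached" passwords; in practice this is a real breach
# dataset behind a range API. These values are made up for the example.
_CONSTRUCTED_BREACHED = ["Password123", "Summer2019!", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus as 5-char prefix -> {35-char suffix: occurrence count}.
BREACH_INDEX: Dict[str, Dict[str, int]] = defaultdict(dict)
for _pw in _CONSTRUCTED_BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX[_h[:5]][_h[5:]] = BREACH_INDEX[_h[:5]].get(_h[5:], 0) + 1


def range_lookup(prefix: str) -> Dict[str, int]:
    """Stand-in for the remote range API: return every known suffix under a prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(BREACH_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 means not found).

    Only the prefix is sent out; the suffix comparison happens locally, so the
    lookup service learns nothing usable about the password itself.
    """
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def find_reused(vault: Dict[str, str]) -> List[List[str]]:
    """Group services by password hash; return every group of 2+ services, sorted."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for service, pw in vault.items():
        by_hash[sha1_hex(pw)].append(service)
    return sorted(sorted(svcs) for svcs in by_hash.values() if len(svcs) > 1)


def audit(vault: Dict[str, str]) -> List[str]:
    """Human-readable findings: breached passwords first, then reuse groups."""
    findings = []
    for service, pw in sorted(vault.items()):
        n = breach_count(pw)
        if n:
            findings.append(f"{service}: password present in breach corpus ({n} occurrence(s))")
    for group in find_reused(vault):
        findings.append("same password reused across: " + ", ".join(group))
    return findings


# Constructed vault export (service -> password), made up for the example.
SAMPLE_VAULT = {
    "webmail": "Summer2019!",
    "payroll-portal": "Summer2019!",
    "vpn": "Summer2019!",
    "crm": "correct horse battery staple",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(finding)
```

Run as a script it prints three breach findings (the same leaked password sits on webmail, the payroll portal and the VPN) and one reuse finding; fixing the reuse with a password manager turns a single breach into a single compromised account instead of three.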
It sounds like so much of this comes down to human behavior. What do you say to organizations that are searching for a “magic wand” tech solution to solve their security problems?
It doesn’t work that way. There’s no fancy box or piece of software that’s going to solve 100% of security problems. We have to make sure that we’re helping users be more security aware, so they know not to click, not to let someone in the door, not to download a piece of software from a website. From a technical perspective, we help them by actually turning on two-factor authentication and giving them the tools to be able to figure out where to save 300 passwords, so that they can change their behavior.
In our security reports, we’re still writing the same top three findings that we were writing ten years ago. Companies don’t know all the devices that are on their network, companies don’t use two-factor authentication, and the systems companies have on their network are not patched. When the systems are not patched, the vulnerabilities that existed years ago are still there, and we’re able to exploit them during our security reviews. Unfortunately, our template that we use for writing the reports hasn’t changed much, because those top three items tend to be the same. For our clients that we do year-over-year work with, the bar does get set higher as they work through it, but when we work with a new client, we are using that old template.
How do you expect to see threats evolve in the future? How can organizations prepare?
When we work with clients, we always emphasize that, yes, it’s bad that we were able to exploit a vulnerability, but the most important questions are: Did the organization detect us? How fast can they detect the bad things that we’re testing on the network or that other people are doing on the network? The faster they are detected, the faster an organization can contain it. There’s always going to be someone who is better than you at being able to break into your network. Because of that, we encourage people to focus on detecting attacks much faster. If we can detect them faster, we can shut them off. We have some clients where we run through their network very quickly, but they detect us every single time. That’s good, because they’re able to shut us off. Then we have other clients where we can be in there for three weeks, and they never even see an alert. If we’re in there for three weeks and they don’t notice, then unfortunately, there are probably other people in there that have been in there much longer.
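The point of this answer is time to detect, and that is measurable. The following added example (written for this article, not OCD Tech's tooling) runs two common authentication-log rules over a constructed log excerpt and reports, for each alert, how long the activity had been going on before the rule fired. The log format, thresholds and window are assumptions chosen for the example; the source addresses are documentation ranges.

```python
"""Time-to-detect over authentication logs (added example, not from the interview).

Rule "spray": one source fails against SPRAY_USERS or more distinct accounts
              within WINDOW (password spraying).
Rule "brute_then_success": a source logs in to an account after at least
              FAIL_BEFORE_SUCCESS failures on that account within WINDOW.
Each alert records when the activity was first seen and when the rule fired;
the gap between the two is the detection latency the interview talks about.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format for the example: "<ISO-8601 UTC> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
WINDOW = timedelta(minutes=10)   # assumed sliding window
SPRAY_USERS = 5                  # assumed threshold of distinct accounts
FAIL_BEFORE_SUCCESS = 3          # assumed threshold of failures before a success


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def _alert(rule: str, src: str, user: str, first: datetime, now: datetime) -> dict:
    return {"rule": rule, "src": src, "user": user, "first_seen": first,
            "alerted": now, "latency_seconds": (now - first).total_seconds()}


def detect(lines: List[str]) -> List[dict]:
    """Single pass over chronologically ordered lines; returns alerts in firing order."""
    alerts: List[dict] = []
    src_fails: Dict[str, deque] = defaultdict(deque)     # src -> (ts, user) failures
    acct_fails: Dict[tuple, deque] = defaultdict(deque)  # (src, user) -> ts failures
    fired = set()                                        # suppress duplicate alerts
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if not ev["ok"]:
            src_fails[src].append((ts, user))
            acct_fails[(src, user)].append(ts)
            while src_fails[src] and ts - src_fails[src][0][0] > WINDOW:
                src_fails[src].popleft()
            distinct = {u for _, u in src_fails[src]}
            if len(distinct) >= SPRAY_USERS and ("spray", src) not in fired:
                fired.add(("spray", src))
                alerts.append(_alert("spray", src, "*", src_fails[src][0][0], ts))
        else:
            q = acct_fails[(src, user)]
            while q and ts - q[0] > WINDOW:
                q.popleft()
            key = ("brute_then_success", src, user)
            if len(q) >= FAIL_BEFORE_SUCCESS and key not in fired:
                fired.add(key)
                alerts.append(_alert("brute_then_success", src, user, q[0], ts))
            q.clear()  # a success resets the per-account failure streak
    return alerts


# Constructed log excerpt: a spray from 203.0.113.7, a benign typo-then-login from
# 192.0.2.5, and three failures followed by a success on "frank" from 198.51.100.9.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:03Z src=192.0.2.5 user=gina result=OK
2024-05-01T09:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:05:00Z src=192.0.2.5 user=gina result=FAIL
2024-05-01T09:05:10Z src=192.0.2.5 user=gina result=OK
2024-05-01T09:10:00Z src=198.51.100.9 user=frank result=FAIL
2024-05-01T09:10:20Z src=198.51.100.9 user=frank result=FAIL
2024-05-01T09:10:40Z src=198.51.100.9 user=frank result=FAIL
2024-05-01T09:11:00Z src=198.51.100.9 user=frank result=OK
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["rule"]:20} src={a["src"]:14} user={a["user"]:6} '
              f'detected after {a["latency_seconds"]:.0f}s')
```

On the sample the spray is caught four seconds after it starts and the brute-force-then-success a minute after the first failure; the single typo from 192.0.2.5 does not fire anything. The number worth tracking over time is the latency column: the interview's three-weeks-without-an-alert case is the same measurement with a much larger value.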
What’s next for OCD Tech?
We are 10 years into this now, and we are not finished. We just opened up our Mexico City office, because we have clients down in Mexico and Latin America that wanted to work with us in their local currency and with local people, so we opened a big office down there. For the next ten years, we will continue to grow. We don’t do hardware and software, so for us, it really is all about people. We’ll continue to invest in the talent of our teams. For example, we do a weekly lunch-and-learn. We pay for every certification that the teams want to get, because we never know what that next product is going to be. We are all constantly learning.
I’m always looking for those kinds of one- and two-person IT and security teams with entrepreneurial spirit who want to make a go of having their own business but realize that running a business is hard and not what excites them. These are the kind of people we want to add to our team. They are going to help us grow from the 60 people we have now to 150 or more in the next ten years. We are in IT, so it doesn’t matter where you live. Some of our clients require that the person be a US citizen, so we have to segment that part of the work, but the rest of it doesn’t really matter.
The talent is what excites me most; it’s exciting when we hire a new person and they find some new way to service a client that we hadn’t thought of before. Whether the team’s writing custom software to exploit a vulnerability at a client site, or they’re writing an automation to help make part of their job easier, it’s that kind of stuff that I love to see.
It’s been a lot of work to get it to 60 people and to keep it going like this. I think the hardest thing for me was the first hire that wasn’t me. But going from the second hire to hire number 60… I can’t believe how fast the 10 years went.