Interview with Ivan Vislavskiy Of Comrade Digital Marketing

Updated on: December 4, 2024
Roberto Popolizio

Business owners frequently ask our advice on cost-effective cybersecurity solutions against common threats like phishing and ransomware, on employee training, and on how to handle compliance requirements like GDPR and SOC 2.

To help them, we decided to start this new Safety Detectives interview series with business owners who have successfully faced these same challenges head-on. If you’re looking for actionable tips from those who have been in your shoes, to safeguard your company and avoid costly mistakes, keep reading.

Our guest today is Ivan Vislavskiy, CEO and co-founder of Comrade Digital Marketing, a full-service digital marketing agency. He discussed his insights from direct experience with cryptojacking, phishing, handling security in-house vs. outsourcing, and how Comrade currently keeps its customers’ data secure.

Tell us a bit about you and your role in your company.

Our focus is law firms and home service businesses, but we work with a variety of industries. Over the last 15 years, I’ve worn many hats, from strategizing marketing campaigns to leading the company through significant transitions, like narrowing our focus to our niche industries.

In my current role, I’m responsible for guiding the vision and growth of our company. This means keeping a close eye on industry trends, implementing AI across most of our departments to improve efficiency, and ensuring our team delivers exceptional results for our clients. My job is equal parts visionary, problem-solver, and motivator—and it’s something I take great pride in.

Like many business owners, I’ve had my fair share of challenges, especially around operational efficiency and cybersecurity—both of which are critical for any digital-first company. But those lessons have also shaped the way we serve our clients today.

What event(s) made you realize the real importance of online safety and privacy? What happened and what lessons did you learn from that episode(s)?

We’ve faced numerous security issues, including spam, hacking attempts, and phishing scams. There wasn’t one single incident that made us prioritize online safety; it was more a series of events that underscored its importance.

One notable time was a development server we used to host both internal and client files. We discovered that it had been hijacked to run a cryptocurrency mining operation, which was silently draining the server’s resources and consuming a significant amount of electricity. The operation was so well-hidden that it took extensive investigation to identify the issue.

This kind of cyberattack is called cryptojacking. An attacker compromises a system (like a server, personal computer, or an IoT device) to secretly run cryptocurrency mining operations. Between 2022 and 2023, cryptojacking incidents surged by an average of 399%, with sensitive sectors such as healthcare seeing an increase of 690% in the first half of 2023 alone.

We also often get phishing attempts targeted at new team members. In one example, the scammer posed as me and requested that the new team member purchase gift cards for the team, promising reimbursement. Thankfully, the team member double-checked with me before taking any action, which allowed us to catch the scam before any damage occurred.

Additionally, there was a client-related incident where hackers created a fake version of a client’s company, complete with a separate bank account, to divert customer payments. They even managed to distribute fraudulent invoices to the company’s entire client list, which could have led to significant financial loss if it hadn’t been addressed in time.

Takeaways:

  • The biggest lesson we’ve learned is maintaining vigilance and verification. We treat any unusual activity with extreme caution and verify its legitimacy immediately.
  • On the financial side, we’ve implemented strict protocols: our accounting team cannot send payments or share financial information without executive approval and verification.

How do you handle sensitive information online—whether personal or work-related? Are there tools, apps, settings, or habits that you consider essential, and why?

We approach handling sensitive information (whether personal or work-related) with a combination of practical tools, thoughtful processes, and daily habits that prioritize security. We’ve learned over time that safeguarding data isn’t just about having the right software; it’s about creating a culture where everyone understands the importance of privacy.


We use 1Password to manage all our internal and client-related passwords. It’s a simple but effective way to ensure passwords are securely stored, regularly updated, and only accessible to the team members who truly need them. This helps us avoid the chaos of shared spreadsheets or insecure practices like reusing passwords.

We also make sure every team member has antivirus software installed on their devices. It’s not glamorous, but it’s an essential layer of protection that prevents malware or unauthorized access from slipping through the cracks.

When it comes to particularly sensitive information—like client billing details—we’ve created clear, secure workflows. For example, only designated team members in our billing department handle this data, and we have strict protocols in place for how it’s stored and shared.

Beyond tools, though, small habits make a big difference. We encourage our team to always verify requests for sensitive information, use two-factor authentication (2FA) wherever possible, and think twice before sharing anything over unencrypted channels. These are the kinds of everyday actions that build strong security practices.

That said, we know there’s always room for improvement. Cybersecurity isn’t a set-it-and-forget-it kind of thing—it’s a moving target. We have someone on our team in charge of our IT infrastructure and cybersecurity, and I personally stay engaged by reading articles, watching videos, and sharing insights with them. Sometimes, we even reach out to other agencies to swap ideas and learn from their experiences.

What measures, tools, and services are you using to protect your company and customers’ data, and train your employees? What was the process like for you when deciding where to allocate your budget?

In addition to tools like 1Password and antivirus software, we rely heavily on Google Workspace and Google Cloud Storage to protect our company and client data. These platforms provide end-to-end encryption, ensuring that all sensitive information—whether internal or client-related—is secure. For any information stored on our servers and databases, we have protocols in place to ensure encryption and proper handling.

When it comes to employee training, we admittedly don’t have a formal, repeatable process in place yet. We’re not perfect, and it’s something we know we need to work on at Comrade! Currently, our IT specialist responsible for cybersecurity sends out memos, articles, and tips regularly, and we address important topics during team meetings. While this approach works for now, we’re planning to develop a structured training program to ensure consistent and ongoing education for our team.

Regarding budget allocation, we have a general budget for IT needs and technology implementation, with cybersecurity falling under that umbrella. Some tools, like Google Workspace, were implemented early on—even before we formalized a budget.

Now, when decisions need to be made, our cybersecurity specialist reviews our options, consults the budget, and coordinates with our executive team to ensure resources are allocated appropriately.

What’s your experience with outsourcing cybersecurity to a Managed Service Provider (MSP) versus handling things in-house? What would you suggest to other companies of your size?

As a digital and technology-focused company, we’ve always had tech-savvy individuals on our team who proactively manage our IT and cybersecurity needs, so we’ve never relied on an MSP (Managed Service Provider). However, most small businesses don’t have that luxury.

In my opinion, outsourcing to an MSP is a smart, cost-effective solution for companies that lack in-house IT expertise or can’t yet afford a dedicated team. Your cybersecurity and IT infrastructure will be handled professionally without the overhead of hiring full-time staff.

In-house IT might not be worth it if you have fewer than 50 employees, so an MSP is a great middle-ground investment that will let you avoid risks. It’s a great way to get professional, reliable support without the expense of building an in-house team prematurely.

That said, as a company grows—around 50 to 100 employees or more—hiring in-house IT is often more beneficial. They can provide tailored solutions, build a long-term vision for your IT infrastructure, and align decisions with your company’s unique needs.

What regulatory requirements around data protection and privacy have impacted your business, and how? What helped you ease the adaptation process?

After 15 years in digital marketing, I’ve learned that you need to stay ahead of regulatory requirements—whether it’s about data privacy, accessibility, or industry-specific rules. Ignoring these regulations is risky! It can lead to lawsuits, fines, or damaged trust with your customers.

Over the years, we’ve seen firsthand how regulations like GDPR, California Consumer Privacy Act (CCPA), HIPAA, and ADA compliance impact businesses. If you have a website—big or small—you need to be aware of these rules to avoid trouble. Here’s what we’d consider:

GDPR and CCPA Compliance

GDPR (General Data Protection Regulation) and its U.S. counterpart, the CCPA, are all about protecting user data. GDPR applies to businesses interacting with users in the EU, while CCPA focuses on consumers in California. Both regulations require transparency in how data is collected and used, giving users rights like opting out of data collection or requesting their information be deleted.

Even if your business isn’t based in California or the EU, you still need to comply if you attract users from these areas. For example, we’ve helped clients implement cookie consent banners, update privacy policies, and secure data storage to align with these rules.

HIPAA Compliance

For healthcare clients, HIPAA compliance is non-negotiable. It requires strict protection for patient data, which means using encrypted communication tools, secure storage, and role-based access controls.

One of the biggest challenges we’ve seen is educating our team about HIPAA rules. For example, even something as simple as sharing login credentials can be a violation. To address this, we’ve implemented tools like 1Password and HIPAA-compliant data storage solutions to handle sensitive data and trained our team to follow clear protocols.

ADA Compliance (Website Accessibility)

Accessibility is a legal requirement under the ADA (Americans with Disabilities Act). This means your website needs to accommodate users with disabilities—for example, by including alt text for images, offering keyboard navigation, and ensuring content is easily readable.

One of our clients learned this the hard way. Even though their website passed an online accessibility tool’s test, they were hit with a legal claim alleging non-compliance. Larger websites with high traffic are especially at risk of these claims. Our advice? Don’t rely solely on automated tools. Conduct a professional accessibility audit to ensure your site meets standards.

Overall, the larger your website grows, the more likely it is to attract attention from regulators—or opportunistic lawsuits. We’ve seen businesses caught off guard, thinking they’re compliant when they’re not. For example, without proper GDPR or CCPA protocols, you could face fines for something as simple as failing to disclose how you use cookies.

Are there any emerging technologies or trends you personally find either exciting or concerning when it comes to online privacy?

I am both excited and cautious about emerging technologies.

I believe AI has incredible potential. In theory, it can detect and block cyber threats faster than ever before. It has the ability to analyze patterns, predict breaches, and safeguard sensitive data almost in real-time. While we’re not quite there yet, I look forward to seeing these capabilities fully in action, making security more proactive and reliable for businesses like ours and the clients we serve. I’m certain that more tools with these capabilities will be released soon.

At the same time, there are trends that concern me:

  • Although AI is a powerful tool for good, it is also being exploited by hackers to create sophisticated phishing scams and bypass security measures.
  • Another unsettling trend is the growing data economy—the sheer amount of personal data being collected, sold, and shared, often without you even realizing it. This creates a privacy minefield.
  • The rapid rise of deepfakes is also alarming. I have seen examples where realistic fake audio or video is used to impersonate someone, and it is frightening to consider how that could be weaponized against individuals or businesses.

The truth is, technology is evolving so quickly that we cannot afford to be complacent. The key is to embrace innovation with both enthusiasm and caution. You need to be prepared for whatever comes next.

Connect with Ivan Vislavskiy

LinkedIn: https://www.linkedin.com/in/ivan-vislavskiy-53bb559

Website: https://comradeweb.com/about/ivan-vislavskiy/

About the Author

Roberto Popolizio

With over 13 years of experience in managing digital publications, Roberto has coordinated over 5000 interviews with the biggest names in cybersecurity, AI, cloud technology, and SaaS. Using his knack for communications and a growing network of cybersecurity leaders, he provides newbies and experts alike with beyond-the-fluff online privacy tips, and insider perspectives on the ever-evolving tech world.
