Scaling Up? Don’t Skip Cybersecurity!

WEBVTT

00:00:08.224 --> 00:00:35.457
Thank you.

00:00:35.457 --> 00:00:37.658
Welcome to another episode of Merger.

00:00:37.658 --> 00:00:43.287
She Wrote, I'm Paloma Goggins with Nocturne Illegal, and today I am hosting Paige Hansen.

00:00:43.287 --> 00:00:47.704
She is the co-founder of Secure Labs and a cyber safety expert.

00:00:47.704 --> 00:00:54.466
She is a renowned authority in consumer and digital safety with nearly two decades of experience in identity management.

00:00:54.466 --> 00:01:00.968
She is a frequent speaker at nationwide events raising awareness about identity theft and related issues.

00:01:00.968 --> 00:01:03.060
Thank you so much, paige, for being on today.

00:01:03.060 --> 00:01:04.143
Thanks for having me.

00:01:04.143 --> 00:01:07.028
So we'll just dive right into the questions.

00:01:07.028 --> 00:01:08.751
I think from.

00:01:08.751 --> 00:01:10.694
Let's take it from the top.

00:01:10.694 --> 00:01:15.510
Let's say you are a business that's doing really well, you're scaling.

00:01:15.510 --> 00:01:18.823
You're thinking at some point in the future of exiting.

00:01:18.823 --> 00:01:20.087
You know what?

00:01:20.087 --> 00:01:22.572
I have my list of questions here that I have for Paige.

00:01:22.572 --> 00:01:27.227
So if you're watching this podcast instead of listening, you'll see me look down from time to time.

00:01:27.227 --> 00:01:33.787
So what would you say is the most common cyber threats that a scaling company can focus?

00:01:33.787 --> 00:01:36.468
And if you want to be industry specific, go ahead.

00:01:36.468 --> 00:01:38.147
Otherwise, generalities work too.

00:01:38.879 --> 00:01:41.349
Yeah well, I think, generally it just depends on your size.

00:01:41.349 --> 00:01:56.647
If you're a smaller company, you have to think of it more as threats that are happening to your employees, so phishing emails, multi-factor authentication, intruders trying to get in kind of the high level, low hanging fruit.

00:01:56.647 --> 00:02:10.542
If you're a larger company, that's when you get more of a third party risk and you have other factors Because, if you think about it, the larger the company, the more systems you're going to have in place, the more vendors you're going to be using.

00:02:10.762 --> 00:02:30.780
Therefore, your risk is greater so true, yeah, I think the layering of complexity is one of those pieces that people forget, right, the more you grow and the more complicated your systems become, the more you have that chance for loopholes or areas where someone could sneak in and get into a system.

00:02:30.780 --> 00:02:39.754
I want to back up a moment, because you talked about what a smaller business might be dealing with when it comes to phishing.

00:02:39.754 --> 00:02:43.350
I feel like that is universally both big and small company.

00:02:43.350 --> 00:02:46.419
If you've worked in corporate America, you've seen the phishing test.

00:02:46.419 --> 00:02:47.784
You've failed the phishing test.

00:02:47.866 --> 00:02:48.328
Oh, absolutely.

00:02:49.301 --> 00:02:50.004
The better phrase.

00:02:50.004 --> 00:03:08.604
But you know, I think a lot of people who are running smaller you know, family owned and operated businesses, aren't necessarily thinking about implementing phishing type traps to teach their employees hey, don't click on things without checking them out.

00:03:08.604 --> 00:03:10.247
You know what are some first steps.

00:03:10.247 --> 00:03:16.932
Let's say you're operating a business and it's been really successful all these years, but you've never really even thought about cybersecurity.

00:03:16.932 --> 00:03:17.921
Where do you start?

00:03:18.323 --> 00:03:27.908
Well, I'll acknowledge that usually cybersecurity is an afterthought, and it I mean you're thinking about building your business and your client base and just everything around building your business.

00:03:28.520 --> 00:03:31.341
Usually and generally, cybersecurity isn't like you know what.

00:03:31.341 --> 00:03:34.471
Let's pause and fish test our employees.

00:03:34.471 --> 00:04:14.122
So let's acknowledge that that's a thing, and that is the clients that I deal with are small to medium-sized businesses and so, taking a step back and realizing these fraudsters are working in scam compounds 24-7, trying to find a hole, trying to find a way in, so not only us as consumers have to have our guard up, but as a business, and especially a profitable business, where you may have loopholes in your invoicing, the way you invoice, and there might not be controls in place, where you have multiple people authenticating invoices or outreach and things like that.

00:04:14.122 --> 00:04:30.228
That's a problem and as you whether you're growing or you're really small you have to know that that's a priority, because one potential you know invoice that you pay or ransomware in your organization.

00:04:30.228 --> 00:04:39.980
60% of small businesses, according to the National Cybersecurity Alliance, do not recover when they've had a cyber incident, and that's a big problem.

00:04:39.980 --> 00:04:41.483
That's that's crazy.

00:04:42.605 --> 00:05:06.053
I mean you know, you hear about in the news organizations that have had and especially in the medical world, right, but you hear of these organizations that have had someone breach their infrastructure and then they get locked out of their computer systems or they get locked out of their records and are held essentially for ransom.

00:05:06.053 --> 00:05:13.327
And you hear about these companies that make the decision to pay the ransom and get their things back.

00:05:13.327 --> 00:05:21.666
And the crazy part is what, if you pay the ransom and you don't get your things back, right, I mean it's not like it's a guarantee.

00:05:21.687 --> 00:05:22.951
It's not a guarantee.

00:05:22.951 --> 00:05:26.867
You're definitely taking a chance and the FBI will say do not pay the ransom.

00:05:26.867 --> 00:05:36.608
And I think a lot of businesses segment themselves and they think, okay, we've got to get a, whatever the reason is, whether they want to get their data back or they don't want the news to break that they had a data breach.

00:05:36.608 --> 00:05:38.882
But it all depends on the end goal.

00:05:38.882 --> 00:05:39.583
So here you are.

00:05:39.583 --> 00:05:46.132
Okay, maybe you do go to the FBI for help, but you need to get on it right away.

00:05:46.132 --> 00:05:49.375
It's not a oh, let's figure this out over the weekend by ourselves.

00:05:49.375 --> 00:06:00.740
No, you need to involve them right away because, depending on their data, that they've stolen or have access to, it really depends.

00:06:01.240 --> 00:06:02.706
Now, who knows what's going to happen?

00:06:02.706 --> 00:06:04.603
You know, is it client data, is it payment data?

00:06:04.603 --> 00:06:13.725
But that's also a really important note to say what controls do you have in place internally?

00:06:13.725 --> 00:06:17.314
Do you have a control where you back up your company's data every year, every quarter, every month?

00:06:17.314 --> 00:06:24.706
Is it air-gapped or segmented, so it's not on the same network as the rest of your data that could potentially be compromised?

00:06:24.706 --> 00:06:29.572
These are all things that you go through if you're following a cybersecurity framework.

00:06:29.572 --> 00:06:31.266
So there's a NIST cybersecurity framework.

00:06:31.266 --> 00:06:35.980
There is a SOC 2 cybersecurity framework that helps with privacy and security.

00:06:35.980 --> 00:06:47.362
These sort of things help as almost like a checklist of things that baseline you should be doing as an organization things that baseline you should be doing as an organization.

00:06:47.382 --> 00:07:05.754
I want to go back to what you were saying just a little bit before about how the data that's breached I mean, I think in a lot of the perspective of the business owner is not necessarily thinking about breach, in that it can fall into two separate buckets that have two sort of separate impacts to the business.

00:07:05.754 --> 00:07:23.846
One is, you know, like you were talking about the integrity of invoicing and sort of chain of custody, right, as you might discuss, like how you know invoice is sent to someone and is paid, and is there the potential for someone to duplicate or make that process look very, very similar?

00:07:23.846 --> 00:07:28.303
So a client sees it, pays, it doesn't realize they just paid someone else.

00:07:28.303 --> 00:07:43.733
But that's something that impacts the bottom line of the business, whereas what you were talking about just a few minutes ago, where the breach of data is client information, you know, maybe it's social security numbers, maybe it's health information.

00:07:43.733 --> 00:07:51.887
I mean, sometimes I feel like when you talk with people about cybersecurity, they're thinking about only one of those buckets, right, right.

00:07:52.288 --> 00:07:53.793
It is, and that's the thing.

00:07:53.793 --> 00:07:55.507
It's not just one thing.

00:07:55.507 --> 00:07:57.766
I get asked all the time what's the one thing?

00:07:57.766 --> 00:07:58.790
And maybe you'll ask this later.

00:07:58.899 --> 00:08:01.064
What's the one thing a business should do or should think of?

00:08:01.064 --> 00:08:01.906
And it's not.

00:08:01.906 --> 00:08:19.120
It can't be one thing because, to your point, you have access controls within your business operation that need to be tied down, but then you also have the access and the identity management of your client data, your company data, your business IP.

00:08:19.120 --> 00:08:23.987
All of that that I think a lot of people put in the same buckets, but they're not.

00:08:23.987 --> 00:08:30.096
They're ways to be vulnerable and have exposure unwanted exposure at that.

00:08:31.221 --> 00:08:42.831
So if you had to describe for someone who's just starting to look at compliance and cybersecurity, you know obviously there's a lot of ways that you can go about tackling this.

00:08:42.831 --> 00:08:45.921
Is there a place that they should start?

00:08:45.921 --> 00:08:49.307
Is there certain plans and implementation?

00:08:49.307 --> 00:08:51.692
Like, I guess it's such a broad space.

00:08:51.692 --> 00:09:00.086
If you could give more of a concrete like, this is where you could start or this is where it could be easy to start implementing, what would that suggestion be?

00:09:00.347 --> 00:09:01.068
I think, high level.

00:09:01.068 --> 00:09:07.971
If you're looking for a list to follow, implementing a NIST cybersecurity framework would be a really great one.

00:09:07.971 --> 00:09:14.086
To start with, what that means and what that boils down to a couple things Identity and access controls.

00:09:14.086 --> 00:09:16.868
As a business, we want everybody to access something.

00:09:16.868 --> 00:09:17.870
What if so-and-so's out?

00:09:17.870 --> 00:09:31.551
We want to make sure these other five people can access the same system, or one person is in charge of developing our website or whatever it may be, but we want, just in case, we want you to have these other people backed up.

00:09:31.571 --> 00:09:37.419
You have to look and scrutinize very hard your identity and your access controls within your organization.

00:09:37.419 --> 00:09:51.672
There should not be a number of people that don't need access to certain systems or employee data, that don't need access to certain systems or employee data, patient data, business data in general that have access just because it makes life easier.

00:09:51.672 --> 00:09:52.695
We need to scrutinize that.

00:09:52.695 --> 00:09:55.168
But the important thing, too, is audit trails.

00:09:55.168 --> 00:10:20.267
If you're reviewing a policy, if you're reviewing something or you do have access control, you need to have the documentation that you've done so, because in the event of a breach, in the event that you have some sort of audit, they're going to look at timestamps, they're going to look at the audit trail, and that could be the difference between paying an absorbent fine because you're negligent or not as much.

00:10:20.267 --> 00:10:23.961
You will still pay a fine, but not as much because you did have the proper controls in place.

00:10:23.961 --> 00:10:25.004
It just happened to happen.

00:10:26.167 --> 00:11:08.033
I think that that highlights another good thing, which is that a lot of people think of data security, data privacy, as sort of this potential I would say pitfall of their business from a financial standpoint, from their reputation standpoint, but a lot of people don't think about the fines, the potential for getting in trouble, right For failing to do what is necessary to protect your client information, and so I think it's really important to highlight that there's this you know, yes, you could impact your bottom line.

00:11:08.033 --> 00:11:25.355
You could impact your bottom line even further by getting fined, but also, what are the ramifications for your reputation as a business, even if you survive financially, if your clients then you know no longer, you know their social security number's out on the dark web.

00:11:25.355 --> 00:11:27.687
What are the implications for them?

00:11:27.687 --> 00:11:28.903
What are your obligations?

00:11:28.903 --> 00:11:30.609
You know, after the breach occurs.

00:11:31.009 --> 00:11:33.043
Right, well, one your reputation.

00:11:33.043 --> 00:11:38.614
Now that could take years or it could totally tank, and now you no longer have a business.

00:11:38.614 --> 00:11:41.207
There are businesses that recover from that.

00:11:41.207 --> 00:11:53.653
They put out the right statement and they offer the data or the identity protection and services like that, but when it comes to you know, as a business, what do you do?

00:11:53.653 --> 00:12:01.510
It depends on the data that was breached, it depends on your industry, it depends on the threshold within your state.

00:12:01.510 --> 00:12:06.022
All of that matters, and so it's going to be situational, couldn't?

00:12:06.042 --> 00:12:06.523
agree more.

00:12:06.523 --> 00:12:12.970
I think we've probably covered enough of why you should be afraid enough to do cybersecurity as a business.

00:12:12.970 --> 00:12:14.980
Well, I actually do want to add something.

00:12:15.000 --> 00:12:17.226
Yeah, please, so one you know, oftentimes we'll get.

00:12:17.226 --> 00:12:18.650
Well, we have cyber risk insurance.

00:12:18.650 --> 00:12:19.442
Have you heard this?

00:12:19.442 --> 00:12:20.485
We have cyber risk insurance.

00:12:20.485 --> 00:12:20.886
We're fine.

00:12:21.368 --> 00:12:29.761
But actually, did you know, in order to be paid out on said cyber risk insurance, in the event something happens, you have to have the controls in place, meaning there's requirements.

00:12:29.761 --> 00:12:32.971
You can't just have cyber risk insurance and then say, okay, we're good.

00:12:32.971 --> 00:12:39.873
I mean, it would be like, if I make the jump here, it's your own personal home insurance.

00:12:39.873 --> 00:12:46.011
If you say to your provider, I have three fire alarms or smoke detectors, I have three of them.

00:12:46.011 --> 00:12:47.626
And they say, okay, we'll mark you down there.

00:12:47.626 --> 00:12:48.572
Okay, this is your premium.

00:12:48.854 --> 00:12:50.703
But then you have, unfortunately, you have a fire.

00:12:50.703 --> 00:12:54.220
Now, all of a sudden, they're going to say, well, how many smoke detectors did you have?

00:12:54.220 --> 00:12:55.081
Oh, you didn't have any.

00:12:55.081 --> 00:12:58.504
Oh well, we're not going to pay you out, or you're, it's going to be nothing.

00:12:58.504 --> 00:13:02.429
And so the same things you have to think about, just the same thing applies to your business.

00:13:02.429 --> 00:13:19.740
If you say, yes, we have multi-factor authentication and we segment our data and we do these 10 things that are required, but then it comes back when they do an investigation and audit that you don't, well, now you're in the bucket of larger fines and you're not being paid out on something that you were going to rely on to help you recover.

00:13:20.722 --> 00:13:26.274
It's so true I think that's missed on a lot of people is you have to make an effort.

00:13:26.274 --> 00:13:45.019
It works even in the M&A world from a merger and acquisition, reps and warranties insurance perspective, which, for anybody who's unfamiliar reps and warranty insurance, essentially helps protect you against the failure of a seller to disclose important items and you only find them out post-closing.

00:13:45.019 --> 00:14:03.932
And it's very expensive and and it it's it's kind of one of those insurances that if you're not doing your due diligence in the process and you're being lazy and you're not turning every stone over and in kind of doing your part, the insurance just like the cyber security insurance won't cover.

00:14:03.932 --> 00:14:07.086
And got to see that live in person with you.

00:14:07.086 --> 00:14:19.489
You know a business that had went through the underwriting process, bought the expensive insurance, found out pounds receivable wasn't going to be paid, that they paid for as part of the purchase price, and I mean it's wild.

00:14:19.489 --> 00:14:49.163
So I think that's a really great point to underline is that you have to do the work to make sure that you are protecting your business in a way that the insurance can then come in and say you did as much as you possibly could to essentially bolster what we've come in to protect you against Exactly One hundred percent, against Exactly 100%.

00:14:49.163 --> 00:14:54.701
So I think this can dovetail into a really nice kind of segue into a different conversation, which is we talked a little bit about implementation and how important that is.

00:14:55.283 --> 00:15:04.885
I think the other piece of this is when a business is ready to sell let's say they're three, five years out they're starting to look to get organized, get their things.

00:15:04.885 --> 00:15:06.849
That, you know, I always say fair is in order.

00:15:06.849 --> 00:15:09.091
You know what is.

00:15:09.091 --> 00:15:29.828
How can someone just kind of taking even a step further back someone who's going to go through diligence, which is really the process of the buyer really inspecting everything about their business, what can a potential business that's going to sell do to really, I think, make the diligence process easier, right, what are you talked about?

00:15:29.828 --> 00:15:34.624
The list, yes, what else can from a records perspective?

00:15:34.624 --> 00:15:51.472
And obviously you know there's going to be reps and warranties in the document that says you know we've maintained, you know, certain security, you know thresholds and obligations or procedures or whatever it may be, and that's great, fine and dandy, but what does that look like on paper?

00:15:51.472 --> 00:15:52.562
First, you know what.

00:15:52.562 --> 00:15:56.201
Describe what that would look like if someone had to turn over records to prove it.

00:15:57.123 --> 00:16:13.828
I think, first, if you were to get, let's say, go for your SOC 2 attestation, if you have that report, that might be enough to say I have this report, I'm attesting to the fact that I have the proper security and privacy controls in place and will be reviewed on a yearly basis.

00:16:14.309 --> 00:16:31.221
But then you should be taking it a step further and asking the company to provide then the documentation for each of those controls, so when you're audited, depending on the auditing company, they could audit the entire control set, meaning that they're looking at every single document supply.

00:16:31.221 --> 00:16:39.969
But then others they do a sample of things when it comes to risk management, your access controls, your HR, legal practices, your policies.

00:16:39.969 --> 00:17:09.852
But if you're really doing your diligence, you are going to look at every single document yourself and do almost your own audit to make sure that that in fact is happening, because there's a range of credible audit companies, auditors, and so you want to make sure, if it's really something that you want to look into, that you you're doing it yourself and not just asking just for the the per se, which is a really great start, don't get me wrong but doing that extra step of looking at the documentation.

00:17:11.180 --> 00:17:19.443
So, going back to, I want, for anybody who's not familiar with SOC 2, can you give us, like the basic 101 of what SOC 2 is?

00:17:19.663 --> 00:17:27.690
Yeah, soc 2 is telling the business world that we take privacy and security seriously within our company.

00:17:27.690 --> 00:17:32.111
Here is what we do and there's a list depending on there's trust service criteria.

00:17:32.111 --> 00:17:34.442
There's five different trust service criteria.

00:17:34.442 --> 00:17:41.695
Most businesses will do at least security the first time and they'll say, yes, I am taking the proper steps.

00:17:41.695 --> 00:17:47.488
And here's the documentation that I take seriously that not only the security of my employees but my data as well.

00:17:47.488 --> 00:17:58.593
And then they'll start to expand over time and they'll start looking at policies of the hiring processes and integrity and there's more to it if you want to provide that.

00:17:58.593 --> 00:18:02.269
But really it's saying we take this seriously.

00:18:02.269 --> 00:18:03.685
Here's the documents to prove it.

00:18:03.685 --> 00:18:09.173
We've been audited by an external auditor that, in fact, that we do that and approve.

00:18:10.836 --> 00:18:18.849
So I'm going to play a little devil's advocate, just because I know business owners are busy, they struggle, they want.

00:18:18.849 --> 00:18:28.865
There's lots of things they have on their want list and the things that they actually check off are the most obviously critical right, the things that keep the business cash flowing, that operational right.

00:18:28.865 --> 00:18:51.763
So if someone, let's say, they put the SOC 2 on their wish list but it's something that they never actually go through and obtain, is there something they can do that in the meantime they can essentially document and protect themselves in a less certified fashion, but something that could hold up, say in the diligence process, where it's less formal?

00:18:51.903 --> 00:18:53.027
Yeah, absolutely you can do.

00:18:53.027 --> 00:19:01.038
You can either have an internal audit so you have hired somebody internally to that's maybe that's their job to document all of those.

00:19:01.038 --> 00:19:26.199
I I lean towards the NIST cybersecurity framework just because it is dealing with the security and privacy of the controls that you're that you're implementing throughout your organization, or you can hire a third party to come in and gather that information with the help of somebody internally, because the reality is a lot of these businesses don't usually have an entire compliance team or compliance department, or the operations person is wearing so many hats.

00:19:26.199 --> 00:19:44.385
The thought of juggling that as well is very daunting, and so usually hiring a third party to help build that is generally the route that organizations go, and it's less expensive and an overhead of hiring somebody internally to be able to provide that documentation.

00:19:44.846 --> 00:19:45.167
Of course.

00:19:45.167 --> 00:19:46.431
Yeah, I could see that.

00:19:46.431 --> 00:19:49.182
Yeah, no, I think that's really great.

00:19:49.182 --> 00:19:53.365
I'm going to ask a question that I think I know the answer to already.

00:19:53.365 --> 00:20:03.589
I'm going to ask a question that I think I know the answer to already, but is there any business that is too small to create some sort of internal policy around cybersecurity or data privacy?

00:20:03.589 --> 00:20:04.798
What do you think the answer is?

00:20:05.339 --> 00:20:07.166
I'm going to say no, okay, you're right.

00:20:07.166 --> 00:20:37.410
You're right Because here's and I and again, I work with a lot of small to medium sized businesses and a lot of small to medium-sized businesses and a lot in the startup community and if you are at least getting access controls right and the identity management pieces right, segmenting your data right, at least from the foundation level of your business, it is going to be massively efficient later down the line when you are ready to get the proper documentation.

00:20:37.410 --> 00:20:40.023
So, building that just from a foundation level is huge.

00:20:40.023 --> 00:20:46.214
And no, there's not a, I'm a business of three people and we are documenting and we have the policy.

00:20:46.214 --> 00:20:54.643
And you might think, oh, we're just over here in the corner doing these things when it comes to compliance, but no, no, we're, as a company, documenting all of that as well, because we understand the importance of that.

00:20:54.643 --> 00:20:58.910
And then, in the event, you do grow and be bigger, then great, you've got it.

00:21:03.835 --> 00:21:05.259
You've got a lot of your ducks in a row already.

00:21:05.259 --> 00:21:05.859
I would expect nothing less.

00:21:05.859 --> 00:21:06.422
Right, I know?

00:21:06.422 --> 00:21:07.545
Right, could you imagine Walking the walk?

00:21:07.545 --> 00:21:08.105
Talking to talk?

00:21:08.105 --> 00:21:36.218
Yeah, so I think that this conversation is actually a really great way to segment into something that we were talking about actually before we started sitting down for the podcast, which is, you know, I think, when you're thinking about businesses that are transitioning into an exit plan, right, someone is planning to sell, preparing for that which we kind of talked about.

00:21:36.218 --> 00:21:37.881
You know, documentation getting a sock to.

00:21:37.881 --> 00:21:43.500
You know some of these options for essentially creating more trust and something that the buyer can hang their hat on.

00:21:43.961 --> 00:21:48.335
But even from the buyer side, you know I represent buyers quite frequently.

00:21:48.335 --> 00:22:03.308
I represent both sides and when a buyer is coming in to purchase something like a medical practice or a practice that touches a medical realm, whether it's HIPAA, a lot of times you know we'll put in there reps and warranties as to.

00:22:03.308 --> 00:22:05.750
You know you've complied with health care laws.

00:22:05.750 --> 00:22:06.872
List all the health care laws.

00:22:06.872 --> 00:22:08.961
You've complied with data privacy requirements.

00:22:08.961 --> 00:22:10.766
You know, make sure HIPAA is included.

00:22:10.766 --> 00:22:22.250
Hipaa is included, but on you know that's great on paper, but then the buyer, during the diligence process, it's their responsibility to say okay, hand over the proof that you're doing this.

00:22:22.250 --> 00:22:32.640
And in some instances, like I've represented, you know buyers that are purchasing, you know hearing aid locations and it is.

00:22:32.640 --> 00:22:37.457
It's still HIPAA, right, it's even though it's not the traditional idea of a doctor's office.

00:22:37.457 --> 00:22:44.378
And you know we've seen the gambit of you know it's a recurring buyer and so we've seen the gambit of here's.

00:22:44.538 --> 00:22:50.198
You know one instance where you know an audiology practice is doing the best it possibly could.

00:22:50.198 --> 00:22:52.480
Everything is documented down to the letter.

00:22:52.480 --> 00:23:00.030
It's got a handbook, a guide, everything is written down, and then we've seen the opposite, which is like everything is an absolute disaster.

00:23:00.030 --> 00:23:05.178
They haven't been doing.

00:23:05.178 --> 00:23:09.153
You know they've been compliant because their software is doing a lot of the legwork for them, but they're not doing anything above and beyond.

00:23:09.173 --> 00:23:26.855
And so you know, paige and I were talking briefly before this podcast about HIPAA and HIPAA compliance and kind of how people tend to think of HIPAA, separate and apart from the cybersecurity and world that requires sort of that data compliance because it's so health specific.

00:23:26.855 --> 00:23:38.766
But there's so many pieces that touch on HIPAA and I think I'd also like to underline just separately that if you're doing business with a company that is obligated to comply with HIPAA.

00:23:38.766 --> 00:23:56.442
You're also likely processing, you know, personally identifiable health information right, so you'll need to have a business associate agreement in order to make that all fully compliant.

00:23:56.442 --> 00:23:58.728
But you know, paige was just saying how the HIPAA rules are sort of in flux.

00:23:58.728 --> 00:23:59.489
They're changing.

00:23:59.489 --> 00:24:01.521
I'd love for you to go into that a little bit.

00:24:01.815 --> 00:24:29.726
Yes, and I do want to acknowledge in your scenarios where you say the business over here has everything buttoned up, great, but I'm going to go ahead and majority of the healthcare practices that we work with or I've heard of in the past it's 95% sit over in this other camp which is, oh, we have the HIPAA compliant software that provides the policies and we're okay, we're HIPAA compliant and it's like well, that's actually that's not the truth.

00:24:29.746 --> 00:24:37.391
It can be further from the truth, but I think there's some education that can happen and for them to fully understand what that means to be HIPAA compliant.

00:24:37.391 --> 00:24:41.922
But to help answer your question is the HIPAA privacy rule changes every year.

00:24:41.922 --> 00:24:47.121
There's usually additions that have usually not a lot of removal or subtractions, but additions.

00:24:47.121 --> 00:24:53.040
This year it's focused on cybersecurity and cybersecurity practices within the HIPAA privacy rule.

00:24:53.040 --> 00:25:11.263
So adding things like, which might seem obvious, but multi-factor authentication, a requirement, required policy documentation, and it has to be not only just policies, but policies and your operations of how you actually implement said policy.

00:25:11.263 --> 00:25:16.384
So you can have the best policy in the world, but if you're not actually following it or doing it well, then it's not really your policy.

00:25:16.384 --> 00:25:26.509
So those are the sort of things that if an auditor were to come in or you were to be audited, that you would likely fail because you might have certain things in place but it's not to the full gamut.

00:25:26.509 --> 00:25:31.564
So cybersecurity is a big thing happening this year and it needs to.

00:25:31.564 --> 00:25:50.144
It needs to be because the healthcare industry according to the IC3 report, which is the fbi's internet crimes report, health care is usually one or two um on the list when it comes to information that has been exposed, via what vehicle, and it's usually a health care practice that's fascinating uh, it doesn't surprise me though

00:25:50.505 --> 00:25:50.746
it's not.

00:25:50.746 --> 00:25:53.218
No, it's not surprising, and especially when you were go to.

00:25:53.218 --> 00:25:59.902
I know getting kind kind of tactical here, but, like um, you go into the doctor and you're filling out a form and there's a line for your social security number.

00:25:59.902 --> 00:26:03.338
But did you know you actually don't need to provide your social security number?

00:26:03.338 --> 00:26:08.036
Social security numbers are used for tax purposes only, credit related only.

00:26:08.457 --> 00:26:15.608
It's a law now that you can't have medical debt on your credit report, so there is no reason for that line to be there.

00:26:15.608 --> 00:26:21.635
But yet it continues to be there, which means as a healthcare organization you're opening yourself up for more risk.

00:26:21.635 --> 00:26:30.962
Will it potentially get you paid down the line if you're able to, from a credit perspective, go and have a debt collector, go and collect those debts?

00:26:30.962 --> 00:26:32.125
Maybe, maybe.

00:26:32.125 --> 00:26:48.481
But at the same time now you have all this risk that now you have an entire column of social security numbers of people that just give it, just because the line says and that's a risk that you have to really think hard about in your organization and when you're setting up your operations and your intake process.

00:26:49.095 --> 00:27:01.156
Well and that goes back to your original comment about who should have access to the information that's absolutely critical to the operation of the business, which one would argue that you're handing over a paper form.

00:27:01.156 --> 00:27:03.703
How many other people are going to see that paper form?

00:27:03.703 --> 00:27:04.987
Is it going to be stored properly?

00:27:04.987 --> 00:27:09.726
Are there other employees of that business that can access that form unnecessarily?

00:27:09.726 --> 00:27:11.637
They have nothing to do with billing Right.

00:27:11.637 --> 00:27:12.720
Are they seeing it?

00:27:12.779 --> 00:27:13.180
anyway.

00:27:13.180 --> 00:27:32.220
Well, and this is what you have to think through when we come to access control, it's not just access of your online systems, it's also access to your physical copies, because in this scenario, let's say, you are filling out this form at the doctor and you hand it over to the front desk Okay, if they're scanning it in for their online system, what that piece of paper?

00:27:32.220 --> 00:27:34.523
Does it go in a bin that then goes into the shred bin.

00:27:34.523 --> 00:27:35.988
Who has access to this shred bin?

00:27:35.988 --> 00:27:36.709
Who has the keys?

00:27:36.709 --> 00:27:41.358
Is it a janitorial staff or an outside service that then comes and picks it up?

00:27:41.358 --> 00:27:47.105
It's just, it's those sort of things where you think, oh my gosh, do I really have to think of those things?

00:27:47.105 --> 00:27:54.286
You do need to think of those things, and that's where the vulnerabilities end up happening in your organization if you're not thinking through those things.

00:28:01.015 --> 00:28:22.446
As I'm listening to you talk, the one thing that was kind of reverberating in my mind was one way that you could, potentially as a business that's starting to think about this more seriously as all of you should is to sit down and just like when you're trying to automate or make your systems better, you have to first sit down and think about what are my systems?

00:28:22.446 --> 00:28:24.162
Where do things get funneled right?

00:28:24.162 --> 00:28:27.965
Intake how does the intake process from start to finish happen?

00:28:27.965 --> 00:28:31.586
And then, how are our records being maintained?

00:28:31.586 --> 00:28:32.901
How are they being purged right?

00:28:32.901 --> 00:28:45.837
So all of this like nitty-gritty detail where I mean, I think some of the best ways to do that even regardless of whether it's cyber security or you're just trying to figure out how to make your systems and processes better is to sit down and just mind map it right.

00:28:45.837 --> 00:28:47.663
But that's a really low level.

00:28:47.663 --> 00:28:59.990
I'm just trying to think of ways to have people get access to this, like, do this sitting at on the couch with a sports game on, or, or you know, whatever your cup of tea is the bachelor on in the background, right?

00:28:59.990 --> 00:29:13.934
Whatever is your, your poison, um, and sit down with these just notepad and start, you know, jotting down what you currently have and what your systems are and who touches what, and is there access right?

00:29:13.934 --> 00:29:18.346
Start just jotting down these ideas so that maybe you get a better sense.

00:29:18.346 --> 00:29:26.122
Maybe you don't have to do anything with it ASAP, but you get a better sense of where you currently are in this process and where you could make it better.

00:29:27.095 --> 00:29:36.083
Yeah, and you go back to one of the questions you asked before, which is, you know, if you're looking at M&A from a perspective, what does the potential buyer ask for?

00:29:36.083 --> 00:29:46.800
Those low level are things that you can ask for, this mind map or this map of where the data goes and how it flows and realize.

00:29:46.800 --> 00:29:47.983
Is that too risky for you?

00:29:47.983 --> 00:29:48.846
Is that acceptable?

00:29:48.846 --> 00:29:51.759
Are there things that we can implement to make this more safe and secure?

00:29:51.759 --> 00:29:55.728
And that's a good way, really great place to start.

00:29:56.315 --> 00:30:19.662
Yeah, I mean honestly, as silly as it sounds right, because everyone thinks of diligence as this very formal process where you're getting you know financial information, you're getting all the contracts of the business, but that's not always the case, especially in these smaller, closely held businesses is you're getting you know disorganized documents that are scanned in because they were in paper form from the 1960s, right?

00:30:20.063 --> 00:30:39.402
So I think, as silly as it may sound, getting, if you were to take, let's say, you sit down tonight on the couch and you start mind mapping and then you have someone on your team or you yourself turn it into something where it's actually a document that goes in your kind of book for your business, your handbook.

00:30:40.103 --> 00:30:48.917
Oh my God, a buyer would love to have that handbook right To be given, sort of the key to the kingdom, where it says look, this is how our system operates.

00:30:48.917 --> 00:31:00.476
Granted, if you create something like this, your obligation is to continually update it, right, and it serves no good purpose if you create it once and you don't keep it updated throughout this evolution of your business.

00:31:00.476 --> 00:31:06.086
But it's that sort of looking behind the curtain, right?

00:31:06.086 --> 00:31:16.595
You know, thinking of, you know ways to show the buyer hey, we've thought about this, We've documented it, We've gone through the process, and this applies kind of across the board.

00:31:16.595 --> 00:31:30.864
But buyers are ultimately just looking for a way to feel comfort that what they're buying is what you're saying that they're buying, and what better way to do that than to say, okay, here's my documentation to prove it Right?

00:31:31.576 --> 00:31:33.642
Well, and then SOC 2, that's a requirement.

00:31:33.642 --> 00:31:36.257
So, network diagram A lot of these frameworks are.

00:31:36.257 --> 00:31:44.281
You need to have a network diagram and it'll walk through usually depending on what's the requirement, but you will have that.

00:31:44.281 --> 00:31:47.415
But healthcare, a framework to mention is high trust.

00:31:47.415 --> 00:31:55.222
A lot of times people, yes, they abide by HIPAA, but then high trust is the next level in the healthcare game and it doesn't matter that.

00:31:55.222 --> 00:32:06.002
You know, health care data, personal health care data, is personal health care data, and so you know I run across some that are like, well, I mean, we're assisted living, but we don't have to abide by HIPAA.

00:32:06.002 --> 00:32:07.467
Yes, you do.

00:32:07.467 --> 00:32:10.894
So it's just there's a lot of misconceptions.

00:32:10.894 --> 00:32:19.586
I just think there's learning that can happen out there and how to protect said data in personal health information is a big part of that.

00:32:20.174 --> 00:32:23.804
So you mentioned, when you were talking about SOC 2 network map.

00:32:24.385 --> 00:32:25.166
Yes, what is that?

00:32:25.166 --> 00:32:35.467
Ah, that's what you were saying, where you're saying here's our data, here's a data flow of oh, video can see what's going on.

00:32:35.467 --> 00:32:59.487
That's a data flow of a piece of data that comes into your organization and it maps it into where it goes and how it's stored and who has access to it, and so it's a really great document, or set of documents, that can follow all of these elements that are in your organization and to see how safe and secure your processes are.

00:33:00.776 --> 00:33:14.939
I wanted to have you give the explanation because for anybody who's out there who doesn't know all the lingo, they're, you know, listening and going okay, soc 2, network map, and then going to have to potentially Google it, and if you're listening to it in a car, it's no good.

00:33:14.939 --> 00:33:16.242
Right In one ear out the other.

00:33:16.343 --> 00:33:17.065
So that's perfect.

00:33:17.345 --> 00:33:18.596
I'm just trying to fill the gap.

00:33:18.596 --> 00:33:30.284
So I think one thing that I always try and do on the podcast is I try and talk about stories because stories resonate, I mean they're more.

00:33:30.284 --> 00:33:32.288
We've talked a lot about the nitty gritty.

00:33:32.288 --> 00:33:42.051
We've done some high level overview of like what people can start thinking about, but I don't think it hits home as hard as giving some examples of things we've seen out in the wild.

00:33:42.051 --> 00:33:44.252
I love your story about the social security number.

00:33:44.252 --> 00:33:51.189
I know that comes from a personal place, you know, I think to share something I've seen out in the wild.

00:33:51.189 --> 00:33:59.476
Seen out in the wild.

00:33:59.496 --> 00:34:05.147
You know big corporation that had a gift card scam get sent out via email from what looked like was the president of the company to people that directly reported to him.

00:34:05.147 --> 00:34:09.181
And I mean this company had phishing tests all the time.

00:34:09.181 --> 00:34:21.130
So you know, just as a kind of an underline to this entire conversation, you have to continually educate your team, your employees, that, even if it's a small team, right.

00:34:21.130 --> 00:34:28.909
You know, I have another story, but I think it's great that we exchange these stories and I'll give you, you know, the next turn on this.

00:34:28.909 --> 00:34:33.186
But it turns out the direct report got this email.

00:34:33.186 --> 00:34:55.065
It said buy me, you know, 500 gift cards at X amount of dollars I mean it was a lot Went out, bought the gift cards on the company credit card and started sending the gift card information via email and I ended up getting caught sort of in this process, but it was too late.

00:34:55.485 --> 00:35:13.244
A lot of the information already been shared and and so what's crazy to me in that situation is they had been doing very aggressive phishing tests, which they didn't quite look the same right, because a lot of the phishing tests that had been sent out were, you know, know, click this link.

00:35:13.244 --> 00:35:14.947
You know, enter your password.

00:35:14.947 --> 00:35:22.155
It was very much the stuff that it's not a direct ask where it's almost outside the scope of what you're normally doing.

00:35:22.155 --> 00:35:28.300
It seems like a special, special task that you've been given by the president, right, so really fascinating.

00:35:28.300 --> 00:35:32.534
You know, obviously that changed drastically how that company was educating.

00:35:32.534 --> 00:35:46.275
They kind of reassessed okay, what we're doing is not working, that you know we can have this happen and you know lesson learned and uh, it did ultimately change their relationship with their employees because of that, that whole situation.

00:35:46.275 --> 00:35:49.398
But, um, you know what have you seen?

00:35:49.398 --> 00:36:06.509
That's, that's a good kind of reminder that can happen to anybody, big or small, and even with the right precautions in place, potentially you know, with the evolution of AI, it's making these requests look more legitimate.

00:36:07.054 --> 00:36:10.005
So you've heard voice cloning, have you heard about this?

00:36:10.005 --> 00:36:13.253
So this is, I mean, they can take our voices right now.

00:36:13.253 --> 00:36:18.864
Right, and you just need five to 10 seconds and you can create an exact clone of a voice.

00:36:18.864 --> 00:36:26.266
So recently, earlier this year, I was speaking at a bankers association meeting and we got into voice cloning.

00:36:26.266 --> 00:36:39.784
We talked about the AI, amplified attacks, and one of the presidents of the bank this small bank in the middle of the US said yeah, actually I got a call pretending to be me, oh, shoot.

00:36:39.784 --> 00:36:44.317
And he said you know that's not right because you're talking to me.

00:36:44.356 --> 00:37:01.079
You know they're pretending to say oh, I'm the president of the bank, I just want to let you know of this XYZ scam that's happening right now, and they would go through this entire scam of essentially trying to target the members of this bank because they were trying to get their PIN numbers and account numbers and for them to log on.

00:37:01.079 --> 00:37:04.068
Well, they targeted the wrong person.

00:37:04.068 --> 00:37:21.945
But here's the deal the person the scammer called back to then get more of his voice, kept him on the phone long enough, where they ended up duplicating the bank president's voice and then targeting the membership base with the legit.

00:37:21.945 --> 00:37:32.764
You know it wasn't just some weird you know a guy sound, it was actually sounded like him and so, luckily, because this did happen to, they put out an alert.

00:37:32.764 --> 00:37:33.065
Alert.

00:37:33.065 --> 00:37:52.123
But they did have members fall for it where they provided their personal identifying information, their bank credentials and so on, and the fraudsters so for them they had to put in and implement, which is another thing is have an incident response plan implemented, their incident response plan right away, which was to lower the thresholds of any outgoing money from that bank.

00:37:52.123 --> 00:37:57.539
So, even even if it was $10, there was an extra layer of authentication that needed to happen.

00:37:58.094 --> 00:37:59.039
But that's only you know.

00:37:59.039 --> 00:38:01.862
They were being targeted, and that's a big thing.

00:38:01.862 --> 00:38:15.804
I mean, you think, oh, I'm gonna keep these scammers on the phone because then they can't target somebody else, but in reality, depending on the skillset of that fraudster, they can be recording your voice and then use that against you and target your friends and family.

00:38:15.804 --> 00:38:21.996
So having a safe word, not only in your business life but your personal life, is extremely important to say.

00:38:21.996 --> 00:38:26.547
You know, it's my husband calling and then all of a sudden I'm like this is weird.

00:38:26.547 --> 00:38:29.425
Is he really arrested or is he really, you know, in a hospital somewhere?

00:38:29.425 --> 00:38:30.115
Is it?

00:38:30.115 --> 00:38:31.521
Pick up the phone and call them.

00:38:31.521 --> 00:38:42.914
Yeah, have that word that you exchange or something that no one else would know, and have them answer, and then your guard can go, maybe not be frazzled because you think something's wrong with somebody.

00:38:44.878 --> 00:38:46.943
Yeah, I think this.

00:38:47.284 --> 00:38:49.128
I mean things are getting complicated, right.

00:38:49.208 --> 00:39:28.297
Right, the AI is changing our world rapidly and at warp speed, and I think it's difficult to really I think I don't want to say estimate, because everyone is underestimating, right, but it's hard to estimate how much the technology that we're going to be utilizing in ways that are beneficial can also be utilized in ways that are detrimental to everyone, and I think your story highlights just how quickly technological developments can drastically change things.

00:39:28.597 --> 00:39:49.628
And I want to highlight one important aspect and we've talked about it before, you know, through the podcast and elsewhere is really is AI, I think, is one of those tools that a lot of people, both individually, in their capacity in the personal life and in their business life, utilize as a tool.

00:39:49.628 --> 00:40:20.936
Right, it's getting almost more specific and better than Google in a lot of instances, because Google is showing now the people who have, you know, paid for the top spots, or the SEO is really good, and so it's not necessarily what the information you're looking for, and so people are turning to things like chat GDP for answers, and I want to highlight in this realm of cybersecurity, that the AI models and putting your information into those chat GDP or any other model.

00:40:20.936 --> 00:40:36.039
You always run the risk of having those models be learning from that information, from you, and I actually just had this conversation with a couple of friends who were uploading their photos to chat GDP and turning them into like anime style photos, and that's the trend right now right.

00:40:38.726 --> 00:40:40.751
To turn yourself into some product or a toy.

00:40:40.751 --> 00:40:41.552
You know you're open.

00:40:43.181 --> 00:40:44.487
And I think it's neat.

00:40:44.487 --> 00:40:54.552
And so the first question I had asked the friend back when they sent me the photo on text was doesn't chat GDP take your information and learn from it?

00:40:54.552 --> 00:41:08.190
Because that was my understanding was like any information you plug in text-wise was being essentially absorbed into the broader intelligence of AI and being utilized to teach it to learn.

00:41:08.190 --> 00:41:18.050
And even on Facebook's AI, I mean, there was all sorts of stuff that came out when people started rolling out AI into different software platforms that's like yeah, facebook is going to learn from you using this AI.

00:41:20.384 --> 00:41:24.974
And so we had the friend asks are you taking my photos?

00:41:24.974 --> 00:41:26.384
And you're like learning from them?

00:41:26.384 --> 00:41:28.530
Or you know what are you doing with my photos?

00:41:28.530 --> 00:41:38.804
And the answer was we're doing nothing with the photo, it's only local to your account, we don't save it, it doesn't get put anywhere, we're not learning from it.

00:41:38.804 --> 00:41:44.257
And the friend texts me the screenshot and I'm like what about the text?

00:41:44.257 --> 00:41:51.697
Though I always thought the text like okay, so if we're safe on the photos, and of course the joke was like do we really trust it telling us what?

00:41:51.717 --> 00:41:52.664
it's doing, I know right.

00:41:52.664 --> 00:41:54.239
It's telling you what you want to hear, right.

00:41:54.760 --> 00:41:57.590
I'm like I don't know if we should really take its advice directly.

00:41:57.590 --> 00:41:59.947
It's just starting to feel a little sci-fi-ish.

00:41:59.947 --> 00:42:04.811
But he asked the same question and the question was no, it was learning.

00:42:04.811 --> 00:42:08.543
And the question was no, it was learning.

00:42:08.543 --> 00:42:11.996
And so I found that really fascinating because it kind of just solidified this idea that I think my, my, this is a really big tangent.

00:42:12.056 --> 00:42:23.567
But essentially, I want business owners to be aware if you're taking things that are having sensitive information, whether you think it's sensitive or not, right, think about it.

00:42:23.567 --> 00:42:25.170
Just even from a contract.

00:42:25.170 --> 00:42:30.670
You know, I know a lot of business owners try and cut corners when they're, you know, need to get a contract out.

00:42:30.670 --> 00:42:35.994
Take an old contract, plug it into chat GDP and be like change, you know, change it this way.

00:42:35.994 --> 00:42:37.581
Or just ask for certain information.

00:42:37.581 --> 00:42:47.047
And I mean, if you're uploading something that's you know your business information, you know that document could have banking information on it.

00:42:47.088 --> 00:42:51.516
If you're not careful, it could have, you know, pricing information.

00:42:51.516 --> 00:42:54.322
I mean, who knows what gets leaked in this world today, right?

00:42:54.322 --> 00:43:02.489
And so I think the idea, realistically, is that you need to be cautious about what you're providing your information to.

00:43:02.489 --> 00:43:07.447
And back to what Paige was saying with the social security line on the medical forms.

00:43:07.447 --> 00:43:12.014
Right, that seems more obvious because it's a tactile version.

00:43:12.014 --> 00:43:14.822
Right, you're having to physically write in your social number.

00:43:14.822 --> 00:43:26.505
Granted, there's inherent trust because it's a doctor's office, but people don't have that same innate pause when they're just copying and pasting information into a text box.

00:43:26.565 --> 00:43:28.311
On, the internet they don't.

00:43:28.311 --> 00:43:32.951
They kind of are in your own little world, behind your screen and as companies.

00:43:32.951 --> 00:43:42.722
There are AI frameworks that you can follow to go through the risk management process of incorporating AI for the use of your employees.

00:43:42.722 --> 00:43:48.134
Now, in the use of your product, your tool or your data, that's different.

00:43:48.134 --> 00:43:55.052
But let's say, the employee code, my protocol for employees to use AI.

00:43:55.820 --> 00:44:02.286
You can't just put your head in the sand and say, oh, they're going to know how to use it, it's a tool, it's going to make us more productive.

00:44:02.286 --> 00:44:04.864
Okay, yes, but to your point.

00:44:04.864 --> 00:44:16.905
So you're saying I take a customer letter and their customer, all their information and all of that, that you need to be able to redact it and that has to be part of your policy and the policy.

00:44:16.905 --> 00:44:20.079
You can't just have a policy and set it to get dust on it, collect dust.

00:44:20.079 --> 00:44:23.010
No, you have to talk about your policy with your employees.

00:44:23.010 --> 00:44:32.849
Maybe you have incorporated a tool, maybe you've chosen one for your organization that then segments your business data away from the rest of the learning.

00:44:32.849 --> 00:44:39.309
But that's what you'll go through when you go through the process of onboarding and incorporating that for business use.

00:44:39.309 --> 00:44:44.268
But you have to talk to your employees about that, because I'm gonna guess more times than not.

00:44:44.268 --> 00:44:52.090
They're not redacting, they're taking screenshots of business data, uploading it because it is efficient and more easier.

00:44:52.090 --> 00:44:54.594
You know it's easier oh yeah, and they're not redacting.

00:44:55.141 --> 00:44:55.864
Need to talk about it.

00:44:56.500 --> 00:45:02.612
Well, and I think, to your point, that highlights a couple of additional, I think, good reminders, right.

00:45:03.001 --> 00:45:26.460
One is that you can't just you're talking about sitting down on the couch and doing the mind map and starting somewhere, right, but you've got to do the hard work of not only implementing but then also auditing Auditing your people, auditing your process to make sure it's being followed, auditing to make sure whatever the storage process is is being completed right.

00:45:26.460 --> 00:45:46.521
And to your point, um, with cell phones being so easily available, right, you're at work, it's just easier to just screenshot something with your phone and then, all of a sudden, that information has left the protected system and it's now in someone's physical personal phone, which, I mean, opens up so much liability for the company.

00:45:46.521 --> 00:45:59.231
And so I think you know also, having that talk with your employees about the importance of the integrity and protection of information that's stored adds that additional layer that you know.

00:45:59.231 --> 00:46:14.106
I guess it helps to keep your processes in place and your protection working, and it's not, you know, fail safe, but at least it helps to potentially keep things going.

00:46:14.387 --> 00:46:18.264
Exactly, and you talk about training and continuing to have the conversation.

00:46:18.264 --> 00:46:20.150
The same thing has to go around AI.

00:46:20.150 --> 00:46:32.402
So October is Cybersecurity Awareness Month, and I do speaking engagements throughout the year, but more specifically October, I seem to have a lot more of them.

00:46:32.402 --> 00:46:43.619
One company in particular wanted me to focus all on AI using AI, the positives and the negatives or potential dangers and what it did is aligned with the philosophy and the communication that they're sending out throughout the whole year.

00:46:43.619 --> 00:46:47.547
But it was coming from somebody else, somebody outside the organization that was coming in to do it.

00:46:47.626 --> 00:46:51.172
So this is part of having a conversation.

00:46:51.172 --> 00:47:16.952
Maybe you don't have a big budget to bring in an outside speaker, but mix it up Lunch and learns Messages over Slack, Maybe a nice little meme in the break room, Whatever it may be, but you have to keep these conversations going because otherwise you just get into oh, this is really easy, I'll just upload this and it's then very detrimental to, especially if you're following a framework like a SOC 2 framework ISO 27001, that require documentation.

00:47:16.952 --> 00:47:27.072
So if you're, potentially you're damaging the certificate or the security certificate status by going outside the ecosystem that has been approved in which we keep that data.

00:47:27.659 --> 00:47:30.141
Excellent point, absolutely so.

00:47:30.141 --> 00:47:35.833
If I was a business that wanted to come to you and work with you, what does that look like?

00:47:36.440 --> 00:47:38.128
Well, we help with their compliance.

00:47:38.128 --> 00:47:40.072
So we would fall into that category.

00:47:40.072 --> 00:47:41.380
Is they need a partner?

00:47:41.380 --> 00:47:42.463
They need somebody to help them.

00:47:42.463 --> 00:47:44.467
One do a risk assessment or just even see where they're at, but then we would help them start.

00:47:44.467 --> 00:47:52.411
One do a risk assessment or just even see where they're at, but then we would help them start getting the documentation to achieve whichever framework that they were looking for.

00:47:52.411 --> 00:47:54.768
One of our specialties is SOC 2.

00:47:54.768 --> 00:47:57.860
So that's what we would do we would start helping you gather the evidence.

00:47:57.860 --> 00:48:14.367
We have a GRC platform, which is Governance Risk Compliance Platform, store it all in and that way the auditor can look at the platform, pull all the documentation they need, and it ends up streamlining a lot of what would be a very frustrating time gathering all that evidence so is it safe to say?

00:48:14.467 --> 00:48:21.690
instead of hiring someone internally, I could, as a business owner, come to you and you could help with the entire process absolutely that's.

00:48:21.871 --> 00:48:25.284
That's our jam, that's what we do awesome.

00:48:25.405 --> 00:49:08.315
Well, um, I think this conversation, I think for a lot of business owners, feels distant, because it's something that I think a lot of business owners feel like is this thing that is only required of the big corporate giants when, in reality, there are plenty of small businesses that could be implementing systems that not only protect their liability and ensure that they can scale properly up to their exit plan, but also allows them to sell more seamlessly, to pass the baton in a way that is less convoluted?

00:49:08.315 --> 00:50:06.824
I think one thing to highlight in this conversation and obviously I'm happy to have you chime in on other stories that you've also seen out in the wild, because I think it's important this piece that you talked about with making sure your employees are trained and well-informed about the systems and processes that you should follow, is such a salient point to see, even big companies where employees that are sophisticated you know executive level individuals that you would, you know the the average person's like you know Bob's VP of sales, he's not going to fall for that, and and then and then they do, and so I think that this misnomer that you know there are certain people that aren't, you know, potentially going to fall prey to these tactics is just untrue.

00:50:06.824 --> 00:50:12.514
And, um, I worked for a law firm in the past that you know potentially going to fall prey to these tactics is just untrue.

00:50:12.514 --> 00:50:16.762
And I worked for a law firm in the past that you know we did a lot of, you know, phishing testing and other things to like train people.

00:50:16.762 --> 00:50:43.733
And even then we would still have things happen where I would get an email and it would be a phishing test and they were really good at them at this one firm that I was at and it would come in and it would look like a UPS or a FedEx confirmation code and it's perfect for law firms because you're doing a ton of mailing.

00:50:44.581 --> 00:50:45.385
Usually you're doing mailing.

00:50:45.385 --> 00:50:47.130
In my practice, being corporate in nature and doing M&A, I'm doing far less mailing.

00:50:47.130 --> 00:50:49.766
You know, usually you're doing mailing In my practice, being corporate in nature and doing M&A, I'm doing far less mailing.

00:50:49.766 --> 00:50:50.188
It's not.

00:50:50.188 --> 00:50:53.344
There's no, you know litigation is far more mail intensive.

00:50:53.344 --> 00:50:56.581
You might have some mailings that go out, but for the most part you're not doing any mailing.

00:50:56.621 --> 00:50:59.688
And so when I received the email, it's like this is weird.

00:50:59.688 --> 00:51:10.405
I haven't sent anything, I don't think I'm expecting anything and I forwarded it to my assistant and I said I don't think this is relevant, whatever this is, but can you just look at it?

00:51:10.405 --> 00:51:18.501
She clicked the link and and I felt so bad because I was like I didn't mean to tear up for it, right, I think it was like a phishing test for me specifically.

00:51:18.501 --> 00:51:22.376
They wanted me to click the link, um, and but it was.

00:51:22.456 --> 00:51:37.806
It was such a good learning moment for the two of us and I think it highlighted how important it is that the training isn't just done in a silo, right, because that training was intended for me to teach me not to click the link without checking the email.

00:51:37.806 --> 00:52:13.449
And this was early on in my my legal career, right, kind of when phishing was really becoming in vogue, where, like, the testing part was coming in vogue, cause that was not something that was happening kind of broadly and you might do some testing, but it wasn't like as sophisticated as as it has become today and um, but I think that story just highlighted how important it was that she and I have communication and training together about you know, we're a team and how much that team could, you know, effectively fail a phishing test together in a way Exactly.

00:52:13.630 --> 00:52:19.626
And to your previous example, which is the team member got a request from the president.

00:52:19.626 --> 00:52:26.708
It's the direct reports, it's people you work most intimately with that you need to have that conversation with and train.

00:52:26.708 --> 00:52:28.452
I think that's an excellent example.

00:52:28.452 --> 00:52:29.561
I mean otherwise.

00:52:29.561 --> 00:52:38.103
I mean, if I use the example of LinkedIn, you know we're all posting what we're doing and where we're going and we had a great business meeting and it's photos of us, maybe even traveling.

00:52:38.724 --> 00:52:42.572
So I don't, in my personal life, post on my social media when I'm traveling.

00:52:42.572 --> 00:52:43.782
It's more of a later gram.

00:52:43.782 --> 00:52:45.505
Why am I doing it on LinkedIn?

00:52:45.505 --> 00:52:50.514
Just because I had a great business meeting and did a you know a presentation for you know 400 people at some.

00:52:50.514 --> 00:52:52.884
You know big amphitheater, great.

00:52:52.884 --> 00:53:09.603
Well, I can wait a couple moments when I'm back and posting that because in the event then, because usually LinkedIn is just public you can have anybody that you can click to see who's in my organization and then you can easily fish them, just because you know the person is out and about.

00:53:09.603 --> 00:53:15.103
So it's just those conversations of, even when you're posting and having the conversations about.

00:53:15.103 --> 00:53:17.851
I would never ask you for a gift card, I would never do those things.

00:53:19.121 --> 00:53:20.523
So no really great reminders.

00:53:20.905 --> 00:53:25.253
Yeah, absolutely Well, I want to thank you for being on today.

00:53:25.253 --> 00:53:28.746
Thank you for having me as a closing question.

00:53:28.746 --> 00:53:37.251
I would love to know what is a more recent book or podcast that you've listened to that you think a business owner would love to also read or listen to.

00:53:38.179 --> 00:53:44.342
Well, that's the thing is, I am actually reading older books, so I hope that I can have an asterisk here One I recently.

00:53:44.342 --> 00:53:47.150
I'm reading in the middle right now of Living With a Seal.

00:53:47.150 --> 00:53:47.831
Have you read it?

00:53:47.831 --> 00:53:48.432
I have not.

00:53:48.432 --> 00:53:49.726
It's Jesse Itzler.

00:53:49.726 --> 00:54:05.188
He's a big marketing person, but he has invited David Goggins into his life for 30 days, or 60 days, maybe it was to train like a seal, and for me, I think, as a business owner, two years into this, it's really teaching me determination.

00:54:05.188 --> 00:54:09.068
You can do whatever you put your mind to and, yes, is it more on a fitness level?

00:54:09.068 --> 00:54:12.054
Sure, but it really is focusing on.

00:54:12.054 --> 00:54:13.126
You know you're going to stick with it.

00:54:13.126 --> 00:54:15.340
You're sick with your plan, you're going to get out of your comfort zone.

00:54:15.340 --> 00:54:20.346
You're going to do all these things, and I appreciate that from it's even from a health angle.

00:54:20.346 --> 00:54:22.628
So I've been really digging it.

00:54:22.929 --> 00:54:23.409
That's cool.

00:54:23.409 --> 00:54:26.092
No, I uh David Goggins is.

00:54:26.092 --> 00:54:27.534
Uh, his methods are.

00:54:27.534 --> 00:54:31.202
I've seen a couple of his Instagram reels.

00:54:31.202 --> 00:54:32.445
I'm like this is not for me.

00:54:32.445 --> 00:54:36.586
Uh, unfortunately, we share the same last name, so I often get asked if we're related.

00:54:36.586 --> 00:54:38.375
Um, I'm like, no, thankfully.

00:54:38.375 --> 00:54:41.161
I don't think I can handle his energy on a daily basis.

00:54:41.161 --> 00:54:43.425
Um, but no, awesome.

00:54:43.425 --> 00:54:49.492
Well, I appreciate all of your insights and, uh, look forward to having another discussion sometime in the future.

00:54:49.492 --> 00:54:50.153
I'd love that.

00:54:50.153 --> 00:54:51.396
All right, thanks, thanks.

00:54:51.396 --> 00:54:59.059
If your business is looking to get compliant or SOC 2 certified, reach out to Paige at Secure Labs or drop us a question in the comments below.

00:54:59.059 --> 00:55:34.027
Thank you,