How big is the problem of hacking worldwide? How do I protect my business? If I experience a data breach, what should I do? In this edition of “Decision Vision,” Charles Hoff, CEO of Data Security University, answers these questions and more in an important conversation with “Decision Vision” host Michael Blake.
Charles Hoff, Data Security University
Charles Hoff is the CEO and Co-Founder of Data Security University. Data Security University (DSU) provides its clients with its innovative Security to the 6th Power platform. The platform enables organizations, along with their SMB customers, franchisees, and government agencies, and vendors, to seamlessly receive and manage 1) Data Security and Privacy Regulation education/training; 2) Financial Calculation of specific data security exposure; 3) Security Risk Assessments; 4) Vulnerability Scoring; 5) Immediate Customized Action Planning to significantly mitigate exposure, and 6) Connection to the most reputable Managed Service and Data Security Technology providers.
Charles is very proud of the fact that Data Security University has helped business operators throughout varied industries understand and take action to better safeguard their organizations from devastating data security breaches.
Although Charles has traveled the world extensively, he took advantage of the excellent schools close to his hometown of Atlanta, having received his BA from Emory University, JD from UGA Law School and EMBA from Kennesaw State University. Charles and his wonderful wife Eileen are proud to call both Atlanta and Charleston, SC their homes. Charles and Eileen’s greatest joy emanates from their family consisting of their adult children and son-in-law – Alex, Mallory, and Ben.
Michael Blake, Brady Ware & Company
Michael Blake is Host of the “Decision Vision” podcast series and a Director of Brady Ware & Company. Mike specializes in the valuation of intellectual property-driven firms, such as software firms, aerospace firms and professional services firms, most frequently in the capacity as a transaction advisor, helping clients obtain great outcomes from complex transaction opportunities. He is also a specialist in the appraisal of intellectual properties as stand-alone assets, such as software, trade secrets, and patents.
Mike has been a full-time business appraiser for 13 years with public accounting firms, boutique business appraisal firms, and an owner of his own firm. Prior to that, he spent 8 years in venture capital and investment banking, including transactions in the U.S., Israel, Russia, Ukraine, and Belarus.
Brady Ware & Company
Brady Ware & Company is a regional full-service accounting and advisory firm which helps businesses and entrepreneurs make visions a reality. Brady Ware services clients nationally from its offices in Alpharetta, GA; Columbus and Dayton, OH; and Richmond, IN. The firm is growth minded, committed to the regions in which they operate, and most importantly, they make significant investments in their people and service offerings to meet the changing financial needs of those they are privileged to serve. The firm is dedicated to providing results that make a difference for its clients.
Decision Vision Podcast Series
“Decision Vision” is a podcast covering topics and issues facing small business owners and connecting them with solutions from leading experts. This series is presented by Brady Ware & Company. If you are a decision maker for a small business, we’d love to hear from you. Contact us at email@example.com and make sure to listen to every Thursday to the “Decision Vision” podcast. Past episodes of “Decision Vision” can be found here. “Decision Vision” is produced and broadcast by Business RadioX®.
Visit Brady Ware & Company on social media:
Intro: [00:00:01] Welcome to Decision Vision, a podcast series focusing on critical business decisions, brought to you by Brady Ware n& Company. Brady Ware is a regional, full-service accounting and advisory firm that helps businesses and entrepreneurs make vision a reality.
Michael Blake: [00:00:20] And welcome back to another episode of Decision Vision, a podcast giving you, the listener, clear vision to make great decisions. In each episode, we’re discussing the process of decision making on a different topic. But rather than making recommendations because everyone’s circumstances are different, we talk to subject matter experts about how they would recommend thinking about that decision.
Michael Blake: [00:00:37] My name is Mike Blake, and I am your host for today’s program. I’m a Director at Brady Ware & Company, a full-service accounting firm based in Dayton, Ohio, with offices in Dayton; Columbus, Ohio; Richmond, Indiana; and Alpharetta, Georgia, which is where we’re recording today. Brady Ware is sponsoring this podcast. If you like this podcast, please subscribe on your favorite podcast aggregator, and please also consider leaving a review of the podcast as well.
Michael Blake: [00:01:03] Today, we’re going to talk about data security. And helping us out today as Charles Hoff, CEO of Data Security University. DSU was established just over four years ago with the mission of demystifying the regulatory and contractual obligations of small and medium-sized businesses to comply with data security standards including NAST, PCI, DSS, and GDPR. And I’m sure we’ll find out what those things actually mean in the interview.
Michael Blake: [00:01:30] DSU’s commitment to communicating in plain English while delivering engaging patent-pending products resonated with business operators who had very little time to learn how to keep their customers’ business, personal, and credit card data secure. Data Security University’s unique products deliver interactive education while assessing an organization’s security vulnerabilities and providing a tailored action plan for data protection.
Michael Blake: [00:01:54] Data Security University’s customers recognize the shorthand for this approach to educate, calculate, assess, score, action plan, connect to experts. In addition, they’re able to leverage Data Security University’s cybersecurity, PCI, and GDPR assessment tools to benefit from its backend big data analytics, while marketing their own related security products and services.
Michael Blake: [00:02:19] Although Charles has traveled the world extensively, he took advantage of the excellent schools close to his hometown of Atlanta, having received his bachelor’s degree from Emory University, his law degree from the University of Georgia Law School, and his executive MBA from Kennesaw State University. Charles and his wife, Eileen, are proud to call both Atlanta and Charleston, South Carolina their homes. Charles and Eileen’s greatest joy emanates from their family consisting of their adult children and son-in-law Alex, Mallory, and Ben. And on a personal note, first of all, Charleston has an awesome town. I love it every time that I go there.
Charles Hoff: [00:02:52] Ain’t it great?
Michael Blake: [00:02:52] When I grow up, I got to retire there.
Charles Hoff: [00:02:54] It’s a special place.
Michael Blake: [00:02:56] And Charles and I have known each other for a long time. It’s got to be at least 10 years.
Charles Hoff: [00:02:59] Yes.
Michael Blake: [00:03:00] I don’t think that I’ve met an attorney who smiles and laughs as much as you do. And in a nice way, not a sort of rubbing-your-hands-greedily certain way.
Charles Hoff: [00:03:08] I appreciate that.
Michael Blake: [00:03:09] But in a very good natured way. I find that it’s just a joy to talk to you. So, thanks for coming on.
Charles Hoff: [00:03:18] Thank you, Mike.
Michael Blake: [00:03:18] I really appreciate that.
Charles Hoff: [00:03:18] It’s always great to see you.
Michael Blake: [00:03:20] So, you’re a recovering attorney. When we last did business together, we’re involved in a litigation case involving a restaurant chain.
Charles Hoff: [00:03:28] Right, right.
Michael Blake: [00:03:29] I don’t do litigation anymore. I don’t think you do. Do you do law anymore? Do you practice law?
Charles Hoff: [00:03:33] Not anymore. No. I just leverage my legal background.
Michael Blake: [00:03:35] So, you’re completely out of the practice of law entirely?
Charles Hoff: [00:03:37] Yes, yes.
Michael Blake: [00:03:38] So, what led you to chuck all that and get into data security education?
Charles Hoff: [00:03:45] Great question. The funny thing is, Mike, that the common thread in my entire career has been data security and fraud. My 20 years at Equifax, a lot of friends kid me that I was doing ID theft and fraud before it was cool, but that was the beginning. And then, when I became General Counsel for the Georgia Restaurant Association and saw all these restaurants experiencing these tragic security breaches, and many of them going out of business, unfortunately.
Charles Hoff: [00:04:15] And the National Restaurant Association knew my background, and they said “Gee, we have 300,000 plus members that are suffering these terrible breaches. They don’t know how to comply fully with payment card industry, data security standards. Can you help them? Can you consult? Can you train? Can you help?” And I said, “I would be happy to do so.”
Charles Hoff: [00:04:37] It was very old school at the time. I went around the country making speeches, doing the whitepapers, even webinars. But one thing I found with very technical material like this, people’s eyes glaze over. And they have only so much. I mean, these are very successful. And at the time it was restaurant tours We, of course, branched out considerably. But they have very important jobs to do, and they only have so much time where they could focus on something other than their operations.
Charles Hoff: [00:05:06] So, the genesis of the company was I had a very good friend, I still do, who was one the top guys in Web MD, one of the first guys in. And he said, “Gee, make it engaging. Make it as entertaining as possible and get them through it as quickly.”
Charles Hoff: [00:05:22] And so, that’s really what started. And that’s how we got into it. And after I started doing it, I realized, “Gee, I so much better enjoy this than I did handling class action suits,” which even though is against the bad guys when you had breaches, still, I loved this process. We’re in a very quick and an easy fashion. We do demystify and help in terms of remedying it.
Michael Blake: [00:05:47] That entertaining part, I’m going to go off script for a minute because I haven’t really heard this elevator pitch for that. Entertaining part is important, right, because you want to get your kids to eat their vegetables, but there’s nothing wrong with putting over the sauce on them.
Charles Hoff: [00:06:01] Right, exactly.
Michael Blake: [00:06:02] If that’s what it takes to eat the vegetables, right? If you’re going to have people go through that education, why not not make it a waterboarding session to get through, right?
Charles Hoff: [00:06:12] So true.
Michael Blake: [00:06:12] There’s no reason you can’t do that if you take the time and make the effort. It doesn’t have to be a yuck-yucksession. But it doesn’t sort of have to be Ben Stein and Ferris Bueller’s day off either, just, sort of, droning on in front of the audience, right?
Michael Blake: [00:06:25] Yeah, you’re absolutely right. I mean, it’s got to be user friendly. It’s got to be non-technical. And we take a lot of pride in our videos because even though, in some fashion, they may appear to be lighthearted, they really get to the very core, and they’re short, and people get through it, and they said, “Gee, that was a painless way of learning something that that was so incredible in terms of it normally being very dense but breaking it out in that fashion.”
Michael Blake: [00:06:50] So, how long is your typical video?
Charles Hoff: [00:06:52] You don’t want to make it more than three minutes if you can, if you can avoid it.
Michael Blake: [00:06:56] Three minutes, really?
Charles Hoff: [00:06:56] Typically. Sometimes, we go a little bit over but not much.
Michael Blake: [00:07:00] You can teach what you need in three minutes?
Charles Hoff: [00:07:01] You can give a nice primer. You could lay the foundation. And that’s what we try to achieve with the videos.
Michael Blake: [00:07:08] And so, in the way that you’re — I know I’m going off script, but this is fine. So, in the way that you model, do people pay by the video? Do they buy a subscription? How does that whole arrangement work?
Charles Hoff: [00:07:18] Yeah. You got a great question there. In terms of our business model, we really provide to sum for the many. We have a model, which we provide a license for our application. I’ll go into it in a moment, if you like, security of 6th power. But we have companies like Paychex, there’s some great Atlanta companies that we’re very proud to call our own as customers, INSUREtrust, and we have a number of them that you would know, Bluefin. And what they do is they license and white label or gray label our platform.
Charles Hoff: [00:08:03] And so, by virtue of doing that, their customers, their vendors, their franchisees – for instance, like Jimmy John’s Franchisee Association is a customer – they’re able to have access throughout the year, anytime they want, as many times as they need to the education, the training, and the risk assessment.
Michael Blake: [00:08:26] So, you said something in the intro here where you are in data security before data security was cool. Why is it suddenly cool now?
Charles Hoff: [00:08:36] Well, in terms of cool, this become something that has become a great occupation. And it’s funny, when I first got into this, there were very few law firms that even touched it. And, now, just about every reputable law firm has their own cybersecurity team.
Charles Hoff: [00:08:57] And it is so essential. I mean, it’s the greatest existential threat that small businesses have. And of course, even the large ones, for that matter, but it’ll take a small and medium-sized business into bankruptcy before you know it. And we can get into that, of course.
Charles Hoff: [00:09:17] And the frightening thing is that by 2021 they’re expected to have $6 trillion, that’s what the T, $6 trillion of losses attributed to cybersecurity breaches.
Michael Blake: [00:09:29] That’s a big number.
Charles Hoff: [00:09:31] It is. It was $3 trillion in 2015. This year, you’re looking at about $11.4 billion as a result of ransomware, which we can discuss as well. So, with those kind of numbers with, very frankly, national security, we’re into a cyberwar, at this point. It’s so critical to everything that in the way we live our democracy, our economy. And so, it’s a huge, huge issue.
Michael Blake: [00:10:03] So, I grew up with computers, I’m Generation X. And data security in the very early sort of the 8-bit Atari, Commodore, Apple era, it was really about pirating games, right?
Charles Hoff: [00:10:16] Exactly.
Michael Blake: [00:10:17] I’m getting a copy of Zaxxon or whatever.
Charles Hoff: [00:10:19] Right.
Michael Blake: [00:10:21] But now, it’s had to evolve. Then, we want to semi online data services like CompuServe, and Prodigy, and those guys. But even then, I don’t think data security is necessarily a big deal. It’s got to be that just everything now is just so connected, right?
Charles Hoff: [00:10:38] Yeah.
Michael Blake: [00:10:38] And it’s just dizzying. Probably, the average person, including myself, probably doesn’t understand just how exposed we all are.
Charles Hoff: [00:10:46] And that’s what’s so frightening really. And that’s what we try to do in just a short period of time. Again, going back to making it user-friendly, non-technical, and giving people a foundation as quickly as possible because there’s so much to it, and it is so dense, and complex that it’s so easy for people to just — I mean, you’re a technical guy, you know this stuff, but so many people just say, “Hey, look, I don’t have time for this. I’m getting confused,” and just throw their hands up. And you want to avoid that at all cost.
Michael Blake: [00:11:18] I mean, for me, the data security evolved for me as far as antivirus software, and antiadware, and things being loaded onto your browser. But it’s even beyond that now, right? I mean, that’s all well and good, but just knowing you have up-to-date virus software doesn’t mean your data is secure, right?
Charles Hoff: [00:11:41] That’s a start.
Michael Blake: [00:11:41] It’s a start.
Charles Hoff: [00:11:42] It’s a start, Mike, yeah. Then, you add to it penetration testing, vulnerability testing, VPN routers, the firewall, the point-to-point encryption, the tokenization, the EMV, which is the chip and pin, multi-factor authentication. The list goes on and on. But the good news is, the very good news is approximately 90% of all breaches can be avoided by just simple safeguards. It’s a matter of taking people, process, and technology. And in an integrated fashion, making it work. It doesn’t have to be as complicated as it initially sounds.
Michael Blake: [00:12:25] Yeah, that’s a great point. I’ve studied this a little bit and indirectly experienced it. I’ve done some studies on the value impact on companies of data breaches and what happens to them. And that’s beyond the scope of this conversation. But I clearly remember one of the incidents that was cited. I think it was a VA Hospital in Minnesota. And they had 4000 medical records exposed because some guy wandered off the street, asked the nurse if he could borrow a laptop, and she gave it to him, and just walked out with the laptop.
Charles Hoff: [00:12:59] Yes.
Michael Blake: [00:13:00] Right. That’s not a technical thing. If somebody asks a laptop, say no.
Charles Hoff: [00:13:04] Well, that’s exactly right. And what people forget so many times, and it get lost in technology, that approximately 90% of breaches are employee-related. I mean, they’re bringing in tablets, they got the mobile devices. they got the laptops. And, of course, so many are victims to phishing and spear phishing. And it just is an awful situation. As a matter of fact, the stats — and I’ll apologize for getting too much into stats.
Michael Blake: [00:13:36] No, I love it.
Charles Hoff: [00:13:37] They are very profound. They’re very sobering. If you look at a small business, the average amount of malicious emails and over 90% of ransomware come in through these malicious e-mails. You’re looking at nine phishing emails a month on average. So, if you’re a small company with 10 employees, that’s 90 times where it’s just with emails. Through guys, like a trusted source, trying to fool you.
Charles Hoff: [00:14:13] And look, it’s great if it doesn’t get through the firewall, or you got an email filter that’s working. But what it comes down to is employees have to be well-trained and understand that even though it looks like it’s coming from my CEO, and I need to pay attention not to click. And so, training is so very, very essential.
Michael Blake: [00:14:36] And point of fact, a dear friend of mine was a CFO of a nonprofit, and she lost her job because she fell victim to a spear phishing attack. Wind up invert. She thought that her boss had asked for tax returns of certain donors. She sent them. All of a sudden, that data is exposed, and she had to take the blame for it, and she was out. That was it.
Charles Hoff: [00:15:03] There’s too many war stories like that. Here in Atlanta, in the Atlanta area, there is a company where you had a CEO, a small company, but the CEO, I believe, he had to attend a funeral. The COO was going to a conference, an event. And, of course, everybody posts with social media now. So, it’s not difficult for the bad guys to really determine who your children or the names of your children, your wife, spouse, husband. And you had a situation where they, actually, did some spear phishing for the controller who was left in the office. It looked like it was coming from the CEO, the e-mail, saying that. “Look, I’m away at a funeral.” I’ll make up a name. “Fred is off to the conference. We’re doing a quick, quick acquisition, a small one. First, confirm that you got this e-mail, and that you’re aware that it’s coming from me. And just give me confirmation of that fact.”
Charles Hoff: [00:16:01] And she shouted right back. “Yes, Mr. Jones. And condolences in terms of the funeral.” And he said, “Well, thank you. Let’s go ahead, and I’m going to have a lawyer contact you. And so, we can get the wiring instructions because we need to make this happen immediately while I’m out of town.” And sure enough, she wired the money, $1.7 million.
Michael Blake: [00:16:24] And just spear phishing, for those of you who are listening or may not know, spear phishing is like a phishing attack, but is more targeted and sophisticated, and that the perpetrators are able to mimic somebody, usually, inside the organization that you would expect to receive an email from.
Charles Hoff: [00:16:43] That’s right.
Michael Blake: [00:16:43] So, it doesn’t look like a Nigerian gold scam or anything like that, but it looks like somebody that you trust. And in the case of my friend’s organization, I’m bias, but, to me, the organization was at fault because they’d never provided any training. She’d never heard of spear phishing before then. Nobody in the organization was. She just got unlucky, and the perpetrators got lucky. They picked on the right organization at the right time. Yes, she has some blame, but it was really that it occurred because there was a systemic failure.
Charles Hoff: [00:17:15] Unquestionably. And that’s why phishing, testing, simulation, it’s critical because it’s gone so sophisticated. And so, it’s very, very important to not only train but test constantly. And we want to do our partner, we provide that, and we even do a gamification to keep them incented.
Michael Blake: [00:17:35] And like so many things, the attacker only has to be successful once.
Charles Hoff: [00:17:45] That’s right.
Michael Blake: [00:17:45] And they may be attacking literally millions of times if they’re using bots of some kind, right? A small percentage gets through, but you talked about that nine-person firm, and the 90 things that get through, if you even have a 1% failure rate, that’s a disaster. If you have a a one-thousandth of 1% failure rate, it’s probably still a disaster.
Charles Hoff: [00:18:08] Absolutely. And, again, some more stories. Orthopedic Group, I understand they’re worth. I’ve heard figures like 150 million. They were victims. And they ended up selling their hospital for zero for $1 because their value had been taken all the way down because of all the personal records, the health records that were exposed or breached. I mean, look at the city of Atlanta. I mean, you had ransomware. It wasn’t that long ago. You know what that demand was for, by the way?
Michael Blake: [00:18:39] I don’t recall.
Charles Hoff: [00:18:39] It was $51,000. And the City of Atlanta refused it, which a lot of companies and entities do. And you can go both ways on whether they should or not. The FBI still recommends that you don’t, but a lot do. The end result, $17 million in recovery fees, another $5 million to build out the infrastructure that was damaged.
Michael Blake: [00:19:02] So, I’m a small business owner, I’m listening to this. I’m either reaching for scotch, or breathing into a brown paper bag, or maybe I’m doing both, right?
Charles Hoff: [00:19:13] Right.
Michael Blake: [00:19:14] As a small business owner, I mean, I don’t have the resources that a Home Depot. Even they even had a major breach. Target did. Almost everyone we can name probably has had one, or they’re going to the next five years.
Charles Hoff: [00:19:26] True
Michael Blake: [00:19:27] I’m a small business. What do I need to do? How can I, in some economical way, protect myself from just this onslaught of people that are trying to rip off my data and sink my company?
Charles Hoff: [00:19:43] Right. Well, the first listed really is to understand that even though you’re a small business, and you don’t think that maybe anybody’s targeting you, well, the fact of the matter is that the last statistics I’ve seen are 61% have actually been the target of the hackers.
Michael Blake: [00:20:02] It makes sense, right?
Charles Hoff: [00:20:03] Yeah.
Michael Blake: [00:20:03] You’re less likely to have protection.
Charles Hoff: [00:20:04] Well, that’s it. It’s because of exactly what you say, that they don’t have the resources. They are really lean. But so often, they don’t think that they’re exposed. And what really happens is that they call it, the hackers call it spray and pray, where they just really — it’s a shotgun type effect in terms of what they do with phishing and ransomware and see what sticks. And it just that’s where the opening and vulnerability just happens be with those small and medium-sized businesses. And unfortunately, they be they become a target.
Charles Hoff: [00:20:44] So, the first thing is to realize that there’s a good likelihood that you’re going to be breached. And then, do something about it. Be proactive. I’ve had too many clients, unfortunately, come to me after the fact where they become very knowledgeable that they’ve been breached and what they should have done. But this is the time to do it.
Charles Hoff: [00:21:04] And you start out with, first of all, doing an inventory of your sensitive data- healthcare data, personal data, a customer credit card data, where everything is kept and the systems what you have. And then, really, you have trusted certified professionals. And it’s part of what we do to connect with the most trusted in the field, the most reputable, because you can have a problem if you don’t go to the right people.
Charles Hoff: [00:21:33] But have them perform an audit. But you’ll be a partner with them, and understand what they’re doing, and then put together — again, going back to that people, process, and technology, and having an integrated layered approach, making sure that you have an incent recovery plan because you can’t make it up as you go. It’s like a crisis management. You’re in that crisis, you’ve got to move, you’ve got to have the playbook. And you need to have a recovery plan we’re getting back that data. And those are things that are so very critical in the equation.
Michael Blake: [00:22:12] So, let’s put ourselves in the seat of people that you were once very closely involved with a restaurant. Restaurants get $2 million of revenue. If they’re doing great, they’re clearing $100,000, right?
Charles Hoff: [00:22:29] Yeah. Yes.
Michael Blake: [00:22:30] Can those businesses afford to be secure realistically?
Charles Hoff: [00:22:33] Yes. Realistically, yes.
Michael Blake: [00:22:37] Okay.
Charles Hoff: [00:22:37] And that’s a great takeaway here, Mike. And that’s a good news because it doesn’t have to be that expensive.
Michael Blake: [00:22:45] Because I think about all these nerds coming in and doing simulations, and audits, and stuff, I mean, that sounds expensive.
Charles Hoff: [00:22:52] Look, it is with large enterprises, and when you talk about the assessments and analysis. And that’s why we focus. I’d like my legacy to be that I helped these small and medium-sized businesses avoid breaches because it’s an incredible loss when they get hit. And they don’t realize that there’s different ways it could happen. But if they’re using credit cards, they have an agreement with their merchant acquirers. And a lot of small and medium-sized business think, “I’m covered because I’ve got a great card processor, I got a great POS company behind me,” and they don’t realize that in the fine print of the merchant acquirer agreement, it stipulates that they have to be compliant with payment card industry data security standards.
Charles Hoff: [00:23:45] And you look at 12 pretty straightforward requirements, but there’s over 300 subcomponents. And if they fail, and they find out very quickly when they fail because when there’s a breach, the first thing they find out is there’s got to be a forensic audit, and there’s a select number of auditors that the merchant acquirer will allow to come in. It’s a very intrusive process. And that can add up to 6,000, 7,000, 8,000, 9,000, 10,000 a pop for each location. And then they find out, too, that the merchant acquirer contractually can freeze their accounts receivable, six figures.
Charles Hoff: [00:24:22] And I don’t know that many small to medium-sized restaurants and franchisees that can survive for any length of time having $100,000 or so. And then, there’s penalties and fees that the merchant acquirer can assess, charge backs, charges for re-issuance of cards, remediation, litigation comes into play, oftentimes. So, it’s no wonder that so many of these small and medium-sized businesses go out.
Michael Blake: [00:24:51] So, the short answer is, I mean, this is just a new cost of doing business, right?
Charles Hoff: [00:24:55] It is. It’s the reality. And even, sometimes, I hear with larger enterprises, we serve a good many larger enterprises that, of course, have a lot of smaller customers, and franchisee, chains, locations. And, sometimes, you’ll have where, “Gee, we’re going to get to this. We know it’s important.” But we have a couple of really high-charging executives that there’s revenue projects that the IT Department needs to work on first. And very frankly, we even had them, I’m not going to name the company, but we heard that, and they were breached before we could do anything for them, which is really unfortunate.
Michael Blake: [00:25:40] So, actually, that brings up another questions. So, let’s say somebody is listening to this too late, or they’re acting on it too late. I’m a small company, or any company. I guess that part doesn’t matter. And I discover that I’ve likely been breached. What do I do?
Charles Hoff: [00:25:57] Well, it depends on what kind of breach. But the first thing that they should do really is get in touch with an attorney who is proficient and expert in this field. A lot of lawyers aren’t. You want to call your merchant acquirer if it’s a card information, your POS provider, but law enforcement comes into play in a hurry. And you want to make sure, oftentimes, it’s Secret Service. Now, the FBI is taking even more responsibility.
Michael Blake: [00:26:27] The Secret Service, really?
Charles Hoff: [00:26:28] The Secret Service. Well, a lot of this really comes down to Homeland Security.
Michael Blake: [00:26:32] I guess so, yeah.
Charles Hoff: [00:26:33] And we’ll talk about it in a little while if you like, but they’re always looking to see if nation states are involved as well. So, in terms of law enforcement, normally, it’s not the locals, it’s the Secret Service and the FBI. They get involved. It’s that serious. And, of course, they have the expertise, and the capabilities, and resources to really do what needs to be done from a forensic standpoint.
Michael Blake: [00:26:58] Now, a lot of companies are putting their data into the cloud now. Small companies, I did when I had my own firm, I had everything on one drive.
Charles Hoff: [00:27:04] Right.
Michael Blake: [00:27:06] Should that give me any comfort that my data is any more secure that if we’re just sort of sitting around on a client computer or if I’m hosting my own server?
Charles Hoff: [00:27:15] Well, the answer is a qualified yes. I mean it’s — But I was with somebody the other day who said, “Well, I checked off that box. We should be good. We’re in the cloud.” Well, think about that. I mean, really, you need to make sure that, one, it’s a very reputable company. And you need to ask a lot of questions and take a look at that agreement because the way they look at it is it’s a shared risk. And, again, a lot of things, sure, you don’t have to worry about servers anymore and backups, but the same time, all those other things, the employee issues are still there. So, you have that.
Charles Hoff: [00:27:53] And these cloud servers are the targets of a lot of attacks because, naturally, there’s so many company information, so many companies involved with that that they’re a bigger target. And so, they get attacked. And I even heard of a situation to where there was an issue as to when a company, there was a dispute as far as payment paying to the cloud service provider, and the cloud service provider took their data. They said, “That’s ours. If you look at the contract that, it belongs to us now.”.
Charles Hoff: [00:28:26] So, it is risk sharing. It is something where I do advocate a cloud solution, but really do your homework, and make sure it’s the right one, and don’t kid yourself in terms of believing that once you do that, that your worries are over.
Michael Blake: [00:28:43] Right. Because somebody could still give away that laptop, but if it has access to your One Drive account-
Charles Hoff: [00:28:47] Precisely.
Michael Blake: [00:28:48] … it doesn’t matter, you still have that vulnerability.
Charles Hoff: [00:28:50] That’s exactly right, Mike.
Michael Blake: [00:28:51] So, what about insurance, is this a risk that you can purchase insurance against?
Charles Hoff: [00:28:59] Well, the answer is yes. And there’s some very good cybersecurity policies out there. And as you can imagine, more and more carriers have gone into this. Years ago, that wasn’t the case. Now, again, a caveat that you have to take a look very carefully at the wording of those insurance policies. I mean, they may not cover penalties. It may not cover forensic audits, attorneys’ fees. I mean, there’s so many different things that could be excluded, and you’re on your own, and you’re really having a problem.
Charles Hoff: [00:29:32] So, as a matter of fact, one of our clients’ customers, INSUREtrust, they are a pioneer in cybersecurity and security of 6th power, working with them to make sure that through their brokers, folks can really pay attention to that.
Michael Blake: [00:29:47] Are there certain kinds of businesses that tend to be more attractive targets or tend to be more vulnerable than others?
Charles Hoff: [00:29:54] Well, the answer is yes. First of all, we talked about the ones who are most vulnerable are the ones that aren’t paying attention and are doing what they need to in the way of safeguards. But as far as the vulnerable companies are concerned, I mean, look at — and it’s a little scary when you look at our power grid, utility companies, energy. I mean, now, they’re getting to the point where they’re really paying attention, and there’s new regulations. of course, governments, with this executive order last year that government agencies have to do assessments now. So, that’s the good news. But if you look at the sensitivity with government information, in South Carolina, there was a big breach a few years ago.
Michael Blake: [00:30:37] I remember that.
Charles Hoff: [00:30:38] Yeah. I think it was $3.8 million. I mean, excuse me, 3.8 million personal records.
Michael Blake: [00:30:42] Data records.
Charles Hoff: [00:30:44] … data records that were affected and compromised. And just think how powerful that information is. And a lot of times, these hackers, with a credit card information, there’s a short shelf life, and they have to really do what they can there in terms of fraud. But that’s not the case with our social security numbers, and date of birth, and we have children that will come of age, and more people start making money. And it’s a treasure trove.
Charles Hoff: [00:31:15] So, the government, unfortunately, has been vulnerable. Healthcare with that Anthem breach, remember that? That was, I believe, about 78 million people were affected by that. And right now, you have in America, one in eight Americans have had their health information compromised, which is very sobering. And a lot of people and a lot of commentators will tell you that the next big thing outside of ransomware is that — and everybody is watching to see these data aggregators, which have so much information, so much more than even Equifax, my old employer. And they have sensitive information.
Charles Hoff: [00:31:59] I mean, when you have information that deals with health, I hate to bring it up, but Ashley Madison with that breach, there were actually some suicides, there were some extortion.
Michael Blake: [00:32:11] They went out of business overnight.
Charles Hoff: [00:32:13] And you had where people actually were shamed because what was on. And then, you had people with healthcare items selling their medical records that they don’t want released. So, there is so much sensitivity, and there’s so much vulnerability to that kind of data.
Michael Blake: [00:32:31] And I speculate, but don’t know. I’m curious. Are companies that have electronic point of sale, do they tend to be more vulnerable than others just because those kinds of businesses, by necessity, have a front-facing, basically, portal to their data to the public? Is that fair to say?
Charles Hoff: [00:32:53] Well, yes. I mean, the good news is point of sale systems had gone better. But the thing that people don’t realize so many times, customers don’t realize, is that when they get the POS system they’re represented that, “Hey, this is PCI-compliant.” What they do after with that system may very well take it out of compliance. And it’s how you use them. You have employees surfing. I mean, there’s so many different ways that there could be an issue. It may not be the system itself but how the system is applied.
Michael Blake: [00:33:27] There’s a lot of talk about hacking of foreign origin. Most notably North Korea, Russia, and China. Is that accurate? Is most of the breaching activity indeed coming from abroad, or is that just sort of so much media attention, but there’s just as much coming domestically?
Charles Hoff: [00:33:54] No, that’s pretty accurate. I mean, we have our share domestically. But you have from abroad two different types. You have the nation state, where it’s actually the governments we’re talking about. You mentioned North Korea. Iran is part of that too and China. Of course, China is where we’re now on in terms of influence as far as IP. So, you have the nation states. And then, you have the individuals where, oftentimes, law enforcers are more lax.
Charles Hoff: [00:34:22] And it’s interesting that there are theories about why you have so many of these hackers, these individual hackers, or syndicates in Eastern Europe. And these other sites that we’re talking about. And some people speculate it’s because they have early education, heavy IT training in the lower schools, middle schools; and yet, they do not have a Silicon Valley and the type of opportunities in companies in the private sector to really take that skill and do something good and beneficial to it.
Charles Hoff: [00:34:57] And that’s not condoning in any way, but it’s just a theory as to why there may be so many out there focusing their attention. These are bright people. They could and should be spending their time doing something on the good side and making their money properly. And they probably make a lot given how bright they are.
Michael Blake: [00:35:15] Well, I guess, it goes back to the very old adage, right, “Idle hands are the devil’s playground.”
Charles Hoff: [00:35:21] True. Very, very true.
Michael Blake: [00:35:22] And I suspect, also, that a cyber criminal in Russia knows that they’re not going to be prosecuted-
Charles Hoff: [00:35:30] That’s right.
Charles Hoff: [00:35:32] … for hacking an American system.
Charles Hoff: [00:35:34] That’s exactly right.
Michael Blake: [00:35:35] They’re just not as long as-
Charles Hoff: [00:35:36] They could be a hero.
Michael Blake: [00:35:36] They could be a hero, right. They could get a medal, right?
Charles Hoff: [00:35:39] Yeah.
Michael Blake: [00:35:40] So, as long as our relationship with the Russians is the way it is, they can practice that with impunity. So-
Charles Hoff: [00:35:46] Unfortunately so.
Michael Blake: [00:35:50] One last question I want to cover before we wrap up today is about GDPR. There’s a lot of coverage in that in the media. It’s obvious that it’s a European data standard or data security standard. Can you talk a little bit about that? And at what point does a typical American business need to be concerned with that?
Charles Hoff: [00:36:15] Well, that’s a great question. GDPR is the General Data Protection Regulation. And that came into effect last May. And, really, what you’re seeing here, and it is considered to be the biggest privacy change, a dramatic change in well over 20 years. I mean, now, parliament EU, the parliament passed this. And it’s a matter of law. So, it’s not just best practices or standards they have to require.
Charles Hoff: [00:36:49] And really, what’s fascinating about this, and I’m sure you read with Zuckerberg where he said, he’s been grilled, and Facebook executives have been grilled, shouldn’t there be a GDPR kind of regulation in the States? And he actually said that he would advocate for some form of regulations modeled after the GDPR. And what the GDPR and what the GDPR is all about is it really gives back to to individuals, to consumers the right to have some control and to manage their personal data.
Charles Hoff: [00:37:31] And it gets to the point where data subjects have the right to ask the company what information it has about them and what the company does with this information. In addition, data subject has the right to ask for corrections. They can object the processing, they get larger complaint, and they can even ask for deletion of the information.
Michael Blake: [00:37:56] So, this is a sea change. And it’s something that US companies have to deal with now, on two levels. One is that if you are, say, in the hospitality field, travel, software engineer, a marketing company wherein you have that kind of personal information on EU residents. Look, if you have a targeted website, and you do business with Europe, then you are affected by this. And it is something that is enforceable, and the penalties are incredible. You have where it could be up to 2% or 4% depending how egregious it is of the total global annual turnover, which, of course, is-
Michael Blake: [00:38:39] Revenue.
Charles Hoff: [00:38:40] Yes, yes, made by everybody else, or £10 million or £20 million, whichever is greater. So, you’re looking at something that really has teeth in it. And what you’re seeing now is you’ve heard of the CCPA, the California Consumer Privacy Act, which goes into effect beginning of next year 2020. They have modeled their regulations after the GDPR. And you’re going to see other states now take that up. You may end up with a patchwork of states doing that. And then, there’s a talk about the Federal Government doing a National Government as well.
Charles Hoff: [00:39:18] So, it’s something that is a lot of people are excited about. It’s going to change things dramatically. But the good news is that consumers, now, are going to have the ability to better control, and manage, and give consent to how data about them, personal data is being used, particularly if it’s other than what was obtained for, the purpose it was obtained for.
Michael Blake: [00:39:45] All right. So, we’re running out of time here, and we’re only scratching the surface. This is such a deep topic. This could easily be a one-week seminar, and where even then, we’re just getting started. If someone wants to contact you to learn more about this, maybe explore what their company’s needs are, how can they find you?
Charles Hoff: [00:40:05] We’d be delighted to talk to them. They could look at about.datasecurityu.com. And they can call me at 404-245-6751 or e-mail me at firstname.lastname@example.org. Be delighted to, this is my life, and delighted to talk, and however we can help.
Michael Blake: [00:40:31] Okay. Well, very good. That’s going to wrap it up for today’s program. I would like to thank Charles Hoff so much for joining us and sharing his expertise with us.
Michael Blake: [00:40:39] We’ll be exploring a new topic each week. So, please tune in so that when you’re faced with your next business decision you have clear vision when making it. If you enjoy this podcast, please consider leaving a review with your favorite podcast aggregator. It helps people find us, so that we can help them. Once again, this is Mike Blake. Our sponsor is Brady Ware & Company. And this has been the Decision Vision Podcast.