Decision Vision Episode 57, How Do I Secure Data for Work at Home Employees? – An Interview with Justin Daniels, Baker Donelson, and Jodi Daniels, Red Clover Advisors
Millions of employees are now working at home because of coronavirus-related “shelter in place” directives, creating a data security problem for many employers. Justin Daniels, Baker Donelson, and Jodi Daniels, Red Clover Advisors, address this problem in the latest edition of “Decision Vision.” This series is hosted by Mike Blake and presented by Brady Ware & Company.
Justin Daniels, Baker Donelson
Jodi Daniels, Red Clover Advisors
Jodi Daniels is the Founder and CEO of Red Clover Advisors. She is a Certified Information Privacy Professional (CIPP/US) with more than 20 years of experience helping a range of businesses from solopreneurs to multi-national companies in privacy, marketing, strategy, and finance roles. During her corporate career, she proved a valuable asset to companies like Deloitte, The Home Depot, Cox Enterprises, and Bank of America, where she most recently served as the privacy partner for Digital Banking and Digital Marketing. Ms. Daniels started her privacy career by creating the comprehensive privacy program at Cox Automotive. She launched an online advertising network for Autotrader and Kelley Blue Book.
Since launching in 2017, Red Clover Advisors has helped hundreds of companies create privacy programs, achieve GDPR, CCPA, and US privacy law compliance, and establish a secure online data strategy their customers can count on. Jodi makes privacy easy to understand by breaking it down into measurable steps using plain language her clients can relate to. She passionately supports the idea that privacy is more than just compliance and concern over fines. It’s a human right we all deserve. She has made it her mission to help businesses build trust and transparency with this core value at its foundation.
Jodi holds a Masters of Business Administration and a Bachelor of Business Administration with a concentration in Accounting from Emory University’s Goizueta Business School. She lives in Atlanta, GA with her husband, two little girls, and a big fluffy dog named Basil.
Michael Blake, Brady Ware & Company
Michael Blake is Host of the “Decision Vision” podcast series and a Director of Brady Ware & Company. Mike specializes in the valuation of intellectual property-driven firms, such as software firms, aerospace firms and professional services firms, most frequently in the capacity as a transaction advisor, helping clients obtain great outcomes from complex transaction opportunities. He is also a specialist in the appraisal of intellectual properties as stand-alone assets, such as software, trade secrets, and patents.
Mike has been a full-time business appraiser for 13 years with public accounting firms, boutique business appraisal firms, and an owner of his own firm. Prior to that, he spent 8 years in venture capital and investment banking, including transactions in the U.S., Israel, Russia, Ukraine, and Belarus.
Brady Ware & Company
Brady Ware & Company is a regional full-service accounting and advisory firm which helps businesses and entrepreneurs make visions a reality. Brady Ware services clients nationally from its offices in Alpharetta, GA; Columbus and Dayton, OH; and Richmond, IN. The firm is growth minded, committed to the regions in which they operate, and most importantly, they make significant investments in their people and service offerings to meet the changing financial needs of those they are privileged to serve. The firm is dedicated to providing results that make a difference for its clients.
Decision Vision Podcast Series
“Decision Vision” is a podcast covering topics and issues facing small business owners and connecting them with solutions from leading experts. This series is presented by Brady Ware & Company. If you are a decision maker for a small business, we’d love to hear from you. Contact us at firstname.lastname@example.org and make sure to listen every Thursday to the “Decision Vision” podcast. Past episodes of “Decision Vision” can be found here. “Decision Vision” is produced and broadcast by the North Fulton studio of Business RadioX®.
Mike Blake: [00:00:00] Welcome to Decision Vision, a podcast giving you, the listener, clear vision to make great decisions. In each episode, we discuss the processes of decision making on a different topic from a business owner’s or executive’s perspective. We aren’t necessarily telling you what to do, but we can put you in a position to make an informed decision on your own and understand when you might need help along the way.
Mike Blake: [00:00:19] My name is Mike Blake, and I’m your host for today’s program. I’m a Director at Brady Ware & Company, a full-service accounting firm based in Dayton, Ohio, with offices in Dayton; Columbus, Ohio; Richmond, Indiana; and Alpharetta, Georgia. Brady Ware is sponsoring this podcast, which is being recorded in Atlanta per social distancing protocols. If you like this podcast, please subscribe to your favorite podcast aggregator and please consider leaving a review of the podcast as well.
Mike Blake: [00:00:44] This is a first in a sub-series of topics regarding how to address the coronavirus crisis. And I think we’re gonna have a few of these podcasts that we’re going to record before everything is said and done. But this is our initial attempt at this, and we’ll see how it goes. But I think that it should go pretty well. And specifically, we’re going to talk about data security.
Mike Blake: [00:01:07] Now, in episode 15, we had Charles Hoff come on to talk generally about data security practices and procedures. But now, we are faced with an unprecedented data security challenge. We’ve all been basically told to take our balls, and go home, and don’t come back until somebody else gives us the all clear. Now, for a lot of us, like myself, this is a good thing. It means that we don’t have to not be working at all. We can work from home, but it does present some novel challenges that, frankly, I don’t think a lot of us ever thought we would ever wind up having to face – certainly not on the scale. And as we always do for our podcasts, I bring in the best experts that I can find for this because I don’t know anything about this. All I know is to ask a few questions and we’ll let the experts talk.
Mike Blake: [00:01:59] So, joining us today are Justin and Jodi Daniels. Justin is a partner with Baker Donelson, which is the 64th largest firm in the US, giving their clients access to a team of more than 700 attorneys and public policy advisors, representing more than 30 practice areas, all seamlessly connected across 21 offices to serve virtually any legal and policy needs. Baker Donelson provides their clients a global network of global counsel and other professionals and to help their clients take advantage of global opportunities in more than 90 countries spanning six continents.
Mike Blake: [00:02:30] Justin’s corporate practice consists of representing middle-market and emerging growth businesses and business owners in all aspects of their growth cycle from structuring new ventures, raising capital, and advising on acquisitions and divestitures, to reviewing and negotiating key vendor franchise employment and customer contracts. Justin specifically advises businesses on cyber business and legal issues that pertain to mergers and acquisitions, investment capital transactions, and related due diligence matters, vendor customer contracts, information security plans, and cyber insurance. His representation of one of the largest crypto mining facilities in the country has provided him with a strong background in blockchain technology. This experience has been especially relevant in helping clients navigate how the blockchain might apply to a specific use case and the potential business and legal issues arising from it. He is also co-founder of Baker Donelson’s Cybersecurity Accelerator.
Mike Blake: [00:03:22] Jodi Daniels is founder and CEO of Red Clover Advisors. Since launching in 2017, Red Clover Advisors has helped hundreds of companies create privacy programs, achieve GDPR, CCPA, and US privacy law compliance – if you want to know what those are, again, go back and listen to Episode 15 – and establish a secure online data strategy their customers can count on. Jodi makes privacy easy to understand by breaking it down into measurable steps using plain language her clients can relate to. She passionately supports the idea that privacy is more than just compliance and concern over fines, it’s a human right we all deserve. She’s made it her mission to help businesses build trust and transparency with this core value at its foundation.
Mike Blake: [00:04:05] Jodi is a Certified Information Privacy Professional with more than 20 years of experience, helping a range of businesses from solopreneurs to multinational companies in privacy, marketing, strategy and finance roles. During her corporate career, she proved a valuable asset to companies like Deloitte, The Home Depot, Cox Enterprises, Bank of America, where she most recently served as a privacy partner for digital banking and digital marketing. Ms. Daniels started her privacy career by creating the comprehensive privacy program with Cox Automotive. She launched an online advertising network for Autotrader and Kelley Blue Book. Justin and Jodi Daniels, welcome to the program.
Jodi Daniels: [00:04:43] Hi. I’m glad to be here.
Mike Blake: [00:04:45] So, with all that said, you guys know a thing or two, you know a thing or two about security. Before we get started, I just kind of want to dive in to kind of a high level. When everything started hitting the fan about two weeks ago, what were your first thoughts in terms of how this is going to impact and really just sort of change the game in terms of business, privacy, and data security?
Justin Daniels: [00:05:14] So, thanks, Mike. Let me take that one. So, the biggest thing that we identified is pretty much overnight, companies, as you said, told their workforce, “Take your ball, and go home, and work remotely.” So, now, when you take a whole lot of companies who may not have had a significant part of their workforce work remotely and introduce them into this whole new concept of working remotely, a lot of the security challenges that companies were struggling to deal with, just in the workplace, now take on an added focus now that you’ve got all these people who are unfamiliar working at home, who now have to go and work at home and connect remotely to the company server, and all of the potential mischief and mayhem that can present for our trusty cyber criminals who are always out there.
Mike Blake: [00:06:10] So, let me ask this. I’m already going off the script, but I know you can handle it. Do you think as soon as this started happening, cyber criminals around the world, and crime syndicates, and so forth, and even state-sponsored are sort of rubbing their hands in anticipation because of the vulnerabilities here?
Justin Daniels: [00:06:27] I have three words for you. They think of this as a target-rich environment. Absolutely, because any kind of dislocation like that, just like you’re advising your clients to think strategically about new ways to do business, a pandemic like this for a cyber-criminal says, “Wow, look at all this dislocation and people working remotely, this is just a great opportunity to commit different and varied types of crimes.” And as we get into this, I’ll share with you some of the things that we’re already seeing, which are cyber threats that are very specific to coronavirus when it comes to phishing and other kinds of things, but absolutely.
Mike Blake: [00:07:08] So, now, everybody has gone home. And for, at least, in many cases, they’re working on their personal device in some respect. And they may have been before, but certainly more of them are now. What sort of issues does using your personal device to telework present?
Jodi Daniels: [00:07:25] Sure. And so, you have the teleworking piece, but you also have, a lot of people like us, you have children doing distance learning and virtual learning. And so, it’s very similar scenarios. But you have probably no VPN, maybe the home Wi-Fi doesn’t have a password, or the password is password, or my pet’s name, something very simple that’s really easy to crack. So, if I don’t have a good password or no password, that’s sort of the first line of defense on the Wi-Fi or router. And then, I might not have a VPN, a virtual private network. That’s often been sort of saved for some of the more sophisticated or bigger companies. And again, just an aside, if I was a company and sent everyone home because that’s what we needed to do, I didn’t think about a VPN and how I set that up.
Jodi Daniels: [00:08:15] A lot of people are now potentially exposing company data fairly easily. The Wi-Fi might be one kind of wall that a bad actor has to make it through. A VPN would be a second wall that they’d have to make it through. You also have company information now on a personal device, which presents two interesting things. You have the security challenge. You actually also have a privacy challenge because the privacy laws haven’t gone away. And now, you’ve just exposed further where that personal information is. And you have others in the home who might be seeing it. And maybe someone comes along and, oops, accidentally sends that email that you had in draft that had all this information on it, or shares information that they didn’t anticipate sharing, or a variety of things kind of like that.
Mike Blake: [00:09:10] So, you talk about the Wi-Fi piece. And I wanted to divert into that because I think that’s really important. When I think of Wi-Fi security, I think of going on airport Wi-Fi, Starbucks, whatever. Obviously, a vulnerability. And as you mentioned, that’s a target rich environment because if I’m a hacker, I know there’s 20 people in there that are using Wi-Fi. Chances are there’s one computer in there, at least, that’s not secured properly. In a residential environment, what is the crime case there? Have you heard of criminals literally just parking outside somebody’s home, or a group of homes, or maybe a multi-residential property, and just scanning for open networks and seeing if they can hack in?
Jodi Daniels: [00:09:58] Yeah. Well, if you actually think back to some of the stories you’ve seen on the children’s baby monitors that had Wi-Fi on them and how people were able to hack in. And sort of a nanny cam, people would call. The same idea is true. Those are on Wi-Fi networks. So, you have a couple different things. You have people from around the world who can break into those Wi-Fi networks that don’t necessarily … You know, there’s backdoors into all of this. Certainly, people could park outside my house. My neighbors can break in. We all don’t exactly know who our neighbors are all the time. So, you’re certainly exposing yourself. And the way the digital system works, I don’t necessarily have to be in range to be able to still break in, just like with those nanny cams years ago or ring devices. We’ve seen the developers of certain different Wi-Fi-enabled devices be able to break in and see whatever they want to see on those exposed devices.
Mike Blake: [00:10:53] So, are there any new threats that are being posed by mass teleworking, or do kind of the distribution or the composition of the threats change? Well, I guess what is the threat? How does the threat landscape change now that we’re in this mass remote working environment?
Justin Daniels: [00:11:14] So, Mike, I think the way that it changes is the type of phishing scams that you had before where they try to get to you through work, they’re now going to try to get to you as a remote worker. And let me break this down for you a little bit. So, you’re going to start to get emails that are very specific to coronavirus. And someone shared with me one that said, “Hey, this is from the CDC.com,” or I’m sorry, .gov.org. And the fact that they added on the “.org,” that’s what made it a phishing type of e-mail. So, now think about instead of phishing people at work, you’re now going to phish people at home, and they’d be distracted because they have kids, or trying to get work done, they have a million things on their mind.
Justin Daniels: [00:11:56] Well, let me take it a step further for you. And it’s a concept called Identity Access Management. And what that really is, is have companies – because they so quickly got their remote workforce working remotely – did they really think about, “Well, how do I have to limit the access of my employees?” Like, for example, with what you do, Mike, it might be that your company says, “You know what? Mike gets access to the network, but there’s probably no reason for him to get access to invoicing or cash management,” because that’s not really your role. But I think what you’re going to find with a lot of these other companies who are just quickly trying to get their employees working remotely, they didn’t think about how to limit the employees’ access to the company network.
Justin Daniels: [00:12:43] So, now, if I phish remotely on someone, not only may I get through their e-mail, I may get access to the entire company network because the company didn’t think through, “Well, maybe I need to limit their access.” And now, they can get to the invoicing, they can get the wiring, they can get this sensitive company IP. So, it’s really a cascading effect because it’s not just the remote working, it’s how did you set up identity access management? How are you putting in layers of defense to help your people who are working remotely? Because the phish e-mail is just the first step in getting access to a network that they may not have limited appropriately for the different workers because when you put several thousand people working remotely, a lot of companies may not have thought about this.
Mike Blake: [00:13:29] I think that’s a really interesting point that you bring up. So, I want to drill back into that. So much of cyber security still relies on the focus of the individual user. And that distraction I face, I have a nine year old that we’re homeschooling now. My wife has her own business. Our situation is not that dissimilar to yours. And it’s different. Even though I work from home a lot, it’s still different. And I have to change my work hours and so forth to make sure I can concentrate. But all it does, and because the nature of cyber threats, all it does is, it takes one wrong clicked email when you’re not 100% focused, and the whole house of cards can come down, right?
Justin Daniels: [00:13:29] That’s it. That’s it.
Mike Blake: [00:14:17] And so, I think a key bullet point, if you’re a remote worker and you’re listening to this podcast or if you’re a manager, one of the things to think about, aside from policies, and software, and hardware – and we will get into that – is also just maintaining concentration and focus because not only are we in a target rich environment but, realistically, for a lot of people, we’re in an environment that encourages mistakes. Sorry. Go ahead.
Jodi Daniels: [00:14:49] I just want to add. I think this environment, also, it’s emotionally charged. People are tired. They’re stressed. We’re all at home hoping we don’t get this disease. We might know others who do. And there’ll also be a fair amount of personal information that might come through our personal emails like, “Please donate to this cause here,” or like the one that Justin just said, “Let’s get more information on the virus here.” And so, when your defenses are down because you’re tired, and you’re trying to do 14 things at the same time, there’s going to be a multitude of different ways of how these actors are going to try and get at you.
Mike Blake: [00:15:33] So, let’s start at the heart of this from the infrastructure side. I think we’ll kind of start there and work our way out. Employees are now going to be accessing their servers remotely through the internet, through their home access. It may be cable. It may be fiber in some cases. It may be through their mobile device. How does that change the security equation? And how should companies be reacting or addressing that to minimize the security exposure at the infrastructure level?
Justin Daniels: [00:16:09] So, Mike, let’s talk about that. So, when you log on to your network with your business, I suspect you may have something, as Jodi alluded to, what’s called a virtual private network. So, let’s talk a little bit in general business terms what that is. So, that is software that you can put on your computer that creates a secure link between you and your company network using your home internet. But here’s the thing with VPN that’s interesting, is IT infrastructure wasn’t built so that everybody would be connecting via virtual private network.
Justin Daniels: [00:16:54] So, one of the things that companies may face is, one, they may not have sufficient licenses to put everyone on a VPN. But second, and probably just as important, is their network may not have the capacities to sustain the load of almost all of your workforce being remote. So, you may need to put in policies and procedures that say only certain employees have access during certain times because if everybody goes at the same time and is using it at the same time, you’re likely to have a disruption to your network or worse, it could go down. And then, you compound the problem.
Justin Daniels: [00:17:30] So, that’s just from an IT perspective, in addition to the security, because security is part and parcel of how do I keep stuff running because if it’s not secure, and we have a breach, then things don’t really run. But in general, how are you thinking about your IT infrastructure? And I think a lot of people did this because they had to get it done to keep working without thinking through, we’re gonna do this for an indefinite period of time. How do I make sure my IT infrastructure has the capacity to take care of all these people and also do it in a reasonably secure fashion?
Mike Blake: [00:18:05] So, you bring up virtual private network. I want to touch on that too because some people may have virtual private networks already, they may have purchased one because they’re concerned about the abolition of net neutrality. Some people have them because they want to be able to access Star Trek Discovery on Netflix. So, they spoof it into thinking they’re an international subscriber. So, it has been a consumer use case for VPN. Is that the same thing? And if I already have a VPN, does that mean that I’m using that to access those corporate documents or are we talking about two different animals?
Jodi Daniels: [00:18:45] I don’t know that it’s necessarily different. I think if you’re going to use any software on your personal computer to access the company network, your company and their IT professionals should be involved in that because I think one of the things you and I talked about was, should you use your own devices? And I think the answer to that is my company issued me a computer, but that may not be a realistic choice under this time pressure for everyone. So, my answer to you is you might be able to do it, but it’s not something where a company should say, “Hey, Mike, go off on whatever VPN you might have. Just go and use it.” It needs to be more of a concerted, “We’ve engaged with professionals and this is the type of VPN we want you to use. We’re going to give it to you because even though you’re letting employees have their own access, you want to have some level of control.”
Justin Daniels: [00:19:35] And we haven’t even talked about our iPhones. And that’s a whole nother area. And remember, a VPN just deals with the connection from you connecting to your server. It doesn’t really deal with any PII or other sensitive information that may now reside on your phone or your computer, and how that might impact the ransomware attack.
Mike Blake: [00:19:56] Yeah. And we’re definitely going to get to that. So, we’re kind of moving from that access in on out. The licensing issue you bring up is interesting. We phased out at the firm that I used to work for, when we had the Snowmageddon back, I want to say 2014, I think that sort of was. And of course, we’re all home. Once we finally got home, we’re home for about three days while the ice melted. And a lot of us couldn’t get on because we didn’t have enough licenses. We had to start rationing license. Then, we scrambled. But we never foresaw a scenario where 300 people, all of a sudden, would need remote access. And ironically, I think that’s actually made a lot of Atlanta companies better prepared for this, because we had sort of a dress rehearsal back and forth team to do just that.
Mike Blake: [00:20:52] Let me ask this. I know this is an area that you deal with a lot. So, I think your answer is going to be great. And that is, what are the cyber liability policy implications of moving to this mass remote working? When insurers wrote that policy, they thought there’s only a certain amount of remote and a certain amount of onsite. Now, that whole thing’s been disrupted. Are people’s policies being blown up if there is a breach? Are companies still covered?
Justin Daniels: [00:21:23] So, I think the answer to that question, Mike, is you really have to look at your individual policy, because if I’ve learned anything when I’ve been involved in the cyber insurance game is that there is no uniform policy out there like you have with commercial general liability or some of the other more well established type of policies. And so, I think what you’re going to have to do is take a look at the exclusions in your policy because it’s one of the hardest contracts that I have to read. And I hesitate to give you an answer that’s definitive because it’s really policy-dependent.
Justin Daniels: [00:21:58] But what I will say is companies should really be looking at whether or not they have specific, they call it social engineered emails, in their coverage because a lot of companies may not realize that they’re not covered for the kinds of increase in phishing scams that I expect, and they may want to look at their insurance and say, “Well, how am I covered for this?” because you probably know this, we’re in kind of the season where insurance is being renewed. And so, this is now a great time to bring up the issue of, “Hey, what is my coverage for socially engineered emails? And what is covered? What isn’t covered? Can I increase my defenses, so that I can get bigger coverage? What is excluded now that I’m more of a remote workforce?”
Justin Daniels: [00:22:48] These are questions that should be brought up now because I know we are now in the season for people getting renewals on their insurance, and premiums might be changing on that kind of stuff. But now is the time to be asking those questions to the insurers because you know what, when you talked about Snowmageddon, you bring up a larger point. A lot of companies who really don’t have or never practice their business continuity plan, they’re now having to build it in flight.
Justin Daniels: [00:23:16] And so, an additional challenge is this teleworking issue is a big one. I think we’re going to see a rise in cyber breaches, but they’re going to have to figure that along with furloughing employees. What if my employee, do I have to test them for the COVID? If they test positive, what do I do? So, now, you’ve got this teleworking issue sitting alongside all those other issues as a business. And it’s a capacity issue. How many of these issues can you deal with in mid-flight if you don’t have a plan and you’ve never practiced it? And that’s why I think you’re going to see such a rise in breaches because people are going to discount this one for some of these more immediate ones until this one becomes a huge problem.
Mike Blake: [00:23:57] Yeah, I think a key bullet point. And I appreciate you can’t answer this blanket. I mean, you sound like you have command of everybody’s insurance policy.
Justin Daniels: [00:24:06] Yeah.
Mike Blake: [00:24:06] But it does sound like it is definitely worth your while at a minimum to pull your policy out and see how this changing environment may alter the coverage. So, let’s move then sort of away from the infrastructure then to the individual device access. We’ll get to mobile in a second but I want to ask a question about computers first because I think they’re slightly different. And my question is this, I guess, broadly, what would best practices be for companies in terms of monitoring, policing, developing standards, I guess, around the actual hardware that employees are using to telework?
Jodi Daniels: [00:24:59] Well so, I think that starts with a few different things. There’s certainly software that companies can use to manage and monitor what’s happening. There’s data loss prevention software, there’s monitoring software, there’s VPN monitoring software, there’s oodles of software to actually manage the ins and outs of data on a network. At the same time, you really have to have some policies in place that inform the employee what is actually being monitored. And that’s really important depending on the country you’re in. So, if you’re outside the US, there’s some stricter policies in place, especially if you’re under GDPR, on what you can and can’t be monitoring, and what you have to disclose to me. If I’m here in the United States, there are still some issues. So, you kind of need to factor in the HR component combined with an information security policy.
Jodi Daniels: [00:25:56] So, while there’s an IT team who can identify the right software depending on the type of information and the number of employees to be able to monitor and determine where is traffic coming in and out of, what’s being downloaded, there’s capabilities to restrict what’s being downloaded, or shared, or forwarded. There’s a lot that you can do. And again, it’s very dependent on the company and the type of data. You do have to factor in the human element and the notice requirements, so that employees understand what is happening to them, to not have it be such a huge surprise.
Mike Blake: [00:26:37] Now, the question I think that follows from that naturally is, where’s that software going to reside? Of course, many people, not everybody, but many people do own their own computers. And so, they could use that to access whatever it is they need access or do. Is that the right answer is BYOD? And now, WYOD, just work on your own device. Is that presenting additional challenges? And if so, maybe, should a company consider them, at least, giving employees the option to use company issued equipment, so that maybe the company has more power over this, or maybe I’m barking up the wrong tree? Is that a way to think about this?
Jodi Daniels: [00:27:31] I think it’s a great question. So, BYOD, WWOD, pick your flavor of acronym, they all do present big issues. And again, a policy piece is something I’ve helped a number of companies on, which is, what is the policy? Because it does make it a little bit harder if I have my own device, depending on the tools that I’m using, you may or may not be able to see what I’m doing on that device. So, in some policies, the company has the right to take a look at it at any time. I have the right to be able to wipe it at any time. And I know we’re gonna get into mobile, but that’s really quite similar for mobile because a lot of times, I’m putting my company email on mobile, I might access my apps on mobile. It’s really very similar of what power does the company have to be able to come in and kind of audit, if you will, be able to test and control when it needs to, and it reserves the right to be able to do so.
Jodi Daniels: [00:28:29] At the same time, because there’s so much in the cloud these days, if I’m using Google Docs or I’m using Exchange, there are still some monitoring tools that can be connected to those cloud servers. So, let’s say I’m sending an email, and I’m trying to forward it to a personal email, there is some capabilities to be able to limit that. You can put in certain … you can’t forward it to G-mails, and Yahoo!’s, and things like that. I’ve seen companies do that. So, it’s a little bit dependent on the type of software I’m using, but it is definitely still possible.
Mike Blake: [00:29:06] So, let me bring up a specific case that I think if I were in a decision-making capacity – I guess I semi am – that would concern me if I’m allowing all my employees to use their personal devices, particularly if they’re not necessarily particularly conscientious about their own security is, who knows what is on the employee’s computer, right? And whether it’s free apps, whether they’ve downloaded pornography, whatever they’ve done with their computer, we know that there’s malware and other things that piggyback off of other content that may be basically cohabitating with company data in some respect, right? So, if we’re going to ask employees to use their own equipment, is that an additional risk? And is that one that the company can reasonably manage absent issuing everybody a company-issued laptop that then the company can lock down, and restrict use, and downloads, and all that good stuff?
Justin Daniels: [00:30:15] So, Mike, I think to address that question, what I would say is I am going to use a term I learned from the US Secret Service, it’s really about concentric rings of defense. And what I mean by that is you’re absolutely right, who knows what employees have downloaded? And if you’re a company who’s not in the position to configure a hundred computers or whatnot and just disseminate them out, you’re kind of in a spot where you’re going down BYOD. But as I alluded to before, I think you have to go at this with a sense of you’re going to assume that some phishing e-mail is going to make it through. They only have to be right once. So, you do security, I think, you train people up the best that you can, but you do it under the assumption that some e-mail or something is going to get clicked on because that’s just the law of averages.
Justin Daniels: [00:31:06] But the other things that you can do, and I alluded to it before, is are you making sure that your employees have the least amount of access necessary to do their work? Meaning that even if you phish someone, maybe it’s the administrative assistant to the CEO, that they don’t have access to billing and invoicing. The access that a criminal would get is very limited. So, then, what you’re adding in are these other layers of defense that make it harder for a criminal to get around, to get to your wire instructions or get to other information that they’re seeking to get to because you just don’t give people carte blanche access to the network.
Justin Daniels: [00:31:46] And are you using – and you’ve probably heard of this – two-factor authentication? Maybe you have instances where if you want access to certain parts of the network, there has to be a higher level of authentication than is required, so that people get access to invoicing, billing, financial statements, things of that nature. So, there are other things that you can implement to institute all these different layers of defense among the different assets that you’re identifying as being the most important for your organization.
Justin Daniels: [00:32:15] And that’s a lot of what I’ve been doing lately for clients is I’ve been helping them issue spot across a whole different swath of areas that are impacting their business. And when we start talking about teleworking, I start to ask these questions. When they say, “Oh, well, they just have access to the network,” then that’s where you’re creating the opportunities to help clients identify these issues, and then start to implement this defense in depth, which, really, it’s a factor of the technology that you’re using, we talked about; pop processes and procedures, Jodi alluded to that; and also, it’s educating your workforce about what to look for in phishing. It’s really doing all three of those things and doing it in layers of defense.
Jodi Daniels: [00:32:58] All right. So, let’s then move out to the mobile device. And I appreciate that that’s similar to the more conventional work device, but I think they’re a little bit different in that mobile devices are more likely to have been issued by someone’s employment. At a minimum, they’re probably picking up the tab for the access, which I think, then, gives the company certain rights that they may not have with respect to a true BYOD. So, how does the equation now change for mobile devices? Or let me ask this. iPhone or Apple has gotten a lot of publicity for their security. Even the government can’t crack it, et cetera. So, I don’t know if that’s true or that’s a sort of an urban legend like roving bands of surgeons that steal kidneys, but that’s certainly the reputation. Does the security equation change with mobile devices? And if mobile devices do, in fact, offer superior security, is there a case to be made that maybe you want to try to work off of mobile devices as much as possible?
Justin Daniels: [00:34:12] So, Mike, I’m going to answer the first part of that. So, when I was in Israel on a mission for cyber, even the Israelis said the iPhone is a much better platform for security. And one of the big reasons why is everything with Apple is internal to Apple with the apps and everything else. With Android and some of the other users system environments, other developers can come, and create things, and put them onto their systems. So, those are potential areas of weakness as opposed to Apple that’s very much self-contained. It is very difficult to breach Apple’s security, as we know from the San Bernardino issue and whatnot. So, Jodi and I happen to have the iPhones. So, one thing people should be doing is you can have a passcode that’s six digits long instead of four. People should implement that. It’s another layer of security.
Justin Daniels: [00:35:09] As for the other parts of your question, with mobile devices, I know that you can install software from a company perspective on devices that you give people that allows you to monitor the software or monitor the machine, what’s coming on to it, but also more importantly, what if somebody just loses it or something happens? It allows you to wipe their machine immediately. And having some of that software, particularly on devices that the company has issued, can really be the difference between a large breach and keeping something on a low boil because you’re able to get to your machine or your phone and just wipe it.
Justin Daniels: [00:35:43] So, that’s where, to me, mobile devices have some other security that might be if the companies issued all the phones, and they don’t have it on there, they might want to consider pushing apps out to their users, so they can now monitor the phone, the ISPs. And it shouldn’t be an issue if those are phones issued by the company, you just probably want to check some of your policies and employee handbook, so that people are made aware of you, and you put it on the computer or the phone that says, “Hey, look, anything you do on this, we can monitor.”
Jodi Daniels: [00:36:15] I’d add two interesting things. So, on the Apple side, one important distinction is a lot of people, they might use Slack or other chat channels, but if they use iMessage, iMessage, so Apple to Apple is what’s encrypted. But if I’m Apple to Android, I’m not encrypted. So, kind of an interesting differentiation on that. And then, if I’m a company who didn’t issue devices, and now everyone’s remote, and I have all these mobile devices, another avenue to, at least, be able to protect the data without … there are going to be some companies who don’t want to say, “I’m going to wipe all the data on your personal device.” That’s just not going to be the culture. For that company, the six-digit passcode is going to be a really important one. You can also have two-factor authentication on the different company-focused apps, and tools, and suites, and things along those lines too. Again, it’s another added layer to Justin’s concentric methodology.
Mike Blake: [00:37:15] And what do you think about biometric authentication? That’s getting more and more common. Android is headed for a while. Apple is catching up. Windows Hello. I’m a big fan of it. And I also use KeyLemon for Apple devices. Are you a big fan of biometric authentication as well, or do you think it’s overkill?
Jodi Daniels: [00:37:36] I think it depends on the type of data that your company has. I think it’s just all relative to the type. Again, what kind of information and the volume of information that the employee has? Maybe it’s appropriate for some employees, not for other employees. And bringing it to the privacy side, biometrics is a very sensitive area. So, for anyone who has employees really actually anywhere in Europe, for sure, it’s a sensitive data field under GDPR. That requires special notice and consent. And then, for states, here in the United States, biometrics, also, there’s a variety of hoops you have to go through. So, you can absolutely still do it. Just have to make sure you follow the laws where you’ve notified, you’ve asked for consent, I get what I’m doing. And to me, it’s just a matter of, does it make sense? Is it the right method for what I’m using?
Mike Blake: [00:38:30] So, you mentioned privacy. That’s a good segue to the next question I wanted to ask, which is, does this new work regime create loopholes that have not been foreseen in privacy protection and ownership protocols? Are there companies that, therefore, might be tempted to collect data that they wouldn’t necessarily be in a position to collect before? Is that an issue? And then, what are best practices to kind of safeguard against that?
Jodi Daniels: [00:39:05] So, from an employee standpoint … And there’s a difference, I think, between us and the rest of the world. The rest of the world generally has stricter privacy regulations than what we have here in the US. And in the US, we’re very sectoral. Every industry is going to have its own privacy laws. But if I had any level of a remote workforce, I likely was already monitoring something – IP addresses, where are people accessing my network from, and things like that. If I have more of them, I probably just have more data points. If a company is going to start analyzing it and using it in some other fashion, then I think that does tie into the loopholes that you’ve just described.
Jodi Daniels: [00:39:50] I personally haven’t heard of any company yet trying to do that. I think everyone is just in a little bit of survival mode trying to keep their business afloat as best as they can. So, it’s quite possible, but I haven’t heard of that yet. It would, though, go to the same theme that we’ve been talking about, which it brings it back to policy. Whatever it is that a company is doing, whether it’s on your customers or for your employees, you need to have a policy that informs them of what it is that you’re doing. And in some countries, the individual rights might be a little bit greater and the notice might be a little bit greater, but it is a fundamental privacy baseline to inform of what it is that companies are doing.
Justin Daniels: [00:40:37] Mike, I want to add one other point alongside of what Jodi is saying. If I’m a company, and if it’s the difference between my sales going down by 80% and collecting and using data to market to people, I think you know what a lot of companies are likely to decide to do, particularly small or medium-sized companies that may not have the cash reserves to withstand this. So, I think you’re going to have a lot of companies making some pretty tough decisions. Well, we got these privacy laws and these other things. Well, I need to sell this because I need to generate revenue. And I think that’s also going to create some issues.
Mike Blake: [00:41:13] Yeah. And that answer segues in a question that I’ve got to ask. And it’s an unfair question, but I’m going to ask it anyway.
Justin Daniels: [00:41:20] Okay.
Mike Blake: [00:41:20] And the question is this, is that I think more companies are in this position than are going to admit. One day, everybody is in the office. The next day, everybody isn’t. Most companies probably are just not as compliant as they need to be day one. I mean, I think that’s a fact of life. How do you manage that? Is the best practice to pause all of your operations until you get compliant? Do you just sort of roll that, and do the best you can, and hope that you don’t get unlucky, and you kind of make it until you do get to the point where you want to be? That’s a real kind of brass tacks decision. How do you think about that? I got to imagine your clients are raising that issue with you.
Jodi Daniels: [00:42:10] Yeah, we each have some thoughts. I think we’re going to both take a stab. I think that the reality is business needs to go on, especially in the environment that we’re in right now. And for any of the privacy laws and security requirements, it’s impossible to be perfectly 100% secure and 100% compliant. Companies should do the best that they can. And for some, it’s just starting out, and they know the five things they need to do. They have a list and they’re going to dedicate to working towards as many of them as they can. For others, they’re farther down the path, and they’re going to try and maintain where it is that they are.
Jodi Daniels: [00:42:50] So, generally, I don’t think it’s the best idea to just stop all business and wait for sort of your perfect compliance secure program because it’s moving. The security challenges are continuously changing. It’s doing the best that you can. Everyone can pretty simply educate a workforce of what they should be on the lookout for. There’s some practical items that they can do pretty simply. And there’s some more complicated things that they can work towards. And this is probably not the first time we’re going to have this. So, planning for the next iteration, I think, is going to be incredibly important. And Justin, I’m sure you have some thoughts too.
Justin Daniels: [00:43:34] So, Mike, I’ve already had some pretty tough discussions with people, particularly around potentially violating one law or having a potential lawsuit. And I’ve had to give some tough advice because you’re put in a position where the uncertainty of a lawsuit versus maybe violating some other law, I’m going to violate the law, kind of know what that might look like because you’re just trying to make some tough business decisions. When it comes to the security and the privacy, it’s like every other risk in your business. You need to manage it.
Justin Daniels: [00:44:07] And what Jodi and I have tried to articulate in our discussion today are some of the real commonsense things that you can do that don’t cost tons of money, don’t take an overwhelming amount of effort to start to manage this because you and I both know there’s no way people are going to wait to be perfectly compliant. That’s not what they’re gonna do. But what they can do is, if they do none of the things we’ve talked about and have these issues, if you have a data breach on top of what the environment is now, I think most companies, you’re done.
Justin Daniels: [00:44:40] And so, what can companies be doing to do some commonsense things that don’t cost the sun and the moon to address this? And that’s really the approach that Jodi and I have taken with our clients and customers on how to manage this amongst all the other things that people are trying to manage, because you know what businesses are focused on. How do I trim expenses and how do I generate new revenue? And within all of that, how do I manage these risks, which are very real when you have a remote workforce from a security and privacy standpoint?
Mike Blake: [00:45:12] So, Jodi and Justin, this has been a great conversation. I’ve learned a lot. I think our listeners are going to learn a lot as well. They probably will have more questions. How can they contact you for more information?
Jodi Daniels: [00:45:26] Sure. So, for me, a couple of different ways. My website is redcloveradvisors.com. You can also find me on LinkedIn, Red Clover Advisors or personally, Jodi Daniels. Real simply, email is just email@example.com.
Justin Daniels: [00:45:45] As for me, my email is firstname.lastname@example.org. And you can also find me on LinkedIn because Jodi and I post on these topics very regularly for more information. And I also have been advising companies just generally on strategically issue spotting. And so, if companies need help with that as this is important but not the only point. I’ll be honest, Mike, that’s been the bulk of my advisory services lately is helping companies strategically implement a business continuity plan in mid air because they either haven’t had one or the one they have doesn’t really relate to something this significant.
Mike Blake: [00:46:33] Well, thanks so much. That’s going to wrap it up for today’s program. I’d like to thank Jodi Daniels of Red Clover and Justin Daniels of Baker Donelson so much for joining us and sharing their expertise with us today. We’ll be exploring a new topic each week. So, please tune in, so that when you’re faced with your next executive decision, you have clear vision when making it. If you enjoy these podcasts, please consider leaving a review with your favorite podcast aggregator. It helps people find us, so that we can help them. Once again, this is Mike Blake. Our sponsor is Brady Ware & Company. And this has been the Decision Vision Podcast.