
MERGER SHE WROTE
Merger She Wrote is a podcast for business owners looking to scale, sell, or transition their companies. Each episode unpacks the strategies behind successful exits, the pitfalls to avoid, and the steps to maximize value. Featuring expert insights and real-world case studies, this podcast helps you navigate the complexities of M&A with confidence. Whether you're planning your next move or just starting to think about the future, Merger She Wrote gives you the knowledge you need to make informed decisions and build a business buyers want.
EP 4 | Scaling Up? Don’t Skip Cybersecurity!
Cybersecurity isn't just for big tech, it’s crucial for any business looking to grow or sell. In this episode, cybersecurity expert Paige Hanson, co-founder of SecureLabs, breaks down why strong security practices can make or break your company’s future.
With 60% of small businesses never recovering from cyberattacks, this conversation is a must-listen. Paige shares how threats change as you scale and why buyers care about your security setup, especially in regulated industries like healthcare.
From frameworks like NIST and SOC 2 to AI scams like voice cloning, this episode covers what every business owner needs to know to protect their data and boost their valuation.
Thinking about an exit? Start now with simple steps that secure your business and build trust for the road ahead.
Speaker 1:Thank you. Welcome to another episode of Merger She Wrote, I'm Paloma Goggins with Nocturne Illegal, and today I am hosting Paige Hansen. She is the co-founder of Secure Labs and a cyber safety expert. She is a renowned authority in consumer and digital safety with nearly two decades of experience in identity management. She is a frequent speaker at nationwide events raising awareness about identity theft and related issues. Thank you so much, Paige, for being on today. Thanks for having me. So we'll just dive right into the questions. I think from. Let's take it from the top. Let's say you are a business that's doing really well, you're scaling. You're thinking at some point in the future of exiting. You know what? I have my list of questions here that I have for Paige. So if you're watching this podcast instead of listening, you'll see me look down from time to time. So what would you say are the most common cyber threats that a scaling company can focus on? And if you want to be industry specific, go ahead. Otherwise, generalities work too.
Speaker 2:Yeah well, I think, generally it just depends on your size. If you're a smaller company, you have to think of it more as threats that are happening to your employees, so phishing emails, multi-factor authentication, intruders trying to get in kind of the high level, low hanging fruit. If you're a larger company, that's when you get more of a third party risk and you have other factors Because, if you think about it, the larger the company, the more systems you're going to have in place, the more vendors you're going to be using.
Speaker 1:Therefore, your risk is greater. So true, yeah, I think the layering of complexity is one of those pieces that people forget, right, the more you grow and the more complicated your systems become, the more you have that chance for loopholes or areas where someone could sneak in and get into a system. I want to back up a moment, because you talked about what a smaller business might be dealing with when it comes to phishing. I feel like that is universally both big and small company. If you've worked in corporate America, you've seen the phishing test. You've failed the phishing test.
Speaker 2:Oh, absolutely.
Speaker 1:The better phrase. But you know, I think a lot of people who are running smaller you know, family owned and operated businesses, aren't necessarily thinking about implementing phishing type traps to teach their employees hey, don't click on things without checking them out. You know what are some first steps. Let's say you're operating a business and it's been really successful all these years, but you've never really even thought about cybersecurity. Where do you start?
Speaker 2:Well, I'll acknowledge that usually cybersecurity is an afterthought, and it I mean you're thinking about building your business and your client base and just everything around building your business.
Speaker 2:Usually and generally, cybersecurity isn't like you know what. Let's pause and phish test our employees. So let's acknowledge that that's a thing, and that is the clients that I deal with are small to medium-sized businesses and so, taking a step back and realizing these fraudsters are working in scam compounds 24-7, trying to find a hole, trying to find a way in, so not only us as consumers have to have our guard up, but as a business, and especially a profitable business, where you may have loopholes in your invoicing, the way you invoice, and there might not be controls in place, where you have multiple people authenticating invoices or outreach and things like that. That's a problem and as you whether you're growing or you're really small you have to know that that's a priority, because one potential you know invoice that you pay or ransomware in your organization. 60% of small businesses, according to the National Cybersecurity Alliance, do not recover when they've had a cyber incident, and that's a big problem. That's crazy.
Speaker 1:I mean you know, you hear about in the news organizations that have had and especially in the medical world, right, but you hear of these organizations that have had someone breach their infrastructure and then they get locked out of their computer systems or they get locked out of their records and are held essentially for ransom. And you hear about these companies that make the decision to pay the ransom and get their things back. And the crazy part is what, if you pay the ransom and you don't get your things back, right, I mean it's not like it's a guarantee.
Speaker 2:It's not a guarantee. You're definitely taking a chance and the FBI will say do not pay the ransom. And I think a lot of businesses segment themselves and they think, okay, we've got to get a, whatever the reason is, whether they want to get their data back or they don't want the news to break that they had a data breach. But it all depends on the end goal. So here you are. Okay, maybe you do go to the FBI for help, but you need to get on it right away. It's not a oh, let's figure this out over the weekend by ourselves. No, you need to involve them right away because, depending on their data, that they've stolen or have access to, it really depends.
Speaker 2:Now, who knows what's going to happen? You know, is it client data, is it payment data? But that's also a really important note to say what controls do you have in place internally? Do you have a control where you back up your company's data every year, every quarter, every month? Is it air-gapped or segmented, so it's not on the same network as the rest of your data that could potentially be compromised? These are all things that you go through if you're following a cybersecurity framework. So there's a NIST cybersecurity framework. There is a SOC 2 cybersecurity framework that helps with privacy and security. These sort of things help as almost like a checklist of things that baseline you should be doing as an organization.
Speaker 1:I want to go back to what you were saying just a little bit before about how the data that's breached I mean, I think in a lot of the perspective of the business owner is not necessarily thinking about breach, in that it can fall into two separate buckets that have two sort of separate impacts to the business. One is, you know, like you were talking about the integrity of invoicing and sort of chain of custody, right, as you might discuss, like how you know invoice is sent to someone and is paid, and is there the potential for someone to duplicate or make that process look very, very similar? So a client sees it, pays, it doesn't realize they just paid someone else. But that's something that impacts the bottom line of the business, whereas what you were talking about just a few minutes ago, where the breach of data is client information, you know, maybe it's social security numbers, maybe it's health information. I mean, sometimes I feel like when you talk with people about cybersecurity, they're thinking about only one of those buckets, right, right.
Speaker 2:It is, and that's the thing. It's not just one thing. I get asked all the time what's the one thing? And maybe you'll ask this later.
Speaker 2:What's the one thing a business should do or should think of? And it's not. It can't be one thing because, to your point, you have access controls within your business operation that need to be tied down, but then you also have the access and the identity management of your client data, your company data, your business IP. All of that that I think a lot of people put in the same buckets, but they're not. They're ways to be vulnerable and have exposure unwanted exposure at that.
Speaker 1:So if you had to describe for someone who's just starting to look at compliance and cybersecurity, you know obviously there's a lot of ways that you can go about tackling this. Is there a place that they should start? Is there certain plans and implementation? Like, I guess it's such a broad space. If you could give more of a concrete like, this is where you could start or this is where it could be easy to start implementing, what would that suggestion be?
Speaker 2:I think, high level. If you're looking for a list to follow, implementing a NIST cybersecurity framework would be a really great one. To start with, what that means and what that boils down to is a couple things: identity and access controls. As a business, we want everybody to access something. What if so-and-so's out? We want to make sure these other five people can access the same system, or one person is in charge of developing our website or whatever it may be, but we want, just in case, we want you to have these other people backed up.
Speaker 2:You have to look and scrutinize very hard your identity and your access controls within your organization. There should not be a number of people that don't need access to certain systems or employee data, patient data, business data in general that have access just because it makes life easier. We need to scrutinize that. But the important thing, too, is audit trails. If you're reviewing a policy, if you're reviewing something or you do have access control, you need to have the documentation that you've done so, because in the event of a breach, in the event that you have some sort of audit, they're going to look at timestamps, they're going to look at the audit trail, and that could be the difference between paying an exorbitant fine because you're negligent or not as much. You will still pay a fine, but not as much because you did have the proper controls in place. It just happened to happen.
Speaker 1:I think that that highlights another good thing, which is that a lot of people think of data security, data privacy, as sort of this potential I would say pitfall of their business from a financial standpoint, from their reputation standpoint, but a lot of people don't think about the fines, the potential for getting in trouble, right, for failing to do what is necessary to protect your client information, and so I think it's really important to highlight that there's this you know, yes, you could impact your bottom line. You could impact your bottom line even further by getting fined, but also, what are the ramifications for your reputation as a business, even if you survive financially, if your clients then you know no longer, you know their social security number's out on the dark web. What are the implications for them? What are your obligations? You know, after the breach occurs.
Speaker 2:Right, well, one your reputation. Now that could take years or it could totally tank, and now you no longer have a business. There are businesses that recover from that. They put out the right statement and they offer the data or the identity protection and services like that, but when it comes to you know, as a business, what do you do? It depends on the data that was breached, it depends on your industry, it depends on the threshold within your state. All of that matters, and so it's going to be situational.
Speaker 1:Couldn't agree more. I think we've probably covered enough of why you should be afraid enough to do cybersecurity as a business. Well, I actually do want to add something.
Speaker 2:Yeah, please, so one you know, oftentimes we'll get. Well, we have cyber risk insurance. Have you heard this? We have cyber risk insurance. We're fine.
Speaker 2:But actually, did you know, in order to be paid out on said cyber risk insurance, in the event something happens, you have to have the controls in place, meaning there's requirements. You can't just have cyber risk insurance and then say, okay, we're good. I mean, it would be like, if I make the jump here, it's your own personal home insurance. If you say to your provider, I have three fire alarms or smoke detectors, I have three of them. And they say, okay, we'll mark you down there. Okay, this is your premium.
Speaker 2:But then you have, unfortunately, you have a fire. Now, all of a sudden, they're going to say, well, how many smoke detectors did you have? Oh, you didn't have any. Oh well, we're not going to pay you out, or you're, it's going to be nothing. And so the same things you have to think about, just the same thing applies to your business. If you say, yes, we have multi-factor authentication and we segment our data and we do these 10 things that are required, but then it comes back when they do an investigation and audit that you don't, well, now you're in the bucket of larger fines and you're not being paid out on something that you were going to rely on to help you recover.
Speaker 1:It's so true. I think that's missed on a lot of people is you have to make an effort. It works even in the M&A world from a merger and acquisition, reps and warranties insurance perspective, which, for anybody who's unfamiliar, reps and warranty insurance essentially helps protect you against the failure of a seller to disclose important items and you only find them out post-closing. And it's very expensive and it's kind of one of those insurances that if you're not doing your due diligence in the process and you're being lazy and you're not turning every stone over and kind of doing your part, the insurance, just like the cyber security insurance, won't cover. And I got to see that live in person. You know a business that had gone through the underwriting process, bought the expensive insurance, found out accounts receivable wasn't going to be paid, that they paid for as part of the purchase price, and I mean it's wild. So I think that's a really great point to underline is that you have to do the work to make sure that you are protecting your business in a way that the insurance can then come in and say you did as much as you possibly could to essentially bolster what we've come in to protect you against. Exactly, 100%. So I think this can dovetail into a really nice kind of segue into a different conversation, which is we talked a little bit about implementation and how important that is.
Speaker 1:I think the other piece of this is when a business is ready to sell let's say they're three, five years out they're starting to look to get organized, get their things. That, you know, I always say affairs in order. You know what is. How can someone just kind of taking even a step further back someone who's going to go through diligence, which is really the process of the buyer really inspecting everything about their business, what can a potential business that's going to sell do to really, I think, make the diligence process easier, right? What are you talked about? The list, yes, what else can from a records perspective? And obviously you know there's going to be reps and warranties in the document that says you know we've maintained, you know, certain security, you know thresholds and obligations or procedures or whatever it may be, and that's great, fine and dandy, but what does that look like on paper? First, you know what. Describe what that would look like if someone had to turn over records to prove it.
Speaker 2:I think, first, if you were to get, let's say, go for your SOC 2 attestation, if you have that report, that might be enough to say I have this report, I'm attesting to the fact that I have the proper security and privacy controls in place and will be reviewed on a yearly basis.
Speaker 2:But then you should be taking it a step further and asking the company to provide then the documentation for each of those controls, so when you're audited, depending on the auditing company, they could audit the entire control set, meaning that they're looking at every single document supplied. But then others they do a sample of things when it comes to risk management, your access controls, your HR, legal practices, your policies. But if you're really doing your diligence, you are going to look at every single document yourself and do almost your own audit to make sure that that in fact is happening, because there's a range of credible audit companies, auditors, and so you want to make sure, if it's really something that you want to look into, that you're doing it yourself and not just asking just for the report per se, which is a really great start, don't get me wrong, but doing that extra step of looking at the documentation.
Speaker 1:So, going back to, I want, for anybody who's not familiar with SOC 2, can you give us, like the basic 101 of what SOC 2 is?
Speaker 2:Yeah, SOC 2 is telling the business world that we take privacy and security seriously within our company. Here is what we do and there's a list depending on there's trust service criteria. There's five different trust service criteria. Most businesses will do at least security the first time and they'll say, yes, I am taking the proper steps. And here's the documentation that I take seriously that not only the security of my employees but my data as well. And then they'll start to expand over time and they'll start looking at policies of the hiring processes and integrity and there's more to it if you want to provide that. But really it's saying we take this seriously. Here's the documents to prove it. We've been audited by an external auditor that, in fact, that we do that and approve.
Speaker 1:So I'm going to play a little devil's advocate, just because I know business owners are busy, they struggle, they want. There's lots of things they have on their want list and the things that they actually check off are the most obviously critical right, the things that keep the business cash flowing, that operational right. So if someone, let's say, they put the SOC 2 on their wish list but it's something that they never actually go through and obtain, is there something they can do that in the meantime they can essentially document and protect themselves in a less certified fashion, but something that could hold up, say in the diligence process, where it's less formal?
Speaker 2:Yeah, absolutely you can do. You can either have an internal audit so you have hired somebody internally, maybe that's their job, to document all of those. I lean towards the NIST cybersecurity framework just because it is dealing with the security and privacy of the controls that you're implementing throughout your organization, or you can hire a third party to come in and gather that information with the help of somebody internally, because the reality is a lot of these businesses don't usually have an entire compliance team or compliance department, or the operations person is wearing so many hats. The thought of juggling that as well is very daunting, and so usually hiring a third party to help build that is generally the route that organizations go, and it's less expensive than the overhead of hiring somebody internally to be able to provide that documentation.
Speaker 1:Of course. Yeah, I could see that. Yeah, no, I think that's really great. I'm going to ask a question that I think I know the answer to already, but is there any business that is too small to create some sort of internal policy around cybersecurity or data privacy? What do you think the answer is?
Speaker 2:I'm going to say no, okay, you're right. You're right. Because here's, and again, I work with a lot of small to medium-sized businesses and a lot in the startup community, and if you are at least getting access controls right and the identity management pieces right, segmenting your data right, at least from the foundation level of your business, it is going to be massively efficient later down the line when you are ready to get the proper documentation. So, building that just from a foundation level is huge. And no, there's not a, I'm a business of three people and we are documenting and we have the policy. And you might think, oh, we're just over here in the corner doing these things when it comes to compliance, but no, no, we're, as a company, documenting all of that as well, because we understand the importance of that. And then, in the event, you do grow and be bigger, then great, you've got it.
Speaker 1:You've got a lot of your ducks in a row already. I would expect nothing less. Right, I know? Right, could you imagine? Walking the walk, talking the talk. Yeah, so I think that this conversation is actually a really great way to segue into something that we were talking about actually before we started sitting down for the podcast, which is, you know, I think, when you're thinking about businesses that are transitioning into an exit plan, right, someone is planning to sell, preparing for that which we kind of talked about. You know, documentation, getting a SOC 2. You know some of these options for essentially creating more trust and something that the buyer can hang their hat on.
Speaker 1:But even from the buyer side, you know I represent buyers quite frequently. I represent both sides and when a buyer is coming in to purchase something like a medical practice or a practice that touches a medical realm, whether it's HIPAA, a lot of times you know we'll put in there reps and warranties as to. You know you've complied with health care laws. List all the health care laws. You've complied with data privacy requirements. You know, make sure HIPAA is included. HIPAA is included, but on you know that's great on paper, but then the buyer, during the diligence process, it's their responsibility to say okay, hand over the proof that you're doing this. And in some instances, like I've represented, you know buyers that are purchasing, you know hearing aid locations and it is. It's still HIPAA, right, it's even though it's not the traditional idea of a doctor's office. And you know we've seen the gamut of you know it's a recurring buyer and so we've seen the gamut of here's.
Speaker 1:You know one instance where you know an audiology practice is doing the best it possibly could. Everything is documented down to the letter. It's got a handbook, a guide, everything is written down, and then we've seen the opposite, which is like everything is an absolute disaster. They haven't been doing. You know they've been compliant because their software is doing a lot of the legwork for them, but they're not doing anything above and beyond.
Speaker 1:And so you know, Paige and I were talking briefly before this podcast about HIPAA and HIPAA compliance and kind of how people tend to think of HIPAA, separate and apart from the cybersecurity world that requires sort of that data compliance because it's so health specific. But there's so many pieces that touch on HIPAA and I think I'd also like to underline just separately that if you're doing business with a company that is obligated to comply with HIPAA, you're also likely processing, you know, personally identifiable health information, right, so you'll need to have a business associate agreement in order to make that all fully compliant. But you know, Paige was just saying how the HIPAA rules are sort of in flux. They're changing. I'd love for you to go into that a little bit.
Speaker 2:Yes, and I do want to acknowledge in your scenarios where you say the business over here has everything buttoned up, great, but I'm going to go ahead and majority of the healthcare practices that we work with or I've heard of in the past it's 95% sit over in this other camp which is, oh, we have the HIPAA compliant software that provides the policies and we're okay, we're HIPAA compliant and it's like well, that's actually that's not the truth.
Speaker 2:It can be further from the truth, but I think there's some education that can happen and for them to fully understand what that means to be HIPAA compliant. But to help answer your question is the HIPAA privacy rule changes every year. There's usually additions that have usually not a lot of removal or subtractions, but additions. This year it's focused on cybersecurity and cybersecurity practices within the HIPAA privacy rule. So adding things like, which might seem obvious, but multi-factor authentication, a requirement, required policy documentation, and it has to be not only just policies, but policies and your operations of how you actually implement said policy. So you can have the best policy in the world, but if you're not actually following it or doing it well, then it's not really your policy. So those are the sort of things that if an auditor were to come in or you were to be audited, that you would likely fail because you might have certain things in place but it's not to the full gamut. So cybersecurity is a big thing happening this year and it needs to. It needs to be because the healthcare industry, according to the IC3 report, which is the FBI's internet crimes report, health care is usually one or two on the list when it comes to information that has been exposed, via what vehicle, and it's usually a health care practice. That's fascinating. It doesn't surprise me, though.
Speaker 2:It's not. No, it's not surprising, and especially when you go to. I know I'm getting kind of tactical here, but, like, you go into the doctor and you're filling out a form and there's a line for your social security number. But did you know you actually don't need to provide your social security number? Social security numbers are used for tax purposes only, credit related only.
Speaker 2:It's a law now that you can't have medical debt on your credit report, so there is no reason for that line to be there. But yet it continues to be there, which means as a healthcare organization you're opening yourself up for more risk. Will it potentially get you paid down the line if you're able to, from a credit perspective, go and have a debt collector, go and collect those debts? Maybe, maybe. But at the same time now you have all this risk that now you have an entire column of social security numbers of people that just give it, just because the line says and that's a risk that you have to really think hard about in your organization and when you're setting up your operations and your intake process.
Speaker 1:Well, and that goes back to your original comment about who should have access to the information that's absolutely critical to the operation of the business, which one would argue that you're handing over a paper form. How many other people are going to see that paper form? Is it going to be stored properly? Are there other employees of that business that can access that form unnecessarily? They have nothing to do with billing. Right. Are they seeing it anyway?
Speaker 2:Well, and this is what you have to think through when we come to access control, it's not just access of your online systems, it's also access to your physical copies, because in this scenario, let's say, you are filling out this form at the doctor and you hand it over to the front desk. Okay, if they're scanning it in for their online system, that piece of paper, does it go in a bin that then goes into the shred bin? Who has access to this shred bin? Who has the keys? Is it a janitorial staff or an outside service that then comes and picks it up? It's just, it's those sort of things where you think, oh my gosh, do I really have to think of those things? You do need to think of those things, and that's where the vulnerabilities end up happening in your organization if you're not thinking through those things.
Speaker 1:As I'm listening to you talk, the one thing that was kind of reverberating in my mind was one way that you could, potentially as a business that's starting to think about this more seriously as all of you should is to sit down and just like when you're trying to automate or make your systems better, you have to first sit down and think about what are my systems? Where do things get funneled right? Intake how does the intake process from start to finish happen? And then, how are our records being maintained? How are they being purged right? So all of this like nitty-gritty detail where I mean, I think some of the best ways to do that even regardless of whether it's cyber security or you're just trying to figure out how to make your systems and processes better is to sit down and just mind map it right. But that's a really low level. I'm just trying to think of ways to have people get access to this, like, do this sitting on the couch with a sports game on, or, you know, whatever your cup of tea is, The Bachelor on in the background, right? Whatever is your poison, and sit down with just a notepad and start, you know, jotting down what you currently have and what your systems are and who touches what, and is there access right? Start just jotting down these ideas so that maybe you get a better sense. Maybe you don't have to do anything with it ASAP, but you get a better sense of where you currently are in this process and where you could make it better.
Speaker 2:Yeah, and you go back to one of the questions you asked before, which is, you know, if you're looking at M&A from a perspective, what does the potential buyer ask for? Those low-level things are things that you can ask for, this mind map or this map of where the data goes and how it flows, and realize, is that too risky for you? Is that acceptable? Are there things that we can implement to make this more safe and secure? And that's a good way, really great place to start.
Speaker 1:Yeah, I mean honestly, as silly as it sounds right, because everyone thinks of diligence as this very formal process where you're getting you know financial information, you're getting all the contracts of the business, but that's not always the case, especially in these smaller, closely held businesses is you're getting you know disorganized documents that are scanned in because they were in paper form from the 1960s, right?
Speaker 1:So I think, as silly as it may sound, getting, if you were to take, let's say, you sit down tonight on the couch and you start mind mapping and then you have someone on your team or you yourself turn it into something where it's actually a document that goes in your kind of book for your business, your handbook.
Speaker 1:Oh my God, a buyer would love to have that handbook, right? To be given, sort of, the key to the kingdom, where it says look, this is how our system operates. Granted, if you create something like this, your obligation is to continually update it, right, and it serves no good purpose if you create it once and you don't keep it updated throughout this evolution of your business. But it's that sort of looking behind the curtain, right? You know, thinking of, you know ways to show the buyer hey, we've thought about this, we've documented it, we've gone through the process, and this applies kind of across the board. But buyers are ultimately just looking for a way to feel comfort that what they're buying is what you're saying that they're buying, and what better way to do that than to say, okay, here's my documentation to prove it, right?
Speaker 2:Well, and then SOC 2, that's a requirement. So, network diagram. A lot of these frameworks are, you need to have a network diagram, and it'll walk through, usually depending on what's the requirement, but you will have that. But healthcare, a framework to mention is HITRUST. A lot of times people, yes, they abide by HIPAA, but then HITRUST is the next level in the healthcare game, and it doesn't matter that. You know, health care data, personal health care data, is personal health care data, and so you know I run across some that are like, well, I mean, we're assisted living, but we don't have to abide by HIPAA. Yes, you do. So it's just there's a lot of misconceptions. I just think there's learning that can happen out there, and how to protect said data in personal health information is a big part of that.
Speaker 1:So you mentioned, when you were talking about SOC 2 network map.
Speaker 2:Yes, what is that? Ah, that's what you were saying, where you're saying here's our data, here's a data flow of oh, video can see what's going on. That's a data flow of a piece of data that comes into your organization and it maps it into where it goes and how it's stored and who has access to it, and so it's a really great document, or set of documents, that can follow all of these elements that are in your organization and to see how safe and secure your processes are.
Speaker 1:I wanted to have you give the explanation because for anybody who's out there who doesn't know all the lingo, they're, you know, listening and going okay, SOC 2, network map, and then going to have to potentially Google it, and if you're listening to it in a car, it's no good. Right? In one ear, out the other.
Speaker 2:So that's perfect.
Speaker 1:I'm just trying to fill the gap. So I think one thing that I always try and do on the podcast is I try and talk about stories because stories resonate, I mean they're more. We've talked a lot about the nitty gritty. We've done some high level overview of like what people can start thinking about, but I don't think it hits home as hard as giving some examples of things we've seen out in the wild. I love your story about the social security number. I know that comes from a personal place, you know, I think to share something I've seen out in the wild.
Speaker 1:You know big corporation that had a gift card scam get sent out via email from what looked like was the president of the company to people that directly reported to him. And I mean this company had phishing tests all the time. So you know, just as a kind of an underline to this entire conversation, you have to continually educate your team, your employees, that, even if it's a small team, right. You know, I have another story, but I think it's great that we exchange these stories and I'll give you, you know, the next turn on this. But it turns out the direct report got this email. It said buy me, you know, 500 gift cards at X amount of dollars I mean it was a lot Went out, bought the gift cards on the company credit card and started sending the gift card information via email and I ended up getting caught sort of in this process, but it was too late.
Speaker 1:A lot of the information had already been shared, and so what's crazy to me in that situation is they had been doing very aggressive phishing tests, which didn't quite look the same, right, because a lot of the phishing tests that had been sent out were, you know, click this link, you know, enter your password. It was very much the stuff that it's not a direct ask where it's almost outside the scope of what you're normally doing. It seems like a special, special task that you've been given by the president, right, so really fascinating. You know, obviously that changed drastically how that company was educating. They kind of reassessed okay, what we're doing is not working, that you know we can have this happen and you know lesson learned and uh, it did ultimately change their relationship with their employees because of that, that whole situation. But, um, you know what have you seen? That's, that's a good kind of reminder that can happen to anybody, big or small, and even with the right precautions in place, potentially you know, with the evolution of AI, it's making these requests look more legitimate.
Speaker 2:So you've heard voice cloning, have you heard about this? So this is, I mean, they can take our voices right now. Right, and you just need five to 10 seconds and you can create an exact clone of a voice. So recently, earlier this year, I was speaking at a bankers association meeting and we got into voice cloning. We talked about the AI, amplified attacks, and one of the presidents of the bank this small bank in the middle of the US said yeah, actually I got a call pretending to be me, oh, shoot. And he said you know that's not right because you're talking to me.
Speaker 2:You know they're pretending to say oh, I'm the president of the bank, I just want to let you know of this XYZ scam that's happening right now, and they would go through this entire scam of essentially trying to target the members of this bank because they were trying to get their PIN numbers and account numbers and for them to log on. Well, they targeted the wrong person. But here's the deal: the person the scammer called back to then get more of his voice, kept him on the phone long enough, where they ended up duplicating the bank president's voice and then targeting the membership base with the legit. You know, it wasn't just some weird, you know, guy sound, it actually sounded like him, and so, luckily, because this did happen, they put out an alert. But they did have members fall for it where they provided their personal identifying information, their bank credentials and so on, and the fraudsters so for them they had to put in and implement, which is another thing is have an incident response plan implemented, their incident response plan right away, which was to lower the thresholds of any outgoing money from that bank. So, even if it was $10, there was an extra layer of authentication that needed to happen.
Speaker 2:But that's only you know. They were being targeted, and that's a big thing. I mean, you think, oh, I'm gonna keep these scammers on the phone because then they can't target somebody else, but in reality, depending on the skillset of that fraudster, they can be recording your voice and then use that against you and target your friends and family. So having a safe word, not only in your business life but your personal life, is extremely important to say. You know, it's my husband calling and then all of a sudden I'm like this is weird. Is he really arrested or is he really, you know, in a hospital somewhere? Is it? Pick up the phone and call them. Yeah, have that word that you exchange or something that no one else would know, and have them answer, and then your guard can go, maybe not be frazzled because you think something's wrong with somebody.
Speaker 1:Yeah, I think this.
Speaker 1:I mean things are getting complicated, right.
Speaker 1:Right, the AI is changing our world rapidly and at warp speed, and I think it's difficult to really I think I don't want to say estimate, because everyone is underestimating, right, but it's hard to estimate how much the technology that we're going to be utilizing in ways that are beneficial can also be utilized in ways that are detrimental to everyone, and I think your story highlights just how quickly technological developments can drastically change things.
Speaker 1:And I want to highlight one important aspect, and we've talked about it before, you know, through the podcast and elsewhere, is really is AI, I think, is one of those tools that a lot of people, both individually, in their capacity in the personal life and in their business life, utilize as a tool. Right, it's getting almost more specific and better than Google in a lot of instances, because Google is showing now the people who have, you know, paid for the top spots, or the SEO is really good, and so it's not necessarily what the information you're looking for, and so people are turning to things like ChatGPT for answers, and I want to highlight in this realm of cybersecurity, that the AI models and putting your information into those ChatGPT or any other model. You always run the risk of having those models be learning from that information, from you, and I actually just had this conversation with a couple of friends who were uploading their photos to ChatGPT and turning them into like anime style photos, and that's the trend right now right.
Speaker 2:To turn yourself into some product or a toy. You know you're open.
Speaker 1:And I think it's neat. And so the first question I had asked the friend back when they sent me the photo on text was doesn't ChatGPT take your information and learn from it? Because that was my understanding was like any information you plug in text-wise was being essentially absorbed into the broader intelligence of AI and being utilized to teach it to learn. And even on Facebook's AI, I mean, there was all sorts of stuff that came out when people started rolling out AI into different software platforms that's like yeah, Facebook is going to learn from you using this AI.
Speaker 1:And so we had the friend asks are you taking my photos? And you're like learning from them? Or you know what are you doing with my photos? And the answer was we're doing nothing with the photo, it's only local to your account, we don't save it, it doesn't get put anywhere, we're not learning from it. And the friend texts me the screenshot and I'm like what about the text? Though I always thought the text like okay, so if we're safe on the photos, and of course the joke was like do we really trust it telling us what?
Speaker 2:it's doing, I know right. It's telling you what you want to hear, right.
Speaker 1:I'm like I don't know if we should really take its advice directly. It's just starting to feel a little sci-fi-ish. But he asked the same question and the question was no, it was learning. And so I found that really fascinating because it kind of just solidified this idea that I think my, my, this is a really big tangent.
Speaker 1:But essentially, I want business owners to be aware if you're taking things that are having sensitive information, whether you think it's sensitive or not, right, think about it. Just even from a contract. You know, I know a lot of business owners try and cut corners when they're, you know, need to get a contract out. Take an old contract, plug it into ChatGPT and be like change, you know, change it this way. Or just ask for certain information. And I mean, if you're uploading something that's you know your business information, you know that document could have banking information on it.
Speaker 1:If you're not careful, it could have, you know, pricing information. I mean, who knows what gets leaked in this world today, right? And so I think the idea, realistically, is that you need to be cautious about what you're providing your information to. And back to what Paige was saying with the social security line on the medical forms. Right, that seems more obvious because it's a tactile version. Right, you're having to physically write in your social number. Granted, there's inherent trust because it's a doctor's office, but people don't have that same innate pause when they're just copying and pasting information into a text box.
Speaker 2:On, the internet they don't. They kind of are in your own little world, behind your screen and as companies. There are AI frameworks that you can follow to go through the risk management process of incorporating AI for the use of your employees. Now, in the use of your product, your tool or your data, that's different. But let's say, the employee code, my protocol for employees to use AI.
Speaker 2:You can't just put your head in the sand and say, oh, they're going to know how to use it, it's a tool, it's going to make us more productive. Okay, yes, but to your point. So you're saying I take a customer letter and their customer, all their information and all of that, that you need to be able to redact it and that has to be part of your policy and the policy. You can't just have a policy and set it to get dust on it, collect dust. No, you have to talk about your policy with your employees. Maybe you have incorporated a tool, maybe you've chosen one for your organization that then segments your business data away from the rest of the learning. But that's what you'll go through when you go through the process of onboarding and incorporating that for business use. But you have to talk to your employees about that, because I'm gonna guess more times than not. They're not redacting, they're taking screenshots of business data, uploading it because it is efficient and more easier. You know it's easier oh yeah, and they're not redacting.
Speaker 2:Need to talk about it.
Speaker 1:Well, and I think, to your point, that highlights a couple of additional, I think, good reminders, right.
Speaker 1:One is that you can't just you're talking about sitting down on the couch and doing the mind map and starting somewhere, right, but you've got to do the hard work of not only implementing but then also auditing Auditing your people, auditing your process to make sure it's being followed, auditing to make sure whatever the storage process is is being completed right. And to your point, um, with cell phones being so easily available, right, you're at work, it's just easier to just screenshot something with your phone and then, all of a sudden, that information has left the protected system and it's now in someone's physical personal phone, which, I mean, opens up so much liability for the company. And so I think you know also, having that talk with your employees about the importance of the integrity and protection of information that's stored adds that additional layer that you know. I guess it helps to keep your processes in place and your protection working, and it's not, you know, fail safe, but at least it helps to potentially keep things going.
Speaker 2:Exactly, and you talk about training and continuing to have the conversation. The same thing has to go around AI. So October is Cybersecurity Awareness Month, and I do speaking engagements throughout the year, but more specifically October, I seem to have a lot more of them. One company in particular wanted me to focus all on AI using AI, the positives and the negatives or potential dangers and what it did is aligned with the philosophy and the communication that they're sending out throughout the whole year. But it was coming from somebody else, somebody outside the organization that was coming in to do it.
Speaker 2:So this is part of having a conversation. Maybe you don't have a big budget to bring in an outside speaker, but mix it up: lunch and learns, messages over Slack, maybe a nice little meme in the break room, whatever it may be, but you have to keep these conversations going because otherwise you just get into oh, this is really easy, I'll just upload this, and it's then very detrimental to, especially if you're following a framework like a SOC 2 framework, ISO 27001, that require documentation. So if you're, potentially you're damaging the certificate or the security certificate status by going outside the ecosystem that has been approved in which we keep that data.
Speaker 1:Excellent point, absolutely so. If I was a business that wanted to come to you and work with you, what does that look like?
Speaker 2:Well, we help with their compliance. So we would fall into that category. Is they need a partner? They need somebody to help them. One, do a risk assessment, or just even see where they're at, but then we would help them start getting the documentation to achieve whichever framework that they were looking for. One of our specialties is SOC 2. So that's what we would do: we would start helping you gather the evidence. We have a GRC platform, which is Governance Risk Compliance platform, store it all in, and that way the auditor can look at the platform, pull all the documentation they need, and it ends up streamlining a lot of what would be a very frustrating time gathering all that evidence.
Speaker 1:So is it safe to say, instead of hiring someone internally, I could, as a business owner, come to you and you could help with the entire process?
Speaker 2:Absolutely. That's, that's our jam, that's what we do.
Speaker 1:Awesome. Well, um, I think this conversation, I think for a lot of business owners, feels distant, because it's something that I think a lot of business owners feel like is this thing that is only required of the big corporate giants when, in reality, there are plenty of small businesses that could be implementing systems that not only protect their liability and ensure that they can scale properly up to their exit plan, but also allows them to sell more seamlessly, to pass the baton in a way that is less convoluted? I think one thing to highlight in this conversation, and obviously I'm happy to have you chime in on other stories that you've also seen out in the wild, because I think it's important, this piece that you talked about with making sure your employees are trained and well-informed about the systems and processes that you should follow, is such a salient point to see, even big companies where employees that are sophisticated, you know executive level individuals that you would, you know the the average person's like you know Bob's VP of sales, he's not going to fall for that, and and then and then they do, and so I think that this misnomer that you know there are certain people that aren't, you know, potentially going to fall prey to these tactics is just untrue. And I worked for a law firm in the past that you know we did a lot of, you know, phishing testing and other things to like train people. And even then we would still have things happen where I would get an email and it would be a phishing test, and they were really good at them at this one firm that I was at, and it would come in and it would look like a UPS or a FedEx confirmation code, and it's perfect for law firms because you're doing a ton of mailing.
Speaker 1:Usually you're doing mailing. In my practice, being corporate in nature and doing M&A, I'm doing far less mailing. It's not. There's no, you know, litigation is far more mail intensive. You might have some mailings that go out, but for the most part you're not doing any mailing.
Speaker 1:And so when I received the email, it's like this is weird. I haven't sent anything, I don't think I'm expecting anything, and I forwarded it to my assistant and I said I don't think this is relevant, whatever this is, but can you just look at it? She clicked the link and I felt so bad because I was like I didn't mean to tear up for it, right, I think it was like a phishing test for me specifically. They wanted me to click the link, um, and but it was.
Speaker 1:It was such a good learning moment for the two of us, and I think it highlighted how important it is that the training isn't just done in a silo, right, because that training was intended for me, to teach me not to click the link without checking the email. And this was early on in my legal career, right, kind of when phishing was really becoming in vogue, where, like, the testing part was coming in vogue, cause that was not something that was happening kind of broadly, and you might do some testing, but it wasn't like as sophisticated as it has become today, and um, but I think that story just highlighted how important it was that she and I have communication and training together about, you know, we're a team and how much that team could, you know, effectively fail a phishing test together in a way. Exactly.
Speaker 2:And to your previous example, which is the team member got a request from the president. It's the direct reports, it's people you work most intimately with that you need to have that conversation with and train. I think that's an excellent example. I mean otherwise. I mean, if I use the example of LinkedIn, you know we're all posting what we're doing and where we're going and we had a great business meeting and it's photos of us, maybe even traveling.
Speaker 2:So I don't, in my personal life, post on my social media when I'm traveling. It's more of a latergram. Why am I doing it on LinkedIn? Just because I had a great business meeting and did a, you know, a presentation for, you know, 400 people at some, you know, big amphitheater, great. Well, I can wait a couple moments when I'm back and posting that, because in the event then, because usually LinkedIn is just public, you can have anybody that you can click to see who's in my organization, and then you can easily phish them, just because you know the person is out and about. So it's just those conversations of, even when you're posting and having the conversations about, I would never ask you for a gift card, I would never do those things.
Speaker 2:So no really great reminders.
Speaker 1:Yeah, absolutely. Well, I want to thank you for being on today.
Speaker 2:Thank you for having me.
Speaker 1:As a closing question, I would love to know what is a more recent book or podcast that you've listened to that you think a business owner would love to also read or listen to.
Speaker 2:Well, that's the thing is, I am actually reading older books, so I hope that I can have an asterisk here. One I recently, I'm reading in the middle right now of Living with a SEAL. Have you read it? I have not. It's Jesse Itzler. He's a big marketing person, but he has invited David Goggins into his life for 30 days, or 60 days, maybe it was, to train like a SEAL, and for me, I think, as a business owner, two years into this, it's really teaching me determination. You can do whatever you put your mind to and, yes, is it more on a fitness level? Sure, but it really is focusing on, you know, you're going to stick with it. You're going to stick with your plan, you're going to get out of your comfort zone. You're going to do all these things, and I appreciate that from, it's even from a health angle. So I've been really digging it.
Speaker 1:That's cool. No, I uh David Goggins is. Uh, his methods are. I've seen a couple of his Instagram reels. I'm like this is not for me. Uh, unfortunately, we share the same last name, so I often get asked if we're related. Um, I'm like, no, thankfully. I don't think I can handle his energy on a daily basis. Um, but no, awesome. Well, I appreciate all of your insights and, uh, look forward to having another discussion sometime in the future. I'd love that. All right, thanks, thanks. If your business is looking to get compliant or SOC 2 certified, reach out to Paige at Secure Labs or drop us a question in the comments below. Thank you,