Learning Without Scars

S4 E10•June 13, 2024•51 min

Protecting Your Business: Unpacking Cybersecurity and Risk Assessments

Send us Fan Mail Is your business truly protected against modern cyber threats? Join us for a compelling discussion with Kevin Landers, an IT veteran with over 25 years of experience, as we unpack the complexities of data security and the critical need for ongoing risk assessments. Kevin shares how his company, Rocketwise, helps dealerships uncover and address security vulnerabilities, emphasizing the financial and operational risks that come with data breaches. Through his insights, you'll gain a deeper understanding of why regular security assessments are non-negotiable in today's digital landscape. Explore the ins and outs of Rocketwise's "Inspect What You Expect" service, which provides monthly risk assessments to keep your business secure. Kevin explains the importance of having strong security measures like antivirus and detection systems, and the vital role of compliance programs within dealerships. We'll also discuss the shared responsibility between businesses and third-party vendors, highlighting the need for a standardized self-assessment questionnaire to ensure robust cybersecurity practices across the board. In our conversation, we dive into the intricacies of vendor compliance reviews and their impact on overall cybersecurity. Discover the importance of having a dedicated Chief Technology Officer to oversee these efforts and how real-world data breaches underline the necessity for proactive measures. We'll also touch on the challenges posed by power outages and the importance of having effective data recovery plans in place. Don’t miss this episode if you’re looking to safeguard your business against ever-evolving cyber threats and stay ahead in the game of data security. Visit us at LearningWithoutScars.org for more training solutions for Equipment Dealerships - Construction, Mining, Agriculture, Cranes, Trucks and Trailers. We provide comprehensive online learning programs for employees starting with an individualized skills assessment to a personalized employee development program designed for their skill level.

Transcript

0:01

And welcome to another Candid Conversation. Today, we're joined by, I believe, an extremely good man, Kevin Landers, who also is very knowledgeable in the world of IT. And I want to broach with Kevin the subject of data security and the fact that very smart people, bad actors, have been hacking a lot of business systems around the world. and try and increase our understanding and knowledge of that world. So with that as an introduction, Kevin, welcome aboard. Maybe you can tell everybody a little bit about you and then give us a read on what you think is going on with data security and risk.

1:14

Yeah, absolutely. Well, thank you for having me. attest that there will be at least one additional person that will listen to this podcast. And that'll be my wife because you specifically said, I'm a very good man. I think you said very good man. Maybe it was just good, but anyway.

1:32

Very, very woodwork also.

1:34

There you go. But yeah, so, you know, I guess for my part, I have been in IT for, oh man, or longer than I'd like to admit, at least 24. Oh, gosh. Longer than that. So we'll just go with more than 25 years. How about that? And in the past, I guess, seven or eight years of that, our company, our team over at Rocketwise, we've shifted our focus, our primary focus to the equipment dealership space. And that said, yeah, I mean, cybersecurity, you know, it's... It's been a hot topic. There's tons of money being poured into and solutions being poured into the space. Oddly enough, on one end, you have all this money, all this effort going into putting protections in place for security. And on the flip side, you've got, you know, those who need it, who may not realize or may be burying their heads in the sand, as it were, to the need. So, you know, lots to talk about, lots of different avenues that could be covered here.

2:59

So let me put another paragraph in front of that. The 25 years prior to Kevin hitting the space, I was involved running data processing shops, computer shops, running software companies. And back in the early days for our concern, most of the consultants that were involved in the space of assisting businesses had served prison terms. Today, the world is the platform. In my early years, it was strictly North America. So we have a very much more complicated situation to deal with. And as Kevin is... mentioning there's all manner of money being put into this. But the audience, our audience, I think, has to have a better understanding of what's going on. I think some of these men and women running these businesses have been hacked. It has cost them money. It has cost them data loss. It has cost their businesses time. So some of them are sensitized to this, but the vast majority don't really know what we're talking about.

4:18

Yeah, I mean, it's very true. I mean, going to events, whether it be an AED event or any of the other associations out there, you know, it's not uncommon to have this conversation and someone candidly reveal that, yeah, they've fallen, you know, victim to something, whether that be gift card scams or phishing attacks or whatever have you, ransomware, etc. But at the same time. You get that mindset of, but I don't need it. I'm not a target. So it's odd having conversations when those two things are said in the same conversation. But yeah, I mean, there's a reason why there are tons of companies pouring money into this and developing solutions to prevent all the things that are out there. On the flip side, there's tons of money and effort being put into the space of creating these issues. discovering vulnerabilities are out there that can allow someone to take advantage of a company. And I'm happy to take this conversation wherever you would like it.

5:28

Well, go down that path for a second. Does Rocketwise offer a service where they will come in and review a dealership for vulnerability? Yes,

5:42

we will. In fact, it's a core offering. Actually, it's something that the FTC says you're supposed to be doing at least once a year. Cyber liability insurance providers also say that any organization they're covering,99% of them say that they have to have that in place at least annually. And so, yes, we do offer that. We have different levels of it. But the goal is to come in, meet with. executive leadership, stakeholders in an organization and dealership, take them through some very high-level Q &A. Maybe it takes about 30 minutes going through Q &A. Just ask them some questions about processes, procedures, type of data they're handling. And then after that, at the very high level, we execute some scans on a handful of computers. pull that data into a series of reports, and then we have a follow-up meeting to go over it to do a report of findings. And I can say that in the five years that we've been doing that, we've never had a dealership where we haven't found something, whether it's potentially something already in the system, potentially someone... Having key vulnerabilities in place, people where their passwords are out in the open. Anyway, we always find something. And oddly enough, we were actually working on some marketing in regards to that about four or five months ago. And we were going back through some of the testimonials that we had from dealers. And it suddenly struck me like four or five of them were like, it's eye opening. It's eye opening. You know, I was completely in the dark and it was very eye opening. So I guess you can take it. Yeah, you can take it that it is eye-opening. Ultimately, as business owners, I'm one, you're one. We're often talking to business owners in these dealerships, or at least, like I said, key stakeholders, whether that be executive or what. And ultimately, at the end of the day, we have expectations. We have expectations in all sorts of things. areas of our company, the sales, sales department. We have an expectation that our sales folks are smiling and dialing. They're researching our prospects. They're researching our internal accounts of our current clients. They're looking for ways to serve them and that they're doing all these series of tasks to bring in new business and or grow existing business and doing all the things it takes to do that. And we see that as a critical aspect of our business. And so we have all these different metrics and different things in place to inspect what we expect there, right? To know whether the team as a whole is hitting the mark or if there's one or two individuals that need to go on a PIP or however you've got that all structured. And we do the same thing on the service side, part side. We've got all sorts of metrics. We know what we expect and we know how to inspect it. But IT is one of those areas that even if we have internal IT team members, if that's not a function that we're outsourcing completely somewhere else anyway, in both scenarios, leadership, for the most part, has no idea what to expect. They expect that they're safe. They're expecting that their systems are up. They're expecting their systems are in pristine condition. Um, but they have no idea how to inspect that. They have no idea how to actually, you know, uh, go underneath the hood and make sure that things are the way they should be. It's not like we're walking out to a piece of equipment, um, you know, unscrewing a knob and checking the oil. Um, it's, it's much more complicated than that. And, um, so I would, you know, I'd say that probably for the most part, those folks are. They're intimidated by that. I mean, you know, and that's one of the things we try to eliminate tech speak. Right. And put it in layman's terms where the rest of the world can understand outside of the world of the geek and try to bring that down and help them understand, OK, these are some of the things you should expect. These are some of the things that when you inspect that. Maybe you don't know how to inspect it, but this is an indicator that that is good or that we have a problem there. And so whether we're doing that one off for a dealer or we're doing it on a recurring basis, again, insurance companies, FTC say, you know, need to have it once a year. Reality is, if you have a breach on average, then the average is that someone has been in your systems for 290 days before you ever find them. So basically the FTC and cyber insurance companies go, hey, you should check it at least once every 365 days. I kind of advise clients to inspect that more often, ideally monthly, because the last thing you want to do is inspect everything, you're clean. And then 365 days later, you find out somebody's been in there for 290. And then it's a... you know, you're a day late and a dollar short. So anyway, I'll pause there.

11:35

So that's a good place to pause. So this initial work with dealers that you perform at Rocketwise can be done remotely, correct?

11:45

Yeah, the entire thing is done remotely. It's literally, it's jumping on a call 30 minutes of time, you know, longer if they have Q &A, you know, if they have questions that we need to answer. And then executing it remotely, we simply send somebody things that they can click on the computers. And then the follow-on is like, again, about an hour call. It depends on if there are a lot of questions.

12:13

Let me label it. I don't know what you call it, but I'm going to call it the inspect what you expect review. If I start at day one with that phone call, day one, how long is it before you can give them back a report? I'll work five days, ten days, two months.

12:34

Yeah, on average, we can do it in about four or five days. From initial call, as long as the part that's dependent on the equipment dealer is that middle part, which is running the utility on their computers that does our scans. And then it takes two business days for us to generate the report. Putting a good bit of time into it, we're trying to. you know, present them with valuable information and then a follow-on call.

13:02

Okay. So to help the audience that's listening to this, can I suggest you write me a blog that defines and describes the inspect what you expect service that you provide. And even though it's going to be a bit of a promotional piece that we'll put it up as a blog in the form of explanation as soon as you get it to us.

13:25

Yeah, absolutely. I'll get our team on it.

13:29

So we have the inspect what you expect, an overarching review to get a position placement as to where you are and probably a risk assessment. We also have down that other channel playing catch up, the insurance industry,

13:49

trying

13:50

to establish some insulation for themselves against an insurance claim. for damages. The damages can be, as you said, gift cards as small as, but it could also be invoices for machinery that's three, four, five million bucks that gets paid in a complete scam. The ongoing, so we have the inspect to expect program. I would suspect that it would be a good idea for a service from RocketWise to be in on a very regular basis, at least weekly. randomly evaluating a system. Do you do that as well? Yes.

14:38

Well, if we're solely talking about in terms of inspecting things, then yes. From a risk assessment perspective, yes. If you need security things in place, like antivirus and MDR, and XDR, and EDR, and I don't expect any of y 'all to remember that or even know what that is. long list of all the things you need to have in place that are actively not only protecting your systems, but sending alerts, notifications to folks, departments that are, you know, looking into those issues as they're reported to their systems and acting on them. But on the inspect what you expect portion, yes, we actually We do those actually monthly. So we do monthly scans and then we either meet monthly or quarterly with our clients to go over the results. And if it's an ongoing basis, we're literally reviewing, okay, in the past, this is what we've, we had last time. This is where the score was. These were the 20% of the items that we said we would work on that would move us 80% of the way in a positive direction. Who are the stakeholders? Who's responsible for those items? What are the status updates on those? Now, here's our new baseline for today, where we sit today. You can see these things have improved. You can see that we now have new challenges ahead of us because security is a bit of a mirage. You never arrive to a state of full security. As soon as you do, you take a second or a fraction of a second to pat yourself on the back and now you've got more work to do. So, you know, from there, it's OK. These are the new challenges we have again. What's the next 20 percent of the things that we can do to get us 80 percent of the way there? Where do we need to put our focus? Who's responsible for that? So someone inside of a dealership is another vendor. Is it your dealer management system or your ERP? Is an issue with that that we need to take to those folks to get addressed? Is it an issue with your OEM? All right. Probably, that might be hard to accomplish, but there have been times when OEMs have listened to, hey, your entire dealer base is exposed here because of this thing, needs a little bit of attention, needs a little bit of being taken care of, same thing with the ERPs, et cetera. Again, it's identifying who's responsible and what things do we need to move forward. Right.

17:18

Okay, so I'm going to bring it back. I'm going to bring it back into the dealership as you did, that in the parts department, we have a daily knowledge of the back orders that are outstanding. On the service department, we've got a daily knowledge of the work orders that are finished and haven't been invoiced. On the sales side, we get call reporting on finance. The bill hasn't been paid. So now the IT group, or I'm going to call it technology generally, has the same kind of tools available, same type of metrics available to do this evaluation on an ongoing basis. Who owns it? What do we do? How do we solve a problem as we find them and go forward? And let's move on to the other side of the table. The tools that are there that we need to have there to protect us somewhat. So it's not the inspect what you expect anymore. It's creating, I'm going to call them firewalls because it's a word that people seem to understand, but creating tools, you provide solutions, tools that will stop hacking or identify hacking or protect your passwords or the portals of entry, whether it's an OEM manufacturer or a DMS provider, irrespective. And that complicates things because it's not internal controls solely. We sometimes have to have shared responsibility for these things.

18:52

Yeah. And I will, I'll pause before I go to that rabbit hole to just share. This is one area where it kind of gets into policies and procedures. Yeah. And all of these, all of these businesses, these dealerships, there should be a type of compliance program in place for them. And part of that is going to be identifying. What are the questions that we need to have answered by all of our third party providers, whether it be our ERP or OEM, our phone company who put a phone system in our network, et cetera. And they should be doing at least annually what is called a self-assessment questionnaire for those vendors. And that's basically having a. you know, standard list of questions you want to know the answer to and putting it in front of your vendors so that they answer them. That's going to pay off if you're involved in any kind of legal issue, i. e. insurance related, FTC, etc. But that's going to help you also gauge where your risk is.

20:09

So stay with that for a second, Kevin. Do you have such a questionnaire that you sell to dealers to assist them or that you would guide a dealer on doing with outside third-party suppliers so they know what needs to be done and how it's done because you show them how it's done? Do you do that as a service as well?

20:32

So, yes. So, as part of our compliance program, we actually have a tool whereby we go in with the dealer, show them how to input. the information for all of their current vendors and then our system will actually automate the process of sending and collecting the self-assessment questionnaires from those vendors and it will go ahead and send it annually so if you plug the vendor in we get their answers it's stored in that system so that you have you know collected you know collection of those all in one central place And then as far as, yes, as far as selection or even evaluating your current vendors, we do assist with that. We identify, you know, even if it's something like simple as Internet service, right? Identify these are the things that we're looking for. What's the problem we're trying to solve? You know, and what are the questions we need to ask and so forth? And basically coming up with a consistent way of evaluating that.

21:40

So do you have any kind of a catchy phrase on that? I'm going to call this vendor compliance reviews, but I don't know what you call it.

21:49

Well, that specifically is just this. Well, I think you're talking about overall. I don't. That specific part of sending out the questionnaires is just our third party self-assessment questionnaire. It's part of a larger offering, our clients as a service offering, which is basically overall as a system that allows them to build out their policies and procedures, keep track of them, revisions on them, the approvals on them from executive leadership, and basically also putting those policies in front of your team members and making sure that they've read them and collecting evidence that they have.

22:35

Okay, so let me try and put a wall around this thing. What we need from a dealer or a distributor in the capital goods space is we need a list of every single vendor that provides services to the dealership,

22:56

number one.

22:57

And then number two, you have a questionnaire developed that... can be used with each of those vendors specific to that kind of industry. Example, the telematics network. Example, password management. Example, data dictionary. So you have both of those things available. Vendor compliance, I'm going to call it vendor compliance review for lack of another term, and specific then recommendations that you make to address those problems.

23:33

Correct? Yes, correct.

23:36

Okay.

23:37

So the reality is that even based on these self-assessment questionnaires, you may very well get results back that are not pleasant regarding that vendor. And it may very well be that it's going to be impossible and or timely. I mean, like if they tried to resolve it, it would take a long time to resolve it and or the vendor's just not interested. or you're not loud enough or noisy enough or represent enough revenue to them to be concerned about it. And so you may still find yourself in a position where you can't part ways with that vendor. You depend on them and you have to. And so it becomes a question of, all right, how do we put in other policies, other technical controls or physical controls or whatever kind of control it needs to be? to mitigate that. And that's going to be important if there's a breach. It's going to be important that you've identified those things and that you've taken the time to document it because at the end of the day, if there's a breach, hopefully you have insurance that covers it. And when you call their insurance provider, you're going to want to make... really sure that you did everything you could to prevent it and that you documented it. So when the insurance company is looking at it, they don't have a reason to walk away from the table and leave you high and dry and potentially turn around like Travelers Insurance did in the last year or so and actually sue you for not actually holding up to what you told them you were doing. And then, you know, if you've got those things in place and you've covered yourself as best as you can, well, you know, then you've done due diligence. And that's the big thing. It's due diligence.

25:32

Go ahead.

25:34

Well, an example would be there is an ERP, a dealer management software. I won't name them. It wouldn't be hard to find them. But they had a data breach and the FTC took them to task. over that data breach, leveraging the Graham-Man, I always get this backwards. Graham-Leach-Bliley Act, or also known as FTC Safeguards, because of a portion of that act. Ultimately, they had a data breach, and there was nothing that any of their dealers could have done to prevent it. They use that software, period. They use it. They don't control it. Now, ideally, They could have had self-assessment questionnaires in place, and they could have gotten the best of answers. And at least they've done due diligence. But on the back end, the dealer management system provider, the high level of it is they were running out of disk space on their servers. So they asked a guy in the IT department to get extra storage to make backups and move these backups off on the storage to free up space. So the guy did, he went to basically the equivalent of a Best Buy, a local retail establishment, bought a consumer grade hard drive that plugs into your network so you can back up over the network, plugs it into their infrastructure, backs up, accomplishes his task. But what he doesn't know is there's a software update for that device that patches a vulnerability on that device. And now that it's on the network, it's accessible to the Internet and poof, all the data for several hundred dealerships and all their customers got swiped. And so the FTC came down on them and went after the actual dealer management system.

27:29

So, you know, we're in a place today, Kevin, I characterize it this way, that we're 30 years behind on. The technology that's available being implemented. The things that we're reading about today, we're so far behind implementing those things. Artificial intelligence, machine learning, all of this stuff. I'll give you just a simple example. There's a thing up on YouTube from 1993 called BMW augmented reality, which shows a technician walking out to a vehicle, putting on glasses and being instructed. what the repair was with a diagram of it. And we could go, I mentioned this to you last week, we could go across 100 dealers and find nobody using that. That's 30 years old already. That having been said, these third-party vendors, they are in the same place that a dealer is, except their influence is... orders of magnitude greater. So let me just freeze frame there for a second. There's some very, very smart people on this planet

28:44

that are

28:45

in jurisdictions that we're never going to be able to touch,

28:48

that

28:50

have found means to make money by doing illegal things. And that's not going to stop. As long as that genie's out of the bottle, there's going to be more and more people. And we're never going to be smart enough. to be able to avoid everything. But those things that we are aware of, and there are many of them, and you deal with them every day, there are tools that we can employ that will reduce our risk. Really, all this is is risk mitigation. And there almost needs to be a body, a person, a function. You know, chief technology officer is a term that's bandied about. I think that's going to be commonplace. There'll be somebody in a dealership or businesses in general. within five to 10 years who has responsibility for this. Today, there isn't. There

29:40

isn't. I mean, well, for the most part, there isn't. I mean, kind of to your point that these things are not necessarily new. Even this position is not really new. It's just slowly making its way into the, you know, quote unquote, small, medium business realm. You know, CISO, our chief information security officer. It's a thing. I mean, that's a position that's been out there for quite a while. where there's an individual or team of individuals that are solely focused on the security of the information that you possess. So I wouldn't even say this really even should fall to a CTO or an IT manager, IT director. This is more specialized, needs to be more specialized. Because it's something that goes beyond, you know, do you know how to set up a printer? Do you know how to set up a network? Well, the question becomes, do you know how to secure those things? You know, and do even more beyond that. You know, to your point on the other side of this, the flip side, the malicious actor side of it, you know, you're not, we have this idea. I mean, you Google hacker. Go to images. google. com, type in hacker, and it's all dark rooms with somebody in a hoodie and their face is blurred or they're wearing one of these white masks or whatever, like they were in an episode of Scream or something. And we have this idea that it's this guy sitting in a dark room who's going, who am I going to attempt to attack today? Oh, Acme Machinery. That's my target for today. And his whole focus for the next indefinite amount of time is solely hacking into Acme Machinery. And this leads into people at like Acme Machinery going, I'm not a target. Nobody's interested in my company. Nobody's coming after me. Well, that's true. Nobody's interested in your company. They're interested in dollars. Your company just happens to have dollars. And they may not have targeted you because today you have these sophisticated businesses. I mean, yes, there are nation states who have teams and all this sort of stuff. Sure, let's put that all in a box over to the side. There are basically businesses where they have a sales and marketing team. They have a research and development team. They have a customer support team. They have all these different teams. like a well-established, organized business, and they're in the business of developing malicious tools. And some of that is used directly against folks directly in a malicious way. Some of it is, let's just use our systems to gain access to a plesora of computers out there. And then let's actually set up a software as a service subscription model, whereby if you're a 14-year-old kid that's bored at home during the summer and you have access to mommy or daddy's credit card or Apple Pay account, simply set up your own little account over here in our software solution. And for, you know, X amount of months, we'll give you access to 100 computers. And you just tell us what you want to do. Do you want to do ransomware today? Sure. Okay, great. We have access to these machines. We're just going to deploy ransomware for you. And you basically don't have to know how to do any of this, Ron. If you can log into a Gmail account, you can also suddenly become a malicious actor. That's how easy it is. And it's even easier because if you try it and it doesn't work, they have customer service people. They have better IT support than most Fortune 500 companies where you literally just call in and they chat with you and they go, hey, so sorry you're having a bad day and you're not breaking in the money from your ransomware activities. Let us hop right in and see if we can help troubleshoot this, debug it, fix it for you and get you back on your merry way. And they will even give you your money back if it doesn't work. So, you know, it's a business model and it's and it's. You know, we can take it back to the ag world. It's that old broadcast method. You know, you want to plant grass. You don't, you know, you don't plow a row and put in individual seeds. You just cast seed out everywhere, right? I mean, okay, there may be more to it, but, you know, you cast all this out or take it to a shotgun approach. You put in a shotgun shell, you don't aim for a bullseye. You aim in the general vicinity and you send out all these pellets. that's how they approach this malicious activity. It's not, hey, I want to hit acne machinery, or I even want to hit the machinery, equipment, dealer space in general. It's, I just want to hit computers. And so if I can detect issues out there, if I can spread through email and breach your email accounts, then great. And then I can send all my stuff out. And once we get a fish on the hook, Then I can look in to see exactly what kind of fish it is. Is it a trout? Is it a bass? Is it a CFO at an equipment dealership? Is it a CEO at an eye company? And then I can research it further.

35:25

I'm going to dig it in deeper than that, even. I'm going to start from a database. And the fact that we have data all over the place in our dealerships. And we don't have any control of the data. Nobody owns a particular data field. Then we bring in different software businesses to interact with our database. They have their own databases. So as an example, a customer profile example, and I'll have a call reporting system, I'll have a marketing system, I'll have a market coverage system. And I'll have three different pieces of software that are all updating a file, all updating a data field, yet they don't communicate with each other. So my data analytics, which have become really critical in this world of artificial intelligence, are flawed. I don't have accuracy or control on my data. So data security is a piece. Data analytics is another piece. In the dictionaries, I mean, there's a whole host of things here. We've been concentrating on selling equipment. That's where this whole world started. And I'm trying to make the guy who's on a shovel, I'm trying to make his life easier by giving him a machine. Terrific. I did that. But then I got into the situation, well, this guy needed to understand how to fix that machine. So he either fixes it or he hires somebody to fix it for him. Now I'm exposed because I got somebody other than the owner. messing with something. So here I've got a business, I run it manually, and then all of a sudden I bring in a dealer management system. And a lot of those folks anymore don't understand the business that they're providing the software for. So, and let me name names for a minute here. We've got Microsoft in it. We've got Oracle in it. We've got Infor in it. We've got SAP in it. We've got JD Edwards in it. We've got big players. And every single one of those, as an example, they're all clients of mine. And they make their money consulting. They don't make their money in selling the product. They make the money in adapting and adjusting that product to fit the dealer's needs. But nowhere in there does either side, to your comment on this insurance industry vendor compliance, nobody looks at that. Nobody looks at that. And I don't know if I'm looking at your space, how many people are out there competing with you? There's some big majors, but not very many people are specializing in your area of expertise.

38:16

Not within our, yeah, no, they're not.

38:19

And the other side of that is how the hell do you get your message out there through vehicles like this, through associations or meetings, annual conventions, et cetera. But I'm one of these idiots. I want to help you get that message out there. So let's, Let's have you write a blog post on the inspect what you expect, and we'll start with that one and get it out there. I put one up last night called People Over Profits, which we talked a little bit about yesterday or last week, where I'm a little bit annoyed at myself as well that the standards and metrics that we use in the industry haven't been touched for about 30 years, and the world has changed. So I've committed to next year I'm going to update all of that stuff and put it out available for people. Part of that has to be, and it wasn't in those days, but part of that has to be data security. So I'm going to be coming back to you over the next couple of months and saying, okay, we need to have a chapter, we need to have a section on IT, which we don't have. Another thing that I would submit that needs to be looked at, there's consulting companies out there like what I used to do. that go out and do dealership reviews. And it's a finite number of people that do that. Some of them are big names. Everybody knows Accenture, McKinsey, those types of folks. But it's the ones that are out there at the ground level that are important to me and you because they don't do any data security or risk compliance reviews when they do those dealership operational reviews. And that should change.

40:01

Yeah, agreed.

40:03

I hope this is going to be the beginning of a change in perspective for owners and the executive suite in all distributors and OEMs. I had a client last year who had their system disabled for over a week. They could not use the system for over a week because the bad actor was able to get in through a modem on the network because there was no shielding on the modem. I had one of my former employers not have the ability to do invoicing for the parts business for several months in a multi-billion dollar business. I had a case where I had to run a parts business at over 50 stores manually. Because the hard drive had a warped platter in it and could not function. We have no idea how vulnerable we are to technology. We really literally can't do anything without a computer being involved.

41:18

Yeah, well, and there's such a demand for cloud these days. Everybody touts cloud. Cloud really is just a... Fancy marketing person's way of saying data center. Your data's sitting on the server and somebody else's data center, right? And now we think if we go to the Google or we go to the Microsoft or the Amazon of the world, that it's all taken care of for us. But again, it's that inspect what you expect because it's not. If you actually read the end user license agreement when you're signing up, that agreement that you're saying, hey, I'm the end user. This is what I'm agreeing to. Microsoft and Google both tell you, hey, we don't back your data up. Like we have our own backups. And if the fan were to turn brown, all of our services go down. We're going to go to those backups. We're going to try to restore services from those backups. And if all of our services come up, great. That's awesome. If your data happens to be there when you log in, wonderful. If it's not, eh. Not our problem. We told you you needed to back it up. And you would think, okay, well, you know, it's Google, it's Microsoft, and, you know, what are the chances? Well, you know, back last month, there was over a billion-dollar organization overseas that somebody that works at Google basically, I mean, the 500,000-foot view of it is they deleted. They flipped a switch, deleted data, and, you know, that companies whose revenue is in the billions, their data was gone. Fortunately, someone had backups going to a system outside of Google, so they were able to recover, but they were down for a good bit. So, you know, it's one of those things. I mean, it's just, yeah, we do have a lot of people touching our data these days. I mean, I would be surprised if there's a single company out there, a dealer at least, that, doesn't have someone externally touching their data.

43:31

It's just not

43:32

the world we live in.

43:34

Yeah, interesting little comment. Learning Without Scars, our employee development education business, Canada will not allow anybody who deals with a school to have a server that is not in Canada. It's the only country in the world in which that exists. Now, I've had... discussions with them. Our server now is in Canada, so we don't have to worry about it. But when I'm talking to the government, I say, well, how do I know where the server is if it's on the cloud? And that just gives you a small illustration. The other thing about the data backup you're talking about, my daughter and I are the principal owners of our classes. And she now has a five terabit, and I have a five terabit disk drive that we back everything up every week. both of us, her computer to hers and my computer to mine, so that we're covered. Because God forbid I would have to recreate that crap. You know, I'm not going to live another 70 years to do it, you know.

44:40

Those hard drives are in different locations there, right? Yeah, that's right.

44:47

That's exactly right. So I think this is an important subject. Kevin, I think it's a critical subject. I really appreciate the time you're spending with us, and I appreciate your knowledge. And I want to try and extend your reach a little bit further into the industry. If you don't mind, I'm sure you won't. So let's view this as the starting pistol going off on a race that's probably not going to be ever-ending because the bad actors are just as smart as we are, and they find places before we do. That's for damn sure.

45:23

Absolutely.

45:24

Have you got any kind of closing remarks you want to throw out at the audience?

45:30

No, I mean, nothing more than just, you know, ultimately, you don't have to, you can't accomplish all this overnight. Don't be discouraged or overwhelmed by, you know, if you're listening to this and go, man, we got more issues than a reader's digest with regards to our IT. Don't. Don't buckle to the overwhelm. Don't buckle to, you know, just too much to do. This is a, to your point, it's a race that doesn't end and you're just going to have to pace yourself. And so it's just taking, taking small actions today, the things that you can do today that get you 80% of the way there and, and just keeping after it and being diligent about it. I guess if I were, you know, speaking to, someone in leadership, you know, it may not be that equipment dealers are making headlines for being taken to task by the FTC for data breaches or local state governments for data breaches. They may not even be making the headlines for breaches with insurance companies. And if that's true, then fine. That's great. If that's your only reason for doing it, then for not doing it is that, you know, they're not making headlines. I think it goes back to if you're being a steward of the organization, you've got to pay attention to this aspect because this is the one aspect that whoever is in charge of IT, whoever's managing it, if it's done wrong, it can take a company, to your point, it can take a company out of commission. It can close a... close the doors of a company for the most part or put them way behind. There is a dealership. I literally called and offered the risk assessment one day. No, we're good. We have no interest in it. Six months later, they were down for almost a month because of a data breach. And, you know, some companies don't recover from that.

47:45

That's right. That's right.

47:48

Spoke to someone later about it and they were like, you know, we can get our data. You know, we look back and we're looking over our trends and there's a whole month to two months because there's another month of recovery where they were doing things manual and now they had to key it all in. It's like there's two or three months of our data that makes no sense. We can't make any business decisions off any of that data because none of it's right. It's a whole black hole for a single month. And so my thing is just, you know, if you're in leadership. realize this can take the company out, but more importantly, it's going to affect those folks who work for you, their livelihoods. It's going to affect your clients who depend on you to be there, to keep their equipment running so that they can serve our communities. It goes beyond, to your point, people before profits. Yes, at the end of the day, we're all running a business, and the goal of running any business, even a nonprofit, is to make profit so you can keep doing things. But the ultimate goal, the ultimate purpose of that really should be the people we're serving and the way in which we're serving them, the problems we're solving for them. And I think that in itself should be enough to make somebody go, you know what? I need to take a look at this one aspect of our company where we don't, we have a blind spot. We don't know what to expect and we do not know how to inspect it even if we did.

49:10

I'll give you one very simple illustration. And in the 70s, I'm running a computer shop, two computers supporting, I think it was nine stores, maybe 11. And we went online. And we had to be concerned with recovery. So bring it out into today's world. And you have a power outage. And the power goes out for 30 minutes. So the power comes back. At what point was the data last accurate? When the power went out. And where do you restart the business from that point forward? Because I've been operating manually for the last 30 minutes. I have to reenter that. In what sequence? Because my on hand will be out. My credit limit will be out. All manner of things. We don't even know today. Every single dealership is subject to power outages where the computer center is. Every cloud location, every server, everywhere is subject to a power outage. I haven't heard anybody tell me definitively what their checkpoint recovery system is. Ask that question alone, and it causes some eyebrows. Kevin, thank you very much for this. I appreciate it. I hope the audience has appreciated it. Those of you that are interested in this, keep your eyes peeled. Kevin has written as a contributor for us in the past, but will be in the future. And we'll be posting this podcast somewhere in the next week or so. And hopefully we get Kevin up to give us another blog before that time passes. So thank you, everybody. Mahalo. And I look forward to having you with us at the next Candid Conversation.

51:05

Thank you for listening to our podcast. We appreciate your support. Should you have any thoughts or comments, please don't hesitate to contact us at www. learningwithoutscars. com. The time is now. Mahalo.

Protecting Your Business: Unpacking Cybersecurity and Risk Assessments

0:00

0:00

Related Episodes

Old Tools, New Minds

Old Tools, New Minds

Feb 8, 202662 min

Flip ChartsPowerPointSales Calls

How Concentration, Clean Data, And Customer Choice Beat Giants

How Concentration, Clean Data, And Customer Choice Beat Giants

Oct 20, 202564 min

Nick MavrickBuilt DataCustomer Concentration

Business Value and the Human Connection

Business Value and the Human Connection

Sep 22, 202566 min

Business ValueHuman ExchangeCustomer Retention

AI is not your competition—it's your most powerful ally in business.

AI is not your competition—it's your most powerful ally in business.

Aug 4, 202556 min

Artificial IntelligenceEquipment DealershipsAI Diagnostics