Dave Cain: Welcome to unsuitable on Rea Radio, the award winning financial services and business advisory podcast that challenges your old-school business practices and their traditional business suit culture. Our guests are industry professionals and experts who will challenge you to think beyond the suit and tie, while offering you meaningful modern solutions to help enhance your company’s growth, and I’m your host today, Dave Cain.
We’ve all been talking about cybersecurity for several years now, but the threat has been around much longer than that, and with every day that passes, the threat continues to grow and evolve. Today’s guest has worked to pioneer a new line of defense for businesses and the customers they serve.
Paul Hugenberg, co-founder and CEO of InfoGPS Networks, a software development company based out of Boardman, Ohio, specializes in monitoring and leveraging data at rest for applications across a variety of markets. Paul joins us today’s show to talk about the threats taking aim at our businesses today and how a different mindset can result in improved protection.
Welcome to unsuitable, Paul.
Paul Hugenberg: Thanks for having me. Great to be here.
Dave: Thanks for taking the trip down 71 to Dublin, Ohio.
Paul: Yeah, made it. Missed all the deer and everything.
Dave: Hey. So I want to start out, we always like to have entrepreneurs on the show, and of course as co-founder and CEO of InfoGPS Networks, can you give our entrepreneurs maybe a few suggestions along the way of some things that worked for you?
Paul: I can.
We’ve been an entrepreneur in training for about four years now, and I can tell you that it’s a ‘listen to your customer’ type of environment. We all start these things out with great ideas in the front of our minds, and we think that we have developed the two ended pencil that we think everybody needs, and we find out quick when we start to go out into the market that there’s a lot of different ways to look at the problems, and listening really just becomes your best friend. So if I talk to folks, I generally tell them that all the time, just listen.
Dave: Good piece of advice.
Paul: Yeah.
Dave: You know, we’re in the midst of a new tax act that’s in play. Any thoughts about the impact on your business?
Paul: So at my stage, probably not anything worth-
Dave: Nothing jumps out.
Paul: Digging into. Nothing jumps out at us. It’s more of a recognition issue for revenue, so as long as we earn revenue, we’ll recognize it any way people want us to.
Dave: Okay, so we’re going to talk about cybersecurity. We can go many different directions, but it’s still out there. Are we making headway?
Paul: So I get folks that’ll stand up and challenge me quite a bit when we get into this conversation because my answer is generally, I think we’re behind the eight ball, and we’re-
Dave: Still behind, okay.
Paul: Struggling, getting better. Yeah. So if you would just look at the investment in cybersecurity by startups such as myself, the big players that you would generally buy and see in an environment today, the amount of money we spend every year goes up significantly. We’re spending about 10 or 11% average growth rate in cybersecurity a year. We’re losing more data every year than we did the year before. So we’re literally throwing more money at a problem that we are not slowing down. I think our approach to the problem has to come at it from a fresh view. What we’re doing isn’t working. So it becomes the old adage, the definition of insanity is doing the same thing over and over again and expecting a different outcome. And I think that’s where we’re at.
Dave: We talk a lot on this show about rate of return, and spending money, and there’s got to be a rate of return, and what you just said kind of hit a nerve. We’re spending more money and not getting the results.
Paul: That’s correct. So not only are we spending more money and not getting the results, but we haven’t figured out a way to have our conversation at the decision making level of an organization that actually talks about cyber in dollars and cents. We talk all the time about number of IRIS’s we’ve stopped, or number of people who tried to access our network and passwords were bad, and at the end of the day, nobody really digested information, nobody knows how to respond to that information, and nobody knows how to spend money better to stop things from happening tomorrow that aren’t happening today. We’re just going at this in a way that seems counterintuitive.
Dave: So I want to go back to maybe a note that we talked about in pre-production about developing, understanding the purpose of your organization and the mission, and how do you rely upon technology to accomplish that mission? And it’s kind of roundabout way what you just said about spending money on something that you have no idea what the result is. So what do you think? What are some things we can do there to focus on protecting from the threats that put us at risk that may be outside our mission?
Paul: Sure. I start out every conversation I have with a new client with a non-technical meeting. I want to know what it is that you’re in business for, what drives your bottom line, what puts that objective at risk? So if you are Easter Seals and you have a nonprofit drive, if you are a medical billing company and your job is to generate revenue for the doctors, if you’re a collections company, there is a purpose for your business being in play. Technology is there to support your ability to reach that purpose.
Paul: So if you just jump at technology and say, you look like everybody else, and we’re going to apply the same controls as we do to everybody else. Then we’ve really just ignored the reason that you started your business in the first place. There’s a mission that you came to the market with, and we just ignore it. So what I do is I ask, what are you here for? What puts that at risk? Who is asking you to meet certain obligations? What thresholds do you have to manage or monitor, and do you have to do it once a year, do you have to do it once a quarter? So that I understand not only what types of things you’re trying to protect yourself from, but how you’re trying to protect yourself from some of those threats.
Paul: The next thing that we’ll do is say, Because of the type of business that you’re in, now let’s have a conversation about what puts that at risk. What is the threat we are trying to protect ourselves from? Not everybody’s at risk for Ransomware, not everybody’s at risk for physical penetration, not everybody has cash in a vault, so we don’t need to protect against everything in every situation. We have to understand what puts us behind the eight ball and go after that.
Dave: We do a lot of discussion about strategic plans, and of course you and I have sat in boatloads of those type of conversations, and those strategic plans a lot of times will talk about developing new business and maybe mergers and acquisition and the like, but very seldom have I heard something in a strategic plan about technology.
Paul: Sure.
Dave: Can you comment on where technology should fit in in that strategic plan? Kind of along the discussion we had about the mission.
Paul: Right. So I would make a broad statement that says it makes about as much sense to omit technology in your strategic plan as it does to omit financial statements. Everything that happens in your business happens-
Dave: That’s a pretty brash statement, there.
Paul: It is pretty brash, you know?
Dave: … CPA, look, but now I got it.
Paul: So I’ll pass a little secret on to you.
Dave: Okay. I love secrets.
Paul: I’m in the cybersecurity space, but I’m an accountant by trade, and a CPA before I was a certified cyber guy, so I kind of look at stuff through the idea of making sure that we exist tomorrow. So I’ll use words like going concern, off balance sheet risk in a room full of IT folks-
Dave: Oh, I love this conversation, man.
Paul: And they’ll just look at me and they’ll be like, What are you talking about? But generally, you can’t go to market today without a set of computers, without a network together. You’re dealing with people that are carrying their lives on their hips. We’re built to communicate in ones and zeroes today, so how do you functionally get yourself to market in a space that is driven by technology and ignore technology? Would you go to market as a sales organization and not talk about the type of salespeople you wanted to hire? What skills you wanted them to have to get to the demographic you wanted to reach? Guess what? The demographic I want to reach, they use Facebook, they use Instagram, they’re bloggers. The demographic I want to reach doesn’t buy at stores, they buy on the internet. That’s all technology. Every bit of it. So it has to be a part of it. If it’s not, I think you’re just selling yourself short.
Dave: You referred to yourself as a cyber security guy. Is that a new designation in the marketplace? Cyber security guy?
Paul: It is. So cybersecurity is the word that everybody likes to use today, so I tend to like to use that word in conjunction with required and impactful skillsets inside your shop. I think it’s a word people ought to put their hands around and jump on.
Dave: Great. Now I want to talk about threats.
Paul: Yes, sir.
Dave: And what type of threats are putting businesses at risk today? And that’s the first part of the question. Let’s talk about that, and then we’ll talk about what we can do about that, but what type of threats are putting businesses at risk today?
Paul: Let’s just start with two or three that everybody would recognize that are relatively significant and the things we hear about in the news, and then talk about something that’s maybe a little bit more implicit that’s driving those risks. So, what do you have to deal with today in terms of cyber? Frankly speaking, it’s things like fishing, clicking on wrong links. And while those seem kind of mundane and traditional types of comments, if you would think of the environment that you have just spent hundreds of thousands of dollars or not more to protect, email just poked a hole right through the castle wall you built. The internet just poked a hole right through it. The cell phones you bring in, the iPads, things like that. So when you allow those holes to be broken, basically what happens is there is now an authorized event that can occur inside your network.
Paul: Let me back up by saying there are no unauthorized breaches. None. Computers only do what computers are allowed to do. So if it happened, it was allowed to do it. That also means there are no external breaches. Everything happens inside. It’s inside a computer you own, or you’re contracted with, or you paid a vendor to provide you. So if you take those two things, everything’s actually authorized, and everything happens on the inside. Your job is to control what comes in and who can click on something that would allow something to go out. So email, fishing is a big deal.
Paul: Second are passwords. And that seems kind of rudimentary again, but the concept of making sure that the keys that we hold in our own possession to keep the bad guys out are the strongest keys that we can possibly put in front of each other, and we change them as often as we possibly can if they’re not overly long. If we can be really good and we can start to use things like extremely long and complex passwords and tokens, maybe we can change them less, but the idea is, between you and I, there has to be a barrier, and it’s got to be something I can control.
Paul: So those would be things that, if you hear about a breach today, it’s normally going to be one of those two things. It’s going to be somebody clicked on something they shouldn’t have clicked on, or there was a bad password or a bad configuration setting that was just missed or omitted, and it allowed somebody to get in. I think what’s driving most of those threats though are, if we kind of look around this room right now, and there’s a series of chairs around this table. If we would leave this room and then come back and a chair was missing, we would all know it right away. The chair’s gone. Somebody took a chair. In the world of cybersecurity, somebody can come in and actually take everything it is that we’re trying to protect, and it’ll still be there Monday morning because it’s just copied. It’s just moved over and copied.
Paul: So what that brings us to is a real need to be as close to our assets as possible, understand what’s putting that business objective at risk, and watch that as close and as often as we possibly can. Because if it comes in money and it’s not here, and we’re not watching it, it might be, and this is an industry standard, nine months before we figure it out. So one of the comments that we’ve brought up in a training event with the accountants in the room a few months ago was, imagine if you find out about a breach that puts your organization at a going concern nine months after you just opined on the financial statements and everything’s pretty good. You’ve already done your strategy, you’ve already done your budgeting. So those threats that we can handle right away, we need to handle them, and we need to focus right on those assets that are at risk and watch them as close and as often as we can.
Dave: So let me put this in realtime for us a CPA firm that, we do a tremendous amount of auditing financial statements for our clients, and that’s industry wide, but what you just said is, as a business, I could get a clean bill of health on my financial statement, clean report on my audit, but something could be going on in the cyber space and impact that business nine months, a year from now, that would have an impact on my financial position.
Paul: That’s correct. If you would just imagine that you were responsible for the largest asset inside an organization, we traditionally think of that as the currency or the money in an organization if I’m the CFO, right? And I’m going to be responsible both legally to my shareholders, possibly criminally if something goes wrong, but definitely from a professional standpoint to the members of my management and the board. And I’m going to be able to tell you that we’re doing things the right way, and I never reconcile my accounts. I never count the vault. I never monitor transactions that happened yesterday. And when I give you the balance sheets, you say, Can you tell me what makes up this balance? And I’ll say, I can’t, but I’ll be happy to look at it and bring it back.
Paul: That is IT security today. I’m an information security officer and I walk in and I’ve never found my data, and don’t track it every day, and I don’t know where most of it is, but I’m going to stand up and say everything’s okay. And I’m doing it in a world where, again, it can be stolen without me knowing. The average time for me to detect it is nine months. Imagine if you’re the ISO of Marriott, it’s been five years. The Marriott Breach was a five year event.
Dave: Five year?
Paul: Five year event. And they bought it. It came from an acquisition. The original threat came from a company that Marriott bought. So there’s a lot of details behind that, but again, you just start talking about, we’ve traditionally gone at the world of security by making statements around assets that we don’t even know where they are. And our claim to fame started with Sarbanes-Oxley when the financial auditors came out and said, Holy cow, everything is happening on these computers, and I don’t know if the computers are right. I don’t know what integrity means. I don’t know if what’s coming in is what’s going out. So we rose to the top as people that are supposed to help you understand if that’s actually the case, and we’ve made it forever without ever being able to tell you how much money’s in the vault. To me, that’s just a tremendous gap.
Paul: So when I say we’re behind the eight ball and things are getting worse, it’s because all those dollars that we spend, we’re building higher castle walls. We’re putting more gators in the moat, but we still don’t know where the vault is. We still don’t know where the gold bars are. Does that make sense? So imagine if you were responsible for the Secret Service and no one ever told you where the president was. That’s us. And I say that broadly. There are significant steps and there are some very mature organizations that do focus on data first, but I think that’s really where we need to start.
Dave: I want to go back to, hey, if something happens, it could be nine months, and the other example you used, it could be five years, have you got any other horror stories that you can share about data breach that maybe changed it up a bit? Because those stories are scary.
Paul: I’ve got a couple that I can share. We would hear things today about a breach that occurred, and we’ll have a CEO or a PR person come out and say, We identified the problem, we didn’t lose any confidential data. We know everything that’s been taken. Here’s free credit monitoring for a year. Everything’s okay. Period. We care about your security, and your private information is important to us. Full stop. So when I read those things, I say, How can you make that statement given what just occurred? So we’re literally responding to an event that we didn’t know was happening by saying, Now we know everything that’s happening. Without actually doing some additional work.
Paul: So the tangible result of that is you often see followup announcements where breaches get bigger, more data was lost than was thought. But what we see now is a lot of, somebody breached Yahoo, got all my emails. Somebody breached Facebook and got some emails and some demographic data. And we look at those things and say, Okay, it’s email. It’s really not that big a deal. Well, in some states in the US, email is now considered private information. European Union, it most specifically is. However, what’s happening when that email occurs? What that email, it’s just being stuffed in a big stash. Whatever’s taken is just thrown into a big database on what we call the dark web. The stuff just gets taken and stored in a database just like everybody else, and then it’s used to do things like we just talked about earlier. Send out thousands, and thousands, and thousands of emails.
Paul: Basically, the bad guys are commercial fishermen. They have really big nets and they throw big nets in the water, and they’re going to catch some stuff. Every now and then, they’ll catch something they didn’t think about. So when that happens, you start to see things like a large financial institution suffer losses that incurred Ransomware or BitCoin type of payouts because somebody lost an email. And that email was lost five years ago in an unrelated event that we didn’t even think mattered. So those are some of the things that happen to drive us to work today.
Paul: The other thing that happens and I think is more relevant is, we operate in an environment where we are continuously trying to protect ourselves from the exposure of a threat or somebody taking advantage of a vulnerability, and what we think is, We can get out of this if we can just change our way of approaching it. Put in more controls. But what’s happening is we’re spending, let’s just say a small business here in town spends 75 grand to refresh their hardware set today, and they’re doing five million bucks a year in revenue, nice lifestyle business, maybe some international customers. Well next year, all that stuff they just bought this year is now vulnerable. It’s old. Well, that company doesn’t have another $80 thousand to spend on technology every year. Take that and multiply that with your large banks. Take that and multiply that with your large hospitals, who are continuously fighting really small margins and just don’t have a ton of dollars to refresh their environment every day.
Paul: Those end up being where we get breaches. I’ve had the experience of the phone call at two in the morning where an older piece of equipment sitting in a customer facing position caught a flu bug. Something running across the internet that said, Hey, are you home? And we said yes, and it knocked on the door and walked in. About 150 grand later, we figured out whether it was a problem or not, and that’s a big deal. So if you’re an organization, can you eat 100 grand right now? Can you eat 50 grand right now in a breach? It’ll put a lot of people out of business.
Dave: Sure. In the time we have left, I want to talk about when its important to bring in an outside expert to evaluate, even correct the cybersecurity position or posture of your organization. Again, as money tightens up sometimes, organizations try to do it themselves.
Paul: Sure.
Dave: And there’s the balance of bringing in an expert like you guys. So when is it important? Give us some ideas here.
Paul: So I would take just a triage look at this. One, if you happen to be in a regulated industry, so if you are a bank, if you are in healthcare, if you’re taking credit cards, if you work for the government, if you do secondary education, let me correct myself. If you’re in business, you’re probably regulated. We’ll just back up. You’re touching something. You’re also probably not in business to be a cybersecurity auditor. It’s not why you started your business. You started a law firm, you started a CPA firm, you started a billing company, so focus on what you’re good at and bring in folks that are good at something else that’s not necessarily in your bailiwick.
Paul: I would take an immediate start if I have information that, if it should get out and find its way to the front page of the paper, I’m worried about my business living through that event. If I can make that statement, then I’d call somebody to come in. Generally, you can call somebody to come in, self included, where it’s not going to cost you anything to just have a conversation. Have a cup of coffee.
Dave: Do a little assessment, see what’s going on.
Paul: Just tell me what’s going on, right? And if we need to go do some more work, we can figure out what that work is and go forward. But do what you do best and bring in folks that do what they do best, and cybersecurity is one of them. Just like you have an external financial auditor that comes in, you should have an external person that’s looking at your cyber. The other thing I think is really important to understand is, every single day, there are more vulnerabilities than were the day prior. So it’s important that there is a group of people whose entire reason, their mission for being in business is to understand vulnerabilities, understand threats and talk to you about them, make use of it.
Dave: One of the things that sticks in my mind, a term you used, is a cyber commercial fishermen just out there fishing and they’re going catch something.
Paul: They are.
Dave: And that’s what they do.
Paul: That is exactly what they do. If you’ve ever seen an email come in, or a phone call come in, somebody show up at the front door in a suit, said they belong there but they don’t, they’re playing odds there, right? It only takes a couple percentage of people to click on the email or to let you in the building, and they’re successful, and they get what they need.
Dave: In the discussion about national security and the like, is cybersecurity overtaking the threat of terrorism as one of our key national security events?
Paul: From an emotional standpoint, obviously not. There’s an impact valuation to the terror threat that drives the conversation. From a likelihood and then economic impact, of course. I had the opportunity to see retired General Hayden speak, and he started out his conversation simply with a picture of a Chinese bomber next to a picture of our bomber, and they look alike. And his comment was, If you don’t think that nation states are taking our information and using it right now, then you might be misguided.
Dave: Sure.
Paul: So yes, it’s happening quite a bit. So again, when you just start talking about the investment dollars it takes to keep your environment refreshed, move that away from the hospital and put it in front of the operating system that operates the dam.
Dave: Right.
Paul: And if that’s legacy and there’s vulnerabilities there, then the dam’s at risk. So one of the things that I think cybersecurity, that term that we use now, we don’t use information security anymore, it’s cybersecurity… Is that the internet of things, the connectivity of all of our devices literally has put physical threats, physical harm actually in our scope. So we’re looking at a computer on a table that, instead of stealing a social security number, I can literally open a lock on a dam. I can stop the brakes from working on your car. I can turn your stove on from work. So the threats have just grown and accelerated so much, and we see all those in national state.
Dave: Well, after talking to you, I think I’m going off grid for a while.
Paul: Go off grid. Give it a whirl.
Dave: Just to give it a whirl.
Paul: Give it a whirl.
Dave: Let’s kind of wrap up here in the few minutes we have left, just tie everything together. One is you talk about focus on protecting yourself from the threats that put you at risk and understand your mission statement and strategic plan, and technology plays a huge role in that. Again, know there are threats out there, you may not even be aware, but they are there every hour of the day, and certainly have discussions with an outside expert sometime during the business cycle.
Paul: Yeah, of course. Again, you’re in business for something, and there are things that put that at risk. It might be a slow paying customer, it might be a virus that gets in your network and shuts your sales system down, it might be Ransomware where you have to pay off somebody, right? So there’s always threats and risks, so you just need to talk to somebody and put your best foot forward.
Dave: Sure. For our listeners, certainly if they want to get in touch with you, have more conversation, they can get ahold of us at ReaCPA.com, they can give us a call, they can contact our marketing team. Bixer will take care of all the incoming calls. But give us how we can get ahold of you. Maybe an email, maybe that’s the best way. Company name and email.
Paul: Sure. So company name would be InfoGPS Networks, email there would be, we’ll just do Support@InfoGPSNetworks.com, probably easier than spelling my name.
Dave: Sure
Paul: And that’ll come to me. I am very active on social media, so InfoGPS on LinkedIn or Twitter. You can get ahold of me there and read some updates almost daily.
Dave: We can find this and we’ll be sending out a copy of this podcast to our friends in the podcast community as well.
Paul: Great. Appreciate it.
Dave: So our guest today has been Paul Hugenberg, co-founder and CEO of InfoGPS Networks, software development company based in Boardman, Ohio. Again, thanks for joining us today. Great insight on today.
Paul: Thanks for the opportunity.
Dave: The threat of a data breach is very, very real, and I haven’t met a business owner who isn’t concerned. Thank you for providing us with a new perspective and for sharing your expertise, and a few stories. Did you enjoy today’s episode? Let us know. Like it, comment on it, or share it, and don’t forget to check out videos of our podcast on YouTube. Until next time, I’m Dave King encouraging you to loosen up your tie and think outside the box.
Disclaimer: The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only, and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation so they can expertly guide you to the best solution for your specific circumstance.