episode 176 | Cybersecurity | Transcript | Rea CPA

episode 176 – transcript

Dave Cain: Welcome to unsuitable on Rea Radio, the award-winning financial services and business advisory podcast that challenges your old-school business practices and their traditional business suit culture. Our guests are industry professionals and experts who will challenge you to think beyond the suit and tie while offering you meaningful, modern solutions to help enhance your company’s growth. And I’m your host, Dave Cain.

Dave: The amount of data we produce continues to increase, which means the number of threats we receive from cyber criminals has increased as well. But just as the hackers are thinking of smarter ways to break into our networks, the good guys continue to think of new ways to protect our businesses.

Dave: The state of Ohio, for example, has passed the Cybersecurity Data Breach Safe Harbor Law in November. And today’s guest is one of those great guys. Mike Moran, president of Affiliated Resource Group, located in Dublin, Ohio, is going to explain what it is and how this new rule can actually help us protect our businesses. Welcome back to unsuitable, Mike.

Mike Moran: Thanks Dave. I appreciate it. Thanks for having me.

Dave: And good to see ya. Hey, what’s happening? What’s new with Affiliated Resource Group?

Mike: Life is moving along very well. There’s never a shortage of things to do in the technology world. It’s amazing the different things that go on. And for example, this law that came out, this Cybersecurity Safe Harbor Law, is really a tie-on to the fact that since 2006 Ohio’s had a data protection law. As of today, every state has one. And the important thing about that is that Ohio’s state data protection law requires an organization that has had a data breach to provide 45 days’ notice. They have 45 days from the day they find out they had a breach until they notify the people that were affected by the breach.

Mike: Well, the state of New York just passed a law that if you’re doing business in the state of New York and you have a data breach, you have three days from the date that you found out you had an issue. So if you think about this, an average small business takes three days to recover. You’re already in violation of the New York State law by the time you’ve recovered, let alone trying to get back to normalcy and then organize and report or notify the people that have been affected.

Mike: And what we’re going to see is more and more states are going to start shrinking that time. So the state came out with the Cybersecurity Safe Harbor Law, which basically says, “If you have a written cybersecurity program in place, a plan and a program,” if you will, “then you have a legitimate defense against civil liability.”

Mike: Because what’s happening is that all of a sudden these folks have data breaches and the companies, right, wrong or different, are getting sued. Especially those in regulated areas like healthcare, where they have HIPAA laws, or if you’ve got PCI compliance, or … The insurance industry has theirs, government contractors have theirs. The issue then becomes, if you’re not following the rules and following compliance, you’re technically negligent. Well, if you’re negligent, you obviously have an exposure there to be sued. And civil liability today can be significant in terms of where this goes.

Dave: This is a piece of good news for our businesses in the state of Ohio.

Mike: It’s a double-edged sword. Those that take advantage of building out their cybersecurity plan and implementing it are in good shape. Those that choose not to, by purpose of this law, now leave themselves open and exposed to the issue.

Dave: If you’re not taking care of business, you open the checkbook a little bit.

Mike: That you have that situation happen. Yeah. So that’s a big concern.

Dave: Yeah. I want to commend you on your mailing list, your newsletter, IT News You Can Use. And in the one I just happened to open was the article about developing, formalizing your cybersecurity protection plan. Again, article well written, well thought out. There’s a lot of stuff in there that is very helpful for a novice in this area.

Mike: Thank you. No, I appreciate that.

Dave: And how can our listeners get on this mailing list of yours? Is there a way we can do that?

Mike: Oh, sure. The easiest way to do it is, if you go to our website, which is www.aresgrp.com, aresgrp.com, and then go to the info section and just leave a note and say, “Please add me to your newsletter.” If I get your name, your email address, and the company, we’ll be happy to do that. And then you’ll get one of those every month.

Dave: Great. Or we can just contact Rea & Associates and we’ll put you in touch.

Mike: That’s a little bit easier. That’s even easier.

Dave: But anyway, well done, good piece and very helpful, and that’s kind of what we’re going to talk about today, this plan. Now let me go back. You mentioned New York is three days. Is Ohio 45 days?

Mike: 45 days today.

Dave: Today. And do you expect that to shrink, as you mentioned?

Mike: Yeah, because again, New York followed after the European, the EU’s GDPR rules. And that’s a three-day scenario. So New York’s done it. California is starting to look at it. And if you will, once that table starts to tip, then everybody comes back and starts doing it. It wasn’t but two years ago that we still had a plethora of states that had no data protection.

Dave: Okay. So if there’s a breach, I have 45 days to do something. I think it’s a notification. What actually does notification mean? What types of notification?

Mike: So for example, if you’re a company that takes people’s personal information, let’s start off with the simple thing: I have your name, I take your social security number, I get your driver’s license number, and it’s an “or,” it’s not a “have to have them all.” So if I get your name and your social security number, if I get your name and your driver’s license number, if I get your name and your credit card information, including that three-digit authorization, or four-digit if you use American Express, I now have collected personal information about you.

Mike: ’Cause I have your name and address and … one of those three or more. So if I happen to do that. So if you think about this, every employer has their employee records to protect. Every organization that has 1099s has that information they have to protect because they gather these people’s information. Any transportation company that employs drivers and takes their driver’s license as a part of ensuring your insurance program has data they have to protect.

Mike: So what the notification means is that you have to, within that time period, notify them that they were a victim of a breach and you are the company, and what was going on and what potentially was breached. And then what, if any, remediation you’re going to provide to that person. So in some cases, you see some of the big guys that get hit, they provide one or two or three years of, like, lifelong or some protection in terms of that, or in some cases they do some other things, and in some cases they come back and say they’re not going to do anything at all.

Mike:  They’re just saying, “Hey, look. We had a breach. Oh, well here’s what it is.” So there’s no requirement other than to say that you are a victim of this and this is what was done and this was there. And then obviously from a public relations perspective you’re gonna want to talk about what you’ve done to ensure that it won’t happen again. But basically that’s the notification scenario.

Dave: So it doesn’t mean, hey, you’re going to send me a certified letter and say, hey, you’ve been breached. And-

Mike: No, in some cases it might be an email and other cases it’s a letter. It’s not like it has to be a registered letter or that. There are specific requirements based on the law as to what you have to do for notification.

Dave: Okay.

Mike: And there’s some cases where if you have less than 10 employees you have different requirements than if you’re a very large corporation. ’Cause if you’re over 500 records, there may be something else, a different approach. You may have to notify the media, you may have to notify the government. And then based on certain regulated industries like healthcare and PCI, the credit card scenario, those have specific things that have to be followed as well. So the key is, follow the requirements of your specific industry that you need to be dealing with.

Dave: Just so I’m clear on this … Again, size is irrelevant when it comes to this that each organization that has this sensitive data should have a plan. There’s no exemption for me because I’m a sole proprietor or et cetera.

Mike: Yeah, you can choose not to do anything. I mean, that’s always an option. It’s always an option. But I think that the smart organization is going to use this cybersecurity plan capability as an opportunity to really look at their technology, their security and what goes on. And in many cases, it’s going to give them an opportunity to start looking at IT in a more strategic way. Many small businesses … And when I talk about small businesses, I’m talking about companies that have 700, 800, 900, even 1,000 users, are still considered small businesses by the big guys.

Mike: Those organizations, IT may not be strategic for them. This will give you an opportunity, especially if you look at the first step in a plan, the identify step: it requires leadership to get together and look at that. Set some tone, set some governance and set expectations. So I think that’s an important part of one of the values that this can help provide. Another thing we’re starting to see people see the value from is, everyone is being asked about cybersecurity insurance. If you have a cybersecurity plan, you’ve documented and detailed out how you actually are protecting your organization.

Mike: When you go and fill out that one-page document you used to fill out 10 years ago, where today it might be as many as, we’ve helped customers that have had 20 pages they had to fill out. Having this document helps the insurance underwriters greatly reduce your premiums because they’re saying, “Hey, you’ve got the things in place to help reduce your risk.”

Dave: Right, right. Let’s talk about this cybersecurity plan. Does it have to be written?

Mike: Yes. It typically does, and what we recommend is we follow the National Institute of Standards and Technology, which is called NIST. They’ve published a cybersecurity framework and you can go out on their website and get a 55-page document that, quite frankly, it’s good sleeping reading.

Dave: Right.

Mike: At the same point in time, it’s also designed in a certain way that most companies might look at it and go, “Hell, this doesn’t apply to me,” but yet it does. And so we’ve kind of narrowed it down as we help our customers look at this and we help the people that we think need some assistance. It’s broken down into five functional areas. And then the first step is identify, I touched on that. And that’s really where you identify: What do we have? What do we need to protect? What’s our tolerance? What’s our risk tolerance level? How are we gonna govern making sure we’re doing the right things, and then getting an assessment to understand where you go?

Mike: And then the next step is protect. And protect, if you will, is the area where most organizations today spend their money. That’s where you have your antivirus. That’s where you might have your password policies. That’s where you have your patching of your software and you’re maintaining your things. The next area is detect. Now, some companies don’t necessarily need to have a heavy detect function. They may not. But if you’re a regulated industry like in healthcare, and like the CPA firm, you want to have an awful lot more monitoring and analysis tools on your systems to help not only prevent things, but more importantly, if you get a hit, you want to be able to find it fast and be able to stop it quickly, as opposed to other companies where, “Hey look, if I get a hit, we’ll address getting it responded to.”

Mike: The next step is respond, and that’s how am I going to fix it? How am I going to have my communication plan? And then the last step is recover. What do I do to better my lessons learned so that I don’t get hit again? Because unfortunately many organizations that get hit with a malware attack or a ransomware attack get hit a second and a third time because they don’t plug the holes effectively.

Dave: So which of these plans … Just to make sure I understand. The cybersecurity plan, there’s basically five functions that we should cover. Like you just mentioned, when I quickly hit those: identify, protect, detect, respond and recover.

Mike: Yup.

Dave: A good one will have all components of that.

Mike: Yes. And from our perspective, when we work with folks, we actually kind of put together a spreadsheet that has each function but also then has each step or requirement under those functions. And then it’s laid across. And what we look at doing, some of the added features we look at in our plans are, again, what is the oversight function? Who is responsible? And as part of that oversight, in other words, how are we going to validate we’re actually doing this? What’s the timeframe? And here’s where this plays into importance.

Mike: If you look at many of the data breaches that have gone on in the past five or six years, many of them can be tied back to a situation where a patch wasn’t applied properly, antivirus wasn’t updated properly, their staff wasn’t properly trained on how to avoid a phishing email. Or you look at that scenario that says, “Well, I lost my device but I didn’t report it for a couple of weeks,” and somebody who stole it, there was no password policy. So they just opened up the laptop and started working and they found all this information.

Mike: The reality is that, if you have oversight on those things in our tracking. So quarterly with our customers, we sit down and we show them. “Here’s to show you what’s been done with your antivirus patching. Here’s what’s been done with your operating system patching. Here’s your backup scenario to verify that it’s been done, so you as a customer have that peace of mind. Here’s people that haven’t logged onto the system in 30 days. What have we done to validate those accounts?”

Mike: And it goes on and on and on and on. So that way, as a business leader, I know that my IT team is doing their jobs correctly and it’s one less thing that we have to worry about. Because a lot of people, quite frankly, are lulled into the fact that, “I don’t understand IT, I don’t get IT, and they tell me they’re doing it. So okay, I’m just going to trust them.”

Dave: But as you mentioned, and I’m kind of reading between the lines, but I think I’m right on point on this. If you’re a client of Affiliated Resource Group, this is non-negotiable, you will have a plan.

Mike: We’re going to help. Again, it’s always your option not to. We recommend that you do, and the plans are unique to each individual organization, but there are gonna be some folks that say, “Hey, you know what? I don’t really care. I don’t need one. I don’t do this. I’m in a full commodity business.” And we talked to those folks that, I don’t take … For example, you could be a $25 million distributor that only sells to businesses. Okay, great. Well, I don’t have any real issues. I protect my payroll. I’ve got one person who does payroll, we use ADP, it’s in the cloud, so that’s protected.

Mike: Okay, great. I don’t take credit cards. I don’t, you know, dah, dah, dah, dah. Okay, super. At the same point in time, what’s the most important thing to your business? Well, I’m a commodity and I have a call center that does all my orders. Okay, so let’s talk about that. You’re a $25 million company. Simple math, 25 by 250 days I’m open a year. I have $100,000 worth of revenue a year, or a day, that I get 100,000 in revenue a day. Okay, great. So if I’m down for a day, what’s it really matter? Well, my hundred employees cost me $150 each day. So my cost is $15,000. Whoa, whoa, whoa. Hold on there, Dave, that makes sense.

Mike: But what about $100,000 in revenue? You just told me you’re a commodity business. If I call your company and you can’t help me today, what am I going to do? Well, a certain percentage of people are probably gonna call the next guy on the list. Sure they are. Let’s say that’s 20%. And how many of that 20% are gonna come back to you? Well, I dunno, maybe none of them. Okay. How much does each one of those customers do with you a year?

Mike: Well, our average customer spends $10,000 with us a year. So I just had roughly 20% of my customers, maybe as much as $20,000, go out the door. But take that times three years, you’re now looking at $60,000 times that number of customers; that could be a whole lot of money you’ve lost. Oh, I didn’t think about it that way. That’s how we help our customers kind of see what the real risk and value is to what they’re looking at.

Dave: Right. And you’re extremely connected within the industry across the United States. Got any stories about the civil liabilities? You just kind of touched on that a little bit, but what are some of the numbers or horror stories? Can you share anything with us as part …

Mike: An organization? And we’ll talk about this from a healthcare perspective, ’cause that’s, I think, easy. But for example, a healthcare services company that worked with hospital systems had hospital data on one of the … the service systems company’s phones. The phone was lost and it wasn’t immediately reported. There were about 700 patient records on that phone. You got a $600,000 fine. Now another situation where-

Dave: $600,000 fine.

Mike: Another situation, an organization lost a laptop. The laptop was not encrypted. They did not have a formal password policy that required passwords and things to be changed. They had not done a risk assessment as the HIPAA requirements do for compliance; they’re fined over $2 million. So from a regulated perspective, there’s a huge cost. What people are seeing today is then there is more and more civil litigation that goes on top of that. Because if I’m fined by the government, they are saying that I am negligent. I did not do my duty.

Mike: Well, negligence in many cases in the healthcare industry is equal to malpractice. And you know what happens when people think you’ve got malpractice. You can get sued. And the difference here is that … And I’m not speaking out of school, what’s a logical scenario? If I’m hurt in an accident, I have one potential client. But if I’m dealing with someone who has a negligent data breach and it has materially affected 500 people, I potentially have 500 clients that I can sue that organization. And that cost goes up exponentially.

Dave: We talked about what the new Cybersecurity Safe Harbor Law means to organizations in Ohio. We talked about, do we need a plan? And then you gave us a quick overview of a cybersecurity plan and the five functions. Let’s wrap up in the few minutes that we have left. And you’ve touched on this a number of times, but let’s wrap up the value to your organization.

Mike: Yeah, it’s more than just another administrative thing, it really is. In our opinion, the value of this helps you prioritize and strategize your IT. It helps you organize from a business perspective and understand how I can have a more effective IT, how it can be better aligned with my business. From a leadership perspective, in many cases it forces you to think about, what is our organization’s risk tolerance? We had a customer who we were helping build a disaster recovery plan for a few years ago, and everybody sat in the room and said, “Oh my God, our systems can only be down for a half an hour.”

Mike: Only down for half an hour. We said, “Okay. Well, just so you’re aware, you’ve spent about $750,000 on your systems. For that to be down, you’re gonna spend about that amount of money again, plus the replication costs, plus the cost to support it.” The CFO took a pause, looked back and he said, “Well, little cost if we’re down for three days.” And it’s kind of the way people think, but the reality is we say, “Wait a minute, hold on. Let’s talk about what was most important.” And to this organization, what was most important was their email system. Their ERP system, their financial system, that could be down for three or four or five days.

Mike: But their email, they had 150 reps out, all of their contracts, all of their orders, all their updates to their customers, all was done with email. They couldn’t have that down. So what we did was we focused on replicating their email system so it wouldn’t go down. Another one of our customers that we did work for, which is a large retail organization based here in central Ohio, their biggest issue was payroll. Because they paid most of their employees paycheck to paycheck. And if they didn’t get a check every Friday, they weren’t going to show up for work on Saturday.

Mike: So they had to make sure that payroll was done. And obviously we have some other customers that were union shops, and Lord knows if you have a requirement based on your union contract, this is when things are gonna be done and this is how it’s done. If you deviate from that, that’s a lot of grief. So again, it’s based on your business’s priorities, and that’s a huge value, in my opinion, to where it is. The next step is to get the whole team involved. Because a big part of this is user awareness training. And I know you guys have user awareness training at Rea for some of your things.

Mike: The challenge is that a lot of companies don’t. And this is so different than the, “Well, we’ll give you a half hour once a year at lunch.” It’s gotta be reinforced, because staff members are the front line of protection, given that a lot of these threats come in today via phishing emails and bad things along that way.

Dave: Great.

Mike: That’s a big help.

Dave: Great. It’s guys like you and companies like Affiliated Resource Group that are making a difference. Cybersecurity is at the top of the list, and I think we are making some inroads on education. But we’ve got a lot of work to do in the process.

Mike: I mean, let’s be honest, it’s kind of a necessary evil. Most organizations would much rather spend their money on plant, people and material. Unfortunately, in today’s environment it’s something that you’ve got to spend time on and make a decision how you’re going to invest in it.

Dave: Perfect. Thanks again for joining us on unsuitable, Mike. Great presentation. Our guest today has been Mike Moran, president of Affiliated Resource Group here in central Ohio. Listeners, if you want to learn more about this topic, check out today’s episode page on Reacpa.com/podcast. We’ve included some great resources for you, and if you’re listening to this episode on iTunes, iHeartRadio, Google Play Music, or even YouTube, leave us a comment, give us a thumbs up and certainly share it with your colleagues. Until next time, I’m Dave Cain encouraging you to loosen up your tie and think outside the box.

Disclaimer: The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation so they can expertly guide you to the best solution for your specific circumstance.