Sign Idaho Banking NDA Safe

Industry sign banking idaho nda safe

you hello everyone and welcome to our webinar my name is will fowler and i am the associate state director for operations at the idaho small business development center and for those of you who don't know the idaho sbdc is a network of consultants across idaho that offer professional no cost confidential consulting for your business and we are presenting today some information we think is really really important for you which is the three most important actions a small business can take um to stay cyber safe so it's a big deal especially these days with everything being online in the midst of our coven 19 pandemic so um i just want to give you a couple ways to get the most out of this webinar one is there is a chat button at the bottom of your interface and i suggest you open that up we're going to be chatting certain key points and encouraging conversation um during the webinar so i think it would be really great to have that open also if you want to ask questions you might notice that you can't like unmute yourself or or turn your video on that's because we're in our webinar format so if you want to ask a question which we really want you to do click the q a button at the bottom of your interface and you can type in any question you want at any point and we will we will take time at the end to answer as many questions as we can and there might be a ton because this is a it's a pretty broad pretty broad subject matter out there um so so again open up your chat ask a bunch of questions with the q a interface and and have a great time during this webinar i'm gonna introduce um ruth schwartz if you if you've attended any of our webinars you have probably seen ruth she is our subject matter expert for all things um coveted 19 business related at the sbdc she's consultant out of our boise office and she's going to be participating in this webinar and introducing our panelists so ruth i'm going to kick it over to you and ruth you are muted just so you know good afternoon and welcome thanks for joining us on this webinar as you may or may not know october which we're coming to the end of is cyber security month it's such a pervasive issue and we're happy to be here addressing this issue as a part of a concerted and national effort i want to introduce our panel of experts here we tried to narrow down this huge topic into a few things a few things that you can do and with us to help do this in as simply a manner as possible is ed vasco the director for for the and i didn't know this is what the institute was called i had to go look for it ed the institute for pervasive cyber security that's an incredible um title and that's over at boise state university welcome ed tom brown who is a partner of mad hatter tex who are one of boise's award-winning it and cyber security companies matt sevieri the owner of semi-area insurance who's here to help us understand what cyber security insurance is about and i'm going to kick it off to ann swanson who is our sbdc regional director of region number five out of pocatello and i'm gonna kick it over to you ann to get us started here thank you ruth i appreciate that introduction and i'm so glad to have our panelists with us today as well um like ruth said i'm the director in of the small business development center in region 5 which is over in southeast idaho so i am not the expert that these three folks are but my role in this is to really deliver the cyber security presentation that i always wanted my small business clients to hear so i as i put these um slides together which won't take too long to get through and get right to the experts i thought you know what is it that businesses really want and it is low cost or no cost it's easy somewhat easy and most of all um it's resource driven what i mean by that is i've prepared for you um a worksheet kind of like a i guess a packet i'm not sure what the what the going term is right now but um i'm going to send you and i'll share this here with you i'm going to send you this after the presentation so this has all the links to all the resources that i'm going to talk about in these slides we've also got contact information for um folks that are on this call today as well as other possibilities for help with cyber security so i wanted to make this um package really easy for a small business to swallow because it's it's it can be um overwhelming like most things in small business and i really wanted to make sure that when you leave this webinar you have the tools to address these three areas that we're going to talk about so those three areas are really um i guess we we did a little bait and switch there because there are three very broad areas that we're going to talk about first of all is preparing your staff so that we'll talk about that first and then talking about what you do as a business owner or manager what your job is so that's number two and then number three um what you need to have ready in case you do get attacked because it happens a lot to small businesses i'm going to skip this scare tactics slide um we all know it happens to do any kind of business and everybody's you know inside including the hackers during the pandemic looking for something to do so we'll start with your staff i'll show my slide here so staff first thing to do with your staff no matter how big or small is make sure they have some kind of training particularly around fishing and if this is the first time you're hearing the word fishing it means that hackers send what looks like an innocuous email typically and inside that email are links that could be damaging to your to your systems it could be an email asking for passwords or getting some kind of information out of your employees that they the hackers can use against you so teaching employees what phishing looks like is very important and on that um packet that i showed you right before i brought up the slides there are three links to free fishing training so you don't have to go look for them um they're on youtube and they're from reputable sources the ones that we've referenced for you in that guide and we also have a pdf in there that you could distribute to your employees that talks about the red flags for fishing so i'm not going to go over all of them right now today but i want that to be in your minds as as the first priority teach your folks about fishing how to recognize the problem um second once you've gone through that teaching phase with your employees is to get a phishing test and that means that you connect with an outside company um to test all of your users so it's an outside company that will send users um suspicious emails with a hope that they've had the right phishing training to reject those if they don't happen to reject those phishing emails then they will come back and tell you the employer what's happened and then you can go back and do some retraining with your employees and there are two companies um that i have listed with a direct link on that packet that provide free phishing tests you have to register of course you've got to give them your name and email but that is a resource that's free for you to do number three with your staff is update so that includes passwords and software so there should be an expectation set among your employees and in your business that those two things need to be done regularly and so it uh of course um comes from the top down so that's a schedule that you would need to set with your employees i'm thinking about um complex pass phrases instead of regular passwords um also thinking about two-factor authentication so um setting two-factor authentication up especially with sensitive sites such as your banking sites or your credit card sites and then finally we remind our employees to do this all the time and i've got a link on that packet to some posters that are all ready to print out and you can post them in the break room um you can use them in your training whatever however you want to use them but there's a link there to some fun posters so i hope you can check those out and let's see if i can advance my slide there you go so that was staff that's number one priority is getting your staff trained and prepared especially for fishing phishing number two priority is what you the manager owner needs to do and the number one thing for you is to update your employee handbook with all of the things i spoke about in the previous slide so expectations around phishing expectations around education for that i should say expectations around password changes software updates and any other policy that you think is important this presentation isn't exhaustive this isn't a complete list of everything you could do to be cyber secure um but it is um i think would give you a strong start on a list that's that's pretty easy to implement and also low cost so all of these these tactics need to be in the employee handbook so what if you don't have a handbook uh if you don't have a handbook the small business development center can help you with that and we're happy to work with you to put one together and the other piece that i have on the the um this the um packet that i showed you at the beginning has a link to some samples of the kinds of cyber security policies that would go in um a handbook so you've got a copy to work off of there too feel free to to cut and paste as suits your company um the second thing that should be in that handbook and that that you as the owner should um make sure that you have in your business is a digital transaction policy for any kind of money changing so if there is you know a hacker favorite is to send an email that says hey um this is your boss and i need you to transfer 30 000 to xyz account to cover such and such a client and we've heard that story on the news before the employee thinking it's really the boss asking for the money transfer does the procedure and we're out 30 thousand dollars and the hackers are heading to bermuda wherever they go so having a transaction digital transaction policies set in your company when there's money involved is is really important so making sure everyone understands that whether it's something that has to be confirmed in a phone call whether you have to have two signers on an account or two logins on an account to confirm that anyway um they the finalists might have some better suggestions than those but having a policy in place so there's always a way to check on those money transactions remote backup i have two links to remote backup companies in the packet and the second step would be of course offline backup so having a hard drive somewhere that you back up to on a regular basis and that you keep disconnected from the internet so those two pieces are are responsibility for the owner as well backing things up next is minimizing data collection so what i mean by that is you want to gather and keep only the minimum data you need to serve your clients so if you really don't need your clients street address to serve them don't ask for it and don't store it and of course you don't want to store any kind of client credit card information social security number those kind of things so think about what is the minimum data that we need to operate our business and then get rid of collecting whatever is not absolutely necessary and finally is inventorying hardware and software so this means that you understand who has what devices where they are and what's on those devices so if you know that shelly has a laptop and a cell phone she uses for work you need to check and see what software is there and monitor those for the updates regularly actually shelley should be doing that herself after you train her but understanding all of the the hard assets that you have in terms of equipment and also the software that you are allowing to be present on those work those work devices so that's a checklist for yourself as the manager and the owner and then i wanted to make sure and address what happens if you get attacked so you sit down and open your computer one morning and it says you you've been hacked lucky day um you need to deposit 30 000 bitcoin i don't even know if that's a lot of bitcoin um but a million bitcoin um in such and such account or we're going to wipe your data we have a hold of all of your data all your customer information all your banking information so you need to pay us back or it's all gonna go so of course part of your attack plan is doing all those preparatory steps which i went through however um there's a couple of extra that really directly um relate to the potential of an attack and that is first of all meeting a cyber company so if you um if you haven't met an it or a cyber security company yet i highly encourage you to do so at the sbdc we always say um you need to have a lawyer and an accountant in your hip pocket with a relationship established because you never know when you're really going to need them and having a relationship set up with a cyber security company is really important to have before anything happens partly because that cyber security company needs to know um the information um about your company and what kind of data you have in order to handle an emergency and they typically need an nda sign so a non-disclosure agreement signed between you and the cyber security company in order for them to come in right away and work on your problem so in that packet i've got um four i believe four to five um cyber security companies that you can contact their names um emails in there and i would recommend creating a relationship with them um beforehand before the need starts now it is true um these are expensive people to work with just like lawyers and accountants um so when you are looking at a cyber security company to work with you're probably in a in an emergency situation looking at between 100 and 600 an hour so that's a lot i understand so that i hope that gives you some incentive to do all the the prevention um steps that we talked about in the first two slides the second thing is to consider cyber insurance cyber security insurance i should say and we've got an insurance representative here on our panel i've included his name and contact information in that packet as well as three other insurance agencies that provide cyber security insurance for small businesses also on that packet is a guide from the federal trade commission that helps you ask the right questions if you're looking for cyber security insurance and helps you understand on the difference for example between first party and third party insurance so i recommend you look at that so you've just been hacked what do you do well first of all should call your cyber security company second of all call your insurance company if you have it and third report the incident to the fbi and i've included the reporting link in that packet for you as well so that is the end of my um presentation it may seem shorter than most you've seen on cyber security but i i really um want it to be something that you can actually implement without too much um too much time and money starting with these kind of small steps preparing your staff with some education um keeping up with your employee handbook and setting expectations related to password and software updating um the things that you the owner can do and then finally making sure that when you get attacked you have a plan you have a phone number you can call you have a relationship that's set so you don't feel panicked and alone when this happens i hope it never does um and i will turn it back to ruth to introduce our panel one at a time and they can take the rest of your questions thanks thank you anne i want to encourage everybody to think of any question they ever wanted to ask about cyber security we've got an excellent panel of experts here and i'm gonna i'm gonna keep asking questions until you um ask them as well i see kristin that you do have a question in here and i'm gonna get to that in just one second and first introduce our experts um welcome ed vasco director of the institute for pervasive cyber security at boise state university would you tell us and what you think is also the most important most important item that a small business has to think about in the world of keeping data safe yeah i know hanks so much ruth and thank you all i really do appreciate the opportunity to be here today you know when i think about small businesses and prior to joining uh boise state and in this role uh i've actually been a serial entrepreneur myself i've started five different companies so many of you on the on the call uh i i have affinity with in terms of my background um and when i uh think about the one key thing that i would be looking to do is uh kind of living by the adage that you know an ounce of prevention is worth a pound of cure uh the things that that anne talked about here are are generally some of the most important aspects to uh to ensure that your organization and your company is less of a target and you know i always like to take the idea of cyber security and turn it into a physical analogy so if you think of your house um you know and if you think of of even your business and your storefront uh you know having an alarm system and having locks on your doors and bars on your windows uh really is all about ensuring that that the the bad actors the bad guys that are out there trying to steal your data um or steal the things inside your house um find it difficult find it more difficult to steal from you than from somebody else and in prepping your organization to to be uh just secure enough um while still being able to operate is highly highly important in today's world uh and ensuring that you have the right level of you know bars on your windows locks on your doors alarm system in place uh essentially allows the bad the bad guys to know uh that they can't get into you as quickly as they can get into your into some other business so they're going to go attack that are the business before they attack you and i think that that's really the the key element um you know is living by that adage that an ounce of prevention is worth a pound of cure thanks and um just out of curiosity and again i welcome people to get some more questions here this is your opportunity to get any question you have on cyber security answered um but i'm curious about ed is what actual uh situations have you seen most prevalent lately oh uh by far uh two two key things uh fishing um that leads to ransomware without a doubt uh you know we see that uh being the the most prevalent aspects um uh of or of criminal organizations uh who are the primary actors it's not it's not the traditional um you know image that we have from pop culture that it's a single actor somebody sitting in their basement breaking into uh you know into into your into your company this is a targeted set of criminal activities in a criminal underground that is working in in tandem with each other in their areas of subject matter expertise to look at everything from social networking uh to uh systems that you have that are exposed to the internet to even suppliers that you use uh that that are within your within your value chain um and and so doing so those criminal organizations look to profile and then target your organization with very specifically crafted emails as ann described before uh the concept of phishing you know and specifically uh specifically fishing out um you know your organization and contacts within it and then embedding into that phishing email either some sort of link to a malicious website or even just a file uh that in in clicking on that particular file you're downloading some level of ransomware uh and activating that ransomware within your environment uh and and so by i would say within i think most recent research points to about 75 to 80 of all uh cyber attacks at the moment uh have been ransomware oriented and that's become even more prevalent as covid19 has has taken such a hold on our business community and on our ourselves as individuals and the activation of a remote workforce as as workers who have been able to go into a remote work environment they become even a higher degree of target of fishing and ransomware opportunities so by far those two are the most prevalent uh so give me an example of a ransomware attack uh well certainly i think the the easiest way for me to describe what ransomware is about is uh it's essentially uh having a program um having a malicious piece of of software that begins to encrypt uh your hard drive and encrypt the files that are on it uh and in doing so begin once it's through that effort it actually alerts you to the fact that it's completed and holds your system in the files for ransom you know paid in other words pay the criminal organization some sort of ransom in order to get those files back and those are that's what i would call the base level ransomware attack uh ransomware has like uh like all things has evolved and over that evolution it's actually um they've it's evolved to the point where ransomware will infiltrate a system it will spread itself throughout your different uh business systems and then will activate once it's once it's attained a certain level of propagation once it activates not only is the first system impacted but just like any other any other virus so to speak it propagates through and and takes over those other systems so you may have your point of sale system be impacted as well as your back office systems as well as your financial or hr systems depending upon the size of company you happen to be every one of those systems will be then held for some sort of ransom and as i mentioned before criminal organizations are actually uh advancing themselves and becoming better at their jobs so to speak in that they are then giving over to you as a business owner the opportunity opportunity to to try before you fully buy so to speak they'll ask you to turn around and give over some piece of a bitcoin some fractional component of a bitcoin or some other cryptocurrency generally and in order to get backs us back to a certain number of files or a certain kind of file and that's the taste and after that then they will uh ask you for more the challenge the challenge that we're faced with in the as an industry and as as small business owners yourselves is that paying the ransom doesn't necessarily always mean that you're going to get your files back and therein lies the real challenge of ransomware uh you know and so there are as as ann pointed out at the beginning in her presentation there are a lot of very specific kinds of things that you can do as small business owners to ensure that the likelihood of being exposed to a ransomware attack and if you are exposed to a ransomware attack recovering from that attack are all embedded in that packet in the presentations you talked about okay thank you very much that's a really great um segue to introducing tom brown from mad hatter text um local i.t firm i feel like i want ghostbuster um music to to go in the background now so who are you gonna come yeah we're the guys that show up you're the guys that show up to follow up on kind of what ed was talking about a company a client um contacted us with no prior relationship with us uh regarding a um an attack a encryption attack um and if they had had a relationship with a company like us where we could have made sure all of these preventative measures were in place it may have set them back a couple of weeks or a month or something like that but instead it set them back it wiped out all their data incredibly expensive for them and it ceased their operations um so you know what i like to impart upon business owners is that their i.t systems are they require care and maintenance um similar to how your your car if you don't put oil in your car for a year one day it's going to blow up and that bill is going to be much more expensive than it would have been if you had been putting maintaining it at regular intervals putting oil in it and so on and so forth and so as a managed i.t company what we focus on is that regular preventative maintenance um basically all the measures that anne talked about in our powerpoint we you know we put those in place and maintain them and then it when and if something breaks something's gonna eventually go down b you have because you have a relationship established with us uh we're ready to show up and fix whatever the problem is so that in a nutshell is kind of what we do okay great so let's get specific um i know that you can only speak for your company but a small company wants to have a managed services contract with somebody like mad hatter tax what what would that look like and what would that cost them so it would depend on the company and what they want we would go in we would consult with them give them our recommendations and prepare an agreement based on that but essentially we're going to look at all of your assets and it's going to be based on the number of assets you have so for example if you have five desktops each one of them are going to require x amount of maintenance a month and we're going to um [Music] put that into the agreement and the price will be based on those seats as they're often referred to if you have a server that's another uh amount of maintenance that'll have to be performed each month and that will add to the cost how does it change if the um if the assets are cloud cloud-based well if they're cloud-based that means that the company providing those services is doing that maintenance therefore we you know we wouldn't have to maintain those in a majority of cases i can't think of a case without where we would have to maintain it um cloud-based solutions are incredible because um you know they're remotely located they're they're typically well protected um and you're also kind of off putting a lot of that risk onto the third party that's providing those cloud services well i'm thinking of a normal small business office you know i have a half a dozen boxes right that people are working on but i'm using say microsoft 360 in the cloud i'm using quickbooks in the cloud i'm still at risk for a cyber attack i'm assuming for your within your local environment there so your machines are certainly at risk but we're going to assume that microsoft has measures to protect their services in the cloud so and then that goes into the managed service contract that i would i would take with you say it would maybe lessen my exposure correct and we generally advise people to use those cloud services for their email or for other things having a co-located or an email server there on premises that's just another it asset that you have to take care of it's going to add to your cost and it also one day that server say it goes down now all of your emails are gone or something like that so having that service in the cloud is more advisable in my opinion there are of course cases where you may want to have that mail server in your office but that's a case-by-case basis okay so um among typical clients that you have um small business clients what are they paying you for a managed service contract on a monthly basis on average i know that you have to i'm just trying to give folks who are on this call an idea of what that really means to them so you could calculate it you figure a half hour per box for maintenance per month so then you would just uh do the math um typically let's say you have three desktops and a server that need to be maintained that's around around 200 a month okay and you do all that kind of maintenance remotely we try to yeah okay so if there's an alarm that sounds and somebody gets hacked do you know it before sometimes before a business owner would know it um not necessarily not necessarily no okay no catch on that one yeah um yeah uh typically the business owner would know first yeah and just to um wind up this this um part of my questioning because i do want to get to some other people's questions here um what why do you think it's a good reason for somebody to have a managed service contract so the biggest reason is that as a business owner you are an expert in your business and that's what you like to do um that's what you're good at uh so for you to have to like change hats go into it support mode when your i.t assets go down that's a really expensive contact switch you know it's going to take you a lot longer to fix those systems your your business is going to be down for a lot longer if you have a relationship established with a managed i.t company they are the experts they're going to get stuff back up and running more quickly they're going to know the ins and outs of your entire network uh and so that's that's basically it you're you're going to be in a position to to get up and running more quickly when things go down okay so let's get the first question out of the way because i know kristen's been waiting for a while for this how often should she uh how often do you recommend changing passwords i'll i'll jump on in uh so i've been a long time advocate of not changing passwords um surprisingly and and uh do and to the point that uh many like myself in the cyber security industry have actually been able to work with uh our federal standards bodies and uh standards establishment to help them understand why changing passwords actually uh increases the likelihood of exposure and so in 2017 um the the national institute of standards and technology changed their guidance which has had ripple impacts through the cyber security industry that instead of changing passwords the strong suggestion is instead is to increase password length so when you think about past words my my recommendation to to the audience is to think about past phrases um you know things like uh you know taking the the the first the first sentence you ever said to your spouse or the first sentence that uh your child wrote in a paper something that you remember or something that an experience that you had and and making it a sentence of some form or putting in a sentence form and using that as your as your passphrase that's going to be a lot more difficult to crack than an eight character password that you change every 30 60 or 90 days and you're likely going to remember for a much longer period of time do you recommend um using the same passphrase on multiple locations in other words for different logging attempts or do you want no no by far yeah and i'll give you a very very quickly because i know we've probably got to get the mat too uh i don't want to take up all the time um but if you if this is a common attack attack form uh bad actors bad people will uh assume that people use the same password for things like their bank accounts and their uh office office computer and that's very very true they they typically do and as a result if i gain access to your office computer and game and and guess its password uh guess what i have access to your your bank account and every other system that you put that same password on so while um long passes long pass phrases are important uh also realizing that having that shared passphrase creates more risk for you as a business owner or as an individual so what i typically recommend is to get a password vault a password manager there are many that are out there in the marketplace a few that come to mind just as general recommendations are one password lastpass um there there are many that are out there commercially and what that does is it gives you a single password a long passphrase and then allows you to establish unique passwords for those websites and other systems that you you go and use on a day-over-day basis doing that is by far a less risky approach than using the same password however long using the same password across multiple systems okay thank you interesting matt let me introduce you and um let's get a few um minutes in here before um answering some other questions um what is the one thing about cyber attack insurance that you think small business owners need to pay attention to well first of all thanks for for having me and it's hard to follow those guys they're extremely intelligent when it comes to cyber security and and all that stuff that they went over the presentation this great stuff is as a small business owner myself those are the practices that i try to take in and implement so it's all great stuff when that fails um there's insurance and insurance is a great way to kind of peace of mind and and know that you you have something to back you up um an you know whether it's a an attacking or computers whether it's data compromise there are tools out there that you should know as a small business owner that you have access to um if i give everyone one piece of advice it would be you know take advantage of your insurance professional whether it's whether it's someone like myself or whoever you use currently you want to sit down and make sure you review what kind of coverage is available to you what kind of coverage you think you might have and oftentimes i'll tell you when i do a review for a business owner um you know the business owner thinks that they have a certain coverage in place and oftentimes they really don't so it's really important to stay on top of that a lot of small business owners due to costs will go with a commercial general liability policy um thinking that they have coverage for things like cyber security but um there are things that insurance policies called exclusions and that tends to you know weed out some of those coverages that we think we have so sitting down reviewing that making sure you know your options that'd be the best piece of advice i'd give anybody so what what would um what could they buy from you say and what is the cost for a small business of you know under a couple mill dollars in revenue like what would it cost them to insure themselves against a cyber attack yeah so i certainly can't speak for every company out there that that writes this type of insurance but for us specifically we have a couple different endorsements that we add as an all cart item to our business owner policy and those cover one's called data compromise one's called cyber one security um and one is really coverage um liability mitigation of you your system being attacked the other is uh what happens if you're in possession of people's social security numbers or credit cards things that that that information gets out so both those endorsements are are going to provide protection for business owners for those two things what would that run yeah yeah for us about twenty five dollars a month it's about a three hundred dollar a year uh add-on to a business owner policy so you'll have you'll have your underlying business policy that contains general liability but then to add on these endorsements approximately 25 a month that doesn't sound like a lot of money not for peace of mind no it's uh and i'll say this um i'm a big believer in it as a business owner but um you know if you're out there you're on this call and you're listening you think you know i i don't have it don't you know don't feel bad there's we run into more people that don't have it or think they might have it but ultimately don't have it than we do people that that do have the coverage so um so i'm grateful to be on the call today to help educate and let people know there are resources out there and it's it's not really an overwhelming thing to get added and make sure you have that protection okay so um uh kristen asked does cyber insurance usually cover ransomware attacks um so so i so here's what i'm trying to say and not say i'm not i'm i'm not allowed to say what because each case can be individual i can't say what is it isn't covered um malware is specifically covered here ransomware i i can't give you a direct answer on that one and again there's there's multiple different products out there mine at a from an endorsement level we specifically call out malware and not and i don't have ransomware specifically listed uh so just for my own understanding um if you have malware insurance what are you actually getting insured for what are they going to pay for so it's it's listed under a data compromise insurance but i'll be honest i mean as a insurance provider anytime i get into a specific we we bring um an adjuster into the loop so every situation is specific and it's there's so many underlying reasons why so as the other presenters talked about there's a lot of things that we can do prevention wise um and there's a lot of those boxes that have to be checked before we can say whether something is going to be covered or isn't going to be covered which is why i get the handcuffs put on to make sure in other words if a business is negligent and taking care of their data possibly the insurance is not going to cover it that's okay so in other words uh let's you know we had a car uh analogy a minute ago um if i let my car run out of oil i might not get my engine covered with my um auto insurance if i neglected to do my maintenance but your engine's never going to be covered but uh but yes i understand the analogy okay um great i'm gonna i'm gonna go back to tom for just a second and um ask some of our attendees questions here and this is comes as a clump from amanda so maybe i'll read them all and then we can go back through them one by one tom and um okay here we go you ready i'm ready okay what actually goes into getting set up with a cyber security company what did they do to help secure your business at the beginning okay so we'll come in we'll audit everything you have find out what you're doing what you're not doing and give you recommendations for industry best practices that can mean a lot of different things let's say [Music] we notice that uh you don't have nothing is password protected say on your desktops or something okay we're going to recommend go ahead and do this we'll make that we'll actually do the work and make that happen let's say you have a server and there is no firewall and it's just exposed to the public internet that's a huge you know huge risk for you so we're going to uh lock that down and you know recommend installing a firewall whatever it takes um so yeah generally it's just a process of auditing everything giving you recommendations hoping you follow through with our recommendations uh in most cases people do so does that answer your question um how do how does she know if a cyber security company is reputable and safe to work with specifically because she is hipaa compliant and she's reluctant to bring in anybody i can understand that um ed you have any advice on uh yeah yeah no so so i think you know the the key element there is um you know hipaa hipaa uh regulations talk about uh and fine organizations for breaching and exposing health information and and uh just like in retail uh credit card information very very similar approaches in structure from a regulatory standpoint the the real challenge of bringing in a service provider or a cyber a cyber security company to help is taking a look at a couple of key things just as you build trust with other uh other people within your supply chain um suppliers and partners um that you happen to have as a business owner you build that trust off of both the reputation that the company has so look to um referrals uh and references that they may be that the company may be able to provide there are third party independent uh certifications that companies can get uh and um you know that that kind of show them above and beyond in the particular industry uh for uh for hipaa um there's a an organization called high trust h-i-t-r-u-s-t they are focused on they typically are focused on large hospital environments and large insurance providers that have health care information but as a service provider you can also become high trust become a high trust provider and in doing so there are certain elements that you have to sign up for as that service provider ultimately though you as the business owner have to build up a degree of trust with that provider um so what i would also recommend is you know as tom said uh see what their methodology looks like see what their approach looks like if they're coming in specifically and and saying well we want access to that data um i would probably be reluctant to engage them but like tom mentioned it's a his methodology is a very sound methodology you know we're gonna come they come in they audit they they look at the environment um and and look at avenues where you you as a business could improve and as a result of that um you know their that and that kind of structured methodology and structured result you have to make a determination as a business owner are you willing to extend trust to that to that company and allow them to to help you with securing that data more effectively there is as much as i wish is there there was a uh you know a good housekeeping seal of approval so to speak um you know there are to some degree in terms of better business bureau uh and other other other kinds of of industry specific service provider certifications that can be obtained but those service providers typically are focused on larger larger hospitals larger providers so just be aware of that but i think ultimately as a small business owner establishing that trust with somebody is is extremely important because the alternative of not knowing having the data and not knowing that it's exposed or not knowing that there are issues actually puts your company at a greater level of risk in my opinion and apparently no matter how much insurance you buy yes her last question here is um how liable is a cyber security company if if somebody gets hacked so we carry insurance um as far as how liable uh i think that would just depend on the circumstances um what does it say in your agreements in our service level agreement so we the service level agreement um that governs our service to you and it spells out what's going to be worked on the frequency that that work is going to take place it details if there are overages it of course details the cost it details how quickly your problems are going to be addressed does it does it um address um what happens if all that fails and there is a hack we well because you have a relationship established with us um our response would fall within that service level agreement uh in terms of like how quickly we address it right but you're not liable for it i mean the question is are you liable if you've done everything that you can do and still somebody gets in the question is how liable is the cyber security company that might that i might be working with if i get hacked so legal skin in the game do you have ed i think you were going to oh no go ahead tom if you want i mean if you want to so from our perspective we're not going to view that as our uh as long as we do everything that we are supposed to do and follow industry best practices and we're confident that we've uh you know uh secured everything as it should be um we're not going to be liable for that yeah i'll give you i'll give you probably a good enough hopefully a good analogy especially if there are health care providers or or people in the medical field on the on the in the audience um just as a doctor uh or health care provider uh carries um malpractice insurance of some form or some sort of liability insurance that covers the decisions that were made by that particular provider um and and helps to ensure that if there was some level of negligence or gross negligence upon the provider's part that let's say for let's say for example a competitor to tom's company uh competitor to matt hatter uh told you that um you know having no firewall and having all of your data exposed is the right way to go obviously there's a level of gross negligence in that and they should be held extremely liable however if you use a if you use an organization that says these are the best practices this is the right approach um with the foreknowledge that that that you're likely going to get attacked you're likely going to get attacked because there is no 100 security i think that's if there's one other piece that i would offer at the end of this is that there's no 100 100 secure system um even a system that's turned off can be turned back on and somebody could break into your into your organization and turn it on so there's no so that said the best analogy that could provide is that uh that both cyber insurance that that matt can provide the services that tom tom's company and others like his can provide are meant to help you uh understand what your issues are and to help uh avoid those issues in the future if something happens along the way the level of liability that's there is likely due to the decisions that they made however that doesn't mean that that once they're you know no longer inside the picture or they're not supporting your systems every single day or not part of your employee base that they could not yeah that they are that they're liable in case let's say somebody you know i'll pick on ruth uh she's in your organization she clicks on that email and that and opens up that ransomware the company is not going to be liable for an event of that nature they had no control over ruth just as to build upon the analogy the medical analogy the providers malpractice insurance is there for the actions that they take that impact you as the patient or you as the customer if you decide to uh listen to your provider follow follow all the recommendations and then a month later you know you're out doing exactly the things that you shouldn't be doing the sermon the the doctor or the health care provider should not be held responsible and liable for the actions that you take as a as a as a patient so there's a very very fine line between where where legal liability sits and where it doesn't um that said if let's say you know tom's competitor said again go do all these bad things that are obviously bad things and you follow them and you get hacked then there's a high degree of liability i'm not a lawyer i'll put that forward i'm not a lawyer but i've been doing this for you i think we got the question answered though yeah um i want to squeeze in the last couple uh brian once wants to give you a scenario um and one of you will jump in i'm sure i found an email in my spam it says it had an account password which i've not used in years but a valid one i've used in the past they said they were going to put my picture on a porn video and spread it all over my contacts i did not open any links in the email should i be worried i have actually answered a question like that for one of my clients similar not the same but uh i i believe that there are some people people do this because it works and i believe um that there are spammers out there that just kind of blanket email addresses and whatever comes back comes back they probably don't have that information they probably don't even have a no they might not even have a picture of you um and it may not be targeted only to you it's probably targeted to targeted to thousands of people if this happened to me or one of my clients i would say i wouldn't worry about it too much and i wouldn't give them any money or whatever they're asking for okay or not that's a classic fishing uh expedition isn't it yeah very much yeah okay and um last question um and whoever wants to answer this do you know if there are tax incentives for businesses for having cyber security insurance or other protections in place and just because we're just about done here i wanted to offer and maybe matt you'd like to add to this but as long as you are paying your insurance premiums that is a tax-deductible event if you you anything to add to that i'm definitely not a cpa but that is uh that's pretty common practice it's a business expense which insurance is and you can uh you can rent that off yeah so um i i'm hoping that's enough of an answer to that question kristen we're at the top of the hour i want to thank all of our guests for being here today and that was terrific if you signed up for this webinar you're going to get anne's wonderful um pamphlet what did we call it oh you're you're muted okay we called it a packet a pamphlet you can call it a handout it's up to you but you're gonna get a bunch of links sent to you um to help you navigate through all this including contact information for matt and tom and just by way of you know finishing this off just three things that you can do that are powerful train your employees about fishing and test them put some processes into place in your business and lastly know who you're going to call when you get hacked thank you for being here thank you thanks for having me thanks everybody good day thanks bye now