Get Your Bootstrap Invoice Template for Security Streamlined

Bootstrap invoice template for Security

let's do it I just hit record that's good okay I'm gonna go ahead and kill my video so you don't have to look at me and you can focus on what we're talking about can everybody see my screen okay all right well welcome to the to the webinar today thank you guys for joining as you can see this is a Fitzy member webinar we're happy to have you here and thank you Fitzy for allowing us to to bring a little bit of education and insight to a serious topic which is bootstrapping legal I.T and insurance compliance right this is something everybody needs to understand right now um and so we'll just jump right in I'm going to go to the next slide I can meet just one moment there we go so I am Chris May I'm with Advantage technology I'm our security director all things cyber security and even physical security now and advanced camera systems and advanced Ai and machine learning tracking through those physical security systems so I'll be talking to you today about cyber compliance and how that relates into the legal sector and insurance uh and then we have uh Jennifer who can jump right in and introduce herself thanks Chris and good morning everyone Jen maisel I'm a partner at the law firm Rothwell fig based out of Washington DC um I I was a computer scientist before becoming an attorney and I have expertise in intellectual property law as well as privacy and data security a certified information privacy professional and advise clients on the whole spectrum of how to secure protect and enforce their most prized intellectual assets Brian I'll kick it off to you sure hi everybody my name is Brian Mahone I am with a company called angle handwriting Davies EHD Insurance we're a 125 year old privately owned Independent Insurance Agency uh basically do anything with Ward Insurance in it but I specialize in small business startups attacking life science Industry and what that comes the specialty knowledge of cyber liability insurance and clinical trial product liability insurance which a lot of Fitzy members are often asked for um from you know a research institution or maybe a big customer so I'll kick things over back to Christopher for some of his content all right thank you so much so first of all we're going to jump in like I said more on the the technical side the control side kind of things you need to understand um you know it honestly from a startup all the way through uh following out with the the business mission give me just one second while I'm there we are so as you can see at the top there we are a Microsoft Enterprise partner so we like to bring this information to you with the newest Knowledge from Microsoft which most people of course are using nowadays it seems to be a pretty widely used program but we're going to talk about cyber security for your business and how does this we're going to set a stage for the things you need to know that I promise you we're going to show you why you have a real need for cyber insurance and also legal Professionals for to help you with the compliance and the regulation side of it so what do we need today right what what is the plan that we should have today there's three pretty simple things I like to break it down for you you need protection detection and response right sounds pretty simple we need to protect the information the assets we need to detect problems that are happening with those assets with your people with information and then we have to have a response right we have to figure out how we're going to take action once something happens we now have to assume something will happen it's no longer the latter where we used to think well maybe it won't now we have to assume it will so how do we attack that so like I said Chris May I'm a Security Solutions director I bring this up again because there's so many Avenues to security now so many solutions that you actually need somebody to help you make sense of this it's one of the three the three things that I will tell you that you need everybody needs a good lawyer everybody needs a good insurance agent and now everybody needs a good cyber security person right it's it's critical to running your business and when I say that so what does cyber security mean for your business specifically right we have people on the phone today that are interested in what's it mean to you well look at these stats 50 of online adults which is all of us on this call about half were victims of cyber crime last year and you say well I didn't have anything stolen I you might want to think about that again Visa American Express T-Mobile just lost 4 million records recently uh so if you have a T-Mobile account when I say 4 million records 4 million a client records that had personal data in it pii as you would refer to it they expect this number by the time they run the numbers in 2023 this will go to 80 percent right this I was just with some very high level individuals in DC from csis some other government security agencies and it's this is a very serious thing um so we really have to pay attention to it now look at what this cost us as as as an economy 500 billion dollars last year that's half a trillion just in what we can figure in the global economy this number as of this was for 2021 as of 2022 the year's not over we're already over a trillion dollars that it's cost the global economy this year these are staggering numbers and most of these costs are associated with businesses right lost to the business uh loss to revenue just unbelievable amount of things here's the one that really affects all of us on the call 20 percent one in five small and medium businesses were targeted last year that's everybody on the call right pretty much so you think about that and when I say look at this word targeted I don't mean just got phishing emails randomly right just some spray to everybody I mean they literally targeted your business came after you to try to have some financial gain from your assets right that's all this is we have to remember it's a financial crime so these numbers are going to continue to go up and up this number is expected to be 50 of small and medium businesses as we move into the next year so how do we do that like how do we prevent this right we've seen the stats we know it's scary we've got to protect from the beginning and what does that look like you have to secure identities right so you have to make sure that you understand who the people are that are entering your environment and your network right you have to know these things um without the ability to without the ability to understand who's entering your systems you can't achieve any type of security right so we have to have good identity management we have to understand where our data and applications are and how we protect them that's one of the reasons that I recommend people need a good I.T advisor at minimum nowadays is you have this technology creep right you might still be running applications that have access to your your computers or your servers that you haven't used in two years you haven't used it so you forgot about it right well that's an open hole somebody can get in if it's not been patched or updated you have to understand devices are we letting client are we letting client devices or personal devices come on our networks everybody has one of these now everybody has a cell phone right so you got a little personal computer in your pocket that's connected to everybody's Wi-Fi and then how do we protect our infrastructure and most of us have hybrid environments on premise and in the cloud right so we really have to stop and think about the ways that we're protecting this data and our people so the data is is a big issue right so what type of businesses you know what type of business data do you have that's at risk right now um everybody has intellectual property right there's some type of IP in every organization or every company even if you're a sole proprietorship what about your financials being leaked out or employee information access credentials people give away passwords constantly now customer and client information the lawsuits as I'm sure Jennifer can tell you can get astronomical if you have a breach right this is why you need good legal teams to advise you ahead of time on what's going on and again when we talk about Legal Information and talk about customer and client data you you're probably going to want to have really good insurance in case you get one of these lawsuits because you've lost somebody's client data right so this is why we're tying all three of these things together today they're super critical um hold on one second the slides just seem to have Frozen on me there we go something we get asked a lot right now is what about the cloud is it safer is it not safe right since we're talking about protecting data protecting identities well the good thing is it gives you access on the go so we all have a cell phone we can get to things when we need them a lot of times cloud data you pay for What's consumed right so you don't have to go buy massive servers in your office you can process that stuff in the cloud you can actually only you can pay as you use the service and not for for hardware and software you may not need the bigger pieces I will tell you it can be much more safer in Secure data storage now a lot of things that we've seen over the years with Insider threats especially or somebody has access to a physical server in your office they can do almost anything if we put that in the cloud resource somewhere where it's protected these Big Data Centers have physical security tons of logical security and we can lock that down where nobody can actually get physical access then we can shut off all the ways in and out except one and really secure that data in a cloud environment so you'll hear a lot of things about the cloud I will tell you after doing this for 20 plus years that it is very secure now and we can do a lot of things to help you to work better faster and smarter with some Cloud resources and now we go to detection right so we know we need to protect the data protect the assets you have to recognize known threats and you also have to be aware of what risks are emerging right now that's something again where you need somebody that can help you whether it's through an internal I.T team external Consultants an external company to help you understand what is a threat in your environment right if you get something right now and you don't have an I.T or security resource to reach out to you're not going to know right the other thing is how do you know what to plan for in the future the attacks we're seeing today will not be the same attacks executed in the same way a month from now a year from now or 10 years from now it changes every day so we've got to really understand how do we detect these threats what types of softwares do we use uh what types of uh what types of training do we give our people just like we're doing now right this is an integral part of having the people that are Hands-On keyboards detect what is going on if they see an anomaly we talk about detection there's some common attacks um we have uh fishing is the biggest one it looks like this uh this slide got a little off-kilter here but you basically want to watch for suspicious email addresses um generic salutations if it just says pay person hey how you doing right nothing that's directly addressed to you anything that's alarming that's trying to set off alarm Bells right typically they're trying to figure a spear a fear response in these phishing emails they're trying to get you to take an action without thinking right you see it you say oh my gosh my Microsoft 365 password isn't going to work I need to update it now you click on that link it looks just like 365 you log it in now you've given somebody your password right and misspellings these are this will always be true if we were going to be hired to work in Spain we would be expected to speak very good Spanish probably some Catalan maybe just because it's maybe some Portuguese because of the people they work with if you've ever been there they would expect us to be able to communicate in those languages clearly it's the same thing here if you get something that's incredibly broken English that sounds like a fifth grader wrote it most likely that's probably not somebody somebody hired to reach out for their business so that's a very very key indicator too if we see something that that's not good on those phishing emails ransomware ransomware is typically the goal of fishing now they want to get into your system so they can lock you out and you don't have access to your data then you have to pay unless you have good backups and you can restore from backups but that still is a horrible undertaking what they're doing with phishing emails is they're trying to harvest your credentials your username and password they will use that username and password to gain access and then with about within 30 to probably 250 days they're going to lock everything out you have and force you to pay it is not a good thing and it is exactly what it sounds like it's probably one of the biggest threats to business right now that we see you have to also assume a breach mindset I said that a minute ago right we now have to assume that we're going to be breached you've got to protect contain and isolate these high value assets imagine if you lose access to all of your uh maybe you've got some type of patent information or some trade secret that you lose access to that you don't know maybe it's a formulary that you have no idea what it would be without this data but you're locked out so you really part of your security strategy needs to be back up your important data not only on-site but off-site somewhere in case the building burns down there's a fire there's a flood right we need that data replicated elsewhere in case there is a Cyber attack or an emergency we can restore you be aware of tech support scams these are huge right now especially in small business somebody's going to send you an email telling you their tech support they need to help you do X Y and Z somebody's going to call you send you a text message telling you something on your phone needs X Y and Z I'm from tech support problem with that is when you get on the phone with them you believe their tech support you're going to give them a lot of information to help you with a problem you may not even have so we really need to watch out for tech support scams right now and be suspicious of those cold calls and block pop-ups on your browser the ones that come up and say you've got to update this and that and buy McAfee and buy Norton and buy all these other things you really have to be careful those pop-ups and those suspicious cold calls about problems with your machine and plan ahead right you want to be prepared to detect these threats you want to have a policy right this is another thing where you sometimes you want to get really good legal advice right sit down and get compliance advice make sure your policy matches what you do make sure if you have a cyber insurance policy that the policies you have that talk about ways to recover and financial ways to recover that it includes sensible conversations with the people that will help you recover and educate your employees let them know what to look for we suggest you do an annual training with every employee you have that's something we can help you set up at no cost right this is a very low hanging fruit you can do for free but they're going to be your best line of defense because they have Hands-On keyboards every day and then the last piece is respond right you have to be prepared to stop an attack to do the proper reporting right again we keep talking about legal and compliance issues but if you have a breach of public data there's certain reporting requirements that you have to you have to fall into and my first response every time is going to be to send you to a lawyer right because at this point when you have to start reporting a breach and notify and reassure customers it's a big deal so what happens when we respond what what is what is the what do we need to look out for first of all we need to get help legal and technical help assess the damage assess any reporting obligations and you might have to contact law enforcement right so that's something you if you're prepared for this ahead of time it's much easier once something happens um and then mitigating the damage you have to respond quickly you have to notify customers and clients and you have to comply with any regulatory information you keep hearing me say that but I'm watching huge lawsuits and people even getting charged with actual crimes right like offenses that you can go to jail for for data breaches so make sure that you have all this in place to mitigate the damage and then we'll run through this lastly cloud storage is huge we can make it mobile and reliable things like Office 365 Google Drives Google Cloud Storage AWS secure your email business premium is great but there's also Advanced security features if you're just running off Office 365 that can really help and then have somebody managing your antivirus software that's a big one for me and lastly protect your assets back your data up make a plan that detects threats and reduces the risk and respond to breaches rapidly and appropriately right this is this three pretty simple things we're going to send you guys all these slides um but just try to remember that protect detect and respond and find somebody that can help you figure out how to do that we'll take questions at the end but that's my time for now hope that was valuable and I think we're going to jump to Jen if I'm not mistaken thanks Chris and appreciate the setup so on the team approach because it really is a team approach when we're talking about data security between I.T Lawyers Insurance the stakeholders of the company it's um it's really a team approach and you want to share yeah I'll switch over to my screen there we go I'm out all right jumps to the right slide all right so we're really talking about a team approach here and I put together three presentation here I'm not going to get through all the material on the slides because quite frankly it's like drinking out of a fire hose these days trying to stay on top of all the compliance obligations the new regulatory developments um but I want to give you an overview of the latest and greatest and just want to give a shout out to a couple of my colleagues at Rothwell figs privacy and data security practice so AJ Teigen and Kristen Logan who helped put these slides together and when we talk about legal there's no single data Protection Law instead what we're dealing with is a patchwork system so I'm just going to switch these screens great so we're really talking about a patchwork system of federal regulations federal and state statutes as well as state data breach laws you've probably seen a lot of news lately Chris mentioned a couple cases about you know from the Federal Trade Commission Federal Trade Commission the FTC um their their consumer focused they're in charge of enforcement when it comes to unfair or deceptive trade practices and they enforce Federal privacy and data protection laws at the federal level as well there there are a number of statutes mostly industry specific you know targeting Industries such as Financial Insurance um schools children um you know Health Care some of those industries that handle what we would consider very sensitive pii personally identifiable information like Social Security numbers credit reports health information things that can really cause a lot of damage to individuals if left out there in the open and then state law all 50 states have data breach notification laws you may have seen in the news some of the more General data protection laws for example the California consumer Privacy Act and ccpra now New York Virginia there are lots of upcoming General data protection laws and when I say data protection laws I mean a law that's not industry specific but a law that's targeting just general data management practices when it comes to pii as well as what to do in an event of a breach where there's pii and rather than the specific buckets of kind of industry specific information that we have from our federal statutes we're talking about things as potentially as simple as names email addresses things like um device identifiers any kind of information that can uniquely identify an individual so I want to give just a highlight of kind of the latest and greatest in both FTC as well as District Court enforcement actions and a couple of nuggets to take away from notes so first turning to the FTC consumer facing talking about unfair and deceptive trade practices and I filled out a couple themes from some of these recent enforcement actions that I'm going to go through now so what is this idea of personal liability as Chris mentioned we sometimes we're talking about jail time for specific individuals depending on the type of cyber crime and breach that has happened especially when you try to cover it up um a recent FTC enforcement action against Risley highlighted this idea of personal liability where Not only was the company at risk and subject to a consent order with the FTC but that consent order also applied to the CEO for his failures as part of the company's data management practices and and handling of certain security and um um incidents so you know there's this great quote from the order in the modern economy corporate Executives frequently moved from company to company not withstanding blemishes on their track record and emphasizing that this order will follow um the CEO relis even if he leaves drizzly so you know we're not just talking about corporate liability but also potentially personal liability some of these breaches failure to adequately train employees is a big one again you heard Chris talk about fishing and the check case there were four separate data breaches three of which involved phishing attacks on employees and you know when you're talking about four phishing attacks in a relatively short time period there's some training issues at play I mean you need to train your employees regularly on some of these common types of hacks and infiltration techniques that Chris had mentioned and the FTC is part of their their complaint alleged that the data breaches were the result of poor data security practice including failure to develop adequate training security policies and training and here um you know one other thing to note when it comes to pii he could be talking about pii of your customers so your outward facing customers that you're dealing with day to day as well as your employees and both types of pii can trigger these data protection laws and enforcement actions lots of failures to maintain reasonable security measures and I personally hate this word reasonable but it really is what you think it is it's you know looking at the industry and what you're what your competitors are doing if entities have a similar size and in the same industry you you have to stay up to date on the latest and greatest security measures and and take precautions and there are a number of enforcement actions that highlighted scenarios where the company did not take reasonable security measures one was failing to encrypt um sensitive data there was a database that was not encrypted that contains Social Security numbers and other sensitive information of individuals which violated industry practice of encrypting that data at rest not having multi-factor Authentication and and insecure storage of information login credentials um you know there was an incident where someone posted login credentials for a server on a public GitHub repository and in other public repositories so you know any hacker with a moderate degree of Investigation skills could find these credentials and just walk right into these systems and then failure to monitor for threats or responsive threats and and known security incidents you know one theme is if if you're aware of a breach well one you have to be monitoring for a breach and two once you become aware of our breach that starts the clock ticking for that investigation and to take action in response and then misrepresentations and breaking promises again Chris had mentioned notices and and public facing documents to Consumers if you have a privacy policy where you're saying you're doing one thing uh but behind the scenes you're doing another thing uh that can lead to liability Twitter is a great example of this um they are collecting phone numbers and email addresses of their users saying we're using this to authenticate you to our site of a fail to disclose that they're using that pii for targeted advertising and FTC issued a 150 million dollar penalty an order concerning these data collection and use practices and it's Switching gears a little bit I was talking about FTC enforcement actions you've probably also heard about some of the big class action lawsuits out there um these data breach litigations concerning tons and tons of data of consumers um Chris had also mentioned the T-Mobile case um it's the largest settlement that was announced this year at 350 million dollars as well as additional spending a boost out of security practices um ing to the complaint um they're T-Mobile failed to comply or Implement reasonable security practices that were standard in the industry um concerning their gtsn node and it allowed hackers to access more than 100 servers at T-Mobile and you know it's just another highlight here where thinking back on what what does the word reasonable mean we talk about reasonable security measures here there's a lot of attention in the complaint and the allegations on what competitors in the mobile industry were doing to protect their data and you know the complaint noted that T-Mobile had failed to implement rate limiting measures which was a standard industry protection so there is a bit of a sliding scale in terms of what exactly you're expected to do to maintain a reasonable security practices but you know one good place to look is with your competitors and entities of a similar size um the OPM data breach uh for those of you who have been in the DC and surrounding area long enough uh you may have gotten one of those notices a couple years back I know I did um in response to the OPM data breach it affected more than 21 million people was one of the largest thefts of personal data from the U.S government in history and there were there were a couple failures upon failures and data security practices involving vendors and you know just failures to adequately patch to update systems and establish the right controls to detect the breach because it did go undetected for quite some time um this this data breach ligation results in a 63 million dollar settlement so again we're seeing some very large numbers out there in terms of liability Sullivan um this is an Uber case some of you may have seen headlines about it and the whole um data breach incident and how Uber quite frankly failed to adequately respond to the speech this is another one of those cover-up stories where Uber had paid the hackers a hundred thousand dollars to not release the data um and to keep quiet about their attack and by contrast heard Chris just mentioned that in the events of a ransomware attack you know you have to assume there's a breach and enact ingly by contrast here Uber really tried to cover it up um specifically through Sullivan and instead steered steered that payment through their bug bouncy program and kind of hit it onto the rug and Jerry found um Sullivan guilty and the case is still pending so we'll see how it shakes out but again themes of personal liabilities as well as you know having measures in place for responding to security incidents and here's here's an interesting one so far we've been talking about settlements for the large part you know the FTC and some of these case OPM um but in his um there's a breach of a law firm from an organization with the catchy name the dark Overlord and this case actually went to a jury trial and interestingly enough thinking about that sliding scale and what companies are obligated to do the jury actually found for the defendant in this case finding that the that the plaintiff did not meet their burden to show that um what the what the thing what the defendant did was unreasonable under the circumstances Etc so it'll be interesting to see how people interpret this finding and what the appeal process looks like but you know I don't know maybe maybe if you have good documented practices you know had the team in place and had your policies and procedures out there you know maybe it is something to fight down the road and here's a helpful data point and just finally talking about legal risk some here's some really low fruit hanging ways to address risk one is to document and limit the scope of data collection and retention you may have heard about document retention policies document destruction policies it it quite frankly is a liability to have a lot of pii and other sensitive data sitting around that you're not using and it's important to get you know to do a roadmap and to see what personal information and sensitive data your organization is collecting and figure out hey do we actually need this and if not you know consider destroying it because it is a sitting liability implementing a comprehensive security program again talking about the team approach you need to have buy-in from management overseeing a data security program I think again about the personal liability obligations where you have CEOs and other top Executives who just quite simply failed to implement the internal policies and procedures but it's best to have that in place beforehand before you have to respond on the fly to a data breach which often happens at inconvenient times Implement industry standard basic security measures and this is something that people like Chris can help with just figuring out what do you need to do hiring competent i i t to secure your systems Outsourcing where appropriate you know maintaining reasonable control over your vendors that are handling your information you know you have to make sure you're on top of best practices when it does come time to a breach you have to be accurate in your notices and disclosures that's why you know legal legal gets involved you know we have to bless the notices you have to make sure they're accurate they're not misrepresenting information and that the correct people are notified whether it's affected customers or law enforcement and again just reiterating that team approach so with that I'll kick things off to Brian perfect can you hear me I need to see my screen here ensuring Innovation um as Jen and Chris kind of went through their presentation I have a T-Mobile data breach notice sitting on my desk I was a customer and uh I used to buy books from Chegg as well so I've been in in both of those personally but professionally I help small businesses um really Finance their risk through insurance contracts so kind of the lens of my talk will be you know this startup life cycle I found um and really the first thing that happens when an insurance person gets involved with a startup is basically they need a door right they need a place to call home they need an address they need an office space they need lab space and that's pretty basic right you might be able to get by with some sort of you know local family agent or a State Farm you know you need general liability if there's a slip and fall if you were to cause damage to your office or lab space at Fitzy they need you know their tenant uh to cover those types of things if you have employees basically you need workers comp for if they're injured anywhere in the country uh it's very State specific so Maryland's a pretty strict state and then uh maybe this concept of hired a non-toned auto liability you might be a startup and say hey we don't have company Vehicles why do we need Auto coverage well if you were to rent a vehicle but also uh someone working on your team and employees you know commuting to the office or going to the post office or going to the bank or meeting a client they're using their personal Auto there are still some some uh business Auto liability attached to that even though they're using their personal Auto um so really the the friends and family precede uh stage that's really all you're looking at is to check a box we don't really see you know any claims or or high premiums here um as you move on to you know your first big Capital injection whether you know that's some sort of seed round series A or B um maybe your board of directors is growing that's where you know uh you want to make sure you're working with someone who understands to Tech and life science Industry and the insurance carriers that play in that space uh the you know uh the first thing you might happen that's pretty basic is is property insurance right maybe you have computers and equipment and inventory and um stock or or prototypes you know you physically need to protect that that business personal property you might not own a building you're still renting but you still have you know contents that needs covered um directors and officers insurance is a huge thing that comes into play a lot of um investors or new board members would be weary to join a startup if there's not a policy in place and uh Jen kind of alluded to this that that that yeah these directors and officers can be personally liable um outside of the company so yeah the easiest way to think of dno is you know their side a side B inside C coverage so um basically it's you know for the company on its own the company and the dnos if they're named in a suit together and then just the dnos of just the dnos are named uh and another um big issue with life science biotech startups in particular that that might work if Fitzy is uh you're doing something unique uh doing maybe clinical trials uh some sort of medical device and you're inputting something foreign into the human body for the first time you know you're doing a phase one clinical trial all right you're getting out of animal testing uh there's the concept of clinical trial product liability what if that harms someone um you might think of you know this is kind of a big pharmaceutical company problem but really these these coverages and these policies grow with the company as the various phases of their clinical trials progress um so you know these policies are DNL and product liability are going to be two of the biggest expenses uh as startups kind of get growing um sticking with kind of our theme of of cyber and you know October with cyber security awareness month we had kind of had to push to uh November but oftentimes you know if if there is proprietary data that that has been breached uh hopefully a cyber insurance policy is in place because it's going to be a nightmare if you don't have it in place and really the way it works is it's it's designed for consumers of Technology there's another coverage for providers of Technology uh called technology errors and Emissions which you include some cyber coverage in there but basically it's it's a panic button um it's it's a there's you have a policy in place it's a 1-800 365-247 incident response hotline hey something's going on I'm not sure what it is that phone uh number is manned by a law firm someone like Jennifer uh who understands Privacy Law and they kind of act as a data breach response coach and quarterback breach response efforts so they get in you know I T forensics think of you know the most expensive attorney in the world's hourly rate times three I mean he's I.T forensics guys are extremely expensive and in high demand and they figure out you know what happened uh what kind of data was stolen how the bad guys got in uh legal analyzes the it forensics report and kind of matches that against various laws to figure out do we need to notify those affected legally um you might have hundreds or thousands of customers and only a few employees how are you going to notify them well you have notification service providers that come in uh to do those types of things it's then you know these nice little letters out um at the same time you don't want to end up in the local news right so you might have to hire public relations firm to kind of smooth things over with with your current customers and future customers uh all this you know mess is happening all while you probably aren't generating any Revenue right you know you can't you know log in you can't send an invoice uh you know like for an insurance agency we have an agency management system it has all of our clients information and the way we interact with them hospital has a patient management system so if you have some sort of software you rely on you can't access your sitting dock right well you still have to pay your taxes and your overhead and your insurance um cyber Insurance can cover your business Interruption loss due to a data breach so it's a very Dynamic product um and oftentimes you know startups aren't really asked for it right away but you better bet once you land a big contract with maybe a research a hospital or at University or or a big customer they might require you to carry some um it's not something I focus on here at EHD and there's also uh I kind of call this the currency of doing business a certificate of liability right this is how you prove you're covered and you might be submitting a bid for a new um client or contract and you have to prove uh to either your landlord maybe Fitzy or maybe a customer that you have coverage and it's done in a very specific way in the insurance industry your agent or broker will create a certificate of insurance and proving that you have what you have and compare that to what they want and kind of negotiate and compare and contrast so I've seen a lot of the times where you know John Hopkins or or uh you know Johnson Johnson these startups are are working with these huge entities and and often they honestly get bullied when it comes to insurance requirements and it doesn't make sense for you know less than you know million dollar Revenue fitsy startup to uh carry you know 10 million dollars worth of cyber coverage or on the 10 million dollar umbrella um so if you do have you know that team in place of legal I.T or Insurance um they'll be able to help you kind of push back on this and and save you a lot of headache and money um I'll open up the mics here uh for any questions we might have and I have a couple questions for Jen and Chris as well um but I I have my own kind of website where I just post content and videos and really our industry gets a definitely a bad rap nobody likes insurance they all hate insurance it's too expensive they're never going to use it all those great things um but kind of a framework of trying to understand you know is what I have good is the is the way I'm going about it a good way I mean you've all heard of you know business The Business Bureau BBB uh Bare Bones an agent uh is is a an insurance person that's that's uh kind of held captive to an insurance carrier like State Farm agent sell State Farm and they can't really offer you anything else a broker or an independent agent works with you know dozens of carriers and kind of compare and contrast and and recommend different solutions and pricing uh so we have an alphabet soup in our industry cpcu cic those things are all well and good um some of the more advanced things I'd look out for is is yeah what are you getting besides the policy are you getting you know advice on contracts or any risk control claims services those types of things um you know is your is your solution in place now still faxing you things or mailing you things you know startups need to move quick e-sign online payment e-delivery portals video quotes all those things are great and then industry specific knowledge right Specialists are always better to work with than generalists and really that's true in you know anything you hire uh even you know personal contractors at your home uh so someone that can understand uh Tech and life science and and kind of work with the appropriate Underwriters and carriers to you know negotiate those contracts so I'll open up the mics here I just have the the three of us up here um there was kind of throughout the presentation a lot of talks of these big companies right Uber and Chegg and and there's this myth out there that yeah we'll we'll you know these data breaches these these cyber issues are aren't aren't my problem I'm little old me you know three-person startup and Frederick Maryland why would anybody want my information uh I'm curious if if Chris you could kind of talk on that and Jen maybe chime in on um that myth out there that you know this is really a small business issue not a corporate America issue absolutely um so we're just for the information we were on the call we're a full service I.T and cyber security firm we're the largest one in West Virginia we also have offices of course in Maryland Frederick but we get referred clients all the time in in from businesses with literally two employees up to 40 employees from other smaller I.T companies that have had a breach and don't know what to do they weren't prepared they don't know how to handle it um anything from so this week I've had three different uh clients have a problems because that originated with business email compromise right basically they answered a phishing link they gave somebody their passwords and one of them has 12 employees and one of their accounts sent out 600 emails to every customer they have in their contacts right imagine that 600 emails that had links in them to actual malware and some of those people opened that malware caused them issues you can see where this is going to go so and like I said that was a small company um what we've seen and and Brian brought that up we traditionally saw the attacks on larger targets for years because they had the most money there was the most to gain well that trend has changed while they still attack them that's a much harder ask right so they've done is shifted the focus to the people that are at least protected this is just a financial crime I promise you if you have a bank account you are a Target that's what I've been telling people there they don't really care about your data as much as how they use that data and how they monetize it right either get you to pay for it or sell it to somebody else so the fact that you have a bank account especially as a small business they look at you as an easier Target because you have less protections um and it's just that's where we've seen the biggest increase honestly I used to see most of the security breaches and ransomwares of companies of about 7 500 people and up and recently in the last in the last probably two years especially since covet it's went the other direction so it's a huge concern for everybody on here the the good news is though you don't have to spend the money the Enterprise that Enterprise spends right we can do some things very low hanging fruit right and now a lot of these security products are per user or per seat or per computer so it's very relative we can with somebody with five computers and five people we can give you the same security we can give to Enterprise just at a much scaled down version and price point so it's definitely a huge concern right now I'll jump in on that I I fully agree with everything Chris just said and it's really about the target sometimes the smaller companies really or the vulnerable Target in in the whole ecosystem and I advise clients all the time on matters where you know maybe it's a three or four person startup they have a really Innovative products they're partnering with a much larger firm or customer who sends over their form paperwork and you know you have to sign away your life and and all sorts of other things your wraps and warranties about your data security practices the checklist you know all those representations that you have to make in order to do business and that gets a lot of companies in trouble and um the OPM data breach I think was a good example of this where the breach originated through a contractor a government contractor and infiltrated through the system so you know we're really not just talking about large Enterprises you know those are those tend to be the ones that get the big dollar amounts but a lot of times these breaches originate with you know the smaller companies that people may think are easier targets so cyber security is for everyone it is what and I'll follow up real quick to that too something a lot of people don't think about and she just said it a lot of these breaches are through third parties now right somebody you're connected to most Hospital breaches don't come through the hospital they come through somebody they're connected to that has access into their system the same goes for your I.T and security provider if you're using somebody or plan to use somebody for that find out what their security practices are right do they have the right certifications to do it well we're one of the few companies I know of our size in in this space that has a sock 2 certification which is an attestation that tells you that we do everything securely that we lock our data down that we are safe make sure you ask for these things now if you're going to do business with people that are you're directly tied into their their systems and their communication stream because they can can bring a nightmare down on you as Jen said I have seen it more times than I'd care to count lately yeah we're seeing a trend too uh just like having your financials audited by you know accounting firm and stamped off on uh the sock 2 type 2 reports is is really uh next in line for to be pretty mainstream um and that's yeah what Chris said just a report you pay for from an outside uh accounting or I.T company to basically verify that you have the it controls in place that you say you do um I did have one other question you know if you maybe we all take a different spin on this but if you were a startup right and you only had I don't know ten thousand dollars a thousand dollars and there was you know one process or one product or one um you know service you would Implement you know in legal or ITN insurance which what would it be I mean whether it was the way to get to your provider or specific thing that maybe your outsourced provider should be doing like um not a one-size-fits all but something I'll have maybe the most impact say your six employees or less sure yeah we see this every day we get calls for startups that ask us to come in and build a ground up solution right so one of the first things I tell people and I mentioned earlier is a lot of times there's not a need to invest in a server in your office right now right so let's find a way to easily share information securely share information documents and store those Microsoft 365 we can use anything in the world we're a big IT company it's what we choose to use because it's that low hanging fruit you don't have to keep an email server on site we can secure it it's available right it's a big enough product that we know how to keep it safe and it communicates well we can put other security layers to lock it down you're talking for licenses of about twelve dollars and fifty cents a month per user you can get full email that's secure you can get one drives so we can have good cloud storage for you a terabyte for each user where you can securely store those documents so they're safe they're not just on a desktop if the computer dies you still have them it also includes a SharePoint which become comes a really good place to share your resources with other people that we can lock down really well instead of just emailing them back and forth we can give you sites in there and then all the word Microsoft Office applications come with it as well you can build a really tight little package around email document sharing document storage for literally twelve dollars and fifty cents a month a user and it's always updated it's always secured you never have to patch it it does its thing that is usually where we start that and a good firewall at your main location those two things you need a good firewall no matter how big or small you are that is your front door your alarm system your gatekeeper to the internet yeah I think that's great I mean you don't have to reinvent the wheel right you can rely on third-party services that that have been tested and proven keep yourself for up to date for the liability perspective you know prevention is the best medicine I think and I I always reiterate data minimization you know having a document destruction plan you know when you're in the early stages you know just keep what you need and I I know that can be hard to figure out right away but just have a good understanding in terms of what what data you have and you know try to limit your exposure yeah I would agree um on my end if I had to pick one thing for every yeah small business owner Fitzy startup to do a lot of people don't really understand how Insurance works and you know maybe that's all purpose or maybe they have a bad agent or what I don't know why um but you get to pick two things as a business right you get to pick the carrier and you get to pick the agent or the broker and just like you'd shop for a car you know online or out of dealerships um you want to do it in two specific ways I mean we often talk about a thing called a broker selection process that um really only large companies treat it this way and they don't even talk about insurance coverages or premiums or any of that stuff they go around and they almost like they're hiring a candidate an interview you know various agencies on their Specialties and capabilities and all those things and then from there um that's how they get through to the carrier and sometimes we have clients where you know they want to shop every carrier every single year and really they shoot themselves in the foot um you know these Underwriters uh take notes they know you know which businesses come with which agent every single year and they know you know there's no loyalty and they just kind of automatic decline you know it's kind of like an HR Director uh with 500 resumes on their desks same thing is true with Underwriters you know you want to strategically um you know shop every few years and with a what we refer to as the top of the stack submission with you know complete data not last minute ahead of time proactive and go beyond you know boring insurance applications because these Underwriters are humans even though they seem like robots and and tell a story so sometimes we put together what we call like a co-sign Narrative of you know here's our company here's where we've been and our history and here's what we're struggling with what we're doing now and here's where we want to be in the future and kind of paint that picture um so business owners never almost never do that um big companies to kind of take that approach but um we have I think two or three more minutes uh Andrew or yeah do you have any any questions that maybe you're seeing day to day at Fitzy that you think maybe this group of folks would be able to touch on before we go I don't personally um it's got a lot of wheels turning in my head not only for our startups but for Fitzy itself yeah um which is interesting but I think a large not necessarily anyone on this meeting but a large portion of people probably don't think about this stuff especially at the early stage that's probably not a concern to them until you know something happens so I I want to thank you guys for doing this because I think it's extremely valuable information that we can then you know disseminate in the future well one of the biggest things you can do is just to have this resource right I mean to the people on the call or to the people that may come through Fitzy in the future that aren't on the call today I think the three of us can tell you you know we're here to help most of my life is is giving advice right and it may not be always advice that that that you know leads to a direct sale with us but that's not really what we're looking for at the end of the day my goal is to secure businesses better because it makes my job easier right at the end of the day I'm a security guy and and you have a lawyer and an agent representative here and our job is to honestly to help assess risk and to mitigate risk at the end of the day and startups that's a big thing right I've started my own companies um you guys are in a risky position as it is and so if we can help you to eliminate some of that risk and honestly I'll I'll tell you right now I believe after doing this for this many years that security is the big cyber security is the biggest threat to business we face today your whole entire operation is forward-facing to the internet pretty much so it's it's basically like leaving your front door sitting in Times Square where anybody can walk in 24 7. what's going to happen if that door is not locked well right that's a really easy way to picture it in your mind so um definitely I know for me use us as a resource I can do complementary cyber security training for your organization I know you know I'm sure you know Jen and Brian are on here for the same reason if you need advice from us just reach out I mean it's simple email sometimes can save you a nightmare in the end I I fully agree and just to add on to that I could probably speak for you know all three of us on this point we'd much rather have the conversation with you now before there's an incident before there's an issue um it this is really one of those areas where it's best to be proactive and I say that as a litigator someone that loves being in court but really we don't want to meet you when you've already had a data breach you want to set up this Protections in advance absolutely perfect well thanks guys I appreciate it yeah um Andrew I'll get over the recording and slides and everything to you and if any questions come up you know where to reach us awesome thank you guys so much thank you everybody enjoy the day thanks guys