Jessica Robinson (00:00):
Data security is something that is only going to become more intense and more focused in the United States over the next 10 years. And so for business owners to really start to have an understanding of their data is really important. The onus is on you as the business owner to know, so do you have people that are, I would call partners that you can trust that you can go to, to even ask questions and that you could stay up to date from their emails and from their newsletter about what's going on?
Susan Boles (00:35):
How many of your passwords are the same? How many people have you shared those passwords with? How secure is the data you hold? And what do you do if your company has a cybersecurity breach? I'm Susan Boles, and you're listening to Break the Ceiling, the show where we break down unconventional strategies you can use to save time, boost profit and increase your operational capacity. This month I'm talking about privacy and security, and those are actually two different aspects of overall cybersecurity. I really love the definition of these two from the Fathom Analytics blog about the difference between digital privacy and online security, and I'll link to it in the show notes. But it says digital privacy protects our personal information and data so that it's not unnecessarily exposed. So protecting information before it's known. And online security protects and secures our personal information and data when it needs to be exposed, or making sure that when the personal info needs to be known, it's done as safely as possible.
Susan Boles (01:35):
Last week, I talked to Paul Jarvis, the author of that blog post and co-founder of Fathom, which is a privacy-focused analytics company. And we talked a lot about digital privacy and how to only collect information that does really need to be known. This week I want to talk about the other side of the coin, security. And my guest today is an outsourced chief information security officer and CEO of PurePoint International. Jessica Robinson is an expert in data security, cyber risk, and privacy. PurePoint International provides cybersecurity consulting and training for financial services, insurance, and other middle-market global companies with a hundred million to 500 million in revenue. Jessica and I talk about where the cybersecurity risks might live in your business. We talk about how to assess the risk of a data breach in your own business and what steps to take to shore up the security of your business and keep both you and your clients' information safe. Hey Jessica, thanks for being here.
Jessica Robinson (02:37):
Hi, Susan. It's an honor to be here. Thank you for having me.
Susan Boles (02:40):
I'm really excited for this conversation. So can you give me a quick overview of the kind of work that you do? It's a little unusual for guests on the podcast. So I want to get you to give people kind of an overview in your own words.
Jessica Robinson (02:55):
Yeah. I am a cybersecurity leader with a different approach and I'm CEO of PurePoint International. We're a cybersecurity company that works with CEOs and C-level leaders to help them protect the money that they make and help them better protect the data that they're entrusted to carry, care for and support with their clients. And so the work we do is anywhere from supporting organizations and building and maturing cybersecurity programs, to helping them with training, meaning employee awareness training, and incident response. So when there's an actual breach within the business coming in and supporting them with that particular incident. We're not right for everyone with the work that we do and how we work, but the clients we work with see significant results in a short period of time. And we've worked with companies from pre-startup, pre-revenue all the way up to 350 million in total revenue.
Susan Boles (03:55):
So, a big range.
Jessica Robinson (03:57):
Yes. It is a big range. A lot of it just depends on what it is we're doing with them. Not everything is going to be for everyone, and all of it also depends on the industry as well. Some have more employees than others, depending on the type of business they have, but also what their revenue stream is, in terms of how they're bringing in revenue for the business.
Susan Boles (04:18):
I know with a lot of kind of internet-style businesses, there are some security requirements, PCI compliance, that kind of thing. Is that in your wheelhouse or not so much?
Jessica Robinson (04:35):
It is something that I have focused on in the past. So it was something that was a big deal back in particularly 2014 to 2016 when there were compliance updates that were taking place around this. So it was a big deal when we started to have the chip and PIN put into our cards, and it was something that was becoming more ubiquitous within the United States anyways. However, in recent years we haven't done much work in that area. It hasn't been something that we've been asked to do or work that our clients have specifically needed. Nonetheless, it is extremely important, and there are a number of organizations and security companies that do that type of work.
Susan Boles (05:17):
Yeah. I worked with a few that were going through that PCI process of moving over into being compliant. And it was just really unpleasant.
Jessica Robinson (05:29):
Yes. So I think anytime you're going through a process where you have to work towards compliance, it is extremely unpleasant, and it's really frustrating. What I tell my clients when we're working towards that, and I've helped clients, insurance companies and financial services companies, think about compliance to ISO, which is the International Standards Organization, they have a cybersecurity compliance area or information security. And so I work with companies in helping them to achieve compliance there. I've also worked with an organization helping them to achieve compliance with the New York cybersecurity regulation in line with the Department of Financial Services. It's always a challenge, and my clients, I just kind of remind them that's going to be a tough road, there are going to be times where there are going to be tough conversations. People are going to continue to ask questions around why we have to do something, whether it's someone that's on the technical teams, or maybe someone who's part of the larger business team. But once we get through to the other side and it's complete, it will feel so good. The journey will have been worth it.
Susan Boles (06:39):
I think for many, maybe even most small business owners, we have a long list of things to do. If I had to guess, just based off of my own experience and the experience of my clients, worrying about data security, data privacy, it's not very high on that list of things to do. But why should it be? Why should cybersecurity or privacy issues be a priority for business owners?
Jessica Robinson (07:06):
Yeah. So that mindset, that thinking of, it's not top of mind in the way maybe other things are for businesses. And I totally get that because, as a business owner, I can definitely understand that, particularly in the year that we've had in 2020, really focusing on sales and marketing is really kind of probably the top priority for a lot of companies. But at the end of the day we are in this new decade, we are officially in 2021. And it doesn't matter if you are a solopreneur, or if you're an executive in a large business. Not thinking about security and privacy in your business is something that will impede you from having a successful long-term business.
Jessica Robinson (07:53):
If you aren't clear in your business about what data you're taking in from your clients, and which data is more sensitive than others, and even from a regulatory standpoint, if you're required to protect that information from a privacy or security perspective, then you're already behind the ball. And in the past five years, we've seen so much regulation in the United States alone, let alone around the world, that odds are, business owners need to comply with some regulation and they just don't know what it is. And not only that, because there have been so many breaches and because there are so many different ways that an organization can be vulnerable and can be impacted, and their data can be impacted right now, particularly if you are a B2B business, if you're a small business that wants to work with a larger business, you're going to be required to make it through their vendor risk process.
Jessica Robinson (08:50):
At this point, we've worked with companies that have six employees, we've worked with companies with one employee. And in order for them to be able to get through the vendor risk process, they have to be able to show that they're doing something related to security. That if that organization gives them their information, they can say that they're going to be secure, and that they're protecting that data according to whatever standard that they've set. And so it's just, the world is continuing to change very fast, technology is continuing to change very fast, and people who don't stay up with the change will be left behind. It'll be something that may not seem like it will happen right away, but for sure over time, whether it's a couple years or five years or seven years, if a company is not doing this, and really focusing on how security is relating to their own business objectives, it's hard for me to see how that business is going to be able to make it in the long term.
Susan Boles (09:52):
Yeah, I completely agree. I think security, privacy, being more cognizant of the regulations and the requirements, there's a lot of overlap to how business owners approach that and how they approach their finances. And oftentimes it's easier to prioritize other things that seem more interesting or more important, like sales and marketing, and that stuff's sexy and fun. But I think data and security are critical and you don't realize how critical until something goes wrong, and then it does become an emergency. It's not urgent until it's an emergency.
Jessica Robinson (10:36):
Yeah. I mean, that's it. And it's easy to kind of shy away from it because it's one of those things where people really feel uncomfortable with it. Talking about security or talking about something technical, it's kind of like, "I don't really want to go there." For a lot of people I'm sure you could probably relate to this with finances. It's one of those things where you know, you need to focus on it, but I don't know if I always want to dive deep into it the way that I should. And so it's one of those things where it absolutely has to happen. What we've seen in larger companies is our CEOs being held accountable as well as boards being held accountable for not focusing on security enough.
Jessica Robinson (11:16):
And whether it's the FTC, SEC coming in and leveraging fines against these organizations, whatever that happens to be, what we've seen even in the state of New York is a law that was passed called the Shield Act. This went into effect in March of last year, so March of 2020. And many people don't realize it. Even if you have one employee, and you collect personal information on that individual, you are required to have a data security program that is appropriate to the organization and the type of data that you collect. So this is important because if you have any type of breach, then you could be investigated in regards to why you have not been compliant with this act. And so this is changing so quickly for organizations that many don't even realize how fast this is occurring.
Susan Boles (12:11):
Interesting. I didn't know about that. So one of the pieces of software that I recommend for a lot of people's backend is a software called Gusto. And I normally pitch it, it's easy and employees can self-onboard. You email them, and they onboard themselves and fill in all of their information, it's masked. You don't see their bank account information, you don't see their social security information. They fill out the information, it's compliant, but you as the employer won't see it. And I never really thought about it that there were other regulations that require you to keep that information secure.
Susan Boles (12:52):
What's your take on the... To me, that's just I'm offloading my responsibility onto a company that has much bigger resources than I do, to protect people's information, as long as I don't see it, and I don't have paper. I'm not writing anything down on paper, it's a more secure system. But talk to me a little bit about how you feel about the kind of cloud-based move. A lot of old school folks are still keeping their own servers and keeping paper copies because they feel it's more secure and they can't be hacked. But talk to me a little bit about your perspective there.
Jessica Robinson (13:29):
Yeah. I think that a lot of it depends on the company, it depends on the type of data they're collecting, and it depends on how the business operates. I think that both work, if you have servers on premise, or if you're using cloud. Cloud without a doubt, I think definitely has some great advantages of ensuring that there's redundancy of data. You can have a server go down, and even if it's down for a couple of hours, and not have access to that, and even if there's a backup server in the same storage room, the challenge is if something happened to the electricity in that building, or if something happened to that particular room, then it could just be difficult to access data. However, when something's in the cloud, redundancy is a lot easier, meaning your backups are most likely going to be more available to you much quicker than otherwise.
Jessica Robinson (14:22):
There are so many different reasons though, why an organization would want to go through their own assessment to really find out which is best for them. But I think that in, let's say, this particular case with this particular application that you mentioned, for a small business to say, okay, we're going to collect the employee information, but we're going to use this particular app, they may be thinking, okay, I'm not looking at this information, that's going to be stored in this third-party application. So that means that third party is going to take on the risk of holding all of this employee information. And in one instance or one viewpoint of that is, yes, that is true. So there's no doubt that that company, Gusto, is going to have to ensure that they're doing everything they can to ensure that they're abiding by all regulations and all compliance areas that they're going to have to, in order to do that.
Jessica Robinson (15:12):
But that does not necessarily release the expectation that is also on that business owner. That business owner also has to ensure that that company is doing everything that they're saying they're going to do. One area that could pose a challenge, and where we see a lot of times with businesses, is their password to that application isn't strong enough, or they haven't enabled multifactor authentication, something like that, that could allow an attacker to log in using that small business owner's credentials, and still somehow, even if it's not a lot of information in regards to that employee, because it's not available to that particular person, but just getting any information or just having that breach take place at all, that could be a major concern.
Jessica Robinson (16:04):
The only way, if anyone is looking or thinking about how to transfer cyber risk, is to have cybersecurity insurance. But even then you can transfer the risk, but what insurance companies are making very clear is that you still in all cases own that risk. You have to take it on, you can't take on data and not protect that data, and then just get an insurance policy for it. That's not going to work either. And so there are certain expectations that companies have to have nowadays just to even get cybersecurity insurance. So at the end of the day, a lot of the responsibility will still always continue to rest with that business owner.
Susan Boles (16:43):
Interesting. So we still have a responsibility to research the companies that we do business with, if we're expecting them to be taking on a big bulk of the protection of the data that we're working with and still really be thinking about potential breaches and opportunities and where the weakest link is.
Jessica Robinson (17:05):
Absolutely. Now, as a small business owner, particularly if you're a solopreneur, a 5-10 person business. Odds are, if you're working with Amazon or Microsoft directly, you're not going to ask them to complete a vendor risk questionnaire. But if you happen to be big enough where maybe you have 20 or 30 people, and you do happen to be using a third party that you've hired, but you're just using cloud services that they offer, having that third party complete some sort of vendor questionnaire that states what their security processes are and that they are doing everything that they can to protect your business, is something that would be recommended.
Jessica Robinson (17:43):
Because at the end of the day, as I mentioned before, this is part of the challenge with small businesses, that if they want to work with larger businesses, the expectation is also on them to complete a vendor risk questionnaire. And so I think part of this mindset that small business owners have to adopt is that at some point, yes, they can complete all of these questionnaires for their ideal client, hoping that they get through their vendor process and can secure that relationship. But they also have to start getting to a point where they're looking at their own risk and starting to ask their own vendors questions, and start providing a vendor risk cybersecurity questionnaire to them.
Susan Boles (18:19):
Interesting. Hey there, it's Susan. If you've been listening to this interview and it's making you think about some of these issues and ideas, and you wish you could talk to some other real live business owners about it, I wanted to invite you to my free monthly round table, Dollars and Decisions. Once a month, I get together live with a group of amazing business owners, just like you, to geek out on money and operations and workflow and software, all that stuff that you hear me talk about here. The round table is kind of like a live interactive version of the podcast. So I would love to have you join me. To sign up for the next round table, head to scalespark.co/dollarsanddecisions, no spaces, no hyphens, or you can just click the link in the show notes. Hope to see you there. What are kind of the few top areas, quick wins, something that small business owners should be thinking about or paying attention to, in their business when it comes to privacy or security? And where do you see the biggest opportunity for most folks?
Jessica Robinson (19:26):
Yes. First I'll just say, since we've been talking about vendor risk, I think we've covered a lot in that area so far, but that should definitely be top of mind. And that is something actually that the SolarWinds attack that took place in December, that was indeed through the supply chain, meaning that this particular product from SolarWinds called the Orion app is something that 450, I believe, of the Forbes 500 companies use, as well as multiple government agencies, including the Department of Energy, the Department of Defense, Department of Homeland Security and several others. And the fact that this one app was breached, that attack allowed escalation for the attacker in this particular app to then possibly make their way to any of these other organizations, and to be able to then escalate their own privileges within each one of these organizations, if they would have chosen to do that. It seems like maybe the government was maybe the main focus here.
Jessica Robinson (20:31):
So definitely we know for sure that company and the government organizations were impacted, and security companies were impacted, but this is a big deal. And so vendor risk, when you have a large IT company that has something like that happen, and that's from a nation state, one thing smaller companies should also be thinking about is, how could this impact me? And so even if a small company downloaded a trial version of that app, just to check it out, that's something that they should be thinking about. And so there are vulnerabilities all around from places we don't always even think about. So vendor risk is one of those things that absolutely has to be a focus for small businesses.
Jessica Robinson (21:16):
The other thing that I would say is data security. So in thinking about data security, first it's just having an understanding of what type of data you have. Like through the course of your business, what type of data are you collecting? And is it considered personally identifiable information? Meaning, is it information where a person can be defined or identified by that information? And if it is, we definitely do want to ensure that information is secure in the right way. Is it a little information or is it a lot of information? And if it's a lot of information, it's important to think about in the long term how that data is stored and how it's protected. Even something as small as how you're taking in email addresses is a really big deal.
Jessica Robinson (22:00):
If you're an organization that has any European residents as part of your email list, that's something for you to know. Now that can be really hard to know. But on the other hand, you should probably also know, though, if you're targeting anyone in Europe, or if you're targeting companies in Europe. And it would also be important to know that European residents have privacy protection under the General Data Protection Regulation. It includes all of their data, including their email addresses. And so this has been a big thing from a marketing perspective, but data security is something that is only going to become more intense and more focused in the United States over the next 10 years. And so for business owners to really start to have an understanding of their data is really important.
Jessica Robinson (22:51):
Then I would say from a third standpoint, it's really thinking about what I would call authentication hygiene. So authentication hygiene would be thinking about your passwords. You know, how are your passwords? How long are they? Are you using passwords or reusing them multiple times in different areas? Are you ensuring that any passwords that you're using for work are only used for work and only for one application? Your email password is one thing, and maybe if you have a software that you log into, let's just even say something like Gusto or ADP, those have completely separate passwords. Also, are they alphanumeric, and are they at least eight or 12 characters in length?
Jessica Robinson (23:36):
Are you using a password manager? That's all really important. And then I would say the next thing about authentication hygiene is using two-factor or multifactor authentication. So ensuring that you have some sort of way to validate that you are the person that is logging in, that it's not someone else who could just be entering your password. So a lot of times what this can look like is, you putting in some sort of a code, a token or something like that gets sent to your phone, or maybe you have an RSA token, whatever that happens to look like. But something that only you can have, that will be a second authenticator in addition to your password.
Susan Boles (24:18):
No, those are all really good. So I think we're talking a lot about how this stuff changes, and how we need to be aware of what's going on, as business owners, with new regulations or new breaches, any of that stuff. Are there any recommendations that you have about how we kind of keep up to date on all of this? It's hard to kind of track the movement. So are there a few sources, or how do you recommend people stay up to date here?
Jessica Robinson (24:57):
Yeah. I would say, find a couple of trusted sources in the area of cybersecurity and get on their email list and follow them. So for example, you can come to my website at www.the-purepoint.com, P-U-R-E-P-O-I-N-T, and you can sign up for a newsletter. And just continue to stay up to date with the information that's being provided to you. There's no way that you're going to know everything about what's going on, but having a couple of different resources, maybe if there's another organization that you're aware of, or even if you have a subscription to the New York Times or to the Washington Post, make a point that if you see articles in there that relate to cybersecurity or privacy, you take the time to read them. Because what's happening is changing very quickly, and gone really are the days where even a solopreneur says, I didn't know that.
Jessica Robinson (25:53):
Because just to run a business nowadays, there are certain things you have to know. It's like when you decide to state what type of business you're going to have, is it going to be an S-corp? Is it going to be a C-corp? Is it going to be an LLC, an LLP? It's kind of like gone are the days where you're running a business without incorporating it the right way, or not fully understanding all the liability that comes with that. And so it's the same thing with security. So the onus is on you as the business owner to know. So do you have people that I would call partners that you can trust, that you can go to, to even ask questions? And that you could stay up to date from their emails and from their newsletter about what's going on?
Susan Boles (26:42):
Perfect. So is there anything you think we should talk about that we haven't touched on yet?
Jessica Robinson (26:48):
Let's see. We've talked about the SolarWinds attack, talked a bit about privacy and talked about the General Data Protection Regulation and the Shield Act. I think we're good. I think this has actually been a good focus on a wide variety of areas that are critical for business owners to ensure that they're kept up to date with, and that they're continuing to focus on throughout the time they're continuing to grow their business.
Susan Boles (27:15):
I have one more that you may or may not have an opinion on, but I've been following the last year, that is just super intriguing me, and that's TikTok. Trump wanted to ban TikTok for data security issues. And I'm curious, they ended up banning him first, which was kind of delightful. But talk to me a little bit about the real privacy concerns here. Is it actually anything more than Facebook, Google, Amazon? The big ones are tracking on us. And is this something to be concerned about or not so much?
Jessica Robinson (27:54):
Well, I think with TikTok being a company based out of China and China being a communist country, the companies there do bow down to the government. Is there a concern that TikTok could hand information over about a US citizen to the Chinese government? Yes. However, is there evidence that this has occurred as of right now, from the assessments that I believe are carried out by the US government? There hasn't been any evidence to really support that this is the case. I think it makes it somewhat challenging for the government or for Trump to completely say that TikTok is banned. At the end of the day, TikTok over the past year has been a way, like a lot of other social media platforms, for people to connect with each other.
Jessica Robinson (28:50):
It's been in some cases, a source for healing for people, a source of expression for people. If there was actual evidence that the government could support, and maybe there is, maybe it's classified and they're just not providing that information publicly. But I also think if that was the case, then it would have already been banned by now. But since they can't seem to provide evidence that TikTok is providing information to the Chinese government about US citizens, then as of right now, I think it's just status quo, where you just continue to use the app, the way that it is. Yes, continue to put any restrictions in place to even ensure that there are checks and balances, the way that's taking place now. I think that's fine. I think that even when we-
Susan Boles (29:42):
[inaudible 00:29:42] take my stupid dancing videos away from me [crosstalk 00:29:45].
Jessica Robinson (29:44):
Exactly. [inaudible 00:29:46]. This is also the conversation with Huawei and the question around 5G, and not wanting that company to come into the United States and start focusing on implementing 5G, and many other countries around Europe and other countries around the world have had the same conversations. And so the fact that Huawei could be collecting so much information just from a communication standpoint, phone calls, information, emails, anything that would be transferred through communication lines, that they can have an extreme amount of information on US citizens. I think that there's always a lot to be said and a lot of fears to be said, the fact that we are in 2021, I do think it's very real to say that the next war, and people would say we're already fighting it.
Jessica Robinson (30:40):
It is a cyber war. It's not going to necessarily be a hot war or a cold war, it'll be a cyber war. But there needs to be evidence to also be able to back us up and fully prove it. And as of right now, I think the decision on Huawei has been made, though, that that will not happen. That there's no way a company like that will have that type of influence over the communications of US citizens, but TikTok is very different. So-
Susan Boles (31:13):
Thank you. So tell me, where can our listeners find you if they want to connect or learn more about what you do?
Jessica Robinson (31:19):
Yes. So again, you can come to our website at www.the-purepoint.com, P-U-R-E-P-O-I-N-T. And then you can also just feel free to email me at firstname.lastname@example.org.
Susan Boles (31:36):
Perfect. Thank you so much.
Jessica Robinson (31:39):
This was wonderful. Thank you.
Susan Boles (31:41):
Jessica had some really helpful tips to help you think about securing access into your systems and data. As she mentioned, this is really the weakest link when it comes to security, but some other great ideas that are mentioned in the blog post that I shared at the beginning of the episode are just to limit what you share online and to think about how what you share could potentially be used against you. This is something that was drilled into me during my time in the military, but it's something that everyone should be thinking about. Now, we got it drilled into us so that we wouldn't post where we were deployed or troop numbers, that sort of thing. But this applies to you too. Things like posting where you live, what your pets' names are, kids' names, birthdays, all of that can be exploited against you.
Susan Boles (32:26):
Think about those security questions you get asked when you're trying to reset your password. A lot of those can be found relatively easily online. So be aware of what you're sharing and what you're picking for your security question answers. Another great idea is to use a password manager, two-factor authentication and unique passwords for each service. That way, if one account gets breached, it's limited to just that service. If you're using the same email and password for everything, they can get into all your other accounts. You can even go so far as to use different email addresses. So most email services now, like Gmail, allow you to create on-demand unique email addresses by adding the plus sign, and then whatever you want, to your email address. So you can actually easily create a unique email address for each service. I like to go with something like Susan plus the app name, and they all go directly into my normal email account.
Susan Boles (33:23):
But if one email gets breached, nothing else does. And as a bonus, if you get unauthorized emails to those email addresses that you didn't subscribe to, it's really easy to tell who sold your email address because the app name is right in there. But when it comes right down to it, the important part is to be informed, to understand what's happening from a security perspective in the online world, to be informed about how your data is being used and secured with everyone you work with, and to really think about where the weaknesses might be in your own system. Next week, we're heading back behind the scenes of my own experiment into privacy-focused marketing, and I'll be talking to Kim Harrington, a big part of my own marketing team, who's helping me execute this experiment. So hit subscribe in your favorite podcast player, so you don't miss it. Break the Ceiling is produced by Yellow House Media. Our executive producer is Sean McMullin, our production coordinator is Lou Blazer. This episode was edited by Marty Seefeldt with production assistance by Kristen Runvik.