Why Cybersecurity Starts With YOU!

DAVIN: Thank you so much, Kindsey. Excuse me, my allergies might be messing up just a little bit. This Arkansas weather is wild. But I appreciate everybody attending today. I’m excited to talk to you all. Of course, this is Episode 2 of our deeper dives. Last week, we spoke on a different subject of cybersecurity, and every single week we’re going to be picking and pinpointing a different topic to share with you all.

This Episode 2 is “Why Cybersecurity Starts With You.” We’re going to run through this. We have our founder and CEO, To Kirkham. You might’ve caught it in the beginning; he’s going to add some color. I like to say fluff. He says color. This is a fun, relaxed series about a serious topic. Like I said, we’re going to have a few more sessions throughout the following weeks.

But before we start, I want to give you a quick news update. We’re day in, day out, learning and discovering different things about cybersecurity. Some new things came up on our radar in the past couple days. One, the Senate passed

.

KINDSEY: Okay, I don’t know if that was on my end or y’all’s end.

TOM: Fort Smith’s been having internet problems.

KINDSEY: Okay, we’ll give Davin a second to jump back on.

TOM: You want me to dance or anything while we’re waiting?

KINDSEY: [laughs] Sorry about that, everybody.

DAVIN: There we go. Are we back up and running?

KINDSEY: Yeah. You want to share your screen back out?

DAVIN: All good?

KINDSEY: Yep.

DAVIN: There we go. What I was getting to – sorry for the delay, little mishap there. I was getting to NSA encouraging zero trust networks. What is zero trust? It’s assuming that you have someone inside, a malicious insider or threats already existing on your network. That doesn’t mean that your employees are malicious hackers, but it brings us to the topic today: no one should have all the keys to the kingdom because of a simple topic called human error and the reasoning behind why cybersecurity starts with you. We’ll get into that.

But before we get on to the nitty-gritty, let’s start with a question for you all. I want to hear your take on what you think the number one cause of a successful security breach is. I wish I could vote on this, give you a hint. Human error, poor policies and procedures, outdated devices, lack of security tools. Interesting.

KINDSEY: You want to go over the results, Davin?

DAVIN: Yes. Hold on a second, so I can get it pulled back up. I think it said 7 out of 9 said human error. 2 out of 9 said poor policies and procedures. I’ll give it to the majority. The answer is human error. 95% of the main causes of cyber breaches are human error. What is human error? Unintentional actions, mess-ups, accidentally clicking on something. No matter the cause, that is the main reason for successful cyberattacks in the past few years.

There’s different types of human error, and we’ve all been a victim of this. It might not be in the workplace, maybe at home, but let’s break that down a little bit. You see this picture with a guy making this face a little bit confused. I have made that face far too many times to admit, and a few of you have as well. It may be because you sent an email and then you look back – “Maybe I shouldn’t have sent that.” Or you get an email and you click on something, now your computer’s acting a little funny, and now you’re making that face right there, “I’m probably going to hear from my boss about this tomorrow afternoon.” That looks like a face of confusion and human error, but there’s ways to avoid that.

When we dive into human error, there’s two different types. There’s skill-based error and there’s decision-based. Skill-based is making small mistakes in doing everyday tasks. Sending emails all day long you may forget to type in or put your signature. But these small mistakes doing everyday tasks usually come from being tired, not paying attention, could be distracted, or just overall forgetting to do something, forgetting to do a part of that specific task. Happens every day. It’s inevitable, but it’s something we can work on.

Another type of human error is decision-based. That can really get into the face that you see on there. Making a faulty decision, not too sure, it’s kind of 50/50. That comes from lack of knowledge. You might not have enough information to make the decision needed. Or you could be doing nothing, resulting actually in making a decision by itself. We’ll get into that topic in a second.

But let’s talk about some different types of human error and how that happens. Misdelivery. What do we mean by misdelivery? Sending information to the wrong person. Working with lawyers, accountants, in the medical field, any field really, you may have some sensitive information that needs to be sent peer to peer just for operational purposes. When sending confidential, sensitive information, if you send that to the wrong person, human error takes effect and you have a breach of confidential, sensitive information. That needs to be addressed. But it’s not because you did it on purpose. It’s just human error. There’s ways to take care of that.

Another common human error or mistake that we see a lot regarding passwords. News flash: this is breaking news in 2020 – the word “password” actually isn’t a good password. Cyber hackers have figured out that a lot of people use that, and the results are successful cyberattacks, successful cyber breaches. Passwords are easily overlooked. Credentials, using your actual login as your password. People are moving away from that now, for good cause, because passwords are important.

How you keep up with your passwords is changing as well. In the past, people have written it down on a piece of paper and then that paper gets lost and it’s basically like handing the keys of the kingdom to anyone in the building.

And when we talk about keys to the kingdom, if you have admin access, if you have credentials that are privileged, they’re more than what the average person has, you have keys to the kingdom. If someone gets access to your credentials, to your login, to your password, they have easy access to the front door of your organization. It’s very, very hard to stop attacks and stop breaches when they have a key and there’s nothing going on. They have access to everything. So passwords and human error with passwords is very, very important and a topic that should be discussed and addressed.

Next is patching. With patching, what is that? That comes in the security updates, things like that. We’re seeing a lot now that you may have a MacBook per se, and with that you’ll get a software update. Like, “I’m busy right now, I’ll get to that later,” and later becomes two weeks, three weeks, a month. There’s usually a reason for those security updates, those software patches, because they’re usually fixing a security hole. That’s why we call it a patch: put the patch on the hole, now you don’t have to worry about the security hole.

Taking those patches and software updates seriously is important because without that, you’re leaving a gap in your security. That’s another part where human error comes in. We simply forget to do the update. We’re not aware of the update. And you’re not purposely trying to put your company at risk; it’s just you forgot. It’s human error.

But like I said, with proper training in different tactics, human error can – not completely get rid of, but there’s things you can do to put your company in the best situation to keep human error to a minimum.

Next, I know you may be getting tired of my voice. I haven’t been talking too long. I have a short video that really moves us into the next topic of where organizations are going in 2022. It starts with creating a cybersecurity culture.

Video

Cybersecurity is not a product. It is a culture. Positive cybersecurity culture is when the entire workforce understands the value of information and adopts positive cybersecurity practices to protect it.

So, how do you foster positive cybersecurity culture in your workplace? Positive culture is positive through positive engagements. And a positive cybersecurity culture is fostered through engagement between the CISO, the cybersecurity team, and end users. At Security Quotient, we don’t see ourselves as another cybersecurity training company. We consider ourselves enablers.

DAVIN: We don’t work with them, but they do something similar to us, and that’s creating a security-first culture. You hear them talk about positive engagement. Security first, creating a cybersecurity culture, it’s new. It shouldn’t be new, but now it’s inevitable, and that’s where organizations are going. That’s where they’re pushing to. It doesn’t just start with the CEO, the CIO, or the CISO. It’s everyone’s responsibility, from the top to the bottom, from the new employee to the intern to the owner or the founder or the CEO of the organization. It’s everyone’s responsibility to take care of the organization and be aware of cybersecurity. You’re really the first defense regarding security in your organization.

It’s not a one-time fix. I mean, when you move into a house, you don’t lock the door behind you one time, and after that keep it unlocked, walking in and walking out. Every day after you leave the house, you lock the door. When you come back, you unlock the door. Same thing with security. It’s an everyday thing. Cybersecurity threats are changing and adapting. Technology, as you know, is not going to go away. It’s just going to keep getting better. But with technology changing, threats change as well.

So you have to consistently keep cybersecurity in the front of your mind. It’s something that you’re going to work with and deal with for the rest of your lives because it’s important for protecting your organization, your clients, and your employees.

It’s not a destination, it’s a journey. There’s steps you’ve got to take. It’s a gradual process of getting your security to where it needs to be, getting your security posture to where it needs to be. What’s important about that journey is positive interactions.

With that, encouraging good cybersecurity practices. Report phishing emails. One thing that I like to see is, some of our clients, when they see a phishing email or they’re not too sure about an email that they receive, they send it over to us. We check it out, “Yeah, you’re good,” or we get something and go, “Whoa, you need to stay away from this. Let your employees know because this is a possible cybersecurity risk.” Interactions like that should be rewarded. Those are good. Give them a high five, pat on the back. That’s how you start the beginning of a security-first culture.

Be proud of having a security-first culture. Let your customers know that “Hey, we take security serious. You and your information are with us. Your confidential, sensitive information, you can rest assured and you can sleep good at night that we are taking the proper steps to make sure nothing happens. If you hear about a cyber breach, it won’t be from us because we have the proper tools in place.”

That security and that sureness that you can give not only your employees, not only your clients, means more to them than you know. Especially with everything going on right now – you hear of all the different cybersecurity breaches, all these different organizations getting hacked, all this information being exposed out there in the wild – as a customer of different organizations, security is important to me if I want to involve myself with an organization. So creating that security-first culture is extremely, extremely important.

New things that you’ll start to see is new company structures. In that video before, you heard the word “CISO” and “CIO” thrown around. CIO, chief information officer. CISO, chief information security officer. Nowadays, organizations are shifting. They’re changing to incorporate cybersecurity first into their organization.

Tom actually has been working on some pieces himself regarding restructuring organizations and how CEOs and CFOs are now even reporting to CIOs and CISOs, and how cybersecurity teams are being involved in big decisions for organizations’ futures and how companies are embracing change overall. Tom, do you have anything you’d like to add regarding new company positions, how organizations are restructuring with CISO and CIO?

TOM: Yeah. Me and a bunch of other thought leaders in the industry, we always preach about security being job one. That’s our business. Our business is not to minimize your help desk calls. We’re cognizant of it. But the number one job is security. It’s one of the most important things from a strategic perspective leadership role of your organization.

So we begin questioning, why do most people, outside of our industry, think of cybersecurity as a bolt-on to the IT department? Fortune 500 companies realized that’s not the way to think of it, so now, as of last year, all Fortune 500 companies have a chief information security officer that reports directly to the CEO. Now, I know there’s probably no one on the call here that’s a part of an organization that large, but someone’s wearing those hats. You may be an owner or solopreneur, whatever. You’re wearing that CEO hat, the finance officer’s hat, the security officer’s hat, and the IT hat. Or you outsource it.

I have been promoting lately, let’s reverse that and change the thinking around making an IT an add-in to security, to that security officer role and duties, and then let them manage IT because it’s paramount to protecting your firm and your reputation and keeping you in business.

First of all, there’s federal legislation, and some states already have it, where everyone’s going to be required to report an incident. You’re an accountant, an attorney, if you’re in any business that your professional reputation is your company’s main asset, a strategic policy you have to have in place is to secure it. Or else you’re going to go out of business.

So let’s reverse those roles. Let’s think about a security officer and then add IT into it, because IT, whether you outsource it or in-house it, has become a very – and there’s terrific IT providers out there, and they have a job. But let’s make them answer to security. Don’t even make it a debate. Let the security officer dictate whether we’re going to put in multi-factor authentication or put in an EDR and rip out antivirus. Let’s just go ahead and do it and quit messing around with it.

I’m trying to get everybody to rethink security versus IT. I don’t know if that –

DAVIN: It does. It’s a cultural change that’s slowly happening, but once it does and once it really starts hitting the road, people are going to start seeing the benefits, for sure.

Before we move on, I have another quick question. You don’t have to respond. You can put it in the chat if you want. What is the month of October known for? Of course, it’s known for many things; I don’t want to take away from any of the great things that it’s known for supporting. But newly added on to October, it’s become Cybersecurity Awareness Month. That’s a new change that everyone is seeing, and that’s recent. That’s how important cybersecurity is becoming, and becoming a part of organizations’ cultures.

Next I have another quick question, quick poll. I’m just curious: how would you rate your organization’s overall security posture?

TOM: Wow, we got two “highs” already. Three. I’m glad to hear that. Must be IronTech clients.

DAVIN: Must be. [laughs] A few “medium,” right down the middle. One “low.” That’s interesting. Like I said, I mentioned this in our episode last week – I’d love to come back to these questions towards the end of our series and see if some of our attendees hopefully have worked with us or have gotten some good advice so they can change their answer from a “low” to a “high” at the end.

Our next topic is to really wrap up why and how cybersecurity starts with you. One of my favorite topics to talk about is cybersecurity training. You see that little picture below. I’m a big Karate Kid fan. When we’re talking about training, one of the best movies out there regarding training, next to Rocky with the great training series, is Karate Kid. Cybersecurity training is extremely important because, like I said, your employees are your first defense, your most important defense.

When we think of cybersecurity training, “Okay, one and done, once a year, that’s good. I know everything I need to know. I’ll see you next January. We’ll get it back then” – that’s false. Cybersecurity training is continuous. Like I said, threats are changing every single day. As an employee outside of the infosec world, you’re not dealing with cybersecurity every day. You’re not keeping up to date with how things are changing, what to look out for, “they’re sending these certain types of emails; I need to change my password to this; what’s going on?”

You need training. You need a source that can keep you up to date on how these threats are changing so when human error comes into factor, it’s minimized because you have the proper training and knowledge to combat those different threats and make sure you’re not the reason your organization falls victim to a ransomware attack.

You’re learning best security practices, supporting that safety-first culture that your organization is trying to create. With best practices, you learn proper password management practices. You might be into using a password vault, where you can keep all of your credentials safe and encrypted in one safe location. But overall, increasing your password security strength by, instead of using the word “password,” now you have a 10-15 character password that is kept in your vault.

You’ll learn the best practices of EDR and MFA and storage encryption, the 5 things that we talked about, those 5 best practices that your organization needs. You’ll learn about those. You’ll learn why they’re important and how to use them. You’ll also learn about best practices from your security team.

These 5 things I mentioned – skilled security team, MFA, EDR, storage encryption, cybersecurity training, continuously updating your security – these short 5 things are what you need as an organization to secure and have that security-first culture. You’ll hear every episode, we’ll mention the 5 things. Like I said, that’s not coming from us. That’s the White House. That is what is recommended for every organization to have the proper security posture that they need.

With training, this is one of the best tools an organization can have to train their employees: simulated phishing emails. Everyone receives phishing emails. That is one of the top ways that a successful ransomware attack happens, by simply clicking on a link. You thought it was from a trusted source; ends up being a malicious cyberattack that, in turn, results in a ransomware attack. You thought it may have come from Facebook that you need to change your password, you clicked on it, now you’re changing your password, and now someone has your credentials.

TOM: Hey Davin?

DAVIN: Yeah?

TOM: I want to point out that we do that. We simulate phishing emails in our company, and I think two a week go out, because we use two different systems for our internal use. No one in our company but one person has scored 100%. I’ve failed it.

DAVIN: As with me.

TOM: And the reason I did, and the president did, and some others have – not the only reason, but one of my failures – and I think I’ve failed twice – was I just happened to be working on some security settings in my Google account, and the phish sim, the test to see if I would fall for it, just happened to be about Google and the authentication system, and I clicked on it without reading it carefully.

If those criminals and nation-states – mostly criminals – that are using these tactics can fool professionals in the industry, there’s no way an average layperson is going to not get fooled. So don’t think it can’t happen to you. The days of misspelled words, bad graphics, bad grammar are long gone. Don’t kid yourself. These are professionals. It’s not a Nigerian 419 scam where you’re an heir of some guy who just happens to have your name, dies in a plane crash, and he’s got $20 million. No, these emails, the legitimate ones and the simulated ones, are so good they can fool the professionals. I just wanted to stress that.

DAVIN: That’s true. Simulated phishing emails is great training for your employees because those phishing emails are not going to go away. That is a great way that cyber attackers are using to reach organizations, and they’re not just sniper shots. They’re not directed at one person. They are shotgun bullets. They’re going everywhere. They’re reaching hundreds of thousands of people at one time, and they’re trying to get you. They’re not going to go away. So you have to be trained properly to be on the lookout for those, know what to look for.

Overall, one of the first steps to creating a cybersecurity-first environment is training your employees, training your defenses, getting your employees ready to combat these cyberattacks and make sure they’re prepared as much as possible to secure your organization and support that security-first culture.

Our last question of the day that I’m also curious about is: are you currently enrolled in a continuous cybersecurity training?

TOM: Key word being “continuous.”

DAVIN: You might go to a once a year training.

TOM: I don’t even think that’s adequate.

DAVIN: No.

TOM: One of ours is every week. It’s a two-minute video on average, and four questions. You’ve got to score and you’ve got to make sure your people are following them. And then coaching if necessary. What really makes cybersecurity training successful in your organization is managing it and monitoring it ongoing. It’s not a set and forget. You’ve got to make sure. You’ve got to bring these people up.

I think a perfect score on one of ours is 800. No one’s got it except Joseph, who has never failed a phishing sim. But you see somebody that’s getting into the medium risk, then they’re the weakest link in the chain of your entire organization. And if they’re only scoring 400, that’s going to tip the whole needle of risk at your company. It affects the whole thing. You’ve got to set the tone at the top and walk the talk, especially when it comes to cybersecurity training.

And that’s not something, if you’re going to outsource – we think of ourselves as virtual chief information security officers for our clients, but that’s something that we can’t do. All aspects of our company are designed for us and our clients to be on the same team. In other words, we don’t make more money when you have problems. It costs us money when our clients have problems. That puts us financially in the same interest. The fewer problems, breaches, IT problems you have, the more profitable we are and the better your company runs, and the safer it is.

But something that we can’t do is, if you’re the owner, the president, the leader, that’s a culture that’s up to you to nurture and lead by example and stuff. That’s something that the people that are good at training and are successful with it understand. It’s not a set and forget, just buy it. It’s a management decision to say “I’m going to buy it for everybody.” It’s a leadership deal to make sure it’s monitored and continuously checked for laggards and coaching opportunities. Good leaders know that it’s not about using a stick. It’s about coaching and making sure everybody takes it as serious as you did when you made the management decision to buy the product or the service.

DAVIN: Top to bottom. It’s simple, but where do you go from here? How do you get cybersecurity training? Where do you get a team to help you with this, help coach your defense up, your employees up?

Speak with an information security specialist. Right below, you see an email. You can use that link right there to schedule a short meeting, short chat at your convenience. You can also shoot us an email. We’re here to talk with you, see what needs you have, talk to you about cybersecurity training possibilities that will fit best for your organization. Like Tom said, we have weekly, monthly, all different types of things that we can do. We’re here to help you and help your employees and overall help protect your organization and your clients.

Right below you’ll see my personal cellphone directly to my office. I want to talk with you. I want to answer any questions you may have. You can call me any time. Of course, at midnight I most likely will be asleep, but leave a voicemail and I promise I’ll get back with you.

I appreciate you all attending. Like I said, this is a weekly deeper dive, so next week we’ll have our next episode. You’ll see registrations on LinkedIn and different places. You’ll get emails. Feel free to invite your employees, your friends. Cybersecurity is important, and we’re here to talk about it and make sure we can put you in the best position to secure your organization, your employees, and your clients.

TOM: Hey Davin, Jacqueline’s got something I want to talk a little bit about.

KINDSEY: Yeah, there’s a question.

TOM: And you answered part of that live. Basically, I think the way both systems work is there’s an annual test. That gives you a baseline. Then there’s micro quizzes. One of them is every week; the other is I think once a month, or maybe it’s twice a month. I’m not sure.

DAVIN: Once a month.

TOM: And it does have to be continuous. I want to direct a thing here – some orgs are marrying cybersecurity operations with the chief risk officer role. I question the wisdom in that. And I’m sure there’s exceptions to this, but generally speaking, a risk officer for a trucking company is going to be an operations role. They’ve got to understand the risk to truck accidents and other – I’m not an expert in the industry, so I don’t know. I think that’s an industry-specific operational role.

Now, that person being a cybersecurity role without an IT background of any sort I think is trivializing the seriousness of infosec or infosec professionals. Actually, I’d like to know – in fact, if you know of any companies where they’ve done that, I’d like to see what type of company that is. I just don’t know. If they’ve got a chief risk officer, why can’t they afford a security officer as well?

Hey, thanks, Jacqueline. Yeah, that’s interesting. I’ve never heard that. Usually they throw in the CIO like Colonial Pipeline did. And I wasn’t part of that investigation, but I really believe that they would not have been breached if they had had a chief information security officer. And apparently the CEO does as well, because they immediately started searching for one after that breach.

Let me explain why. And if you’re ready to leave, by all means. [laughs] I love this story. Here’s the deal. That breach targeted a legacy VPN connection that was unprotected by multi-factor authentication. In other words, all they had to have was username and password, and it was legacy and unused. It had been there for years and years and years. Chances are it had a very weak password, so all the attacker had to do was use brute force against it. And it probably didn’t have any delaying tactics, like five misspelled words it resets for 30 minutes. Probably didn’t even have that on it. So they just did a brute force dictionary attack against it and that’s probably how they got in.

A security officer’s number one job is to make sure these old legacy connections are turned off. IT’s objective is just to make sure the company runs. And apparently their IT, their CIO, was very skilled and very well-respected, and the CEO said so. But he still hired a security officer. Because of that breach, he understood how important and distinct those two roles are.

Now, add in a chief risk officer – if you’re going to combine it with that, why not make the CFO the CISO? I just can’t imagine a scenario where that’s a good idea. I’m sure there is, but I’m having a hard time visualizing “Oh yeah, that’s perfect. That’s a perfect person. They can do both.” It’s got to be a specific vertical or something like that. I get where you’re going. I get where that thought comes from, because it is a risk analysis position. That’s what it’s all about. There’s no such thing as perfect security. It’s all about managing the risk.

So yeah, Jacqueline just send that to me or Davin or whatever – you know how to reach us – when you come across that thought. That’s intriguing. Thanks for bringing that up.

Anyway, how much does it cost for somebody to spend five minutes with you, Davin?

DAVIN: Absolutely zero dollars.

TOM: There you go.

DAVIN: I won’t even charge you.

TOM: I hate to use cliches, but it’s not a matter of if you’re going to get attacked; it’s when. Acknowledging your vulnerabilities is all well and good, but action is what you need to do. If you’ve gone that step and you say, “We’re really bad at this, everybody’s reusing their passwords, we treat security as a hassle” – acknowledging the existence of those in your firm is actually part of the first steps. But then if you’re going to do that, let’s go ahead and spend 5 or 10 minutes with Davin.

DAVIN: I’ll make it worth your while. I’ll find a joke or something to make you smile during the call.

TOM: Yeah. When’s the best time? Well, right now. This situation in Ukraine’s just escalating. I’m shocked that the nation has not come under attack yet. Yet.

DAVIN: We haven’t heard about it.

TOM: Well, we would know. There’s a lot of telltale signs. But I have got my ear to the ground. I am almost always checking CNN and other news sources besides the regular firehose we get. Sunday we had a lot of internet outages and a lot of weird things were happening, as it is today. That internet hiccup you just saw. It hasn’t all been fixed here, and it’s affecting cell service. This all started Sunday. My first thought was we were under attack, but I had no way to contact the outside world.

Anyway, found out – I’m not sure that it’s not related, but so far it looks – we’re paying careful attention, if you want to get behind the curtain, see how the sausage is made. There’s a couple of technical threats that we have reason to believe will be the canary in the coalmine. As soon as we see evidence of it in the United States with one of our clients, that’s when we’re going to have all hands on deck and keep all eyeballs on it for however long it takes. That’s the only thing Russia has in its arsenal to go after the United States. He’s gotten himself into a corner. And kudos to the Ukrainian people. I have friends there and I’ve been there a couple of times. They don’t deserve it. Never did.

Any other questions?

DAVIN: I don’t see any other questions. Next week, same time, 2:00 Central Time. Tuesday. Next topic, you’ll receive emails. I look forward to talking to you all next week. Of course, if you have any questions, you have the contact information. Reach out. We’re happy to talk to you and answer any questions you might have.

TOM: What are you talking about next week, Davin? Did you already say that? Did I miss it?

DAVIN: No, I did not.

KINDSEY: It’s Information Technology versus Information Security: What’s the Difference?

TOM: Security versus technology. I love that. I could talk for hours.

DAVIN: It’s going to be a good one.

TOM: It’s about changing that mindset. Make IT a bolt-on to security, not the other way around. If you make compromises on security – obvious compromises; there’s always a compromise. Even we ourselves don’t use our full security stack. But don’t trade security for productivity or efficiency.

DAVIN: Part of that culture change.

TOM: Yeah. And none of it really works unless you’re setting the tone yourself as a leader. If you’re the leader of your organization, you’ve got to set it. And everybody else in the company has got to be on the lookout, and everybody else in the company has got to snitch. I hate to use such a crude word, but I expect everybody in the company, if they see somebody practicing bad security hygiene – every time we hire a new person, the very first thing they do is go through security training.

We had someone very capable, a great hire, setting up the laptop, and she wrote her password down – after already saying, “It’s got to be longer than that. That can be broke in two seconds with just a PC, the brute force attack. It’s got to be longer than that.” And then she wrote it down and I said, “Do not write that down. Change the password. No, we’re not going to wad that up and throw it away. Make a new password. Do not write it down.”

It’s just the thing we have to do. That was an uncomfortable situation with a brand new person, me saying it – I just happened to be the first one to see it. But you’ve got to stress how serious and how important it is. It will put you out of business. It will certainly damage us. I mean, how would you like your security company to have a breach? But it happens. It does happen, and IT companies especially.

DAVIN: It’s not their main focus. It’s not their specialty. They’re there to keep everything up and running.

TOM: Say you outsource your IT and they’re using Bitdefender or something like that. You’re not using best of breed. There’s better stuff out there. That doesn’t mean they’re a bad IT person at all; it’s just they have a different objective. As do many risk officers. See what I did there?

DAVIN: It comes back.

TOM: Tied it right back into Jacqueline’s statement. All right, wrap it up.

DAVIN: That’s it. You have the number, you have the email. I look forward to talking to you all.

KINDSEY: Thanks, everyone.