Dealer Tech Tuesdays

S02E01 - FTC Regulators Mount UP - New Safeguard Rules - Customer Information

February 01, 2022 John Acosta Season 2 Episode 1

Dealer Tech Tuesday is a podcast and Clubhouse room on the Automotive Innovations Club. It airs at 2pm EST every Tuesday. It is a discussion and QA for anyone in the automotive space. VTech Dealer IT hosts the show, bringing in experts in their respective fields.

This week's episode is with my co-host Paul Jensen from the Qvale Auto Group. We discuss future-proofing your dealership and the effects of electric vehicles on your operation.

Visit us at: https://www.vtechdealerit.com/247-it-support/


Speaker 1:

Today we're here with Phil Liberty and James Bowers. James is from Input Output. He's one of the managing partners over at Input Output and my longtime friend. We've got a new friend and a longtime friend, Phil Liberty, from Universal, the communication company. Right? Is that right?

Speaker 3:

That's correct. Good to see you again, John.

Speaker 1:

Good to see you, Phil, man. It's always great to see you. Um, Phil has been doing our...

Speaker 3:

He's been helping us secure, um, internet connections for a lot of our customers, which is a very needed, um, part of this. But also, Phil, about, I mean, what, um, in October probably, yeah, when the GLBA, um, might have been a little bit after that, but yeah, the FTC ruling came out and I said this probably applies to you and your business and we should probably have lunch with James, and that's how this all came to be, right? So how did you come... how did you first hear about, um, the new rulings with, uh, the new ruling that came out from the Federal Trade Commission?

Speaker 3:

So our company, we're in business since the mid-'90s, and since the late '90s we've been taking care of phone and internet connections at a car dealership here in South Florida. We've been handling their communications for 20 years, so we're close to them, and so we're just like you, in the industry, heard about it, and I just said, I wonder if John's aware of this and what is John doing? Because I had met James and there was an application that I thought made sense for VTech. Yeah, that makes sense.

Speaker 1:

Yeah, that makes sense. And then, so, James, tell me a little bit about your background. So I know that I know what that is, but obviously our audience doesn't. But tell me a little bit about your background.

Speaker 2:

Yeah, so, not wanting to take up all the time on the call. Um, but no, my, uh, my background, uh, really at the high level, has always been, uh, some sort of risk management.

Speaker 1:

Okay.

Speaker 2:

Um, that started, uh, quite a few years ago doing financial analysis, uh, managing 401(k)s, large portfolios for companies, then on to credit-side risk, managing capital for companies, and then varied in a few different areas, and now really focusing on the security and the compliance risk. So I've always been talking to companies about how we can manage their risk, how we can talk through it and how we can address it appropriately. And that's really where, Phil, I think you and me came together.

Speaker 3:

We came together in the parking lot before the Florida Georgia Line concert a few years ago. I got invited by one of my suppliers and James got invited by the same supplier. Oh nice, I promised my daughter I'd take her, and so, thankfully, I met James. So there was something good that came out of the concert.

Speaker 2:

Yeah, right, and see, this is why you do networking.

Speaker 3:

Yeah, exactly, exactly. It poured rain that night too, so it was a total disaster, but James and I just started communicating since then and it's been great. Good, good.

Speaker 1:

So, James, would you say your experience is mainly from the banking side? Right? Is that, um, the financial institution, the traditional financial institutions, right, banking, investment type, um, that world?

Speaker 2:

Mainly? Uh, I wouldn't say mainly, because there's quite a big stint on the IT side helping to manage companies, a lot in healthcare. But really starting from that financial side was always the risk reward. There's risk in everything we do. So even on the IT side, working with companies, it was always talking to them about risk and reward. What path do we want to go down that's going to make the most sense for your business? And I started having more and more of just those conversations rather than anything technical, which is really why I started Input Output, to just focus on the risk management, help companies with the compliance. But it started on the banking and just continued on through.

Speaker 1:

But primarily to industries that have traditionally been heavily regulated. So, you know, banks have a momentum, or like an ecosystem, of regulation and compliance, as well as healthcare, with HIPAA.

Speaker 1:

There are industries that this isn't news to, you know. It's like, um, one of the things that kind of surprised me the most about the initial conversations that I've had with dealers is that this is an industry that has not really been regulated.

Speaker 1:

There's PCI compliance, obviously, because they're processing credit card information, but not really enforced. Not... you know, you're not seeing across the board that, you know, there's mega PCI audits that are hitting, you know, Automotive News or anything of that nature. And, you know, the thing that I'm coming across, kind of, in the industry is that, you know, some of the dealers are light years away from being even close to a place of compliance, right? So it's like, let's just start with the basics, and the basics are an Active Directory domain, and users having their own accounts and not being on workgroups, and there's actually a firewall on site and it's not just a router. And so it's like, well, if I could, and I don't know how well this is going to go over with your dealer audience, but in my 20-plus years' experience in working on the communication side with auto dealers, here's the analysis... that analogy, rather, that I've always made to other customers that I deal with.

Speaker 3:

Yeah, when you walk into a car dealer, it's to their benefit for you to lease a car. Yep.

Speaker 3:

Yep, okay, but in dealing with car dealers, because they're not cash poor, their attitude towards the way they purchase or the way they do business is to buy something and drive the wheels off it. Yeah, technologically, absolutely. So while they would like you to lease, because that's to their benefit, they are not the type of company that has to do a month-to-month-to-month because they can't afford it. So that's been my experience in the way they do business, and of course it just applies to technology as well as anything else.

Speaker 1:

Yeah, that makes sense. Absolutely. I mean, there's the CapEx versus OpEx conversation, right? Is that one thing versus the other? And you're right, I've gone into dealers where they've had networking equipment that's been around for 17 years. It still runs, right, John? Yeah, exactly, it works.

Speaker 3:

Why would I replace it? Does the?

Speaker 1:

computer, you know, get on the internet? Well, it's fine, I'll keep moving forward. Yeah.

Speaker 3:

But that's our job: to get them beyond that understanding, from dollars and cents into what James is. James is like selling insurance. That's a concept that has to be understood.

Speaker 1:

Sorry guys, one second. Sorry about that interruption, but we had somebody come knocking at the door. So we were saying that dealers drive the wheels off of something, right?

Speaker 3:

Yeah, just the way they're used to making purchases. Let's just use a simple phone system. Yeah, okay, they buy a phone system and they pay for it. And because, really, what does an auto dealership typically do? They answer calls, they forward calls, they listen to voicemail. There's not traditionally been a complex need for a phone system. That's changing.

Speaker 3:

That's a whole other podcast, but traditionally that's just been the mentality. So, in terms of risk, because all the industries that you're dealing with, James, I think you've said this before: if you don't regulate yourself, you're going to get regulated, and that's probably what you're running into across the board.

Speaker 2:

Yeah, quite a bit, and some of it just comes down to, I think, a perspective shift. It's not really been something that the dealers or even other companies have really thought about. At the executive level, it normally is something kind of separate to where they're thinking business.

Speaker 1:

And then there's IT, which is a drain, or there's a phone system, which is a drain or a black hole of, you know, money to burn. Yeah, and you get the call from Phil and it's, oh my God, what is he trying to sell me now?

Speaker 2:

Yeah, completely relate. But really it comes down to helping companies to understand that this is all tied together. The risk affects the business, it affects where you can go operationally, and just kind of starting to bring those together, I think, helps give a good perspective to where in some cases you can still drive the wheels off some of the purchases you make; in other cases, that's just not the best approach and actually will end up costing you more money. Yeah, and whether that's through lost productivity or through money down the road that you have to spend somewhere, you've got to pick your pain.

Speaker 1:

Yeah, absolutely, up front or at the end. Yeah, like the Fram guy, right? You pay me now or pay me later. There is some aspect to that, and I think generally there is this touch-the-stove moment that the FTC had, because they had to shell out so much, you know, so much government resources in addressing some of these attacks, that they said, okay, now the dealership body, the dealer body, has to have some skin in the game. Right, they said this is no longer going to be up to the Secret Service to do, you know, cybercrime investigations, and the FBI looking at ransomware attacks or whatever that hits the news. And with the Colonial Pipeline and all the stuff that was happening, the deal... they said, hey, you guys are now, congratulations, you're now financial institutions and you have to have skin in the game, and we can't be in a situation where you're just exposing people's personal information out.

Speaker 3:

That's the key right there. It's personal data.

Speaker 1:

Yeah, everyone's got to be responsible for personal data and, to be fair, it's not just dealerships, but the FTC rule says any non-banking financial institution, which happens to mean auto dealerships. Yeah, I mean, they specifically say, yes, auto, you know, automotive dealerships, as named in the final ruling, and say, unfortunately you guys have to have really big-boy regulations... or, sorry, big-boy infrastructure to be able to comply with these rulings. Correct.

Speaker 3:

Yeah, and it's just the way each of us individually wants our data handled, right? So you've got to look at it from both sides. Nobody wants to be overregulated, but at the same time, I want my data handled properly and so forth. So that's where we are today.

Speaker 1:

Yeah, and I mean California had the CCPA. That happened a couple, you know, two years ago at this point. That started, you know, putting these things together. I mean, the CCPA has the additional kind of stipulation that says if I request my information to be deleted and have a receipt of that as a consumer of a product, right? If I call, you know, let's call Liberty Toyota and I say, hey, Phil, I no longer want you to have my information deleted. You have to provide an audit trail saying I have deleted your information from all these databases, and there's kind of a receipt. The good thing is that the FTC at this moment is not requiring anything of that nature, but they are requiring some pretty mature safeguards for the IT side of the dealership business, right?

Speaker 3:

You know, I would also like to point out that none of this is a shock to you and your company. No, because your company's been requiring this, and so you're not running around scrambling saying, oh my gosh, what am I going

Speaker 1:

to do with my clients. You're here as a public service to those who have not.

Speaker 1:

Yeah, I mean, the majority of my customers are within striking distance, which is, you know, given the fact that they said, you know, October 27th, I think it was, when the ruling came out, and they have to be compliant by December of 2022. We're within, well within, striking distance, and the biggest heavy lift, you know, the reality for our customers is their internal programs. Say, they have to have an information security program, they have to designate somebody inside the body, they have to report to the board of directors.

Speaker 1:

Like it's more the... it's not as much the policy and procedure. Yeah, it's not as much infrastructure-wise, because everything's monitored 24/7/365. We have advanced endpoint detection and response on all of our infrastructure. Multi-factor authentication we've had as a base for a long time. We have policies and procedures for incident response. Those things are kind of the normal stuff that you're supposed to have if you're dealing with this, and, to tell you the truth, on my side it's a CYA.

Speaker 1:

I need to cover my rear end and I need to protect my customers, even if they don't like the news, right, and how much that's going to cost.

Speaker 3:

I have to say, hey, I'm going to do this anyway, and we're going to implement all these processes and procedures to make sure that you guys are safe, because if something happens, I'm the guy that you're going to be coming after. And the point for your audience here of this podcast is, if the person that's managing your network isn't holding you to that standard, think about where the savings is, really. Because from your perspective, I know you won't work with a client unless they'll go along with your policies and procedures. Correct. Because you're protecting them, but at the same time you're protecting yourself. So if they're dealing with an IT company or a management company that's not holding to that standard, that's a time to review. Why not?

Speaker 2:

You know, and I think something really important to consider is it's not just trying to say, convince all of the dealerships, convince all the businesses, that you have to have security.

Speaker 2:

You have to spend on security, because obviously if you get a data breach, that's one of the major things, you could get fines, and we can agree that stinks.

Speaker 2:

But the other end of that is, if you're not structuring your network effectively, if you're not putting the procedures in place, when something happens, how are you going to continue operating and continue your business? Are you going to lose two hours of customers, or are you going to lose possibly a week or two weeks or three weeks? And what's that really going to cost? Because that's not shelling money out, that's not receiving the income in. So from a business perspective, and this is a conversation I have with a lot of companies, is don't just look at this as a thing of, these are more hurdles we have to jump. It's really that starting point to say, you know what, we really need to dive into understanding our business, all aspects of the business, so that we understand when something happens, not if, when, we're going to respond appropriately and we're going to be able to weather it, and it's going to be annoying but not catastrophic.

Speaker 1:

So that's the thing that I've been struggling with the most, right, is that manufacturers have had IT requirements for a long time, and you walk into some of these dealers and it's like they never received a document, or it was never enforceable, or something. You look into these places and you say, there is zero standard here that somebody was held to. And a lot of my customers that take those assessments seriously, it's like a lot of the stuff is already in there. It's like, you know, Audi's been talking about this. You know, the Volkswagen Auto Group has been talking about this for years.

Speaker 1:

I've been filling out assessments for years that say, do you have multi-factor authentication? That's recommended. Right, it wasn't enforced, but it was recommended, and we would always go to the highest standard that was recommended because it gives us a really good north. And so, do you have a SIEM? You know, like, a SIEM is a security event information management system, which is where a security operations center is looking at a screen, for those people that don't know, they're just listening, that they can see threats across in real time and they can address them, right, and the whole organization in one spot.

Speaker 1:

Yeah, exactly, it's the whole... It's like your IT organization on one screen that, you know, guys that, you know, have the credentials for security are addressing those threats and shutting them down in real time. But they had, you know, the IT requirements already had that.

Speaker 3:

So, to James's point, as it ties to what you're saying, is a lot of people came into the industry years ago, the IT management industry, and the way they came into the industry appeared to the dealership as an expense.

Speaker 1:

Yeah.

Speaker 3:

That's a cost and that's the way they came in. Hey, you have to do this. This is how much it costs.

Speaker 3:

We do it great, you should work with us. Yeah, and that's where James, how he differs, is saying, look, yeah, there's going to be some expense, obviously, in everything we do, but let's not focus on that. Let's focus on keeping your business running, becoming more profitable, by eliminating risk and treating it as business risk, not just an IT expense. Yeah, and that's been a differentiator in the way that, you know, we're going to market to our customers. And yeah, by the way, where does, you know, a risk management guy and a communications company come together?

Speaker 3:

Well, when we met, he had been in our industry, yeah, and realized that's not the direction I want to go, because he's got strengths over here. But the attitude that he had towards where business is going is the way I've always wanted to approach my clients. In other words, as long as I've been in this industry, I want to solve the most difficult problem that a business has, and then everything below that in complexity that I can provide, I get.

Speaker 1:

Yeah, that makes sense, yeah.

Speaker 3:

Right. If I go into somebody and say, hey, how much are you paying for long distance? Eight cents a minute. Good, here's seven. Push hard, you're making three copies.

Speaker 2:

Yeah.

Speaker 3:

Yeah, I just saved him a penny on his long distance and I see nothing else, yeah, in his business. I know nothing about it, other than I saved him a penny, yeah, to be ridiculous. But if I can come in with James and say, let's look at your entire business and the risk, where does it lie? Let's answer the question.

Speaker 3:

You don't know what you don't know. Yeah, and that's really what happens when we go in, is we're trying to answer that question for the client, and then what comes out of that is a template that they can use, and that may or may not result in business. But no, not always.

Speaker 2:

Yeah, really, what comes out of it is that information security program, or information security management system, ISMS, or pick your acronym.

Speaker 2:

All of the different frameworks and standards have their own, but it's the same thing. How do we approach risk, how do we approach security in our organization? And I think one of the big things that differs, and where we have a lot of traction and engagement from the clients, is a lot of security professionals, a lot of even risk management consultants, really focus on the CIA triad: confidentiality, integrity and availability. Really kind of protecting the data, making sure it's accurate and making sure it's available. And you brought it up, CCPA. New York has their SHIELD Act, yep, and more are coming down the pipe. There will eventually be a federal privacy mandate. Yeah, so there's the CIA-P, privacy side. And then, because we do a lot in healthcare, we also focus on safety. Obviously, if your computers go down while you have somebody on the operating table, that could be a serious issue. Absolutely.

Speaker 1:

Or you're doing that remote surgery or something, you know, it's just infinitely more complex. Yeah, when you do it on a Zoom call, you don't want the Zoom call going down. Exactly.

Speaker 2:

But an area that I think we really differ in is we also talk to the company about what's your mission, what are your objectives and what are your obligations, because everything that you do, you should be able to tie to your mission, objectives and obligations, because that's what's driving the business. If you don't have a business, there's no reason to even address the risk; there's no point in it at all.

Speaker 3:

To that point in the auto industry, so many of your clients have the owner's name on the building.

Speaker 1:

Yeah, okay, that's a thing in the auto business space. Yeah, okay.

Speaker 3:

And, as it relates to risk, it's the reputation. Yeah, it's the name. The family name that's on that building is as important, or could be the most important thing, and the rest is, you know, we're just going to find out what else is going on.

Speaker 1:

Yeah.

Speaker 3:

But that's one of the drivers in the auto industry is the owner's name is on dozens of buildings, sometimes throughout the community or throughout the country, and so that's something that they just cannot overlook.

Speaker 1:

Yeah, and on the other hand, this is what we talk about a lot. We talk about this kind of subject with my peers in the industry is that dealers are some of the most charitable people out there that have a terrible way of showing it. They're constantly involved with the community. They're Habitat for Humanity, they're donating, they're changing people's lives. They're some of the most prominent employers in the industry. It's like, look at some of the larger auto groups and it's like, oh yeah, how many families do those guys affect in a positive way and don't really advertise it. They're very quiet about it.

Speaker 1:

And, you know, with something as simple as a data breach, their name can be all over the news, and, you know, you can have a hundred attaboys and it just takes one "oh crap", and all that good nature or, you know, goodwill is erased. So there is a huge potential damage to a reputation. And also, how do you handle it after something happens? Right, it's like, you know, data breaches happen. They happen all the time. No IT company or security company out there is going to guarantee you that you're not going to be breached, but it's how you respond to it and how you get back on it that really says the character of the organization in some capacity, right? Absolutely. Yeah, yeah, one of the big things is, when you're looking at risk, you can avoid it.

Speaker 2:

You can transfer it, typically like insurance, so say cybersecurity insurance. You can mitigate it, so two-factor authentication, any type of controls. And then eventually just accept it. Those are the four ways you can address risk.

Speaker 2:

And one of the big ways that we really focus on, and this goes back to understanding the business, is avoiding the risk entirely. So how can we structure the systems, how can we set everything up to where, if you have a data breach, it doesn't really matter so much, to where you could come out to your clients and say, we did have a data breach, it affected us, but none of our client data. And those are some ways to where, especially, and you've probably seen this, probably not with your clients, but just everything's available. All the computers are connected, all the systems, all the data. Everybody's got the keys to the kingdom. And one of the big ways that we really help is just tying that all down.

Speaker 2:

Who needs to know? And just make sure that they know. Not because we don't trust anybody, but just because that starts limiting our exposure, and that's one of the ways that really you can restructure things without spending a lot. Sometimes we talk to companies, show them something, and it doesn't result in any business for us, and that's fine. We were able to help them out. Eventually it's going to come around. But that's a really big thing, is looking at not just that we have to now go and buy all new firewalls and all new phone systems, although those are great to have, definitely contact, you know, interview gentlemen, but also just how can we pivot slightly without spending anything?

Speaker 2:

Just change maybe how we're doing things to really avoid a lot of risk and help protect the business.

Speaker 3:

Yeah. It goes back to the green, yellow, red. Yeah, data storage, you know, data manipulation, understanding, you know, who needs everything, green; who needs some of it, yellow; and, you know, who needs just access to a limited group, red; and just identifying what those are and where they're located. Again, it's just like anything else: just over time, things get done a certain way. They've not been looked at.

Speaker 1:

They need to be looked at. Yeah, the thing that I'm most concerned about is the gap. That's the thing that I'm most concerned about, because, you know, there's some momentum and there's an ecosystem in some of these more IT-mature industries that understand what that momentum looks like and what it feels like. It's like, oh, we're doing an audit again. It's like, oh well, every so often we get audited, or whatever that looks like. The industry, the automotive space, doesn't really necessarily have that. They have that in, you know, you have a floor plan audit, or you have, you know, a parts audit where you're doing those things. Or you have, like, a red flag where they have to figure out certain processes and procedures, and they even have compliance where locking in the finance doors and whatnot.

Speaker 1:

But on the IT side that hasn't really been a standard; that hasn't been something that's been there, or there isn't really even a mechanism for that to happen. And so, you know, I was talking to a dealer recently and I'm like, okay, let's talk about, you know, the GLBA safeguards and what needs to happen, and we started getting into something that was based off, you know, the NIST model, right, of compliance, and it was Japanese, it was news. It was so far away from any place that dealers could be that we had to really, like, kind of really distill what came out of the conversation. Like, we need to distill this to a place that people can easily answer.

Speaker 3:

I wasn't in that conversation. I don't even know who you're talking about, but, by any chance, the person you were talking to, was his name on the building, or a family member of the person whose name is on the building?

Speaker 1:

No, but close enough. Okay, but we did do, like, a mock dealership, because we need to. That's the chasm that I've always been worried about. It was more of, like, an exercise for us internally to set the bar, right? It's like, what does this look like? And let's go through a mock dealership.

Speaker 1:

So I built, and this might be familiar to some of our listeners, is like I said, okay, you're a two-rooftop in, you know, Florence, Kentucky, and you have... you know, you're a domestic manufacturer, right, and you have 150 users. You're on Dealertrack as your DMS and your email's GoDaddy, just like a normal dealer. This is a run-of-the-mill, normal dealer that's very successful at what they do. They've been in business for a long time, and kind of ask them those questions. And then these guys that come from, you know, a similar background as James, right, those are our partners in Torchlight, our cybersecurity partners that, like, used to work for three-letter agencies, and, you know, we have all these credentials and all this stuff, and, you know, the secret squirrel guys, and they came in and it wasn't right-sized, right? It was just so big that they were like, what is your procedure for data retention on blah, blah, blah? And, like, what are you?

Speaker 1:

I don't even have an internet security, like an information security plan. Like, in your information security plan, do you have...? It's like, have you heard of an information security...? Do you know what an information security plan is? And it was kind of that. It was, like, so overwhelming to the dealer, or the guy that was in charge of the thing, I mean, this was a very astute person that I have a very close relationship with, to act as that kind of canary, or, you know, canary in the coal mine, to say, where are we off here? And then he gave us some really good feedback, and he's going to do it for actually his dealer, and we're going to have that conversation to right-size it.

Speaker 1:

But that's the thing that I'm most worried about, is this chasm between the guys that know what's going on, the curse of knowledge, right, the guys that know what's going on and what we assume that the dealer should know, and in reality they really aren't prepared for this ecosystem. So that's my main concern, is that, because we'll lose the industry in that process, right? Yeah, it's...

Speaker 3:

There's a fair amount of evangelizing in what you do. Okay, sadly, that means those who get it and respond to what we're making available get chosen first.

Speaker 1:

Yeah.

Speaker 3:

Because we have to make a living, and so we're bringing this concept to one business after another, and those that say, I get it, I need it, please help me, they get the help they're looking for. And I get where you're going, is you just wish everybody would jump on that bandwagon and at least be asking you, hey, am I okay?

Speaker 1:

Not necessarily. What I'm more aiming at doing is making sure that my messaging is appropriate for the ears that are receiving. Correct, right. And that I'm meeting people where they are, not where I think they should be. Yeah, which is, I have that fault, right, as I'm like, you know, I didn't come... I'm not an IT guy by trade, you know, I learned about the industry. But even being in the industry, I'm already, you know, nerd talk. I'm like, oh, where I go a million miles an hour and I'm assuming that my audience understands what I'm speaking about, and the reality is that it's farther away than I realized.

Speaker 3:

Well, it's funny you bring that up because we have an engagement next week, somebody that I introduced to James, and we have a project going and he's preparing for this and he's sending me material and all the material has four-letter or three-letter acronyms, mostly four letters, a lot of four-letter words. Three, three in my industry.

Speaker 3:

Because my industry can only tolerate three-letter acronyms, but your industry has a lot of four-letter acronyms and I've been saying to your point, John, we need a glossary. Our first meeting should be a glossary in terms of understanding what it is that we can do for you in English yeah, exactly yeah, and I think the messaging is really a big thing.

Speaker 2:

That's kind of an art that is an art.

Speaker 2:

And that's in every industry. How do I take all of this great stuff that I know that can protect you? And, kind of, as an IT geek, we can get excited and oh, you need MFA and you need encryption and AES-256, and blah, blah, blah, blah blah and we get so excited. And why does that matter? Me as a business owner, why do I need that? And on the IT cybersecurity side, there's almost this pullback of how do you not get this? You know, these are minor things, but where that gap is, that we've really noticed a lot, is it's not being tied back to the business. Really, the first conversation is how do you manage your risk? And yeah, and let them identify that. Most are a deer in headlights.

Speaker 1:

Yeah.

Speaker 2:

We don't really do that. Okay, great, that's really the first thing we need to do, yeah, and then we start identifying what are the risks in the business. Well, Mr and Mrs Dealer, what would happen if you had a data breach? What would that mean to your business?

Speaker 1:

What is a data breach? Yeah, what is a data breach, exactly? What's considered a data breach?

Speaker 2:

You know, and once you start identifying those risks, that's where I think it becomes a thing that most businesses even say I don't really care how you fix this, yes, fix it, but they're on board at that point, correct Right? Because it means something.

Speaker 1:

You tied it to the business. Yeah, they're like, because it means something, I don't care. Yeah, they're like I don't care, just fix it. And you're like, okay, cool, you just keep moving forward. And then you give them the reports and, but you know, we talk about PII, like everybody knows what PII is. Right, it's like, you know, you know how it's defined in this. You know, I'm looking at this 183-page final ruling from the FTC, and they very specifically say what personal identifiable information is. They state, you know, what a qualified individual at a dealership has to have, like what does that look like? And you know what the information security program has to have inside of it. It really makes it simple and there's not a lot of people that will read that and digest it for your audience, which is. We've got to watch out.

Speaker 3:

James is going to swipe that and take it home and read it because he's the guy that's chomping at the bit.

Speaker 2:

I've read it before. I've already read it.

Speaker 3:

So yeah, to use a health care example, what you and I did, you know, a few months ago we got invited to a webinar to present to the healthcare industry, okay, and again, they're focused on specific things that they think are regulatory. Okay, okay, and that's what they're. So, and that's why they take their lunch to join a webinar. They think there's some regulatory thing they're going to miss, and James quickly says here's an example that he did in real life with an imaging company. You might want to tell them.

Speaker 2:

Okay. Well, now I'm put on the spot.

Speaker 3:

Tell that joke, you know.

Speaker 2:

So what that came down to was a real-life example. I worked with a lot of ophthalmologists, who deal with the eyes, in case people don't know, and they have very, very expensive imaging systems, about $300,000 to $500,000 for that piece of equipment. They do very cool things. They let the doctor see what's going on in the eye, and every butt that sits in that seat is a $10,000 check for the doctor's office.

Speaker 1:

Oh wow, geez, I'm in the wrong business.

Speaker 3:

How many times a day?

Speaker 2:

And they can do these in about five to 10 minutes. So they're running hundreds of people through every single day. Oh, that's great.

Speaker 1:

So their names are also on the building.

Speaker 2:

But the organization didn't buy another machine, they only had one, and it was normally down at least three days in a year, typically at least three days every quarter. But they couldn't get over that hurdle of, well, we don't want to spend $500,000 on another machine, just fix that one. Tying it to the business to be able to show when this is down for three days, this is costing you $150,000.

Speaker 3:

It was a big number, it was a stupid number.

Speaker 2:

When we add it all up over the course of the lifetime of the machine. You're going to spend $500,000 on the machine. It's going to allow you to capture $10 million in actual income.

Speaker 1:

Yeah, that's a pretty old, so what?

Speaker 3:

did they do, John? When the light bulb went off, they bought two more machines. Two more machines.

Speaker 2:

They built out a room. They bought two more so, but that's.

Speaker 3:

That's the difference between looking at that machine as an expense. Looking at it as an expense, yeah, versus James tying it to the business and go, wait a minute. I'd buy three machines if I had the money, now that you understand, yeah, that I could fill seats in front of that machine until the cows. Hired more people. Right, actually spent more money hiring people because it was tied to the business, no longer tied to it as an expense. Yeah, that makes sense. So that's the gap that we are responsible for filling.

Speaker 2:

Yeah, yeah, you know, and it's really important to identify those things, because if I just come in and say, hey, you need a firewall, you need MFA, you need better encryption, which yes, yes and yes, but if I can't tie that to the business, how much do I really know about my business? I think there's an unspoken, not very well articulated expanse between a lot of cybersecurity professionals and the business side, because it feels like if you really knew this, you could probably speak my language, but you're just at this smaller level, not able to get over that hump to kind of the business side, the big boy side, right, big pants.

Speaker 3:

Yeah, that's the key is tying it to business and selling more cars. There's so much being done in the industry with how are we structuring our BDC? And here's another risk question that everybody's wrestling with Am I sending employees home? Are they staying home? Are they coming back to work? When I send them home with PII, what does that mean? There's a lot going on. Oh, absolutely.

Speaker 3:

You and I both know, we all know that there's a lot of restless nights in the minds of the people that are responsible for that. But you know, not thinking about it doesn't fix it. So there's, it's a fluid industry as much as the car business is selling cars. What's happened the last few years? Sending people home, you know what? The BDC and automation, all the stuff that's going on there. There's a lot of opportunity to ask the question. Please help me know what I don't know. Any business is smart to ask that question, because to think you know it all, you're nuts. It's not a good place to be.

Speaker 1:

One of the things that surprised me the most is the FTC moving the responsibility on the shoulders of the dealership for their vendors. That's the thing that really caught me by surprise that the FTC said hey, by the way, you need to verify that your vendors, big or small, you know, Because there's hooks.

Speaker 1:

Yeah, there's hooks From all the vendors into the systems and they said you guys now need to verify that they have a proper security program and that there is some auditing that's happening there. And that's the thing that keeps me up at night. It's like you know the vendors in the space, not the IT vendors I'm talking about. You know guys that are doing you know after service calls for you guys, or you know after-hours calling and have access to your DMS and have access to your CRM and have access. All those companies need to be audited, looked at, verified.

Speaker 3:

So, James, is that an IT problem or is that a policy and procedures problem?

Speaker 2:

That's kind of both. And to speak to the FTC, they're not just requiring this now. Nothing really changed there. Yeah, it used to be, if you look at the old rule, there's basically one line that said you have to have appropriate security controls. Okay, this included making sure that you're protecting the data appropriately. But people didn't even have passwords on some systems. So the FTC came and said okay, here's some very specific rules that you need to follow, and it's not just the FTC doing this.

Speaker 2:

US Department of Defense is doing it with the CMMC, the new cybersecurity maturity model certificate. They used to let companies self-certify. They saw that, okay, you boneheads aren't doing it, we're actually going to make it a certification. So the entire industry is going to the same thing of here's the very specific rules, which is great to be able to spell it out and say here's what you need to do to be compliant, because it typically was very ambiguous.

Speaker 2:

Yeah, but tying it back to checking all of the suppliers and vendors, I think we've talked about it before, to where, if you take somebody's data, you receive it, you now own that. You have the responsibility to protect it and you can never transfer that fiduciary responsibility. So it's very much like if I'm borrowing your car, yeah, and then Phil comes to me and says, hey, can I use that car, and I give him the keys and Phil wrecks it. Well, you're going to be mad at me, not at Phil. I mean, probably Phil as well, but really you're going to be mad at me.

Speaker 2:

And I'm going to have to make the amends. And it's the same thing with the data. If I'm sending your data off to all these places, I need to be sure that they're going to protect it appropriately.

Speaker 3:

Yep, We've talked a lot without actually addressing. I think we've made an assumption here as well that our audience is fully aware and familiar with what the rule change is, so is that something that we might want to roll through? Yeah, absolutely.

Speaker 1:

Let's talk about kind of like the highlights of what it looks like or what the new requirements are. I mean, I do have it handy if we want to go through that and maybe explain like do a couple seconds on each one. So number one is an information security plan. Right, that's pretty self-explanatory. You want to?

Speaker 3:

expound on what that really means.

Speaker 2:

Well, I think that's what we talked about before, which ties back to really how are you identifying risk? How do you identify and how do you inform risk to make appropriate decisions for your business?

Speaker 1:

And this isn't something that you can shoulder on a vendor, right? It's like these are internal protocols and operational protocols that the dealership itself has to have and manage actively, like an oil recycling program or a loaner program, anything that has to be actively managed.

Speaker 3:

Yeah, I buy a car from you. You've got my data. You're responsible for it. To your earlier point, you can't put that off on anyone else. The plan has to be written. I think the way you've described it before, James, is if you get yourself in trouble, you've got to show that you've made the effort. Yeah, due diligence, due care.

Speaker 1:

Yeah, we've actually done everything that we could do, or appropriately. Yeah, what I think the definition may be, correct me if I'm wrong, is like, what's what a reasonable person would do? Right, it's like it's something of that nature. It's like, is this something that a reasonable person would do? Like do some investigation, create a plan, put some meetings together, put that together and then address this in the most appropriate way that they have available.

Speaker 2:

Right, right, exactly, and it comes down to how many resources do you have? Yeah, if it's a single-person dealership on the corner, they obviously can do a lot less of what they should be doing. If it's a 12-site location with millions of dollars coming in, you can do a bit more. And the FTC, when they come and look at the data breaches, actually factor that in.

Speaker 3:

That makes sense To whom much is given, much is expected. Yes, exactly.

Speaker 1:

So the second part is an incident response plan. So that's pretty standard, right. I mean, that's something that you can do and have like a fire drill, right. And you say, hey, this is who's responsible for this plan. If this person is not responsible, an alternate right In the military we had.

Speaker 1:

These things were pretty standard and said do this checklist and do this, do this, do this, do this, do this and inform your counsel. Talk to the managers, what was exposed, define it, and that's a pretty static document. Right, that's not something that's going to be changing constantly.

Speaker 3:

Right. Geographically, if you live in South Florida or in Florida, you've got a hurricane response plan. If you live in the Midwest you've got a tornado response plan, and so forth. It's in a binder, you know, on the desk behind somebody. So yeah, as long as it's there and they come in and say where's your incident response plan, it's in the binder, right here.

Speaker 2:

Great, check the box. Yeah, exactly, yeah, and that can even be pushed on to a third party as well. Yeah, at least on the cybersecurity, yeah, to where, if I see something, I'm calling this number and then they take care of it.

Speaker 1:

Yeah, we have an incident response point. That's like our standard, templatized, and we're like, hey, fill in this information, the variables, which is your name and the last time it was reviewed, and do these things if something happens, and we'll help you through that process. Call us is step one right?

Speaker 2:

Yeah, it doesn't need to be complicated.

Speaker 1:

Yeah, exactly, exactly so, exactly so. This is a good one.

Speaker 2:

risk assessment. This is where IO, right, really shines, is Input Output really says okay, here's a risk assessment. Can you? Let's go into that a little bit. Well, it really comes down to identifying how do you assess risk, putting the system in place so that it can be repeatable, to where you know how to identify risk, then you can assess it to see what impact would that be to the business. And then that will allow you to have the conversation internally of what should we do regarding this risk for a data breach or for a hurricane. What controls should we put in place? Do we want to spend the money on hurricane glass or do we just want to put up shutters?

Speaker 1:

Yeah, and if something goes sideways on that, that you accepted that risk Correct and you said, no, we're, it was just for the nature of our business. We're going to put shutters and it's better than impact, and then we just move along with that risk, right?

Speaker 2:

Yeah, it really comes down to, once you understand it, then you can understand what's called your risk appetite. How much risk do I want to take? And it's the same in finance. Some people are heavy into stocks and they're riding that wave every day, and then other people are just in CDs, bonds. Some have the money under the mattress.

Speaker 3:

So a little bit different risk appetite there. So okay, so provide a risk assessment. I want James to kind of blow his own horn a little bit. What that means in his world is, when the questions are asked and answered, describe the deliverable that you provide to your customer, our customer, and how many categories of risk, basically, are you assessing to help bridge the gap as to what is it you're really doing?

Speaker 2:

Yeah. So I guess, to talk about the actual assessment, down and dirty a little bit more, is we follow a lot of the same NIST standards, and for those that don't know, that's the National Institute of Standards and Technology in the US. Yeah, they basically come up with a lot of those very long reports and different rules, but a lot of best practices. So we follow that, but we really look at a lot of different control domains. All right, one of the big things is the governance of the organization. How are you all actually managing your risk? That really comes down to your information security plan. Do you have one? Who's in charge? How are you addressing it?

Speaker 1:

So let me interrupt you one second. So if you didn't have an information security plan, what score would you get? One to ten?

Speaker 3:

Well, it's an interesting question because when James presents the assessment, nine times out of 10, the client's like, oh my gosh, I'm going out of business with that score. And he's very quick to say a hundred's not the way we're judging here. A hundred is beyond belief, unbelievable, yeah there there was.

Speaker 1:

I was talking to somebody who's like, working for a company that gets 100 is almost impossible to work for. Is that right? It's like that's not necessarily the goal, but you'd say not having an information security plan is a zero, and then having one would be, you know, a five, or typically like a five.

Speaker 2:

So it goes from okay, you don't have one at all, a zero. You have an informal one. Nothing's written down, we just, we quote, unquote, know what we're doing, which you don't. And then there's a partial written one, a written one, and then, finally, the best you can get is we've got a written policy that's approved and appropriately maintained, and Ernst & Young made it or something.

Speaker 1:

Yeah, Deloitte was. It's been looked at. Exactly, or?

Speaker 2:

Input, output or somebody else made it.

Speaker 3:

Or Input Output. I'm sorry.

Speaker 2:

Just throwing that out there, but in the same thing with the controls. So it's really looking to see where are we at, what do you have in place and then what's the risk associated with this? If it's a low risk, don't spend any more money on this section. It still maybe shows up red, but you can be a little bit more confident or not let that bug you so much, because now you've assessed the risk and if an auditor comes in, you can actually stand behind what you did. We did this because this is the risk we had assessed.

Speaker 1:

Yeah, and this is the way we decided to move forward. So, in a real world scenario that would be like, hey, we're three people, right, and it's like, yeah, we have, we've gone over this, we're a three-people dealership, and that's in.

Speaker 3:

You know, let's say, 441, we're in South Florida, so 441 dealership, but we have three people, so we're assuming the risk, right? Or it's 500, we can be rooftop, we could be any size group, but the wow, it's red, and if we ever have that happen, it's going to cost a hundred dollars. No problem.

Speaker 1:

Yeah, exactly like we're assuming the risk of this and and then move forward with it, right, but you have identified it and that goes a long way in the eyes of these regulators, regulator bodies, right, okay?

Speaker 2:

Yeah, and it kind of comes down to don't put a $1,000 lock on a $100 bicycle. Yeah, that makes sense, that's not good business sense. Yeah, that makes sense.

Speaker 1:

All right. So I think I have a pretty good understanding of the risk assessment and what it enjoys, and it's really where your strengths and weaknesses is in the organization and what you can do about it. And even if you decide to not do something, you at least looked at it right, correct, and that assessment proves that portion Correct. Another piece is encrypt all data. Right Is encrypt data that has personal identifiable information right.

Speaker 1:

That there's some pretty standard tools out there that can do that. That's nothing outside of this world. G Suite does it, you know. At rest, office 365 does the same thing. You know you want to transmit encrypted data, don't you know? Send people's driver's license through email, right or personal identifiable information. That's data loss prevention in some capacity.

Speaker 3:

Multi-factor, oh, go ahead, but the key following the assessment is great, we know all that. What controls are in place to make sure you don't do it? Yeah, right, so we know that. Okay, everybody knows that in the auto world. Okay, that's not news that you don't do what you just said you shouldn't do with a driver's license. What's the control in place that prevents it or catches it if it starts to happen?

Speaker 1:

and by control you mean something that's repeatable, measurable and trainable. Right that's, and who owns it and who and somebody Is it?

Speaker 3:

somebody in the dealership that owns it, yeah, or are we pawning that off to somebody else to put a system in place that will prevent that? You know, dlp.

Speaker 1:

Yeah.

Speaker 3:

Right, If I'm sending a driver's license information or social security information out, is there a system that will say that can't go?

Speaker 1:

Yep, that's not allowed.

Speaker 3:

Right, and what's a big one usually is wire transfers.

Speaker 2:

Right, that's a real big one. I mean, you get those wire transfer requests in and that comes down to also having a policy kind of a procedure. How do we handle these internally? So that comes down to some training. And then another layer of the defense is the DLP. That's the technical side of it, and then what other controls can we put in place so that there's kind of that layered defense? So if people are going to mess up when they do, is there something that's going to catch that mess up Correct, and if that fails, is there something that's going to catch that one?

Speaker 1:

Yeah, yeah, and one of the things that I'm kind of explaining to you is like this is a scaffolding, like cybersecurity is a scaffolding, right? You put the dealership in the middle and you build a scaffolding all around it, right? So if you have multi-factor authentication encryption, you know EDR I'm using a lot of acronyms but a security operations center and you have all these things. We're mitigating the chances, right, or reducing the chances of risk to make it as small as possible.

Speaker 3:

Going back to our earlier part of the conversation, if you're not careful, scaffolding building can be perceived as an expense. Yes, the bigger the scaffold gets, the bigger my expense. So the idea is to focus on the risk side. And what are the pros and cons? Why are we building this scaffolding? Absolutely? Why are we building a $1,000 scaffold? To protect $?

Speaker 1:

protect a hundred bucks, yeah exactly, or is it going to?

Speaker 3:

cost me a hundred bucks to protect.

Speaker 1:

You know, a lot, that's, and you know, to be very clear, the three-guy dealership is not our customer. That's not the people that really should be worrying about this. I think the minimum is that if you deal with 5,000 records, I think the FTC said it's something of that nature, there's kind of a minimum requirement that says if you're not a business that's doing, you know, CCPA was, I think, at least $25 million a year in business, and dealerships, small dealerships, blow through that easily. That's kind of the thing, is there's not many businesses that do so much business in such a small kind of footprint, right?

Speaker 3:

But, to be fair, there's nothing that prevents the three-guy dealership from doing everything right. The tools are out there, and they need email, they need all these other things, yeah, so they're paying for it and somebody's implementing it. There's nothing that prevents them from doing it, right? Yeah, at obviously a fraction of the cost, because of their size.

Speaker 2:

You know, in talking about kind of that layer, the doing it right. Going back to the, how can we avoid risk? Sometimes in the risk assessment we identify that multiple buildings, multiple sites have customer information but they don't need it. We only need that say, maybe in just the finance office, Okay, All the others we just remove it from. So now we don't even need to do security controls in there, because maybe all it is that could be impacted is just a desktop computer, and you know we can buy a new one if needs be.

Speaker 1:

So on that point, that's a very good point, a very good segue to my next question data retention policy. There's two ways that you can look at this. Right, it's like what you're supposed to keep and for how long, which is there's probably state regulation that said, hey, if your service records is a big one, right if you have to keep service records for seven years. But also, on the flip side of that, it's like if you don't have to keep the data, destroy it. Right, like the personal identifiable information, process it and destroy it properly, right. You don't want to keep records that you don't necessarily need to have for longer than you do because it increases that risk and that risk assessment. Am I correct in that thought process?

Speaker 2:

No, absolutely. I'm going to steal a term that one of our partners uses, but he calls data toxic waste.

Speaker 1:

Yep.

Speaker 2:

Once you have it, it's there, it's on your hands. You can't get it off, but if you can get rid of it, get rid of it.

Speaker 1:

Yeah.

Speaker 2:

Because it's just, it's a problem waiting to happen, yep. So again and I harp on this, but it goes back to understanding your business A lot of companies collect all of this information and they hold on to it, yeah, with no way to monetize it. Yep, if you can monetize it, it's going to do something for the business. Great, that makes sense. If it's just sitting there because you've never evaluated it or you just don't want to get rid of it, that doesn't make any business sense.

Speaker 1:

Get rid of it so that you can protect yourself. Toxic waste is a good way to look at it, so you're not advocating taking that old data and creating a spam list.

Speaker 2:

No, not at all Monetizing. Okay, just being clear. We've talked about this. I think you'll not get a call from the FCC.

Speaker 1:

You'll get a call from the FCC. All right. So multi-factor authentication, we use this term a lot, MFA. Multi-factor authentication, to put it very simply, is a second way of verifying that you're you logging into your account, right? So that would be, you go to, let's put Facebook as an example, you put your username and your password in, and then you get a text message or something to your phone, or an authentication or a code to your email, and that's a second way of authenticating that you're actually you and it's not some guy in Uzbekistan that has gained access to your account and now there's actually a data breach in progress, right?

Speaker 2:

Correct. Yeah, the multi-factor actually comes down to different methods of identifying who you are. So something you know is your password, something you have, like a token, or on your phone, the number that comes up, a code, yeah, something you are, so maybe a biometric, yep, and then you can also do somewhere that you are, so maybe that's geolocation.

Speaker 3:

Maybe we restrict it to a specific area. Two things about this that we should establish in the industry. This is no longer something that I might should think about doing. This is table stakes. Table stakes.

Speaker 3:

Okay, number one. But if you're implementing it for the first time, think about it. You decide, hey, I need to do this, and you just say here's what's going to happen tomorrow. Well, where's the policy in your documents that says employees use either their cell phone or an app? Okay, that's part of the whole Input Output process. Yeah, you're adding something. It's got to be documented all the way through. Okay, and back to table stakes. We've understood recently that if you check "we are not using MFA" on your cyber insurance application.

Speaker 3:

It's an automatic denial. Yeah, that makes sense. So that's just not even something you can ask. I need a cyber insurance that will not make me do MFA. Yeah, yeah, yeah. Waste of time.

Speaker 1:

Yeah, that's like you know. It's like I need a car insurance policy that will let me drink and drive.

Speaker 3:

Correct. That's just 100%. It's a no-go, it's a non-starter right Correct.

Speaker 1:

Yeah, 89% of data breaches come through passwords getting compromised, right, I mean in some capacity, and that's phishing. That's what phishing is. It's to say, hey, Phil, log into your Office 365 account and you're like, oh, it looks legit. You put your username, you put your password and then you're in, or a wire transfer. And if you don't geolock, right, meaning that you can't log in from outside of the United States, which mitigates risk, if you don't have a multi-factor authentication, which is the second way of verifying that it's actually you, or you don't have, you know, odd behavior analysis on your infrastructure. That's a very easy way. And you know, Amazon packages and people share their passwords at multiple locations, and it's very, you know, this is the common way. And you know, let's call Bob in accounting, and you know, maybe not a sophisticated PC user. That's low-hanging fruit for hackers. That's the reality. Somebody, a 12-year-old, can do that. So along that line, funny story.

Speaker 3:

Real quick. Somebody told me a story. They were cracking up while they were telling it. It was their son-in-law's family or something related. And the mom picked up the phone one day and called the husband and said what did you order? He says I didn't order anything. What did you order? Uh, nothing, why? There's two huge packages. They got freight dropped on their driveway. Dad didn't order anything. Mom didn't order anything. Trace it back. The four-year-old jumped on Amazon with the saved password, saw a three thousand dollar jungle gym that looked really cool and bought it. Are you serious?

Speaker 3:

That's serious. Oh, it cost him like 800 bucks to ship it back.

Speaker 2:

Oh, so you don't get to keep it. That's too bad. That's terrible.

Speaker 3:

There's a bad lesson in that. Keeping it would have been a bad lesson, but again, why? How does a four-year-old make a purchase of three thousand dollars? Saved Amazon password on mom's account. Convenience?

Speaker 1:

That's why. Convenience, we sacrifice a lot for convenience. We've understood that since 2000.

Speaker 3:

The reality, but again, as we're going through the list, what is it that we're protecting? If we keep our eye on the ball, it's client data. Correct, so this is all about client data and responsibility. Sounds like. Why, why, why?

Speaker 2:

Yeah, well, yeah, and that's the focus of the FTC, but what we're really protecting is the business, correct. We're keeping the business operational, we're keeping the reputation and ensuring that the business can continue to function.

Speaker 1:

Yeah, absolutely. All right. This one is a little, I think this is outside of kind of people's normal understanding of what IT requirements are, because most people are kind of used to multi-factor authentication. Data encryption is something that they've heard about before. So, adopt procedures for IT change management. This is one of my favorite ones. How could you explain this to somebody that isn't necessarily IT sophisticated or doesn't understand change management from an IT perspective?

Speaker 2:

I mean, this comes down to, even in dealerships and everywhere, to where, if you're making a change, document it. Yep, so that way the person coming behind you, or when you look at it later, you actually know what you did. And on the IT side, it also tries to focus on making sure you're doing a risk assessment of the change. Yep. If we're doing this change, are we going to introduce new risk while we're doing the change? Is there a risk there that we need to mitigate?

Speaker 2:

Say, if we're moving a server from one building to another, we need to make sure we don't leave it sitting outside where someone can just walk off with it. But yeah, it really comes down to making sure those changes are documented, which I would think in every industry just bugs a lot of people when the tools aren't where they're supposed to be, or... Well, I mean, I know.

Speaker 1:

So I've suffered from change management, from the lack of it in some capacity. Right, it's like, you know, dealerships are, and I talk about this, you know, I wrote an article about this a couple years ago. It's like, oh, the dealership bought this new shiny thing, right? And if that process isn't implemented or deployed correctly through a change management process, it's like somebody's a stakeholder, you get, you know, people to buy in, what could go wrong, what could go right. Is this the right thing? You know, if you don't have a management, a process to managing that change, it ends up being closetware, right.

Speaker 1:

So the IT guys usually have to jump through a million hoops to get this thing deployed. And then the iPad stands are sitting in the IT room and it's like this graveyard of poorly implemented processes, and dealerships have these. This happens a lot, right? It's like, if you implement at the dealership a proper change management process, it's going to make your dealership more profitable, it's going to make your dealership waste less money, and you don't, you know, at the drop of a hat, implement these new tools that are going to sell you more cars, when you don't really have the operational capacity or momentum to make sure that that's implemented correctly and it's set up for success rather than failure. So if you implement that as a philosophy in the organization, IT change management just becomes part of that, and so we do change management in general as a company philosophy and then have those things implemented. So this is one of my favorites, because it's not necessarily IT, it's just operational, right, in general. So we talked earlier about the name on the building.

Speaker 3:

There's a lot of family-owned car dealers around the country, and that's the reason why a lot of people like to work in this industry, because it's a family type operation, and along those lines they give a bit of autonomy from store to store, because, you know, your Honda dealer might not be the same as your, you know, Ford dealer, as an example, for different reasons. So there's some autonomy. The point here in change management is the Honda store might say, hey, we're going to run this program, and they go and make a decision that's store-wide. It's not really discussed at the corporate level.

Speaker 3:

Yeah, and it ties in with some databases, it impacts, it requires the phone system perhaps to be involved, and there it's touching systems that you don't think about, because it's not your job to think about it. Your job is to sell more cars or do better customer service, but because you didn't, you know, take that back through the change management process, all of a sudden you've got to tie other vendors into it, because the thing doesn't work. Yeah, okay.

Speaker 3:

So hey, all of a sudden this AI, for example, that we put in place is not working. Oh, did you think about this vendor that's involved? And what's that contract mean? We don't even know about that contract back at corporate, so when it's over we can disengage that hook, et cetera, et cetera. So the process of the policy, I think, helps tie in all the vendors that might have to touch that project that you don't realize, because all you're dealing with is the salesperson from the AI company, in this example, that says it's going to be great, you're going to love it, and this is what it did at, you know, the Input Output dealership. They're making a million dollars. Oh, I need that.

Speaker 1:

Yeah.

Speaker 3:

But they're not. Their job as a salesperson is not to walk you through all the reasons why you might not want to do this. Yeah, but that's what a change management policy or procedure would do, is pull in... Let me ask you, have you ever walked into a dealership and they said, we just bought this software, and you were never involved

Speaker 1:

in the decision. It happens all the time.

Speaker 3:

It happens all the time. Okay. Is there an IP address that that software touches? I should have been called. I should have been called. Yeah, yeah, yeah.

Speaker 2:

Absolutely. Do

Speaker 1:

we have to push it out to all the PCs? Exactly. Like, is this a reputable company? Yeah, and now that you're bringing that up, it brought up another point for me. It's like, if you're a multi-rooftop organization, you're only as strong as your weakest general manager, right. If the general manager found some Mickey Mouse company out there, to use a South Florida term, right, a South Florida car business term, if he found some Mickey Mouse vendor out there and they get compromised, that's compromising your entire organization. If they're doing integration or hooks into your DMS or your CRM, you're only as safe as that vendor, right?

Speaker 3:

So that's part of it, that's a big piece, and in that example, if that policy doesn't exist, that GM didn't do anything wrong. Yeah, exactly. He followed the lack of procedure. Yep. You know, he's not wrong. It's just not a policy and a procedure that the family of dealerships has put in place, which would have been identified in a risk assessment and would have prevented that kind of thing. Yeah, that makes sense. All right.

Speaker 1:

So, qualified individual. What would you consider to be? I mean, because it is vague. I mean, NADA was like, hey, if everybody has to have a CISSP or a CISO or whatever, you know, a CISO at the organization, like, it's going to put the dealership out of business in some capacity or, you know, very much hinder the organization. But what do they mean by a qualified individual? What would you say? You're

Speaker 3:

works 40 hours a week at the dealership actually shows up.

Speaker 1:

It's a job application. Can fog a mirror.

Speaker 2:

You know, I just joke.

Speaker 2:

Kind of true. I hate to say this, but I think it depends, yeah, and it depends on the size of the organization. That makes sense. What are your risks? What do you have in place? If it's just a single computer, a three-person firm, they're just working out of one room, my nephew knows how to run the computer and we've sat down internally. If it's a larger institution, it needs to be somebody that can engage with these solutions, that knows how to manage them, or at the very least engage with appropriate people.

Speaker 1:

Correct. Yeah, that's the, you know, for me, I think if you have somebody with credentials, right, security credentials, CISSP, you know, CISM, Security Plus, I would say it's a safe bet to say that that person, you know, with the proper experience, could be a safe bet to do that. The good thing about what the FTC says is that you can outsource that and have somebody be your qualified individual for the organization.

Speaker 1:

So one CISSP, which is one of the services that we provide, can be the security entity or the qualified individual for several dealerships, which makes sense, I mean. I think that flexibility is very beneficial in that case.

Speaker 2:

Correct. Yeah, and I think that's where it comes into, that you don't need to spend tons of money to make this happen. You can engage with the right services, with the right companies and get everything that you need appropriately. Yeah, that makes sense.

Speaker 3:

It says here, appoint a single qualified individual to oversee the dealership's ISP.

Speaker 3:

That's not internet service provider, as we're throwing acronyms around, okay. We're talking about their company's information security program, which goes back to the top of the list, which is the written documentation. So are you taking that in-house? Is there somebody in your dealership that's going to stop selling cars or doing HR or doing whatever they're doing now 70 hours a week and take over the ISP? Are you going to add that to their responsibility, or could you use a little help?

Speaker 1:

That's the idea, and you could even have that person oversee that as part of their responsibility in this world. Right? It's like, you don't have an in-house counsel, but you have somebody that contacts, there's a liaison between you and your outsourced counsel, right? Correct. They say, hey, we have, you know, so-and-so law firm that takes care of these things for us. You could have that liaison that preps everything for them. Same thing with the information security program. You can do the same thing.

Speaker 2:

Absolutely, yeah, and that brings up a good point. I think a good question to ask the dealerships, ask any business, is how much revenue does each employee generate?

Speaker 3:

per hour.

Speaker 2:

Yeah, and is that different for each of the levels? Because that helps inform: should we outsource this, or should we make somebody internally do it? Yep. Somebody's only generating $5 an hour in revenue? We can give them some more tasks.

Speaker 1:

Yeah.

Speaker 2:

But if they're generating $10,000, $20,000 worth of revenue because of the initiatives they're pushing forward, I want them doing that, not focusing on these things.

Speaker 1:

Yeah, a lot of these dealerships have the guy, right, and the guy does all things, right. He might be really a project manager and doing remodels and constructions, and might be dealing with compliance and legal, and this information security plan, or program, might be part of his responsibilities, and they're like the back-of-the-house, almost, things that have this. So, qualified individual. Monitor and log all activity of authorized users and detect unauthorized use or access of customer information. This is a big one.

Speaker 3:

I don't think there's any way around that except through some sort of IT program. That's not anything that can be humanly done.

Speaker 1:

Period, end of story. Yeah, and it can't be a manual process, right? If you have somebody that's doing this and reviewing logs or activity throughout every single entry point or exit point that the dealership has... I think the only way to get around this, or to comply with this, would be with a security operations center that is 24-7, 365, monitoring, managing, addressing risks real-time within SLAs, which are service-level agreements, and you have somebody doing that. I don't know, unless you want to create your own, which is a possibility, right?

Speaker 3:

At the bare minimum, as long as it's logged and reported and the information is sent and somebody sees it.

Speaker 1:

At a bare minimum, yeah. Yep, yeah, that's the thing that I'm always, you know, telling my dealerships. It's like, okay, you can have a SOC and comply and check the box, but if you go to the dentist and the dentist says, yeah, you have a couple cavities, go home, it seems like you're in for a world of hurt, right.

Speaker 1:

There has to be something that's done. So there's that, the response part. They say, okay, we found a couple cavities, we drilled in, filled it with, you know, whatever dentists use, and then move forward. Right, it's like, oh, we addressed this. That's the stuff that we get from our organization that says, hey, we found some weird activity coming from, let's use Uzbekistan, I'm sorry to pick on you, Uzbekistan, but we saw some weird activity. We blocked it. It's no longer happening. We saw it as a malicious thing. We cut it off. No data. It had like a very small window, and, you know, you keep moving forward, and you just report it and log it and monitor, and you did something about it, and then move forward, right.

Speaker 3:

Yeah, that's the dental analogy. You got a seed in your tooth. Yeah, okay, great.

Speaker 2:

Yeah, and I mean and that ties back to the incident response plan. Yeah, you know, once we identify something, how are we responding to that incident?

Speaker 3:

or event.

Speaker 2:

So each of these really is interconnected.

Speaker 1:

Yeah, absolutely All right. So penetration test what is a penetration test and how do you do that biannually so?

Speaker 2:

I think on there it's biannual vulnerability assessments. You're right, you're right. And annual pen test. Yes, you're right, you're right.

Speaker 1:

It's annual pen test and biannual vulnerability test. Yes, correct.

Speaker 2:

So here's the big difference. A vulnerability assessment is kind of looking at everything, but you're not actually running exploits. You're not trying to kick in the door. Yep. You may look at the lock and say, hey, I think somebody could kick that in, that's a vulnerability, whereas the pen test is actually going to kick the door and say, see, that actually blew that right off the hinges. You're going to need to fix that, by the way.

Speaker 1:

And is this done by? So this is done by, a term that we use in the IT industry, a white hat hacker, right? So these are like good guys posing as the bad guys to make sure that your infrastructure, systems, PCs, network, is all safe, secure and there aren't any known vulnerabilities. To do that, right? If you put, you know, the full force of the North Korean cyber operations coming after you, I mean, that's not very reasonable, right? But if you have a qualified individual that is an ethical hacker, that is just, you know, jiggling the doors and making sure all the windows are locked and making sure that you have updated your software, and what a reasonable person would do, right, again, that term, what a reasonable individual would take action on, is do that, right.

Speaker 3:

So in a dealership environment, a penetration test is not just banging on your systems with a computer.

Speaker 3:

But there's the social aspect of it, and think about a car dealership where you've got lots of sales desks out in the open and a lot of salespeople hot desk. Yep, right. They share a computer. I'm not there, you know, seven days a week. I'm sharing that with you, John, and so somebody can walk in with a backpack and a baseball cap, or they can walk in looking like a salesperson that should be there, and they sit down at a terminal. What can they access?

Speaker 2:

Yeah, absolutely. So.

Speaker 3:

There's the social aspect of a penetration test, to say, hey, when somebody comes and sits down at a desk in this dealership, do they belong here?

Speaker 1:

Yeah, yeah, yeah. Right. Who's going to stop them? So

Speaker 3:

that's all part of it.

Speaker 1:

I mean, I'm an IT guy. Right, I look like an IT guy, I act like an IT guy, I know how to say the right stuff about computers, and I walk into the IT room and I can plug in a USB drive and nobody's going to ask me any questions, and that happens all the time. So there is, like you were saying, a physical aspect of security. Right, it's not only, it's like the trust-but-verify portion of this is to say, hey, no, who are you and why?

Speaker 1:

Where'd you come from? And you call the company, and, you know, the AC guy that's going to come and fix the AC in the IT room, and they just kind of walk in and he's like, who are you? What are you doing here? And let me verify that you have access and permission to be here. Exactly. Yeah, it's not just... So, security awareness training for all employees. That's pretty straightforward, right, I mean.

Speaker 3:

Commonly known as phishing training.

Speaker 1:

Phishing training that you're getting. You know, who's passing the test, who's looking at them. An annual cybersecurity training, weekly micro-trainings, top of mind. Don't buy Apple business cards for, you know, so like, Apple gift cards for anybody.

Speaker 3:

Let me ask you your thoughts on this, because I'm of the idea that this shouldn't be an us-versus-them sort of an environment. Hey, we're going to see how many people we can catch in phishing and then make an example out of them, because that creates a toxic environment. Yeah, absolutely. So,

Speaker 3:

the idea is to say, hey, first of all, this piece of paper that we're going over requires us to do this. Okay, it's for the business benefit, and we want to reward those who are paying attention, but for those that are not, we do have some training that we need you to take, because, as an organization, we're trying to get to a certain score. So when you implement a training like this... I've heard more people say, my brother-in-law got fired because they clicked on a phishing email, didn't have any idea they were doing it. It's hard enough to find good people as it is, yeah, so you don't want to set up an us-versus-them, but you want to present it properly.

Speaker 3:

What's the benefit to the business and your ability to make more money, and tie it to a positive reinforcement, but have a plan to help those that just don't want to listen. Like foster a culture of see something, say something.

Speaker 1:

Right? Is that everybody's protecting this, that everybody, and that's very operational, is to say we reward people that are always, you know, trust but verify, that are always see something, say something, that are protecting the organization in general. Not a gotcha, right? It's like, oh hey, you know, you clicked on that.

Speaker 3:

You know, today's your last day. Here's a policy I'd like to see implemented worldwide, in any organization, not just car dealerships. When somebody gets a phishing email, they seem to send it to me and say, is this phishing? Or they copy 12 more people and say, is this phishing? Just delete it. It's phishing, delete it. You know, don't give 12 more people the opportunity to click on it.

Speaker 1:

That drives me nuts. Phil, if you're ever in a beauty pageant, that should be your answer. Yeah, like, what's the one thing you want the world to have? World peace, world peace. And people not sending me phishing emails. Don't forward a phishing email.

Speaker 3:

You know, trust your instincts.

Speaker 1:

That's funny. Yeah, it's like, it literally is in the world. If it seems fishy, just delete it. You know, don't open the attachment, don't put your password in. You know, this comes down to, though,

Speaker 2:

it's really important for the business, for management, to have a commitment to this.

Speaker 1:

Yep.

Speaker 2:

Because one easy way to get around all of the security is, if management would typically do that, yeah, they would come in and say, hey, I need this real quick, just get this done for me.

Speaker 1:

Yep.

Speaker 2:

Well, now, if somebody calls up, or if you get an email like that, is it really management that's

Speaker 1:

working around it, or is this phishing? And it creates a lot of... Very good point. That's a very good point, because the majority of them are, you have a charismatic leader, you know, so like somebody at the head of it that is usually volatile, and if something doesn't happen, they'll blow their lid, and then they're in a meeting and said, hey, I'm in a meeting. Real quick, you need to wire $100,000 to XYZ, and they've been tracking the movement.

Speaker 3:

I'm buying this Porsche. I'm buying this Porsche, exactly.

Speaker 1:

So you need to make that thing happen. If it doesn't happen, I'm going to blow my lid. And so, out of fear, somebody just making the boss happy, they're making a massive mistake, and hackers understand that. Right, this isn't sophisticated. This isn't the guy in the basement in Russia doing this. This is just guys social engineering things on a regular basis, at scale, that are just preying on people's psychological tricks. They understand. It's like a magician, it's like somebody like a street hustler. They understand these things and they do them electronically.

Speaker 3:

Everybody knows how hard it is to get good cars today. Yeah, and when you go, hey, I got a line on this Porsche or whatever it is.

Speaker 1:

Everybody understands that it has to happen this fast or you might not get it. Yeah. So, and especially if you're like a charismatic, like somebody that has a temper, you know, or you're temperamental, like, if you say, out of fear, your organization might culturally say, pull the trigger on something because I don't want to get yelled at, and then it's a two hundred thousand dollar mistake, right? So that's the thing that I'm like, oh crap, you know, you got to be careful about that. Yeah, I mean, that compromises everything. Yeah, and that goes to, I think, risk acceptance. Yeah, the people on top can say that this is how we want to run it.

Speaker 2:

We're going to accept the possibility of these errant wires going out, or other things happening, absolutely.

Speaker 1:

Yeah, you know, I had a kind of super odd request from somebody, and like, somebody had never called me before, and he's like, hey, can you change this person's password? And I was like, dealer principal? Really big organization. I'm like, nope, I'm going to call the dealer principal and say, is this the right person? Am I okay to give that? Even at the risk of pissing them off, because they're, you know, traveling to, you know, Fiji or whatever, I'm going to say, listen, I'm going to do this, even if it costs me, you know, some reputation, or if it's a difficult conversation to have. I'm going to go that extra step and verify that you're you, because at the end of the day, I think that that's what I want people to do, to protect my organization.

Speaker 3:

Tell me if you run into this in your organization. So you're at a management or executive level in your organization, but you have techs, yeah, that go on site with a specific task. Correct. And when they're on site, as they're walking through the bullpen, they're being tackled by salespeople saying, hey, I need access to WhatsApp, I need it for business, you know, or whatever it is. You know, you got to unlock this because I need it for business, I need to be on eBay cars, or whatever it is, you know, that's been locked down for whatever reason. And I feel badly for your techs, because as they're trying to get to the IT closet to do their job, they get tackled.

Speaker 1:

Yeah.

Speaker 3:

You know, because, hey, that's the IT guy.

Speaker 1:

Yeah.

Speaker 3:

I'm not going to tell the boss I need something. I'm going to tackle him and guilt him into giving me something I need. And I feel bad for your guys, because they're put in a position that they shouldn't have to be. Yeah, and...

Speaker 1:

For them it's like, blame me, that's it. Like, my boss won't let me, that's it. Just blame me, I'll take all the blame. I'm fine with it. I'm comfortable with that feeling of being uncomfortable, because I can be the bad guy. They don't have to lose face, and they can be like, listen, man, my boss... I'll, you know, I'm like that.

Speaker 1:

That's cool. Like, I'm fine with that, because I am willing to, and through, you know, trial and error and learning my lessons, on a couple occasions, thank God it wasn't anything big, but I learned to say it's better to say no and to verify something than to be in a bad situation. But why

Speaker 3:

can't that be a policy?

Speaker 2:

Yeah, of course. You touch the IT guy when he comes in and you got to run around and do 50 laps. And a culture, yeah, and a culture, exactly, like us.

Speaker 1:

Internally, we have protocols, like password resets, they have their protocol. Terminations, they have their protocol. New hires, they're like, this guy is going to be, he's going to come on Friday and I need him, and like, all the pressure of finding the right guy, and if they, you know, they might be iffy in taking the position, and like, you got to verify it, and we have to get the email from HR that says this is the person and they've been in-processed, and they get a password and they get access to the system, because if not, you know, you might have a criminal on your hands that got through, hasn't gotten drug tested or background checked or whatever, and then we've just inadvertently given the keys to the kingdom, you know. Yep. So the last thing is assess service providers. That's, I think, the last point in this big change and shift in the requirements, is assess service providers. What's your take on that?

Speaker 2:

This is an industry thing, and it's really come about because of, unfortunately, COVID. A lot of the problems that we're having with distribution, with getting products, really come down to a supply chain issue that was never assessed before, and we can kind of see what the result is: it's a mess. So it's on every front, every regulation. This is becoming a very big thing. How are you assessing your suppliers and your supply chain? Okay, how can you make sure that, one, the people that you're giving the information to are going to keep it safe appropriately? And two, are they going to be able to provide the availability, are they going to be able to provide the services to your needs in the business? And those are things that have to be assessed, and actually, the risk with those suppliers. One of the things that we look at is just going down that brainstorm: what would happen if this vendor got breached? What would happen if they got a rogue employee?

Speaker 2:

What would happen if they just disappear?

Speaker 1:

Yeah, yeah, that they disappear. The company goes bankrupt, and then there's some place that gets sold in an auction and it has a bunch of data in it. Right, it's not? Yeah, it's not even.

Speaker 3:

It's not just supply chain. But if you got a marketing program that you're running with the local newspaper or whatever, and they say, hey, I need to hook into your database to pull this information, okay, so that's not supply chain. But back to our point earlier. Your DMS is secure on their end. Is the connection back to them secure on the other end? Yeah, and when does that marketing agreement with the newspaper end? So do we disconnect it the day it ends, or are we going to wait for six months and do an audit? So it's not just supply chain, but it's data interconnections as well. Data pipeline connections.

Speaker 1:

Yeah, I mean, I know at the beginning of our company people were like, how do I know you guys aren't some guys in a, you know, garage, just running

Speaker 3:

Who's back in the garage running this?

Speaker 1:

this business? Or like, how do you... And that's this, this is that, it's like, to verify that you're actually a company that has, and if you do have that infrastructure, what are your safeguards and what is your methodology? Because the businesses have changed, right. There's some businesses, you might be a marketing company that doesn't actually have an office, that you're all over the place, so it gets more into the weeds. Like, what are you using to secure those employees' remote computers? Are they, you know, bringing their own device? Do they have, you know, an RMM on them that are getting patched and updated, and you guys manage those PCs? What does it look like? So you almost have to become, as an organization or this financial institution, a lot more IT savvy to be able to make sure that you're complying, right. Yeah, and it also, tying it back to the business, comes down to availability.

Speaker 2:

Well, we're engaging with this supplier for a reason. Yeah. What if they go bankrupt and now they can't provide that service that we contracted them for? What's that going to do to our business? What if our IT company is no longer available and we can't get into our finance systems? So not just the data risk, that's a big one, but also, how would this impact the business just being able to operate?

Speaker 1:

Yeah, and I think it creates a new dynamic between you and your vendors. Right, as he's saying, you need to make sure that your vendors are also profitable. To say, this has to be sustainable. If you like their product, this has to be sustainable for you as well as for me, because your sustainability is my success, and that's what that looks like. And also about appropriateness, right. It's not like, maybe your janitorial services that you have in the organization aren't necessarily, you know, getting customer data, but they might have access to shredders, or how are they processing that information? Or, you know, it's people that you don't necessarily know about.

Speaker 3:

Right, it's like, maybe your detailing company or recon doesn't have to have anything, but yeah, I had an example where I had a car dealer call me and say, yeah, we need the car detailing guys to be on our network. I'm like, no, I'm not doing that. If they want to come out there and connect to the internet, they can purchase their own broadband circuit and provide that, not a problem, they'll pay for that. They'll be separate from you entirely, but to just say, for convenience, yeah, yeah, they need to be connected into my network.

Speaker 3:

There's.

Speaker 1:

That's a non-starter. Yeah, that's a non-starter. Yeah, yeah. And unfortunately a lot of these safeguards make some aspects of business more cumbersome, but at least you know that you're safe, protected to the best of your abilities.

Speaker 3:

So that leads to, how are we communicating across multiple rooftops? Okay, I mentioned WhatsApp and some of these other... Now, I'm in a law firm, and they do a lot of business over an app that I would never put on my phone, but those are things that require a conversation. Yeah, to say, that's not your best choice. You know, if you're using Microsoft 365 with MFA for email, by the way, Teams is baked in. You know, it's all part of it.

Speaker 3:

You don't need WhatsApp or some offbeat application to communicate with the other person. It's baked in. It's there. That's training, that's understanding. I don't like Teams. Guess what? It's not your dealership.

Speaker 1:

I mean, Teams is a core part of our business. We use it for everything and I could not recommend it more to everybody. To say use Teams: it comes from a reputable source. Microsoft, good or bad, or whatever you think about the company, they've been doing this for a long time. They do this for the federal government.

Speaker 1:

They do this for, you know, it's an operational system of the world, and they do have some really robust safeguards to put in there. One of the things that one of my customers was talking to me about is record requests, that they're using a Citrix ShareFile for it. They said they no longer send it through email. They send a secure link. The person has to log into the system, put in multi-factor authentication (this is for the customer data), and then they go into that link, download it, and then they have access to it. So you've provided the infrastructure and the scaffolding to be able to safely and securely transmit data and get it from a secure link. You can do that with, you know, OneDrive. You can do that with, you know, some of the pretty straightforward products, rather than just text messaging somebody their driver's license number or their stipulations for buying the car. It's like you can't do that for insurance information. All that has personally identifiable information. You can't do that anymore.

Speaker 3:

Right, and one of the things that is being discussed more frequently, I think, is taking email away from people and just using VinSolutions for Dealertrack employees. Just, you know, you've got an MFA to get into VinSolutions and there's an email provided, and can that be enough for that salesperson to live and do business on? Why does he need a separate email account?

Speaker 1:

Who's he?

Speaker 3:

Communicating with there that he couldn't communicate with through VinSolutions. So you've got an expense saved by not having an external email, and you've got the security baked into my DMS, but also you like policies and stuff.

Speaker 1:

You can't really send that through VinSolutions. I wouldn't have that in CRM, but it might be for everybody. It might not be for everybody, but who's living and working

Speaker 3:

in VinSolutions all day long? Why do they need to jump out of that to

Speaker 1:

do something?

Speaker 3:

Why? If you can't answer the question why, then there's a good reason for it. Yeah, if you can't answer the question why, then

Speaker 1:

why do they have the... yeah, it's about appropriateness, right? It's like minimum, like what's not going to be your general manager.

Speaker 3:

It's not going to be your, you know, yeah, manager. It's not going to be certain departments, but yeah, that's just something that's being considered by some people that are looking at that and say, hey, I see you live in VinSolutions all day long. Why do I need to provide you with another email address, which is another opportunity for you to do something stupid with a driver's license?

Speaker 1:

Yeah, and it's that concept of, you know, the principle of least privilege, right? It's like give only what you need, only what you need, right, not anything more. You don't need access to any of the stuff. Yeah, and make you feel self-important, and everybody's a manager at a dealership. Like, no, no. Appropriateness is really the group policy, yeah, about policies of the organization as well.

Speaker 2:

So yeah, you know, I think a lot about when I used to work at the bank, and I was very much a stickler that if you did not need to be in an area, you didn't get keys, you weren't allowed there, you could not even walk back there, and that caused a lot of friction. Some people felt like it was like we were excluding them or like we didn't trust them, and what it really came down to was: listen, if $50,000 goes missing out of the vault and you were back there, you're now getting investigated. Yep, a bad day.

Speaker 1:

Yeah, a very bad day, very bad weeks.

Speaker 3:

If you were never back there, you never even had access. You're not even on the list, yeah.

Speaker 1:

Yeah.

Speaker 2:

You're not even being investigated. So it's not just protecting the dealership, it also protects each of the individual employees. So I think some of that just comes down to how it's presented.

Speaker 1:

Yeah.

Speaker 2:

We're doing this to protect everybody all the way around and also help make things more manageable.

Speaker 3:

Yeah, and you know, if you ever worked on a company network, if there's a drive letter and you can double click on it, that meant you could have access to it, right? Yeah, hey, I can get to the F drive and there's data there, and I can get into another folder.

Speaker 1:

I guess they want me to have access to it. Yeah, absolutely, right. Hey, it's information for everybody, right? Why would you?

Speaker 3:

Yeah, I'm supposed to, I'm probably supposed to see that, is the attitude. Yeah, so lock it down and they don't even know it's there.

Speaker 1:

Yeah, yeah. Well, guys, I think this is a good place to stop. It's been awesome. Thank you, Phil, for coming here. Pleasure, John. Thank you, James, for coming here. It's been an awesome, super informative conversation. Can you guys just tell how to get a hold of you if anybody's interested in exploring more information about this?

Speaker 3:

Phil, your company physically located in Deerfield Beach, Florida, or universal-telcom on the web. Universal-telcom, again, been in business since the mid-90s, focusing on communications and helping dealerships and all industries with their connections, with, you know, how, and that's how you and I have worked together and working on that aspect of it, and then again partnering with James to get the companies that understand that they need to look at their business risk, bringing James to the table to my clients and helping them to take that next-level step.

Speaker 2:

So universal-telcom. Yeah, and the easiest way to get ahold of us is 844 input out. Just 844 input out, or right on the website at inputoutputtech, T-E-C-H.

Speaker 1:

Perfect. Thanks, guys. Appreciate it, John.

Speaker 2:

Thank you. Thank you, pleasure.

Risk Management and Compliance in Industries
Business Risk Management and Compliance
Bridging the Knowledge Chasm in Cybersecurity
Cybersecurity and Business Risk Alignment
Risk Assessment and Incident Response Plan
Cybersecurity Risk Assessment and Controls
Operational Change Management in Organizations
Penetration Test vs Vulnerability Assessment