Security Market Watch

SMW #8 - Small Business Security Compliance Ft. Matt Vatter, Executive at Accelerate2Compliance

August 16, 2023 Josh Bruyning Season 1 Episode 8

Are you a small business owner wrestling with the complexities of security compliance? Let us clear the fog. Join us for a riveting conversation with Matt Vatter, Executive of Operations at Accelerate2Compliance. Matt's rich background at the State of Minnesota has paved the way for his current role, where he helps small businesses stay on the right side of cybersecurity compliance. His insights on the unique services his company offers - primarily to dealerships in the automobile, power sport, and marine industry - are sure to provide value.

Security compliance need not be a thorn in your side. Listen as Matt delves into the terrain of small business security, shedding light on the auto dealership industry's conservative stance on security. Matt's expertise illuminates the challenges these businesses face - from the view of security as a cost AND an investment, to dealing with high turnover, to the struggle of implementing security measures with limited resources. The need to understand the SEC rules and regulatory frameworks such as NIST and ISO will also be underscored - essential knowledge for any small business owner.


Speaker 1:

Welcome to this episode of Security Market Watch. I'm your host, Josh Bruyning, and my guest today is an Executive of Operations over at Accelerate2Compliance, Matt Vatter. Matt, thanks for joining me today, and in person. This is our first in-person show. It's virtual, but you're the first to bless, grace us with your presence at the studio.

Speaker 2:

Being in the studios. Yeah, that's pretty awesome. Thanks for inviting me on, Josh. Nice to see you again.

Speaker 1:

We did one of these, what, probably a couple of years ago, I'm thinking. Yeah, about a year, maybe a year and a half ago. It hasn't really been that long. It's been a long time.

Speaker 2:

Wow, yeah, we did it. We did a Zoom and did it that way. Yeah, it was good.

Speaker 1:

And we met at an ISSA conference and you were a panelist, and at that time you were the Assistant Commissioner for Enforcement at the State of Minnesota. Yeah, the Department of...

Speaker 1:

Commerce. Department of Commerce. And I just had to talk to you because, you know, at the time, well, I still work for Trustmap, but at the time I was there on Trustmap business, and what the panel was talking about really resonated with this idea of not just compliance, but what do you do next? Sure. And I think that's what's really trying to hold those people accountable and hold those businesses accountable for the sake of the patrons and the residents of the State of Minnesota. So tell us a little bit about your new gig over at Accelerate2Compliance.

Speaker 2:

So I left the State of Minnesota in January and kind of took a little bit of a pause in my professional life for a little bit. Accelerate2Compliance was a company that I've known probably for at least four or five years. The principals from that, I did some guest speaking at some events that they had sponsored, and I really liked what they were doing for small business. And Accelerate2Compliance, at the time that I had originally met them, was called Risk Smart Advisors, and had developed a proprietary tool that helped people that fell under the FTC Safeguards Rule to put together their written information security programs from a policy perspective, from a training perspective and from an overall programmatic management perspective. Nice, simple, easy tools that most small businesses could very easily implement and get on that road to compliance. So I had worked with them previously and, serendipitously, in probably November of 2022.

Speaker 2:

Greg Fleiter, the CEO of the company, said, hey, we hadn't talked in a while, let's grab a drink. So we had a little bit of a happy hour and we were discussing things and he said, so what's your plan, what are you doing? And I kind of talked to him about that and, lo and behold, a couple of weeks later the situation arose where I was going to be leaving the Department of Commerce. I reached back out to Greg and told him what my timeline looked like, and he says, that's awesome, let's talk in March or April, and I want you to come on board with us. So I came on board with Accelerate2Compliance mid-April of this year and rapidly learned the tools from the inside, from an administrative perspective, and I've been working with clients since.

Speaker 1:

So when you are an operations executive, that seems like a very broad term, a very broad title. What exactly does that entail?

Speaker 2:

Well, you kind of hit the nail on the head. It really is broad. Accelerate2Compliance is a smaller company. We have a very limited group of professionals that help businesses, so you really do kind of have to take on a little bit of every role. So I do client onboarding, I do client support, I do training management, training support, we do troubleshooting, we do administrative work behind the scenes with our tools, we do some counseling, we do some client consulting. It really is a very broad scope: business development, things like that.

Speaker 2:

What we try to do is be very there for our clients. One of the things that has come up with companies that do similar things to us is that when I call, I have a different voice every single time I call. So I have to rehash everything that we've already done, every conversation I've had with every customer support person ever. So the nice thing about our company is that there's only a couple of voices that you talk to, and we share that information, and we make sure that if I'm working with a client, I talk to my colleagues about some of the things that the client is having trouble with, some of the things that I've worked with them on, to ensure that, if I'm unable to take a call, my colleagues can step right in at the same level and do the same thing that I was doing.

Speaker 1:

Can you say the headcount over there?

Speaker 2:

We have got six employees in the company.

Speaker 1:

The customer experience must be so much better with a small shop like that.

Speaker 2:

I'm biased, but I think so. We spend time with our clients. We've got a big, strong customer base. We've grown 700% in the last year. But the way that we're structured, we're able to have a good, strong, hands-on approach. Our tool is very self-supporting and it's very intuitive, so it's fairly easy to use. So it limits the amount of friction points, if you will, for small businesses. So that's a good thing, because it means that if I'm a small business I can figure most of this stuff out without too many problems. But when I do need to have support, I can place a phone call and somebody picks up the phone and can take care of my problems.

Speaker 1:

What is your primary customer base? You mentioned the FTC safeguard rules, so I'm guessing financial services.

Speaker 2:

Yes, we have. Right now our biggest vertical is in the automobile dealer, the power sport, the marine dealer, motorcycles, things of that nature. Very recently the Federal Trade Commission came out and clearly stated that they consider automobile dealerships and the like that generate loan information, lease information, those types of deals. They consider them to be financial institutions because they handle financial data for consumers. If you can imagine, if an automobile dealership sells 10,000 cars a year, that's 10,000 financial transactions that are processed through a dealership, right? So all of that information, all that customer information, is shared in the digital platforms and in their hard copy platforms and there's a responsibility to protect that information.

Speaker 2:

And the FTC has come out and kind of reemphasized that. And there were a significant number of automobile dealerships, marine dealerships, so on and so forth, RV dealerships, that did not have strong information security programs on hand, if any at all, and they were kind of caught by surprise when the FTC kind of made this statement about a year and a half ago. So we've been working primarily for the last, you know, the time that I've been with the company, on enabling those types of entities to be compliant with the FTC. They really want to. It's been very nice to work with these organizations, understanding their responsibilities and saying, hey, listen, it's not that we didn't want to do this, we just didn't realize that this was something that we had to do.

Speaker 2:

So we've been giving them the tools to do that.

Speaker 1:

So auto dealerships are notoriously conservative when it comes to security, you know. So with compliance, are you seeing that there's a big investment push to be compliant, or is there a lot of resistance? And this is the perspective I'm coming from. When you approach an auto dealership with maturity, right, so to go beyond compliance, it's a tough sell, because, just sort of, and that's the world that I'm in.

Speaker 2:

And so in our circle.

Speaker 1:

It's very, it's well known that trying to get them to spend a little bit more on security has always been sort of a challenge, right, and I could see why. Sure. So, the margins are thin. Well, maybe not in the last few years, during COVID with the extra sales, but how has that industry received compliance, and are you seeing any movement to go beyond compliance?

Speaker 2:

Well, first of all, I don't think that that mindset is unique to the automobile industry, automobile dealership industry or that niche. I think that most small businesses have traditionally looked at security as a cost and not an investment in their business. I think that the mindset is starting to change. I see a broad scope in the clients that we deal with. There are some of them that are like, hey, I just need to check the box, make sure that I don't get thrown in jail, right? And then I have an increasingly large number of clients that are you know what. This is important.

Speaker 2:

We want to do what's right. We understand we have a budget and we understand that we can't do everything we want to do today, but what we'd like to be able to do is do the things that get us to a good, secure point now, and then put a plan in place to help us grow over time as we learn more, as we understand more. And then, as you're well familiar with, it's a balance of technological investments, investments in personnel. Are we doing the proper thing, from a leadership perspective, to provide oversight for the actions of our employees in the environment that we have? So, and that's not just unique to our clients in the automobile dealership space or the RV dealership space or that niche. It really is kind of across the board with a variety of the different professionals that we deal with that have that type of information responsibility.

Speaker 1:

This is going to be a really broad question and it might not be fair, but what are some of the challenges that these companies face and maybe not even just limited to the auto industry, but your clients in general? What are some of the challenges that they're facing when it comes to implementing security?

Speaker 2:

Well, I think the big part of it is that a small business has so many hats to wear. If you own a small business, you manage a small business there's a ton of hats to wear. Usually, the security hat is the smallest and weirdest hat that you're going to pick up and try to put on, because it's not something that businesses normally have as a part of their foundational DNA. It's usually one of those things that I have to come to and it's very unfamiliar and foreign to me. Yeah, so that's a big one.

Speaker 2:

A second one is turnover. There are many of these organizations that they don't have the same employee base for a year. So you bring somebody in, you give them the mandatory training, the baseline training, that they need to be competent and relatively understanding of the security architecture and the requirements that we have to secure personal and private information. And three, four, six months later they're gone and onto something else. So turnover, I think, is another big problem of it. And then again you mentioned it, thin margins. You have a couple of months of soft sales and you got to take a look at where your expenses make sense. So we understand that. So we try to make sure that we have an affordable tool, something that fits easily within that monthly expenditure piece of it, and something that can be easily implemented as you cycle through employees.

Speaker 1:

Okay, SEC, big changes coming, and they say it's in October. But they've been moving the goalposts for the last year or so. So let's say it's going to be in October and the SEC is going to impose all these rules on financial institutions and publicly traded companies. What is, and I'm asking this question to everybody who's working in software, I'm guessing that Accelerate2Compliance is a software company.

Speaker 2:

We are a managed solutions company. We're not necessarily a software company.

Speaker 1:

Yeah, I should have asked you that. I just assumed that it was a software company. I've got the software lens on. Everything is software, but nevertheless, okay, managed solutions, same thing. What are you doing to prepare for these SEC rulings that are right around the corner?

Speaker 2:

Our company is primarily focused on the FTC side of the house, the Federal Trade Commission, and not the Securities and Exchange Commission, two completely different regulatory avenues. That said, understanding the SEC rules helps us to see where some of those bleed-overs are and where some of the hard lines are. So most of the companies that we deal with are not SEC compliant or regulatory types of companies. There is some bleed-over with some of the business systems that they have, especially if you look at insurance companies, brokerage houses and things of that nature. They have dual roles in some of their responsibilities under the FTC and under the SEC. So what we try to do is maintain some awareness and visibility on what's happening with all of those federal regulatory areas and, to a certain extent, what happens in the state. Obviously, we have a familiarity with Minnesota laws because we're a Minnesota-based company, but we have to be aware of things that are happening in the rest of the states and territories as well, because we do business all over the United States.

Speaker 1:

What are some of the regulatory frameworks that you're seeing your customers demanding that they need to fulfill?

Speaker 2:

Well, we use primarily NIST and ISO as our, kind of, as our ballpark, if you will. That's the framework in which we tend to look at when we do an analysis of our programs. HIPAA is another one, because we have a portion of our tool that can be used by organizations that have to be HIPAA compliant. So those are the three big ones. The PCI...

Speaker 1:

DSS.

Speaker 2:

That is another framework that we look at and understand and try to use contextually when we put our tool together. So our assessments are a derivation of tools, but based in compliance requirements. So we don't just simply take one of the national standards, reorganize the questions and then call it our tool. So we try to make sure that our tools for our clients are catered specifically to their regulatory needs. So the larger standards, ISO, NIST, HIPAA, they're very broad and comprehensive, and I did a HIPAA assessment when I was working with another cybersecurity company. It took us down there six months to complete the assessments, put the documentation and stuff like that together.

Speaker 1:

Let me guess you're doing it all in spreadsheets.

Speaker 2:

Well, yeah, a lot of it was that way. We worked with the client and the tools that they were using in order to do it. So we did it on a consultant basis and it took a long time to do. It's very detailed and very in-depth. Most of the businesses that we work with, they don't need to go that deep and they're just not that complex of an organization, right. So spending that much time in a NIST framework or in an ISO framework or in the HIPAA framework or something of that nature, if they don't specifically have to meet those levels of compliance, then there's really no reason for them to invest the time and the effort into doing it. As you've probably experienced, if I put a 300-question questionnaire in front of somebody and say I need for you to go through this, there's going to be a lot of small businesses that are going to say, my risk reward...

Speaker 1:

So would they prefer someone else to do it, so like a facilitated assessment, or do you just have to strip it down?

Speaker 2:

No, I think that when you look at organizations that have to meet that level of compliance, then hiring a consultant to come in and do the lion's share of the work with your subject matter experts in-house is the way that a lot of those businesses are going to trend. We try to make ours so that a small business owner and we've got mom and pop shops that have five and six people that work for it right, with a little bit of help, they can use our templates and build a written information security program and do a self-assessment very easily.

Speaker 1:

Love it.

Speaker 2:

It's straightforward.

Speaker 1:

Love it. So whenever I think of mom and pop shop, there's an ice cream shop right across the street called Sebastian Joe's. Every time I ask or I think about a solution that's designed for mom and pop shops or a consulting firm that's designed for mom, I'm going, I'm thinking, okay, so can I walk into Sebastian Joe's, talk to the owner and make a case for compliance, or make a case for security? Sure, do you see clients that are that small going for compliance and if so, what regulations are they under? I'm guessing something like PCI DSS, because they take card payments.

Speaker 2:

Yeah, I think for a lot of small businesses, especially retail-based organizations, that's going to be the primary place to be is the payment card compliance piece of it.

Speaker 1:

Does the government ever kind of, I don't even know, like, who enforces these regulations at the end of the day?

Speaker 2:

Boy, that's a great question, because regulatory enforcement falls across a broad scope of areas. The federal and state governments work together in a lot of it, where there will be certain things that the federal government, probably from the Department of Justice, will ask states to help implement for them. When they see things like that, there will be some local regulatory enforcement at the municipality and at the state level, depending on where it is and who it falls under. When I was with the Department of Commerce there were 22 industries that we regulated, so we had state-level enforcement authority on that, and there were opportunities for us to work with the federal government where we would do work with them and on their behalf. So there's no clean answer to that question.

Speaker 2:

There is an alphabet soup of regulatory authority that, depending on what industry you're in, what the situation is, where the concern from a regulatory compliance perspective might be, will dictate who's coming in to do the investigation.

Speaker 1:

But is it random, or are you kind of like that's small fish, those are small potatoes. We're not going after that guy.

Speaker 2:

Now I can't give you a blanket answer on that one. In my experience, what I have seen is that, unless there is an egregious occurrence, the likelihood of some type of a large three-letter agency coming into your organization and doing an investigation is kind of low. If you're a part of a large breach that has tentacles into a larger webinar organization, you're going to be swept up in it. That's going to happen. If consumers complain about things that are happening in your organization, then somebody is going to ask questions. Usually it's a state-level regulatory authority that's going to come in and start asking some questions. If you've done nothing, the likelihood that you're going to face fines and sanctions is pretty high. If you have some of the basic blocking and tackling in place.

Speaker 2:

My experience has been that most of these authorities are going to want to work with you to make sure that you're doing the things that you need to do to protect your consumers. Most small businesses want to protect the people that they're servicing. That's what they want to do. Very rarely are there deliberate, egregious actions. You know that people perpetrate against their clients. Now does it happen? Absolutely it does. There are bad actors out there, right, and when those actors are found, actions are taken against them.

Speaker 1:

Mm-hmm. So, okay, yeah, I've never really explored the way that that works. You know, you say, you think, I work with PCI DSS all the time.

Speaker 1:

But you go into a mom and pop shop and you say you need to spend, I don't know, let's say, fifteen thousand dollars a year to become compliant. It's usually more than that, but, mm-hmm, whatever the price is, you come in and you say you need to do this, you have to do this, and they go, why? You know, nobody that I know has ever gotten breached. So why should I do it? You know, and as a security person, we tend to go, you know, because it'll protect your customers, your partners, your shareholders. Well, they don't have shareholders. If they're, if they're small, or they might have a very tiny...

Speaker 2:

Instead of shareholders, or there, but in, but along those lines. A lot of times with those small businesses like that, the shareholders are friends and family and, you know, folks that I've asked to stake me in my business as I start to try to grow this passion of mine. And in my experience, that's even, I think, sometimes more important than if I have this anonymous group of folks that simply bought a stock, right. So I'm protecting my grandparents, I'm protecting my parents, I'm protecting my friends, I'm protecting a few, you know, former business partners that I had that saw something in me and staked me for this business. So, you know, do you really want to risk something that every single security expert in the world says will probably happen to every small business at some point in time during their history, even some of the basic blocking and tackling to put these things in place? If you think about it, fifteen thousand dollars, if that's what it is, annually in investment.

Speaker 1:

You know what, all your data and holding it for ransom, probably, that's probably less than the truck that you're leasing.

Speaker 2:

Yeah, yeah, so so it.

Speaker 1:

Maybe it comes down. Everybody's got their reasons for yeah, and it's perspective right.

Speaker 1:

You and I both know that yeah, so let's break this down a little bit. The risk aspect, right. What are some of the risks that small businesses are taking by not staying compliant? So, when people are usually maybe somebody's watching this right now or listening to it and it's very abstract, right. What I usually get from my friends is you know, my, my data isn't that important. What are they gonna want to do with it? You know so and unfortunately, a lot of businesses take the same approach, right?

Speaker 2:

So we have ransomware that is a risk, so they steal your data.

Speaker 1:

They lock it up, they encrypt it and they say you're not getting it back until you pay us more than fifteen thousand dollars. Yeah, get guaranteed. What are some of the other risks to small businesses?

Speaker 2:

Well, I, you know, I kind of like to flip the switch a little bit on the risks of not being compliant. Growing up in a security world, we've always learned that you can be compliant, not secure, but you'll never be secure and not compliant, right? So I like to look at it from the other perspective. Let's think about how I'm securing those things that are important to my business for working in the digital realm. How is it, though, I have a comprehensive approach, with technological solutions, policy solutions and people-focused solutions? They're gonna help me to mitigate vulnerability within my organization, right? So we all know that people are the weakest link in our security chain, so I like to think about it from the perspective of what can I do to increase the level of awareness among my employees that are working with data and information, that are processing data and information, that are collecting data and information and in using it to do those business functions that I asked them to do?

Speaker 2:

Being sloppy with how I handle emails, probably one of those big vulnerabilities, being sloppy with how I handle social media stuff: Instagram, Facebook, Snapchat, whatever you're using, you know, even LinkedIn. How are you using those social media tools to advertise and promote your business? Because the information that you're collecting within your organization, is that what you're then using to do your advertising via social media? So are we doing things smart, and are we mitigating the compromization of our client information? So, you know, do I use a social media post that uses the first name, the last name, the names of all the children, the city that they live in, the product they just bought, and, you know, is there any other signifying information that happens to be in a photograph that I'm using on that post? You know, it's just being smart, and a lot of people aren't doing things like that because they're malicious. They're doing it because they just don't understand how cyber criminals can use that information to kind of build their attack.

Speaker 1:

That's the thing, yeah, that's the thing. So, and that's what I tell my friends, I'm like, there's so much that's going on outside of your purview, outside of your awareness, that you don't understand. It's not that they're just gonna steal your data, right? It's that they're gonna steal your data to get to your mom's data, to get to your mom's boss's data, to get to your mom's boss's, you know, CEO's data and bring down the entire company, and you could have done something to prevent that. It's, it's just, it's extrapolation from data, and by the time the crime is committed, it might not impact you.

Speaker 2:

But you're a part of it.

Speaker 2:

Well, and what we learn from, like, threat intelligence is that threat actors don't get their information in one bucket. It doesn't come to them in a manila folder that says, here's all the stuff you need to do an attack. Right, it is the compilation of data from a variety of different sources. It's, you know, how is it that I can put all of these different bits, parts and pieces together in order for me to then do something with it? Right, it's the difference. But when we take information and it gets gleaned down into intelligence, there's a continuum of data and information that then turns into actionable intelligence, right. So that's what cyber threat actors are looking for. They're looking for all those bits, parts and pieces that they can somehow put together and then turn it into, you know, a viable attack on an institution. So think about it.

Speaker 2:

I think human nature, a lot of times, is that if you can make it personal and kind of do analogies with what we do day in and day out and how it would affect ourselves and our families, and then extrapolate it out to how it's gonna affect your business. So, for example, Facebook, Instagram, awesome way to tell people how much fun you're having on vacation, right? Well, but you're also telling people that you're away from your house for two weeks, yeah, you know, or a week or whatever. And I know that this is the case because the people that live right across the street from me, about two years ago, were on vacation in Puerto Vallarta. We saw their Facebook posts. Their house was broken into. Well, somebody figured out from their Facebook posts that nobody was there for two weeks, right?

Speaker 2:

So, fairly easy pickings if nobody is at your house. You know. So, I, you know, personally, we just came back from two weeks in Europe. There was not a single post on any social media that talked about our trip to Europe until after we got back and we were sitting in our house.

Speaker 1:

Yeah.

Speaker 2:

I didn't even know you were in. There you go.

Speaker 1:

Did you have a good time?

Speaker 2:

Yeah, I had a wonderful time. Wonderful time. I highly recommend Croatia, the Dalmatian coast, oh, you know, the Adriatic. If you haven't been there, it's an awesome trip. It's beautiful, the people are wonderful, the vistas are as breathtaking as you're gonna find any place in the world. Awesome time.

Speaker 1:

I loved it. It reminds me of, you know, the movie Home Alone. So Marv and Harry, they were just like staking out for weeks up until the family left.

Speaker 1:

If Marv and Harry existed today, they'd probably just hop on Facebook and they'll just go, the McCallisters aren't gonna be, you know, they're saying that they're going to blah, blah, blah for X amount of time, they've got this many people going, and here are all the friends and family that are also going. And then Kevin would probably be at home tweeting, like, my parents left me, I'm living alone.

Speaker 2:

I'm living alone. Yeah, I'm an 11-year-old kid that has no parental supervision right now and I'm scared to death about what's gonna happen. Yeah, so, yeah, I mean, excuse me.

Speaker 1:

That's part of that traveling. There's a little residuals there from the airplanes.

Speaker 2:

Oh, no problem, cut that out, we're good. But those are the things. I think everybody needs to have a healthy level of paranoia when we think about working in the digital world that we work in, right.

Speaker 2:

Protect your personal data. Protect the data and the information of the people that you interact with. Don't share things that people don't want shared. Right? If you're a prolific Facebook poster, please be cognizant of the folks that you interact with and whether or not they want to be on social media. There's a large number of people that choose to not have a social media presence. I'm one of them. I'm on LinkedIn, that's it. I don't have an Instagram account. I don't have a Twitter account. I don't have a Facebook account.

Speaker 2:

I don't like to put myself in a place where things could be manipulated or misinterpreted right, so I try to stay off of those platforms as much as possible.

Speaker 1:

I wish I could say that you're being paranoid, but the truth is, the risk exists.

Speaker 2:

Well, it became very apparent to me when I first became a public official. I saw things in the media that came directly from social media, right? Now, when I posted on Twitter, I was never malicious, I was never mean, I did my best to try to just make a public commentary, but that can be used against you, right? Everything can be taken out of context and used in a way other than what it was intended.

Speaker 1:

Even your voice: using your voice, putting it through AI and calling somebody and saying, "Hey, I'm trapped in my car, come get me." And they get you to respond right away because that's what they try to do. They do anything to get you to respond, just without thinking, and we don't really think about that nearly enough.

Speaker 2:

And I think it's important for us now to think about all of that stuff. Right, how can your kids be exploited through digital and social means? Right, there's a cognizance that we all have to have: what risk do you put your friends and family at if you do certain things in the digital world? Right, so, just being aware of how all of that stuff works. I'm not suggesting that, you know, being a hermit living in a cave, that's unrealistic, right, but just have an awareness of where that is. And I think that, as professionals, security professionals, it's incumbent upon us to share these things with people, right? And then whether you use it or not, that's completely up to you, but you know, I think, eliminating some of the ignorance of what are the consequences of my actions, right. If you don't understand how that stuff can be used, then you can put yourself at an unknown risk, and I think that heightened level of awareness helps all of us to just be a little bit smarter in the space.

Speaker 1:

I'm gonna ask a risky question here. When you were a commissioner, assistant commissioner, what were some of those big breaches that you encountered? Oh, just an example, just a little story for the audience, for the people who are listening and watching.

Speaker 2:

So I think some of it is the misuse of privileges that you're given. We've had folks that misused powers of attorney, right, and misappropriated funds on behalf of somebody that had given a power of attorney to somebody to act in their best interest, but they didn't, right. So we saw cases like that. I think some of the funnier cases that I saw was a professional using the information that they gleaned in their professional capacity as a dating service, you know.

Speaker 1:

Like what? So let's break that down a little bit.

Speaker 2:

So, you know, you solicited information through your business, right, and then, you know, you see that, you know, if you're a male and you see the name and, you know, financial positioning of a young female or a female. You then, instead of soliciting business now, you solicit dates, you know. So it was...

Speaker 1:

Did you see more men going after women looking at their financials?

Speaker 2:

Or... usually that's... What kind of financials are you looking at, kind of the way, you know, well?

Speaker 1:

Looking for a sugar mama or what? Think of...

Speaker 2:

Well, the opportunity exists sometimes to open up doors for relationships that would not have been open to you unless you were in this professional area. So people use that, you know, and these are just things to be aware of, right? Sometimes you will do things once without the intent to ever do it again, but nobody caught you and it became really super easy, right? So, you know, I'm gonna take a check from a customer and I'm short this month on rent, so...

Speaker 2:

I'm gonna just use that money until I get paid, and then I'll pay it back and, yeah, there's not a check and balance in place, right? So it was really, it was easy, I did it, nobody caught me. Then I did it a second time, paid it back. No harm, no foul, right? Well then, the fifth, the sixth time, I'll just cook the books a little bit and not pay it back.

Speaker 1:

And that's how you wind up as one of those people, like, three years later you found that they stole a million dollars and they're like, "It was just... I didn't know that anyone was gonna get hurt."

Speaker 2:

I didn't mean to do it, I didn't mean to hurt anybody, but it was just really super easy.

Speaker 1:

Yeah, and normal people. You know, these people aren't terrorists or anything.

Speaker 2:

I worked in retail for a number of years in the early part of my life and we learned, you know, when you're in a management leadership position, you learn that the vast majority of theft comes from inside. It's internal within your organization. You hate it because this is a trust that you put in the people that you work with every single day and that violation of trust is really worse than the theft itself, right?

Speaker 1:

Yeah.

Speaker 2:

So those are the types of things I think that you need to take a look at within our programs and we think about security. You have to have a 360 degree perspective and a very holistic approach to it. So it's not only the external facing things, but it's that internal stuff. How is it that I put checks and balances so that good people, when put into a bad situation, are gonna make the right decision?

Speaker 1:

Looking right into the camera: that person that found you, that seemed just like out of the blue, and they were perfect and they came from heaven? They have been stalking you for weeks. They've been looking at all your data and misusing information. And do they work at a bank?

Speaker 2:

Do you?

Speaker 1:

Do you bank at that bank? Take a second look at that person, and maybe they know a lot more about you than you know about them. So, public service announcement from security professionals.

Speaker 2:

There you go. Yep, if it's too good to be true, it probably is. I think that the lesson is to take responsibility for your own security. Do checks and balances. Be smart about what you click on. We all have cell phones. We all use cell phones. I use my cell phone for email every day. You use your cell phone for email every day. Understand that your cell phone, your email message on your cell phone, gives you less information than the email message that you get on your laptop computer. So if something on your cell phone looks kind of hinky, don't open it until you get to your computer. Take a look at it on your computer. Check your URL. Make sure that the address of the sender is a valid sender. There's a Harbor Freight scam that's going on right now. It looks like a completely legitimate email from Harbor Freight. As soon as you kind of answer their survey questions, they say, "Congratulations, you're a winner. All we need is for you to pay shipping. You're gonna get your... you're gonna get your prize."

Speaker 1:

I have fallen for one of those things, and I'm a security professional. We all do.

Speaker 2:

It's crazy, everybody does, and then all of a sudden four charges show up on your credit card. So those are the types of things that I think education and awareness are certainly gonna take care of.

Speaker 1:

Okay, well, Matt, thanks for coming down again, and this is a really great conversation.

Speaker 2:

I feel like we should catch up more. I enjoyed it. Yeah, absolutely.

Speaker 1:

And it's still so hot here in Minnesota and I still don't have AC, and that's why the cameras crap out every once in a while.

Speaker 2:

But you know, it's time.

Speaker 1:

I know you got to go. You're a busy guy and, again, I really appreciate you coming down, and for everybody, you know what, I'll have to... let's do it this way. I'll get in, I'll get into the frame with you. Thank you for watching this episode of Security Market Watch, and you can check us out on Instagram. Check out our YouTube channel. Don't forget, don't forget, I've always wanted to say this: do not forget to smash that like button and subscribe. Matt?

Speaker 2:

Thanks, Josh, appreciate it, and thanks, everybody.

Speaker 1:

We'll see you in the next episode.

Speaker 2:

Have a great day.

Accelerate to Compliance
Security Compliance Challenges for Small Businesses
Risks and Importance of Regulatory Compliance
Risky Breaches and Internal Theft