Learning Without Scars

Protecting Your Business: Unpacking Cybersecurity and Risk Assessments

Ron Slee & Kevin Landers Season 4 Episode 10

Send us a text

Is your business truly protected against modern cyber threats? Join us for a compelling discussion with Kevin Landers, an IT veteran with over 25 years of experience, as we unpack the complexities of data security and the critical need for ongoing risk assessments. Kevin shares how his company, Rocketwise, helps dealerships uncover and address security vulnerabilities, emphasizing the financial and operational risks that come with data breaches. Through his insights, you'll gain a deeper understanding of why regular security assessments are non-negotiable in today's digital landscape.

Explore the ins and outs of Rocketwise's "Inspect What You Expect" service, which provides monthly risk assessments to keep your business secure. Kevin explains the importance of having strong security measures like antivirus and detection systems, and the vital role of compliance programs within dealerships. We'll also discuss the shared responsibility between businesses and third-party vendors, highlighting the need for a standardized self-assessment questionnaire to ensure robust cybersecurity practices across the board.

In our conversation, we dive into the intricacies of vendor compliance reviews and their impact on overall cybersecurity. Discover the importance of having a dedicated Chief Technology Officer to oversee these efforts and how real-world data breaches underline the necessity for proactive measures. We'll also touch on the challenges posed by power outages and the importance of having effective data recovery plans in place. Don’t miss this episode if you’re looking to safeguard your business against ever-evolving cyber threats and stay ahead in the game of data security.

Visit us at LearningWithoutScars.org for more training solutions for Equipment Dealerships - Construction, Mining, Agriculture, Cranes, Trucks and Trailers.

We provide comprehensive online learning programs for employees starting with an individualized skills assessment to a personalized employee development program designed for their skill level.

Speaker 1:

Aloha and welcome to another candid conversation. Today we're joined by, I believe, an extremely good man, Kevin Landers, who also is very knowledgeable in the world of IT, and I want to broach with Kevin the subject of data security and the fact that very smart people, bad actors, have been hacking a lot of business systems around the world and try and increase our understanding and knowledge of that world. So with that as an introduction, Kevin, welcome aboard. With that as an introduction, Kevin, welcome aboard. Maybe you can tell everybody a little bit about you and then give us a read on what you think is going on with data security and risk.

Speaker 2:

Yeah, absolutely Well, thank you for having me. I can attest that there will be at least one additional person that will listen to this podcast, and that'll be my wife, because you specifically said I'm a very good man.

Speaker 2:

I think you said very good man, maybe it was just good, but anyway, um very, very would work also there you go, um, but yeah, so, uh, you know, I guess, uh, for my part, um, I have been in IT for, oh man, longer than I'd like to admit at least 24 years, oh gosh, longer than that. So we'll just go with more than 25 years. How about that? And in the past, I guess, seven or eight years of that, our company, our team over at RocketWise, we've shifted our focus, our primary focus, to the equipment dealership space, and that said, yeah, I mean cybersecurity. You know it's been a hot topic. There's tons of money being poured into and solutions being poured into this space. Oddly enough, on one end, you have all this money, need it, um, who may not realize? Or, uh, may be burying their heads in the sand, as it were? Uh, to the need, um, so, um, you know lots to talk about, lots of, lots of different avenues that could be covered here.

Speaker 1:

So let me. Let me put another paragraph in front of that. The 25 years prior to Kevin hitting the space, I was involved running data processing shops, computer shops, running software companies and back in the early days, for our concern, most of the consultants that were involved in the space of assisting businesses had served prison terms. Today, the world is the platform. In my early years it was strictly North America. So we have a very much more complicated situation to deal with and, as Kevin is mentioning, there's all manner of money being put into this. But the audience, our audience, I think, has to have a better understanding of what's going on. I think some of these men and women running these businesses have been hacked. It has cost them money, it has cost them data loss, it has cost their businesses time.

Speaker 2:

So some of them are sensitized to this, but the vast majority don't really know what we're talking about. Yeah, I mean, it's very true. I mean going to events, whether it be an AED event or any of the other associations out there. You know, it's not uncommon to have this conversation. Someone candidly revealed that, yeah, they've fallen victim to something, whether that be gift card scams or phishing attacks or whatever. Have you ransomware, etc. Phishing attacks or whatever. Have you ransomware, et cetera. But at the same time, you get that mindset of but I don't need it, I'm not a target. So it's odd having conversations when those two things are said in the same conversation. But yeah, I mean, there's a reason why there are tons of companies pouring money into this and developing solutions to prevent all the things that are out there. On the flip side, there's tons of money and effort being put into the space of creating these issues, discovering vulnerabilities that are out there that can allow someone to take advantage of a company, and happy to take this conversation wherever you like it.

Speaker 1:

Well, go down that path. For a second, does RocketWise offer a service where they will come in and review a dealership for vulnerability?

Speaker 2:

Yes, we will. In fact, it's a core offering. Actually, it's something that the FTC says you're supposed to be doing at least once a year. Cyber liability insurance providers also say that any organization they're covering, 99% of them say that they have to have that in place at least annually. And so, yes, we do offer that. We have different you know different levels of it, but the goal is to come in, meet with executive leadership, stakeholders in an organization, a dealership, take them through some very high level Q&A maybe takes about 30 minutes going through Q&A just ask them some questions about processes, procedures, type of data they're handling. And then after that, at the very high level, we execute some scans on a handful of computers. We execute some scans on a handful of computers, pull that data into a series of reports and then we have a follow-up meeting to go over it, to do a report of findings. We've never had a dealership where we haven't found something, whether it's potentially something already in the system, potentially someone having key vulnerabilities in place, people where their passwords are out in the open. No-transcript to business owners in these dealerships or at least, like I said, key stakeholders, whether that be executive or what, and you know, ultimately at the end of the day, we're supposed to.

Speaker 2:

We have expectations. We have expectations in all sorts of areas of our company the sales sales department. We have an expectation that our sales folks are smiling and dialing, they're researching our prospects, they're researching our internal accounts of our current clients, they're looking for ways to serve them and that they're doing all these series of tasks to bring in new business and or grow existing business and doing all the things it takes to do that. And we see that as a critical aspect of our business. And so we have all these different metrics and different things in place to inspect what we expect there. Right To know whether the team as a whole is hitting the mark or if there's one or two individuals that need to go on a PIP or however. You've got that all structured and we do the same thing on the service side and we do the same thing on the service side, part side. We've got all sorts of metrics and we know what we expect and we know how to inspect it.

Speaker 2:

But IT is one of those areas that, even if we have internal IT team members, if that's not a function that we're outsourcing completely somewhere else, anyway, in both scenarios leadership for the most part, has no idea what to expect. They expect that they're safe. They're expecting that their systems are up, they're expecting their systems are in pristine condition, but they have no idea how to inspect that. They have no idea how to actually, you know, uh, go underneath the hood and make sure that things are the way they should be. It's not like we're walking out to a piece of equipment, um, you know, unscrewing a knob and checking the oil. Um, it's, it's much more complicated than that, and um, so I would, you know, I'd say that probably, for the most part, those folks are, they're intimidated by that. I mean, you know, and that's one of the things we try to eliminate tech, speak Right and put it in layman's terms, where the rest of the world can understand outside of the, the world of the geek, and and try to bring that down and help them understand.

Speaker 2:

Okay, these are some of the things you should expect. These are some of the things that, when you inspect that, maybe you don't know how to inspect it, but this is an indicator that that is good or that we have a problem there. And so, whether we're doing that one-off for a dealer or we're doing it on a recurring basis. So whether we're doing that one-off for a dealer or we're doing it on a recurring basis again, insurance companies FTC say you know need to have it once a year. Reality is, if you have a breach, on average the average is that someone has been in your systems for 290 days before you ever find them. So basically, the FTC and cyber insurance companies go hey, you should check it at least once every 365 days. I kind of advise clients to inspect that more often, ideally monthly, because the last thing you want to do is inspect everything you're clean and then 365 days later you find out somebody's been in there for 290. And then it's a. You know you're a day late and a dollar short. So anyway, I'll pause there.

Speaker 1:

So that's no, that's a good place to pause. So this initial work with dealers that you perform at Rocketwise can be done remotely, correct.

Speaker 2:

Yeah, the entire thing is done remotely. Literally it's jumping on a call 30 minutes of time longer if they have Q&A, if they have questions that we need to answer, and then executing it remotely. We simply send somebody things that they can click on the computers and then, uh, the follow-on is like a again about an hour call. Uh depends on if there are a lot of questions.

Speaker 1:

Let me label it. I don't know what you call it, but I'm going to call it the inspect what you expect, review. If I started day one with that phone call, day day one, how long is it before you can give them back a report? Is it five days?

Speaker 2:

10 days, two months, yeah yeah, On average we can do it in about four or five days From initial call. As know, the part that's dependent on the equipment dealer is that middle part which is running the utility on their computers that does our scans. And then it takes two business days for us to generate the report, Put a good bit of time into it. We're trying to, you know, present them with valuable information and then, like I said a follow-on call Okay information and then a follow-on call Okay.

Speaker 1:

So to help the audience that's listening to this, can I suggest you write me a blog that defines and describes the inspect what you expect service that you provide and, even though it's going to be a bit of a promotional piece, that we'll put it up as a blog in the form of explanation as soon as you get it to us.

Speaker 2:

Yeah, absolutely, I'll get our team on it.

Speaker 1:

So we have the inspect what you expect, an overarching review to get a position placement as to where you are and probably a risk assessment. We also have, down that other channel playing catch-up, the insurance industry trying to establish some insulation for themselves against an insurance claim for damages. The damages can be, as you said, gift cards as small as, but it could also be invoices for machinery. That's three, four or five million bucks that gets paid in a complete scam, the ongoing. So we have the inspect to inspect to expect program. I would suspect that it would be a good idea for a service from RocketWise to be in on a very regular basis, at least weekly, randomly evaluating a system. Do you do that as?

Speaker 2:

well, solely talking about in terms of inspecting things, then, yes, from a risk assessment perspective, yes, from a, if you need security things in place, like antivirus and MDR and XDR and EDR and I don't expect any of y'all to remember that or even know what that is but there's a long list of all the things you need to have in place that are actively not only protecting your systems but sending alerts, notifications to folks, departments that are looking into those issues as they're reported to their systems and acting on them and acting on them. But on the inspect what you expect portion, yes, we do those actually monthly. So we do monthly scans and then we either meet monthly or quarterly with our clients to go over the results and if it's an ongoing basis, we're literally reviewing. Okay, in the past, this is what we had last time. This is where the score was. These were the 20% of the items that we said we would work on. That would move us 80% of the way in a positive direction. You know who are the stakeholders, who's responsible for those items, what are the status updates on those? Now, here's our new baseline for today. Where we sit today, you can see these things have improved. You can see that we now have new challenges ahead of us, because security is a bit of a mirage. You never arrive to a state of full security as soon as you do, you know, take a second or a fraction of a second to pat yourself on the back. And now you got more work to do. So you know, from there it's OK. These are the new challenges we have.

Speaker 2:

Again, what's the next 20 percent of the things that we can do to get us 80 percent of the way there? Where do we need to put our focus? Who's responsible for that? So someone inside of a dealership is another vendor. Is it your dealer management system or your ERP? Is an issue with that that we need to take to those folks to get addressed? Is it an issue with your OEM? All right, probably that might be hard to accomplish, but you know there have been times when OEMs have listened to hey, your, you know your entire dealer base is exposed here because of this. Thing needs a little bit of attention, needs a little bit of being taken care of. Same thing with the ERPs, et cetera. But so, again, it's identifying who's responsible and what things do we need to move forward and-.

Speaker 1:

Right.

Speaker 2:

Okay.

Speaker 1:

So I'm going to bring it back into the dealership, as you did that. In the parts department, we have a daily knowledge of the back orders that are outstanding. On the service department, we've got a daily knowledge of the work orders that are finished and haven't been invoiced. On the sales side, we get call reporting on finance. The bill hasn't been paid.

Speaker 1:

So now the IT group or I'm going to call it technology generally has the same kind of tools available, same type of metrics available, to do this evaluation on an ongoing basis. Who owns it? What do we do? How do we solve a problem as we find them and go forward. And let's move on to the other side of the table, the tools that are there that we need to have there to protect us somewhat. So it's not the inspect what you expect anymore, it's creating. I'm going to call them firewalls, because it's a word that people seem to understand but creating tools. You provide solutions, tools that will stop hacking or identify hacking or protect your passwords or the portals of entry, whether it's an OEM manufacturer or a DMS provider, irrespective. And that complicates things because it's not internal controls solely. We sometimes have to have shared responsibility for these things.

Speaker 2:

Yeah, and I'll pause before I go to that rabbit hole to just share. This is one area where it kind of gets into policies and procedures. Where it kind of gets into policies and procedures and all of these businesses, these dealerships, there should be a type of compliance program in place for them. And part of that is going to be identifying what are the questions that we need to have answered by all of our third-party providers, whether it be our ERP, our OEM, our phone company who put a phone system in our network, etc. And they should be doing, at least annually, what is called a self-assessment questionnaire for those vendors, and that's basically having a standard list of questions you want to know the answer to and putting it in front of your vendors so that they answer them. That's going to pay off if you're involved in any kind of legal issue, ie insurance related, ftc, etc. But that's going to help you also gauge where your risk is.

Speaker 1:

So stay with that for a second, kevin. Do you have such a questionnaire that you sell to dealers to assist them, or that you would guide a dealer on doing with outside third-party suppliers so they know what needs to be done and how it's done, because you show them how it's done? Do you do that as a service as well?

Speaker 2:

So, yes, so, as part of our compliance program, we actually have a tool whereby we go in with the dealer, show them how to input the information for all of their current vendors, and then our system will actually automate the process of sending and collecting the self-assessment questionnaires from those vendors, and it will go ahead and send it annually. So if you plug the vendor in, we get their answers, it's stored in that system so that you have, you know, collected, you know collection of those all in one central place and then as far as yes, as far as selection, or even evaluating your current vendors, we do assist with that. We identify, you know, even if it's something like as simple as Internet service, right, identify. These are the things that we're looking for. What's the problem we're trying to solve, you know, and what are the, what are the questions we need to ask, and and so forth, and basically coming up with a consistent way of evaluating that um.

Speaker 1:

So do you have any kind of a catchy phrase on that? I'm going to call this vendor compliance reviews, but I don't know what you call it.

Speaker 2:

Well, that, specifically, is just this. Well, I think you're talking about overall. I don't that specific part of sending out the questionnaires is just our third-party self-assessment questionnaire. It's part of a larger offering our clients as a service offering, which is basically overall. It's a system that allows them to build out their policies and procedures, keep track of them, revisions on them, the approvals on them from executive leadership and basically also putting those policies in front of your team members and making sure that they've read them and collecting evidence that they have.

Speaker 1:

Okay. So let me try and put a wall around this thing. What we need from a dealer or a distributor in the capital goods space is we need a list of every single vendor that provides services to the dealership Number one and then number two. You have a questionnaire developed that can be used with each of those vendors specific to that kind of industry Example the telematics network example, password management example, data dictionary. So you have both of those things available Vendor compliance I'm going to call it vendor compliance review, for lack of another term and specific, then, recommendations that you make to address those problems. Correct, yes, correct Okay.

Speaker 2:

The reality is that, even based on these self-assessment questionnaires, you may very well get results back that are not pleasant regarding that vendor, and it may very well be that it's going to be impossible and or timely.

Speaker 2:

I mean, if they tried to resolve it, it would take a long time to resolve it, and or the vendor's just not interested, or you're not loud enough or noisy enough or represent enough revenue to them to be concerned about it, and so you may still find yourself in a position where you can't part ways with that vendor.

Speaker 2:

You depend on them and you have to, and so it becomes a question of all right, how do we put in other policies, other technical controls or physical controls or whatever kind of control it needs to to be important that you've identified those things and that you've taken the time to document it, because, at the end of the day, if there's a breach, hopefully you have insurance that covers it, and when you call down an insurance provider, you're going to want to make really sure that you did everything you could to prevent it and that you documented it, so when the insurance company is looking at it, they don't have a reason to walk away from the table and leave you high and dry and potentially turn around, like Travelers Insurance did in the last year or so, and actually sue you for not actually holding up to what you told them you were doing. And then if you've got those things in place and you've covered yourself as best as you can well you know then you've done due diligence and that's the big thing is due diligence.

Speaker 1:

Go ahead.

Speaker 2:

Well, an example would be there is an ERP, a dealer management software. I won't name them, it wouldn't be hard to find them. I won't name them, it wouldn't be hard to find them. But they had a data breach and the FTC took them to task over that data breach, leveraging the Graham Leach-Bliley Act, or also known as FTC safeguards, because of a portion of that act. Ultimately, they had a data breach and there was nothing that any of their dealers could have done to prevent it. They use that software period. They use it. They don't control it.

Speaker 2:

Now, ideally they could have had self-assessment questionnaires in place and they could have gotten the best of answers and at least they've done due diligence. But on the back end the dealer management system provider the high level of it is they were running out of disk space on their servers. So they asked a guy in the IT department to get extra storage to make backups and move these backups off on the storage to free up space. So the guy did. He went to basically the equivalent of a Best Buy. A local retail establishment bought a consumer-grade hard drive that plugs into your network so you can back up over the network, plugs it into their infrastructure, backs up accomplishes this task, but what he doesn't know is there's a software update for that device that patches a vulnerability on that device and now that it's on the network it's accessible to the Internet and poof. All the data for several hundred dealerships and all their customers got swiped, and so the FTC came down on them and went after the actual dealer management system.

Speaker 1:

We're in a place today, kevin, that I characterize it this way that we're 30 years behind on the technology that's available being implemented, the things that we're reading about today. We're so far behind implementing those things Artificial intelligence, machine learning, all of this stuff. I'll give you just a simple example. There's a thing up on YouTube from 1993 called BMW augmented reality, which shows a technician walking out to a vehicle, putting on glasses and being instructed what the repair was, with a diagram of it. And we could go. I mentioned this to you last week. We can go across a hundred dealers and find nobody using that. That's 30 years old already.

Speaker 1:

Yeah, that having been said, these third party vendors, they are in the same place that a dealer is, except their influence is orders of magnitude greater. So let me just freeze frame there for a second. There's some very smart people on this planet that are in jurisdictions that we're never going to be able to touch, that have found means to make money by doing illegal things, and that's not going to stop as long as that genie's out of the bottle. There's going to be more and more people, and we're never going to be smart enough to be able to avoid everything but those things that we are aware of and there are many of them and you deal with them every day. There are tools that we can employ that will reduce our risk. Really, all this is is risk mitigation, and there almost needs to be a body, a person, a function. You know, chief technology officer is a term that's bandied about. I think that's going to be commonplace. There'll be somebody in a dealership or businesses in general within five to 10 years who has responsibility for this. Today, there isn't.

Speaker 2:

There isn't. I mean well, for the most part there isn't. I mean kind of to your point that these things are not necessarily new. Even this position is not really new. It's just slowly making its way into. That's a position that's been out there for quite a while, where you know there's an individual or team of individuals that are solely focused on the security of you know, the information that you possess. So I wouldn't even say this really even should fall to a CTO or an IT manager, it director. This is more specialized, needs to be more specialized, because it's something that goes beyond you know. Do you know how to set up a printer? Do you know how to set up a network? Well, the question becomes do you know how to secure those things? You know and do even more beyond that. You know and, to your point, on the other side of this, the flip side, the malicious actor side of it, you know you're not.

Speaker 2:

We have this idea. I mean you Google hacker, go to imagesgooglecom, type in hacker and it's all dark rooms with somebody in a hoodie and their face is blurred or they're wearing one of these white masks or whatever, like they were in an episode of scream or something, and we have this idea that it's this guy sitting in a dark room who's going. Who am I going to attempt to attack today? Oh, acme Machinery. That's my target for today and his whole focus for the next indefinite amount of time is solely hacking into Acme Machinery. And this leads into people at like Acme Machinery going I'm not a target, nobody's interested in my company, nobody's coming after me. Well, that's true. Nobody's interested in your company, nobody's coming after me. Well, that's true. Nobody's interested in your company. They're interested in dollars. Your company just happens to have dollars and they may not have targeted you because today you have these sophisticated businesses.

Speaker 2:

I mean, yes, there are nation states who have teams and all this sort of stuff. Sure, let's put that all in a box over to the side. There are basically businesses where they have, you know, sells, a marketing team, they have a research and development team, they have a customer support team. They have all these different teams like a well-established, organized business and they're in the business of developing malicious tools. And some of that is used directly against folks, directly in a malicious way. Some of it is let's just use our systems to gain access to a plethora of computers out there and then let's actually set up a software as a service subscription model whereby, if you're a 14-year-old kid that's bored at home during the summer and you have access to mommy or daddy's credit card or Apple Pay account, simply set up your own little account over here in our software solution and, for you know X amount of months, we'll give you access to 100 computers and you just tell us what you want to do.

Speaker 2:

Do you want to do ransomware today? Sure, okay, great, we have access to these machines. We're just going to deploy ransomware for you and you basically don't have to know how to do any of this. Ron, if you can log into a Gmail account, you can also suddenly become a malicious actor. That's how easy it is. And it's even easier because if you try it and it doesn't work they have customer service people. Doesn't work, they have customer service people. They have better IT support than most Fortune 500 companies where you literally just call in and they chat with you and they go. Hey, so sorry, you're having a bad day and you're not breaking in the money from your ransomware activities. Let us hop right in and see if we can help troubleshoot this, debug it, fix it for you and get you back on your merry way and they will even give you your money back if it doesn't work.

Speaker 2:

So you know it's a business model and it's. You know we can take it back to the ag world. It's that old broadcast method. You know you want to plant grass, you don't. You know you don't plow a row and put in individual seeds, you just cast seed out everywhere, right, I mean, okay, there may be more to it, but you cast all this out or take it to a shotgun approach. You put in a shotgun shell. You don't aim for a bullseye, you aim in the general vicinity and you send out all these pellets.

Speaker 2:

That's how they approach this malicious activity. It's not, hey, I want to hit Acme Machinery or I even want to hit the machinery equipment dealer space in general. It's, I just want to hit computers. And so if I can detect issues out there, if I can spread through email and breach your email accounts, then great, and then I can send all my stuff out and once we get a fish on the hook, then I can look in to see exactly what kind of fish it is. Is it a trout, is it a bass? Is it a CFO at an equipment dealership? Is it a CEO at?

Speaker 2:

an eye company and then I can research it further.

Speaker 1:

I'm going to dig in deeper than that. Even I'm going to start from a database and the fact that we have data all over the place in our dealerships and we don't have any control of the data. Nobody owns a particular data field. Then we bring in different software businesses to interact with our database. They have their own databases. So, as an example, a customer profile example, and I'll have a call reporting system, I'll have a marketing system, I'll have a market coverage system and I'll have three different pieces of software. They're all updating a file, all updating a data field, yet they don't communicate with each other. So my data analytics, which have become really critical in this world of artificial intelligence, are flawed. I don't have accuracy or control on my data. So data security is a piece, the data analytics is another piece. Data dictionaries, I mean. There's a whole host of things here.

Speaker 1:

We've been concentrating on selling equipment. That's where this whole world started and I'm trying to make the guy who's on a shovel I'm trying to make his life easier by giving him a machine Terrific. I did that, but then I got into the situation. Well, this guy needed to understand how to fix that machine. So he either fixes it or he hires somebody to fix it for him. Now I'm exposed because I got somebody other than the owner messing with something. So here I've got a business, I run it manually and then all of a sudden I bring in a dealer management system and a lot of those folks anymore don't understand the business that they're providing the software for.

Speaker 1:

So let me name names for a minute. Here We've got Microsoft in it, we've got Oracle in it, we've got Infor in it, we've got SAP in it, we've got JD Edwards in it, we've got big players and every single one of those, as an example, they're all clients of mine and they make their money consulting. They don't make their money in selling the product. They make the money in adapting and adjusting that product to fit the dealer's needs. But nowhere in there does either side to your comment on this insurance industry vendor compliance. Nobody looks at that. Nobody looks at that and I at that. And if I'm looking at your space, how many people are out there competing with you? There's some big majors, but not very many people are specializing in your area of expertise, are they?

Speaker 2:

uh, not with an r. Yeah, no, they're not and?

Speaker 1:

and the other side of that is how the hell do you get your message out there through vehicles like this, through associations or meetings, annual conventions, etc. But I, I'm, I'm one of these idiots. I want to help you get that message out there. So, let's, let's have you write a blog post on the inspect what you expect, and we'll start with that one and get it out there.

Speaker 1:

I put one up last night called people over profits, which we talked a little bit about yesterday or last week, where I'm a little bit annoyed at myself as well that the standards and metrics that we use in the industry haven't been touched for about 30 years and the world has changed. So I've committed to next year I'm going to update all of that stuff and put it out available for people. Part of that has to be and it wasn't in those days, but part of that has to be data security. So I'm going to be coming back to you over the next couple of months and saying, okay, we need to have a chapter, we need to have a section on IT, which we don't have. Another thing that I would submit that needs to be looked at there's consulting companies out there, like what I used to do that go out and do dealership reviews. It's a finite number of people that do that. Some of them are big names Everybody knows Accenture, mckinsey, those types of folks but it's the ones that are out there at the ground level that are important to me and you, because they don't do any data security or risk compliance reviews when they do those dealership operational reviews, and that should change.

Speaker 1:

Yeah, agreed, I hope this is going to be the beginning of a change in perspective for owners and the executive suite in all distributors and OEMs. I had a client last year who had their system disabled for over a week. They could not use the system for over a week because the bad actor was able to get in through a modem on the network because there was no shielding on the modem. I had one of my former employers not have the ability to do invoicing for the parts business for several months in a multi-billion dollar business. I had a case where I had to run a parts business at over 50 stores manually because the hard drive had a warped platter in it and could not function. We have no idea how vulnerable we are to technology. We really literally can't do anything without a computer being involved.

Speaker 2:

Yeah, well, and there's such a demand for cloud. These days Everybody touts cloud. Cloud really is just a fancy marketing person's way of saying data center. Your data's sitting on a server in somebody else's data center right, and somebody else's data center right. And now we think, if we go to the Google or we go to the Microsoft or the Amazon or the world, that it's all taken care of for us. But again, it's sad to inspect what you expect because it's not. If you actually read the end user license agreement when you're signing up that agreement that you're saying, hey, I'm the end user, this is what I'm agreeing to.

Speaker 2:

Microsoft and Google both tell you, hey, we don't back your data up, we have our own backups. And if the fans were to turn brown, all of our services go down. We're going to go to those backups, we're going to try to restore services from those backups. And if all of our services come up, great, that's awesome. If your data happens to be there when you log in, wonderful. If it's not, eh, not our problem. We told you you needed to back it up and you would think, okay, well, you know it's Google, it's Microsoft, and you know what are the chances. Well, and you know what are the chances.

Speaker 2:

Well, you know, back last month there was a over a billion dollar organization overseas that somebody in that works at Google. Basically, I mean the 500,000 foot view of it is they deleted, they flipped the switch, deleted data and you know that companies whose revenue is in the billions, their data was gone. Fortunately, someone had backups going to a system outside of Google so they were able to recover, but they were down for a good bit. So you know, it's one of those things I mean it's just yeah, we do have a lot of people touching our data these days. I mean I would just, yeah, we do have a lot of people touching our data these days. I mean I would be surprised if there's a single company out there, a dealer at least, that doesn't have someone externally touching their data Interesting. It's just not the world we live in.

Speaker 1:

Yeah, interesting little comment Learning with those scars, our employee development education business.

Speaker 2:

Learning Without Scars, our employee development, education business.

Speaker 1:

Canada will not allow anybody who deals with a school to have a server that is not in Canada. It's the only country in the world in which that exists. Now I've had discussions with them. Our server now is in Canada, so we don't have to worry about it. But when I'm talking to the government I say, well, how do I know where the server is if it's on the cloud? And that just gives you a small illustration. The other thing about the data backup you're talking about my daughter and I are the principal owners of our classes and she now has a 5 terabit and I have a 5 terabit disk drive that we back everything up every week, both of us, her computer to hers and my computer to mine, so that we're covered. Because, god forbid, I would have to recreate that.

Speaker 2:

I'm not going to live another 70 years to do it those hard drives are in different locations there, right, yeah, that's right.

Speaker 1:

That's exactly right, so I think this is an important subject, kevin.

Speaker 2:

I think it's a critical subject.

Speaker 1:

I really appreciate the time you're spending with us and I appreciate your knowledge, and I want to try and extend your reach a little bit further into the industry, if you don't mind. I'm sure you won't. So let's let's view this as the starting pistol going off on a race that's probably not going to be ever ending, because the bad actors are just as smart as we are and we don't. They find places before we do, that's for damn sure.

Speaker 2:

Absolutely.

Speaker 1:

Have you got any kind of closing remarks you want to throw?

Speaker 2:

out at the audience.

Speaker 2:

No, I mean nothing more than just you know, ultimately, you don't have to. You can't accomplish all this overnight. Don't be discouraged or overwhelmed by it. If you're listening to this and go, man, we've got more issues than a reader's digest with regards to our IT. Don't buckle to the overwhelm. Don't buckle to. You know, it's just too much to do. This is to your point. It's a race that doesn't end and you're just going to have to pace yourself, and so it's just taking, taking small actions today, the things that you can do today that get you 80% of the way there, and um, and just keeping after it and being diligent about it.

Speaker 2:

Um, I guess, if I were, you know, in leadership, it may not be that the equipment dealers are making headlines for being taken a task by the FTC for data breaches or local state governments for data breaches. They may not even be making the headlines for breaches with insurance companies, and if that's true, then fine, that's great. But if that's your only reason for doing it, then for not doing it is that you know they're not making headlines. I think it goes back to if you're being a steward of the organization, you've got to pay attention to this aspect, because this is the one aspect that whoever is in charge of IT, whoever's managing it, if it's done wrong to your point, it can take a company out of commission. It can close the doors of a company for the most part or put them way behind.

Speaker 2:

There is a dealership I literally called and offered the risk assessment one day no, we're good, we have no interest in it. Six months later they were down for almost a month because of a data breach, and you know, some companies don't recover from that. That's right. That's right. I spoke to someone later about it and they were like you know, looking at our data. You know we look back and we're looking over our trends and there's a whole month to two months because there's another month of recovery where they were doing things manual and now they had to key it all in. It's like there's two or three months of our data. That makes no sense. We can't make any business decisions off any of that data because none of it's right. It's a whole black hole for a single month.

Speaker 2:

And so my thing is just you know, if you're in leadership, realize this can take the company out, but, more importantly, it's going to affect those folks who work for you their livelihoods. It's going to affect your clients, who depend on you to be there to keep their equipment running so that they can serve our communities. It goes beyond to your point people before profits. Yes, at the end of the day, we're all running a business and the goal of running any business, even a nonprofit, is to make profit so you can keep doing things. But the ultimate goal, the ultimate purpose of that really should be the people we're serving and the way in which we're serving them, the problems we're solving for them, and I think that in itself should be enough to make somebody go. You know what? I need to take a look at this one aspect of our company where we don't we have a blind spot. We don't know what to expect and we do not know how to inspect it, even if we did.

Speaker 1:

I'll give you one very simple illustration. In the 70s I'm running a computer shop, two computers supporting, I think it was, nine stores, maybe 11. And we went online and we had to be concerned with recovery. So bring it out into today's world and you have a power outage and the power goes out for 30 minutes. So the power comes back.

Speaker 1:

At what point was the data last accurate when the power went out? And where do you restart the business from that point forward? Because I've been operating manually for the last 30 minutes. I have to re-enter that. In what sequence? Because my on-hand will be out, my credit limit will be out, all manner of things we don't even know today.

Speaker 1:

Every single dealership is subject to power outages. Where their computer center is, every cloud location, every server everywhere is subject to a power outage. I haven't heard anybody tell me definitively what their checkpoint recovery system is. Ask that question alone, and it causes some eyebrows. Kevin, thank you very much for this. I appreciate it. I hope the audience has appreciated it. Those of you that are interested in this keep your eyes peeled. Kevin has written as a contributor for us in the past, but will be in the future, and we'll be posting this podcast somewhere in the next week or so, and hopefully we get Kevin up to give us another blog before that time passes. So thank you everybody, mahalo, and I look forward to having you with us at the next Candid Conversation.

People on this episode