Dealer Tech Tuesdays

Justin Shanken - The Cybersecurity Frontline - Protecting the Automotive Industry - Inside Digital Defense and Regulations

April 02, 2024 John Acosta Season 3 Episode 4

Step into the world of high-stakes cybersecurity with Justin Shanken, CEO of Black Breach and a former counterintelligence special agent with the U.S. Army, as he joins us to dissect the growing nexus between digital defense and the automotive industry. Justin trades tales of his journey from clandestine government operations to spearheading security in the private sector, offering a rare glimpse into the frontline efforts to shield businesses from the cyber threats lurking in today's digital shadows. As we navigate through the complexities of government regulations, like the FTC's latest cybersecurity policies, our discussion illuminates the contentious landscape companies must traverse to safeguard customer data and stay ahead in the cybersecurity arms race.

Our conversation with Justin is a masterclass in cybersecurity essentials, unwrapping the layers of protection mandated by regulations such as the Gramm-Leach-Bliley Act. We dissect the nuances between basic Multi-Factor Authentication and the expert-driven realm of penetration testing, demystifying the jargon and revealing the fine line between compliance and a proactive, resilient security posture. We also venture into the shadowy world of cybercrime, where savvy criminals operate with business-like efficiency, underscoring the ever-present risks during critical business junctures like mergers and acquisitions, as well as the cultural perceptions that shape our response to these incidents.

Wrapping up our intensive session, Justin and I cast light on the heavy cost of cyber negligence, particularly within car dealerships, where downtime can siphon revenue and ransomware can demand a king's ransom. The sobering reality is that a robust cybersecurity strategy is no longer optional; it's a cornerstone of modern business practice. As we advocate for the strategic outsourcing of training and liability management, we underscore the substantial benefits of expert involvement in fortifying your business's digital fortress. Join us for this episode—packed with insights, strategies, and unfiltered expertise—for an invaluable guide to navigating the turbulent waters of cybersecurity in the automotive industry.


Speaker 1:

Dealer Tech Tuesdays is brought to you by VTechDealerIT, guaranteeing your dealership premier reliability, stability and customer support. Transform your Tuesdays into a powerhouse of growth. Contact us at www.VTechDealerIT.com. All right, today on the podcast we have the CEO of BlackBreach, Justin Shanken, former special agent with counterintelligence with the United States Army, DOD. He has done some pretty cool stuff in his career and is currently CEO of BlackBreach. Welcome to the podcast, Justin. Thanks for having me.

Speaker 2:

Thank you for having me, John, I appreciate that.

Speaker 1:

Yeah, how are you liking South Florida so far?

Speaker 2:

So far, I do. It's very nice. I haven't been down here for a long time, so it's kind of a nice refresher and, of course, beautiful weather, and I get jealous.

Speaker 1:

I mean, Atlanta's not that bad, right? Not that bad, but it's definitely not Miami. Yeah, I know what you mean. So, Justin, you and I have become, I think, fast friends in the past couple of times that we've met, both of us being veterans, both of us understanding kind of the government world, and I figured it was a really cool thing to have you on the podcast, since you're in the automotive space, but from a really unique perspective, which is the perspective of the government apparatus, of securing the nation's most valuable assets. And, you know, combining that with FTC, your experience with that, and then combining that with the FTC's new regulations in the automotive space, and you have like a wealth of knowledge from that perspective that I'd love to dig into today. So tell me a little bit about how you got into this space, man, like why automotive and how did you get into this world?

Speaker 2:

Well, sure, first let me say thank you for having me on. That's very humbling. Yeah, it's been an interesting roadmap, you know, coming from the government side and from the agency side of the house, and just the bureaucracy that goes with the government, coming into this. We've always worked with private industry and protected that for classified contracts, specifically everything from large organizations that you've all heard of, the Lockheeds, the Boeings, et cetera, all the way down to mom and pops, to academia and colleges that are doing research. So it has been a really good career and a positive career to be able to have so much exposure to so many different elements and size and scope, and then for it leading us here. One of the things that I learned over, I managed that piece for about 12 years, was that cybersecurity and the threats in cyberspace is the threat. Yeah, it's the threat, right.

Speaker 1:

It's the evolving threat. It's cat and mouse.

Speaker 2:

You know, the days of somebody jamming things down their pants and running out the door are long gone, right, and we all know that. But I think what we've seen in industry is that we know these things are threats and we read about them and we read about breaches, but it's almost like, oh, that's far away. Right, that's not me, that can never happen to me. And the irony is it's capturing so many people. I mean, at this point now, it's like crying wolf. I mean, how many times, you know, between the last major breaches, do you just get an email that says, hey, do you care? There was a time that it was huge. We were like, well, what do we do? How do we manage this? So what ended up happening?

Speaker 2:

When I started BlackBreach, we were very fortunate to work with some Mercedes-Benz dealerships as well as with NADA, who's a great organization, by the way. They're phenomenal, and we do speaking engagements and kind of bring our unique perspective, like what we're doing today from the cybersecurity piece, and, as you know, and I'm sure you've talked about on your podcast here, the government has had to get involved to create these regulations. Now, that's been very controversial, right? Some folks are much against that. Some folks are saying, hey, it's about time, you know. But the ultimate goal is to protect the client or the customer, the customer and the customer information.

Speaker 2:

So, regardless of your feeling, and I'll kind of stay away from that piece, it's happening, it's here. But I do want to remind everyone in the dealership space this is not centric to dealerships. In government contracting right now it's called CMMC, in health it's HIPAA, there's finance, there's a regulation for cybersecurity everywhere, and the government has taken, and us as Americans, just in the way our economy works, it's very open, right, there's not been one stance that the government says everyone has to operate this way. And so I heard this, this isn't mine, I wish I could claim it, but there was a general I was listening to and he said, I think of cyberspace and cybersecurity as if we took a Cessna and we're strapping missiles to it.

Speaker 2:

You know how it's just so hodgepodge to that and I do agree with a lot of that where it's really tough. So when we get to, in this case, dealerships, they feel like it's new to them, but the reality of it is it's kind of being spread across the board with protecting our interests, protecting our assets from everything from nation state actors to cyber criminals.

Speaker 1:

I mean, GLB at this point is 25 years old, right? Yeah, it is.

Speaker 1:

You know, it's like, man, it's a quarter of a century old, you know. Come on, guys, we're, you know, we're overdue for this, and you know, okay. So I wanted to ask this question for somebody that is an expert in this field: would you consider the safeguards that GLBA is enacting, is that, you know, the beginner step of securing an organization? Is that middle of the road? Or is that, like, you know, as somebody would say, the most secure computer on the planet is a computer that's never been turned on, right, that's still in the box. Absolutely. And you know, there's a balance between operations and security, like where would you say the safeguard rules are on that, I don't know, let's say, thermometer of, you know, basic securing and, most complex, biometric, you know, DNA samples and, you know, taking your firstborn hostage to secure an organization.

Speaker 2:

Absolutely Signing away your firstborn.

Speaker 1:

Yeah, exactly.

Speaker 2:

No. So we have reviewed this intimately. So Black Breach one of our big claims to fame when this was all coming to, or one of the things we were very proud about, was that we wanted to tackle this at 100%. We have to work with other elements. It is not something that you have to work with your IT element, with the cybersecurity element. I'm sure we'll talk about that more later, but we really wanted to tackle this.

Speaker 2:

So we spent quite a bit of time calling the FTC, you know, speaking with the attorneys there, looking over what was public, looking over the questions, looking over the concerns, talking in 20 Groups, and from us looking in, the results are very minimal. I mean, they're a very first step. So when we say things like have MFA, and for those of you that don't know, it's just multi-factor, right, two-step authentication, that's not really a cybersecurity thing. That's just putting a lock on your door, right. So the culture has been a little bit different and those things are very minimal. But when you do get to things like penetration testing, well, now you're starting to talk about what real cybersecurity is, right, where you're having experts that are testing measures and doing those types of elements, and so I do think there's a bit of a mix, but the majority of it also, and I've noticed, and this is my personal opinion, has been written by attorneys, right, and that causes confusion. So, you know, it's been written very much from a legal standpoint and not necessarily by cybersecurity experts.

Speaker 1:

Yeah, it seems like the government has a knack for doing that.

Speaker 2:

After 20 years of dealing with the government in some capacity, whether military or agency level, I have noticed that, yeah, and that's obviously very confusing: what does this mean? Because when we speak compliance, we want a checkbox mentality. Correct, and I respect that.

Speaker 2:

I'm not saying it's the best mentality, right, because it may check this, but that doesn't mean I can't break in another way or get, you know. So we have to sit back and go, hey, there's one part of this that we want to make sure we don't get fined, we don't get, you know, we don't fall into the, you know, we want to sell cars. Right, just let us sell cars, and I respect that 100%. I mean, I own a company myself. Let us make money and do what we need to do. But then there's the other side of this that's very much going, well, wait a second, we have to have, and to us in this field, I hope you would agree that from an IT or cybersecurity standpoint, some of these things are very minimal. Yes. And they can even help you sell cars. Correct. And help your data stream and help you be more lightweight. And I think that culture is starting to come across, especially with our clients and what they've graduated to from security, but it's taking time. Yeah.

Speaker 1:

Yeah, you mentioned something important, and I think it's important from your perspective to define what a penetration test is. You know, there's some companies out there that are doing a check-the-box pen test, and that also has a spectrum, for lack of a better term, of what a pen test is. In your experience, what would pass the smell test of a penetration test? Is that something that you're, you know, doing one time per year, twice a year, ongoing? You know, how deep, how pervasive, what type? Are you doing boots on the ground? Are you, like, social engineering the organization? Like, what's something that you would say this is what a reasonable human being would do to properly assess the security measures of a dealership?

Speaker 2:

Yeah, that's a really powerful question. Yeah, so let's start with the first part of that. What we have seen, unfortunately, and this isn't just in dealerships, we've actually seen this with other elements and other companies, a penetration test is not... Let's talk about what it's not first.

Speaker 3:

Okay, okay, okay, that's a good thing, it is not a scan.

Speaker 2:

It is not an automated run and done. Okay, those are called vulnerability scans. There's a name for that. It's already got its own name. It's its own thing and it's powerful. It is very much a tool in the toolbox. But a penetration test is not just that, right. There are certifications, there are skill sets, because, one, penetration tests can cause damage if you have somebody that's doing it incorrectly.

Speaker 2:

That's just the truth of it. You need to be certified and have experience, and one of the things that people don't really realize is the only way to get experience in penetration testing is either, (a), working for the government and you're getting the okay, the green light, or, (b), you work for a company and you got a green light with it. Anything else, unless you're in, like, an ethical hacker, which is like a club, and you're testing. But that's not... Those are kind of war games. Those are not real-world experience.

Speaker 2:

Yeah, like bug bounties. Exactly, those types of things. Now, they're not... It's a great learning curve. So if you're doing it any other way, you're a hacker and it's illegal. Yeah, right.

Speaker 2:

So, you have to be really careful of what people are claiming are and are not. So I like to start with what it's not, and that's very simple. So if you have a service or you're working with someone, one of the questions I always recommend asking, because I like to empower the people I speak with, and that's information, it's just what it is: ask the right questions. Hey, when you're doing this, are you running just a scan, or do I have real humans that are coming in and looking at our network? Because remember what the name is: penetration. Vulnerability testing and scans identify vulnerabilities. Penetration testing is going into those vulnerabilities and penetrating. That's why it's called that, but it's gotten a little loosey-goosey lately. The other thing I would ask is, what are your certs? If I go to a doctor...

Speaker 2:

Yep, it was that old Norman Rockwell painting where the kid's, like, pulling up his pants and he's looking at the painting on the wall, not a painting, excuse me, his diploma on the wall, to make sure.

Speaker 1:

That's just what I think about every time I say this. So ask them about their certifications.

Speaker 2:

It's not a secret. So if they have people that are running these things, if they have graduated to the level of, yes, we have people, they come out and do this, then you need to ask about kind of the timeline of this. Right, reputable penetration testing is usually done... It could be done by hours. That could happen, because we have to realize that bad guys have all the time in the world. They can just keep going, right. But in business we're usually grouping this into hours and how we approach it, and so, or it can be essentially by days or by scope.

Speaker 2:

So, depending on what you're trying to accomplish with this, I would think for our viewers and with dealerships, the goal of this also is to find things. I think a lot of IT elements are so terrified of getting poked in the eye, and that is not the culture, and I want to remind all senior leadership out there, because I think IT knows this. IT elements, other cybersecurity, I think they get this, but they're very worried that their leadership sees this as a failure. This is why we do it. Yeah, of course. Yeah, that's why we're doing it. We're not doing it to say, fire this person or not work with them. That defeats the purpose. It's to have a series of checks and balances. That's why the fox should not guard the henhouse.

Speaker 1:

Yeah, yeah, no, that's really good insight, because they try a weaponization of a pen test, which I don't think is the right approach. It's a test, it really is a test, and you either pass or fail. Or you got a decent score, you got a bad score, you're leading the pack or you're not leading the pack. And, you know, I was talking to somebody that's a cybersecurity expert and went through HIPAA, right, 20, 30 years ago, and they were saying the same thing happened, and it wasn't until, you know, some people touched the stove and the government, really, like, those lawsuits started coming in, and they said, hey, what do the actions of a reasonable human being really look like when you're in a court of law? Right, it's like, are you doing all the things that a reasonable human being would be doing? And then we're going to start learning as this progresses. This is a journey. We're all on this adventure together.

Speaker 1:

Very much so. Yeah, we're all on this adventure together and we're going to figure out through the lawsuits what that looks like. Right, the class action lawsuits that you've been talking about in the past couple days. That, I think, is a terrifying development in this thing. You know you called it a long time ago to say, hey, there's going to be class action lawsuits like the ADA lawsuits are coming up. Yeah.

Speaker 2:

And that was very. It's unfortunate, but I did. Yes, I saw that coming down the pipe, because it's just, you know, history tends to repeat itself, Right?

Speaker 1:

I mean, that's just one of those things History tends to repeat itself, right?

Speaker 2:

I mean, that's just one of those things. And for those of you that don't know, this is bigger and I think we need to change the mindset of the culture in the dealership space, especially when it comes to cybersecurity. Right, and this is a first step, right? I think we're a year in. You know, when I was speaking with NADA and quite a bit of those at one time, you know it was very raw and new, and now we're kind of a year in and people are trying to figure out, okay, what are the costs, what does this look like, et cetera. But one of my biggest fears that has sadly come to fruition is that I realize that the majority of dealerships owned out there by older I mean, this is not to knock anyone but older folks, that these concepts are newer. It's not the way we've always done it, or whatever the culture is. A lot of them are family oriented, right, which is powerful. I think that's great.

Speaker 2:

But they have been very much driven by the compliance mindset of the FTC. What's the fine from the FTC? What's the fine? What's the liability there? What's this? Compliance, compliance, compliance. Well, the lawsuit piece, and I think everyone needs to understand, because this is happening right now. In a recent case there's class action suits where attorneys now, and everyone knows that type of model, right. Oh, have you ever been hit by... Were you stationed at Camp Lejeune?

Speaker 1:

You know, I mean this thing because attorneys make a lot. Asbestos, asbestos, exactly right.

Speaker 2:

Everyone makes money. But now dealerships, and this is happening, look it up, are being sued for breaches. There's one that's happened. It was 51,000 names and identities that were leaked within the breach. And don't worry about the FTC, worry about being sued, because the FTC may choose to or not, they can't pick everybody up all the time. They're starting a new thing, a new culture war, kind of going back and forth, of going, like, how much can we get? How do the vendors react to this? It just goes on and on and on. But if you have attorneys out there, and I looked and did my own research, especially before I came on here, I found four different separate law firms that were saying, if you were involved in this breach... They're actively looking. And then it comes right to your doorstep.

Speaker 2:

And I'll make it even scarier. All they have to do is go to the dark web where it was breached to find the names breached and start calling. So it's not like before where you go. Who was stationed at Camp Lejeune? Who was, as best as I know? You're out there, the keys to the kingdom are on the dark web to have a sales list, to start calling. And yes, I think the average victim makes $12.

Speaker 1:

Yeah, the attorneys make 50% of multimillion dollar lawsuits.

Speaker 2:

So, the liability. We have to get out of the mindset. We need to start realizing that, one, breaches, ransomware, losing data is bad, and we can't hang our head in the dirt anymore. And we are dealing in a culture of technology, right, where everything's moving so fast, right, it's very difficult. So having a third party or your IT or cybersecurity vendor like ourselves that keeps up with this for you, especially from the liability piece, is very powerful. It's more than just, are you putting blank on our systems and looking

Speaker 1:

for malware? So you said something when we were talking a couple of days ago that was really interesting, which is buying a ticking time bomb when you're doing a buy-sell for a dealership, right? It's like, has that information been exposed, of that dealer, you know, that customer base, and are you buying that exposure? Right, it's like you're buying the, you know, the Trojan horse of these class action lawsuits, and so that started really getting my gears going. It's like, oh crap, the implications of this are vast and wide.

Speaker 2:

I think you can look at this on two fronts. The major case study for this is not a dealership, it's actually Verizon buying Yahoo. Okay, if I remember right, I think it was Verizon buying Yahoo. Yahoo was so breached, was so penetrated that, if I remember correctly, Verizon got like 350 million back.

Speaker 2:

Wow, yeah, because it was just, it was devastating. Now that's a huge case study. But to show, when you're doing M&A, and I have worked with many dealers at this point and large auto groups that we're fortunate enough to have as clients that are constantly buying, they're constantly buying and selling, and I think for the dealership leadership out there that's very familiar with this, it's very quiet, it's very secretive.

Speaker 1:

Very secretive Because there's so many different 90 days out. Yes, it's very secretive.

Speaker 2:

So what we've tried to do, and we do this for M&A for other businesses, and what you and I were talking about before, you don't know what you're plugging into, let alone what you just mentioned. They could be affiliated with the lawsuit piece as well, because, I mean, that one case study of 51,000, those names, that's a lot of names. Yeah, right, but like compared to... I mean, that's minuscule. There was, what, just the mother of all breaches?

Speaker 1:

It was 15 terabytes or some absurd number of records that were exposed. It happens all the time.

Speaker 2:

Well, let alone the Equifax breach, right. So that's, I'm sorry, all our credit information, and then one that I fell into, and you may have too if you had security... Exactly. You're already there. I have the OPM, the OPM, right? So for those of you that don't know, yeah, OPM was the Office of Personnel Management. They were a government organization, still are, that used to do the background checks for everyone.

Speaker 2:

Now that's moved to DCSA, it's actually gone back to DOD because of that breach. Oh geez. And it caused a... But here's what I want everyone to know that is not an ex-military veteran. If you have a clearance in the government, you fill out your neighbor's information. Yep. You fill out your blood type. Yeah. You fill out...

Speaker 1:

I mean, it is an exhaustive set of forms, as comprehensive as they can make it, but not just for you: your family, your neighbors. It's just so comprehensive. Close acquaintances.

Speaker 2:

And that data is gone. Yeah, I mean a huge amount. Now it's funny how that was seen. That was actually seen from government to government as an okay attack and, even though that's wrong, they thought of it as a military to almost military. Where one of the fights that we've had is well. When you start going after private industry, well, now we're getting dirty, quote, unquote. So it's weird to hear the culture.

Speaker 1:

I've heard a lot of talking Like above the table.

Speaker 2:

Adversarial engagement, yes, like, oh, they're government people in the military, government, that's okay. We don't want it to happen, don't get me wrong.

Speaker 1:

Yeah that makes sense.

Speaker 2:

But the way that that attacks. So when it hits Equifax, well now that's below the belt. Oh, wow, so I've heard so many different, the culture changed so much, and again it kind of goes to that Cessna model that we were joking around about earlier of like we're still trying to find out from nation state actors, cyber criminals et cetera, and then dealers are just being thrown into this.

Speaker 1:

So there's almost, you know, and I've been wanting to ask you this question. It's like, you know, there's nation-state cyber criminals, right, there's state-sponsored cyber criminals. But there's also an extraordinarily mature element that are just run-of-the-mill white-collar criminals, that are in Romania, Uzbekistan, Latin America, all over the world, that have a very mature, almost, you know, like dark MSP model, that have, you know, helplines and monthly subscriptions for their phishing emails. And, you know, like, can you talk a little bit about how mature the dark MSP, cybersecurity, the bad guys, what that market looks like and how mature it is?

Speaker 2:

This is... I really love this topic.

Speaker 1:

Yes, this is a juicy one, I really do.

Speaker 2:

I really enjoy this because I love, and I think your listeners will enjoy this too, because I think they'll respect it when I put it in this term: they're a business. They're not... So when you said it's one guy in a basement, that's usually like the Anonymous, it's usually eco-terrorism ideology. Not to say it can't happen, not to say that somebody... But I was working, we were doing a forensics case last week and we looked back and it was saying, you know, we're looking at the ransomware, and during the negotiations, because there are negotiations, right, they're a business, they say, hey, we are the top. They were advertising themselves, just like a business would, right. They said, hey, we're the top, whatever, we're not going to screw you over, for lack of a better term. If you pay us, we will not extort you.

Speaker 2:

So what you need to understand is, when you're talking about all these places around the world, not just the typical nation-state actors that we think of, they have floors, they have businesses, to them it is a business. It is just like SDRs and cold calling. If I go after... They have a model for this and they make their money, and they make so much more money from this than they do working locally. Yeah, right. And so I just want everyone out there to understand it is a business. So when you think I'm under the radar, that this small guy won't find me, that's not how it works.

Speaker 2:

They find a market just like you find a market, dealerships have become a major target right now, and I'll tell you why. One, because it is perceived, whether it's true or not, that you are extraordinarily affluent, the amount of cash, the amount of money that you have. I don't know if that's true, I've seen it go both ways, but that's the perception. Okay, and I think a lot of dealers want that perception. They want to look successful and my name's on it if it's family, et cetera. Two, if it is family owned, we know that the decision-making tower is short. I can probably get, instead of going through like a major, let's say, auto group, where it goes through, and they also are thinking you probably don't have the resources to protect yourself. Okay, so if I'm think about it, let's all put our hat on our bad guy hat.

Speaker 2:

I'm going to target someone who's got money. Why would I break into a house with no money? That makes no sense, right? I'm going to pick what we call soft targets, right? So a soft target is just easier, right? If the house has, you know, guard dogs and AK-47s, you know, guards sitting outside, guns, gates, guards, that's a hard target. I'm not going to do that. So I'm going to go after a soft target. The target needs that money. It needs to be in a market that I've been successful in before, just like you would be, right. Oh, we sell cars to this demographic, to this group, and they've paid out. It works, and so, you know, you can become a victim of circumstance, and so it starts to replicate, and then it becomes a major problem, and that's what we're seeing right now. Yeah.

Speaker 2:

Ironically, I think some of that, even though it's good that the FTC and what we've done to help stop this, it's also put it on the radar. So if you think that these groups don't read the news, US news, they do. All the time they're looking at what's breached, because they'll go buy that data. They look at what's breached, they live on these things. And there's one last thing I want to say here. We always say there's no honor amongst thieves. That's not really true in this space that I've seen.

Speaker 2:

It is a business where they will share. I've seen no different than Reddit, a Reddit post on the dark web, where they will say, hey, I'm trying to break into blank, can anyone help me? And they will jump in and just tag team and help each other and it's all anonymous and do that. So I just want you to know it is not one person in their basement and even if it was, they have the power of the internet, the dark web, helping them. And so the adversary is very real and very timely and very fishnet approach of what I mean by that is it's not so surgical, it's not always picking. They'll go after a market and then just get as much as they can. They don't care if it's the top guy or the bottom guy, they just need money, yeah, so that that's you know.

Speaker 1:

And strangely enough, there's ethics also within, you know, the thieves, right? Like, there's that pirate ethics in some capacity, right? It's like when they had the pipeline hack, they were like, hey guys, we didn't want to, you know, we didn't want to stop the United States. Sorry, my bad, here's the stuff back, and they kind of reversed it, right, in some capacity. It's like they don't want to...

Speaker 1:

That's why mid-level targets are such a great market, because if you affect 10% of the dealerships in the United States, that's a great payday for them. Rather than getting on the federal state sponsors of terrorism, where you get on the cyber terror list, or you get on one of those lists where there's Too much exposure, yeah, exactly, where they're spending billions of dollars to come after you, you're just like, oh no, no, no, we're going to go under the radar and we're going to be these little groups that are going to target these smaller dealerships and go after that. That's the, it's the prime target. You don't want to go after the whales and do a man in the middle attack and then have the attention of the globe coming after you.

Speaker 2:

Yeah, in fact, we've seen this quite a bit where guys get too big for their britches and it gets real scary, real quick for them. In fact, um, well, I won't go totally into it, but I will say that there have been negotiation tactics to say, hey, so there was at one time, you may remember, where Russia and Putin said there was an agreement. Now this agreement has lapsed: we will not attack your infrastructure and vice versa. And you've got to understand, if you're a hacker and you just tapped into their infrastructure and you're sitting in some element of Russia, or another country that Russia basically controls or influences, some folks would go, hey, this is infrastructure, did you know this? And they don't want to mess with Putin in that.

Speaker 2:

And we'll go, here's your keys back, sorry. Sorry, we don't know. Now that's changed, right, and the culture with that, but I will say that they do want, remember that fishnet approach, they don't know what they're always getting in that net. Yeah, that makes sense. So, one of the things I want to kind of warn about, and one of the tools we've actually spent quite a bit of time at Black Breach developing, is a tool where we can tell if you've ever been compromised or are currently compromised. Right, it's only for Windows systems right now, but it is very powerful. So what you're going to understand is why is this important and how do these tools essentially work? Well, one, these things look for, um, known goods, and that's what we all use, right, these programs, these executables, et cetera, everything that we've got that's known good. Got it. Known bads? Okay, well, it's malware. Okay, this is what antivirus does, is that special?

Speaker 2:

You know what it does, et cetera, but the key is is the unknowns, and so one of the things that you can understand is there is this term called zero day, and it's very popular in cybersecurity, but I don't know if you know anyone here would understand that. But zero day is a very simple thing of no one's ever seen it before and zero day, and so you can understand.

Speaker 2:

If you're a country now, or an element, that has the zero day attack, whether it's against a Microsoft, these things happen. Microsoft, Google, the biggest, the biggest organizations. They find a backdoor that no one's seen yet. Well, what's the first thing you're going to do when you use that golden ticket? You're going to patch it, so it's worthless at that point. So that silver bullet has to be used just right, you don't want to waste it. So a lot of these elements will get themselves on networks and just sit. They'll just sit in that big, huge fishnet and try to see, whether it's from the previous conversation of hey, I want to make sure I'm not getting in over my head and it's a military target, and yeah, et cetera. Or infrastructure, you know, depending, uh, because infrastructure is targeted, no doubt, that's a huge concern. Or is this something that's right in my alley? But if they're going to use, like, a zero day, they want to make sure they're using it on the appropriate target and using that silver bullet.

Speaker 2:

And so there's a constant battle of identifying these before, and that's something we attempt to do, and we work with the government because of my past and try to provide that data to them to make sure, if we can, we can find these unknowns that no one's ever seen in the wild before. We're saving, doing our part, essentially, and the government reciprocates that, right. My comrades and, um, you know, other agents that I work with, uh, we're constantly discussing, you know, what's new, what's out there, and so I just want you to know again: having the right people backing you is powerful, right, and keeping up with this information.

Speaker 1:

So would you say, like, how much of a growth have you seen in that private-public partnership, tip of the spear kind of exchange? Are you seeing that you guys are, because there's, no, I don't think there's somebody that I've talked to before that's closer to the problem than you guys. You guys have talked to the FTC directly. You guys have spoken at NADA. You're exchanging with governmental organizations, you're exchanging with your peers. You guys are really, you know, at the tippy top of what this, you know, protection for this industry is. Have you seen that grow over the years, that there's more collaboration between private and public? Or is that something that is because, in your case particularly, or are they saying, hey, there's some value here that we can collaborate with private institutions?

Speaker 2:

Yeah, there's a lot of great private institutions that are working on cybersecurity endeavors, and very large companies, and data sharing and information sharing has been very positive. Right, there are challenges, like anything else, just because it is the TTPs, right, the procedures and techniques that are used for these attacks are always evolving, always changing and, excuse me, getting more creative. I will say that we try to stay in front of that, and it is a full-time job. It is, I will say that. New industries. We've seen a lot of IT companies attempt to pick up elements of cybersecurity.

Speaker 2:

I do think it's important to kind of understand the difference between IT security and traditional cybersecurity. They're both equally important, one is not less, but they are different lanes. Yeah, and I think, I'm going to go down this just for a moment, you know, when you think of your MFA, multi-factor, and firewalls and passwords and these things, those are traditionally encryption. You know, hey, we've got some encryption, those are tools and concepts that usually fall under the IT realm. Right, your IT will pick that up. When you think about, for the most part, SOCs, not to say an IT company couldn't have a SOC, I think that they could, and there's great partnerships out there. I think it should be a third party, though. I very much believe that, because it's very expensive and that's a full-time job.

Speaker 1:

Shoes to the shoemaker, as somebody would say.

Speaker 2:

Absolutely, absolutely. But when you're talking about keeping people from access, IT usually wants to give you access. Hey, this is broken, I need it fixed. To continue access.

Speaker 2:

A lot of cybersecurity professionals want to do the opposite. We want to limit access: how many admin accounts, et cetera? Which is still IT? There's still crossover there. Don't get me wrong, but when we're doing risk assessments and ransomware and, you know, looking at the targets and tooling, God, the tooling, the tooling. Tooling, just because you buy a product, right, an EDR solution, SentinelOne, CrowdStrike, you know, Sophos, et cetera. Just because you buy a gold hammer, or I'll put this in, let's say you have a gold wrench, doesn't make you a mechanic, yeah, right. And so we've seen a lot, when we do penetration testing, where tools have been bought and they're great tools, they're tools we use, and they just haven't been calibrated properly, yeah, and that does no one any good, unfortunately. Not only calibrated correctly, they constantly have to be calibrated all the time, you know, in a regular, measurable, repeatable and trainable fashion.

Speaker 2:

Yes, and all the time. I mean just all the time. Now I will say, traditionally, the ramp-up time, you know, everybody takes about a month to understand your environment and then get there and then move from there. But as attackers get more and more sophisticated or clever, that has to be tooled into your guns, gates, guards, right. And we use this for, we were talking about pen testing earlier, in that we're always changing our TTPs, right, and our techniques, and doing things more clever. We love using, we don't always do this, but we'll do social engineering attacks, right, and so we may do so.

Speaker 2:

One thing that I think people get so wrapped up in, when we say the word cybersecurity, they think tech, they think a bot. They don't realize it is human beings behind a computer. They have wants and needs. They want to make that money, they want to buy that car, they want to do everything you want to do, they want to eat well tonight, and they are limited to their knowledge. It is not some AI out there. Now, maybe in the future it might be, right, and we're actually working on that. I've got one of our senior guys writing a great paper on AI and I'm excited, we'll post that. But for right now, I'm speaking as of today, we're still dealing with behaviors in humans, and so one of the things we like to do is we like to address that, and this is another thing that cybersecurity really does.

Speaker 2:

In phishing attacks, we'll do credential harvesting and make it look like a portal. It could be for your DMS, it could be for your login. You will not know the difference, I promise you, and we have the backstopping to do it. So when you put your creds in, we now have your creds. Then we sit back and go okay, and these things are not that difficult.

Speaker 1:

They're really not, they're not technically difficult.

Speaker 2:

They're not, and I think it's really nice because when you do bring in the expertise and we show our clients what we've done, there's a wow factor. But it's like an old school magic trick, like when you pull behind the curtain you're like, oh, that's all you did and you go well yeah, it worked frankly. And it does, and some of the simplest things are the best.

Speaker 1:

Yeah, so, um, there's brilliance in simplicity. Yes. So can you explain? You know, maybe some of the listeners don't know exactly what social engineering means. What does it mean in, you know, just layman's, the most basic terms? What is social engineering?

Speaker 2:

Yeah, um, for those of you out there that may not, everyone, I think, at this point has heard of phishing, right, P-H phishing, right. So phishing, phishing emails, okay, that's a form of social engineering. That's an example. So anything that's essentially attacking a person, a target, working on, um, you know, uh, defeating a human firewall, so to speak. Right, and what's the goal with that? Okay, I'm putting my bad guy hat on. I want to get someone with admin rights, right. Or I want to get someone maybe in leadership or accounting, all the controllers out.

Speaker 2:

There are huge targets, huge, right, because you just deal with accounting, you deal with the money. So if I were to mimic the GM or the owner or the owner's son, and then put some type of stress on, and you think it's coming from them, it could be spoofing. So that term is to look like someone you're not and say, hey, I need you to wire this to me immediately and it has to be by this weekend and this, and they just go yes sir, yes sir, and it's all through email and nobody gets a phone call. We deal with that all the time, yeah. And so, using those human techniques and pressure points, whether it's your fears, whether it's your desires, right, the old blackmail, yeah, very real, whether it's your concerns, we manipulate those, and bad guys manipulate those, and then use that to make some type of cyber attack successful. That's such a good way to put it.

Speaker 1:

Thank you for that explanation, because I don't think a lot of people understand that the person is the best target in an organization, and the weakest, the softest, the most manipulatable is that person.

Speaker 1:

If you're a tyrannical leader, that can be leveraged against you in so many ways, if you don't encourage trust but verify from everybody in your, you know, to use Ronald Reagan's term, right, it's like trust, but verify from everybody in your chain. They're thinking that they're doing something right for the boss by buying 25, 500 Apple gift cards and then scratching off the numbers and sending it to somebody. Be like, hey man, hey sir, just want to confirm that this is the thing. If you don't have the, you know, organizational culture to be able to provide a challenge of that. Or a multi-factor verbal, because multi-factor can go in many ways, right, you can be like, hey Justin, hey man, let me just verify it's you, you know, face, uh, what's it? FaceTime.

Speaker 1:

Or you can, you know, have a challenge word. It might be thunder lightning, you know, to use a Panda Brothers term, sure, right. You can say, you can, whatever, you know, whatever methodology you devise, but always multi-factor authentication can be applied to everything that you guys do in the organization. Yes, but I do want to warn you on that.

Speaker 2:

If I have recruited, this is kind of going back to my past life, but let's say I've recruited the controller, oh yeah, and she doesn't know it, he doesn't know it, they don't know it. Okay, they're going to put in both levels of multi-factor. They think they're doing the right thing. It doesn't matter how many guns, gates, guards you have, if the right person walks in with a badge, and whether they know they're doing wrong or right. You know, if I've coerced them through an email, I didn't even make a phone call at this point. Now, social engineering can get into phone calls, it can get into voice phishing, absolutely, text messaging and

Speaker 2:

AI and so many. In fact, I saw this one, it was like a Black Hat, where it was a woman, and I love this because we need to be honest with ourselves of who we are and who we're not, and it was a woman who made a phone call and she played in the back a baby crying, and it just was a track. There was just this baby crying and she was calling a major company, and it was during this, you know, they always have contests, right, how fast. And this woman is just acting, you know, desperate, and was like, I don't know, it's my husband's account and I've got to get this and, you know, traveling and the baby and I've got to get the login for something with this, and they gave it to her.

Speaker 2:

And so we have, you know, human tendencies to care, which are good. These are great things, but we need to understand, you know, where our weakest points are, and so we have a new service that we've put out there that we actually look at. So one thing that I'm always concerned with is we always think of email control as spam. That's been the traditional. We all know that spam is spam. Those are things that are not sophisticated. The stuff that we have now is actually behavioral. So we identify, and this took a while, this was not something that was just overnight, we now have a setup for clients, um, that if these two people are talking and they've never talked before, and they're talking about money, that's a problem. Why? So we can find those behaviors and get in front of it. Now, could it be legit? It could be.

Speaker 2:

Absolutely, but it takes a phone call. We stop that. We're able to get in front of it and we've had some very big successes with it recently. But I want to remind people that FTC does not cover this. No. So when you asked earlier, and this kind of brings it full circle, hey, is it good, is it medium? Is it, you know, where are we at on the scale of what the expectations are? It's looking at ransomware. Um, very hyper-focused, in my opinion. Yeah, but it's not looking at

Speaker 2:

It doesn't say the word phishing anywhere in that, and I think anyone out there now, yeah, I remember when we spoke to the attorney before. The counter argument was, well, it says a complete program. Well, define complete. We'll define that, right. Again, written by attorneys and not really written.

Speaker 2:

So where are we at? But we all know phishing's a problem. It's 90, that's the newest stat. It's something ridiculous, 97, 98 percent of all attacks are. Now the vector that is coming in through is, um, basically social engineering. It could be email, uh, whether getting you to click on something and download it. It's all coming to, um, to the user first, and that's extraordinarily dangerous, and it's kind of being missed in some capacity. We all know it's there, but there is no check-the-block for it of where it is now.

Speaker 2:

So I would encourage everyone out there to really look. For a lot of our dealership clients, it started with FTC. Right, we had kind of an FTC, we still do, in a box. We're covering a hundred percent, we're doing all of it. Hey, are we compliant? Yes, you're compliant. You guys are good, we're good, let's move on.

Speaker 2:

And as the culture has moved on over this year, it's been very positive, at least in our experience with our clients, of going, hey, we got a phishing attack. And I don't mean just okay, we have phishing training, we offer that, but phishing training only goes so far. Right, you take a course. Or we do simulated phishing attacks to help keep people on their toes. But many of these things, I think, help with a culture, but it doesn't cover all of it, and so it ends up opening up a conversation of going, well, FTC doesn't really address this. You know, we do, and it ends up we do need to get in front of it, we do need to do this, we do need to do that. So it has grown quite a bit. I will say it's been very positive in the last year. I think the dealership space is starting to go out, I'm getting it now.

Speaker 2:

I'm seeing it, I'm experiencing it.

Speaker 1:

Yeah, and I think that, um, this is a, I think there's a great growth opportunity in the organization as well, because you can do so much, like, by leveraging technology and understanding how technology integrates into an organization. You can leverage that technology to be a force multiplier, understanding the risk of it. Right, it's like you can have employees that are traditionally excellent but have to work from home. But as long as you do and create the right infrastructure where somebody can do that safe, securely, repeatable, trainable and measurable, then you can have a workforce that is flexible, that can work from home. You don't have to have them in the dealership. You can have, you know, people that are appraising cars remotely, and as long as they have the right tools to be able to do that and you have the right training, you can really become an extraordinarily agile organization. And that's, I think those things go hand in hand, right.

Speaker 1:

The threat comes in. You get a wake-up call. Then the industry becomes more agile, it innovates more to address this new, either governmental threat or, you know, malicious actors threat, and then you fine-tune the whole body of dealerships, right, and I think that that's where some of this opportunity is coming from. Because, when you know, and I would imagine that you guys see this as, like, the IT guy's perspective of a dealership is completely different than traditionally looking at it, right, you can see the systems behind everything working.

Speaker 1:

It's like, why don't they do this? And then you can start putting the things together, but there's so much systemic resistance against that that it becomes difficult to drive and embrace change. So what's been the major resistance that you've seen for dealerships when they're having this conversation about cybersecurity? Or because you're a big hammer, right, I'm like, you know, government dude coming in, cybersecurity, counterintelligence, all this experience, and, you know, dealerships are like, whoa, I don't need that much stuff, I'm just a little tiny dealership. What's that resistance that you get from them when you have this initial conversation?

Speaker 2:

Yeah, I would say first is always cost, right, and that's fair. I think the other, one of the other things that we've had to kind of discuss for our value added and the return on investment, we've had to really talk about one. If you do this correctly, kind of going back to what your comment was earlier, you actually save a lot of money. There's a lot of money to be saved, in fact, when you set up the way we've set up. You don't need antivirus anymore, you don't need, like, these other things you have been paying for at some point that has now matured into a bigger, better product, and you don't need the duplication of effort, right. So one of the things we try to do now, we don't know what we're going to save you until we get in and start working.

Speaker 2:

You know, seeing behind the curtain, so to speak, but it's always cost is the first one, I would say. The second challenge has been communication, right, of what they're seeing out there. Well, this company just kind of does this and they're saying they're okay, and we go, well, I can't speak, obviously, on behalf of other companies, but we've spent an exuberant amount of time making this correct and doing the right things, and making it very cost effective too, and making the price model make sense, right, charging it.

Speaker 2:

We personally charge by endpoint. I could see other different models doing different things, but we have to look at the tools and what it costs and how those things are done, and some of the things that I've heard from other clients that have transitioned over are not traditional cybersecurity company models, and not just us. I mean big boys that do this, that know what they're doing, and you can tell that there's some confusion in the space, and we are starting to get clients from those, either A, because they've had to do all the work, and that means they have to take on the liability too. So I love to talk about liability just because of my background and I'm used to thinking about it all the time, but I want, we've worked with so many different insurance companies. One thing I hope for the folks listening out there: if you fill out a form yourself, whether your own risk assessment or your own form, you essentially are now stamping that off for that liability. So let me give you an example.

Speaker 2:

In insurance, cybersecurity insurance, I mean, they send you a form, because our clients send it to us. We fill it out for them, right? We're experts, we're covering it. Yep, you have this, or no. They're asking for something new, because that's changing yearly. Yes, because they don't want to pay out. They're tired of paying out. In fact, they did a survey and people were asked, what's your cybersecurity plan? And they go, it's my insurance. Oh God, yeah. And so what does an insurance company go?

Speaker 2:

Oh yeah, they're not. I've heard all sorts of different things of how they're reclassing certain ransomware, of if it falls under terrorism, they're not paying out. If it falls under this, it may not pay out. So a lot of these things are being written different. So let's get back to that liability. Now you're the one filling out that form, nobody's sitting with you, and if you, quote unquote, pencil whip this, you're good for now.

Speaker 2:

You'll get your insurance, but the minute that there is an incident, they come back and hire folks like us to verify that you've done what you've claimed to do but yet still fell victim, correct? Well, if that pencil whip doesn't hold up to it and you're filling out all these things yourself, again, the liability is so costly on the back end. And I think the icing on the cake is, and I think everyone's seen this through NADA, and FTC has put this out, that the new regulation coming out is stating that if you are breached as a dealer, you now have to self-report. Yep, you have to self-report. I think there was this concept at first of going, well, wait a second, I can, well, did anybody sue?

Speaker 1:

Yeah, did anybody do this? Yeah?

Speaker 2:

Anybody notice that? Did we survive this? Did, yeah. Were we able to get off scot clean? Can we, you know, now if you're self-reporting? I don't know where that information goes. I'm not privy to that, I don't know, you know, what happens out there with that or what will be the next steps, but these things are becoming this exposure. Protecting our clients' PII, or personal information, is expected now. So, yeah, this is all evolving so quickly, and I know in the dealership space that there, at least it feels like, I'd ask you, like, do you feel like it's been kind of the status quo for so long, or has there been other compliance measures over the last few years that have?

Speaker 1:

It's a good question. So, California, there's been some states that have been ahead of the curve, right. So CCPA, right, which is the California Consumer Protection Act or Privacy Act, I can't remember which one it was, started doing that, right. They started saying, hey, these things have to happen. And so a lot of our California dealers we were doing, you know, we had SOC partners doing 24-7 monitoring, 365, with the big boy tools that we all have, and we've been doing this for years. And, you know, one of our growth issues was that we're like, hey, I'm staking my reputation, I'm making sure that we're protecting you guys and making sure that you guys are safe, secure and able to do business. And so, you know, dealers were like, why do I need all this stuff? I'm at, you know, I'm willing to go as far as being at risk of not being in compliance, and I'm like, that's a terrible strategy.

Speaker 2:

Um, it is. Well, and I will jump in on that, not only from the, um, let me. Let me put it this way, because I've heard that one too, and it is very shocking to me. It's shocking. Um, forget the FTC fine, right, because do you get fined, do you not? Who knows?

Speaker 1:

Um, like, define what a fine is, and then you can, you know, it can get litigated, it can get, you know, minimized.

Speaker 2:

Forget litigation, let's put that in a corner for a minute. Forget ransomware payment, let's put that in a corner for a minute. Let's talk about the cost of being down. Oh yeah. I mean, seriously, I think the average, we did a study, we ran some numbers, it was like $50,000. And of course this is depending on the scaling, right, of your dealership, how many rooftops you've got, et cetera. Being down costs you blank. Now what if you were down at the end of the month?

Speaker 1:

Yeah, absolutely right. I mean, if the average dealership in the United States does 70 million gross, like, you can divide that amongst, you know, um, what is it? 20 days a year, let's say 24, because they're closed on Sundays. Some dealerships are, you know, seven days a week. You can make that calculation relatively quickly.

Speaker 2:

You can do the average, right, and I would, you know, for the homework assignment for anybody out there, I would encourage you. You know your numbers, there's no doubt in my mind, right, I've seen these dealers speak and it's been exceptional, how well they run their companies, right. Um, but you can run some easy numbers to go, the cost of this is now way, way, even if it were to happen for five days, because usually the average downtime is from one to two weeks.

Speaker 1:

Yeah, there was a big group that just on the west coast.

Speaker 2:

That got hit and they've been down for two weeks. I mean just the amount of money, let alone how well that spread into how many locations and rooftops.

Speaker 2:

Right, and then your employees want to get paid. Yep, I mean, it just is a, it's a disaster. It's a disaster, it's a butterfly effect, yeah. So I just want to encourage everyone to look past the, you know, there's the FTC element, the compliance. There's the liability element we've discussed of, you know, the lawsuits, the class action, the, you know, so many different angles that that can mutate into. There's the ransomware element, if it were ransomware, of paying the fine, the fee, whatever it is. There's the downtime payment, and then the last thing, and I would throw this to you because you're an IT superstar, is things get broken. You have to fix IT. There is usually cost on the back end of doing backups, et cetera. And again, I don't want to overspeak, because I'm not an IT guy. This would be to you, but I mean, maybe you can speak on that. Like, what do you think it would be, just from cleanup or going to backups or finding that or hitting the reset?

Speaker 1:

Oh, yeah, I mean, that is, I mean we're talking about hundreds of thousands of dollars to get a dealership back up and running after a catastrophic event like that. And it's a lot like the FRAM guy. It's like, pay me now or pay me later, you know, yeah. And, like, somebody was talking about, um, you know, the horse eating the oats. It's like, you want the oats that, you know, the oats that have been through the horse are a lot cheaper, yeah. Like, yeah, it's kind of, it's that scenario, right?

Speaker 1:

It's like you want to be in a scenario where you're protecting, you're doing the best effort that you can to be able to protect your organization, and that is unfortunately a new cost that comes to the dealership. But you don't want to be after the, what do they call it? Right of the boom.

Speaker 1:

You don't want to be right of the boom because you're picking up the pieces of your organization. I've seen dealerships that have gotten hit with that and then they do a buy-sell because it's unrecoverable. They're selling the dealership, they're getting out of the business.

Speaker 2:

Their 100-year legacy family business is destroyed by this lack of strategy. Okay, well, let's flip that. That's so funny you should say that. Remember what we said before. Now you're the guy buying. Yeah, well, you're buying, you're getting a great price. You may be, you're seeing the numbers, but it's because you are going to pick up that damage, and you may not know that, and those things may not be discoverable if you don't have. So a lot of times we're brought in during a buy-sell, you know, to verify that. Hey, what is just their cyber hygiene? How are they looking? Is everything on the up and up? And the good news is, when you do that, you can do it relatively quickly. It doesn't have to take, it doesn't have to hold off the deal or anything, but man, during that due diligence. I mean, that's a great example of that.

Speaker 2:

It's tough, it's tough.

Speaker 1:

So, you know, for an organization that, let's say, you know, somebody is afraid of having this conversation, what do you think are the steps that they can start with, little by little, just kind of understanding this and finding the right company to partner with? You know, what's that process look like? Because I know it from my IT perspective, right, I'm like, I become friends with guys like you. You have my back, you look at my, you know, you check my stuff, right.

Speaker 1:

So it's not the fox guarding the henhouse, right. Absolutely. I come from a QA background. I want guys that, you know, have your type of pedigree that are making sure that I'm doing stuff right. But how do you have, because that's, you know, to me the cybersecurity side is the part that is, you know, locking everything up.

Speaker 1:

But first you have to have doors, right. You have to have doors and windows and not holes in the wall, right. It's like everybody's an admin and they're using Mickey Mouse, you know, email, or they're using whatever, and there's no domain. There's just kind of a hodgepodge and, you know, people can walk off with the data, they can put it on USB drives, whatever, like just, you know, kind of the typical disaster. That's what you're walking into at a dealership. How do you approach that? Somebody that's so far from being FTC compliant. What do you recommend for somebody that's like that?

Speaker 2:

Yeah, I think one thing is what your listeners are doing here. They're listening, right. You have to educate yourself. If I go to buy a car, I don't go, you know, I go to an expert to buy a car. I go to a trusted source to buy a car, right, if I'm doing it properly, in my opinion. Right, I hire a CPA to do my taxes. I am not a guy to do my own taxes, right, I mean, that is not what I do. And so I think, you know, for your listeners out there, just kind of getting this type of information is a good start.

Speaker 2:

We work with clients all the time, or customers that are, you know, first coming on and interested in it. You know, there's lots of information out there to read on, but I will warn you, it gets very exhausting really quick. There are so many different threats and you're like, hey, I want to find a trusted source in my... Well, I care about dealerships, right, let's just talk about dealerships. I don't really care what Russia did to, you know, Ukraine today, right, or what cyber attacks have happened. So I do think reaching out to trusted sources is the first step, right, listening to those things, starting to understand where it is and maybe reading the FTC requirements yourself. Many folks, and I've given several briefings, I think they're still up on NADA. In fact I'm pretty sure the crew out there, because they were great, they're still up there. You can just hear those webinars that I did and I'm sure others have too, and then talk through that and really understand it, and that way you know the right questions to ask when you're interviewing a possible partner. You know, to take on this, what the liability would be. Ask these hard questions, because a good partner in this space should be able to answer it. Or I always find acceptable to go, hey, I've got a guy or a gal on the team that I can bring in to do that. But it's education and, you know, reach out to us.

Speaker 2:

We have a blog on our page too, where we're just posting a new thing about the cloud and how everyone thinks that the cloud is so secure because it's in the cloud. And, frankly, there was a 20% increase. This is a Harvard Business Journal article: there was a 20% increase in cyber attacks last year and there were three main reasons, and we've been writing on those three, and one of them is the cloud. And so people would ask, well, wait a second, wait, wait, wait, wait. I thought the cloud fixed all my problems, because it's the cloud. And the reality of it is it's not configured correctly. It's not. These are why we still do penetration. There are humans that are setting these things up and these environments are all different. That's why you have XDR.

Speaker 1:

Yes, exactly right.

Speaker 2:

So AI and where that fits, et cetera. Now, I know your folks out there probably don't need to be, or want to be, experts in cybersecurity. I understand that. But have a trusted partner, have people that are reputable. Certifications make a difference, experience makes a difference, pedigree makes a difference, yeah.

Speaker 1:

So, Justin, how do people get in contact with you? I want to make sure that, you know, people, if they have questions, if they want to, you know, further explore becoming more secure as an organization, how do they get a hold of you?

Speaker 2:

Yeah, our website is www.blackbreach.com, B-L-A-C-K-B-R-E-A-C-H dot com. You can go on there and get that. But if you want to get a hold of me, I feel fine giving out my email. It's jshanken, S-H-A-N-K-E-N, at blackbreach.com, so if you send stuff to me, I may send it to others. You know, I'm not answering everything myself. I've been pretty busy lately. But we would love to, you know, communicate with you.

Speaker 2:

If you're saying, hey, can you even review what we're currently doing? We have lots of options, and I think the misnomers for us is, one, they look at us and our backgrounds and go, oh, they must be super expensive. No, it scales to you. It scales, it's by endpoints, right. If you're this size, then it's this price. If you're that much bigger, then it's that much more, which I think is reputable. The other thing, too, is that I think a lot of folks are wanting to kind of sit down and go, hey, what are we doing? Does this make sense? What's our return on investment? But I think our biggest thing is not only the liability, which we've talked about so much, but we take it off your hands. We fill out these things for you. I'll give you a great example. The lowest level is training, right? Well, we get all the emails from your folks, set up the training, do the training, send it out to them, make sure it's done. If it's not done, we tattle and go.

Speaker 2:

Hey, you know how much time that takes the average person that's trying to do that? Like, I think some of those simplest things go under the radar of, like, well, such and such can handle that. Or I can pick that up as an extracurricular. And after a year, now we're starting to see the folks that took that first approach and said, we're not. Just you do it all, right.

Speaker 1:

Yes, yes, take this off my plate. Yeah, take it off my plate.

Speaker 2:

Yeah, make it happen, absolutely.

Speaker 1:

Yeah, but Justin, this has been great, man. I'm really looking forward to doing this again. Thank you for coming down. I really appreciate it. I think our listeners are going to gain a lot of information from this podcast, especially coming from somebody with your background. Yeah, so I really appreciate you coming down, man.

Speaker 2:

Yeah, no, this was great, super easy. Anytime I'm in Miami. You can't argue that, right? Yeah, and I really appreciate you having me. It's humbling. Thanks, man. Yeah, appreciate it.

Cybersecurity in Automotive Industry
Penetration Testing and Cybersecurity Safeguards
Cybersecurity Risks in M&A Transactions
Collaboration in Cybersecurity Industry
Cybersecurity Challenges and Human Targets
Cybersecurity Challenges in the Dealership Industry
Cybersecurity Costs in Dealerships
Streamlining Training and Liability Management