In this episode, Managing Partner of XPAN Law Partners, Rebecca Rakoski, and Senior Account Manager at Contango IT, Schellie Percudani, talk about cybersecurity, especially for small businesses.
Today, Rebecca and Schellie talk about business privacy and security practices, cost-effective steps that you can take to protect your business, and the importance of cybersecurity insurance. Why do small businesses have to worry about cybersecurity?
Hear about ransomware attacks and how to react to them, data privacy laws and how they impact your business, and the value of hiring lawyers, all on today’s episode of The Healthy, Wealthy & Smart Podcast.
More About Schellie Percudani
Schellie is a Senior Account Manager at Contango IT, located in Midtown Manhattan. With 75 people, Contango IT serves its clients through four key areas of technology.
IT Service/Support - We offer unlimited onsite and remote support for all covered users and devices with up to 60-90 second response time. In that same fixed monthly price, we also include asset management, budgeting breakdowns, disaster recovery planning, compliance requirement review and planning, technology road mapping, and a lot more.
IT Infrastructure / Cabling - Moving offices? Contango IT handles the technology side of the move through Cabling and IT setup.
Cybersecurity - 45 people strictly in cybersecurity keep Contango IT on top of the biggest buzz in technology. Risk? Compliance? Reach out; we are looking to help in any way possible, even if it is just a second opinion or advice.
Custom Programming - Front-end or back-end development, Android, iOS, web-based and much more. Winners of the Microsoft Best Use of Technology Award and the NYU Stern New Venture Competition.
Any technology questions? Reach out! With hundreds of clients across four services, Contango IT has seen it before.
More About Rebecca Rakoski
Rebecca L. Rakoski is the managing partner at XPAN Law Partners. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions.
As an experienced litigator, Rebecca has handled hundreds of matters in state and federal courts. Rebecca skillfully manages the intersection of state, federal, and international regulations that affect the transfer, storage, and collection of data to aggressively mitigate her clients' litigation risks.
Rebecca is on the Board of Governors for Temple University Health Systems, and an adjunct professor at Drexel University’s Thomas R. Kline School of Law and Rowan University.
To learn more, follow Schellie and Rebecca at:
LinkedIn: Schellie Percudani
Read the Full Transcript Here:
Hello, Rebecca and Schellie, welcome to the podcast. I'm very excited to have you on to talk all about cybersecurity. So welcome, welcome.
Thank you for having us.
Yes, thank you.
And so this cybersecurity, for me as a small business owner, is brand new to me. Although it probably shouldn't be, it is, but that's why we're talking about it today. But before we get into it, can you guys give a little bit more detail about yourselves and what you do, so the listeners understand why I'm talking to you today?
So I'm Rebecca Rakoski, I'm a co-founder and managing partner of XPAN Law Partners. We're a boutique cybersecurity and domestic and international data privacy law firm, which is a really fancy way of saying we help organizations with their cybersecurity and data privacy needs, right? I have been a practicing attorney for almost four years. I hate to admit that sometimes, I'm like, I'm dating myself. But what's great is we really help businesses, small startups, all the way to big multinational corporations, because right now, it's really a brave new world that we're facing today. And businesses are getting attacked literally from all different sides. And so we started XPAN to really help businesses understand what their legal obligations are and what their legal liabilities are. And I tell my clients, my job is to avoid those problems for you, or do my best, or put you in the best position to address them if and when it becomes an issue. So that's
what I do in a nutshell. Great, thanks. Schellie, how about you?
Yes, my name is Schellie Percudani, I am an account manager with Contango IT, and we help businesses and organizations, if I could speak, we help them manage their day-to-day IT to help build a strong security posture. We also help them with cybersecurity; we have 45 people strictly in cybersecurity, we have 25 penetration testers, eight ethical hackers. So we have a strong, you know, posture to help businesses build a posture so that at the end, I wouldn't say that they're not going to be attacked, but they are prepared for anything that could happen. And so we help them with that. Got it.
Well, thank you both for being here to talk about this, because we are seeing more and more things in the news lately about ransomware and cyber attacks. And oftentimes we think of that as only happening to the big businesses, right? So why should small businesses, and a lot of listeners to this podcast are entrepreneurs or small business owners, why should we have to worry about this?
So, you know, from a legal perspective, obviously, anybody who's ever come into contact with the legal system knows it's not just for large businesses. So from a legal perspective, you're going to be subjected to liability from the people whose information you're collecting, call them data subjects. You're going to have contractual obligations with your vendors and third parties that you use and share data with. So put that aside for a moment; then you also have, small businesses have a reputation. And in the small business community, I am myself a small business, I'm a small law firm. And, you know, your reputation is everything. And so part of your reputation nowadays is how you're handling security and privacy, what you are doing with the data. And so it's really important for small businesses to realize it's not just the big guys; we hear about them in the news, the Colonial Pipelines and the JBS Foods and the Equifaxes of the world. What you don't know is that every single day, law firms like mine are getting a call from small businesses going, help, we just clicked on a bad link, we just got ransomware, what do we do? And that happens all the time. You hear about the big guys, but it's the little guys that are really, you know, bearing the brunt of it, I think.
Now, I would agree. And what we all have in common between the small businesses and the large businesses is we're all human. And like Rebecca said, it's human error. Somebody clicked on an email, and they didn't know, you know, they weren't trained: hey, this is a spoofing and phishing email, this is what they look like, this is what you need to look for. And so that's where we come in. We're all human and we all make mistakes. It's just, you know, this is what to look out for.
Got it. And so what are some of the issues facing businesses today, when it comes to cybersecurity?
Well, ransomware is obviously one of the biggest issues, right. And for your listeners who don't know what ransomware is, what happens is somebody clicks on a bad link, downloads the bad, you know, attachment to a file, and the ransomware is downloaded to the system. Depending on how sophisticated the hackers are, they can either deploy it immediately, which means they start to encrypt your files, or it can be that they sit in there and wait for, oh, I don't know, the most inopportune moment that your business has, and then they deploy the ransomware. I've had clients where they deploy ransomware, or they first delete backups before they deploy the ransomware, to really add insult to injury there. So that's one of the big things, and then your entire system gets encrypted and you can't unencrypt it without the encryption key, which you then have to pay for, the ransom part of it. And, you know, we hear about the big ransoms, again, the 4.4 million from Colonial, the 11 million from JBS. But you know, I was speaking with a colleague the other day, and a law firm got ransomware for $50,000. Now, that's a lot to a small business, it's a lot to any business, but they try to make it, it's almost like it's commensurate with what they think that they can afford and pay, so that they'll pay, because they want you to pay the ransom. So I think that's probably the
number one. I would say so too. And then now you're on their list, because you've paid your
ransom. Wow, they paid.
From now on you're on a list of this hacker, like, well, you know, it was easy to get in before. Yeah. So let's see how we can get in again.
Right? Oh, my goodness. Hang on, and you know, Rebecca's right.
And that's where, you know, also patching and monitoring your systems, having a good strong IT posture, is important. Because they see that stuff, they see little inklings of, oh, well, something's going on here, somebody's trying to get in, you know, so they can see that. And you know, you're only as good as your last backup, and where is your backup being stored? And, you know, is that in a secure location? Because if not, guess what? It doesn't matter, because your information is gone.
Oh, my gosh, yeah, that makes so much more sense now, even just explaining what ransomware is. I didn't realize, so they hold the encryption key ransom, and that's what you're paying for.
Correct, in order to get your data back, you have to pay to get the encryption key. And people think, well, okay, so I'll pay the ransom and I'll get the encryption key. And it's like, like magic? Yeah. You do, to some extent, although there used to be honor amongst thieves; it's not always the case anymore. No. But the other thing to keep in mind is encryption is not perfect, so you're not going to get it back exactly the way it was before. And a lot of laws have been changed now, so the fact that you were ransomwared is in and of itself a reportable event for a data breach. So that's another aspect to it. I mean, we're talking more about the technical aspects with the ransomware, but this is the other part where, you know, I always say ransomware is like three explosions. The first one: oh, my God, my computer has exploded, what do I do? And then the second one, which is how are we going to, you know, get back up and running. And then the third is really the legal liability that flows from it and holding it together.
Also, too, I mean, Rebecca, are you finding that now, too, they're not only holding it, they're selling the data? Yeah. So they've stolen the data, copied it, they're giving you back access to it, but now they're gonna sell it?
Yes. So what it comes down to is, yes,
there's a lot to do at that point, too. Now you've got to tell your clients, hey, I've been
hacked. And that's where that whole reputation part comes in, you know, where these are people who are entrusting information to you, data. You know, I mean, as a law firm, we obviously hold our clients' data. But, you know, if you're a business, you could be holding personal information of your clients and business partners. You could be holding sensitive data on your employees, social security, financial information, information about their beneficiaries, which could be kids and things like that. So it really is a problem that just expands exponentially. It's a rabbit, well, I guess you're falling down that rabbit hole for a while.
You're like Alice in Wonderland.
Right? Oh, my gosh. Well, now you mentioned, Rebecca, about laws. Could you talk a little bit more about certain data privacy laws and how that works? And if you're a small business, what does that mean?
Sure. So there are two sets of laws that businesses need to really be concerned about, right. So one of them are your data breach notification laws, which won't really be triggered unless and until there is a data breach; there are 50 states, there are 50 different laws, it's super fun for businesses who have to deal with this. Then you have data privacy laws, and because nobody can seem to get their act together to come up with a federal law, we are stuck with, again, a patchwork of laws. So different states have passed different laws, and that is in and around a data subject's rights about the data that's being collected from them. So for example, California has a law, Virginia passed a law, Colorado passed a law recently, I know there's a proposed one in New Jersey, in New York, Pennsylvania, Texas. So you name the state, and it's probably considering one; Washington State has made several passes at a data privacy law. And what's interesting about these privacy laws is there's usually a threshold; sometimes small businesses will meet that threshold, but you need to understand that, and it's all about the data that you're collecting. So the data you're collecting is going to trigger or not trigger requirements under some of these laws. That same data is the attractive nuisance, if you will, to the hacker; they want it. So, you know, I always say you can't have privacy without security. So they really do go hand in glove.
What would be, if you know this off the top of your head, an example of a data privacy law from one of those states that has them on the books? Like, what would be an example?
So California has the California Consumer Privacy Act, the CCPA, which was amended in November, when the good citizens of California had a ballot initiative to pass the California Privacy Rights Act, or the CPRA. And so in and around that you have different rights: the right to deletion, the right to correction, or the right to erasure, you know, the right to be forgotten is what it's commonly known as, are just some of the rights that you're entitled to. And so businesses that fall within the purview of the CCPA, which is in effect right now, and the CPRA, which will go into effect in 2023. And so if you are a data subject, and the business is under those laws, you can, you know, say to them, hey, I want to know what you're doing with my data, hey, I need you to correct or delete my data. And the business has a set statutory period of time to respond to that data subject access request. It's about transparency. So anybody who saw all those updated privacy policies online, that's all driven by privacy laws; there's one in Europe called the GDPR, the General Data Protection Regulation. And it really is in and around transparency and data collection, storage and sharing practices. So that's, I could go much deeper, but I don't want to put anyone to sleep as I talk about laws.
I think that's really helpful, just so that people get an idea, like, well, I don't even know what that is, you know. And if you're a small business owner, you've got a million other things on your plate, because you probably don't have a dedicated IT department, you don't have a dedicated cybersecurity department; oftentimes you're a solopreneur, or maybe you have less than 10 employees, you know, so all of a sudden, all of this stuff has to come on to somebody. So I think just getting an awareness out there that it exists is really important, so that you can maybe look it up in your own individual state.
Exactly. You definitely, what Rebecca said is absolutely correct. There are people that do that, they try to manipulate it and do it themselves. What they don't realize is, once you're hacked, it's not just, oh no, they've got my information, now I have to pay this ransomware. But guess what, if you weren't following those privacy acts, you're also gonna get fined on that data too. So you definitely don't want to be fudging any kind of information. You definitely want transparency.
Yeah. So hire a lawyer. I'm a big fan of lawyers. I hire lawyers for everything, because I'm not a lawyer, I don't know how to do any of it, and I want to make sure that I am protected. So I 100% get it. Now, what? So we're talking about the pitfalls of what could happen if you have a breach, or issues facing businesses. So what can businesses do to help with cybersecurity? What are some things we can have in place to give us some protection and peace of mind?
Well, I would like to answer that. This is Schellie. I'm someone who's there for simple and very effective basics that you could do as a business owner, and they're very cost effective. In fact, you know, you already have some of them in hand, as far as, like, Microsoft Office 365: all you have to do is enable your multi-factor authentication, that's a huge one. It's like leaving your light on in your house if you're going out to dinner; they're gonna move on to the next house, because you have that layer of protection. And then, you know, security awareness training, educating your employees, educating yourself on what a lot of spoofing and phishing emails look like, that's huge, you know, it makes them aware. And that also, you know, it shows your employees that you're protecting them, you're protecting your clients, you know, it shows stability. And then also, you know, monitoring and patching your systems, you know, making sure that someone has an eye on what's going on, looking for those little ticks that someone may be trying to get into your system, because a lot of people have websites, and you can tell by, is your website going slower? That's usually a sign that someone might be trying to hack into your system. You know, so it's little things like that. And then also, you know, software and hardware encryption, that's a huge one. A lot of people, I know we have all our devices, it's our fingerprint or face that opens it. But if your hardware is not encrypted, they could just steal your laptop, pull out the hard drive, plug it in somewhere else, and guess what, the data is theirs. And it's just the simple things that can help a business.
Yeah, so to recap: the multi-factor identification, that I get, and I do security awareness training, what do these emails look like, what not to click on; monitoring and patching systems. So when you say patching systems, what exactly does that mean?
Well, that's where someone is patching in and they're, you know, they're making sure that your system is secure, and it's going somewhere in that secure, like, firewall, everything like that. So that is exactly
the basic there. There are systems, so for example, the Equifax data breach was a vulnerability in an Apache Struts operating system. And when they found this vulnerability, it was a problem. People write code, people make mistakes, you need to fix it. Once they discovered the problem, they were like, oh, you need to apply this patch. It basically fixes the code. Well, if you don't apply the patch, if you don't have somebody who can help you do that, you're leaving your back door
open. Or even, yeah, or even like software, it needs to be updated. So they're patching and updating, they're constantly monitoring, updating any software. So, like, have you ever had where your phone doesn't work because you haven't upgraded your system? Well, that's kind of like it is for monitoring and patching. They make sure that everything is up to date, everything is to code.
Right, because if you're not patching and updating, like Schellie said, you can actually leave a hole. Yeah, and it's a lot easier for them to get in, because that system isn't being supported anymore by the Microsofts or the Googles, because they've moved on. You've got to move on with them. Otherwise, you're gonna have a problem.
Got it. Got it. Okay, that makes a lot more sense.
They could do that themselves, like, oh, I can do this, I can do this. But as they're growing their business, they don't have time to focus on that. And that's how little cracks happen.
Got it. Okay, that makes a lot of sense. And number four was making sure that your software and your hardware were encrypted, right? And does that, I mean, this might be a stupid question, but does it come that way?
No, that's not a stupid question. I mean, a lot of us think that because, you know, I mean, we're on a computer right now, and if I shut it and locked it, then opened it again, I could put my finger on it and it would open; I wouldn't have to type my password in. But if my hard drive wasn't encrypted, it wouldn't have that same protection on it, where someone could steal it and then just pull out the hard drive, because these people are very talented, and plug in the hard drive. So you need to make sure that your hard drive has that same protection, with your fingerprint or code, so that if they were to plug it in somewhere else, they're gonna have to know that code, because it's not going to work.
Keep in mind, too, that encryption, like we're always talking about, is, in most jurisdictions, if you have an encrypted hard drive, even if they get it, they can't access it; it's not a data breach. So I like to say encryption is your get-out-of-jail-free card in most jurisdictions, okay. There are 50 of them, there's a lot, but in most of them, that's your get-out-of-jail-free card. So it's one of the biggest; that and multi-factor, I guess, are probably the two biggest bang for your buck. There they are. And how do you
know if your software and hardware is encrypted? Again, perhaps another silly question, but I just don't know.
So first of all, I don't encrypt my own hard drive. I know a lot about technology, but, you know, I don't go to my dentist for brain surgery. I go to professionals, IT professionals, like Schellie's company, and I say, here, encrypt my hard drive, and they take care of it for you. So having that is really important.
Right. Yeah, I see. And does that literally mean you hand your computer over to someone and say, encrypt my hard drive? Not necessarily. No, no, okay.
No, no, no, a lot of times, what, you know, like our techs can do, they can come in, they can work remotely, and, you know, just like when we monitor and patch, they do it remotely. You know, you don't even know what's going on. And it shouldn't interrupt your day, it shouldn't wreck your workflow. It should be seamless. And usually, you know, our techs are very, you know, highly educated. I love techs, I always think, oh my gosh, what they do is so cool, because they can just fix everything, and they just go in and they're magicians.
Got it. Got it. Okay, that's how it should be.
I mean, a lot of times, and this is true too, I think, Rebecca, a lot of rules now are making sure that you actually have a credible IT team, because if you don't, you can now get fined. Or
Yeah, there are different laws where, if you're not doing the things you're supposed to be doing, if you're not monitoring, if you don't have your asset management, those kinds of things. I mean, one of the classic examples of that is HIPAA. Now they don't say you have to have an IT team, but they do say you have to encrypt your, you know, encryption, or they say you have to monitor your devices. And let's face facts, I don't want to be monitoring my devices, I want my IT guys or gals to be monitoring my devices, I want to be practicing law. So that's the beauty of it, it's, as Schellie says, it's running seamlessly in the background, and you're doing what you should be doing, which is running
your business. Got it. All right. Now let's move on to, so let's say you have all of this in place. You've done your basics for cybersecurity. Do you have to have cybersecurity insurance? Or can you just say, well, I did all this, so what do I need the insurance for? No,
that's like driving around without your seatbelt on. Like, you know, I frequently want to ram the car in front of me, but I don't do that. So, cyber insurance. I will tell you this: when I started my own law firm, the first thing I bought was malpractice insurance. The second thing I bought was cyber liability, a separate standalone cyber liability policy. They are getting more expensive, but for a small business, depending on the data you're collecting, they can be very reasonable. But I sleep at night because I know that if something goes horribly wrong, it's there. All of the things you're doing, all the good cyber practices that Schellie and I have been talking about, that just means they're going to cover you when the stuff hits the fan. Because if you're not doing all of that, you've probably told, they've sent you a questionnaire with your cyber liability policy and you filled it out, and you're like, oh, do I have multi-factor authentication? Oh, sure. I encrypt my hard drive. If you lie to them, they don't cover you. But if you're doing all these good cyber practices and you have insurance, it's, you know, with every single one of my clients, the first thing I ask: where is your data? What is it doing? Where is your cyber liability policy? Those are the
those are the big three. Yeah. Okay. To help you, too, because how are you going to get that money out? Right, how do you get that money back? How do you recoup your business? I mean, $50,000 is a lot. Oh yeah. And you know, you're a small business, and yeah, you could take a hit, you can take a loan, but wouldn't it be better if somebody covered it for you? It's kind of like, you get in a car accident, you know, it's like that rental car while your car is getting fixed. You would like to get a new car, that new car smell.
Yeah, cyber liability insurance is absolutely critical for small business. This statistic might be a little bit old, but I will pull it out anyway, just as an example: 60% of small businesses will go out of business within six months of a data breach without liability insurance. So I know that statistic has gone up; it's a little stale, but I think that's about a year old, and every year they put out new stats, I just haven't brushed up on my statistics today. But
Well, that is true, because as many business owners as I talk to in everything, you would not believe how many of them, I've had friends that had successful businesses and everything was going great. They got hacked, and they just couldn't recoup the money that they needed. It breaks my heart, because they never thought it would happen to them, because they weren't trading money, they weren't doing anything like that. It was just common goods, like e-commerce, that they were just like, yeah, and then something happened.
I mean, I get a call at least once a week from a crying business person, literally in tears: I don't know what am I going to do? I have a little bit of a policy or something, it's like a rider on my general liability policy, but now it's going out, because it runs out like that, so quick, and they're like, now what do I do? I don't have an answer for them. They're gonna have to, you know, they have to pay for it out of pocket. A lot of them can't. It is really heartbreaking.
Yeah. Oh my goodness. Well, so, you know, we talked about some issues facing businesses today, basics for cybersecurity, the need for cybersecurity liability, which I am in the process of getting after speaking with Schellie a couple of weeks ago, so I'm there, I'm doing it, I'm in. You don't have to tell me twice when it comes to important insurances, I will get it. So is there anything else that you guys wanted to let the listeners know when it comes to cybersecurity for their businesses?
Um, I think the first thing that businesses need to do is take a proactive posture. So doing the technical things that Schellie's talking about, shoring up some of their legal obligations, like I'm talking about, with, you know, appropriate privacy policies, contract language and things like that. The other thing is, they have to also be aware of their vendors, which I think is another big issue facing organizations; if you look at data breaches, it's not caused by an employee in the company, it's caused by an employee at one of their vendors. And so, you know, it's a big issue, and so I would say that for all small businesses, all of the technical aspects, and then make sure your legal, you put yourself in a legally defensible position, because unfortunately, these things are going to happen. And you want to make sure that you not just survive but thrive after an event like this.
Yeah, and I agree with Rebecca, those are the key things that you need to do as a business owner, but it's also helping yourself to educate and grow your business, and I know at times it can be scary, because, like, oh my goodness, I've got to talk to a lawyer, that's more money. Oh, I've got to have someone, you know, an outsourced IT person, when I've had my cousin, he knows computers, he knows everything, you know, everything's going. But if you're looking to move your business to that next level, and you're looking to flourish, you really, just like anything else, you need to make sure you understand and you are doing what is required of you to do to help your business flourish.
Got it. Well, this was great. I mean, hopefully people listening to this, it will set a match under them to get them to really take a look at this in their business, because, like you said, when you're a small business owner you've got a million things going on. But this is super important, and I think something that people really need to focus on, so I thank you for bringing this topic to me, Schellie, and for bringing Rebecca on, because I think this is really great, and I do hope that all the listeners out there will now start to take a better look at their businesses: are they protected, do they have the right things in place? So thank you, thank you. Now where can people find you if they have questions? If, God forbid, they have a breach and they need a lawyer, or they need someone to help do an IT assessment of their business, where can people find you? So
I obviously have a website, xpanlawpartners.com. Also you can follow us on Twitter and on LinkedIn; please connect, you can connect with me personally and my business. We put out, for small businesses out there who have a lot of questions, we are constantly pushing out different topics, raising issues, bringing attention to different ones, so please, XPAN Law Partners, connect with us and hopefully we will provide you with some of that information that Schellie was talking about.
Excellent. Schellie, go ahead.
You can reach me at contangoit.com, that is our website. You can also LinkedIn with me; you know, I love to meet new people, and I always like to offer any kind of advice or second opinions I can help with. If there's anyone I can point you in the direction of to, you know, help your business, I would love to do that.
Excellent. Schellie is a great super connector, for sure. So definitely reach out to them. Now, ladies, one last question, and I ask everyone this: knowing where you are now in your life and in your career, what advice would you give to your younger self?
See, somebody asked me this; I'm gonna have to steal from my prior answer, which was start my law firm earlier. I wish I had done it earlier. I cherish the time I spent at a large law firm, but I love what I do now. I love helping businesses, so this, I would do it earlier. So amazing. I would become an ethical hacker. Love that. I want to change my answer. That's a great answer. I love it.
I love it. Well, ladies, thank you so much for coming on the podcast and sharing all this vitally important information. I do appreciate it. Thank you so much for having us. Pleasure. And everyone, thank you for listening. Reach out to these ladies if you are a small business, because you may need some cyber help. Thank you for listening, have a great couple of days, and stay healthy, wealthy and smart.