WEBVTT - Cyberattacks Are a Growing Restaurant Concern 0:00:20.079 --> 0:00:22.840 Welcome to Chopping It Up. I'm your host, Mike Haleon, 0:00:22.880 --> 0:00:26.320 the senior restaurant and food Service analyst at Bloomberg Intelligence. 0:00:27.000 --> 0:00:29.440 I've got a great guest today. I'd like to introduce 0:00:29.480 --> 0:00:34.040 Deborah Nika, Senior manager of Cybersecurity and Privacy. She's also 0:00:34.080 --> 0:00:37.720 the privacy services leader at Cone Resnik and she's also 0:00:38.000 --> 0:00:41.720 been named Top twenty five women in Food Service and Hospitality. 0:00:41.760 --> 0:00:42.600 Thanks for doing this. 0:00:42.520 --> 0:00:45.040 Deborah, Thank you so much for having me on. Excited. 0:00:45.240 --> 0:00:47.839 Yeah, this is this is cool because this is a 0:00:47.960 --> 0:00:52.000 topic that's, you know, become increasingly important. You know, I'm 0:00:52.040 --> 0:00:55.880 old enough to remember when investors didn't really care so much. 0:00:57.800 --> 0:01:00.640 You know, I remember trading stocks in the early two 0:01:00.640 --> 0:01:03.920 thousands and Target or Walmart and somebody would have a 0:01:03.960 --> 0:01:07.440 security breach and you know, the stock would trade down 0:01:07.480 --> 0:01:09.440 for about five minutes and then I would go back 0:01:09.480 --> 0:01:12.560 higher than when it was traded prior to the news, 0:01:13.080 --> 0:01:15.480 and it was just kind of people thought it was 0:01:15.880 --> 0:01:18.080 a cost of doing business. But things have changed a 0:01:18.120 --> 0:01:20.759 lot over the last two decades. 0:01:21.600 --> 0:01:24.640 Yeah, I mean, you know, it's we're not living in 0:01:24.640 --> 0:01:28.160 that world anymore. Unfortunately, we live in in a economy 0:01:28.200 --> 0:01:31.040 where a breach is no longer blip on the radar. 0:01:32.319 --> 0:01:36.240 A cybersecurity or privacy incident is you know, tip of 0:01:36.280 --> 0:01:39.400 the iceberg, and everything that comes, you know, under the 0:01:39.480 --> 0:01:42.720 water that you don't see is you know, loss of 0:01:42.720 --> 0:01:46.400 investor confidence, loss of consumer confidence. And it really is 0:01:47.240 --> 0:01:49.960 not a fun place to be having to crawl back 0:01:50.080 --> 0:01:54.760 up and refresh your brand image and capability. 0:01:55.760 --> 0:01:58.160 Yeah that's great, and so can you I guess before 0:01:58.240 --> 0:02:00.800 we really dig in here, can you please tell the 0:02:00.840 --> 0:02:03.880 listeners a little bit about your background and the cybersecurity 0:02:03.920 --> 0:02:05.200 practice at Cohen Resnik. 0:02:05.760 --> 0:02:09.760 Yeah, so I am. I am a self you know, 0:02:09.919 --> 0:02:13.600 I am a data geek. I am so excited about information, 0:02:14.040 --> 0:02:16.480 and you know, spend the very early years of my 0:02:16.600 --> 0:02:21.360 career decades ago, wanting to be an academic librarian. I was, 0:02:21.520 --> 0:02:24.280 I was really going down the path of like I 0:02:24.320 --> 0:02:27.200 want to sit in a crusty old library and just 0:02:27.440 --> 0:02:30.320 like go through archives and books all day every day. 0:02:31.320 --> 0:02:33.560 And living in New York City, you really quickly learn 0:02:33.760 --> 0:02:38.080 like that's not sustainable. Like I could be a librarian 0:02:38.080 --> 0:02:41.079 and eat beans, or I could like take this knowledge 0:02:41.480 --> 0:02:45.240 that I've built up and figure out how to you know, pivot. 0:02:45.280 --> 0:02:49.120 We love that word pivot right, pivot into the corporate space, 0:02:49.680 --> 0:02:52.519 and it was the earlier days of what today we 0:02:52.639 --> 0:02:57.040 known as big data and really the early start of 0:02:57.240 --> 0:03:01.520 companies figuring out, hey, we have all this information and 0:03:01.680 --> 0:03:05.000 how do we use that information to make data informed decisions? Right? 0:03:05.880 --> 0:03:08.120 Gone are the days where an executive licked their finger 0:03:08.160 --> 0:03:09.679 and like put it up in the air and to 0:03:09.720 --> 0:03:12.960 figure out which way the wind was blowing on a deal. Right. 0:03:13.880 --> 0:03:16.880 So my career has really followed that data life cycle, Right, 0:03:16.880 --> 0:03:19.440 how do we collect information, how do we curate information, 0:03:19.720 --> 0:03:23.240 how do we use information and flow it through our 0:03:23.280 --> 0:03:27.079 technology systems? How do we use that information to make 0:03:27.200 --> 0:03:31.960 data informed data informed decisions? And then, you know, ultimately, 0:03:32.000 --> 0:03:36.160 after a what I'll call a big Brother moment mid career, 0:03:36.680 --> 0:03:38.440 I was like, hey, we've got to really do more 0:03:38.480 --> 0:03:41.920 about protecting the data, right and protecting the people that 0:03:42.000 --> 0:03:45.960 are ultimately the ones that are impacted in that you know, 0:03:46.480 --> 0:03:49.160 by that data. So four years ago, I mean it 0:03:49.280 --> 0:03:51.760 started way earlier, but four years ago had the great 0:03:51.760 --> 0:03:55.760 privilege of coming over to Cohen Resnik part of their cybersecurity, tech, 0:03:55.800 --> 0:03:59.960 risk and privacy practice and our you know, our mission 0:04:00.080 --> 0:04:03.680 in market if you will is to help companies understand 0:04:03.840 --> 0:04:07.240 that cyber and privacy don't need to be scary, if 0:04:07.240 --> 0:04:11.720 they don't need to be these unattainable only technology driven capabilities. 0:04:12.000 --> 0:04:15.080 But how do you use cybersecurity programs? How do you 0:04:15.240 --> 0:04:19.520 use competency around privacy, compliance and management to actually drive 0:04:19.680 --> 0:04:23.560 value in your business? Right? So if it's a transaction, right, 0:04:23.600 --> 0:04:26.000 how are you preparing your company to make sure you're 0:04:26.000 --> 0:04:29.120 getting great valuation? How do you make sure that you're 0:04:29.160 --> 0:04:34.440 prepared to answer the hard questions of the underwriters of 0:04:34.560 --> 0:04:37.000 how are your systems and how are your data secure? 0:04:37.760 --> 0:04:39.880 How are you running your business? How are you growing 0:04:39.920 --> 0:04:42.680 your business? How are you sustaining that growth? Cyber and 0:04:42.720 --> 0:04:46.640 privacy are front and center to that equation. But before 0:04:46.680 --> 0:04:49.359 we go any further, I think it's one of the 0:04:49.360 --> 0:04:51.560 places I really like to start and chatting about this 0:04:52.279 --> 0:04:57.080 is what is cybersecurity? What is privacy? Because when we 0:04:57.120 --> 0:05:00.560 say cybersecurity, I can guarantee you half more audience is 0:05:00.600 --> 0:05:03.000 going to think of a hacker sitting in a room 0:05:03.080 --> 0:05:07.960 somewhere at night, tugging red bulls in a dark hoodie, right, 0:05:08.960 --> 0:05:14.320 trying to crack code. And it's not that cybersecurity. There 0:05:14.320 --> 0:05:17.120 are three main tenants of cybersecurity that we call the 0:05:17.200 --> 0:05:22.719 CIA triad. Confidentiality, so information in your ecosystem is being 0:05:22.760 --> 0:05:28.680 maintained in a confidential manner. Integrity that the information in 0:05:28.720 --> 0:05:33.760 your systems can be relied upon. This is extremely important 0:05:33.800 --> 0:05:36.679 for public retreated companies, especially when you get into things 0:05:36.720 --> 0:05:40.560 like Starbine z Oxley, compliance and availability that your systems 0:05:40.600 --> 0:05:44.000 are available when you need them to be right. And 0:05:44.040 --> 0:05:48.160 then we layer on this wrapper of privacy, which historically 0:05:48.320 --> 0:05:52.120 legally has been defined as the right to be left alone. Right, 0:05:52.440 --> 0:05:55.840 But for companies that means you know, when, how and 0:05:55.880 --> 0:05:58.719 to what extent can you use the information that you've 0:05:58.760 --> 0:06:02.960 collected about your customer, about your population, about your consumers. 0:06:03.839 --> 0:06:05.800 So you know, love, I always love to lay that 0:06:05.839 --> 0:06:08.880 out because it really helps contextualize when it means, when 0:06:08.920 --> 0:06:11.560 it means bringing this into your business, How does this 0:06:11.600 --> 0:06:14.719 actually impact the decisions that you might be making about 0:06:14.760 --> 0:06:16.960 a new business line, a growth of business line, an 0:06:16.960 --> 0:06:22.040 investment in the technology, an investment in a membership rewards program, right, 0:06:22.839 --> 0:06:25.480 putting an app out there to let folks, you know, 0:06:25.680 --> 0:06:29.360 order ahead, So it makes an impact. 0:06:30.080 --> 0:06:33.400 Cool, and so you know, there's there's a few different 0:06:33.400 --> 0:06:35.840 types of cyber attacks. You know, I guess if you 0:06:35.839 --> 0:06:39.760 could talk about them a little bit and maybe what 0:06:39.760 --> 0:06:43.080 what customers should be particularly worried about right now. You know, 0:06:43.120 --> 0:06:46.240 I think I've read something recently about ransomware attacks being 0:06:46.360 --> 0:06:49.320 up over one hundred percent year over year, uh, and 0:06:49.360 --> 0:06:52.800 things of that nature. So I guess maybe the the 0:06:53.960 --> 0:06:56.760 you know, biggest issues are may depend on the size 0:06:56.800 --> 0:06:58.320 of the company, But if you can kind of give 0:06:58.400 --> 0:07:00.040 us some color on that would be. 0:07:01.680 --> 0:07:04.440 So. So ransom I would definitely say ransomware is what 0:07:04.480 --> 0:07:07.800 we're seeing get the most, the most news coverage, if 0:07:07.800 --> 0:07:11.760 you will. Right, So, ransomware in simplest terms, is your 0:07:11.800 --> 0:07:15.480 systems have become unavailable a threat actor. Right. It can 0:07:15.560 --> 0:07:18.600 be somebody who is out there for monetary you know, 0:07:19.120 --> 0:07:21.480 monetary gains. They just want to access your system to 0:07:21.560 --> 0:07:27.280 be able to get paid. That that that that ransom, Right. 0:07:27.320 --> 0:07:30.920 It could be political, right, It could be a activist 0:07:31.000 --> 0:07:34.520 that is not in agreement with something that you've said 0:07:34.600 --> 0:07:37.600 or put out there in the marketplace, which we see 0:07:37.640 --> 0:07:42.240 impacting right our our industry today. So somebody comes in 0:07:42.400 --> 0:07:45.920 takes over all of your systems, a system, a critical 0:07:45.960 --> 0:07:50.600 financial system. The point of access into your environment and 0:07:50.720 --> 0:07:53.360 doesn't let you doesn't let you back in until you've 0:07:53.400 --> 0:07:56.800 agreed to pay a fine, right, or a fee or 0:07:58.560 --> 0:08:01.720 some sort of cost value. The other thing we're seeing 0:08:01.760 --> 0:08:06.520 a lot, interestingly enough, is the theft of intellectual property. Right. 0:08:06.600 --> 0:08:10.679 So we live in a very fluid marketplace. Intellectual property 0:08:10.720 --> 0:08:15.280 theft doesn't really get that much airtime, but it is. 0:08:16.040 --> 0:08:21.120 It is especially especially important. I I worked with a 0:08:21.520 --> 0:08:25.120 company a few years back, and this was a transaction. 0:08:25.360 --> 0:08:27.880 So you know, we said, okay, what's your what's your 0:08:27.920 --> 0:08:30.240 crown jewel? Right, what are you the most afraid of 0:08:30.320 --> 0:08:33.280 would get exposed? And they're like, there's only one there's 0:08:33.280 --> 0:08:35.199 only one thing that we're worried about. I said, okay, 0:08:35.840 --> 0:08:39.760 what is it? And they go our recipes? Like, if 0:08:39.840 --> 0:08:44.640 our recipes walked out the door, we're out of business. 0:08:45.080 --> 0:08:47.840 There's absolutely no reason for us to continue getting up 0:08:47.840 --> 0:08:51.640 in the morning. Right. So, where we normally think of hey, 0:08:52.040 --> 0:08:54.840 hackers coming in, our threat threat actors coming in, they're 0:08:54.880 --> 0:08:58.640 taking over our financial systems, they're taking over our employee data, 0:08:58.679 --> 0:09:03.320 they're changing numbers in our finance system. So we're actually 0:09:03.360 --> 0:09:05.360 paying them when we think we're paying a vendor or 0:09:05.400 --> 0:09:08.679 our employee, right, this company was like, hey, if this 0:09:08.840 --> 0:09:10.760 recipe gets out the door, we're done. 0:09:11.080 --> 0:09:11.280 Yeah. 0:09:11.280 --> 0:09:13.400 It's literally their secret sauce. 0:09:13.600 --> 0:09:16.000 Literally, and you know, like I'm a native New Yorker, 0:09:16.120 --> 0:09:20.360 we're very, very you know, proud of our pizza industry. Right, 0:09:20.559 --> 0:09:23.760 generally speaking, can you imagine if your favorite pizza place 0:09:23.800 --> 0:09:26.080 all of a sudden had like a new dough recipe, 0:09:26.160 --> 0:09:29.040 new sauce recipe, like the whole nine yards, Like, I'm 0:09:29.080 --> 0:09:32.240 not going back there, yeah, right, And you can say 0:09:32.280 --> 0:09:36.079 the same thing up uphill right for larger industries, right, 0:09:36.120 --> 0:09:38.920 if you're gonna change something and all of a sudden 0:09:38.960 --> 0:09:41.640 you're like, hey, that's what we made money off of. 0:09:42.760 --> 0:09:44.400 First thing that came to my mind was the Kernel 0:09:44.440 --> 0:09:49.280 secret recipe. It's worth a lot, man, it's worth a lot. 0:09:50.080 --> 0:09:54.480 Oh yeah. So, in addition to restaurant companies, what other 0:09:54.520 --> 0:09:58.719 types of clients are seeking your help? Other industries, other 0:09:58.840 --> 0:10:01.079 verticals who seeking your help? 0:10:01.200 --> 0:10:06.479 Yep. So so where our team very proudly is industry agnostic. 0:10:06.960 --> 0:10:08.800 What I focus on day and day out is what 0:10:08.840 --> 0:10:14.200 I'll call the hospitality adjacent companies. Right, are manufacturing firms 0:10:14.200 --> 0:10:17.240 that are coming in and maybe you know producing producing 0:10:17.280 --> 0:10:22.920 items our consumer retail company. Real estate. Everybody always forgets 0:10:23.000 --> 0:10:27.040 that that real estate is a bigger market than just 0:10:27.160 --> 0:10:30.559 the you know, the industrial real estate side of things. 0:10:31.480 --> 0:10:34.160 A lot of noise being made, especially in states like 0:10:34.200 --> 0:10:37.080 Illinois on biometrics, Right, what does that mean for the 0:10:37.160 --> 0:10:40.760 smart building space? What does that mean for real estate 0:10:40.800 --> 0:10:44.600 companies that are putting technology in to help them manage 0:10:45.160 --> 0:10:49.400 from afar technology companies a lot of noise today. 0:10:49.480 --> 0:10:49.640 Right. 0:10:49.679 --> 0:10:54.280 We saw Apple and the Google play Store start putting 0:10:54.800 --> 0:10:59.079 controls in place around what kind of applications security posture, hygiene, 0:10:59.120 --> 0:11:03.280 privacy posture and hygiene could be put out there. And 0:11:03.320 --> 0:11:05.920 then of course, you know, we can't ever forget that 0:11:06.000 --> 0:11:11.080 the financial services industry spend a good amount of time 0:11:11.120 --> 0:11:17.520 they're doing cyber privacy diligence in support of transactions. Right, 0:11:17.559 --> 0:11:23.160 So what is a potential company's potential acquisition look like 0:11:23.200 --> 0:11:25.960 from a cyber security lens? Right? What kind of risk 0:11:26.440 --> 0:11:29.080 is present in their environment? What does that look like 0:11:29.240 --> 0:11:33.439 for uh, the the you know, let's call it private 0:11:33.480 --> 0:11:36.240 equity company that that's that's going out and buying them, right, 0:11:36.280 --> 0:11:39.560 that the risk comes with it? How does that impact 0:11:39.880 --> 0:11:43.600 the reps and warranties insurance. How does that impact money 0:11:43.600 --> 0:11:45.800 that that may be set aside an escrow uh to 0:11:45.920 --> 0:11:51.640 cover potential potential liability obligations. Uh. You know, especially in 0:11:51.679 --> 0:11:57.400 consumer and hospitality, they're very they're very people centric industries. Right. 0:11:58.960 --> 0:12:01.480 Nobody wants to be the company that bought the other 0:12:01.559 --> 0:12:03.760 company and all sudden to find out that, hey, there 0:12:03.840 --> 0:12:07.840 was a breach of a million records of personal information 0:12:08.040 --> 0:12:11.600 and we're doing business in California and all of a sudden, 0:12:11.679 --> 0:12:14.560 you're you're running a foul of the AG's office in 0:12:14.600 --> 0:12:19.760 California with CCPA and cpr A. Right, there's a lot, 0:12:19.960 --> 0:12:23.080 there's a lot of contentious conversations that are happening of 0:12:23.120 --> 0:12:27.199 what is the obligation of covering that risk in the transaction? 0:12:27.600 --> 0:12:27.960 Okay? 0:12:27.960 --> 0:12:28.240 Cool? 0:12:29.360 --> 0:12:32.160 And so you know, are you seeing you know in 0:12:32.200 --> 0:12:36.000 the research that consumers are significantly changing their behavior following 0:12:36.040 --> 0:12:38.319 cyber attacks And I guess, hows how's that changed over 0:12:38.320 --> 0:12:39.280 the last decade or so? 0:12:39.920 --> 0:12:43.040 Yeah? Really, really good question. So the greatest shift that 0:12:43.080 --> 0:12:47.800 we've seen is in upfront conscientiousness by the consumer. Who 0:12:47.880 --> 0:12:52.040 am I getting into business with? You know? What are 0:12:52.080 --> 0:12:55.679 they doing with my information? Is this brand doing right 0:12:55.760 --> 0:12:59.880 by me as a consumer. A lot of we all 0:13:00.040 --> 0:13:04.319 remember the days of the Target breach, right, and most 0:13:04.400 --> 0:13:08.439 forget that Target was breached because of their HVAC system. Right. 0:13:08.520 --> 0:13:11.360 It wasn't that Target went out and willingly did something 0:13:11.440 --> 0:13:15.040 that was running a foul of their of their customers. 0:13:15.800 --> 0:13:17.640 A big Target fan here, This is not this is 0:13:17.679 --> 0:13:19.640 not a knock on Target, right, this is the reality 0:13:19.640 --> 0:13:22.199 of the world that we live in. And you know 0:13:22.240 --> 0:13:25.960 the response was okay, well, Target was required right to 0:13:26.040 --> 0:13:29.840 go out and get credit monitoring service for their customers. 0:13:30.520 --> 0:13:32.960 Most people still think that it was Target's goodwill. But 0:13:33.000 --> 0:13:35.840 they went out, I got credit service monitoring for their customers. 0:13:35.880 --> 0:13:38.520 That's not the case. They were required to do it, right. 0:13:39.000 --> 0:13:44.160 But today we very much still see this conscientiousness by 0:13:44.559 --> 0:13:47.199 consumers to say, you know what, I'm not going to 0:13:47.240 --> 0:13:51.440 opt in. I'm not going to download an app that 0:13:51.720 --> 0:13:54.640 is knowingly using my information. We're seeing a lot of 0:13:54.679 --> 0:13:58.360 it now, right with the way that there's this conscientiousness 0:13:58.360 --> 0:14:01.040 of how is big tech using our information? How are 0:14:01.600 --> 0:14:07.319 they monetizing my information for their own their own purposes. 0:14:07.760 --> 0:14:11.199 In a post ro v wead world, right, there was 0:14:11.280 --> 0:14:13.640 a lot of a lot of light that was suddenly 0:14:13.679 --> 0:14:16.360 shown on well, there are all these these apps that 0:14:16.440 --> 0:14:21.560 help women, and what are their practices around cybersecurity? How 0:14:21.600 --> 0:14:26.400 might my information be compromised there? So there's certainly this upfront, 0:14:26.480 --> 0:14:29.040 you know, conscientiousness, and on the flip side, right, there's 0:14:29.080 --> 0:14:32.600 a lot of brain reputation that that is impacted when 0:14:32.680 --> 0:14:35.000 the own no moment happens, not if the owned no 0:14:35.040 --> 0:14:37.960 moment happens, but truly when, right, what did the brand 0:14:38.080 --> 0:14:44.160 do to protect my information? What was their social contract 0:14:44.160 --> 0:14:48.200 that they had with me? What information did they give 0:14:48.240 --> 0:14:51.600 me in their privacy policy, their terms and conditions upfront 0:14:51.640 --> 0:14:54.160 about how that information they were collecting about me it 0:14:54.200 --> 0:14:57.280 was going to be protected. So we are seeing a 0:14:57.320 --> 0:14:59.280 little bit of a shift. We're seeing a lot more 0:14:59.320 --> 0:15:03.840 noise come out when a brand is impacted. And the 0:15:03.880 --> 0:15:07.080 reality is in the marketplace is that we're no longer 0:15:07.120 --> 0:15:09.560 living in a marketplace where there's only one makeup store, 0:15:09.680 --> 0:15:11.960 or there's only one retail shop, or there's only one 0:15:12.000 --> 0:15:14.080 shoe store that you that you can shop in. Right, 0:15:14.160 --> 0:15:17.800 so brands have to take that proactive stance of saying 0:15:18.280 --> 0:15:21.720 we are in custodians of this information. We have built 0:15:21.720 --> 0:15:24.520 this reputation in the market with our customers. We have 0:15:24.640 --> 0:15:28.200 to do right by protecting this information, using it with fairness, 0:15:28.360 --> 0:15:31.600 using it with transparency, because the reality is that if 0:15:31.600 --> 0:15:34.120 our clients want it to walk away, it's going to 0:15:34.200 --> 0:15:37.080 be that much harder for us to reacquire that client. 0:15:37.200 --> 0:15:40.320 Yeah, more costly as well. Yeah for sure. Yeah, it's 0:15:40.320 --> 0:15:43.240 really really interesting. You know, I think there's definitely been 0:15:43.280 --> 0:15:44.400 more attention paid to it. 0:15:44.480 --> 0:15:44.640 Right. 0:15:44.680 --> 0:15:48.360 You have have people in the media, you know, looking 0:15:48.440 --> 0:15:51.240 at you know, TikTok terms of service and things of 0:15:51.240 --> 0:15:54.520 that nature, right, And so I think I don't know 0:15:54.520 --> 0:15:56.720 if it's hurt their user base at all, but you know, 0:15:56.760 --> 0:16:00.440 you have people definitely more cognizant of what's being cappedured, right, 0:16:00.480 --> 0:16:02.520 and what's being used and how it's being used. So 0:16:03.480 --> 0:16:06.320 I think that's a good thing. And when anytime, consumers 0:16:06.320 --> 0:16:10.280 are willing to educate themselves, right, So, what are the 0:16:10.320 --> 0:16:13.920 main vulnerability points both at the restaurant level and at 0:16:13.920 --> 0:16:14.640 the corporate level. 0:16:14.880 --> 0:16:17.880 Tough question, and I hate to sound like a consultant here, 0:16:17.920 --> 0:16:20.280 but I'm going to give the first consultant answer, which 0:16:20.280 --> 0:16:24.000 is it depends. It depends what the ecosystem looks like. 0:16:25.280 --> 0:16:28.320 I'll say that, you know, even up to like four 0:16:28.400 --> 0:16:31.800 or five, six years ago, when we had these types 0:16:31.800 --> 0:16:34.640 of conversations with brands, it was like, oh, well, I'm 0:16:34.720 --> 0:16:38.320 PCI compliant, my credit card data is safe, and you're like, okay, 0:16:38.360 --> 0:16:41.280 that's fine, and I am so happy that you got 0:16:41.320 --> 0:16:49.920 through the PCI questionnaire, which is like totally counterintuitive. Let's say, 0:16:51.360 --> 0:16:56.240 but now we're beyond credit card information, right, and I 0:16:56.280 --> 0:16:59.840 think that what the what the questions are now that 0:16:59.840 --> 0:17:03.160 these companies should be asking themselves, especially in a post 0:17:03.200 --> 0:17:07.480 COVID world, is what does your technology landscape look like? Right? 0:17:08.040 --> 0:17:13.920 Are you using cloud based platforms to support your orders 0:17:14.000 --> 0:17:17.080 your fulfillment? What does that look like? How are you 0:17:17.320 --> 0:17:19.959 how are your restaurant locations or how you know, how 0:17:20.000 --> 0:17:23.600 are your store locations interconnect one another? What does that 0:17:23.600 --> 0:17:27.840 that mesh of network look like? How are you granting 0:17:27.920 --> 0:17:32.800 access to your systems? How is your customer interacting? Right? 0:17:32.840 --> 0:17:35.080 Are they coming in making a purchase and that purchase 0:17:35.119 --> 0:17:37.080 is being shipped? Are they coming in making a purchase, 0:17:37.119 --> 0:17:39.200 the purchase is going out the door with them? Are 0:17:39.200 --> 0:17:44.840 they ordering ahead for pickup? Right? So this this you know, 0:17:45.040 --> 0:17:48.560 night what we'll call ninety percent reliance on technology has 0:17:48.600 --> 0:17:50.760 really changed the game of where you need to look 0:17:50.800 --> 0:17:55.719 for the technology related risks. Your apps? Right, who's developing them? 0:17:55.760 --> 0:17:58.480 Are they developing them in a secure manner? Are they 0:17:58.280 --> 0:18:01.680 are they being updated? How is information that you're collecting 0:18:01.720 --> 0:18:06.600 about your consumer being protected and used right through that app? 0:18:06.960 --> 0:18:10.640 Again above and beyond just credit card information? Right? How 0:18:10.640 --> 0:18:14.760 are you granting maintaining access to your point of sale systems? 0:18:14.800 --> 0:18:17.080 What kind of point of sale systems are you using? 0:18:17.240 --> 0:18:20.159 Are you are you pushing the you know, are you 0:18:20.240 --> 0:18:23.280 pushing onus onto your vendors to make sure that they're 0:18:23.359 --> 0:18:26.240 behaving and coding and developing their own software in a 0:18:26.280 --> 0:18:30.000 secure manner? Right? How is it information going from store 0:18:30.040 --> 0:18:33.879 location back to HQ? Right? What is your what is 0:18:33.920 --> 0:18:38.440 your cyber hygiene, privacy hygiene and posture look like at headquarters? Right? 0:18:38.480 --> 0:18:41.760 And that is logically right? How are folks get how 0:18:42.080 --> 0:18:44.760 are folks interacting with your systems? How are they getting 0:18:44.800 --> 0:18:48.639 into your buildings technologically? Right? What controls do you have 0:18:48.720 --> 0:18:51.600 in place around your technology systems? Again? How are you 0:18:51.680 --> 0:18:54.760 working in partnership with your vendors to make sure that 0:18:54.760 --> 0:18:57.119 that if you're if you're using a cloud based system 0:18:57.119 --> 0:18:58.840 and you're like, oh, yeah, you know so and so 0:18:59.000 --> 0:19:03.040 companies responsible for security because they're providing me this platform. 0:19:03.720 --> 0:19:06.720 Guess what, buddy, read the fine print because that risk 0:19:06.800 --> 0:19:09.720 transfer that you think that you're making is not really there. Right. 0:19:09.720 --> 0:19:12.040 There are obligations that you've got on your side to 0:19:12.080 --> 0:19:15.840 make sure that you've got appropriate controls in place. How 0:19:15.880 --> 0:19:20.280 are those systems interacting with one another? Right? What does 0:19:20.280 --> 0:19:23.639 that interface look like between your systems? How are you 0:19:23.840 --> 0:19:28.639 educating your people and your users to maintain a sense 0:19:28.720 --> 0:19:32.240 of cybersecurity hygiene? Right? You know one of the latest 0:19:32.280 --> 0:19:36.960 statistics out there is sixty five percent of cybersecurity incidents 0:19:37.000 --> 0:19:39.080 start with your people. Somebody click the link that they 0:19:39.119 --> 0:19:44.000 shouldn't have, right, and we're we're a click happy bunch humans. Right, 0:19:45.200 --> 0:19:47.760 So are you educating your people on hey, don't click 0:19:47.760 --> 0:19:50.840 the link. If your finance team is getting requests for wires, 0:19:50.840 --> 0:19:53.760 are they calling the person to confirm that it's a 0:19:53.840 --> 0:19:57.239 legitimate request? The account number has not been has not 0:19:57.280 --> 0:20:02.000 been compromised in an email transit? Are you? Are you 0:20:02.160 --> 0:20:05.560 doing technical testing of your boundaries? Right? Are you having 0:20:05.600 --> 0:20:08.320 an objective third party come in and look at at 0:20:08.400 --> 0:20:10.800 all of this And I think the other piece that 0:20:10.920 --> 0:20:12.880 really really gets lost in all of this is are 0:20:12.920 --> 0:20:17.439 you empowering your information security and your privacy teams to 0:20:17.600 --> 0:20:19.800 do what they need to do? Are you giving them, 0:20:20.040 --> 0:20:22.359 you know, the monetary support. Are you giving them the 0:20:22.480 --> 0:20:25.920 right human capital to be able to do this? Are 0:20:25.920 --> 0:20:28.880 you giving them a seat in the conversation to say, hey, 0:20:28.920 --> 0:20:31.679 here's where we are today, Here's where we need to 0:20:31.720 --> 0:20:34.320 be in the future to meet all the obligations that 0:20:34.320 --> 0:20:39.879 we're putting out there. Right. Are you educating your board again? 0:20:40.359 --> 0:20:43.920 You know, the SEC has proposed proposed rules out there 0:20:44.000 --> 0:20:47.600 for publicly traded companies that you know, in the future, 0:20:47.640 --> 0:20:49.680 should these rules pass, you're going to have to have 0:20:49.840 --> 0:20:53.720 board educated members, right, really be aware of what what 0:20:53.760 --> 0:20:56.840 does cybersecurity mean? Right? And and you've got to be 0:20:56.880 --> 0:21:00.119 able to train your board on what cybersecurity risk look 0:21:00.320 --> 0:21:04.200 like for the company. So I think where we talk about, 0:21:04.240 --> 0:21:06.960 you know, what is the vulnerability to a brand? What 0:21:07.000 --> 0:21:08.720 you know, you've also got to really weigh what the 0:21:08.800 --> 0:21:11.840 impact is going to be. Right. You could have let's 0:21:11.880 --> 0:21:17.680 say a single location Wi Fi go down, it sticks, right, 0:21:18.200 --> 0:21:20.560 It could be malicious intent behind that, it could just 0:21:20.600 --> 0:21:23.639 be the fact that it's Wi Fi and it's not 0:21:24.040 --> 0:21:27.600 always going to be friendly, right, But what if your 0:21:27.640 --> 0:21:30.400 critical application goes down? What if your CRM goes down? 0:21:30.480 --> 0:21:33.480 What if your order payment system goes down? Right? And 0:21:33.520 --> 0:21:35.639 it is a threat actor? You know, what does it 0:21:35.680 --> 0:21:38.679 mean for your business to be out of you know, 0:21:38.800 --> 0:21:42.200 out of technology service for four hours, for eight hours, 0:21:42.359 --> 0:21:45.479 for three weeks? How many dollars are not coming in 0:21:45.520 --> 0:21:48.400 the door because of that? Right? So you've really got 0:21:48.400 --> 0:21:51.159 to understand what are your crown jewel systems, What technology 0:21:51.200 --> 0:21:55.520 do you need to keep safe? And what what investment 0:21:55.640 --> 0:21:58.280 are you willing to make as a company to make 0:21:58.320 --> 0:21:59.720 sure they stay safe. 0:22:00.840 --> 0:22:04.160 Yeah, that's great. And you know what I found when 0:22:04.160 --> 0:22:05.679 I was doing a little bit of legwork before we 0:22:05.720 --> 0:22:08.840 spoke that was interesting was like how much they spoke 0:22:08.840 --> 0:22:14.119 about employees and protecting employee data, right, because I've just 0:22:14.160 --> 0:22:17.800 been thinking about you thinking about it at the consumer level, right, 0:22:17.880 --> 0:22:20.359 and the credit card data and the loyalty data and 0:22:21.080 --> 0:22:24.760 all that kind of stuff, But obviously securing employee data 0:22:24.800 --> 0:22:25.359 is important too. 0:22:25.480 --> 0:22:30.720 Right. So without naming names of brands, because I feel 0:22:30.720 --> 0:22:33.359 for the brands, irrelevant of size of these companies, I 0:22:33.400 --> 0:22:36.399 feel for the brands that are dealing with this. The 0:22:36.440 --> 0:22:40.760 state of Illinois gifted us some new laws around bio 0:22:41.400 --> 0:22:45.360 biometric information. Right, So I think you're spot on. When 0:22:45.400 --> 0:22:48.600 companies think about data, we're always thinking about consumer We 0:22:48.680 --> 0:22:51.720 really also need to include employees in that. And the 0:22:51.760 --> 0:22:55.800 reason I bring it up is because it is not unmanageable. 0:22:55.880 --> 0:22:57.960 Again speaking in broad strokes here, I don't want to 0:22:57.960 --> 0:23:01.920 throw any any companies under the US on this. Right. 0:23:03.800 --> 0:23:07.040 When we think about employees, I'll give you this scenario. 0:23:07.119 --> 0:23:10.959 An employee walks in the door. You're using, you know, 0:23:11.800 --> 0:23:17.800 upper right quadrant technology for your employee timekeeping systems, and 0:23:17.840 --> 0:23:21.320 your employee comes in, they scan their thumbprint, they've clocked in, 0:23:21.800 --> 0:23:26.160 they work the shift, scan back out, end of day. Right, 0:23:27.240 --> 0:23:29.720 How are you protecting that information? Are you? Did you 0:23:29.760 --> 0:23:32.280 give disclosure to your employees that you're going to be 0:23:32.359 --> 0:23:36.480 using your biometric information to do this? How are you 0:23:36.600 --> 0:23:40.960 maintaining the security of that information that you're collecting. How 0:23:41.000 --> 0:23:46.840 are you maintaining information that your employee and their health 0:23:46.840 --> 0:23:50.439