Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Navigating Cryptocurrency Security: Sim Swaps, Vendor Risks and Assertive Measures
What if you could protect your cryptocurrency from hackers with just a few simple security measures? That's what we're diving into today in our exploration of the fascinating yet terrifying world of SIM Swaps and cryptocurrency security. We'll shed light on a real-life cautionary tale of a victim who lost his cryptocurrency to these cunning cyber con artists and the ingenious way they laundered the stolen funds. Discover why you should never use your phone numbers for authentication and what you can do to protect yourself.
As we journey further, we'll unravel the complex web of crypto regulations and vendor risk management. With the SEC guidelines causing confusion, we'll debate the need for a more regulated crypto environment. Learn about the critical process of vendor vetting in industries dealing with confidential data. We'll also reveal the SPRS scoring system for assessing vendor security and why you must be assertive with vendors that don't prioritize security. Remember, when it comes to securing your crypto assets, the mantra should be "don't trust, verify." So, gear up for an enlightening episode that will help you navigate the murky waters of cryptocurrency security.
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https://petronellatech.com
Hey guys, welcome to another podcast. We've got Blake Ray Hello. Today we're going to talk about SIM Swaps, top cybersecurity and compliance news, and there was another story.
Speaker 2:Third party risk vendor management.
Speaker 1:Yes, third party vendor risk management. So SIM Swaps. What is a SIM Swap? A SIM Swap is when a bad actor impersonates you to the telecommunications or phone company. So they pick up the phone, use social engineering and basically steal your identity to persuade the caller or representative at the carrier to send you a new, or send the bad actor a SIM card a new SIM card with your phone number tied to it. So one of the things that people do, or that's recommended, to prevent a SIM Swap attack is, first and foremost, try to avoid using your telephone number, your cell phone mobile number, for SMS tokens, and what I mean by that is, when you go to a website and use the multi-factor authentication, try to avoid using your phone number to get the pin, because if that gets in the wrong hands AKA a SIM Swap well then they can get into those accounts and this is what has happened hundreds, if not thousands, of times especially targeting people that hold cryptocurrency or Bitcoin, and as those cryptocurrency values go up, so do SIM Swap attacks. So SIM Swap attacks they look for lists and people that hold crypto, and they know that people in mass generally do not adopt. Not saying you guys, your listeners, yours are smart ones. I'm saying that most people don't take cybersecurity seriously enough minimum effective dose of security on their own personal devices and systems. So the hackers know it's essentially low hanging fruit. So they go after the carrier. They try to figure out which carrier first. They do recon on social media, figure out their victim list and then they figure out who they want to target and impersonate. And it's happened so many times. There's been cases all different carriers have been attacked with this, and it's an ongoing problem.
Speaker 1:So you, as a consumer, the best things that you could do is try to protect your phone number as best as possible. And what does that mean? That means that you can call your mobile carrier. Stop what you're doing right now. Tell them that you want additional security on your account. Set up a unique pin number for when you call the carrier, ask for any additional security controls that they can offer you to prove your identity. So just make it more hoops to go through. I know it might be inconvenient for you, but I mean really, how often do you call your carrier anyway? So I mean nowadays, too, with the new iPhones and I'm sure that the new phones, droid devices, things like that they use what's called eSIM, so there's no physical SIM chip anymore, which helps. So but still there's risk there and it's still possible to move your. You know people can go get a new iPhone or a new device and still activate and move your phone number if they have enough information about you as the target. So all that, blake, you can comment.
Speaker 2:Yeah, yeah, I especially. Once you get a new eSIM it'll cancel your old SIM. So this actually happened to my dad, ironically, and his crypto got stolen. Yeah, essentially they were they were migrating his phone number to Google voice and then so anytime you would call his phone, it would say the Google subscriber, whatever, leave a message. And then he started getting, I guess they got text messages to his Google voice number for his Binance or whatever whatever crypto wallet, coinbase, and then they sent the money to themselves through Coinbase or Binance or whatever.
Speaker 2:And of course, you know me being the forensics guy I essentially kind of traced the breadcrumbs trail from wallet to wallet and essentially what they were doing was they were taking crypto and then they were dividing it. So, like they would take let's just say it was you know a thousand US dollars, they would send like 700 to one account and then 300 to another account, and then that 300 would be 100 there, 200 there, and then the 700 would be like 500 here, 300 there, and they just kept doing that, you know, pretty much infinitely. I mean, I think it took me maybe 20 or 30 like layers, and then it actually went to the biggest whale wallet in the world. So I find that super interesting. So the person who has the largest you know, that I was aware of and of course I looked on the coin.
Speaker 1:So so so that big whale wallet could be on an exchange somewhere though. So it's kind of so when you say that it's probably not an individual that owns that wallet. It's probably some exchange somewhere.
Speaker 2:Could be. But you know you can go to like I think it's the coin exchange or whatever, and it shows you like the most held the largest wallets and it traced right back to that wallet. So I found that a little interesting and, yeah, it happened multiple times to him. The second time they got into it they already tapped all of this crypto out and then, of course, there's nothing you can do. I mean the money's gone.
Speaker 1:Yeah, I mean I don't know if you've done this or not, but you can certainly fill out a report with the US cert and CISA and report it, which you should do. And if you've been a victim of that, you can certainly keep digging and keep digging deeper and try to kind of triangulate where I know you said big whale wallet, but it most likely is some exchange somewhere. But yeah, it takes a lot of time, like you said. I mean they do these, I'll put it, I guess money laundering, kind of looping kind of things to kind of keep moving the money and in different numbers, like you mentioned, and then they keep kind of how many layers of that deep right. And then you said that it ended up in some large whale wallet somewhere. So I suspect that it's probably at some exchange somewhere or dumped there somewhere and then further got distributed from that point or converted or something Just got to keep.
Speaker 1:Like you said, the breadcrumb trail. I mean it could be a really long trail, sometimes take countless hours. That's why this work is so specialized and it takes so much time. It could take years. Law enforcement is still using new technology to crack cases from 30, 40, 50 plus years ago with DNA and different kinds of tools that are new and they're catching criminals. So I mean, I'm sure, as time progresses and the tools get better, hopefully one day you'll be able to track it down. But yeah, I know that the short answer is there's nothing you can really do, but there is some things that you can do, and reporting it should be one of them. You can certainly reach out to an attorney and explore those options too. Sometimes they have access to different experts that can help.
Speaker 1:It really just boils down to I don't know how much money it was, but it boils down to is it worth it or not? Because you're going to end up paying for some of this stuff and sometimes it's not worth it. But I think the learning lesson and not talking down on you or anything, I'm just saying the learning lesson here is don't keep your money on, don't keep crypto on exchanges, keep them on cold wallets. We've talked about that before. I don't know if you guys are aware with the whole. People say Binance and then some people say Binance. I say Binance, but there's a whole crackdown happening with CZ, the CEO of Binance, and how he has stepped down and paid over. I think it was $4 billion. This was last week in fines, and then I heard a couple of days ago that they're not going to let him leave the United States until his hearing. So that's interesting.
Speaker 1:So I guess the takeaway here, looping back to Simswap attacks, is don't trust your phone number to keep you safe and don't trust anyone. Don't trust your carrier to keep you safe. Like I said, there's ongoing cases around. Whose fault is this? Is this the carrier's fault because you had cryptocurrency and you were trusting the carrier to not move your phone number? Could be. I do agree that you shouldn't have your phone number moved without your authorization and there should be safeguards from carriers to make sure that you prove your identity and maybe even make it so that you absolutely have to go into a store and you have to show two forms of government ID.
Speaker 1:My point here is that anybody around the world can call anyone else and a bad actor can wake up in a different country one day and say, oh, I'm going to attack Blake or whomever, and they can do that from anywhere in the world. And if we don't have carriers and companies that follow these security and regulations that are put in place, I mean, that's why these things exist, because if people didn't put security in place for anyone, I mean, look at that. This reminds me of back in the day. I don't know if you remember Blake, do you remember phone freaking? Do you know what that is? So phone freaking is? This is back when, I mean, 2600 is still around. But my point is that phone freaking was like the fun thing to do for board teenagers. Cyberpunks that wanted to hack into. This was kind of like before the internet, more in the BBS or Bulletin Board system days. That's a pretty good tip again board teenagers, board kids that wanted to break into carriers, phone companies, and the goal was to set up party lines.
Speaker 1:Back then cell phones weren't in everybody's hand, so it was old school pick up the phone, dial and call somebody. And most companies had corporate accounts with carriers, right. So they'd call like the company might have an account with AT&T or whomever and they would have their business phone lines with them. And this was back when T1s were more popular. And anyway, you had these at risk companies that were relying upon the carrier to set up their company dial directory. And sometimes these companies needed conference lines because maybe they were a global company and they needed people to dial in, kind of like what we're doing now with Zoom, right, only this didn't exist then.
Speaker 1:So they did it all by audio, all by phone. So what hackers in that day and that timeframe would do is they would hack into the phone carrier, break into the party line and either just goof around or lock people out or kind of like how, when COVID hit, a lot of people were hacking the Zoom channels and kicking the people out and doing crazy stuff. Well, they were doing this stuff back in the day, only with audio. So my point is back then, kevin Mitnick, you know, rest his soul. He passed away recently, right, but this was in a lot of his books. He used to do this kind of stuff and he went to prison for some of this that he did when he broke into some of the carriers.
Speaker 1:But my point, in kind of bringing this full circle, is those were learning lessons for companies and carriers and that's what caused regulation and regulation continues to evolve, as we've seen with CMMC in different kinds of regulation and there are different laws and regulations that these carriers need to comply with. In my opinion, there's not enough being done for companies and carriers, companies of all shapes and sizes around taking cyber seriously enough and taking compliance seriously enough to protect the consumers and to protect the companies. But I think the best thing that you and I can do as consumers is advocate is push back at the company or the other person on the other line and say, look, we want more security, I want more privacy, what are you doing to protect me, what can I do, what can you do for me and what can I do to protect myself? And then kind of bringing this full circle back to crypto. Never put crypto, store it for long periods of time in software or hot wallets. You know kind of best practices with crypto is.
Speaker 1:You always want to make sure that you have a wallet ideally a cold wallet and that you spend coins, send and receive coins to that wallet before making large purchases and savings to those wallets, because you don't want to set up a brand new wallet and then just go put your life savings in crypto or whatever. I'm not recommending any of this. This is not financial advice. My point is that you don't want to, in this case, trust a wallet, a software wallet or even a hardware wallet. You don't want to trust that they're going to store everything either. So you need to do things on your own, and what I'm saying to do on your own is test these things, make sure that they work properly. Send and receive small transactions. Always do that as a test before storing larger amounts.
Speaker 1:Never trust one wallet, even if it's a cold wallet. Use multiple cold wallets, different vendors. You know, for security I use multiple vendors for cameras, multiple vendors for different layers of the ecosystem, because, again, I feel like we're in such a trustless world. You have to verify everything and you can't, unfortunately, trust a single person, company or carrier. So there's some things that you can do on your own, as listeners, to kind of take matters into your own hands, because the fact of the matter is, all of our information is out there and we're all targets. So what are you doing today to make it harder and becoming less of a mark? At least, that's my philosophy on it.
Speaker 2:Yeah, I mean it's like putting all your eggs in one basket. You know that's the easiest way. I'm sure I mean your mom has told you that, or your dad or somebody in your family, you know. So spreading, you know, and with my dad's story, you know, obviously the hackers were spreading that money out, right, you know, because having it all in one place is too risky.
Speaker 1:Yeah, and that goes for exchanges too. You know, if you're trading crypto, like I said, try to avoid using your phone number for an authentication layer. You know, don't trade on a single exchange. You know, try to use multiple exchanges. Try not to keep a large amount of money on an exchange. Have a process to move it off the exchange to several different cold wallets, like Blake was saying, kind of spread things out so all your eggs are in one basket, because there could be a day in the future where one of those exchanges gets hacked or what happens and there's a government crackdown, they find some shady stuff happening, like what happened with FTX. You know.
Speaker 1:And then you know, if you guys have money on those exchanges, they can lock it all up and freeze it all up, and then it's going to take months, if not years, for you if you ever see that money again. So why would you put yourself at those kinds of risks when we've had so much corruption? And this corruption is everywhere. It's all over the place at different companies, different levels. It's just everywhere. So we need to take matters into our own hands and take security more seriously and do our part.
Speaker 2:Yeah, I mean I think in my opinion, you know there's probably going to get some heat for this, but you know I definitely want to see crypto regulated for those reasons. You know that it's kind of been for the past 10 years or so like the wild, wild West, you know like it. Just it needs to happen. I think you know that way people can feel secure. You know, investing in these crypto coins and I mean the fact is nothing, you know nothing really happens to these criminals, you know.
Speaker 1:I mean Well, I don't know if that's entirely true. As far as that, I mean, look at what. Do it agree?
Speaker 1:Yeah, I think your point is that and I think the speculation is that it's too easy. It's too easy for anyone to kind of create a crap coin and make a bunch of money and then rip people off and there's no regulatory framework around. You know the laws of the land, you know and I agree with that and I support that. I do think that there needs to be more regulation and, again, you know compliance around. What can you, what can you do, what can't you do? I do feel like our country in America is is lagging behind. I think that you know some other countries are more advanced in that regulation. I'm hopeful and optimistic with the whole. You know a lot of people are anticipating the Bitcoin ETF and the, the Ethereum ETF. Now, I don't know if you've heard about those things, but you know there are. Those are some real big players, like BlackRock and Fidelity Investments, and they're all now, you know, turning the corner on supporting Bitcoin and wanting to be the first to make it easy for people to buy Bitcoin on New York Stock Exchange, for example, and through traditional financial measures that are regulated. So right now we have, like, the grayscale Bitcoin trust right, and that's an easy way for people to get exposure to Bitcoin through the normal financial channels, like on the stock market, for example. You know you can buy MicroStrategy. You know they're a big supporter of Bitcoin. My point is that there's the traditional financial regulatory frameworks that exist now, with people trading stocks and derivatives and things like that, and then there's the Bitcoin and crypto world and, like Blake said, yeah, I do think that there needs to be more regulation and more you know of a blueprint of what you can and what you cannot do. Now I think that there's also I know Coinbase, for example, which is a popular exchange in America, has requested clarity from the SEC on you know what are the rules, you know what can we do, what can't we do, and they're getting a lot of friction and not getting clear answers back. So I think there's a lot of frustration there. So I don't know why it's taking so long to get the clarity that these companies need. I think that a lot of companies, especially exchanges, have moved out of America, which is sad to see, in my opinion. I mean, I think that America is a great country to start a business and I think, at least on the crypto side of things, it's become very difficult and people are scared that they're going to get cracked down by the SEC and get fined, you know. So I think that you know, people don't know what they can and can't do. There's not a lot of clarity there. So I 100% agree that there needs to be some clarity there, and I think that that is in the works, especially with this new Bitcoin ETF and Ethereum ETF, which is, you know, blackrock's, if not the biggest financial, I think they are the biggest financial company in the world. So you're talking just tons of money that is on the sidelines right now. So, anyway, that's the kind of the.
Speaker 1:I guess we went off in a little tangent, but you know, the point is, you know, for SIM swaps at least, you know, try to protect yourself, take matters into your own hands, and we'll, you know, kind of shift gears into vendor risk management from here, and it goes back to the don't trust verify methodology. You know, when you have a vendor that you want to do business with, or that vendor wants to do business with you, whatever, you should have a pot, a process around. How do you vet the security of that vendor? Are you exchanging confidential information? You know, in the, in the, the Dib or the defense industrial base and in the CMMC world you have typically the prime vendors and then you have the sub vendors and it's called a trickle down effect. So in our world with NIST and IST, 800171 and now 800172, and then you've got DeFars compliance and CMMC compliance. Now the point is the big primes that you know, the Boeing, the Lockheed Martin, you know the real big company names that you've heard of in aerospace engineering and defense. Those guys have a framework to follow, which is what I just mentioned with NIST and CMMC.
Speaker 1:And if you are a small company that helps the big company, you're considered a sub. And if there's what's called CUI or controlled unclassified information, or maybe it's even classified information, if there's some information flow that's sensitive, there's what's called a flow down from the prime to the sub. The sub they don't care if you're one person working out of your house or a thousand people working in a corporate building across different locations. You have to take all that same security of NIST, 800171, 172, cmmc. All that stuff you have to do just like the big prime. So there's no more. Oh, I'm this small company, we don't need to do all this stuff. No, if you want to participate in the ecosystem and have that supply chain and that vendor relationship and get that money, that grant money or whatever that business. You need to take that security just as seriously as that big company. So, going back to vendor risk management, you want to make sure that, at least on an annual basis, you're going through all the vendors you do business with and you're going through a framework like NIST 800171 and you're following along with.
Speaker 1:Do I have all these policies and procedures in place? Are they up to date? Are they customized for my company? What am I asking of my vendors? Are you asking for proof of a pen test? Are they allowed to do their own pen test or they have to do a third-party pen test? We recommend third-party testing because it's not, in our opinion, Like a tunnel vision approach. It's very fresh approach and there's teams that are doing this all day long and you know, using different team members and different expertise to exploit gaps in the system, so it's much more effective. But there are things that small companies can do on their own. They can do the policy work on their own. They can do the, the mappings or the adaptation of those policies and procedures on their own. So a lot of the heavy lifting can be done by the small company or even the larger company, but there should still be a professional that's hired to test it in the end, when you're done and you know, I think that the, the SPURS or the SPRS system, was a good way that the government, with the DFAR 70, 19 and 70, 20 and 70 21 that came out a few years ago now For defense contractors, they basically were like hey, we know that you guys are supposed to be compliant with NIST 800 171, but fact of the matter is we know most of you are not, because we're seeing all these headlines with hacks in the supply chain.
Speaker 1:So let's see how compliant you are. And that's where the whole SPRS scoring system came into play. And if you did not have a system security plan, you were automatically failed and you had a score of negative 203. And if you were Doing a great job, your perfect score is 110. And if you had any gaps whatsoever, you had to document them into what's called a poem, plan of action and milestone and you had a time frame of how and when you were going to fix that gap. And when you're done, then you get the points and there's a whole DOD methodology on how they calculate the score, then you're supposed to be uploading your score into the SPRS system on a regular basis and your score may change. You may lose an employee or a key stakeholder and Maybe that unwinds some of the security and you have to go back and rewrite your policies and remap things and and maybe you were A 110 at one point and now you drop back to an 80 and now you got to do some extra work and get yourself back up to. You know the speed.
Speaker 1:But my point is you can use this methodology to score your vendors. You can ask your vendors and put pressure on your vendors on. Hey look, can you show me your policies and procedures? Can you show us evidence of a pen test? When was your last security risk assessment? When was your last Vulnerability assessment? What did what was tested? What was not tested? What, what, what did the remediation look like? You know what I mean like.
Speaker 1:So if you get a vendor that you're doing business with and they're looking at you like they don't know what any of this stuff is, obviously that's a red flag. They're not doing anything for security, pretty much or very, you know, minimal. So and for the hills, yeah. So I mean that you know that these are things that you can do to kind of Essentially raise the bar, because if you do business with companies that take security more seriously, well then you're at a less likely risk of a breach, because a breach hurts everybody. So if one of your vendors has a breach and you're in a Financial or business relationship with them, it affects you too and you can get pulled into it, so you know. So it can get messy, especially in healthcare too, like. So if you're like a you know a software as a service vendor in healthcare and you're collecting patient health information and you're subject to HIPAA compliance and Something happens and there's a breach, well you, you're affecting clients that you do business with that could be hospitals, that could be clinics, so it just gets messy, and it gets messy really fast.
Speaker 1:So you definitely want to be careful with what vendors you do business with and how you're vetting them, and you want to do the vetting process at least on an annual basis. And you want to push back and you want to. You know a lot of these smaller companies especially. The quick answer is, oh, we can't afford to do that, we can't. You know, that's too expensive. Well, I mean, like I said, a lot of this stuff you can do on your own, and it doesn't necessarily always cost money either. So there are things that can be done that are more secure than doing nothing.
Speaker 2:Yeah, I think that's a great point to hammer home. You know, obviously it's dominoes, right, like if your vendor falls, you fall, and understanding that. And you know we have a lot of people that approach us that don't agree with that, but that's the truth, you know. Oh, I'm trusting this data with the vendor. I don't need to do this because the vendor does this. You know, it doesn't work like that.
Speaker 1:Well, look at the biggest misconception.
Speaker 1:Yeah, and look at you know, one of the common misconceptions that I hear is around password managers. A lot of people are scared to use a password manager because their belief is oh well, that vendor is, if they get breached, then I'm screwed, and there is some truth to that. However, if you're doing your own due diligence and you're doing your own methodology and protecting yourself, let's say you've got 10 different places, 10 different accounts, and you store those 10 different accounts on something like a last pass and those 10 different accounts almost every company supports multi-factor authentication. If you took those 10 accounts and you and you used an authenticator app with each of those accounts, well, if somebody got your password, they're still not getting in your account right, because they don't have your authenticator token. So my point is that if you make it harder Now, if you use a dumb password like password 123, and you reusing that password at multiple accounts, maybe five or seven of those 10 accounts well you're your own worst enemy You're making. Obviously you don't want your passwords to get exposed. I'm not saying that that's good or that's even tolerable. What I'm saying, though, is that, as a consumer, you can do more to protect yourself by using complex, unique passwords in addition to multi-factor, and choosing a multi-factor method not an SMS, not text message a authenticator app that is known to be more secure, like Google authenticator, microsoft authenticator, et cetera. Those are ways that you can take matters into your own hands that, yes, it does make it harder for you to log into your sites that you need to do business with or bank or whatever, but you're protecting, you're doing your part, you're taking advantage of the security that's being offered to you. If you're the type of person that's just you, minimum effective. Hey, give me the eight-character password or whatever, and I'm using the same one for the past 10 years. Well, I mean, now is the time to change that habit.
Speaker 1:But my point is that it is a myth that using a password manager is not as secure, because we're all human. I don't even know what my passwords are. My point is I have a proven methodology of complex passwords, tokens using software and different. I even use proximity tokens for certain things, or hardware tokens in addition to a software. My point is that you choose the methodology and the layers dependent upon what you're going to protect, and use all of the controls that are given to you and take advantage of them to protect yourself. Because if everybody were to follow this which I don't think will ever happen but my point is that if most people were to use what's given to them and the depth of what's given to them, then when a breach because it's not a matter of if it's when a breach happens, then you won't be suffering the damages from that, because, think about, let's kind of fast forward and play a game where, let's say, all your passwords were in last pass If you followed what I just said, who cares?
Speaker 1:Everybody's got your information anyway, right. But the point is that if you put in multiple layers to protect yourself, well, yeah, that one layer got compromised and that's bad. And then you just go and you move on about your day. You choose a better solution, you go back, you change your passwords, but you're the one that's still in control, you're the one that still has access to your account, because you took it seriously and because you had these extra layers in place, so you didn't suffer damages, whereas most people that were not doing that, yeah, now they suffered big time and maybe they even lost something like crypto, because they again weren't possibly using all the methodology around securing their accounts as best they could.
Speaker 2:Yeah, I agree 100%. You need to stay diligent. Obviously, look, it helps to reflect in words. Look at yourself, look at your company, look at your brand, look at yourself as a victim, like what would I do? Obviously, you know your vulnerabilities. I could tell you I'm not the best, strongest bodybuilder, right. So use those in your understanding of your company to help progress your security, right. Take that with if you're using a third party company consultants like us to help. Hey, I know I'm weak here. I know I'm weak there. You know, don't get defensive in that strategy. Don't be ignorant, because communicating that to, let's just say, you're seeking help to secure your business, like with companies like ours Just knowing that you know we can help streamline things a little quicker as well. So, yeah, I'm ignorant.
Speaker 1:The other thing just to add to that too is don't assume that big company or big healthcare vendor, hospital doctors, whomever don't assume that if they're a prime, oh, they got all this covered. No, that's not how it works. Again, we're trying to drive home the fact that when you do business with a vendor or a hospital, whatever, ask for the secure portal. If they don't have one, give them a secure portal that you manage and maintain from a trusted vendor. Don't send information via insecure text message or insecure email. Use an encrypted email platform. These are different, just examples of just. I'm not saying that they're silver bullets or cure-alls. I'm just saying that these are things that to look out for. If your law firm is sending you a questionnaire to fill and this questionnaire is pretty detailed around your first name, middle name, last name, social security number, birth date you know there's some stuff in there that's private Don't send it back to them via insecure email. Say, look, do you have a law firm dashboard that's encrypted where I can send this to you? Or if they are like, no, we just do this by email, then you need to be educated enough as a smart listener of our podcast and be like, no, I'm not going to do that. What other methods do you have? If they don't have one, you need to be one to give them a method and say look, we're going to use this. Simple things that are free, like signal. You could exchange encrypted messages with signal. There's all different platforms, different capabilities of each of these platforms. Not necessarily all of them cost money.
Speaker 1:The point here is that don't trust that big company or whomever has all this covered, because they don't. It's a common myth that, oh, they're a huge company or they're a big bank, they got all this taken care of, whatever. No, not necessarily they don't. We're here to educate you that most often they do not and that you should take matters into your own hands, especially when you're dealing with any kind of sensitive information. These extra safeguards that you're doing yeah, they put a hurdle in place, but they make it more difficult. In the event that something is exposed and there's a breach, it pays back dividends and protections to you.
Speaker 1:Look at what happened with Equifax. Equifax, all of us were affected. Now, if Equifax was encrypting, then the payload would have been encrypted to the bad actors. Again, I'm sure there's more to it in the investigation. I wasn't part of the investigation. My point, though, is that, again, big company. I think the knee jerk reaction is oh big companies got our back, they're securing us. Well, we find, more often than not, that the big companies, as well as the small companies, are still not doing enough for cyber and protection and compliance.
Speaker 2:Yeah, I know this one also. Don't give them more information than they need, even if it's on the form push back.
Speaker 1:Say look, why do you need my social security number? Why do you need this? There's information that you should push back on. Just because it's on the form, don't fill it.
Speaker 2:Yeah, same thing. Let's just say, for example, you're collecting information from your clients and then you're storing that information in X, y, z software. If you don't need their social security numbers and that software, that vendor doesn't require that that they have the social security number, why are you collecting it and why are you storing it there? I know that sounds obvious, but people do that. They try and make their life easy. Oh, I'm just going to get as much information as I can. I'm just going to put it all in one place. If you don't need your clients' social security numbers, like, don't collect it, don't store it. I know that sounds really obvious, but it happens and people do that surprisingly. They're like oh what if I need it later? No, no, don't do it. Yeah, I should probably definitely wrap up on that note. It's a good ending point, agreed.
Speaker 1:All right, thanks guys.
Speaker 2:See you in the next one.