1
00:00:00,000 --> 00:00:01,800
I was thinking like superpower.

2
00:00:02,700 --> 00:00:03,500
Oh, yeah.

3
00:00:03,700 --> 00:00:07,200
Or my other thought was mediocre power.

4
00:00:07,200 --> 00:00:12,900
Like it's not a superpower, but it's like I'm mine would be like finding

5
00:00:12,900 --> 00:00:16,300
like the right wrench or like socket.

6
00:00:16,800 --> 00:00:19,700
Yeah, every time working on every time and grab.

7
00:00:20,000 --> 00:00:20,400
Yep.

8
00:00:20,900 --> 00:00:21,600
Like that one.

9
00:00:21,600 --> 00:00:22,700
Oh, that's an eight.

10
00:00:22,800 --> 00:00:23,300
Yep.

11
00:00:23,300 --> 00:00:23,900
Okay.

12
00:00:24,300 --> 00:00:28,400
So I knew that less useful with the USB-C, but that one that was from

13
00:00:28,400 --> 00:00:31,600
ages ago where everyone's like, I want to get the USB right every time.

14
00:00:32,200 --> 00:00:32,700
Yes.

15
00:00:32,700 --> 00:00:33,200
Yes.

16
00:00:33,200 --> 00:00:33,900
Exactly.

17
00:00:34,400 --> 00:00:35,100
Exactly.

18
00:00:35,600 --> 00:00:40,800
It easy when you get to know, you know, the layout of the plug, but yeah,

19
00:00:40,800 --> 00:00:45,400
it's a quality of life power rather than a superpower.

20
00:00:46,000 --> 00:00:46,400
Yes.

21
00:00:46,400 --> 00:00:46,900
Okay.

22
00:00:47,400 --> 00:00:47,900
Okay.

23
00:00:48,100 --> 00:00:49,500
Now I need to think about that one.

24
00:00:50,400 --> 00:00:51,000
Anybody else?

25
00:00:51,000 --> 00:00:52,700
Or we could do or we could do superpower.

26
00:00:55,200 --> 00:00:56,700
I like the quality of life power.

27
00:00:56,700 --> 00:01:00,400
I feel like that's, yeah, it's, it's hard to answer.

28
00:01:00,400 --> 00:01:03,300
I feel like you had the best one right there being like, right?

29
00:01:03,400 --> 00:01:07,700
I was like, that one's like tapped to your quality of life power for you.

30
00:01:08,100 --> 00:01:13,800
The other one, if it helps anybody is like in the kitchen, if it's like measuring

31
00:01:13,800 --> 00:01:17,500
something, like no matter what the scoop is, it's always like the right

32
00:01:17,500 --> 00:01:18,000
measurement.

33
00:01:18,000 --> 00:01:20,400
You don't have to like, like level it off.

34
00:01:20,400 --> 00:01:22,000
It's just like, right?

35
00:01:22,200 --> 00:01:24,100
So it's just like, here we go.

36
00:01:24,100 --> 00:01:27,100
I like that.

37
00:01:27,100 --> 00:01:28,200
I don't have an answer though.

38
00:01:28,700 --> 00:01:34,100
Um, I know that's a, I like the measuring one a lot.

39
00:01:37,200 --> 00:01:38,400
You can have similar ones.

40
00:01:38,500 --> 00:01:39,000
It's okay.

41
00:01:40,500 --> 00:01:43,600
I suppose we could be in agreement of having the same ones, but.

42
00:01:44,100 --> 00:01:49,200
Or you're like always like you have like an internal clock that

43
00:01:49,300 --> 00:01:51,100
always tells you like even.

44
00:01:51,100 --> 00:01:52,400
You're so good at this.

45
00:01:52,400 --> 00:01:56,200
Damn it, you're like literally I was about to say that because I was

46
00:01:56,200 --> 00:01:57,700
going to do it specific to.

47
00:01:58,000 --> 00:01:59,700
I need to go now because.

48
00:02:00,400 --> 00:02:03,400
Oh yeah, like exactly how long it takes to travel 45 minutes.

49
00:02:03,400 --> 00:02:04,500
You're yes.

50
00:02:05,000 --> 00:02:05,400
Yep.

51
00:02:05,900 --> 00:02:09,400
I was actually thinking like this is less relevant now with streaming,

52
00:02:09,400 --> 00:02:12,900
but like imagine if you always knew when your TV show was about to start

53
00:02:12,900 --> 00:02:13,700
during cable.

54
00:02:14,400 --> 00:02:15,200
Yeah.

55
00:02:15,600 --> 00:02:18,200
And you could be like, oh now I need to turn the tail off.

56
00:02:19,300 --> 00:02:19,800
No.

57
00:02:19,800 --> 00:02:22,800
And during ads, like you know exactly how long the ads going to be.

58
00:02:24,000 --> 00:02:31,700
I don't think any of you are an age where you did have to be in that mindset.

59
00:02:32,100 --> 00:02:35,900
And there is a level of anxiety that may come from that.

60
00:02:36,000 --> 00:02:38,800
That isn't necessarily 10 years behind this one.

61
00:02:38,800 --> 00:02:41,500
I lived in that for most of the nineties.

62
00:02:42,100 --> 00:02:44,600
Who's going to say 80s in Australia.

63
00:02:45,000 --> 00:02:45,700
And exactly.

64
00:02:45,700 --> 00:02:49,500
That's how far behind we were trying to carry that idea over to be like

65
00:02:49,500 --> 00:02:53,900
my mom would have us clean at night if like my dad was working late

66
00:02:54,400 --> 00:02:55,600
during commercials.

67
00:02:55,700 --> 00:02:56,000
Yeah.

68
00:02:56,000 --> 00:02:58,700
Like, okay, it started, but we have stuff to do.

69
00:02:58,900 --> 00:02:59,700
Exactly.

70
00:02:59,700 --> 00:03:00,200
So go.

71
00:03:00,800 --> 00:03:04,200
Or if we had to record something for mom or dad, the stress of trying to make

72
00:03:04,200 --> 00:03:08,300
sure we like hit it right or worse when we're like, no, no, I can do this

73
00:03:08,300 --> 00:03:11,100
and I'm going to cut out the ads.

74
00:03:12,600 --> 00:03:15,600
And just the intensity of us like sitting there with the recording button.

75
00:03:16,000 --> 00:03:18,100
Not even entertained.

76
00:03:18,100 --> 00:03:19,100
Yeah.

77
00:03:19,100 --> 00:03:22,300
I was the youngest person on this podcast and I think everybody's done

78
00:03:22,300 --> 00:03:26,100
because I was like, I have to do the yeah and grab a snack.

79
00:03:26,100 --> 00:03:28,600
I was like, but did I get TiVo when I was eight?

80
00:03:28,900 --> 00:03:29,400
Yes.

81
00:03:30,200 --> 00:03:31,100
Yes, I did.

82
00:03:31,800 --> 00:03:32,700
So I didn't get him up.

83
00:03:32,700 --> 00:03:33,100
Parents got it.

84
00:03:33,100 --> 00:03:34,100
Let's put it that way.

85
00:03:34,400 --> 00:03:35,100
Spoiled trap.

86
00:03:36,100 --> 00:03:42,800
I was going to jump off and say we had antenna TV like, you know, so like

87
00:03:42,800 --> 00:03:47,100
getting the right, but getting the right every time you're just like,

88
00:03:47,100 --> 00:03:48,100
there it is.

89
00:03:48,100 --> 00:03:49,100
That would be awesome.

90
00:03:51,600 --> 00:03:52,600
You guys are so good.

91
00:03:52,600 --> 00:03:55,100
I'm realizing that I don't think I'd like that much ease in my life.

92
00:03:55,100 --> 00:03:57,100
I'm like, I like making a mess when I cook.

93
00:03:57,600 --> 00:03:58,100
I don't know.

94
00:03:58,100 --> 00:04:01,100
I like digging through stuff and I never put stuff back in the right place.

95
00:04:01,100 --> 00:04:01,600
I don't know.

96
00:04:01,600 --> 00:04:04,600
There's a part of my brain that can't even think about making something.

97
00:04:05,600 --> 00:04:06,100
Easier.

98
00:04:07,100 --> 00:04:11,100
Kind of like easy as a quality of life power there.

99
00:04:11,600 --> 00:04:16,100
What if every time you cooked it never stuck to the pan?

100
00:04:16,100 --> 00:04:19,100
It would make Andrew happy.

101
00:04:19,100 --> 00:04:20,100
Not this Andrew.

102
00:04:20,100 --> 00:04:21,100
My Andrew.

103
00:04:22,100 --> 00:04:24,100
I don't give a shit about your pants.

104
00:04:28,100 --> 00:04:34,100
As the person who bought me the pot holder that has Cinderella on it that says,

105
00:04:34,100 --> 00:04:35,100
I don't do dishes.

106
00:04:36,100 --> 00:04:37,100
I don't do dishes.

107
00:04:37,100 --> 00:04:41,100
There's my quality of life that if Andrew ever was no longer in my life for some

108
00:04:41,100 --> 00:04:45,100
horrible, horrible reason, I want dishes to be magically clean.

109
00:04:45,100 --> 00:04:48,100
I think that's a full blown superpower.

110
00:04:48,100 --> 00:04:51,100
And I think we like that's amazing.

111
00:04:51,100 --> 00:04:53,100
That's just called paper plates.

112
00:04:56,100 --> 00:04:57,100
Okay. Just my coffee pot.

113
00:04:57,100 --> 00:04:58,100
Magic clean.

114
00:04:58,100 --> 00:04:59,100
Clean every time.

115
00:04:59,100 --> 00:05:01,100
By the time said, just the coffee pot.

116
00:05:01,100 --> 00:05:02,100
You should.

117
00:05:06,100 --> 00:05:08,100
Well, I think that's our opener.

118
00:05:08,100 --> 00:05:14,100
So today on our tech for business podcast, Kelsey and I are joined by

119
00:05:14,100 --> 00:05:19,100
Ann, our quality assurance analyst and GRC specialist, Matthew, our VC.

120
00:05:19,100 --> 00:05:24,100
So and Andrew, our customer strategy advisor.

121
00:05:25,100 --> 00:05:29,100
We're discussing something that applies to I think all industries in one way or

122
00:05:29,100 --> 00:05:32,100
another, and that is compliance.

123
00:05:32,100 --> 00:05:36,100
So to start us off, where, where are we today?

124
00:05:36,100 --> 00:05:41,100
And are there any recent trends or developments that you're seeing in compliance

125
00:05:41,100 --> 00:05:44,100
and its requirements?

126
00:05:45,100 --> 00:05:49,100
I'll start by saying that if you don't have a compliance requirement, you should

127
00:05:49,100 --> 00:05:51,100
have a compliance requirement.

128
00:05:52,100 --> 00:05:56,100
And I'm going to set the tone for the whole podcast by saying that out front.

129
00:05:58,100 --> 00:05:59,100
In short, where are we now?

130
00:05:59,100 --> 00:06:03,100
Well, you probably, if you're listening to this, you probably listen to the other

131
00:06:03,100 --> 00:06:04,100
podcast.

132
00:06:04,100 --> 00:06:06,100
So you've probably heard us all talk about this a little bit.

133
00:06:06,100 --> 00:06:12,100
You've heard me do the alphabet soup that is the NIST, CMMC, HIPAA.

134
00:06:13,100 --> 00:06:15,100
We have podcasts for a lot of these already.

135
00:06:15,100 --> 00:06:19,100
But the short version is that there is a lot of different compliance requirements.

136
00:06:19,100 --> 00:06:21,100
They span multiple industries.

137
00:06:21,100 --> 00:06:28,100
And one thing that we're coming up to now is that a lot of these are not

138
00:06:28,100 --> 00:06:29,100
outdated.

139
00:06:29,100 --> 00:06:31,100
I think that's the wrong way to put it.

140
00:06:31,100 --> 00:06:36,100
They are reaching the point where they no longer span the gamut of everything

141
00:06:36,100 --> 00:06:41,100
that we use on a day-to-day basis of everything we need.

142
00:06:41,100 --> 00:06:43,100
A lot of them being updated.

143
00:06:43,100 --> 00:06:48,100
CMMC v2 came out a year and a bit ago now.

144
00:06:49,100 --> 00:06:54,100
It's still being updated and finalized and probably will continue to be for a

145
00:06:54,100 --> 00:06:55,100
little longer.

146
00:06:55,100 --> 00:07:02,100
So, FTC guidelines got updated and they go into effect, I think, on the 9th of

147
00:07:02,100 --> 00:07:04,100
June this year.

148
00:07:05,100 --> 00:07:07,100
I think it's the 9th of June.

149
00:07:08,100 --> 00:07:11,100
NIST CSF 2.0 has been announced.

150
00:07:11,100 --> 00:07:16,100
The NIST 800-171 revision 3 updates are currently open to comments.

151
00:07:17,100 --> 00:07:21,100
We're seeing that these currently in place and currently,

152
00:07:21,100 --> 00:07:27,100
I've forgotten the word that I'm looking for, but effectively these

153
00:07:27,100 --> 00:07:30,100
compliance requirements that are in place, these frameworks that are

154
00:07:30,100 --> 00:07:32,100
currently being used, are getting updates.

155
00:07:32,100 --> 00:07:36,100
It's been 10 years since there's been a HIPAA update of any kind.

156
00:07:37,100 --> 00:07:42,100
So, we're noticing these changes come through and at the same time there's

157
00:07:42,100 --> 00:07:44,100
a big push for AI.

158
00:07:45,100 --> 00:07:48,100
In the past six months it's gone from not something we would ever really

159
00:07:48,100 --> 00:07:53,100
look at to something that many of us use even if it's not for work purposes

160
00:07:53,100 --> 00:07:54,100
just for fun.

161
00:07:55,100 --> 00:08:00,100
So, as part of this, we're talking about what's changing, why it's changing,

162
00:08:00,100 --> 00:08:03,100
what those changes may look like, not just in the short term, but also in the

163
00:08:03,100 --> 00:08:11,100
longer term, as well as how it's going to impact us and everyone, really.

164
00:08:11,100 --> 00:08:13,100
Yeah.

165
00:08:16,100 --> 00:08:18,100
Is that a brief enough overview?

166
00:08:20,100 --> 00:08:22,100
Yeah, for sure.

167
00:08:22,100 --> 00:08:26,100
That was quite a large overview.

168
00:08:27,100 --> 00:08:34,100
So, I don't know if someone wants to kind of go into more details about those

169
00:08:34,100 --> 00:08:42,100
things or just the growing importance of compliance and data and security.

170
00:08:43,100 --> 00:08:50,100
We're continually looking for that crossroads of where the controls related to

171
00:08:50,100 --> 00:08:58,100
the speed of technology keep it at that X and not way behind like 10 years of

172
00:08:58,100 --> 00:09:04,100
HIPAA or not yet ratified in a sense like CMMC.

173
00:09:05,100 --> 00:09:12,100
I think that kind of, we want it to be somewhere near the speed of technology

174
00:09:12,100 --> 00:09:18,100
and that seems like a daunting task, but getting that compliance mindset

175
00:09:18,100 --> 00:09:25,100
added to where these policies and requirements are developed within the

176
00:09:25,100 --> 00:09:30,100
tools that we see, I mean, there's my dream, maybe.

177
00:09:32,100 --> 00:09:36,100
Wait a second, let's think about how this will impact HIPAA.

178
00:09:38,100 --> 00:09:44,100
And when, I think we've spoken about this before, but the original HIPAA

179
00:09:44,100 --> 00:09:48,100
requirements, the original requirements that came out in the early 2000s and

180
00:09:48,100 --> 00:09:54,100
mid-2000s, do you remember how out of touch with what was actually going on

181
00:09:54,100 --> 00:09:59,100
they felt, specifically like password requirements or lack of requirements

182
00:09:59,100 --> 00:10:04,100
or lockout tools. I felt like back then there were a lot further away from

183
00:10:04,100 --> 00:10:08,100
that point you were talking about that crossover point than they are now.

184
00:10:10,100 --> 00:10:16,100
Yes, just it, I'm at a loss for words.

185
00:10:16,100 --> 00:10:20,100
It is just, yeah.

186
00:10:20,100 --> 00:10:24,100
It's better now is what we're saying, is what I feel at least.

187
00:10:24,100 --> 00:10:29,100
It is much better. It is like so many other compliance requirements

188
00:10:29,100 --> 00:10:32,100
and how any industry tries to keep up.

189
00:10:33,100 --> 00:10:39,100
We have historically been behind the curve. We do make leaps and bounds

190
00:10:39,100 --> 00:10:43,100
and trying to make environments meet the requirements that you have as far as

191
00:10:43,100 --> 00:10:49,100
compliance, but I know it will never be at that speed, but we have made

192
00:10:49,100 --> 00:10:54,100
a great headway in trying to keep up. I don't mean to spin it negatively.

193
00:10:54,100 --> 00:10:58,100
It is an uphill battle though all the time.

194
00:11:00,100 --> 00:11:07,100
So with HIPAA not being up to date within the last decade,

195
00:11:07,100 --> 00:11:13,100
is there a standard that we go off of from CIT?

196
00:11:13,100 --> 00:11:24,100
I believe it's NIST, but if we're saying somebody is coming in for HIPAA,

197
00:11:24,100 --> 00:11:29,100
we're saying, okay, well, you actually should look at NIST because that's a better one

198
00:11:29,100 --> 00:11:34,100
and it will meet all of our HIPAA requirements or how does that work?

199
00:11:34,100 --> 00:11:39,100
So unfortunately, or fortunately, depending on how you want to look at it,

200
00:11:39,100 --> 00:11:43,100
most recently, and this has been going on for a while, but it's really come to the forefront.

201
00:11:43,100 --> 00:11:46,100
Most recently, there's things coming up called crosswalks.

202
00:11:46,100 --> 00:11:51,100
NIST has done this for HIPAA and a crosswalk is basically taking all the stuff from one framework

203
00:11:51,100 --> 00:11:54,100
and making sure it aligns correctly with another.

204
00:11:54,100 --> 00:11:58,100
So NIST has released a document for their NIST cybersecurity framework.

205
00:11:58,100 --> 00:12:05,100
We shorthand that to the CSF that directly correlates NIST CSF with HIPAA.

206
00:12:05,100 --> 00:12:13,100
That is not normal and finding people that do that or finding ways to do that is quite difficult.

207
00:12:13,100 --> 00:12:18,100
There are a number of frameworks that claim to or that can.

208
00:12:18,100 --> 00:12:22,100
There's a number of tools that can, but generally you don't want to do that.

209
00:12:22,100 --> 00:12:27,100
And the reason for that is that if you're following HIPAA,

210
00:12:27,100 --> 00:12:31,100
the person who you have to impress is not the board of directors, it's the auditor.

211
00:12:31,100 --> 00:12:36,100
And the auditor doesn't want to see NIST language, they want to see HIPAA language.

212
00:12:36,100 --> 00:12:43,100
This is very true in the financial industry if you try and show them all your documentation with different names

213
00:12:43,100 --> 00:12:46,100
and try and explain how they correlate.

214
00:12:46,100 --> 00:12:47,100
They don't care.

215
00:12:47,100 --> 00:12:53,100
Yeah, because the FFIEC has a specific handbook that says,

216
00:12:53,100 --> 00:12:58,100
here's how you judge if this meets the requirement for auditors.

217
00:12:58,100 --> 00:13:06,100
So there's very specific rules and given that it's best to follow one and follow the one that you have to meet.

218
00:13:06,100 --> 00:13:12,100
Having said that, if you don't have one that you have to meet, then this CSF is a great starting point.

219
00:13:12,100 --> 00:13:18,100
It is the one that we recommend and pushes our guideline for customers.

220
00:13:18,100 --> 00:13:23,100
And as I mentioned at the very start, it is getting an update to version 2.0 shortly.

221
00:13:23,100 --> 00:13:29,100
I think the draft may actually be out, I'd have to confirm, but it is being worked on.

222
00:13:29,100 --> 00:13:36,100
And to tie in with something I think you meant from the question,

223
00:13:36,100 --> 00:13:40,100
one of the big changes that happened from the original HIPAA to the version that we see now,

224
00:13:40,100 --> 00:13:45,100
and this is across the board in every change, is that they're less about do X.

225
00:13:45,100 --> 00:13:52,100
They're not saying you have to have AES-128 encryption because that got updated very quickly.

226
00:13:52,100 --> 00:13:59,100
They're saying ensure you have up to date and what's the language they use.

227
00:13:59,100 --> 00:14:05,100
Industry standard encryption at rest.

228
00:14:05,100 --> 00:14:11,100
So what they're doing with the phrasing now is trying to remove that part that ages it.

229
00:14:11,100 --> 00:14:16,100
So that, exactly, to make it a little more modular.

230
00:14:16,100 --> 00:14:22,100
One of the things we find those times when you see it now where they're explicit about what it has to be,

231
00:14:22,100 --> 00:14:25,100
feel a little bit out of date for that reason.

232
00:14:25,100 --> 00:14:32,100
CMMC has a FIPS requirement, which is a great requirement, very, very useful,

233
00:14:32,100 --> 00:14:38,100
but also has that same feeling of how long is it going to be until this requirement is out of date.

234
00:14:38,100 --> 00:14:43,100
So in short, there's nothing wrong with following, and you should follow the one that you're actually required to meet.

235
00:14:43,100 --> 00:14:49,100
But if you don't have one you're required to meet, NIST CSF is a great starting point.

236
00:14:49,100 --> 00:14:53,100
And it's not in crazy language.

237
00:14:53,100 --> 00:15:00,100
It's not you don't have to understand or break down FFIEC regulations to understand it.

238
00:15:00,100 --> 00:15:07,100
You don't have to read their definition of what a person is to understand how to complete their regulations.

239
00:15:07,100 --> 00:15:15,100
And you don't want to, to be honest, it was just a crazy day trying to get through those documents.

240
00:15:15,100 --> 00:15:21,100
So, yeah, NIST CSF is a great starting point.

241
00:15:21,100 --> 00:15:32,100
I always come back to, if we're looking ahead as compliance and the different agency and oversight,

242
00:15:32,100 --> 00:15:44,100
what makes I know that many of our industries have higher security requirements than, say, my family would?

243
00:15:44,100 --> 00:15:50,100
However, big comma, my family touches every part of those industries.

244
00:15:50,100 --> 00:15:53,100
There's education, there's banking.

245
00:15:53,100 --> 00:16:04,100
So when Matthew does say something like, this is a guideline that you should be familiar with, do I expect my husband to go read this?

246
00:16:04,100 --> 00:16:11,100
No, but do I think it's a solid framework to look at for even yourself? Absolutely.

247
00:16:11,100 --> 00:16:17,100
And again, I don't expect anyone to just like hunker down and let's go read some requirements.

248
00:16:17,100 --> 00:16:24,100
But it's a good solid framework to say, does this, do we really need this?

249
00:16:24,100 --> 00:16:27,100
Do we, do we at a base level need this?

250
00:16:27,100 --> 00:16:36,100
Or does my bank do this? Does my, does my, my kids school do this for information protection?

251
00:16:36,100 --> 00:16:38,100
How are they protecting this?

252
00:16:38,100 --> 00:16:45,100
How are their compliance of my information or my children's being met?

253
00:16:45,100 --> 00:17:01,100
So there's so much crossover that it really is, it becomes everybody's interest and problem and whether or not we decide to look forward and try to keep up with where those go is kind of up to us.

254
00:17:01,100 --> 00:17:02,100
Exactly.

255
00:17:02,100 --> 00:17:21,100
And it may not be, you know, a four, three or four letter agency specifically that is requiring this of, you know, of a business, but it's the insurance agency that you'll probably hear from first if it's not one of those others, because they're going to say,

256
00:17:21,100 --> 00:17:33,100
okay, cyber insurance, what, here's what you have to show us. And a lot of those are based off of, you know, those established frameworks.

257
00:17:33,100 --> 00:17:34,100
Exactly.

258
00:17:34,100 --> 00:17:39,100
So it's kind of that foot in the door of going, okay, so you're starting to do this.

259
00:17:39,100 --> 00:17:59,100
And okay, so now we're going to start requiring this and we've seen it time after time where it's a requirement in those frameworks and those those standards and then insurance being better than the government agency sometimes goes, oh, okay, we should require that they can update it a little bit

260
00:17:59,100 --> 00:18:03,100
sooner on that yearly policy.

261
00:18:03,100 --> 00:18:14,100
So you've made a good point, Andrew, that I discuss and I discuss this regularly and I bring it up here, which is that we tend to it tends to follow the money, right.

262
00:18:14,100 --> 00:18:18,100
And this leads into something that I want to talk today about meta.

263
00:18:18,100 --> 00:18:30,100
So just this week, meta was hit with a $1.3 billion fine from the GDPR rules in the EU, because of how they were transferring data.

264
00:18:30,100 --> 00:18:37,100
So this is a thing called data sovereignty, which is data for a country that relates to people from that country should stay in that country.

265
00:18:37,100 --> 00:18:40,100
The EU works this way.

266
00:18:40,100 --> 00:18:42,100
And so transferring data back and forth.

267
00:18:42,100 --> 00:18:49,100
And then saying it was only in one location when it wasn't in just one location resulted in a $1.3 billion fine.

268
00:18:49,100 --> 00:18:52,100
Now, is meta going to pay that?

269
00:18:52,100 --> 00:18:53,100
I don't know.

270
00:18:53,100 --> 00:18:59,100
Obviously, there's a lot of stuff that's going to go into this, but meta has insurance.

271
00:18:59,100 --> 00:19:02,100
So if meta is not paying it directly, their insurance is.

272
00:19:02,100 --> 00:19:11,100
And so all of a sudden, insurance companies back here in the US are going to be saying, what if we get hit with that?

273
00:19:11,100 --> 00:19:15,100
Could we pay that type of fine for our customers?

274
00:19:15,100 --> 00:19:28,100
And so what they're going to do is they're going to update their reviews for next year to cover the questions that would have caught meta having this so that they wouldn't have had to pay out for meta.

275
00:19:28,100 --> 00:19:30,100
So they're trying to trick.

276
00:19:30,100 --> 00:19:36,100
They're basically getting their own affairs in order, which therefore requires you to.

277
00:19:36,100 --> 00:19:42,100
$1.3 billion is the largest fine of this type, and it's going to make a lot of people pay attention.

278
00:19:42,100 --> 00:19:47,100
So following that money and seeing that the insurance companies are saying, I'm not going to pay that out.

279
00:19:47,100 --> 00:19:53,100
How can we make sure we don't in the future is where we see a lot of these changes come through, especially if they're unexpected.

280
00:19:53,100 --> 00:20:02,100
Yeah, and if anybody's not familiar, that is the parent company of Facebook, Instagram, WhatsApp, and those applications.

281
00:20:02,100 --> 00:20:03,100
So thanks.

282
00:20:03,100 --> 00:20:07,100
Straight in the zone again.

283
00:20:07,100 --> 00:20:08,100
Yeah, no, no, no worries.

284
00:20:08,100 --> 00:20:12,100
That's how I'm just like, I'll just let that know.

285
00:20:12,100 --> 00:20:14,100
We've all been on this right.

286
00:20:14,100 --> 00:20:20,100
Not everybody knows that meta, they split off and did all kinds of crazy stuff.

287
00:20:20,100 --> 00:20:22,100
So yeah.

288
00:20:22,100 --> 00:20:23,100
Yeah.

289
00:20:23,100 --> 00:20:29,100
And prior to this $1.3 billion fine, the largest was for Amazon, it was $805.7 million.

290
00:20:29,100 --> 00:20:32,100
Now, those fines are huge.

291
00:20:32,100 --> 00:20:41,100
And I'm sure those of you who work and do your cybersecurity insurance reviews notice changes in 2021 and 2020.

292
00:20:41,100 --> 00:20:49,100
Now, obviously COVID was a large part of that, but I guarantee there are questions on those forms that come directly from that Amazon payment as well.

293
00:20:49,100 --> 00:20:53,100
And so we're going to see more changes for that same reason.

294
00:20:53,100 --> 00:21:03,100
So while we can't 100% tell what changes are going to be short term and long term, we can use some of these to gauge what we're going to see going forward.

295
00:21:03,100 --> 00:21:10,100
The, we have a podcast on cybersecurity incident response plans.

296
00:21:10,100 --> 00:21:29,100
And that podcast goes into a lot of how to create them, as well as covering the fact that we're starting to see more and more of them required as part of cybersecurity renewals and people getting their cybersecurity renewal rejected for their insurance if they aren't having certain things in place.

297
00:21:29,100 --> 00:21:34,100
That change I noticed around 2021.

298
00:21:34,100 --> 00:21:47,100
The precursor for it, I don't know, but I do know that all of a sudden people were being requested a document, a policy document with proof that they're using it and updating it that previously had been completely ignored.

299
00:21:47,100 --> 00:21:48,100
Ignored.

300
00:21:48,100 --> 00:21:49,100
Yes.

301
00:21:49,100 --> 00:21:52,100
Yeah, they no one even knew what it was called.

302
00:21:52,100 --> 00:21:54,100
Unless you were already fortune 500.

303
00:21:54,100 --> 00:22:00,100
So the these things trickle down.

304
00:22:00,100 --> 00:22:09,100
Data sovereignty I want to mention again because I do think it's a big one and it's going to keep getting more and more important, which is making sure your data doesn't go elsewhere.

305
00:22:09,100 --> 00:22:17,100
Microsoft is is on this already. There is a lot of ways to make sure your data stays in the US and doesn't leave the country.

306
00:22:17,100 --> 00:22:21,100
Definitely look into that if you have any concerns about it.

307
00:22:21,100 --> 00:22:23,100
There's ways to make sure that happens.

308
00:22:23,100 --> 00:22:33,100
Same with AWS. Amazon Web Services can make sure the same thing if you're storing that data in the cloud.

309
00:22:33,100 --> 00:22:42,100
And that's it that and correct me if I'm wrong, but that that's an EU policy correct. It's something that they passed and that is in those countries.

310
00:22:42,100 --> 00:22:55,100
Yeah, so obviously my knowledge of Australian law on this is a little bit more filled out than my EU law, but Australia and the EU both have data sovereignty laws, especially for medical health data.

311
00:22:55,100 --> 00:22:57,100
Yeah.

312
00:22:57,100 --> 00:23:13,100
But it does expand the GDPR is very blatant basically saying I'm not sure on the exact language, but I think it's anyone who's like the information of anyone who's a member of the EU that relates to their location or identifying information about them.

313
00:23:13,100 --> 00:23:21,100
In relation to certain things that that we would consider pretty benign like the association of a person to an email.

314
00:23:21,100 --> 00:23:34,100
Yeah, that's that's how granular it gets and it is pretty eye opening to see how other people preserve privacy and to Matthew's point.

315
00:23:34,100 --> 00:23:49,100
I would not be surprised in any way shape or form if we start seeing those kind of compliance requirements trickling in within the US we are all about information sharing until we're not.

316
00:23:49,100 --> 00:23:52,100
That's my experience anyway.

317
00:23:52,100 --> 00:23:54,100
Yeah.

318
00:23:54,100 --> 00:24:06,100
So obviously, and I, we spend our 90% of our day staring at compliance requirements or working with people to help them get better.

319
00:24:06,100 --> 00:24:14,100
Andrew, you're, it's a little different for you. You work more with the customers on on business needs and how to make sure it's being implemented.

320
00:24:14,100 --> 00:24:32,100
What type of things. Do you think they can be done because I want to kind of pull back from that. Hey, here's exactly what the policy says and here's exactly what the requirement is and talk about how you found it can be implemented maybe a little bit easier or without causing undue harm or stress to the organization.

321
00:24:32,100 --> 00:24:33,100
Yeah.

322
00:24:33,100 --> 00:24:51,100
Honestly, the biggest thing is communication when it really breaks down to if you're having a security audit, if it's a cyber security audit or insurance policy renewal, communicating with us and saying, Hey, this is what we're doing.

323
00:24:51,100 --> 00:24:53,100
What can I do?

324
00:24:53,100 --> 00:25:09,100
We've done a really good job, to toot CIT's horn a little bit, of making sure the things that we have seen in insurances and insurance requirements are included in our managed services contracts.

325
00:25:09,100 --> 00:25:20,100
If that is email encryption. If that is spam protection. If that's EDR. If that is cyber security audits. I can go on.

326
00:25:20,100 --> 00:25:35,100
I can go to the website. CIT dash net.com. I'll plug it for all the things that are included in our managed services contract and you'll see that a lot of the things that are included in any level of our managed services contract.

327
00:25:35,100 --> 00:25:52,100
It ticks a lot of those boxes. So part of what I see is just trying to help explain to the customer before Matthew and Anne come on of. Okay, what does it look like to implement EDR? Are there any hurdles?

328
00:25:52,100 --> 00:26:08,100
Here's why you should implement EDR, or this is why you should have this policy, and doing that on a quarterly, biannual basis.

329
00:26:08,100 --> 00:26:28,100
So we're looking at a baseline of what we expect our customers to have, just like insurance has. We have our own because we want our customers to be safe. We want our customers to make sure they don't have any incidents, or greatly reduce any risk of that.

330
00:26:28,100 --> 00:26:46,100
I can never say 100% we're going to stop everything because we can't, but we can do a heck of a lot to make sure that we can stop it from spreading or getting out of control.

331
00:26:46,100 --> 00:27:01,100
So really just having conversations of why you should start implementing a certain password change, communication of that to the team of why it's important.

332
00:27:01,100 --> 00:27:27,100
One of the bigger ones is multi-factor, is having that, and it can be a bear for some environments, because it's, okay, so I'm logging into here, and okay, so I need my phone now, and the things that come with adding another security tool.

333
00:27:27,100 --> 00:27:39,100
I think it's also talking and knowing the technology behind it, of going, okay, well, there are features that we can do to help. One of the examples is, you know, geofencing.

334
00:27:39,100 --> 00:27:49,100
So if you're within a certain area, like the business, it's not going to ask for it, because it knows that you're inside the building. It knows it's you.

335
00:27:49,100 --> 00:28:13,100
So if you're out at Starbucks or at your house, it's going to do that second verification. So I think, again, the communication of what some of those features are, why they're there, is really big and something that I like having, because it usually ends positively.

336
00:28:13,100 --> 00:28:29,100
It goes from a frustration with a technology and a certain regulation that somebody is forcing upon them to, oh, this is why I should have it. And it becomes more of a personal choice instead of a forced choice.

337
00:28:29,100 --> 00:28:48,100
Yeah, I think that's a great way to put it. There are so many times when I see people coming to us and reaching out because they are in a bind, in that they've been given two or three weeks. This is to the

338
00:28:48,100 --> 00:29:04,100
point where, when the FTC updates came through, many car dealerships found that they were actually falling under those requirements. And so all of a sudden they went from not having official requirements to meet to having a lot to meet.

339
00:29:04,100 --> 00:29:22,100
That's tough. That's scary, especially when the numbers were included in how much this is expected to cost. And those numbers are not small numbers. We're looking at six figures to implement and recurring fees throughout the year. And that's a requirement for the FTC guidelines.

340
00:29:22,100 --> 00:29:39,100
So as part of that, our goal, and a lot of what I know Andrew does, is prepping for that. By the time you've met with Anne and I, we're probably already saying, OK, here's where you're missing something, or here's what you should do next.

341
00:29:39,100 --> 00:29:53,100
From my understanding, Andrew, it's more about kind of prepping them ahead and saying, let's plan for this. And is that kind of why the NIST CSF came up, if you don't have one already? How can you not get blindsided by some of these?

342
00:29:53,100 --> 00:30:18,100
Yeah, like that's really the what's coming down the pipeline, right? Well, what can I expect? And then is there a Blake up? I always said, because my mom did, but a Reader's Digest version, a Cliff Notes version of, like, those standards somewhere that, like, you can just be like, hey, here's this, you know, here, you know, password requirements,

343
00:30:18,100 --> 00:30:32,100
multi-factor, EDR. Is that somewhere that, you know, somebody can go to and really just have a, you know, look at a page, digested, being like, OK, this is what they're requiring now?

344
00:30:32,100 --> 00:30:39,100
Welcome to my favorite topic. No.

345
00:30:39,100 --> 00:31:01,100
The short version is that this is one of the hardest things to try to communicate, because there really isn't an easy way in it. Maybe that's a side tangent for some consulting firm somewhere to abridge, a Reader's Digest abridged version of

346
00:31:01,100 --> 00:31:05,100
every 500 page.

347
00:31:05,100 --> 00:31:15,100
I don't want to make this like TurboTax, so: it does apply, doesn't apply, expand, it does apply, doesn't apply.

348
00:31:15,100 --> 00:31:28,100
I'm thinking that there are a couple of tools I want to call out for doing the closest thing we can find, but I'm with Anne on this. It is too difficult to do that.

349
00:31:28,100 --> 00:31:45,100
Because if you do, the FTC released a document called "What Your Organization Needs to Know." And it's a list of nine items that you should meet to meet the FTC guidelines, but it is thoroughly simplified.

350
00:31:45,100 --> 00:31:49,100
And I have, but it feels also like it's in 47 parts.

351
00:31:49,100 --> 00:31:50,100
Exactly.

352
00:31:50,100 --> 00:31:58,100
It does. Step three, I think, has 12 subsets in it you have to meet. So it's not quite just nine.

353
00:31:58,100 --> 00:32:06,100
But on top of that, I like to make sure I'm understanding these and speaking with people who read these just like I do.

354
00:32:06,100 --> 00:32:20,100
So I sit on a lot of webinars that talk about these. And so many times I see people just trying to Cliff Notes that Cliff Notes version that the FTC required, which means they're simplifying an already simplified thing.

355
00:32:20,100 --> 00:32:35,100
And so you may be getting information, and I think most of the people on this call got my maybe a little sassy comments during the last webinar I sat in on, because it felt like they had simplified it to the point you wouldn't have met those requirements

356
00:32:35,100 --> 00:32:36,100
anymore.

357
00:32:36,100 --> 00:32:47,100
So what can you do instead? Well, the first one is read the requirements in full. Yes, I know that's boring. But if you want to understand it, it's really the only way to do it.

358
00:32:47,100 --> 00:32:56,100
If you have to meet more than one, or if you want to have something that kind of bridges everything, there are some tools that I use.

359
00:32:56,100 --> 00:33:11,100
A big one is called the Secure Controls Framework, which is, I believe, a nonprofit that works very hard to crosswalk every single type of compliance they can find into a single document.

360
00:33:11,100 --> 00:33:24,100
They have renamed most of the documents for that reason, and most of them are reworded in some way, but it is a fantastic, more like a gigantic, Excel spreadsheet.

361
00:33:24,100 --> 00:33:29,100
It is an eye chart, but it is absolutely fantastic in that regard.

362
00:33:29,100 --> 00:33:38,100
Exactly. It's a lot of auditors and GRC analysts working together to create something that means they don't have to do 20 different Excel documents.

363
00:33:38,100 --> 00:33:43,100
They can just do one and find out everything they meet because of it.

364
00:33:43,100 --> 00:33:50,100
Something like that can be useful, but your best bet, if you don't want to read it and if you don't want to know, is to reach out to someone like us.

365
00:33:50,100 --> 00:33:58,100
We have read them and talked about them at length, not just in this podcast.

366
00:33:58,100 --> 00:34:07,100
Sometimes not having that in your brain is better. It allows you to do your actual job instead of thinking about all this like we do.

367
00:34:07,100 --> 00:34:13,100
That's great. It's hire somebody if you don't know, right? Exactly.

368
00:34:13,100 --> 00:34:16,100
Yeah, no, that's, thank you.

369
00:34:16,100 --> 00:34:26,100
The last thing I'll mention, kind of on that: the FTC guidelines came through, and now their very first requirement is designate a qualified individual.

370
00:34:26,100 --> 00:34:34,100
And this is a person in your organization or a contractor for your organization who understands the rules of what the FTC is requesting.

371
00:34:34,100 --> 00:34:41,100
They don't have to be a VC. So they don't have to have a specific title. They don't have to have specific education requirements.

372
00:34:41,100 --> 00:34:49,100
The goal is that they understand how the FTC guidelines work and the Safeguards Rule and how you can meet it.

373
00:34:49,100 --> 00:34:57,100
The reason for that is so that you have designated someone in your staff whose job it is to understand this so that you can meet it better.

374
00:34:57,100 --> 00:35:05,100
If there is no one on your staff that can do that right now, reach out to someone else. CIT does offer that service.

375
00:35:05,100 --> 00:35:12,100
But it's a requirement now that someone on your staff knows this, and so saying, "Oh, we just didn't know."

376
00:35:12,100 --> 00:35:20,100
It's never been an excuse, but it's even less of an excuse now because it's the first thing on the list.

377
00:35:20,100 --> 00:35:27,100
And then to end on a kind of lighter note because I realized that kind of got a little heavy, didn't it?

378
00:35:27,100 --> 00:35:34,100
There are so many other things that are coming out. Technology is constantly changing. OpenAI, we didn't even really touch on how it may be changing some of these.

379
00:35:34,100 --> 00:35:42,100
But keeping an eye open for what's happening, what's coming through and realizing that anything that's hit the Internet, anything like OpenAI,

380
00:35:42,100 --> 00:35:46,100
even if you aren't using it, is going to change the processes that are coming through.

381
00:35:46,100 --> 00:35:53,100
They're probably going to have to have something in the next round of cybersecurity renewals. I'm just waiting to see what the questions are.

382
00:35:53,100 --> 00:36:12,100
Great. And coming from a less technical resource, I always lean back to adding to what Matthew said, in that ignorance is not bliss here, and it can get you in trouble.

383
00:36:12,100 --> 00:36:23,100
But putting your head in the sand too and not kind of being at least marginally aware of some things is not going to do anyone any service.

384
00:36:23,100 --> 00:36:34,100
Do I expect my husband to know about ChatGPT? No, not really, but a general awareness of what it is and why it's had an impact.

385
00:36:34,100 --> 00:36:42,100
Probably good to talk with kids about. No, you may not use this for your homework.

386
00:36:42,100 --> 00:36:52,100
As a very last thing, and you gave me an idea, you mentioned people not just reading it, not just popping up randomly.

387
00:36:52,100 --> 00:37:03,100
I think I'm going to have to start printing off just random security control frameworks, maybe just a couple of the NIST CSF items and just leaving them around the house.

388
00:37:03,100 --> 00:37:08,100
So my partner can find them and be like, Hey, what's this? And I just get to talk about it.

389
00:37:08,100 --> 00:37:17,100
Post it notes of each subset.

390
00:37:17,100 --> 00:37:23,100
I wanted you to find that to quiz me.

391
00:37:23,100 --> 00:37:34,100
I love it. I love that idea. I love this. Leave it. It's like a little Easter egg hunt of information and learning.

392
00:37:34,100 --> 00:37:48,100
This is amazing. You know, I think we got some really good helpful action steps, which I love, you know, as a person kind of coming in and listening or a business or maybe you're just out on your own.

393
00:37:48,100 --> 00:38:08,100
Definitely have some great ideas from this podcast. And if you have any questions, or you need help with compliance, or you want to talk to any of these people, please reach out to us at info at CIT-net.com or head out to our website at CIT-net.com slash podcast.

394
00:38:08,100 --> 00:38:22,100
Thank you, Anne. Thank you, Matthew and Andrew for joining us today. And we'll be back next week with an all new episode.

