
Simplifying Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
Cybersecurity for Entrepreneurs
Ever wonder how to protect sensitive data when you don't have an IT department? In this revealing conversation, two pharmaceutical industry veterans who recently launched their own consulting businesses share the cybersecurity challenges they never anticipated after leaving corporate America.
Katie Hewitt, founder of BioVenture Advisors, and Laura Viaches, president of Endeavor Pharma Solutions, spent over 20 years each at Eli Lilly before venturing out on their own. Their transition from having robust corporate security infrastructure to becoming their own CISOs overnight offers powerful lessons for entrepreneurs handling confidential information. From Katie's experience juggling client demands before even setting up a domain name to Laura's methodical "stealth mode" approach to building secure systems, their contrasting journeys highlight different paths to the same goal: protecting client trust.
The conversation reveals startling gaps in the healthcare consulting ecosystem, where clients with valuable intellectual property rarely audit the security practices of their advisors. "I'm more surprised that's not a question they're asking," notes Katie, highlighting how even sophisticated biotech companies often overlook security verification until regulatory requirements or funding rounds force the issue.
Cybersecurity experts Aaron, Todd, and Cody offer practical advice for entrepreneurs navigating these challenges without enterprise budgets. Their recommendations focus on process-first approaches – identifying critical assets, working in client environments whenever possible, and implementing basic controls like multi-factor authentication before investing in complex solutions. The group explores how AI tools create new security considerations, particularly around meeting documentation and data retention.
Whether you're launching a new venture or helping clients through their growth journey, this discussion delivers actionable insights about balancing security with entrepreneurial agility. The most valuable takeaway? "If you're a small business entrepreneur, you are the CIO and you are the CISO," Katie reminds us – taking this responsibility seriously from day one can transform security from a burden into a competitive advantage.
Welcome back, or welcome for first-time guests, to Simplifying Cyber. This is a new format for us, a little bit of a living room style in person, no more Zoom. We might be online from time to time, but we are really big here about having in-person experiences and really leveraging other people's experience to learn and grow together. So we're excited to have a couple really longtime friends and colleagues. We all work together at Lilly, but I'll let Katie and then Laura introduce yourself and then we'll get into our topics. So we're going to cover starting new businesses and questions you guys have about cybersecurity in the early days, and we're going to tap into both of their experience to learn a little bit more about M&A deals and payer deals and cybersecurity related to the healthcare markets that you guys have supported for so long. So I'm excited for the conversation and, without further ado, Katie, if you want to give us your story.
Speaker 3:Sure. Well, thank you guys for having me. It's really a pleasure to be here and since starting my business I've learned a lot from you three on cybersecurity and all things technology related. So I started BioVenture Advisors in January after 25 years at Lilly, the first 15 years on the commercial side of the organization.
Speaker 1:You made it a quarter century. I was there 17, but that's a momentous achievement.
Speaker 3:Thank you. It's a long time to be at one company. Yes, so yeah. And then the last 10 years I was in corporate business development doing transactions of all types with venture funds or biotechnology companies or other platforms that would be helpful in biopharmaceutical development, manufacturing and then commercialization. So now at BioVenture Advisors, we provide advisory and negotiation services to biotech companies and venture funds who are interested in doing a deal with a collaboration partner in-licensing, out-licensing, mergers and acquisitions really any type of transaction.
Speaker 1:If you want a deal, call Katie and I'm going to put you on the spot with a personal question. What is one fun fact that people that know Katie might not know about you, or people that don't know Katie can learn about you?
Speaker 3:One fun fact, so I'll give you a couple. I'm a mother of two, I have two teenagers. I'm a black belt in taekwondo. And I in my free time enjoyed power paragliding.
Speaker 1:Wow, I'm going to have to follow up with you offline on that one. That sounds pretty awesome.
Speaker 5:I did not know that.
Speaker 1:All right, Laura.
Speaker 5:Hi everybody. Laura Viaches, thanks so much for the invitation to be here today. I'm president and founder of Endeavor Pharma Solutions, a boutique pharmaceutical market access consulting firm. Like Katie, I spent over two decades at Eli Lilly and Company, the vast majority of that in their market access division. I have now transitioned into entrepreneurship and I work with a range of clients. I work with pharmaceutical clients that are anywhere on the development spectrum, so I have some clients that just have an idea and they're looking to get venture funding to get that idea into clinic. I have clients that have assets in phase three of development, clients that are getting ready for launch and clients that have products already on the market.
Speaker 5:The idea behind my business is, when it comes to pharmaceutical market access strategy, it's never too early to start and it's never too late to improve, and that's exactly what I do is I help my clients with their strategy development or I pressure test the ideas that are already in place, looking for opportunities to improve and basically act as a technical thought partner in this very complicated world of pharmaceutical market access. I also work with companies that have complementary products and services to pharmaceuticals and help them with their market access challenges. And, lastly, I work with venture capital private equity firms, either to assist with the valuation of companies or, to the extent they already have investments in place, help them work with the management team to drive to profitability.
Speaker 5:A little bit about me outside of work. I'm married, I have two kids. I enjoy traveling the world. I've been to over 50 countries and added a few to the list this year, so that was really exciting and I've just really enjoyed this transition from corporate America into entrepreneurship and the chance to meet new people, learn new things and consider myself a lifetime learner, and when it comes to things like cybersecurity, I'm excited to learn more today.
Speaker 1:So, again, thank you so much. We're looking forward to it and you know it's been seven years of you guys watching me and us have so much fun and you had the FOMO and had to join the entrepreneurial crowd. So, speaking of that, let's start with the entrepreneurial jump and journey and you start a business. There's so many things to focus on to get your first deal and infrastructure put in place and internet. Maybe Todd might've got a few calls on getting some things set up, right?
Speaker 1:But give us kind of that 30, 30, 60, 90 view of kind of what you were focused on, nervous about, and then kind of, if at all cyber was on your mind, even if it was for gotta worry about that in the future.
Speaker 5:Yeah, I think, and we took different approaches, so it's a great way to start. Uh, so I chose to go into a little bit of stealth mode for the first two months and build that back office infrastructure, which gave me time to at least start along the learning journey, because I had to get a website in place, email accounting, all those things behind the scenes, and so that was important to me to get that work done before I went out and actively started marketing my firm.
Speaker 5:I'm glad I did that, because it was way more complicated than I expected. I did find some of the AI tools to be very helpful. I'm a big fan of Claude by Anthropic, and so that helped a lot, because you really become the CIO immediately. There is no help desk to call, and so, at the same time, it was a very rewarding learning journey too, because there were things that I just never fully appreciated the difficulty that now I know how to do. I know how to problem solve some of the tech challenges that I come into. But I'm glad I took the move that I did, because it was a full work week to get those things in place before I went live with my business. But I know, Katie, your business got off to a very quick start.
Speaker 1:Let me guess, Katie, did you have three statements of work before you even had a domain name?
Speaker 3:Yes, I did.
Speaker 2:Call it the virtual street cred. You know, you're like, do I have a website? Check. Email, check.
Speaker 3:A lot of the companies I'd worked with. Once they heard I was leaving Lilly, they were interested in continuing to work with me because they needed to do some deals. I was fortunate that Laura had a head start, so I relied very heavily on Laura and her learnings. If not for her, I don't know.
Speaker 1:She was just copying off her paper.
Speaker 3:Well, she got the domain name first. Work smarter, not harder. Agreed, but I find now that I'm playing catch-up, which is where you and your team have been invaluable as I have hit these challenges, having you as friends and collaborators, but I know a lot of small companies don't have a network.
Speaker 1:We'll get into it with, like, IP protection later. But when you mentioned smarter, not harder, like I heard a quote like there's, there's really very few new ideas, and I think I like to think about benchmarking, like there's a legitimate way to borrow things from others. And then, as we get into the later conversation about intellectual property and pharma and there's, you know, the theft side of it, what's that? What's that balance for you guys like, especially maybe Katie, from a deal standpoint, like where is borrowing ideas from maybe something you've seen and where is the hey, we have an NDA and we can't necessarily take that.
Speaker 3:Yeah, well, I think you know, in the biotech space, the research, data and the intellectual property of these companies is their most valuable asset. So if I'm going to be receiving that information, I have to keep it in a secure manner and have the internal processes in place to document that I'm doing that. I'm building that right on a case-by-case basis as we go and every day it gets a little easier. But when I started, there's nowhere you can't Google it and there's no easy cheat sheet for how do you do it the right way, right, smarter and you go into Google, it's going to give you a lot of products and a lot of things that don't necessarily make sense.
Speaker 3:Yes, I think that's where having friends like you who can answer quick questions and I don't need you to necessarily do all the work for me, but point me in the right direction Um, I think that's what was most helpful is at least starting down the right path. I went down a couple of wrong paths. Uh, initially we won't won't name names of companies that were not easy to work with. But, yeah, every day we get a little bit better.
Speaker 1:Excellent. That'd be a cheap move to name the name online.
Speaker 3:Very cheap move, yes.
Speaker 4:I am kind of curious, as you're starting to work with these companies. What are some of the questions they're starting to ask you? Are they starting to raise questions around, hey, how are you keeping my data secure? Or what are some of the examples that have been thrown at you from your partners and your customers?
Speaker 3:I'd say, if anything, I'm more surprised that that's not a question that they're asking, which raises a bit of a red flag for me. A lot of these individuals that I'm working with I've known for a long time and so they trust me personally, but there's rarely an audit done on my cybersecurity practices, and as these companies go to do larger transactions, investors are going to put tens of millions of dollars into these companies. They're going to have to have some kind of process in place and documentation to support it or they won't get the funding. So I think that's a huge area of opportunity, again, if you start with the end in mind and build slowly you can get a sizable infrastructure in place without a lot of capital invested, when you don't have it so early on.
Speaker 1:You're building your services, you've got a website, you've got customer relationships. You probably start to get some data and put it into whether Microsoft or a structured business platform repository. But what, what, what, if anything, keeps you up at night right now about ransomware or any kind of you know manipulate. You know a fake deal that's not real or like. You think about hiring people and you're hearing about deep fake people that are actually North Korean individuals that are getting these jobs in the U.S. Like what at your scale at this moment? What? What concerns you at this moment?
Speaker 5:So you know, I think one of the biggest challenges I've found is you're working with a lot of different software platforms because you're calling in the clients and so you know, just start high level examples Some work with Zoom, some work with Google Meet, some work with Teams. So I find myself a lot of times you're getting onto a call and you know having concerns getting into the meeting. There's time pressure, etc. And so you know, one of the best cybersecurity defenses I always thought was you know, does this look normal to me? You know, or does this? You know some person you haven't heard of saying click this link? That doesn't look normal.
Speaker 1:It's like a pause You're giving yourself the like. Don't fall into the fear of the reaction.
Speaker 5:Yeah and so. But when you're working with a bunch of different companies, you're working with many different platforms, many different people, et cetera, and so that expands and so that maybe you know I've forced myself to just have a heightened awareness of like, okay, does this make sense before I click this link, et cetera. You know that that's been one of the early challenges is I've had just to acquaint myself with a lot of different platforms. Every email I get is an external email from the client, because I am the only employee of my firm.
Speaker 1:It's a big shift coming from corporate right.
Speaker 5:And so that was probably one of the early challenges. And with that comes connectivity issues, as you're signing into different instances, going through Microsoft Authenticator with different emails. I mean, there's just a lot of new things very quickly. And again, my area of expertise is pharmaceutical market access, it's not IT. I've had to quickly educate myself, and continue to do so every day, to be prepared to do my job, because those are the platforms on which I do my work.
Speaker 1:So, for new entrepreneurs or if you're in a new venture, beyond calling Todd, which is or phoning a friend, I was going to say phoning a friend, which means calling Todd Katie, how else are you guys learning, like online? Have you invested in any kind of training program Like how are you learning both the technology side of kind of not having a dedicated IT staff for the first time in 25 years and then just on the cyber front, some of the risks you talk about, like how are you educating yourselves?
Speaker 3:It's a lot of work. Right now I think I have eight different email addresses because each client I work with right I have an email address for that client. They all have their own file server system where they store information. So you know, when I click send on an email, I have to make sure I select the right You're hopping account hopping.
Speaker 3:Yeah, but again, it's a lot of information to keep straight just to send basic day-to-day communication. So I've had to build the discipline to stop and slow down and double check these things. But as science moves fast and deals move fast, that's where I have concern. Is that people with all good intentions trying to move fast? It's really easy if you don't have your information appropriately stored, attaching the wrong file to the wrong email and it goes out. And if it's, that's right.
Speaker 1:Is it fair to assume and I've seen and been part of examples like in an M&A deal, mergers and acquisition you've got your data rooms, you've got your systems. My guess is that the most common breach of a deal is an inadvertent human mistake of copying the wrong person from the wrong client. Have you seen that in the industry, where it's a human mistake because they haven't built the mechanics and the slowing down and it's just an accident, Is that the biggest risk that you see?
Speaker 3:I don't know that there's one biggest risk.
Speaker 1:I mean.
Speaker 3:Last week was the bio conference, the biggest partnering conference of the year, and there were two companies who were doing large M&A transactions and the data was leaked a couple days before the transactions closed and picked up by the Financial Times. So it can be as easy as just a conversation someone overhears in the hallway, right, or, you know, throughout the process of due diligence.
Speaker 1:Was there? Were there any specific like? Was that an insider leak? Was that an inadvertent? Was there anything to the story there?
Speaker 3:It's unknowable at this point right now.
Speaker 4:Yes it was at best. I've been on certain routes on planes where you know a lot of deals are happening for certain industries. You get on the plane and you see the folks on a regular basis and I've sat there and I've listened. I'm like that's a deal that hasn't happened. I should not be hearing this conversation, but it's openly discussed.
Speaker 1:So the cost for learning of a deal is $300 to $500 on Southwest from Tuesday at and they're wearing shirts saying I'm making a deal, don't talk to me. Cone of silence.
Speaker 3:But I think a lot of the concerns I hear from biotechs is they're working with big pharmaceutical companies that said the company will take their information and use it inappropriately. By having a data room where you can track who downloads information, who looked at it for how long, you have a record of who's seen your confidential information, right, and then having that data can be really helpful. If, a couple of years down the road, the company you're working with just happens to coincidentally launch a product that looks very similar to yours, without having those kinds of records, it's really hard to demonstrate that there's been anything done wrong. And especially intellectual property protection is evolving on the tech side. It's pretty clear on the product side for pharmaceuticals, but on the technology side there's still a lot that needs to be sorted out.
Speaker 2:When you're working with clients too, I'm sure this comes up at some point. But when, typically, do you see them raise a flag like I need to have more focus here? Because I'm sure part of it's just we've got to survive, right, we have things we've got to survive and get off the ground. But usually when do you see in the deal and they're saying we should revisit this, we should figure out our strategy for this.
Speaker 3:Usually when that is necessary for them to take the next step. It is rarely a thought about in advance of being needed.
Speaker 1:So incident-driven or customer?
Speaker 3:requirement-driven or diligence-driven.
Speaker 4:That feels very reactive.
Speaker 3:There's a handful of companies I work with who have COOs who are very experienced and have done this before and you can tell a marked difference in how they've set up their internal systems. You can tell really quickly if they have any experience at all or little to no experience.
Speaker 1:And on that, an experienced COO, that it's not their first rodeo, that they know that this is going to bite them at the wrong side, like from some of our clients that are kind of emerging companies or high growth companies, the ones that are the toughest to manage. I mean, they're high dollar for us, so I don't hate the opportunity, but they've waited to the very last minute and they either have a breach that's put some extra pressure or, more likely, one of their customers is like we are not going to move forward with this deal or you're gonna pull the deal if you don't have a SOC 2 or ISO or one of the certifications, and the worst thing that a company can do, the most expensive way to do it, is by bringing a team like ours or whoever in to throw a Hail Mary, you know, 90 yards in the final hour.
Speaker 3:And that's not something you want to be negotiating. If you've built it the right way all along, you have the infrastructure in place. If you're doing it under duress on a really short timeline, and it's not sustainable, right?
Speaker 1:So the companies, we've done this. It's like we're back the next year trying to re-plumb it back together.
Speaker 3:Which isn't bad for your business? Again, it's not bad.
Speaker 1:But I would rather have a relationship where we're building it over three years than like everything at once in a big bang and then we're fixing it because there's a lot of churn, there's a lot of pain for both the organization and then at that point cyber is seen as an impediment because you got to do it all at once. So, like stepwise approach, like I would advocate for that, if founders and growth company leaders can kind of, you know, start early and make easy bets that don't have to be something bigger than they need, I have a hunch it's 10x the cost to do it at the last minute.
Speaker 3:It's probably more than that right, because then you're responding to their request to build something and if you're working with a really large company, they're going to have really high standards. And if you're a 20-person biotech burning through your Series A funding, you don't have the capital for an enterprise-wide cybersecurity program. And if you're responding to a request and you have to meet, right clear the bar that they give you, it's better to have some foundation, to say we're close and have the dialogue there around. It will help us understand what minor incremental changes might need to be made to a stable foundation, versus start from scratch and build it.
Speaker 2:In two weeks you can close the deal because it's so hard, because you think about it a lot of times, like right around the policy or process, not a high, high hill to climb or to overcome. Operationalizing that within a company is where. So to your point about the Hail Mary, yeah, you can churn out 10, 15 processes to satisfy a compliance framework and then, yes, but then to get that operationalized, and now I have this small company trying to do these processes in parallel with my. Yeah, it's such a tough thing and I have a lot of friends in the NDBC market and a lot of their, some of their seed companies that are like build, build, build and the culture is very laid back and they want to grow. And then they get their first deal, even before diligence. They'll get through signing and then later on they're looking and saying, well, hold on, we just attested, we need to have this certification. So what does this mean? And they go back to the board. Now we are obligated contractually to have this attestation certification.
Speaker 1:So let's transition the conversation. We've asked a lot of questions of you of kind of your first, you know, 30, 60, 90, and some of the M&A stuff. We'll get back into that in a bit, but let's turn the tables and let you guys ask us questions. You are where you are now. Now how can we take 60 years of cyber experience and help you and some of the listeners that might have businesses or they're part of companies that are in similar stages?
Speaker 5:Yeah, I'll go ahead and start. So one of the questions I have is what are some of those ideas that are low investment but high impact that small business owners can do in terms of cybersecurity? So things like SharePoint sites, et cetera. But I'm particularly interested in now that AI has become so prevalent in daily work. How should small business entrepreneurs think about how they use AI in terms of cybersecurity and keeping their own intellectual property safe, as, along with their clients' intellectual property safe?
Speaker 1:So I'll start with a fun slash scary story of what not to do, and then, Todd, I think you've got some examples that I know you're already cooking up.
Speaker 3:Doesn't sound good.
Speaker 1:So I was at a founders event. It was like a breakfast event and there were about 20 founders there and we were having kind of casual conversations outside of the main event and one of the CEOs was we're talking about AI. He's like I was the only cyber founder I think that was in the discussion, so we were having a little bit of a cyber conversation. He's like Aaron, you're going to be impressed with me. AI has been transformational.
Speaker 1:I get a lot of requests from my bigger clients that are Fortune 1000, Fortune 500, about my cyber program. I clearly don't have one. So what I've found to do is I insert a prompt into ChatGPT and ask it to fill out the questionnaire that the company has given me with answers that are reasonable enough to pass, but not overstating what we would have, and I, my face kind of went white and I'm like that's not a, that's not a strategy, right, like it's probably fraud, like it is fraud and it only takes one audit or a follow-up question or whatnot. So to me, the thing not to do is let's have AI generate the answers to the tests that are right, without doing the homework and taking the course, and there's things like back to the what can you do in small increments?
Speaker 1:They shouldn't be representing their. They've arrived in the three-year mature program. They should be saying to your point, like you're not looking for perfect when you're evaluating these deals or customers. You're looking for, hey, they're small, they're taking some good steps. We don't expect them to be an Eli Lilly-sized cybersecurity program. So that's what not to do. But, Todd, you've probably got some examples of the starting blocks of what to do.
Speaker 4:So a lot of the tools and the things that are out there for security have been catered to large companies that have large budgets out there. I will say AI is starting to shrink, that I wouldn't say they're down to the one person level, but if you call them they'll usually give you access to some of these just endpoint monitoring. The companies you're working with they really care about their data. Where's it going? Can you tell me where is it going and is anybody watching what's going on behind the scenes? Those two questions, if you can answer those, I think start to move the needle forward. If you do get questions, you can answer it and they'll probably move along because they know you're a small consulting org and they're not going to dig in and say, hey, I need a SOC 2 or I need to see your ISO certificate.
Speaker 1:They'll probably ask you. They might ask, but having an expert that can help you navigate that. I guarantee that both of you from a customer will have a request Do you have a SOC 2 or an ISO? And the right answer isn't always because, Cody, you've helped. Some firms spend $500,000 for a 30-person company to put in a SOC 2. And while that may be the answer for a specific business, there's probably a more minimum viable product way to show that you have that support and right size it, because SOC 2 was really invented for cloud and software companies to attest that their solution is solid.
Speaker 1:It's not a ubiquitous one size fit all to validate a boutique consulting company.
Speaker 5:But tell me about some of the best practices. So, for example, I prefer to set up a SharePoint site with clients that's on their instance that I can access and when I'm done working with that firm they can remove my access. I never download the material, things like that, things like double-checking your emails before you send them Kind of the ounce of prevention is worth a pound of cure. Tell me also about AI. So, for example, I never put any client information into AI, even if I'm like trying to develop a contract. I might say things like my client or my company, without using names, et cetera. Tell me other things you've seen, because these are things that like cost nothing but are high impact.
Speaker 1:Let's start with. Start with and I'll let Cody and Todd their expertise is grew up in the infrastructure and SharePoint and Microsoft and all that. But let's start before we jump to AI of foundational basics. And I'll start with Laura, the fact that you're coming up with a strategy, even if it's not written down on paper, to say my go-to is to work in the client environment. I'm not going to do data transfer, I'm not going to do data storage, I won't have to worry about it. That is the cleanest and safest way to start. But that doesn't mean that they're not going to email you something and all that. So, kind of from a setup standpoint, the basics. Let's start there.
Speaker 2:I was going to say assess yourself before you wreck yourself.
Speaker 2:I think really it's three questions. I always say what are your critical assets? Where are they located and who has access to them? Those are three non-technical questions that you can thought there and then from there it's like, go to the critical assets. You can't do it all.
Speaker 2:So to your point about client data, top of the tier, most important. So I can either take on the responsibility of owning myself or not. My choice right now I'd rather use a client environment. So I think that again is like how you handle the sensitive, what data is the most protected, and then start there and then that cause. Then you can kind of follow the money and then from there kind of branch out to the nice-to-haves. But a lot of it's education, how you handle things. And it's that, that piece of just saying, okay, this is where I got to focus. I can be a little more lax on this stuff because it's not as important. But you can't be the max 10, focus on everything. It's just it's not possible and especially if you do, it's like you've like cement shoes on, you can't move fast.
Speaker 2:And to your point earlier. It's a very fast paced thing Speed is key.
Speaker 4:Yeah, I mean AI can come in pieces of these, but keep the data in the client environment, right, you've got that covered. You talked about Authenticator. You've already jumped through that hoop of turning on MFA.
Speaker 3:What if you can't keep it in the client environment?
Speaker 4:So I think that next question is where are you going to keep it? My answer is try to put it in some sort of cloud repository. Because if you end up with, I've got a lot of client information on a laptop, this on a laptop. This happens all the time. We've dealt with this. Laptops get lost, they get stolen, they break and you're stuck and now you're trying to get somebody to recover data. That is very expensive. Best you can make that laptop disposable so you can work anywhere anytime, and your information is in some whether it's Box, SharePoint, doesn't really matter.
Speaker 1:So that simplifies. A lot of businesses start with maybe they have a personal Microsoft license, tenant license even if you don't even know what a tenant is environment, and then a lot of times let's keep it cheap. So, like the business essentials, a lot of companies early on they've bought something through GoDaddy and they resell Microsoft licenses. So both of you guys, Cody, CTO at an MSP in a prior life and Todd, setting up a lot of kind of startup type businesses within a larger company, knowing that sometimes you start in these lower tiers and this is not a Microsoft commercial like how do they navigate? Like they're probably not jumping all the way to the top tier enterprise version, but how do you make those choices to understand what kind of SharePoint controls you might put in place if you can't stay in the client environment all the time, which is never possible?
Speaker 4:Yeah, we just spent some time with somebody else doing this. The default, the low tier one, is great for storing the information, but it has no effect of monitoring what's happening. You're blind. So if something does happen, you don't have a place to go back and look. There is a tier up in the Microsoft side that's pretty easy to go up. I think it's somewhere in the $20, $21 a month. It gives you some basic monitoring. It'll start to alert you if there's issues and it'll start to close things down behind the scenes, wrapping around your identity. That's a really easy one to step up to without having to go shopping for a whole lot of tools. You turn that on. It's got some AI behind the scenes, that's just doing it. I mean, we love. It's easy to make fun of Microsoft and grumble about all their tools and things like that, but they've got a pretty nice offering. Where it just is almost becomes a checkbox. Turn a few features on. It's protecting the phishing links that are coming in. It's watching for those things.
Speaker 1:And a good example would probably be like if you've had some of those basic controls put in place a passport number or a credit card, if it's in a Word doc, you might have seen if this is on in your environment. You might see an alert like that. It either stops it or alerts you like hey, this just went out. So some of that's called data loss prevention. It's a basic version of that around privacy data. But those are the types of things especially Katie and your business probably everyone here's business of like the inadvertent things that you might not be able to prevent yourself from that one day. When you're in a rush making a quick mistake. Most of those mistakes are recoverable and good humans working with each other to rectify. But yeah, I think there's some basics that can be explored.
Speaker 2:I think also too, looking at those foundational processes. The first part is define success, Because the tools, I think, are almost like an airplane cockpit there's a thousand buttons you can turn on. It's your point, how do I know which ones are relevant to me right now they all look kind of cool and then if you kind of walk in without a success criteria, then you start turning things on because it sounds great and then next thing you know it's like I just lost a lot of time and I may have locked myself out of my own environment. So I think process, when you're a smaller company and there's less than people, then your automation enforcement is easier because there's five people. If you're dispersed and you've got, you know, 20, 40, 50 now in different states, that's when you'll lean more on the technology because you need to have that extra like automation or enforcement behind the scenes.
Speaker 2:So define, like the process first. Hey, if we handle this data, we use these tools. This is how we're going to do it. We're going to recommend to do you know, or require MFA as you get larger. You can't just shout that to the person next to you or text that person. Now you look at the technology. What can the tool enforce when I'm not around? And that's kind of how I kind of back into. It is like, what is my man-hours going into enforcing this process? But the first thing is to find that controller process of what our company policy is and then look at like, okay, these tools can enable that or speed it up.
Speaker 1:But I always say you walk into the, the tool first, without a success criteria.
Speaker 2:it's like going to the grocery store hungry. If I go to Costco without an idea, I'm walking out a broke man. But if I'm like, okay, I'm getting 40 ounces of peanut butter, which is not right. I hate peanut butter, but then I walk in and Throw some tomatoes on top of it Then you're going to wreck yourself.
Speaker 1:Speaking of assessing yourself before you wreck yourself, Cody, you kind of mentioned understanding what's most sensitive and focusing on that so kind of early on in your business. You're obviously adding a lot of different client types. Would you each be and we don't have to rattle through the answers here but would you each be able to say, like, what are the top five information types that would be most sensitive, either within the customers you're working with or the um, the IP that you're developing within your company, your secret sauce, your strategies? You know? Could you write that down in less than two minutes, or has that been something you've given thought, okay, good, good, and you guys came from a company that did that, so I, yeah, awesome yeah, a lot of credit there too.
Speaker 5:I mean we got great training and cybersecurity and you know different exercises to keep those skills sharp and you know I appreciate that it's important you know whatever environment you're in, whether you're a consumer with your own data or whether you're a company. I appreciate that training.
Speaker 3:And I think it's the founders that haven't worked in a large multinational corporation just don't know what they don't know if they haven't been in that environment and seen what good looks like.
Speaker 1:This is none of our first rodeos right. We're not the skateboard hover around riding through the hallway type startups here. Right, we've seen what can go wrong and how to do it from a solid standpoint.
Speaker 3:One other piece that has kept me up at night and it's around the angle of AI is a lot of these programs now are keeping meeting minutes and records of things that were talked about that historically weren't documented and those documents are discoverable, and you don't want those documents to be stored longer than by law, right? Perhaps you want them, so I guess there's the problem of when your data is leaked. How would you advise small businesses to right, don't keep your receipts that are 25 years old, maybe? What's that right balance of how do I know how long to keep things and where do I store them? And then how do I systematically purge the information I don't want to retain?
Speaker 2:It's a timely thing. This is a very common thing we see now the big buzzword is records, information management. It's like the enterprise thing and that's to your point. It's like how long do I keep data? What's our policy? And then to your other point of like what's my requirement? Because once I don't need it, purge it because you're subpoenaing other things your right to defend and there's a mixed bag there because sometimes you're required by certain frameworks on what data you have.
Speaker 2:You have to hold certain things. And then again I go back to the process. What do you have to do first with the process? Operation is that process, and at some point technology can help to enable that. But again it kind of goes back to what I have to do first and where that balance is. We always say that's legal advice, that's something we can't advise on. We can help to enforce or help build an efficient policy for how big you are. That's realistic, but it's a very common thing. People think, oh, I want to keep everything forever. Could be great in some industries, other industries. If you're in manufacturing, or especially in the IP and bio side, keeping things isn't necessarily always the best idea.
Speaker 4:But how do I kind of go through and purge and I would encourage, if you're concerned about it, it's okay. I've been in a lot of meetings where those AI agents pop up and like, hey, I think this is a fairly confidential meeting, can we turn that off? And usually, more often than not, what I've gotten is, yeah, I've been struggling to turn that thing on.
Speaker 1:It keeps popping in. Let me turn that off. Here's the scary thing that technology has been so consumerized. You can find it on apps. You can find it on little wrist strap devices that you can wear and record in live meetings. The world is changing in how easy and accessible that is and how quickly it can summarize a lot of information into meaningful, usable elements, which is super helpful. That's the good news. We use it and we have a defined policy of how and when we will use it so we don't accidentally abuse that trust of a client or a prospect or whatnot.
Speaker 1:But my most concerning thing is there's so many of them out there and some are good and safe and have controls and some who knows where the data is hosted? In some cloud in another country and they're just on the app store because they've passed them. You know Apple's test of, you know basic security, app security, not their data practices on the back end. So I think using a trusted, if you're in Microsoft, pay for Microsoft Copilot, if you're in, if you're a Google environment, like, there's some good other third party or app tools. But like you need to vet those and you don't know how to vet them. Like, obviously, leverage an expert.
Speaker 4:That kind of maybe yeah I will say this is a number of years ago, but it wasn't that long one of the larger um communications firms that did a lot of the telepresence stuff we I was on the phone, I was trying to vet their product and I was like, hey, you allow people to share information like upload documents during chat and during these meeting sessions. Where does that go? Can you share that securely? And their CISO was on the phone. He's like actually I wouldn't share anything confidential. He goes the video, the audio. We've got that secure. But we're a year away from where the storage where those attachments go is secure. I would not use that, at least for another year.
Speaker 3:That's good to know.
Speaker 4:And that. So just asking that question, they were very transparent, going yeah, I wouldn't do that just yet.
Speaker 2:That goes back to our policy, which is a company procedure and policy. Sometimes small firms will say hey, I see the recordings on here. Can you please turn it off? We're not because I'm not sure what will be discussed. Right, you can air the site or you know maybe to your point about the confidential. Hey, see, this is confidential for our set process and policy. This is where we go in this data and we're going to store it here at SharePoint. So that begins with knowing that process first and that procedure, and then technology can turn those things on.
Speaker 4:And I think we're at time now.
Speaker 1:Yeah, maybe one wrap-up question just to roll it. Advice for your fellow entrepreneurs.
Speaker 5:What is one thing walking out of here that you'd recommend to the audience of Simplifying Cyber and taking some initial steps to get better from where they're at? So I would say you know, if you're a small business entrepreneur, you are the CIO and you are the CISO and it's your responsibility to learn about the tools out there, learn about the risks out there, take it seriously just as you would any other aspect of your business, like marketing, sales, accounting, etc. Because if you understand it, it's a great opportunity and a source of competitive differentiation. If you don't understand it, you're at risk.
Speaker 1:Yeah.
Speaker 3:I'd say along those lines if you don't want to build the technical capabilities to do the day-to-day administration, you can call people like Todd who will help you set up the system so that you can't break it. But I agree, if you don't understand it and set those guidelines for your organization, you're going to find yourself in a really tough position. 1-900-GET-TODD.
Speaker 1:Oh, that works.
Speaker 5:I feel like we're going to put Todd's phone number in the show notes. And on that note, thanks everyone for coming. This was a fun conversation.
Speaker 1:Appreciate it.