How Reliance on AI Technologies Places Smaller Businesses at Risk of Ransomware Attacks With Taylor Hersom

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, Justin Daniels here is my wife smirks at me slash co-host. I am a Corporate M&A and Tech Transactional Equity Partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  1:02  

You make data breaches. This episode is brought to you by Red Clover Advisors. For everyone who has no idea what redcloveradvisors.com does, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more, and check out our best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit redcloveradvisors.com. Well, hello, giddy host today.

Justin Daniels  1:25  

I thought you told me we should be lively. Why are you so excited about a data breach? It’s not fun. I’m sorry, audience that data breach. Very sorry. Have to be monotone. What do you want me to do here today?

Jodi Daniels  2:09  

I don’t know. I don’t I don’t know. You could get us started. Let’s get this party started.

Justin Daniels  2:17  

I want to hear you introduce our guest because of what?

Jodi Daniels  2:20  

Oh, you’re right. Now, all right, right, right. Oh, my goodness. Okay. Well, so Taylor, welcome to our silly fest. We have Taylor Hersom, who is the Founder of Eden Data and is a cybersecurity compliance nerd, (his word not mine) that is hyper-passionate about building world-class cybersecurity programs for startups and beyond. He has dedicated his craft to helping even the earliest stages of organizations realize the benefits of putting data privacy first, from brand recognition to customer loyalty and turning that investment into substantial ROI. So Taylor, welcome to the show.

Taylor Hersom  2:59  

Jodi and Justin, thanks for having me. I’m loving the energy. This is going to be a great episode. I can already tell.

Jodi Daniels  3:06  

Now, it’s your turn to get started. I can speak now. Yes, you can.

Justin Daniels  3:09  

Well, here’s how I’m gonna do it. It’s Taylor, tell us about your career and how you got where you are today.

Jodi Daniels  3:16  

And now it’s good to ever listen to us ever again. Well, you said

Justin Daniels  3:19  

I was too lively. Well, data breaches. Taylor, tell us man, how’s your career evolved? You know, talk to us? Absolutely.

Taylor Hersom  3:27  

I’ll keep it high-level. I started by selling my soul to Deloitte. Was there for a number of years doing IT audit in the financial space. So for mostly publicly traded companies, and then I transitioned into being a chief security officer, I quit my job the week before COVID started thinking that I had all these opportunities. They all went to hell in a handbasket because the world went to hell in a handbasket. And, and so out of necessity, I said, “Man, I got to, my wife’s gonna kill me.” So I need to figure out how to make some money here and started my career on Upwork. And that’s where I trend it’s not my career, I guess my company started on Upwork and doing consulting and transition that into to what Eden Data is today.

Jodi Daniels  4:12  

I knew I liked you. I also started my career at Deloitte and I worked alongside your team, but I was on the financial statements audit side.

Taylor Hersom  4:22  

Your team was way smarter than — Yeah, I could not do what you do. Not at all.

Justin Daniels  4:28  

And Taylor, whether I make money or not, my wife usually wants to kill me anyway.

Taylor Hersom  4:33  

Okay, that makes me feel better.

Jodi Daniels  4:35  

Ah, okay. That’s okay. We’re gonna bring this back to security today. So we mentioned just a little bit in the intro, but why should companies especially smaller ones care about security?

Taylor Hersom  4:49  

Oh, my goodness. So that ‘s a great question. I feel like everybody has a different answer to it. But in reality, we have become a world driven by data. And data is definitely the most precious commodity that we have. A lot of people don’t understand what that statement means they think that just a bulk repository of data is valuable, more valuable than cash. But in reality, it’s what that data says it’s what its plans to our fighter jets, it’s proprietary information on a publicly traded company, it’s your personal health information, that is what is valuable. And so every single company in the world has become some sort of data company. And therefore, there’s, there’s a need for us to be able to protect said data because of the value of it. And because of the implications it has on individuals globally, as well as businesses. I think the other thing, though, that’s the personal side, on the company side, it’s also something that investing in security allows you to build trust with your customers, You guys nailed it at the intro. But essentially, right now, we are building brands by building loyalty, by building trust with our customers. And in order to do that, you have to give your customers the sense that you care about them. And you care about the data. They’re giving you the information they’re giving you the relationship you have with them. And so security allows you to accomplish that.

Justin Daniels  6:16  

Taylor, I want to ask you a follow-up question, because when I go on shows, I’m very clear as to why startups don’t care about security, because it doesn’t drive revenue. But an interesting offshoot of that is, is I still see an even series A deals or even growth stage where private equity firms venture capitalists don’t make security the priority it should be. But I’d love to get your views on what you see, when you’re dealing with some of your customers who might be VC-backed.

Taylor Hersom  6:46  

Honestly, you’re completely correct. We don’t get customers who wake up and say, Darn, I really care about my customers’ data, and therefore I want to protect it. And so I’m going to invest in protecting that data. It is usually “I am about to lose this deal.” I am some small startup that is suddenly selling to Walmart and Walmart saying I need my stock two at a station or I need my ISO 27,001 certification. And so their security is indirectly tied to revenue and that case, however, I think that a lot of times what we’re seeing is that they want to care about it. It’s just that startups are classically running lean, and they’re being driven by VCs. I think a lot of the issue that you touched on, Justin is driven by the VCs and private equity groups, because they are the ones saying, if you need to be constantly growing, if you’re not a billion-dollar company, then you suck is basically the message that’s been being given. And because of that, things like security are looked at as a cost center, even when in reality, they are revenue generating, it’s just not as tangible as you can tie to marketing and, and to your sales and things like that. So that was a long-winded answer. But I do think it’s a, it’s a more complicated situation, and they simply don’t care. I think it’s just simply that it’s not their biggest priority.

Jodi Daniels  8:05  

I see the contract piece all the time on the privacy side as well. They get this contract and includes all kinds of provisions for GDPR. They’re going to be global, I’m going to process data from the EU person helped me become GDPR compliant overnight. Can you do can I just or my favorite one is I need a cookie banner, so that I’m compliant? No, yeah, there’s a lot more, everyone, to complying with the privacy law, especially GDPR, than the cookie banner. And the same is true for CCPA. So a lot of times people think it’s some of the outward facing pieces. And there’s actually so much that’s on the inside. And hopefully, all of these companies don’t just sign on the dotted line and say that they have it all. I’ve seen that too, which we don’t want that either.

Taylor Hersom  8:05  

There’s a lot of contracts floating out there right now that someone is just blindly agreeing to the terms set forth by a bigger organization. And I think that when regulations start to come more into play, and that they start going after more than just the Googles and the Facebook’s of the world, or the enterprises start to pursue legal action against the companies that that they do business with, because of have been neglecting to actually protect their data like we’re gonna I think we’ll start to see a shift in the market. But today, I’m not seeing a bunch of that. I think the ones you’re seeing are the ones that are publicly noted, which are the solar winds of the world that are exposed, either directly or indirectly through a vendor.

Justin Daniels  8:08  

Oh, Taylor, one of the things I want to ask you about, you know, we’ve talked about, on many shows, and I’m sure you’ve seen this about the threat of ransomware. But one of the interesting things that I wanted to talk about is I work with a lot of midsize companies, but then I work with Red Clover, and Jodi shows me all the interesting ideas that entrepreneurs have around using artificial intelligence. And what I’d love to learn Little bit more from your perspective as they look at it as, hey, this is a way to run really lean, but they don’t appreciate what are the cybersecurity risks and privacy risks around AI? And I’d love to know, does this conversation even come up in your work or they’re just going full speed ahead and damn the torpedoes.

Taylor Hersom  10:18  

Unfortunately, it is more the latter, we are the ones that are having to drive the conversation for our customers. And we typically are the ones finding out after the fact that AI is being used in some form throughout the organization, I think that everybody is very much jumping on the bandwagon of AI. And so they’re starting to use it in many different departments for many different use cases. But unfortunately, it’s back to shadow IT which we’ve never solved for, this is just a new form of shadow IT you’ve got these tools being used in an organization that you have no knowledge of, and that’s a big problem. And now you have Open AI announcing this last week, where they are essentially expanding out their capabilities to be able to use their platform to build basically any kind of automated function and any kind of assistant but the problem is, is that it’s a open call on on API’s, and it’s going to create so many vulnerabilities and implications for SaaS companies, especially, I think it’s gonna get worse before it gets better, unfortunately, because nobody is back to they didn’t give a damn about security. And so why would they give a damn about security around AI?

Jodi Daniels  11:28  

This could be one of the mistakes that you might share. But what are the common mistakes that you see companies make, that if they actually addressed it would make a significant difference in data protection?

Taylor Hersom  11:43  

I think a lot of times that well, we actually just talked about a really good one, which is that a lot of times the customers that you are doing business with are outlining the things you need to be doing in order for them to do business with you. And we have a lot of startups that will just blindly sign contracts, we’ve seen it, and not our customers, we’ve tried to educate them on that. But we see a lot of startups just blindly signing these agreements, when in reality, you could be taking those requirements and start to be building a baseline security function, you are protecting yourself legally, of course, with your customers. But you are also of course addressing risk in your environment. I think that if people just took a little more time to get Legal and Security together, or even just legal, and whoever is managing security, if you don’t have someone that if you have someone wearing multiple hats, if they just came together and came up with a game plan and put a little more focus on that aspect, there would be a much lower risk to their business. And they would also have a bigger impact on security as a whole throughout the organization. So I think that’s a huge gap area today, that doesn’t get it at least in the startup world.

Justin Daniels  12:52  

Well, Taylor, I’m just curious for your perspective, again, as it pertains to startups is, how often do you see them have publicly traded companies? And do they have any idea of what’s coming their way in December when the SEC cyber rules become live?

Taylor Hersom  13:09  

How many of them are serving publicly traded companies?

Justin Daniels  13:12  

Yea then if they are, do they have any sense that come December, they’re going to be in scope for the SEC cyber roles, because if they have a data breach, and it’s material to the publicly traded company, a publicly traded company, in turn will have to report it to the SEC. Right?

Taylor Hersom  13:26  

Yes, this is another area that I think everybody’s got their head in the sand. I think even beyond just the startup world, nobody really understands the implications. And then you also have these various privacy standards that have been released, but they haven’t made a huge impact. So you’ve got GDPR, you’ve got CCPA, that turned into CPRA. And there are some high profile legal cases around them. But they haven’t impacted the average startup founder or they haven’t impacted the average s&p. And so I think that because of that, it’s like the boy who cried wolf. I think that people look at this as just oh, this is just another. This is just another example of a regulation of them trying to get us to do something that we don’t actually really have to do. And until people start to feel the pain, I don’t think we’re going to see a snowball effect of people adopting privacy standards, people adopting better security standards. So

Justin Daniels  14:23  

So you recently talked about, you know, how ransomware is a big threat. We touched on AI, but what are some of the other threats that you’re seeing today? Like, for example, I’m seeing SIM swaps becoming more INVO. What are you seeing out there?

Taylor Hersom  14:38  

Interesting. I definitely think that network attacks across the board just we’ve seen a lot more of an uptick with our customers that have SaaS platforms that they’re providing some kind of business solution to another business and they have a publicly facing app. They are starting to there’s an uptick in the amount of attacks and attempts on those applications. As on their websites, those sorts of things. And a lot of the speculation is because of the increase in nation state driven attacks. So we’re certainly seeing that as well. China and Russia are up ticking like crazy in terms of the amount of attacks that they’re putting out. And there is also this higher drive for intellectual property and data in general. So we’re seeing the results of that just in the threat intelligence and vulnerability management programs that we’re building for our customers.

Jodi Daniels  15:31  

We talked a little bit before and Taylor, you said, a lot of times these companies are gonna get a big contract, and it says, I need to be stuck to compliant, I need an ISO certification. And they go to Google and try and figure out what is it that they have to do to pop some service companies like Durata, and Vanta, and some others, and that will be a magic bullet. But I know that Eden Data works with a number of those companies. From my implementation standpoint, can you share more about what do these companies offer? And for a company looking to utilize one of these services? What is involved?

Taylor Hersom  16:11  

Oh, yes, this is, this is an area I’m passionate about, I certainly think that the the increase in the use of GRC platforms and compliance automation platforms and all these other buzz terms that they’re using, I think that its overall net positive. But I do not think it’s the panacea of compliance by any means. And unfortunately, a lot of the marketing out there is that it is and you can, you can get socked to in a matter of weeks, and everything’s super easy. But all it is, is putting documentation out there that allows you to pass an audit, it doesn’t really impact like people do not have a deep understanding that you have to go and implement processes that address risk in your environment to reduce your risk posture. And so a lot of these GRC platforms are focused purely on compliance and helping you get through sock to ISO GDPR as quickly and efficiently as possible. And we leverage the tools because we think that there’s a couple of great benefits of these platforms. One is automation. I’m a big advocate for automated controls. I think humans are our pesky and busy and they make mistakes. And if we can take as many controls off of their plates, that things that a person has to do to address a risk, if we can replace that with a system doing that same thing, in order to address a risk that is a much more effective, effective process. And so these platforms, they can integrate with your background check provider, they can integrate with your AWS or Google Cloud or wherever your platform is hosted. And you can integrate with all of these different systems pull data in and get alerts on a continuous basis versus in a manual manner when you have to log into those platforms manually to be able to check for different compliance and security checks. So for example, like do you have logging turned on for all of your s3 buckets? Do you have encryption turned on for all of your s3, buckets, things like that. It’s very helpful. So that’s one mechanism. And then I think the other mechanism is just having a central repository for all the things you’re doing related to security and compliance. A lot of customers don’t matter, a lot of companies don’t have that. It’s all over the place. They have policies in one place and procedures in someone’s head, and they don’t have anything very standardized. And so these platforms allow you to at least have a central location where you say, This is my procedure. This is the policy associated with that procedure. This is the person that owns that procedure, and I get a reminder to that person every time this procedure needs to be executed on. It’s kind of like the nagging mother in law. So I love it. And I think that it creates a lot of efficiency in your security program. I just don’t think it solves for what we’re talking about today.

Jodi Daniels  18:54  

If I have a central place for all my policies, one of the challenges is the people in the company actually might need to know about the policies. Are any of these tools creating or have anything where they are the central place for the rest of the company? Or can you share a How are companies essentially sharing out their policies to their employees? Right, I might create it in one place. But now what is the best practice that you’re seeing in terms of how to share the actual policies. So Jodi, the employee knows what to do.

Taylor Hersom  19:26  

This is one of the big features that I love about these platforms, there are a few of them out there that do not have the feature of being able to share policies and acknowledge their acknowledgments in there. And I think that’s insane, because you need to be able to have, as you mentioned, a central repository with an edit with the Audit History audit log of the policy itself, and you need to be able to share it with all employees and capture their acknowledgement of the policy. So you have more than just someone telling you, hey, I read it. You actually have the ability to You can even record like how long they spent in the policy before acknowledging it and little things like that. So you can start to see adoption rates and then of course meet the compliance requirements related to sock two and ISO which have compliance requirements around acknowledgement of policy. So they are I know, Draaga does this we work heavily with Jada, and a couple other of the platforms do this as well. And it’s an awesome feature.

Jodi Daniels  20:24  

It’s a very good feature. Thank you for sharing. Are you excited about this feature? You’re thinking about this feature?

Justin Daniels  20:32  

I could be. So, Taylor, when you’re not involved running your cyber company, and you might be out at night, you’re at a cocktail party hanging out with somebody like Jodi, what might you give someone if they say, Hey, what’s your best security tip? At a party?

Taylor Hersom  20:55  

Best Security tip at a party, I feel like everyone is always covering the same ones like the multi factors, advice of the world, like that still rings true. And people still suck at that. But if I were to give something that’s a little more non-traditional, like, some of my friends don’t realize that like using Apple Pay, I tell everyone use Apple or Android Pay whenever possible, and stop using putting your credit card information everywhere. Because Apple Pay is the equivalent of a one-time code just like with the OTP password. Secondary authentication. So I tell people all the time, use Apple Pay use Android Pay use something like that, rather than just using your credit card. And that’s online and in-person. Let’s see what else. Yeah, VPN, I feel like that one gets thrown out a lot. But people still just don’t friggin’ use VPN, they don’t invest in a good router for their houses. Like, I think a lot of businesses, especially in the post world of post-COVID world, we’re so concerned with our network security at the at the AWS or GCP layer at the infrastructure layer, but we don’t focus on what about what Betty Sue has at home, and how she’s protecting her WiFi connection, every time she logs into any of our third-party applications or in house applications.

Jodi Daniels  22:12  

And when you’re not building a security consulting company, what do you like to do for fun?

Taylor Hersom  22:18  

Oh, my gosh, this is like, gonna be such a lame answer. Because I really just love to work. And I’m a security nerd. And I love what I do. So I spend a lot of time probably too much time on the business and working with customers and whatnot. When I’m not doing that. I’ve got a bunch of dogs running around. We have multiple dogs. And so I go on a lot of hikes and walks and stuff with them. I’m an avid reader, I like to go snowboarding in the winter, even though I’m in Austin, Texas, so I gotta get on a plane to get somewhere that has any kind of inclination, but those are a few of the hobbies that I love to do.

Jodi Daniels  22:55  

Do you have a favorite spot for your snow activities?

Taylor Hersom  22:58  

I do actually changed in the last year I got to go to Lake Tahoe. And I went to Heavenly I think is what it’s called where you can you can snowboard in California, you can snowboard in Nevada. And it’s amazing. It’s beautiful. You’re overlooking the lake. Yeah, that’s my highlight. Maybe it’ll change the season. But I’m definitely going back to Tahoe.

Jodi Daniels  23:22  

And where can people find you if they’d like to learn more and stay connected?

Taylor Hersom  23:28  

I’m active on LinkedIn and Twitter not much else. So those are the two spots: Taylor Hersom on either of those. I would love to connect with folks and I’m here to nerd out on security and compliance anytime.

Jodi Daniels  23:42  

I’ve seen security as fun. You do that you spend your free time reading all kinds of fun and interesting things.

Justin Daniels  23:49  

Yes, I do. I don’t it’s kind of if you’re going to be in this industry there’s always something new learn every single day.

Taylor Hersom  23:58  

Any good books, Justin or Jodi, that y’all have read on the topic of security compliance or privacy that from the last six months like anything that is a highlight reel.

Jodi Daniels  24:08  

No, you can’t do that. Yeah. No, you can’t. Because do you have any answers that you’d like to share?

Taylor Hersom  24:15  

You were gonna blog here I mean, besides, besides you all’s book, of course, is what I’m interested in.

Justin Daniels  24:22  

I read an interesting book by a New York Times author about the black market for zero days all over the world. I’m trying to remember the name I read it. It’s I think it’s like why the why the world ended it’s all about the zero day.

Taylor Hersom  24:39  

Oh, This Is How They Tell Me the World Ends?

Justin Daniels  24:40  

Yes, that’s it. You got it.

Taylor Hersom  24:42  

Phenomenal book, phenomenal book.

Justin Daniels  24:44  

I got through it. It was a little dense, but I learned a lot and how scary it is and how people don’t appreciate that cyber threats and zero days are like a weapon of mass destruction.

Taylor Hersom  24:59  

Battlefield Cyber just released like just a couple months ago and that’s the book I’ve been reading presently. And I highly recommend it as well.

Justin Daniels  25:07  

Michael McLaughlin?

Taylor Hersom  25:08  

Yes, exactly.

Justin Daniels  25:09  

I know Michael.

Taylor Hersom  25:11  

Yeah. What a phenomenal book thus far. I’m halfway through. So maybe it’s yeah, it’s that’s another one I give a recommendation on.

Jodi Daniels  25:20  

Well, perhaps we needed to have a book club podcast next. Taylor, we’re gonna say thank you for stopping by and joining. These are some really helpful tips and we are glad that you were here to be able to share them. So thank you so much.

Taylor Hersom  25:33  

Thank you so much for having me to both of you. And thank you for the listeners for taking time out of their day to listen this podcast.

Outro  25:44  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.