JLD: What’s shaking Fire Nation, JLD here with an audio master class on will the Coronavirus create a data breach in your company. To drop these value bombs, I have brought Jodi Daniels on the mic; she is the founder and CEO of Red Clover Advisors, a boutique privacy consultancy that helps companies build customer trust while complying with global privacy laws such as GDPR and CCPA. And Fire Nation today we’ll be talking about identifying phishing email, how to create the best password, what a company’s biggest security risk is right now, and so much more as soon as we get back from thanking our sponsors. Jodi, say what’s up to Fire Nation, and share something interesting about yourself that most people don’t know.

Jodi: Well, hello, I am so delighted to be here with everyone, and thank you for listening. So, for the what I don’t know, I am going to be – it’ll be fun, so here we go. Does anybody have a map that maybe anybody maybe happen to know how the hell to do this, I don’t know if you can tell, but this is me just pretending to know. So, that was singing from my favorite Broadway show Dear Evan Hansen; people don’t know that I sing.

JLD: Amazing. I will tell you this, 2,584 episodes and you’re the first person to sing on the show, I am just to the moon, Jodi.

Jodi: Well, I like to be different, so there you go.

JLD: There it is. Well, listen Fire Nation we’ll be talking about will this Coronavirus create a data breach in your company and we’ve brought to Jodi on the mic, we’ve talked a lot about, in the introduction, what we will be sharing throughout this episode. But let’s just dive in, because there’s a lot to get to, a lot of really important stuff for you Fire Nation, so please take some notes. What are some clues, Jodi, to identify what a phishing email is?

Jodi: Yeah. So, there’s a couple and just to make sure everyone knows what phishing is phishing, and there’s all kinds of other fancy words. It’s come to text messaging; it’s like vishing, and smishing and I don’t know put a bunch of letters together and make it ishing. What happens is I’m impersonating, it looks like I’m a real email, but in actuality I’m not, I’m kind of spoofing, another fancy word, somebody else. And in the last couple months, it’s been up 350%, it's a tremendous problem, and it’s one of the easiest for a bad actor or a thread actor to try and take advantage of. So, one of the various easiest places is to look at the sender, it might say a name that you’re familiar with, but you can look at the actual URL or the email address of the sender, and you can tell cdc.gov.org, there’s no .org at the end of .gov.

Or if it came from Amazon Prime, it’s not gonna come from amazonprime@comcast.net. So, you look at that particular one, and if the email is a little sketchy, you’re not sure; I highly advise you, use the reading pane and mouse email providers to be able to look for some of these clues. Some of the other ones are poor spelling or grammar. Most emails don’t just say Dear Customer; they’re gonna say, Dear John, Dear Jodi, they’re gonna personalize it. If you get just Dear Customer, there’s probably a phishing email. Again, the URL, and you could also look in the footer because they might change the logo, they might change the address it doesn’t look like the standard footer that you’re used to getting.

There might be attachments; if you get attachments or links on these things, do no click, don’t open the email, don’t click the attachment, don’t click the link that’s how they get all the malware onto your computer. And the other big, big clue is going to be if there’s an urgent need or threat, like must act now, open right away, call us within an hour something like that most places that are gonna need urgent information are not gonna do that, they’re gonna wait to call you, they’re going to do other methods, or they’re going to say log into your account. And they wouldn’t even provide the appropriate link; they would just say go directly to our website and go do it.

So, those are gonna be some of the really common places to be able to identify a phishing email.

JLD: And Fire Nation, please don’t feel foolish, don’t try to hide it if something like this happens to you because it literally can happen to anybody, unfortunately. I’m gonna call Kate out now, this is a very diligent girl, she is not one to take things lightly or not, to investigate things, but I can remember it wasn’t too long ago, maybe two or three years she got an email from “Verizon” asking her to verify some things about her account. And guess what? She did that, but then she was like wait a second something about that was kinda weird, and she went back, and it was one of those things where a couple letters were off, a couple things about it, she called Verizon, like oh, no, we would never have you do that.

That’s something we would never do. And she had to go through this entire process as a result, and it was a really brutal and annoying time, but at the same time, she called herself on it, and she took the steps to correct it, so take action when these things happen. Obviously, it’s so Important to things that Jodi’s gonna be sharing today to protect yourself not having to go that route, but if you do, listen, at the end of the day, take positive action on that. A lot of people talk, Jodi, about two-factor authentication, they call it 2FA. What’s the most important step that we, as entrepreneurs, as small business owners can take in this area?

Jodi: Well, first, it’s to implement it on every place that offers it. And there’s a couple different ways to do it, and first, we’re talking about two-factor authentication. People might also might hear MFA, multi-factor authentication, same thing. Financial institutions or your bank has it, your credit card companies have it, and there’s also some software tools you can use. There’s Google Authenticator; there’s one called Offy. But the idea is – we’re gonna talk about passwords, we wanna have a good strong password, but let’s just pretend someone got past that. Well, the next layer is gonna be the two-factor authentication, and it tells you every time someone’s trying to log in, you get a notice, and it’s often like a six-digit one-time passcode that you enter in.

And it might feel, I’ll be honest when I first did it, it feels a little annoying now I got this one extra step, but it really is about three extra seconds of annoying, and you kinda get used to it, and some of the tools let you use it on multiple devices, some you can just can have on your phone. Different ways to accommodate, but it’s another defense to really make sure that the only people who are getting into your account and the people that you want on your team to be getting into certain accounts. And, today so many different places offer the ability to have the ability to have two-factor authentication.

One of the ones that I think people sometimes forget, oh, gosh, that would really a great place to have one is on your social media accounts. Because do you really want a bad actor coming in and taking over your social media account? We’ve all worked so hard to build our brands; I wanna know if someone from a different place that shouldn’t be is accessing that. You can go into just about every single social media account, set that up, think about all your different carts, and checkout pages, all of those can also have two-factor authentication assigned to them.

JLD: Fire Nation, three seconds now, can save you hundreds of hours later as far as trying to recoup and recover and repair, what Jodi just shared, I’ve known people who have had their social media accounts hacked and then people have posted crazy things on it. And guess what? The individuals that person spent years and years building as an audience just fled and were gone and are never coming back because they didn’t know what was going on. And they figured it was either a crazy person or this or that, but at the end of the day they left, they unsubscribed, they unfollowed, they did those things.

And it’s so brutal to see because so much time, so much effort is put into that and when you can just spend three seconds to use a two-factor authentication and save all of that; it literally is a massively brilliant investment. Now, Jodi, let’s be honest, your pet’s name, password, 1234, these are all terrible passwords, but people do it every single day of the week. How can we create the best password?

Jodi: So, it is true, people put their postinotes and stick them on their computer, and do all kinds of really interesting things because there are so many places, we need a password, there’s a gazillion, how on earth can you remember all of them? And a couple suggestions for passwords, the first is make it a complex phrase, Jodi loves purple, Jodi loves scissors, I don’t know, Jodi loves pens, Jodi loves whatever. Make a phrase, and then you can make the phrase a little bit more complex; you can have capital letters and lower-case letters. You can change some of the letters to symbols, so, maybe you always make your S a $, maybe you always make your I the number one.

You can make a system that works for you that you always will remember and that complex phrase where you then mix it up where you make numbers and symbols and capitals that, again, makes sense to you is one of the first ways. The second is to use a password manager like a LastPass, which is what I personally use, I love LastPass, and there are some others like Dashlane and OnePass. And if you’re not familiar with what a password manager does, it actually really does some awesome things. It lets you set really complex passwords that you would never, ever remember, and it stores it in that central password place, and you then have one master password that needs to be a really good password because it yours your absolute master password.

And that allows you to get into the account, now, what’s really nice about one of these tools is all of us have different team members who might be helping us, maybe they’re doing social media, or maybe they’re doing accounting, or maybe they’re doing building landing pages, and carts and funnels and all types of other activities, well, they need access to certain things, but you don’t always wanna share your actual password. You can share access via one of these tools, and they get the access they need without you compromising sharing your password. And the last piece that I’ll say is the absolute best connection of passwords, is to have both password and two-factor authentication.

So, I’ve had the fortunate opportunity to sit on panels and webinars with the United States Secret Service, which actually is responsible for – a big part of their jobs is electronic crimes, and they will tell you that the best layer of defense is a complex password plus two-factor authentication.

JLD: So, Fire Nation, there’s a lot here, and I really want you to understand that there are tools are available. I love that you shared LastPass it’s something I use as well because you picture that moment when somebody is like, I need to get into your account, and it’s a team member or somebody you hired, or somebody you’re working with. And so, you do give them access to that account, but you’re like, oh, my God, I have the best password, and if I give it to them, then it’s out there, and I gotta go change everything there’s room for error. But tools like LastPass to “share” your password without them actually having access to seeing it, but the LastPass allows you to share access to that account through the tools that they have.

And it’s really slick; it’s really sleek; it works fantastic and allows you to protect everything that you have going on in your world. Now, let’s talk about the why, Jodi. Why should companies implement defense and depth, why should they use that security approach?

Jodi: You kind think about a couple different analogies, so imagine the old days where you had a castle and the fancy royalty was inside, you had to have lots of layers before someone could enter the castle, you’d have the big wall, you’d have a moat, you’d have guards on all corners, you have guards at all the doors, you have greeters it was really hard to make it to the ideal goal which was the royalty. Or in a fun example imagine like a Tootsie Pop when we were kids, or maybe you still eat them, now you had to work really hard to get –

JLD: How many licks to get to that Tootsie Pop. I can see a picture of that owl right now.

Jodi: Yeah! It’s not super easy. If you make it, there are markets where it’s someone’s job to get personal data, and it’s not a matter of if, but when companies of all sizes will have a data breach. And small businesses, about ⅔ of them, are likely to suffer a data breach and of those, many of them will go out of business in six months. And a data breach is expensive. So, we want to avoid a data breach it’s expensive it’s up to $200 a record, that’s really expensive, its reputational harm, it’s distraction from our business, and a lot of hackers know that small businesses are busy doing all kinds of other things and they’re a prime target.

I actually had really a solopreneur talk to me once, and I gave her a variety of, much of what we’ve talked about today, and then came to me and said that her Dropbox and everything was hacked. Small business all the way up to big businesses, so we want to protect our data, and there are people trying to get at it really hard, that’s their goal of trying to get at it, and the more layers we have, the better off we can be to be able to help protect it. So, let’s take email and kinda tie a lot of what we’ve talked about. I have Microsoft email if I have Microsoft email, I have a really awesome password, but then I also use the two-factor authentication that Microsoft has.

And then I also use some of the additional security controls that Microsoft offers; I make it a lot harder for someone to try and get into my Microsoft account. The same would be true for any of the other tools that are out there. So, the more layers we have, the harder it’s going to be. And the last analogy I’ll give is kind of imagine your house and the one that has the alarm sign on it, and I’m a burglar, am I gonna go to the one with the alarm sign or the one without the alarm sign? I’m probably gonna go try the other one first and then maybe come to yours. So, it’s kinda the same idea we wanna make it harder for them to come and find us.

And that’s why these multiple layers, and there’s more than what we’re talking about, think about all the people on your team and access. Does everyone need access? Or maybe only a couple people need access. And how do you manage that? Or if team members come and go, how do you remove them? Add them to your systems and remove them from your systems? And what tools are we using? All of these and how we educate employees, all of these are gonna be part of our arsenal, our security, and privacy program to be able to protect our data.

JLD: Fire Nation, there’s a lot here, but what I really want to encourage everybody listening is just take that first step, start small, do one, or two, or three of these on a day to day basis and just kind of build-up to where now your entire platform is covered, but it doesn’t all have to be done today. It can be done one at a time, but as long as you’re moving forward with a plan, and using tools like LastPass, and really making sure you’re implementing all these great suggestions that Jodi is going through, you’re going to get here. So, don’t be overwhelmed; just take it one step at a time. And fire nation, we’ll be talking about a company’s biggest security risk, some hidden threats and certain laws that obligate companies to protect data. As soon as we get back from thanking our sponsors.

So, Jodi, we’re back, and before the break, we were kind of teasing what a company’s biggest security risk is. What is it?

Jodi? In my view, the biggest security risk is actually the people, and they’re also our biggest strength at the same time because it’s the weakest and strongest link. They’re the ones who are, including ourselves, using data all day long; and we’re the ones logging into tools and processing personal data, we’re collecting emails, we’re doing marketing campaigns, we’re doing finance and accounting activities, we’re prospecting we’re using all of this information, and we’re logging in and logging out and sharing with all the different folks. And so, if employees aren’t familiar with what they need to be doing, they might, inadvertently, send that email, oops, with everyone’s personal information on it.

Or, oops, they might have extracted all the W-9s and put it on the shared drive for everyone to see. So, the employees and making sure that they know how to spot a phishing email, that they know how to set strong passwords that when they’re at home and in this remote work environment that they have strong passwords on their wi-fi, and on their router. And for some people, they might even be using a personal device. Right, a lot of companies are using, not a company item where you can kind of wipe it all clean; they might be using personal, so mixing personal stuff with my work. And so, how am I going to protect my company data on a personal laptop?

Making sure that the employees understands their role and has that knowledge to be able to use the different tools and ideas that we’ve been talking about is really critical. And it’s the same whether you’re a small company or a big global fortune company. Employees are often some of the biggest areas where we wanna focus and kinda two different places. One is just gonna be good hygiene, making sure they know what to do, good safe practices, don’t click those bad emails, update – I’m sure we’ve all gotten those anti-virus software making sure that we’re scanning and things along those lines, updating all of the different software’s. I use Zoom all the time, they have an update every day, going out, I wanna make sure I update all of that.

The other is, what happens if we had to terminate an employee? You have a disgruntled employee situation, and could I take all of the files and sell them to somewhere? I have sort of an IP situation, but I also have someone who’s familiar with the code injects something, so you have the disgruntled employee plus just education, so employees are really one of the biggest places that I would start with.

JLD; Fire Nation people, your biggest risk, and your best assets. And just remember the phrase to err is human, to forgive divine. But when you err as a human in this kind of area, it can really cost a lot, and maybe it could be difficult if we get them. Let’s talk about some hidden security threats that may not be really aware to the common eye.

Jodi: Some interesting ones are how people can – Zoom is actually really interesting example, and there’s a lot of the different software and tools, I’m a huge Zoom proponent, so I don’t mean to be picking on them, but one of the issues was, was it locked down? And could people find their way into it? So, it’s understanding the different tools and software that you have and making sure it’s appropriately secured. An example, a lot of companies build tools on AWS, Amazon Web Services, or they use Google, and they’ll say I use them, so I’m good I’m secure. And that is true; they are a wonderful platform who has high security. The company also has to do a variety of specific steps to make sure that it’s secure.

It can’t only rely on the vendor. And I think a lot of times we think, oh, well, the vendor has it all taken care of, or the software tool has it all taken care of. And there’s stuff that we need to do; there might be different settings that we have to make sure that we set like do we have a password? Do we have two-factor authentication? What are the access controls in place? Do we have any type of network or firewall things that we need to add to it, so there’s other steps that we have to do and again talking about this remote work environment? First off, before Coronavirus, we had oodles of companies working remotely. Now we have literally the whole globe working remotely, and we have children at home as well.

So, we have a lot more people that are here, and our guard is also down a little bit, so we might be clicking a little bit more on some of those emails. We might be downloading information and going to a variety of different sites to get information we may not have realized. We also, for companies who might have someone who’s helping to manage their software and it’s sorta like they’ve outsourced their IT to someone, or they have a person who’s helping them do that, or maybe they’ve just taken it on themselves, it’s to make sure you’re always using the security software and patches. I mentioned before my own Zoom patches Microsoft is doing it, Google is doing it, things along those lines, but you wanna be remembering who has access to your information and where could the bad actor get into?

And have you closed off all the places that you can possibly do. Like your home wi-fi, does it have the it came with out of the box which is often password, or 123456, that right there is a really simple one kind of forgotten about. So, change your home wi-fi, change your home router, to make sure that they’re properly protected. Use a VPN, a virtual private network, and there are some great ones that are out there for smaller businesses, and we kind of talked about the layers of defense, it’s another really great layer to add on. It’s, again, another way to try and prevent the bad actors from making into our little fiefdom. It tries to tell them, no, we’re closed over here, don’t come and grab my information.

So, when you add all of those up, you prevent some of the hidden threats, which might be a computer that’s vulnerable, easily traceable, and found, other people can access the wi-fi and break-in. And one of the other fun ones is think about all of those IOT devices, your Luxes, and Siri’s, and Echo’s and other robots that you have going on in your house, or the ones that have cameras and things along those lines because they’re always listening. Now they’re listening for weak words, but the more weak words they hear, the more they’re kinda still always listening, or maybe they’re recording. And SMART TVs all these different places is where information is, or maybe you’re even sharing personal information on a text, is that text secure?

Right. I message between to iPhones is more secure between Android and an iPhone, as an example.

JLD: What laws are out there that obligate companies to actually protect data? What should we be aware of?

Jodi: There’s a couple. First is GDPR, so I have eight fancy letters that I spent all day long talking about, with is GDPR, the General Data Protection Regulation, it is EUs data privacy law; it’s gonna be to May 2020, so it’s coming up on its second birthday. It obligates companies to protect data that’s part of its definition and its name. If you don’t protect it, it can – it’s fine is up to 4% of global turnover or 40M Euro. So, a big hearty fine that’s there, plus you have to report it really quickly, and you might be working with customers, so maybe you’re a smaller business and you’re thinking the GDPR is never gonna come after me. But your customers might be bigger customers and to do business with them what I find all the time in working with companies is that the customer demands that they’re responsible and that they’ll be able to help them comply.

The other really big one that I wanna talk about is the California Consumer Privacy Act, affectionately known as CCPA. It became effective January 1st of 2020; it’ll be enforceable July 1st of 2020. And that particular law also requires companies to safeguard information, but more than that, if they don’t and there’s a data breach, there’s the potential for an individual private right of action, so put in class-action lawsuit of $100 to $750 per record. That’s a lot. Now, imagine the really litigious society we live in, there’s just lawyers waiting to pounce on companies that have a data breach, and serve a lawsuit up.

Now you gotta deal with the lawsuit, you gotta deal with whether it’s true or not true, you have publicity, you have negative connotation. You have all these things. That class-action lawsuit is a big one where companies really need to pay attention and kinda the same situation. Some our listeners might be a smaller company, but the customers that they’re serving are requiring them to comply. And there’s a couple other states as well, the New York Shield Act is a new law that requires companies to protect data, Massachusetts has its own, and there’s a myriad of other laws that are out there. Anyone in the healthcare space knows about HIPAA, and there’s many, many others.

And the last point I’ll say is to be able; obviously, there’s these laws, there’s fines, there’s consequences, there’s the risk of data breach, to start on any of these you have gotta understand the data that you have. The first steps we talked about how do I protect data from all these security measures to make sure that you’re complying with these laws and that obligate us is you have to understand the data. You have to know what you’re collecting, how you’re using it, where you’re sharing it, how you’re storing it to be able to know how to properly protect it, which vendors, which tools, which service providers, which contractors and even what data you have to really get started.

So, my first advice is for companies to actually start on what I call a data inventory, a data map to begin to understand the type of data that they have so then they can start going upstream to be able to protect it and make sure that they’re complying with laws.

JLD: I love that concept of a data map, and Fire Nation, again, for me, this just goes back to really dropping the overwhelm of all of this. Because if you have a map, guess what? You could just take it one step at a time; you can go piece by piece, bite by bite, site by site, password by password as you flesh out this whole data map. And one thing I also loved you talked about Jodi was the fact that a lot of customers and consumers they actually might start demanding these things even from the smaller businesses because that’s just what they want because they know the dangers that are out there. So, talk about how privacy is actually crucial to customer trust.

Jodi: Yeah. So, this is my favorite part; this is what I love about privacy, is it’s the differentiator, it’s the place where consumers today, 60% of them, ⅔ don’t trust companies because they don’t feel like their data is being well protected, or it’s being misused as well. So, companies of any size that are able to explain clearly here’s what we collect from you, here’s why we collect it from you, here’s what we do with it, here’s how we protect it. Hey, we care so much about your privacy and security we might even make it a feature of what it is that we’re talking about. We have a link that explains how we care about your privacy. Those companies have an advantage to the individual, to the consumer, to the customer and then those that are in the B2B market, like I said, I have seen time and time again companies not get business because they can’t comply or they weren’t able to comply fast enough.

And I also hear from the MNA community a lot or the investor community where they recognize the importance of privacy and security. And so, they’re investing in companies who put it first, who builds privacy into the design of their products and services and offerings, and recognize it’s just the right way to do business. It's transparent we know when someone buys a product and a service from you, they’re buying it because they think you’re going to deliver an amazing product and an amazing service. And we go through a lot of efforts on how to market it and how to make it a wonderful product, and service.

Well, to get that I have to give you my information, and in these laws that we just talked about, the personal data includes me the consumer, it also includes me the person at a company. So, company data like the B2B part is included, so when you get Jodi’s information, I’m going to trust that you’re going to do the right thing with it. That trust element is so crucial and connected to the brand it’s not just all the brand effort that we do while marketing, and making sure we’re a solid company, and stand behind our products. What we do with the data is equally important, it is your brand, because if you don’t use the data the way I expect or you have some type of a data breach am I going to keep doing business with you, am I going to keep referring you? Probably not.

And in this particular era, we’re realizing about all the devices that are listening to me, and watching me, and tracking me, and if I get the right value, I understand that, but I can only understand it by how you’ve communicated, and that is where privacy comes in. That’s how you create trust and support and long-term relationships with your customers.

JLD: Fire Nation, Warren Buffett says it best – it can take up to 20 years to build trust and five minutes to lose it. So, you’ve been working hard in your business to build up to know they can trust of your audience, don’t let some silly – just annoying hacker halfway across the world lose it for you in five minutes. Get that data map ready, implement these things; it’s critical to your long-term success. So, Jodi, of everything that we’ve talked about today, give us the one key take away you wanna make sure we really walk away with. And then share with us how we can learn more about you from you, and any gift or give away you have for Fire Nation.

Jodi: Absolutely. So, to me, the one-step, and I love how you summarized it earlier, which is take a step at a time, we talked about a long list of things, and you definitely are not going to all 10 of them all right now. Pick one go find your accounts and set up two-factor authentication, then after you set up two-factor authentication, then move on and keep doing the other multiple other items that we talked about. So, just take a step forward and pick something to implement today. And the summary piece I would leave you with is really our last conversation point, which is that your brand is everything to your customer, and privacy, and building a trust-based relationship. Privacy is an essential element to building that customer trust.

So, absolutely to me, trust and privacy are synonymous with each other. And I would love to connect with you, and so, I have built a awesome remote work security best practices guide that kind of summarizes so much of what we’ve talked about and lists a bunch of my favorite tools, and it is easily grabbable at redcloveradvisors.com/fire.

JLD: Fire Nation, you are the average of the five people you spend the most time with, and you’ve been hanging out with JD and JLD today, so keep up the heart as you head over to eofire.com and type Jodi in the search bar, that’s J-O-D-I, her page will pop up with everything we’ve talked about today. Links to all that jazz, best sure notes in the biz. And one more time Jodi, where do we get that best practice guide you created for us?

Jodi: Yes. So, the Remote Work Security Best Practices Guide with all kinds of awesome tips and tools, redcloveradvisors.com/fire.

JLD: Fire Nation, get over there, grab that guide assign to somebody on your team and guess what, have them start taking one step at a time have that person become the person who’s responsible for protecting your business, for protecting your customers, for protecting the future of what you’ve created. And Jodi, thank you so much for sharing this knowledge it is so critical to building a successful foundational long-term business, for that we salute and we will catch you on the flip side.