[Music] Welcome to the Future Is Human podcast where we explore the remarkable advancements shaping our world. Join me as we uncover the mysteries of science, technology and innovation. Is technology finally delivering on its unfulfilled promise? We’ll delve into the balanced power of the human imagination, discover the impact on society, ethics and the essence of being human. Let's shape the future together.
Welcome back to the Future Is Human Podcast. Today, we're diving deep into the fascinating world of cyber security, a cornerstone of our digital lives. Our esteemed guest is an expert in the field and will shed light on the challenges and opportunities as we navigate the complexities of a digitally transformed world. Welcome, Bill Haber, cofounder of tekrisq.com. Hi, Bill. Thank you for coming on the show.
You bet, Rick. Thanks so much. I appreciate the opportunity to speak with you today.
Absolutely. I'm excited. I manage a lot of our online cloud presence for our company. So, I'm really excited to get into this because I have a lot of questions around cybersecurity as I'm sure a lot of people listening do. Before we get into that and get into the meat of it, could you start by giving our listeners a bit of a brief overview of your background and how you got into the cybersecurity space?
Sure. Yes. So, I'm happy to do that. Look, my background comes from a diverse technology background, dealing with a lot of sensitive data, with cyber security solutions, working with networks and in fields that require a little bit of careful handling of data, which span telecom, spans health care and medical data and marketing data, and more. I've spent about 25 years in software startups, over 10 of them. The last of which is my own company, TEKRiSQ, but myself and my co-founder, Dean Mechlowitz, have a combined 50-plus years in a couple of the same companies, but a lot of different companies that include cybersecurity-focused companies, risk management companies, particularly in the insurance space when it comes to technology risk and software platforms that have a lot of obligations to comply with standards and security requirements.
So, I think rather than go real deep into each one of the things I've done, what I can tell you is we bring some interesting background to the insurance business and we essentially help independent insurance agents, as well as the underwriters they work with to diagnose cyber risks inside of small and medium-sized businesses who need people to help kind of shepherd them through those conversations. Many times, they have immature processes, don't understand the basics of cyber security, and need to be walked through some of that and helped to understand how to take the initial steps to protect themselves and put basic cybersecurity controls into place.
Yes. People need the help, without a doubt, especially, on the midsize. It’s such a unique size and place to be because cyber security is ever changing, right? With that said, in your opinion, how do you think the cybersecurity landscape has evolved over the last decade? I'm sure you've seen a lot of changes.
Well, it's certainly become an enormous market, right? We talk to investors in DC [Laughter] all the time who are interested in saying, “Tell us about your niche.” But not only is this - and some people call it a $600-billion market, some people call it bigger, but really cybersecurity has become a must-have in the modern world. It's something every business needs to pay attention to if they want to protect themselves from some of the most common risks because it has become very mainstream and predictable, and I think businesses need to look at cyber risk as something that will complicate their business, and it's important to be ready to defend yourself, and too many businesses just aren't. The reason I talked about the size of the cybersecurity market and quantify it is that by a lot of estimates, we've got over $10 trillion of theft happening by the bad guys in the cyberspace.
It's like drawing a line from the Rocky Mountains and wiping out all the business done west of it. It's growing at a huge rate and it's no longer practical to fly blind and ignore cyber risk. Companies need to be pragmatic about it, especially small, medium-sized businesses who outsource IT, certainly don't have an in-house technology person, can't afford a chief information security officer, and need really pragmatic ways to take themselves out of the crosshairs of risk and not be the low-hanging fruit. Cybersecurity theft has become an industry, and there's bad guys buying software from people developing capabilities and selling them to bad guys to better pick all of our pockets. [Laughter]
So, the amount of bad actors is growing exponentially, and we're at war. Each of our businesses are out in the world, at war with people we can't even see and may not even know are beating us. So, it's a big industry. A lot of the industry talks past clients with technology jargon that people don't understand. In my career, I've found that all of the success I've had is directly attributed to how simple and relatable I make complex topics to people when they're representing technology products. So, to be able to help businesses advance in this space, particularly the small and medium-sized ones, it takes a human touch. It takes relatability. It takes really being focused on pragmatic solutions that don't break the bank but get them started on a journey that will inevitably put the basics in place, remove some of their liability, address these risks, and build a culture of cybersecurity, which is really what we're all about, helping get that culture going.
Well said, well said. It sounds like you agree with the idea that the attack space has broadened or the attack surface, right? It seems like it's growing at a rapid rate. Is that fair to say?
Oh, yes. It's been growing at a rapid rate. It started growing out of control from the original cybersecurity breaches that went from servers and mainframes down to individual PCs right about the time that we were all starting to exponentially grow the number of computing devices from our smartphones to tablets, and now all the IoT devices that are part of our everyday life. From our thermostats to our Amazon Alexa services, listening, watching all the things that are happening in the world, and then right when we started to get some things in place, we all left the offices where all of our cybersecurity solutions were and started working from home which exponentially grew the attack surface. So, yes, there's no shortage of risk explosion happening.
Yes. That's a great point because the landscape really shifted unexpectedly, right? COVID really boosted that [Laughter] or initiated that, I think. So, you, you mentioned the IoT and a few other technologies. How do you think these emerging technologies like AI, Internet of things, blockchain, how do you think all that's influencing cybersecurity strategies?
We’ll look at each one differently. I mean, I personally think I've got some experience working with blockchain-based solutions and I think being able to have more permission views of data is a great thing, and that's part of what we want to bring to the market in our platform. Instead of insurance agents and their clients compiling all the sensitive data into a PDF sheet, they email each other unprotected, just permission views that people only get to have for short periods of time that get controlled by clients is a really good thing.
But when it comes to technologies like AI, it's another Wild West. I mean, I think in the 1800s, there was a Wild West where everybody did whatever they wanted, and you'd have to go out to a handful of states to live that way. Today, there are Wild West dimensions and AI is the newest one. It's arrived. It's the Wild West. It's as useful, if not more, to the bad actors as it is to ordinary individuals. We use AI in our business not only to help us with things like simple documentation challenges, et cetera, but we are planning to use AI in a way that helps with predicting cyber risks for small and medium-sized businesses and making that an underwriting tool.
So, instead of a lot of the guess work that cyber insurance underwriters go through to understand if a particular client has got the right culture in place and doing the right way or just going through the motions, we want to give them really good data and prediction methods based upon a lot of unique data sets so that they can make quick decisions. So, look, the pace of technology and to maybe drill this into a general point about that, the pace of technology continues to grow and grow. There are new opportunities to exploit people in many different ways in the cybersecurity realm. AI is the newest and what people will do, and if AI will turn into new problematic issues, but an equal opportunity and risk.
Yes, that's a great point, and something I haven't even really considered, I think, and most people probably haven't considered because most people are not ignorant, but innocent, and we don't realize and we don't think about, “Oh, all this new technology can be…” Obviously, we can leverage it as a tool for good, but all the mal actors or bad actors they're going to leverage it for the polar opposite, right? They're going to leverage it to do what they do. So, that's a very interesting and good point. Now, with the proliferation of IoT devices, what are some steps that consumers and businesses you think can take to ensure their security? Some simple steps, and probably not simple. [Laughter]
Well, look, when you talk about IoT, every device is essentially an endpoint that needs to be protected, and those continue to grow and will keep growing. We're a big believer in endpoint protection that tools like EDR solutions, endpoint detection and response are really effective at and they're starting to be required by insurance companies when people want a cyber insurance policy. But before that, I think that every business today, if they are not addressing a handful of really basic cybersecurity strategies, they better start to, quickly. Those include awareness training because what I can tell you is this: we work with hundreds of companies, new ones every day, and employee behaviors are very risky, and being able to teach your employees the expectations that you have of them to help protect the business and how to do that, that's your first line of defense. So, we recommend that to a lot of companies, especially if they're not doing things like doing security awareness training. These can be very simple, affordable things they participate in regularly and also includes phishing exercises because a lot of the threats to businesses come right through the front door. They come in the form of emails.
There are really good ones out there. Let me tell you. Some of these guys are really good at what they do.
You bet. We make an effort to help people understand that. If you live in the Southeast and you see a Chick-fil-A special that asks you to click on something to take advantage of it because you're probably going there once in a while for lunch, make sure you are looking at who it comes from and aware that this could be fraudulent. When it comes to holidays, gift card offers and all kinds of crazy things, they're extremely talented at making these look like the real deal. So, that's why awareness training is really important. Another is getting on top of managing all of your security credentials, and what that comes down to is peppering your username and passwords everywhere. We see a ton of people that use the same password for everything, and every time there's a breach they're notified, “Hey, your username and password might be out there,” and we can do dark web scans and see if people's credentials are out there in the public domain. If they are and they're using the same ones over and over again, guess what? You're going to be the victim of something sooner or later. So, we encourage people to, rather than use – it is pretty indicative of what's going on. People use the same password because they don't want to have to remember a lot.
What you should do is get a password vault, a simple solution that lets you have your own login to it, but generates unique passwords, complex passwords that are different for every different site [00:15:00], and you don't have to remember any of them.
A simple tool you just click on, get your access. You don't even need to know what the passwords are to any of these things. It'll manage that for you. That's really a basic that I think is super valuable.
Training, access controls or password management is great. I mentioned endpoint detection and response solutions which are really good for businesses. If you just find that your workforce despite all of these trainings, et cetera, sometimes make mistakes and there's too much sensitive data, there are ways to put up tools that block a lot of incoming messaging. We call them DNS filtering, domain name servers. All that really means is the bad guys set up new websites all the time to steal, and DNS filtering makes sure none of them can ever reach your employees. It can dramatically cut down the attempts coming through mailboxes and so can spam filtering and email filtering solutions. These are all things that TEKRiSQ, my company, provides to small and medium-sized businesses and we administer them for them so it doesn't take - they don't have to hire expensive resources. But they don't want to learn all this. They don't want to hire a bunch of technology people. They need humans that they can talk to, rely on that in the event of a situation, of an incident that threatens their business, they've got go-to people, and not everybody can afford to have them in-house. So, that's one of the reasons why we have a business.
Yes, totally. You’ve touched on a lot of good points and a lot to unpack, but I totally agree with you. There really is no excuse for businesses, regardless of the size, not to be proactive about their cyber security efforts, right? Retaining someone like yourself and your business goes a long way. Even some of the simple steps that you mentioned go a long, great way, right? Talking about it, the awareness campaign, that in and of itself is a great place to start, and I couldn't agree more. The password vault, I think that's an easy thing that nearly everyone can implement. I know -
Rick, one thing before any of those solutions, that a lot of regulators are requiring of businesses and is certainly a cornerstone of our business, and it's simply this, a cyber risk, a periodic cyber risk assessment. This is a conversation with cybersecurity experts about how you use technology to take a look at what's happening inside of each business, make some simple recommendations, and make an attempt to comply with those recommendations to protect your business. That's the first thing any business should do regardless of how mature their processes are or what solutions they're already deploying to help them with these problems.
You're seeing folks like the New York Department of Financial Services, the SEC with publicly-traded companies. You're seeing things like GDPR compliance that any financial services company has to comply with, and they're all asking, “Get a periodic cyber risk assessment.” We do that for clients. We make them fast, easy, and affordable. It takes as little as 30 minutes. Everyone should do one once a year because technology use changes very quickly inside of most companies. That's just a way to get a third party to say, “Hey, here's what we see could be problematic for you and here are some recommendations,” and then you can deploy any of those solutions from there.
Did you say 30 minutes? Is that all that it takes to do an assessment like that?
Yes. I mean, my cofounder, Dean's background, one of the things he used to do with one of the companies he worked for was comprehensive enterprise level cyber risk assessments, which would sometimes be multiple month engagements and cost tens of thousands of dollars or more. There would be a lot of discovery, but at the end of the day, the gist of the deliverables would be a few simple concepts in most scenarios. When we created this business, when we were looking at creating this business and saying, “How do we make this fast, easy and affordable for the small, medium-sized businesses who have the real problems?” The NIST principles in cybersecurity form the framework for a lot of these risk assessments.
So, we basically say, “What if we boiled it down to the gist of NIST and make these fast, actionable conversations that everybody can participate in?” We strip the technology jargon out of it and make it totally relatable and pragmatic for small, medium-sized businesses. They're human-driven because there're a lot of folks who post this on the web and say, “Take your own risk assessment and come here and spend as much time as it takes to answer a bunch of hard technology questions without any assistance whatsoever,” and guess what happens? They blow it off. [Laughter] They don't do it. It's like a homework assignment nobody wants, and really, you have to shepherd people through these to get the right answers. So, not only do we recommend people do those, but, really, you're going to see a lot more regulators require that of all businesses, and it's just good basic cyber hygiene. Think of it like a wellness checkup.
That’s a good analogy.
We all do that once a year, and it's not always because we're sick, and we're doing things proactively to make sure that we're managing our health. Not just seeing doctors when we have a problem, but seeing doctors to share data and put a finger in the wind and say, “How's everything going?”
That’s a good idea.
Yes. You touched on one of my favorite topics, which is the human element in technology, right? Hence the name of the show, but specifically the human element in cybersecurity, I think, is something worth exploring a little bit deeper and further. How do you see the balance between technology and the human element in cybersecurity? Because until I met you, I really haven't heard anyone inside in the cybersecurity space talk about the human element. It's all about the tech jargon, which sometimes is even complex for me, and I'm in tech, right? [Laughter] I'm in technology. I'm immersed in it. So, I can only imagine to the average business that isn't tech-familiar, right? Can you talk a little bit about that.
Yes. So, we think this is hugely important and hugely overlooked. If you look, a lot of the young, emerging, hot technology companies with AI on the backend doing something or other and appeasing investors and raising wild amounts of money, they're doing it fast, they're doing it at a distance, and it's increasingly becoming a less human, less service-oriented process. We do this in the insurance business, which is very much a relationship business.
It’s very much driven by human interaction. For the small and medium-sized businesses that work closely with insurance professionals, they go to them to solve business problems. They go to them to reduce risk. If you want to do a great job for them, you really have to meet them where they are. You have to make it relatable. So, we don't focus on tech speak as much as business outcomes when we talk about cybersecurity, and it's a big mistake I think a lot of cybersecurity companies make is talking past clients and over-complicating conversations trying to impress them with all the bleeding edge buzzwords and jargon. So, we do the opposite of that.
We don't see enough people doing it. There certainly is a camp of forward-thinking companies who are realizing results are the most important thing and delivering value is the most important thing to the longevity of the companies that they're building. So, nothing gets results like really good human interaction coupled with the use of technology…
…and I think you're starting to see more thought leadership coming out and being published and talked about on podcasts like this, which I think is a great, great topic to spend time on, which is how do you marry the two? How do we look in this ever changing, fast-moving pace of technology and say, “What are the things that technology does best? What are the things that humans do best, and how do they collaborate?”
Totally. Absolutely. That's something - not to make a plug, but that's something our parent company, Civicom, really prides itself on and was the foundation of our business. If you look at all of our technologies with Pagealive, one of our most recent projects, it's all about bridging the two. Somewhere along the lines, in my opinion, technology companies forgot what the underlying mission was, right? So, we're not just developing technology for the sake of developing technology, but we're doing it for the human element, right? At the end of the day, it's all about the person. It's all about the people we're serving, and it's not always easy, right? Blending those two elements, the human element and the technology element, isn't easy but critical in my opinion. You mentioned the insurance space. Is that the area that you guys focus the most on right now?
Yes. I mean, who TEKRiSQ is today is a company that's making cybersecurity accessible to everybody and helping the industry's agents and underwriters to be able to get better penetration of cyber risk products and services [00:25:00] with the clients who need them because most of the clients need some form of protection. They don't have the right things in place, but the insurance companies have learned that you can't just provide blanket insurance policies to people who aren't doing their end of - holding up their end of the bargain, putting some basic protections in place.
So, they have requirements these days. If you show up and want to buy a cyber insurance policy, you're going to be asked what of these things, some of which I've mentioned, do you have in place? If you have a blank stare, you might realize that you're uninsurable, and increasingly, boards and executive teams are looking at risk seriously, looking at technology risk, looking at their compliance requirements and realizing we have to be involved in these decisions. We have to be protecting the business and we have to have a cyber initiative in place, and in the event that we aren't as mature as we'd like to be, we need to be carrying a sizable insurance coverage for when things go wrong that can threaten our business. Not only to protect our business, but sometimes just to do business.
I can't tell you, Rick, how many people come to the agents we work with, who have decided not to look at insuring themselves against cyber security problems, and then suddenly say, “Hey, I need a cyber insurance policy. I have this big customer that we're closing a deal with and they want me to fill out this data security form to make sure I'm safe to share information with, and they're asking for all the same stuff that you guys said I needed and I don't know what to do, but I got to have this policy in place to do more business with the people I want to do business with.” So, a good cyber risk profile is becoming now the new credit report or the new Dun & Bradstreet. “Are you safe to do business with? Are you protecting customer data? We're planning in this collaboration to share data, and if you're not ready to do that, we can't work with you,” and that in itself, we think, is a good problem because it's the market curing the problem in a way. People can blow off cybersecurity responsibilities as long as they want, but it's going to cost them business, and it's going to cost them more and more business if they're not proactive about it.
Yes, that's a great point, and I actually appreciate that because I feel like it's forcing the necessary hand, right? We've seen this in other industries, even nontechnology related, but wouldn't be surprised if government starts to get involved further. We already have things like GDPR and other compliance regulations, but I really wouldn't be surprised to see that broadened in the nearer future because part of digital transformation is everything becoming part of the internet of things, going digital. So, I definitely think we're going to see a little bit more of that forcing of the hand, and I think it is ultimately for a greater good. Now, with that said, as we look to the future, what do you believe are the biggest challenges and opportunities in the realm of cybersecurity? I know you've already alluded to some of them.
Well, look, there's a lot of discussion today about war exclusions and nation state hacking, and frankly, those are big issues that have enormous impacts on very large companies, but where we're focused on is serving the small to medium-sized businesses, the underserved and overlooked side of the cybersecurity market, and they have more pragmatic risks. They're not likely to have their business destroyed by a nation state hacking event between China and the United States. It's more likely somebody is going to discover their credentials and study their business and look for the right opportunity to pounce and hit them up with an EFT fraud incident or something like that. So, education and helping people get started, we think, is the number one thing that needs to happen. Some of the regulators believe that the way to teach people that is to start increasing the fines and delivering a beating stick to the market, and that can be effective in some ways, but it can also be a real threat to business which isn't what we want to do, right?
Sure. Yes, it's a fine line.
We think that the more human of a process it becomes at a time when they're already looking at protecting their business, that's one of the reasons why we focus on the insurance space. Small businesses go to their insurance agent to carry certain things, to buy certain insurance products, to protect them in a basic way from general liability and workers’ comp to other simple issues. When they have that conversation, they also need to be having a conversation about what they're doing to protect themselves in cybersecurity. Too often the answer is, “Oh, well, we don't really know. I mean, we're a small business and not really a target and have our stuff in the cloud. So, there's probably not any risk of that,” but those, of course, are all myths. So, at that time, it's important to bring them into some quick, efficient education.
That's why we think a human-driven cyber risk assessment is the beginning of that process and it has to be positive, professional conversation that is filled with helpful suggestions and delivers quick value and then becomes actionable. When we deliver the recommendations of our risk assessments, we're also making it easy for them to buy and deploy the solutions we recommend so that there's not a whole series of hurdles to get started in this, but it becomes rather easy. Then from there, you can educate people more thoroughly with products like security awareness training and things like that. But I mean, to answer your question, we think getting in front of people and talking pragmatically in ways they understand about why this is important to each individual business, making it relatable, using industry-relevant storytelling, these things are what motivate people to take changes and to put their money where their mouth is.
Absolutely. I couldn't agree more and I really admire and respect what you guys are doing, especially, with the human element, right? Because it is something that's complex and being able to not boil it down, but meet people at face value, at the human level, I think goes a long way. The fact that you guys are making it easy for them, comparatively speaking, of doing it on their own is nice and I think people should reach out to you guys, and I urge people to do that and take advantage of what you're doing because I haven't seen a lot of companies out there doing quite what you guys do, especially at the human level. With that said, what is one message or piece of advice you'd like to leave our listeners with regarding cyber security in a digital transformed world? I think I know what you're going to say, but I want them to hear it from you.
Okay. I hope I'm not that predictable, Rick. [Laughter]
Well, you made it. Go ahead. [Laughter]
I would say this that you have some important relationships in your business that can help you in this area. Reach out to your insurance agent and say, “Hey, do you have any way to help me determine where I might have problems?” They should be well-versed in this, and if they're not, that's okay. We certainly work with a large national network of insurance agents who are very good and effective at this, and they use our process as a way to help their clients, but I think a lot of people are becoming aware that they need to do something in this space, that they're flying blind. If you are, there's some really good solutions in place.
We're not the only folks out there who provide any of this stuff, but I'd recommend finding somebody qualified to speak with and assess your business in one way or another. Many times, we make it free through our channels, our insurance agents that we work with, and do it kind of as a fact-finding mission that becomes a moment in time where we kind of start at the baseline. Where is there risk in your business? I think everybody should start to do that and, at least, get curious about the topic. It doesn't mean that you have to start this expensive initiative or this huge time-consuming thing. If there's one thing that we're really focused on and a lot of the industry is, is efficiency and making this an easier thing to do, but you got to protect yourself in this area.
I think a lot of businesses have skated by with a lot of luck not being breached today, but it's becoming almost impossible not to be detected as a target and the tools to sniff out all of your businesses that are running in the background and determine when the right time to pounce is, you're being profiled whether you know it or not and nobody goes to war with zero defense. You've got to be prepared. You got to be ready for when someone is trying to steal from you, and lots of people are, so get curious about it. That would be my advice.
Awesome. Well, I appreciate it, Bill. [00:35:00] Is there anything else you want to add? I think you covered all the bases of my questions, and I really truly appreciate it, and thank you for joining us.
Yes, I mean, the only thing I'd like to add is we've been talking about the human topic quite a bit, and we're constantly looking for better ways to meet people where they're at and become more accessible with human beings who can help them every day. That's one of the reasons why we're building out things like our website to instantly be able to have video discussions with humans and get some expertise that leads to products and services that you might be interested in looking more closely at. I think you're going to see a whole lot more of that.
I think you need to, and I think for too long we've been trying to automate everything and have machines do things and it's leaving people in the dust. The technology of the future is the marriage of humans and artificial intelligence to help businesses do all the right things to protect themselves. It's the judgment of humans that you want anyway when you go to experts, and it's what people should look for in cybersecurity.
Well said. Well said, and I couldn't agree more. Well, thank you. Thank you again for joining us, Bill. I really appreciate it. I'm sure this won't be our last conversation by any means. So, thank you everyone for joining us today on the Future Is Human Podcast. We're going to keep exploring the intersections of technology and humanity and what it means for our collective future. See everyone soon. [Music]