Episode Transcript
[00:00:18] Speaker B: Welcome to Ever Changing Technology. I'm your host, Jim Bradfield. And this show is all about helping you adapt, lead, and thrive. And in a world that's moving faster than ever, you know, whether you're a business owner, tech enthusiast, team leader, or whatever, we bring you the insights to keep up and get ahead.
Today's conversation is one every regulated business leader needs to hear. How do I adapt and navigate complex cybersecurity compliance requirements? You know, with clarity and confidence?
How do I find expert guidance to carry us through the treacherous waters? You know? Our guest, Mike Semel, knows exactly how to answer that. Mike is the leader of Semel Consulting, a compliance and business continuity expert. Mike calls himself the compliance-ologist. Pretty cool word there, Mike. I like that.
A certified specialist in cybersecurity and compliance, Mike's group helps clients build business continuity plans based on international standards. Mike's team skills are based on formal training and certification as well as decades of firsthand experience. And my team and I actually collaborated with Mike's team several years ago on an insurance audit for a healthcare organization that thought they had all their bases covered until there was a data breach. And we'll talk about that one later.
Mike, welcome to Ever Changing Technology.
[00:01:48] Speaker A: Thanks, Jim. It's great to be here with you again.
[00:01:51] Speaker B: Good.
So the problem facing many in the audience is they thought they had excellent operational and security standards, but when breaches happen, audits prove otherwise. So, like driving, which requires that we follow rules, including stopping at stop signs. Have we identified all the cybersecurity requirements we have to meet? You know, often the list includes a lot of requirements at once. So, Mike, what are some of those requirements?
[00:02:20] Speaker A: So, Jim, when you said owners of regulated businesses or leaders of regulated businesses, a lot of businesses don't think that they're regulated.
So we know that they're the ones with really tough regulations like HIPAA and the financial service regulations and defense contractor regulations. But in the United States and in most countries around the world, every single business is subject to at least one regulation.
Here in the United States, state data breach laws protect Social Security numbers. I have never met a business owner that didn't have the Social Security numbers for the employees. And even people that work for them that aren't employees, contractors, you have to have their Social Security numbers.
People don't think that cyber insurance policies are regulations, but when you fill out the application and you send it in, you've committed to implementing the cybersecurity that's on the insurance application.
And then we're seeing more and more contracts between two different businesses that have cybersecurity requirements. So a corporation hiring a law firm will put in the contract for the law firm, you need to secure our data.
And they do that as part of the contract because they want to be able to sue the law firm if there's a data breach and their sensitive information gets lost. We see it with funding sources. We work with nonprofit organizations, and when they get funding through a state agency or some foundation, there's often cybersecurity in the contract.
So when we think about regulations, it's not just laws.
It can be anything that someone else makes you do.
[00:04:12] Speaker B: Wow. I mean, I. I guess if I had a business and I didn't realize I was regulated, I think I would.
I would probably cry once I found out that I was, man. So, you know, I guess listeners, you got to really make sure. Have we measured our cyber security against our requirements to assure everything is aligned? And Mike, you know, how do they go about that?
[00:04:40] Speaker A: The first thing you have to do is understand some of the rules, but you don't have to become an expert in the rules. So going back to that idea about stop signs, if the person that taught us how to drive, taught us how to hold the steering wheel and taught us what the brake pedal did and the accelerator pedal, and you and I are old enough to remember what that third pedal did, the clutch pedal, but a lot of people don't know what that is anymore, how to put the car in gear.
So if they just taught us that and then said, let's go driving, what did they miss? Well, what do you do when you see a stop sign? What do you do when you see a traffic light or a school bus?
What do you do in the different colored lane markings and the signs in parking lots about, you know, who's allowed to park in what space?
We had to learn those things, but we didn't have to be an expert in the law.
So the first thing is, what is it that we're required to do? And the first requirement for all the businesses, since I just said every state has a data breach law, is to understand what your state breach law is. But also, the way that the states have implemented them, they determine your responsibility to comply with their law based on whose information you have in your system.
So if you're in the Connecticut or New Jersey area and you have information about New York residents because they come to your organization for their. For your products or services, the New York attorney general says, well, if you breach, if you have a data breach, you have to follow New York's breach law. Some of the breach laws simply say, here's what you do if you have a breach. Others, like Massachusetts and Florida and California, say, here's what you must do to protect the data.
So that's the place to start. But if you're in health care, you have to understand what HIPAA requirements are. If you're accepting Medicare or if you're working with private health plans, those contracts require HIPAA compliance. If you are in financial services, and they've broadened the term, we think of a bank as a traditional financial service or an insurance company. And of course they are. But car dealers are now under the listing of financial services, try to get out of a car dealership without filling out the credit application. Right.
So that's now considered a financial service. College financial aid offices, lenders, tax preparers, believe it or not, who's got more Social Security numbers than anybody? Tax preparers. They weren't covered by a federal law. Now they're covered by the FTC safeguards rule.
So this is where we've seen things changing, and my advice is either work with an attorney or an accountant or a consultant that knows these things and pays attention to them to keep you out of trouble.
[00:07:37] Speaker B: Awesome. So consultants like, oh, say, Semel Consulting, for example.
Yeah.
[00:07:43] Speaker A: What we do most of the time, people will come to us and say we need help with HIPAA or something specific, and we're the ones that have to explain to them, well, you're in Florida, so you also have to comply with FIPA, which is the Florida Information Protection Act. Sometimes they don't know that.
[00:08:03] Speaker B: I wouldn't have known that. Yeah, that's. That's pretty.
That seems overwhelming. But, you know, with audits and investigations and lawsuits after the data breaches and all the ransomware attacks and things like that, they start out with a document demand, right. From somebody. So how do they make sure. How do people make sure they have the documentation to process, prove what they were doing and that they were doing the right things?
[00:08:28] Speaker A: It's a challenge because I used to run an IT company, and when we performed services, we would just put some basic information down in the ticket. You know, somebody requested a service, we had a service ticket. We'd put down what we did and it would stay in the ticket. The problem in today's world is that a lot of times the data breaches will go back months or even years to where the hackers entered a system, and then by the time you get the ransom note or your information appears out on the dark web for sale, the investigators from the insurance company will come in and look and say, hey, they entered your system 10 months ago. So we need to see all your security reports for the last 12 months.
I can print one for today, but I can't go back any more than you could go back and say, prove your, your weight or your physical fitness from a year ago. But if you had been keeping records, you would have that to provide.
So the first thing is that whether you have an internal IT department or you're outsourcing your cybersecurity to an IT managed service provider, in my opinion, it's worth paying them to produce monthly reports that you can create and store in a library.
So if you're audited, investigated or sued, you have the data to protect yourself. The worst case scenario in my mind is you did everything right, but you don't have the documentation to prove it. That's. That even hurts worse than if you screwed up and did everything wrong.
[00:10:05] Speaker B: Wow. I mean, and so I guess the thing about that is that businesses that are relying on outsourced MSPs, managed service providers, you know, what happens if that kind of thing happens and the MSP, who has a contract with them, doesn't keep that data?
Are they, are the customers responsible for handling that data themselves?
[00:10:30] Speaker A: Ultimately, the customer is always responsible unless there is. Unless the managed service provider has included in their service in the doc, you know, in the contract that we're going to provide you with documentation and they don't do it.
But when I was a managed service provider, I go way back to when there weren't that many regulations or that many regulated clients, we were not providing the documentation. Once we saw that these regulations were coming into effect, HIPAA, for example, in 2005, when the security requirements came in, we went to our healthcare clients and we said, you're paying us to secure your network and we're doing it, and we can prove we're doing it. What we're not providing you with is all this documentation that costs money. We have to take time.
If, if you were doing something and it takes you 15 minutes, it can take you another 10 or 15 minutes if you had to write down every step that you had just performed. So it can sometimes take hours and hours to create documentation.
We said to our clients, you need it, you're going to be the ones that need it for an audit. We cannot produce it for 10 months ago the day that you ask for it. Here's what it costs, and some paid and some didn't. And I remember one client who said to me, we're getting audited. We need all this documentation.
And I said, hey, Jeff, we offered it to you, but you didn't take it. In fact, I had you sign a letter saying, we offered it to you and you didn't take it. Because he didn't want to pay us X number of dollars a month for the documentation.
And it ended up costing him because it was his burden to prove that those things were being done. He was paying us to do them, and we did it. But he didn't want to pay the extra fee for us to create all the necessary documentation. It shouldn't be assumed that it's included.
[00:12:26] Speaker B: Wow. I, um. So basically what you're saying is you better make sure that you've got a contract with your IT professionals who are supporting you or your MSP or whatever you want to call that.
So, you know, just real quick, are there any shortcuts to providing compliant IT services or adding those things for guys like us who are doing IT consulting as well?
[00:12:55] Speaker A: Yeah, there are. And I hear almost every day from one of the IT professionals who says, look, I really don't have time to learn all these things and I want to just stay doing it. I don't want to become like a compliance consultant and have to learn all the things about HIPAA and the Federal Trade Commission rules.
So there are frameworks. So we have laws and regulations, and then we have frameworks. So the Center for Internet Security, CIS, has what's called the CIS Controls. NIST, which is the U.S. federal government's National Institute of Standards and Technology, has several frameworks. They have the Cybersecurity Framework, which uses simple English to describe it. It's the Cybersecurity Framework, what's called the NIST CSF. They also have another publication that's not so friendly in its name, NIST 800-171. That's the framework for defense contractors. And then they have 800-53, which is for government agencies.
So if you're a small business, you should implement either some of the CIS controls and they have implementation groups.
So if you're a small business and you don't have a lot of risk, you can put in a basic level of cybersecurity, then you can work your way up. The challenge that we have in my consulting business is that we'll have somebody like a small medical practice that says, well, we're just going to implement the real basics. It's not that easy, because HIPAA has specific requirements, so you can't just wing it on your own.
But there are ways for managed service providers and IT departments to implement cybersecurity according to a framework that will align with the HIPAA requirements. The problem with the frameworks is that they have all these cybersecurity requirements in them. But if you read the HIPAA rules, there are some additional things, like you have to train your employees in HIPAA. That's something extra that you still have to do.
[00:15:05] Speaker B: So, Mike, we'll continue that in the next segment because it's really interesting, it's very detailed and I really appreciate you being thorough here.
So coming up next, we're going to look at what happens when a healthcare organization fails an insurance audit and how to turn setbacks into solutions.
And we're back. I'm Jim Bradfield and this is Ever Changing Technology here on NOW Media Television.
Welcome back to Ever Changing Technology. You want more of what you're watching? Stay connected to Ever Changing Technology and every NOW Media TV favorite live or on demand, anytime you like. Download the free Now Media TV app on Roku or iOS and unlock non-stop bilingual programming in English and Spanish on the move. You can also catch the podcast version right from our website at www.nowmedia.tv.
From business and news to lifestyle, culture and beyond, Now Media TV is streaming around the clock, ready whenever you are. We're joined again by Mike Semel, a leader who's helping businesses, health care facilities, government departments, and really any regulated organizations develop their compliance and business continuity plans for state data breach laws, credit card security, contractual cybersecurity requirements, and really, the list is endless. Mike, in this segment, we're going to discuss what a healthcare provider does who has just failed their insurance company audit.
So the problem facing many in the audience is that a failed insurance audit feels catastrophic. And it often reveals deeper compliance gaps tied to HIPAA, state laws or contracts. So really, I guess, Mike, the concern is, what's the value of your policy? Right. If you have a one million dollar policy, you've got a one million dollar problem. Two million dollar policy, you have a two million dollar problem. So it's important to know the risk. So could you kind of address that a little bit for us, please?
[00:17:13] Speaker A: Sure.
So, Jim, anything seems expensive until you find out what the downside risk is if you don't do it.
Okay. Whether it's our health or, you know, taking care of our cars and things like that. So this is just generally in life: why do we maintain things? It's so that they don't break and that they don't cause problems or in some cases hurt us. So when it comes to failing a security audit by an insurance company, first of all, most insurance audit failures are based on what I call self-inflicted requirements.
When you fill out an application to buy insurance, and we're talking cyber insurance, it asks you questions: do you use multi-factor authentication on all your systems? Do you encrypt data?
Do you have a firewall? All these technical questions, and in many cases a business owner doesn't really understand the terminology, so they'll bring in an IT managed service provider or an IT professional to help them. The challenge with that is that those IT professionals are always thinking about the systems they manage.
So we've worked with a lot of businesses, healthcare organizations, that outsource services to IT managed service providers. So when they're filling out their application and it says, do you use multi-factor authentication and all those things, the answer comes back, oh yeah, we've got it set up on Microsoft, but all the patient records are in a different system.
So this is one of the ways that we have seen companies, healthcare providers, fail audits, because they read the question as, do you use, like, multi-factor authentication? And you say, yeah, we're using it on this one system. So the answer is yes, but the insurance company is thinking you're using it everywhere.
So the first thing is, if you know what your policy is worth, you know that $50,000 is a lot of money, for example. But if $50,000 is going to give you $2 million of insurance protection, that may be a different discussion.
And as you said, the questions on the insurance policy, if you fail that audit, my question to the health care organization is, are you also failing your HIPAA audit at the same time because the requirements are similar, your PCI audit because you take credit cards and there are data security requirements for data or for card processing and do you have contracts that require cybersecurity?
So an insurance audit failure could actually be a symptom of a much bigger problem.
[00:20:02] Speaker B: Yeah, and one of the things that happened when we worked with your team on a Southern California healthcare provider, you know, they had a giant breach and got a 25 million dollar bang from, you know, the authorities. And there they said that they had a program and they gave the program to them. It may even have been a program that you developed. I think it was, it was very, very, very thorough. And it turned out that they hadn't actually checked on their stuff internally.
So one of the things that had happened is instead of air gapping, which, you know, is obviously the key for any kind of data that is too sensitive to be, you know, left on the Internet.
One of the, one of the IT guys had opened a back door and left that back door open so that he could call in from home and, and, and, and access all their data from, from his house. Well, that's great. You guys had put together some awesome security for these guys and yet there was no security at all at his house. He had no firewall, he had no security, he wasn't even using anything on his computer. So boom. Bob's your uncle now. They got a data breach, they breached his stuff and they, they caused the $25 million. Ouchy. The insurance company came back, if you recall, and said, hey, you know, we're covering this. And then they did their own audit and brought you in again to take a look at it and whoops, turns out every back door was, was open and you guys had us come in and help fill that out. And so that's really a big deal. And I guess, you know, for the viewers, I mean, that's the kind of thing, right, where audit failures just, just happen because some human error. Isn't that mostly the case?
[00:22:01] Speaker A: It's human error or it's, it may not be an error, it just may be sloppiness or somebody trying to take the shortcut.
So an error is actually, insurance can protect you against an error, and they'll look at an error and say that was a one-time accident, something failed. You know, a machine didn't get its patches or updates and it became vulnerable. But everybody did the right things. What you described is not an error. It was somebody doing the wrong thing, not undoing it. If they needed to get access for five minutes, they left the door wide open. Imagine leaving the door wide open to your house or your office for that amount of time and then trying to claim on your theft insurance that your alarm was on and your doors were locked and all those things. That's unfortunately some of the things that we find when those happen. We had an IT managed service provider that was supporting one of the healthcare clients.
And I called up the president of the company and I said, hey, the servers are missing all these critical security patches and you know, I need you to double check this because we use these tools that go under the skin to look at that stuff. And he called me back and he was so angry. He said my senior engineer decided that he didn't think that Microsoft's critical patches were all critical.
So he stopped doing them.
And this guy was so mad because in his contracts with his clients, it said that they implement all the Microsoft security patches within 24 hours.
So they had to go and catch up on that stuff. But it's as simple as this.
When you've got that much risk to your data, to lawsuits, to insurance failures, have somebody verify and make them prove it. So getting monthly reports to show these things, you may have an issue for 29 or 30 days, but at least you can catch it and fix it instead of having that issue for six months.
[00:24:09] Speaker B: Yeah. And really, Mike, that's really what you guys do, right? I mean, and that's absolutely, you know, just your wheelhouse. So, you know, for anybody who's really looking for aid in their cybersecurity and regulatory compliance issues, how do they get in touch with you?
[00:24:30] Speaker A: Well, we've got a simple website. My last name is Semel and we are Semel, Semel Consulting. So you can go to Semel Consulting. You can see what we do. If there's anything that we might be able to help you with, we'd love to. We work with a lot of IT managed service providers. We don't sell IT products and services, so they refer us to their clients. We go in, handle the compliance. We do business continuity plans.
And then if the client does need to buy something, it's not because we're trying to sell it to them. It's because we're telling them you've got a gap.
And then we send the business back, or we send the client back, to talk to their managed service provider. So it's truly a win-win.
[00:25:12] Speaker B: Yeah, that's amazing. And I can really vouch for him personally because, you know, I've worked with these guys, and everybody that we've ever spoken with in this business says, man, Semel Consulting is just the cat's meow.
So really, you know, we really appreciate you being on the show. And up next, I want to talk about preparing for the inevitable data breach. These are things that are going to happen. It's not if it's going to happen, but when. So we want to talk about how your company continue to operate through chaos.
And we're back. I'm Jim Bradfield, and this is Ever Changing Technology here on NOW Media Television.
Welcome back to Ever Changing Technology. Still with me is Mike Semel, and we're discussing in this segment business continuity planning. So the problem facing many in the audience is believing they can avoid breaches entirely, when in reality the key is preparing to recover quickly and legally. So the average downtime, I guess, from a ransomware attack is 22 days, right, Mike? I mean, that seems like a long time.
[00:26:25] Speaker A: Oh, it can be a really long time when you can't deliver your products and services for 22 days.
[00:26:31] Speaker B: Yeah. And. And I guess, you know, one of the things that you told me before is that Jaguar Land Rover was down just recently over a month after from a cyber attack, and they lost production of 1100 cars per day, I guess.
So how do you make sure. When you get brought in, how do people make sure that they get a good business continuity plan so they can deliver their critical products or services during that IT outage?
[00:27:01] Speaker A: Well, Jim, it's bigger than IT. It could be a lot of different types of outages. So the reason I'm saying that is that if you just focus on IT and you look at servers and backups and email and all the data flow, sometimes it's a lot more than that. It can be a power outage or an outside communication outage where it's not the IT, but it's linking to the rest of the world.
Business continuity planning is something that every business has to do, and here's why.
You're not going to be judged based on having an incident unless you were really negligent. Where you get judged is how long it takes you to recover.
And when you look back at the CrowdStrike incident, when almost every business in the country was affected, the two companies that are still in trouble over CrowdStrike: one, you would imagine, CrowdStrike, right?
[00:27:58] Speaker B: Yeah.
[00:27:59] Speaker A: The other one is Delta Airlines. And the reason that Delta is still in trouble over the CrowdStrike incident is they took longer to recover than all the other airlines, and the finger got pointed at them. You didn't have a good recovery plan.
So this is where customers judge you, regulators judge you, lawmakers can judge you, but it can kill your reputation. So when we do business continuity planning, we tell our clients, you can't prevent the incident from happening. You should try. You should try everything. But we've got a place in Florida, and we were hit by two hurricanes within 11 days last year.
So as much as you can do to prevent it, things happen when it comes to data breaches. It's how fast can you recover, how prepared are you? There are legal ramifications.
So depending on the type of data that's lost in the data breach, the data that did get breached, you may need to notify state regulators, federal regulators. We have a small insurance agency in Florida, just a local one-location insurance agency.
We asked if they had signed any contracts with cybersecurity in them, cybersecurity clauses. And they said no. I said, well, you'd be the first agency that we ever worked with that didn't have contracts. Please look. They came back with 73 contracts with cybersecurity clauses. You know what everyone said? If you have an incident, you need to notify us.
So we had to build an incident response plan. Not on how to, like, recover backups and stuff, but if you had an incident, how do you notify? Who do you notify? Like, what's the phone number? What's the email address to let these contractually obligated partners know that we had an incident? So you're not breaching your contract.
Those are the hidden things. When it comes to incidents, there are legal requirements to notify the people whose data was taken within certain time frames.
So this is where, again, companies have gotten in trouble.
You do everything you can to prevent the breach, but what you really need to do is shorten the time to recovery, make sure you're aligned with all the legal requirements.
Again, people will forgive you or understand that even the best companies, large companies, Jaguar Land Rover, government agencies, the Office of Professional Management for the United States Government was breached. But it's not just were you breached, it's were you prepared to respond properly.
[00:30:49] Speaker B: Yeah, that's.
That's actually.
Wow. I mean, that is scary. So, you know, again, what we're saying is it's not if, it's when. And, you know, you've got to make sure that you've reviewed everything with your regulations, your contract agreements, you know, go through everything. Right. I mean, that's kind of the big deal. That's what I'm hearing you say, is even insurance companies don't even know that they have requirements, and they put in cybersecurity for those things, and they don't have a response, a way to do response. I mean, that's just, you know, that's amazing. And then, so if you, if you.
[00:31:30] Speaker A: Have a cyber insurance policy, you need to stop when you have an incident long enough to find out. And you may need to bring a lawyer in to find out if you can recover. I mean, it seems logical. Let's just go recover from the backups. However, your network is a crime scene. Remember that hacking is a crime. Your network's a crime scene. The forensic investigators may need to create evidence for a civil lawsuit or a criminal trial, and they need to check systems to make sure that when you recover your data, you're not bringing the same malicious software back in for the next breach. That's happened to a lot of organizations. They recover and they bring in the same malicious software, and then they go down again immediately.
[00:32:19] Speaker B: Yeah, I guess that's so in, you know, reality, it's not just reviewing the laws and regulations and agreements and things like that, but it's, it's reviewing your networking systems and making sure that you didn't just bring the system same bad guys in. I mean, that's a, that seems like a really big deal.
You know, do you find that there's like repeat offenders for things like this, that people just don't learn and they bring that thing in and boom, they're in trouble again?
[00:32:49] Speaker A: Yeah. In fact, there was a HIPAA penalty last year, the year before, for a company that was breached on a weekend. They recovered, they were breached the next weekend, they recovered, they were breached the next weekend.
So my response was, well, they should change.
Slow learners.
[00:33:07] Speaker B: Happy Halloween. Right? Oh man.
[00:33:09] Speaker A: Yeah, it was something. But, but this is, I mean, how did the hackers get in? They put malicious software in that gave them the back door into the network. That's why the forensic investigators need to identify how the breach happened and then they have to remediate that so that you can bring systems back up and they're clean.
[00:33:29] Speaker B: Yeah, remediation, I guess, is really the key to everything. And I guess, you know, it's very thorough. Right. I mean, just how long does something like this take?
[00:33:38] Speaker A: Well, when we're in the IT business, we hear all the vendors, these online backup vendors, and we hear managed service providers say, oh, we can press a button and recover you. And we use these air gapped systems and all that. But the problem is, I'll go back, that the endpoints, the computers on people's desks may be infected and they need to be checked to make sure they're clean. To be brought back in, you may need to get lawyers involved because when you have a breach, the IT people, whether it's an internal IT department or an outsourced managed service provider, think of it as a technical problem that they can solve.
They don't always appreciate that a data breach is a legal problem and an insurance problem.
And if you do everything to recover and you recover fast, you go back to your insurance company and they say, we're not paying your claim for your downtime, then you've lost and you may not get insurance again. Insurance companies have lawyers that they have already contracted with that are ready to help. They have forensic teams that they've contracted with, believe it or not. You remember the Denzel Washington movie where he was negotiating with the little girls kidnappers.
Insurance companies have ransomware negotiators who can negotiate the ransom with the hackers and even get a little bit of the data back, the proof of life, to know that they really can recover the data and then they'll get the they may pay the ransom. That's up to the insurance company. Even though the FBI says don't do it, sometimes insurance will pay.
[00:35:21] Speaker B: Well, you know what, in coming up, we're going to wrap up with Mike's final insights on cutting through the noise and figuring out how to take care of all that kind of thing. So clarity and compliance and building true resilience.
And we're back. I'm Jim Bradfield and this is Ever Changing Technology here on NOW Media Television.
Welcome back to Ever Changing Technology.
Don't miss a second of this show or any of your NOW Media TV favorites, streaming live and on demand whenever and wherever you want.
Grab the free Now Media TV app on Roku and iOS and enjoy instant access to our lineup of bilingual programs in both English and Spanish. Do you prefer podcasts? Listen to Ever Changing Technology anytime on the Now Media TV website, www.nowmedia.tv, covering business, breaking news, lifestyle, culture and more.
Now Media TV is available 24/7, so the stories you care about are always within reach.
So we've been unpacking big questions with Mike Semel on how to successfully navigate regulatory compliance issues and develop cybersecurity business continuity plans.
Now we're closing out with how Semel Consulting can assist you in developing strategies to navigate those treacherous compliance and continuity waters.
So the problem facing many in the audience is confusion, misinformation and the belief that hope alone is going to protect their business, when real strategies are what's needed. There are many so-called experts that have no formal training or certification.
Mike, can you expound on that situation and what Semel has to offer?
[00:37:20] Speaker A: So let's talk about formal training and certifications for a minute. There are a lot of people in different industries that have come up through and just learned, you know, from the seat of their pants, and they have good knowledge.
But I've been in the IT industry for over 40 years, and what I've discovered, in some cases the hard way, is that those people did not have the right training, and they built up 10 years, 20 years, 30 years, 40 years of bad practices. So I've always valued formal training, and we're not talking about college degrees. In the IT world there are a lot of certification programs where you can go and get formal training. There are organizations like CompTIA and ISC2 and ISACA, the Disaster Recovery Institute, the Cyber AB if you want to get into CMMC, which is a certification program for defense contractors. So there are these organizations that have formal training, and they may not deliver the training. These may be just the testing and certification organizations, and they license training centers.
But what I found is that the people that go through the training and get the certifications had more value to me when I had my IT company, and what I see in IT departments, than the ones that say, well, I've been doing this for 20 years. That's nice, but I want to make sure you're doing it right.
From the beginning I've believed in getting my own training. So when I learned about HIPAA in 2004, I went and got a HIPAA certification, and then we started delivering HIPAA-aligned IT services.
I then in 2006 got certified for business continuity planning.
In my non-business life I was a rescue captain in a fire department, and I was the Red Cross Disaster Services senior executive in our region, and I worked on the IndyCar Rescue Team for 19 years. So I had an emergency services background, and I leveraged that and my Red Cross experience into this business continuity certification. I used to think business continuity planning was buying a plan and filling out some phone numbers. There are 10 steps to business continuity planning, and we've been able to help businesses not by understanding what their businesses do, but by understanding the planning process and then going into their businesses and applying it.
That's different than people that say we're going to do a plan and then they just fill out the basic phone numbers.
So that's an example of where the certifications come in. So I maintain certifications in cyber resilience and in CMMC, which is for defense contractors. I've written a certification course for HIPAA, and that qualifies nurses and doctors for continuing education credits.
So I think that's what separates the pros from the wannabes, which is to be able to prove that you have the knowledge through certifications. Of course you need to have testimonials, experience, all the other things. But the certs are what really differentiates you.
Every time we touch a client site it is with a certified professional and we guarantee that.
So we don't do anything that is not according to some rule or regulation. And what that does for us is it gives us legal protection, but it also gives our clients protection if they were ever sued or if they were investigated by a regulator, which happens regularly, not because of anything bad, but just because regulators do audits.
And our clients have all passed the audits. That is what separates us from others, and that's what we're proud of.
[00:41:24] Speaker B: Well, you know, that's a very impressive background, and I really can appreciate that. And, you know, it's interesting that a lot of our.
A lot of people that have been on our show recently have been firefighters and, you know, disaster recovery people and things like that. And they have developed, you know, these kinds of things into, you know, understanding the physical part of that, you know, makes them think about it mentally, I suppose. And so they're looking at that in the bigger picture, and they can see those things where others of us just can't.
[00:42:02] Speaker A: Yeah. As I say, they call them disasters for a reason.
And one of the things we've learned about business continuity planning is that it's never exact. We can plan for a particular type of incident, and maybe what really happens means that we can apply 80% of that particular plan. So, you know Mike Tyson's old line, that your plan lives until the first punch is thrown. Right.
So when it comes to business continuity planning, think about that and don't think, well, you know, we don't need a plan because it's never going to be accurate. Think about the stress and the pressure you're under in those time constraints to recover quickly, and that you don't have to make 80% of the decisions. You only have to make 20% after the event happens. And if you have a good plan, that is solid gold. And we've helped clients survive Superstorm Sandy.
We had a client on Long Island that was the largest federal credit union. It was the Bethpage Federal Credit Union, which is now the Four Leaf Credit Union.
They got hit. And we had built in to their plan that if there was a hurricane coming, they could get a fuel truck delivered to their parking lot to be parked next to the generator.
The local power utility said they'd be down for three days if there was ever a hurricane. They were down for 12 days, but they had power.
We helped a company recover from the Joplin tornado, and the Joplin tornado ripped the whole town apart. There's a documentary on Netflix, and there's a lot of information you can find about that.
But they told us that we shortened their recovery by two weeks.
That's what I'm talking about when it comes to planning. You cannot avoid Superstorm Sandy. You can't avoid the Joplin tornado. But we were able to cut the recovery time in half. That's solid gold.
[00:44:08] Speaker B: Yeah. You know, and that's remarkable. And I guess one of the things that you can.
[00:44:13] Speaker A: What.
[00:44:14] Speaker B: What happens is people don't want to spend money for these kinds of things. Right. And I guess, how do you get it across that it's really a valuable expenditure for them to develop these plans and to put somebody like you into position to make sure that they're safe and sound?
[00:44:37] Speaker A: I use the same logic that my doctor uses with me.
So I went to my doctor one day and I showed him some pictures of my young grandsons.
And the doctor checked me out, checked my weight, checked my cholesterol and everything. And he said, well, you need to make some changes. I won't get into what the changes are.
But I looked at him and I said, you know, that's like inconvenient or something. He says, you want to watch your grandsons grow up.
So he made it personal.
We did a business continuity plan for a company that works with some very large companies here in the United States that everybody would know. And this was a supplier to a bunch of these big companies.
And they said that they got a demand from one of the big companies that they have a business continuity plan that meets the international standards and everything we do is according to the international standards.
So as we were talking to the company owner, he was complaining about the price and how expensive this was. He just wanted to just keep focused on his business.
And I said to him, is it a mistake that your last name is in the company name?
And he said, well, no, it's a family business. And I said, well, how long do you want it to last? You want it to last to the next generation?
And he said, well, yeah, I want it to last for the next 50 to 100 years. I said, forget the fact that one of your customers is demanding you have a plan.
What makes you think your company's going to survive any sort of disaster if you don't have a plan? And then what is your family and your next generation and the generation after that going to do to earn a living 50 years from now?
[00:46:19] Speaker B: Right.
[00:46:20] Speaker A: That changed his whole approach.
[00:46:22] Speaker B: So basically what you're saying is hope is not a strategy. That's very clear. And so what's your final advice? We've got about a minute. What's your final advice to companies that are in need of your services?
[00:46:35] Speaker A: So I look at the world through the risk prism, and I'm not an optimist. I'm a pessimist by nature. I mean, I worked in disaster services. I worked in the fire service, worked on the IndyCar rescue team. We had to plan for the bad things that were going to happen so we could recover from them.
So my advice is every day is not rosy. We see bad things happen to people in other places every single day.
And what we need to do is assume they're going to happen to us and be prepared.
[00:47:08] Speaker B: Perfect. So, Mike, this has been really insightful. We really appreciate it. So where can people learn more about your work and connect with you for guidance on compliance and resilience? Visit...
[00:47:21] Speaker A: SemelConsulting.com, S-E-M-E-L consulting.com, and there's a way to contact us through there. There are descriptions of the different products and services and the types of clients that we work with. And we'd love to talk to you.
[00:47:36] Speaker B: Perfect. So Mike, thanks again for joining us today. You've really shown us that compliance and cybersecurity aren't just about avoiding fines or passing an audit. They're about protecting your business and people and legacies, especially, right, the family legacy. So for our viewers, remember, in a world where cyber threats are constant, preparation, resilience and action will always outshine fear and hope.
I'm Jim Bradfield. This has been Ever Changing Technology on NOW Media TV.
Stay prepared, stay secure.
And join us next time for more insights into the future of business and technology.