Transcript Insider Threats
00:27 hey good afternoon everybody happy
00:29 Friday uh it’s a little cloudy kind of
00:32 gross here in New Hampshire uh we’re so
00:35 excited to have our good friend John
00:37 back um uh Tim golden founder of
00:41 compliance scorecard where we help your
00:43 MSPs operationalize the governance risk
00:46 and compliance pieces within your
00:48 business uh let’s see Mr Tim how are you
00:53 today doing doing great doing great and
00:56 uh really excited about this episode
00:58 John Pryor and I uh former colleagues uh
01:02 I got an extra r on my name
01:04 there I’m fixing
01:07 it uh you know I like for the emphasis
01:11 um but John and I used to work um at a
01:14 company called ICAP Ocean Tomo which was
01:17 known for its uh patent and IP auctions
01:21 that were really bringing together all
01:23 the buyers and sellers of IP uh globally
01:27 these auctions were all over the place
01:28 they were a lot of fun John was actually
01:31 a phenomenal live Auctioneer and we went
01:34 to kind of work on different different
01:36 careers I I started working cyber
01:37 security and John continues to be one of
01:40 uh the world’s top IP strategists so
01:42 really excited about this like Tim shner
01:44 inquisitive it um I work in the tri
01:47 state area helping small businesses uh
01:50 Finance accounting law firms uh to um
01:54 help with their secure it so Jesse
01:58 you’re up awesome awesome let me PA
02:00 Jesse up into the right spot so we have
02:02 the right things you know trying to
02:04 trying to do some new
02:06 stuff um yeah I like this cool new
02:09 scrolling thing you got going on Tim
02:10 that makes it look super fancy um trying
02:14 yeah so I’m Jesse Miller founder of
02:16 power PSA Consulting uh we help MSPs to
02:19 scale their Security Programs and do it
02:21 profitably um I’m as well like Tim said
02:23 I I love following John on LinkedIn and
02:25 all the things he has to say and I
02:27 especially appreciate what he does from
02:29 a VC perspective because he actually
02:31 gets clients to listen about doing data
02:34 tagging and data prioritization and data
02:37 management techniques that always seem
02:38 to find their way to the back burner so
02:40 again excited for uh the the show today
02:44 and getting to some maybe some pragmatic
02:46 techniques that our listeners can take
02:47 away to start talking with their clients
02:49 about Insider risk and um how we can
02:52 start structuring our programs around
02:54 that awesome awesome and Mr John welcome
02:57 to the show uh thank you so much for
02:59 being here let’s get you up on
03:02 stage that’s great I mean thank you very
03:05 much guys for the for the welcome for
03:07 having me back uh really appreciate it
03:09 and I think to pick up on a couple of
03:11 comments I I’m really
03:14 uh psyched motivated about the intersect
03:17 of uh intellectual property and uh
03:20 information
03:21 security I don’t think either area are
03:24 given sufficient attention but I I
03:26 honestly do
03:27 believe living through the big
03:31 ever misappropriation of corporate
03:34 wealth in history through essentially
03:36 through trade
03:38 secret love it love it and I supp
03:44 appropriation go ahead I suppose I I
03:47 ought to give myself the opportunity to
03:49 say hello because I’m not getting really
03:51 good at doing that from time to time but
03:54 uh yeah Tim Tim golden founder of
03:57 compliance scorecard as I kind of
03:59 briefly said in the beginning we help
04:01 your MSP uh take this whole crazy scary
04:05 thing compliance and kind of break it
04:07 down into uh uncomplicated meaning and
04:10 uncomplicated methods for you and your
04:12 MSP to kind of operationalize compliance
04:16 risk and all that fun stuff and so we’re
04:20 really excited today uh like I said to
04:23 have John because you know we’re g to
04:25 talk about uh Insider
04:29 threat negligent or or malicious right I
04:33 know we have some topics here that we’re
04:34 going to kind of get through so uh let’s
04:37 just Dive Right In my
04:39 friends yeah yeah so um John you know
04:44 like I said he’s one of the world’s
04:46 biggest IP strategies strategist um I
04:49 wrote a white paper probably a month or
04:51 two ago about malicious Insider threat
04:54 and um specifically you know there’s
04:58 there’s different kinds of sensitive
04:59 data in a in a small business
05:01 medium-sized business large business
05:03 right there’s the data you hold on
05:05 behalf of customers which is usually
05:09 what Regulators are looking for you to
05:11 protect and a lot of the compliance that
05:13 Tim deals with is is you know focused on
05:19 you know customer data then there’s
05:21 proprietary and strategic data which
05:24 which John is referring to you know we
05:26 we’re witnessing some of the biggest
05:28 theft of corporate you know corporate
05:30 Assets in history right like employees
05:33 walking out of a firm employees not
05:35 being careful um and there’s two Insider
05:38 threats right there’s malicious Insider
05:40 threat and then there’s negligence right
05:43 so like just having bad cyber security
05:45 and your borders are open your walls are
05:48 open you’re easy to phish that would fall
05:50 under the negligent category and then
05:52 malicious is really this um Insider who
05:55 was aware of great assets um you know
05:60 proprietary assets could be anything
06:02 could be recipes could be uh you know
06:06 decks uh sales lists customer lists
06:08 right um and then taking those with them
06:11 or giving them out a competitor for some
06:14 kind of
06:15 compensation uh this malicious Insider
06:18 threat like we usually hear about in the
06:19 news like someone leaked secrets to
06:22 China right like from a you know that’s
06:26 that’s more of a national security
06:27 concern but this happens all the time uh
06:31 at corporate businesses so um John yeah
06:34 any any thoughts I I was going to refer
06:37 to a famous movie with I don’t think
06:39 it’s that famous with Julia Roberts and
06:41 Clive Owen and they’re involved in
06:43 corporate Espionage if anyone seen that
06:48 movie love the movies yeah if you
06:51 haven’t John it’s definitely it’s
06:53 definitely a weekend watch
06:57 yeah yeah I know but uh yes
07:01 yeah the the the the press that came out
07:04 at the weekend over the guy uh and we
07:07 shouldn’t bang on about China in
07:08 corporate Espionage but this I’m not
07:10 sure this was nation state Espionage but
07:12 he was certainly corporate Espionage the
07:13 guy had been working at Google for 15
07:15 years spent an inordinate amount of time
07:18 back in China but uh but nobody knew he
07:20 was in China because his mates were
07:22 still carding him into the office uh but
07:24 he was over in China
07:26 basically pip uh you know walking around
07:28 selling uh Google’s uh top secret AI uh
07:34 you know code essentially and hopefully
07:37 make money for himself off the back of
07:39 it uh what he was doing how he was doing
07:41 it Tim you know I was kind of surprised
07:44 Google allowed this to happen on his
07:45 MacBook he was saving it down to notes
07:47 then he was transferring it to PDF and
07:49 then he was able to send it out and it
07:51 wasn’t being tracked it wasn’t being
07:52 identified and so you know this guy who
07:55 was former FBI director of counter
07:58 intelligence said you know BS are being
08:00 dropped here left right and center and
08:03 you know three simple steps one is I
08:06 know what your crown jewels are number
08:08 one you need to get much better
08:10 identifying what is a crown jewel number
08:11 two identify the employees or exposers
08:14 and this comes back to something you
08:15 said the other day Tim you know least
08:18 least risk lean function I think it was
08:20 and and then number three monitor those
08:22 employees and the crown jewels so if the
08:25 guy’s leaving and going to China know
08:26 about it and it’s not that hard to do to
08:30 track that kind of information but I
08:31 guarantee the vast majority of
08:33 businesses don’t have a
08:36 proper you know my experience not proper
08:39 idea what what their crown jewels are
08:41 because they change all the time of
08:42 course depending on what’s going on in
08:43 the business yeah yeah I think that Tim
08:46 golden Jesse before you jump in Tim Tim
08:48 actually did something so cyber security
08:50 we’re going to call this asset inventory
08:52 Asset Management right Tim like step one
08:55 yeah right so it’s it’s amazing how like
08:58 the parallels and the cycle of IP is it
09:01 just Falls right into line with cyber
09:03 security as well exactly I mean you know
09:06 know know what you have know where it is
09:08 know who who has access and I think this
09:10 is where Jesse’s going right before I
09:12 steal his Thunder is no no go go for it
09:15 where where is it who has it you know
09:17 all that fun things right and so Jesse I
09:18 know you were gonna chime in so let me
09:20 pull you on up well yeah no I you know I
09:22 think it’s interesting and we talk about
09:25 uh like John mentioned the overlap of
09:27 Trade Secrets IP and cyber security
09:29 right while they there are some
09:31 different pieces there there’s kind of
09:32 like that Venn diagram where they do
09:34 overlap in the middle and I think uh a
09:37 simple pragmatic reason to get a crown
09:39 jewels exercise done is that it helps
09:42 you Target and get aligned with the
09:44 business and actually strategically
09:47 position cyber security controls that
09:49 help the business protect what they
09:51 value most so Trade Secrets aside I I
09:54 still don’t understand why we’re not
09:55 doing crown jewels exercises and
09:58 identification kind of like the first
09:60 thing in the door that we do as vCISOs and
10:03 risk strategist for our clients because
10:05 when you sit down and force leadership
10:08 to think through what the most critical
10:10 things are and then align those things
10:13 that they’ve said are critical with the
10:15 controls we’re proposing all of a sudden
10:17 that’s telling a story and it makes a
10:18 lot more sense and we might discover
10:21 that hey we’ve been doing some things
10:22 that maybe we’re not getting a ton of
10:24 mileage out of and so maybe we should
10:25 shift efforts take money and shift
10:28 budgets and that becomes in a business
10:29 conversation I think it’s very powerful
10:31 to do all those things for the security
10:33 program even aside from Insider uh and
10:36 threat and IP protection right yeah so
10:40 I’m gonna I’m gonna be I’m gonna be the
10:41 guy right I’m gonna I’m gonna talk a
10:43 little bit through like you know we use
10:45 these words crown jewels right let’s put
10:48 this in terms that MSPs can understand
10:51 right I’m not gonna walk into my
10:53 customer and say to them uh hey let me
10:57 talk about crown jewels because you know
11:01 they’re GNA be like uh no like it’s just
11:04 weird to them right so if I’m an MSP and
11:07 I’m trying to have this risk
11:09 conversation this you know Discovery
11:12 conversation like how do I even walk
11:15 into that customer and be able to start
11:17 that right what is a pragmatic way for
11:20 us to do that yeah F first first thing
11:23 Tim if I may jump in is uh what’s
11:26 existential yeah if this went missing
11:29 this got lost somebody stole it would
11:31 that impact your ability to to carry on
11:33 as a business would that impact your
11:35 ability to make money right if so that’s
11:37 probably going to be one of your most
11:39 sensitive most valuable piece of
11:40 information yeah so existential number
11:43 one number two it’s then profit impact
11:44 if but it impacts on your profitability
11:47 and then the next one down is yeah
11:49 impacts on a business but not not that
11:51 major kind of thing so if you can
11:52 categorize things in those three three
11:54 areas that’s relatively simple to do
11:57 people get their head around in my
11:58 experience quite quite quickly you know
11:60 existential profit impact and just
12:01 general impact and see how you go but
12:03 I’ll be really Keen to see what you guys
12:05 how you guys do it as well that is wild
12:08 that you just said that John because I
12:09 literally have an explainer that I use
12:11 with my clients it’s like you were just
12:13 reading off of that and that’s funny may
12:17 be a little better than
12:18 mine but that’s it I think right what’s
12:21 a high level Crown Jewel is something
12:23 that’s existential to the business if
12:25 the CIA was compromised either the
12:28 confidentiality the integrity or the
12:30 availability of this data or system does
12:32 that pose an existential threat to our
12:34 business right and that’s that’s a
12:37 really easy way to think about it and to
12:39 your point uh Tim I think uh I I used to
12:42 call them when I worked in the MSP as a
12:44 as a CISO with our clients and with our
12:46 team we’d call them applications or line
12:49 of business applications so you could
12:50 call it critical systems you could call
12:52 it line of business applications that
12:54 starts to make more sense maybe to the
12:56 client when you’re dealing with a less
12:57 sophisticated organization right
12:60 gotcha all right so
13:02 StreamYard’s having a little bit like
13:06 that was me StreamYard’s having a little
13:08 bit of lagginess so thank you everybody
13:09 for your patience I think that might be
13:11 Elon with with the satellite that Jesse
13:16 uses something yeah
13:18 there’s you know yeah it’s all good
13:22 though so so uh so to kind of uh just
13:25 for the listening audience maybe I have
13:27 a little bit better connection I’ll just
13:28 restate with Jesse was saying and that
13:31 is instead of using words like crown
13:33 jewels maybe you use words like line of
13:38 business applications or what we like to
13:41 walk through like a risk I’m sorry a
13:45 revenue process what brings you know how
13:48 do you make money right walking into my
13:50 customer as an MSP and flat out asking
13:53 them what makes you money because in
13:57 that is the crown jewel
13:60 right oh well and we talked about this
14:03 uh on Wednesday with our good friend Joe
14:05 from Liongard like as an MSP I can walk
14:09 into the baker I can talk to that Bakery
14:13 about like like is your freezer more
14:16 important than your
14:18 fryer right or is you know the cashier
14:21 out front more important than uh the
14:25 milk right and so you can kind of start
14:28 to have that
14:30 conversation in the words that they’re
14:33 used to instead of Crown Jewel or line
14:36 of
14:37 business or apps or whatever having that
14:40 conversation in terms that they can
14:42 understand like for example hey do you
14:46 care about your milk as a baker or do
14:48 you care more about you know the the
14:51 cashier out
14:52 front I think yeah Tim it gets even like
14:56 fuzzier right like how long’s your
14:58 business been like if the average towy
15:01 came by like would they know the name of
15:02 your business right like that’s hard to
15:06 that brand and uh what you’re doing
15:08 that’s special in the market right like
15:10 that’s hard to kind of I don’t know
15:13 convey or or like unearth with the
15:17 customer usually right like as you said
15:19 you’re mentioning kind of hard assets
15:20 physical assets this idea of
15:23 intangibles um as you said what makes
15:26 them money I think is is really really
15:29 you know that deep conversation that’ll
15:31 unearth these risks right as well on on
15:34 like what’s it going to like what would
15:37 have what would have to happen to your
15:38 business for it to you know stop stop
15:41 selling right or or becoming you know
15:43 the place that people went in that in
15:45 that community so um you know I think
15:49 that I think that yeah and great comment
15:52 there uh uh if you want to pull that up
15:55 to him I don’t have access to it but
15:57 yeah so our good friend Bob hey Bob
16:00 thanks for listening glad to have you
16:02 here um you know do the do the things
16:06 right the the things
16:10 so Bob teaches Innovation actually and
16:13 deals with a lot of Ip and and Bob John
16:15 he’s a great person for you to connect
16:17 with um down in down in Louisiana he
16:21 he’s a he’s a professor or a visiting
16:24 Professor teaching about Innovation um
16:26 and we talk at length about this like
16:28 how startups protect protect themselves
16:30 uh what’s the best way for them to
16:33 protect IP to get you know a Competitive
16:35 Edge very early when they’re Scrappy so
16:39 there he is yeah so so Bob does bring up
16:42 a good question it kind of circles back
16:44 to that you know things to protect
16:46 physical cyber so on and so forth the
16:49 C-suite so uh Jesse you wanna you want to
16:51 chime in on a little bit and then you
16:53 know we’ll get John’s take on it too
16:55 well he you know he’s exactly right and
16:57 I think and this is no knock against the
16:60 C-suite or any anything like that they
17:02 have a wide variety of business risk
17:05 that they’re dealing with and so cyber
17:06 security is one little piece of that and
17:08 we got to keep that in mind right but
17:11 when we start broadening that that uh
17:14 overlap and talking about what’s
17:16 important to the business and what are
17:18 business risks and how do our our Trade
17:20 Secrets and our intellectual property
17:21 affect that and how do we protect those
17:23 from a cyber lens and they’re
17:25 participating in choosing those things
17:28 again we want a mandate from the top
17:31 down to say the the executive team has
17:33 stated that these are the most important
17:35 parts of the business most important
17:37 data in the business most important
17:39 systems in the business and they have
17:41 mandated that we protect them and he
17:43 said they are emotionally invested
17:44 that’s what I really liked about Bob’s
17:46 comment because that’s true you’ve taken
17:48 them out of their Whirlwind of all the
17:49 other things that they’re doing and
17:50 you’ve allowed them to uh anchor in
17:53 their mind why cyber security is
17:55 important and why we need to do the
17:56 things that we say that we’re doing
17:59 gotcha that’s good stuff good stuff just
18:01 more comments coming in yeah it is of
18:03 course it is thanks
18:05 Bob yeah it’s Gotta come it’s got to
18:08 come from the top right you gotta you’ve
18:10 got to get make them believe why it’s
18:11 important why they need to protect uh
18:14 their advantage and why they need to
18:16 empower employees and build this kind of
18:19 culture that um it’s not okay just like
18:23 walk out with lists and things like that
18:26 um I I put together some slides I don’t
18:28 know if we’ll get time doing but I
18:30 really talk about the life cycle and
18:32 there’s people processes and technology
18:34 and technology is really really only
18:36 there to enforce policies and the things
18:39 that we’re I think trying to wrap our
18:42 head around right now like having those
18:44 initial conversations with the business
18:46 leader and building policy right
18:48 building building a framework building a
18:50 way to think about like how we’re going
18:52 to protect this yeah and cyber security
18:54 starts to come into the picture at least
18:57 uh from a tool perspective um to enforce
18:60 those policies and and make sure that
19:02 employees do the right thing right so um
19:06 John yeah any any any thoughts on that
19:09 and I know
19:11 you’re
19:14 yeah sorry your bandwidth’s pretty good
19:17 right now so yeah go
19:21 ahead yeah I don’t know what’s going on
19:22 with the UK and the the sort of
19:25 bandwidth but uh yeah I always say and
19:28 it’s a very simple to say and and
19:30 probably difficult to ra it starts and
19:31 ends with the employee and the employees
19:34 understanding if they’ve got a good
19:35 understanding of what intellectual
19:37 property is what’s most valuable in your
19:38 business and why it’s important to
19:41 protect and defend that the the battle
19:44 is largely
19:46 won uh because people are looking out
19:48 for it but it’s often not the case that
19:52 people have good understanding of what
19:54 it is I mean let’s be honest
19:55 intellectual properties is are very
19:56 nebulous Concepts anyway and the vast
19:58 majority people really don’t have a a
20:01 common understanding what intellectual
20:02 property is and they’ve never spent the
20:03 time to do so and that that in itself
20:06 potentially my my world at least my
20:08 small world at least is is an issue it
20:10 may well be the same with with with I
20:12 you know information security as well
20:13 but the terminology is designed to send
20:17 people down Avenues you know what
20:19 patenting a copyright and all that kind
20:21 of stuff it’s just gobbly go you know
20:23 but uh most people don’t fully
20:25 understand what what IP is and hence
20:27 they can’t be looking at to protect it
20:29 and and as you said top of the airl 10
20:32 the majority of the most valuable
20:35 information the business is lost
20:36 inadvertently by insiders uh not
20:39 maliciously I think he said 56% or 26%
20:43 is is malicious so if you can if you can
20:46 train your employees you’re you’re
20:47 trying to reduce that 56% the the 26%
20:51 then you do need the technology as well
20:53 to come to bear that’s where you guys
20:54 come in to to help track what’s going on
20:56 and who’s who’s downloading and who’s
20:58 who’s exporting and so on and
21:00 so yeah yeah the whole the whole idea
21:03 around either you know negligent or
21:05 malicious right you know for me I start
21:08 to think of
21:11 um are we as a small business I’m put my
21:16 small business hat on are we as a small
21:19 business um are we are we just dumb and
21:24 you know ignorant and ill-informed
21:26 because we don’t know that that the uh
21:30 the employer employees going to just
21:32 grab the list and walk out the door is
21:35 that is it from like our executive piece
21:37 like oh I I never thought my sales rep
21:40 would take my list and go work for my
21:43 competitor is it that side or is it the
21:47 I’m an employee and and they’re not like
21:50 I want to make more money so I’m just
21:52 gonna steal their list and go to my
21:54 competitor that’s going to pay me more
21:55 money and I’m gonna bring my book of
21:56 business right so is it that whole you
21:59 know that whole neglect or is it
22:02 malicious you know or is it all of it is
22:05 it both sides of it when we think of you
22:07 know Insider threat and there’s a whole
22:11 big
22:12 conversation about where this relates
22:14 into supplier risk third party risk and
22:17 so on and so forth up and down the chain
22:20 but kind of bringing us back into the
22:22 sort of topic of today is it just
22:25 ignorance and neglect or is it bad
22:29 malicious employees or is it
22:32 both so Tim you write a lot on this but
22:35 I think a lot of it is uh Tim know that
22:38 is it’s uh it’s always been there Tim
22:41 golden it’s always happened and uh you
22:44 know the sales guy who became becomes a
22:47 CEO somewhere along the line in his
22:49 career he’s taking PowerPoints from one
22:50 business to the next and he’s he’s
22:52 taking contacts and CRM information from
22:54 one business to the next you know it’s
22:57 you know my skill actually when I’m out
22:59 there in the market not me but you know
23:01 is actually getting people to talk talk
23:04 over and above what they should be
23:05 talking about and I learned so much at
23:07 that
23:08 conference uh but Tim you you’ve written
23:10 a bit about this I’ve I’ve read a couple
23:11 of your articles it’s along those lines
23:14 I think yeah no absolutely Bob Bob had a
23:16 great comment there uh it’s everything
23:18 you’ve created right so I think that’s
23:20 the problem and it’s this it’s this
23:22 expectation when you start to work at a
23:25 at a company are you a partner or like
23:28 you do are you a business owner or are
23:30 you an employee and I think employees a
23:32 lot of times think that as they said
23:35 they created something they created a
23:36 deck it’s theirs but if any of you have
23:39 ever worked at a very large company John
23:41 and I have um you sign something when
23:44 you work you know you sign something
23:46 from the beginning that says like all IP
23:48 created is property of the company right
23:50 like yep I’ve even inv I’ve been
23:52 involved my name’s been on a couple
23:54 patent applications actually John John
23:56 was as well um
23:60 but my name’s on there as an inventor
24:02 but I am not the owner I’m not the
24:04 assigned right right you know I’m not
24:07 assigned rights of that IP so if you
24:09 have that expectation very early on like
24:11 bringing employees on and getting them
24:14 to acknowledge that that they are there
24:17 they’re being paid you know they’re
24:19 being paid to work at a company and the
24:21 IP that’s created is not theirs so they
24:23 can’t they can’t walk out the door they
24:26 can’t give it to a
24:27 competitor um
24:29 you know so I I think that’s really
24:31 important just that expectation setting
24:33 and you know maybe in a second here
24:36 we’ll talk about kind of the IP life
24:37 cycle but that’s really important right
24:40 confidentiality agreements we’ve had on
24:42 uh even non-competes which I don’t think
24:44 non competes are really needed anymore
24:46 because if you have this declaration and
24:49 acknowledgement of Ip from the beginning
24:53 it’s much less of a problem so um so
24:56 what you’re saying isor uh you know
24:59 there’s things right here we’re like I
25:00 said we’re not really getting into the
25:01 cyber security yet but we’re getting
25:03 into the people process policy the
25:06 governance uh aspects that Tim knows so
25:08 well so yes so what I was gonna say when
25:11 I was trying to rudely interrupt you
25:13 which I’m getting better at not doing
25:16 is is Oh you mean we should have a good
25:21 employment agreement or a good MSA or a
25:26 good contract as an MSP with our
25:29 customer and with our staff right Jesse
25:33 have you seen any of this kind of stuff
25:34 kind of flowing through in any of your
25:35 MSP
25:37 work oh yeah absolutely I mean I think
25:39 the I think the better MSPs are you know
25:41 having a work for hire clause like
25:43 you would get with an independent
25:44 contractor and I mean I think that’s
25:46 especially important and John you can
25:47 probably talk about this at length later
25:49 but especially if you’re working with
25:50 independent contractors protecting IP
25:52 becomes even more difficult right so you
25:54 definitely have to have some Ironclad
25:56 language around work for hire and
25:58 having them declare any um previous IP
26:01 that they’re bringing in or maybe IP
26:03 that they’re not allowed to use you got
26:04 to kind of sus all that out with when
26:06 you’re you know bringing on contractors
26:09 however from a strictly MSP perspective
26:11 I know one thing sticks out in my mind
26:12 there was a there was a salesperson at
26:15 one of the MSPs I worked with that tried
26:17 to walk out with a customer list and um
26:20 we actually you know again being we were
26:22 very security focused early on and so we
26:24 kind of had a system uh when we noticed
26:27 things about an employee that made think
26:29 they might be leaving or there was
26:31 something wrong there we put monitoring
26:32 on what they were doing in the
26:34 environment what they were accessing
26:36 right and so we actually did find that
26:38 he was pulling down a customer list and
26:39 sending it to his personal email we were
26:41 able to catch that and um you know serve
26:44 him with a cease and desist and um
26:47 luckily we we nipped in the bud right so
26:50 um that that was a win but I think uh
26:54 you know do you catch that every single
26:55 time no but I think to your point John
26:58 it’s about educating other employees and
26:60 and maybe he didn’t know you know I
27:01 wasn’t in I was not in management at
27:03 that time in this MSP so I don’t know if
27:06 he was malicious or he just thought hey
27:09 I’m leaving I’m going to take the
27:10 customers that I’ve worked hard to build
27:11 relationships with and sell them
27:12 something at my new at my new job so it
27:14 could have been something that was
27:15 actually benign you don’t know but point
27:17 being is you know what do they say
27:19 whether it’s ignorance or malicious it’s
27:22 still the same
27:24 right oh Oh you mean you mean this there
27:27 you go NE or I’m getting better I’m
27:30 getting better yeah so uh you mentioned
27:34 uh you put in things to monitor you put
27:36 in things to hate to use the word catch
27:38 them right you know we know our MSP
27:41 audience loves tools we don’t generally
27:44 specifically call out tools but I wanted
27:47 to have just a five minute
27:50 conversation on are there ways that we
27:53 as an MSP for ourselves and our customer
27:58 to be able to like know you know you
28:01 know Sammy the salesman just downloaded
28:05 uh an Excel document of lists and put it
28:07 on a thumb drive and took it with them
28:10 is there tools that can do that is that
28:12 just DLP or is that M3 like how do we do
28:15 that from a practical standpoint since
28:18 our you know there’s a bunch of people
28:20 here listening and they love
28:22 tools well it’s difficult you know it it
28:25 is not perfect and that’s why I think
28:27 John is saying you know when when the
28:28 employee understands it you’re that’s
28:30 where you get 90% of the the issue
28:32 solved of course that doesn’t solve
28:34 malicious right um so you know yeah DLP
28:37 is uh UEA is another one like you know a
28:41 Salesman is going to be accessing client
28:43 records right but probably not a
28:46 thousand client records all at once so
28:48 if we have alerts set up for uh
28:51 excessive record access or things of
28:54 that nature or certain type of exports
28:56 being run or better yet we don’t let
28:58 exports be run so if they are going to
29:01 try and take customers out they’re going
29:03 to have to go click on every record
29:04 individually and screenshot it we make
29:07 it uh more uh we make it more U what’s
29:11 the word we make it more difficult uh
29:13 for them to to to do that and so maybe
29:16 that dissuades them and says maybe I
29:17 shouldn’t be doing this so those are all
29:19 you know things you can do that’s a good
29:21 point like when you get to that
29:21 deterrent right so like they see one
29:24 person get caught and they’re like whoa
29:25 like I don’t think I want to I don’t
29:27 want to be that guy that’s getting sued
29:29 by the company yeah um in the financial
29:32 services world it’s much more common
29:34 people get you know there’s litigation
29:37 on non-competes or people stealing
29:40 things or UHC and one of the reasons why
29:44 there is litigation is because the
29:46 evidence and the logs that these
29:48 companies and their attorneys have are
29:50 so good Tim just mentioned DLP right so
29:54 this logging and tracking and access um
29:57 the fact that they have
29:59 their as I said least trust lean function
30:02 they have a very small surface area they
30:04 know exactly where their data is who’s
30:06 accessing it when they’re accessing it
30:09 over the last four weeks before they
30:10 left the company they’ve got a rock
30:12 solid case and yeah go ahead so you mean
30:18 they have like there’s technical
30:19 controls and non-technical controls in
30:22 order to like bring this thing together
30:25 right there we go there we go so uh this
30:28 this is really the life cycle here and
30:31 um identify protect right like detect
30:33 respond and recover like these sound
30:35 familiar right from in this perspective
30:38 um the same life cycle in IP right a lot
30:41 of the people that are involved in Risk
30:43 Management I mean a lot of the same kind
30:45 of steps five you know the five-step process
30:48 here but we start with I think the big
30:51 circle right there uh John can talk
30:53 about this because he this is really
30:55 where I think he’s heavily involved
30:56 probably with ndas and
30:59 confidentiality and employee handbooks
31:01 as Bob Miller mentioned all these things
31:04 that kind of build that expectation
31:06 build that acknowledgement from
31:08 employees that they they need to do the
31:10 right thing right data retention policy
31:13 is another uh non-technical control that
31:17 talks about like how long do we keep
31:18 data how long do we get rid of data um
31:21 and John you know maybe you want to talk
31:24 about trade secret catalogs right like
31:27 I think that’s a concept that don’t I
31:30 don’t get caught on the word trade
31:31 secret but like think about just
31:33 anything proprietary and maybe you want
31:35 to talk about like how you do that and
31:37 then we can kind of come back to that
31:38 diagram and talk about all the
31:39 enforcement once you have the data
31:42 classification and the data uh
31:44 cataloging I guess you’re you’re going
31:46 to talk about
31:47 right yeah sure uh thank you and uh just
31:52 going back to the very quickly to the
31:54 the employee and the entry and exit from
31:57 the the business the first thing they
31:59 they learn about as you said is
32:02 everything you create here is
32:03 ours it’s all proprietary and you can’t
32:06 take it with us and then as they’re
32:08 leaving the business it’s like okay so
32:11 as we said at the beginning everything
32:12 you’ve created here is ours and you can’t
32:13 leave with it and uh by the way uh you
32:17 know those those canny little HR
32:19 questions such as what’s that you’ve
32:22 learned while you’re here is going to be
32:24 most valuable to you in your new your
32:26 new role
32:29 uh but yeah so from a from a trade
32:32 secret perspective that valuable
32:34 commercial and inventive information
32:36 because we must remember as we’ve
32:38 alluded to it’s both a lot of people go
32:42 down the Avenue just being invented
32:44 either a patent or is a trade secret yeah
32:47 but also as Tim’s mentioned it’s
32:50 commercial information it’s the market
32:53 uh research it’s the product launch the
32:55 new product launch that’s coming up it’s
32:57 pricing it’s customer list it’s
32:59 profitability profitability information
33:02 it’s uh managerial relationships you
33:06 know who’s getting on with who who’s
33:07 who’s who’s about to leave the business
33:09 and you know
33:13 Etc have cataloged your intellectual
33:16 property and by that I mean to have
33:19 captured it date stamped date stamped it
33:21 when did he have it and documented it
33:24 and if you haven’t done that it’s very
33:26 difficult to persuade the judge that you
33:28 actually own that information at a said
33:31 point in time so it seems a bit of an
33:33 own exercise but many businesses and you
33:36 guys you know in the information side of
33:37 things when you’re doing is information
33:40 stuff you are recording a lot of
33:42 information a lot of time and it’s not
33:44 too difficult to found to convert that
33:46 into something could be in a trade
33:49 secrets register but there’s two
33:50 components Trade Secrets register where
33:53 information is captured but not the
33:54 trade secrets and then separately you
33:57 document trade secret the code the
33:59 algorithm you know the customer list Etc
34:01 you keep that separate in a separate
34:03 separate
34:04 area a little metadata yeah so you’re
34:07 you’re basically hashing this stuff
34:09 you’re going going deep yeah yeah so
34:12 like je Jean points out here like you
34:14 know gotta audit gotta figure out what
34:16 you have gotta figure you know gotta
34:18 make sure that it’s changed managed
34:20 right all the all the things right so
34:22 you can’t protect what you don’t know
34:24 back to that whole conversation of of
34:27 you know what is it where is it how do
34:29 we protect it you know as as Bob points
34:31 out policies and procedures you know all
34:34 of that you know book of business all
34:36 that stuff right um but what is next
34:41 here in our little slide deck make sure
34:43 I get that up here right oh wait hey
34:45 wait a minute I jumped to The Tool Part
34:47 like 10 minutes ago
34:49 whoops the gun yeah I think Jesse
34:52 probably has a lot of experience on the
34:54 tool side you as well Tim right in terms
34:57 of uh some of the tools you can log
35:00 right so I think John was just really
35:02 talking about talking to the customer
35:04 putting him in that hypothetical mindset
35:07 yeah something really bad happened to
35:08 your company employees stole something
35:10 you’re going to be in front of a judge
35:11 in two years what kind of evidence do
35:14 you want to have right so you have a
35:17 strong case so I think you know Jesse
35:20 started to dig into that a little bit
35:21 Tim as well so yeah I think the zero
35:23 trust piece is a big uh a good way to
35:25 start enforcing that and creating uh
35:27 landing zones that’s you know you have
35:30 least policy access to and only the the
35:32 right people should be storing the right
35:34 things there you know one thing we don’t
35:36 talk about products a ton but one thing
35:38 I like about Confluence from Atlassian
35:40 for example is the fact that
35:42 everything’s date tagged um you can
35:45 restrict uh you know space access and
35:48 they even have workflows now so you
35:49 could automatically tag something as
35:52 intellectual property if it’s completed
35:54 in a specific space and only give people
35:57 via SSO that are are supposed to be
35:58 working on and access to that space and
36:01 that’s just one small easy to-do
36:02 example right but you’re getting all
36:04 that tracking all that stuff is created
36:05 and it’s just and then the training
36:07 piece is hey you guys can only work in
36:09 this space this is where when you’re
36:10 working on this project this stuff gets
36:12 created this is all intellectual
36:14 property this is all company-owned
36:15 material you need to treat it as such
36:18 and it’s not even a don’t take it stuff
36:20 it’s just hey it’s good hygiene security
36:22 hygiene but in the piece of doing that
36:25 you’re building in business process to
36:27 start creating that register and so I
36:29 would love to hear from John as to what
36:31 he’s seen pragmatically that will work
36:32 to start getting that catalog
36:37 created yeah so there are there
36:40 are but it doesn’t have to be that
36:42 complex um you can run it on a an Excel
36:46 spreadsheet right fine at the beginning
36:49 but you can very
36:51 quickly I I guarantee I consider most
36:54 most companies in their engineering
36:56 department TR for
36:59 group people very very quickly and then
37:01 you start to get an unwieldy amount so
37:03 you you do need to have key things
37:06 documented and captured as we’ve said
37:08 already you know what isn’t you need
37:10 some kind of code for it what some ID
37:13 tag for it what it is it some summary of
37:15 what it is and then date stamp you know
37:17 when was it created right when’s it
37:19 going to be reviewed who who owns it
37:21 that that goes to business process right
37:24 like I mean this is just another piece
37:26 we put into we’re all about document
37:28 mentation and process here in MSP world
37:30 right so a project close step is to
37:33 complete the the catalog steps as part
37:37 of the intellectual property tagging and
37:39 clean that up right and you’re looking
37:40 at you know maybe an hour is worth of
37:41 work that’s additional to make sure that
37:43 stuff gets recorded properly and you’re
37:45 then you have that built into your
37:46 system and it becomes uh just another
37:49 piece in the process that you’re
37:50 executing right so it’s that iterative
37:52 process people in process right people
37:55 in
37:56 process I want to roll
38:00 come
38:01 on I was going to roll back to uh one of
38:05 the comments that came in uh let’s see
38:07 if I can find it here uh yeah Jonathan
38:10 here talking about BIA right because you
38:12 know we were talking about how do we do
38:14 this how do we have that conversation
38:16 what’s the pragmatic way of actually
38:18 doing this alongside of our customer
38:21 right and you know a BIA business impact
38:23 analysis is a really good first step um
38:26 I have a lot of experience in BIAs um and
38:29 how that can maybe tie into Insider
38:33 threat as one of the items in a BIA
38:37 Jesse I don’t want to go on and on about
38:39 BIAs do you have a little bit of a little
38:41 bit of insight into BIA well you know uh
38:44 to to the question right I think how
38:46 this feeds into BIA I think we kind of
38:48 touched on that right from a really high
38:51 level is you know criticality of the
38:54 data is it existential is it extremely
38:58 uh important or is it a minor
39:01 inconvenience and that’s the way to
39:02 think about it you know that’s like
39:04 that’s like the easiest BIA you can do
39:06 right um and I always try to put that
39:08 into buckets is it existential like John
39:11 said um is it long-term damage meaning
39:15 it will it could be and I always try to
39:16 put time frame on it like can we recover
39:19 from this yes but it take us six months
39:21 to a year to get back up to where we
39:22 were from it so we have a year of either
39:25 reduced profits or no profits can we
39:27 weather that right and then you know
39:29 like look at a quarter a month or two
39:31 it’d be a black eye it wouldn’t be fun
39:33 but we can kind of we can kind of
39:35 weather that storm very easily right and
39:37 so yeah business disruption scenarios to
39:39 consider physical damage to a building
39:41 well maybe we’re remote so that’s
39:43 doesn’t really matter for us right so
39:45 it’s creating that Matrix of Impact
39:47 versus um versus urgency right at at the
39:51 end of the
39:52 day yeah and it’s interesting because
39:54 you know even just this you know this
39:57 resource from .gov around BIAs
40:01 right we’re a SaaS company right we you
40:04 know we work out of our home office our
40:06 people are remote we’re a SaaS Company
40:07 New England just got nailed by some
40:09 nor’easter a couple days ago and I lost
40:12 power and I had a whole boatload of
40:14 meetings and a whole boatload of things
40:16 I was gonna try to get done and I had no
40:18 power and no internet what was the first
40:20 thing I did I went and pulled out my
40:22 business continuity plan and remember
40:25 well and started going through that and
40:27 was like like I have a threshold of how
40:31 long my house can be without power
40:33 before my sump pump fills my basement
40:36 full of
40:38 water right the talk about the physical
40:41 damage the talk about you know the the
40:44 interruptions the outages right all but
40:47 where does that kind of you know flow
40:49 into Insider threat like I’m talking
40:52 physical stuff well Insider threat can
40:55 be that disgruntled employee Insider
40:58 threat can be you know whether it’s
41:00 malicious or neglectful that human that
41:04 decides to take home the extra half
41:08 dozen of eggs because oh well you didn’t
41:10 use the whole dozen I’m just going to
41:12 take the rest home tomorrow and I do
41:14 that day after day after day and now I’m
41:17 the business is missing 30 dozen eggs
41:20 because a little over time right whether
41:23 it’s malicious or not
41:27 so um yeah
41:30 anyways and this is not like this idea
41:33 of
41:34 protecting proprietary strategic
41:36 confidential information I just made a
41:38 comment if anyone seen the movie
41:40 Oppenheimer uh in New Mexico right like
41:43 they had them separated in different
41:45 camps where each each speciality and
41:48 this is this least trust
41:49 compartmentalized right like well the
41:52 people that understand this part of the
41:53 project and this part of the project
41:55 they’re all in separ separate areas and
41:56 they don’t intermingle
41:58 um so you know it’s this isn’t a very
42:00 New Concept least trust and and just you
42:03 know how they how basically he was
42:05 worried about you know foreign country
42:08 the enemies right gaining that
42:09 information so they had them broken up I
42:12 don’t know if this was Oppenheimer is or
42:13 the the General’s idea but um you know
42:17 it’s this isn’t a New Concept uh just
42:19 from a least trust perspective but um
42:23 yeah so Tim we we have anything else on
42:26 that other on the document just on the
42:29 life on the life cycle
42:31 here I need to go back to the other
42:33 slide that I was sharing uh hold on let
42:35 me do that uh this one yeah I mean just
42:39 the technical controls here on the right
42:41 um these are all things like we said
42:43 that you can use to uh enforce these
42:48 rights and provide that evidence um so
42:52 you know it’s a it’s just yeah these are
42:54 all like as you said MSPs infosec guys
42:57 either you know if if it’s insourced or
42:60 outsourced it everyone loves the tools
43:02 and these tools provide great ability to
43:05 provide that zero trust great ability to
43:07 provide uh the tracking and logging um
43:11 the reminding as Jesse said before it’s
43:13 a little bit of a deterrent if the
43:14 employees know that there’s that that
43:16 there’s great logs um certainly when
43:19 I’ve worked on consulting jobs at Banks
43:21 and financial companies like I’m not
43:24 walking out of there with anything I’ll
43:25 tell you that
43:28 um the expectation and just the presence
43:31 of security is pretty high
43:35 so yeah John um any anything do they say
43:40 good locks make good neighbors yeah good
43:43 fences make good neighbors
43:46 no
43:49 yeah um John I know your uh your
43:52 internet’s coming back and forth but
43:54 anything else to add really like you
43:56 know I I I
43:58 talk about as you said like why don’t
44:01 people realize the damages are so big
44:04 right like the fact that I guess are we
44:07 just used to people not knowing like not
44:11 maintaining their strategic Advantage
44:13 like talk a little bit about that on how
44:15 you when you’re working with your
44:17 clients like how do
44:19 you you know get that point across
44:22 because it’s not in the news right like
44:23 it’s not like malicious Insider threat
44:27 and you said like the biggest theft of
44:29 you know corporate corporate assets is
44:31 happening right now and we don’t think
44:33 about it so like how do you I guess how
44:34 do you get that message
44:38 across well what I like about you guys
44:40 is that you do the kind of likes really
44:42 well so it’s kind of like this it’s kind
44:43 of like that and I’m learning a lot from
44:46 from the way you do that because it is
44:48 about bringing it down to distilling it down
44:50 to what’s what’s really important this
44:52 isn’t malicious this is this is a case
44:53 that happened to me
44:55 today big company uh very very
44:58 successful big tech company and one of
45:01 the top employees is doing a a master’s
45:04 degree outside of outside of work and
45:06 they said oh it’s fine isn’t I’m doing
45:08 it all about our strategy and this and
45:12 he goes
45:13 who hold on you’re doing your master’s
45:16 degree which is public
45:17 information
45:19 all about our strategy so people just aren’t
45:22 aren’t thinking about it but you know I I I
45:25 haven’t quite got these sort of uh the
45:28 sort of analogies down to a tea like you
45:30 guys have but it’s not something that’s
45:33 like somebody walked out with a bag of
45:35 money some somebody got the gold
45:36 somebody got the jewels somebody did the
45:39 business over because data isn’t that
45:42 easy for for the majority of people to
45:43 get their heads around and so it’s a
45:46 it’s not perceived to be a crime but but
45:49 a as you guys know when it when it
45:52 happens the companies aren’t chaning
45:55 about oh s we’ we’ve been done over by
45:57 an lead we’ve been done over by a
45:59 customer A supplier they suppress
46:02 learnings from it are minimalized
46:04 because it’s not it’s not sort of
46:06 processed and engineered and understood
46:08 and and and that’s a big issue I think
46:11 so it’s not it’s not socialized so
46:13 people are going oh that’s a big issue
46:14 it’s suppressed so people are going not
46:16 really heard about that and then the
46:18 learnings aren’t happening so you know
46:20 information is leaking and uh people are
46:23 suppressing it’s not not much of a
46:25 problem no 10 to 15 years worth of work
46:27 on our l s the chat GPT to that’s not a
46:30 problem at all no
46:33 really can I just have GP write my stuff
46:36 for me and say give me a protection
46:38 thing and let me just give that and like
46:41 how do I protect my stuff. GPT right
46:45 well there there’s that whole piece is
46:46 inadvertent training with trade secret
46:48 so it goes that that’s a great point you
46:50 brought up is hey if stuff is Trade
46:53 Secrets you can’t go dropping it into
46:54 chat GPT because we’re training the
46:56 model with proprietary information and
46:59 you might as well put it out there just
47:00 like anything else because you know ac
47:03 across the pond somebody one of our
47:05 competitors might type in how do I do
47:07 XYZ and they get this really great
47:09 answer like wow I can’t believe chat GPT
47:11 thought of that well they didn’t you
47:13 just fed that data right into the
47:17 model go ahead Walter had a great thing
47:20 about this like even things that aren’t
47:24 classified as sensitive just by you
47:26 having access to your environment
47:28 there’s this idea in investment research
47:30 called the Mosaic Theory like if you get
47:32 two pieces of non-public non-material
47:35 information you can come up with like
47:37 material information right like things
47:39 that actually move the needle and he’s
47:42 he made this point that you put in all
47:44 this information it’s not classified and
47:47 if it’s not sensitive they can it’s
47:49 still dangerous because like it’s
47:50 intelligent it can figure you know if
47:53 this than that right like it can think
47:55 of so I think really risky and I think
47:58 the classification problem this is going
48:00 to bring this issue to the to the
48:03 surface pretty quickly go ahead Sam
48:05 sorry oh without a doubt yeah yeah Bob’s
48:09 got a great comment about unintended un
48:11 unintentional disclosures right so yeah
48:15 I was just gonna make a joke about the
48:16 whole chat GP so in other words
48:19 everything that I want msps to be
48:21 searching for around what we offer for
48:24 services I should be training chat d
48:27 on and keep feeding it all the
48:30 information when you’re thinking
48:33 ofo go over to power grid when you’re
48:36 thinking inquisitive it or you’re
48:39 thinking you know IP and intellectual
48:42 property or compliance we should just
48:45 keep feeding it all of our stuff right
48:47 at least how about this this week and
48:50 maybe some you know how LinkedIn kind of
48:51 drips features in so other people may
48:53 have had this before I did but you know
48:55 um
48:57 well the the these group articles that
48:59 they’re get getting everyone to
49:00 contribute to like we’re they were of
49:02 course training an AI model and then on
49:04 my profile this week popped up like oh
49:06 want to know more about this subject
49:08 click the AI button and it’s literally
49:10 like almost reading back to me things
49:12 that I’ve
49:13 typed that I put that too and I was like
49:16 it’s the little star Sprite thing it
49:20 happened to me and I was like oh my God
49:22 like wait I just Jesse just wrote that
49:25 or Tim just wrote that I know that
49:27 because
49:28 what yeah yeah but but but like to the
49:32 Mosaic Mosaic Theory right you’re
49:33 talking about Tim is imagine that you’ve
49:36 been using learned trade secrets from
49:39 your job to respond to those articles
49:42 and all of a sudden LinkedIn is giving
49:44 that information away for free yeah
49:48 that’s and that’s what was laying down
49:50 yeah go ahead John just just jump jump
49:53 in F because uh the property is being
49:57 challenged like it’s never been
49:59 challenged before as we know copyright
50:01 llms Etc but if you think about if you
50:03 just bear with me for a minute think
50:04 about
50:05 inventions you either patent or you
50:07 trade secret or you publish if you
50:09 patent
50:10 nowadays within 18 months it’s published
50:14 Tim knows this better than most you know
50:16 two three maybe five years later you get
50:19 a granted patent but now that 18 month
50:22 point every single inventive llm in the
50:24 world is reading that thing and
50:26 inventing on the back of it before
50:28 you’ve even got a granted patent mhm and so
50:31 you know it’s it’s strategically you’ve
50:33 got to really consider whether you’re
50:34 patenting or whether you trade secreting
50:36 and how you going to go go and approach
50:38 that and there was some stuff in the
50:40 news today about you know the uh the
50:42 weight loss drugs which you know
50:44 billions of people around the world are
50:45 going to be taking eventually uh they’ve
50:48 got a whole new AI invent invention tool
50:52 that’s come up with a different way of
50:53 getting around the patents of the the
50:54 current thing and you know dealt with
50:56 some of this side effect issues and
50:58 Bing Bang BOS they’ve invented a newer
51:00 better prototype for for for weight loss
51:03 so from an
51:04 invention perspective it’s a whole new
51:07 game now patent trade secret published
51:10 there’s lots of strategic measures to
51:12 undertake because of what you’ve just
51:13 been disc discussing on on the llms and
51:18 the
51:23 I’ve um no no but you know John and I
51:26 I’ve heard people say this and I’d love
51:28 to get it’s a hot take so I’d love to
51:30 hear your opinion on it but they said
51:31 you know it really has signaled the
51:33 death of the patent like we’re not going
51:35 to see patents anymore and I don’t know
51:37 if you if you if you say well let’s not
51:39 you know put it’s not to throw the baby
51:40 out with the bath water to on that you
51:43 know my opinion yeah well you know Tim
51:45 Tim’s Tim’s a a big uh it’s got a big
51:49 voice big set of thoughts on it’s very
51:50 clear in his opinions on this and I
51:52 agree with you know the patent’s being
51:55 devalued quite subst particularly in the
51:58 United States in the last 10 years and
52:01 given what we’ve just discussed and
52:03 other factors you know in the last six
52:05 to eight years trade have got stronger
52:08 and stronger and stronger there’s a
52:09 whole bunch of case law coming out now
52:11 that’s really you know as I said to I
52:13 didn’t say to you but the UK has made
52:14 its criminal law now uh in certain
52:17 circumstances so you know it’s getting
52:18 stronger all the time so yes you know
52:20 patent trade secret uh or publish is is
52:23 is quite a substantial discussion but
52:26 but Jesse if something can if somebody
52:28 skilled in the art one of you guys knows
52:30 the area is likely to invent it in a
52:32 short space of time patent it right
52:35 because then you get some protection
52:37 right uh and or but you know trade
52:39 secret law you can claim prior user
52:41 rights if somebody else does patent it Etc
52:44 or you could publish it so yeah yeah
52:47 very very time I tend yeah and that that
52:49 was a bit of a loaded question of course
52:51 I tend to agree with Tim is it seems to
52:53 me in most cases and it goes back to the
52:55 impact analysis what kind of data you
52:57 have how secret is it like if you’re
52:58 dealing more transactional you’re just
52:60 you’re winning off of like your
53:01 operational efficiency how much money do
53:03 you really want to spend trying to get a
53:05 huge trade secret program going right
53:07 but so it’s a it’s a risk analysis and
53:09 an impact analysis on the types of data
53:11 you have right but that said is it it
53:13 makes more sense to me that uh being a
53:17 pragmatist to just circle the wagons and
53:19 protect your data through a trade secret
53:21 program is going to be more effective in
53:24 terms of high value data me much of the
53:26 time you know and that’s just cover yeah
53:29 it’s going to cover all those bases
53:31 Jesse right it’s going to cover trade
53:33 secrets that are Tech you know I think
53:36 the trade secret term is extremely wide
53:38 and it could be even wider and the court
53:40 you know if they’re taking something
53:42 that they they signed and acknowledge
53:44 that they wouldn’t take and they took it
53:46 yeah that’s all there is so as John
53:49 started going to talk about case law
53:51 case law trade secret case law is very
53:53 strong and foreign countries are
53:55 stealing from us so
53:57 that’s not that’s not like you know the
53:60 political Narrative of patent trolls and
54:02 we didn’t even talk about that
54:04 but bad people theying people so uh
54:08 trade secret laws is you know everyone
54:10 agrees with um and yeah you know John
54:14 talking about you’ve talked about this
54:16 for a while trade secrets are much
54:17 easier to to take to court and win
54:19 because it’s very easy to understand
54:21 good and bad in a trade secret case so
54:23 the result the recent analysis says 86%
54:26 of uh 86% win rate for plaintiffs with
54:29 trade secret cases MH kind of 57% for
54:32 for other cases so that’s a really high
54:35 number difference on Trade Secrets
54:37 because they EAS to for the courts the
54:40 jury to get the heads around good guy
54:41 bad guy stole it didn’t steal it kind of
54:44 thing so really interesting on that side
54:46 as well almost at the five minute Mark
54:49 here Tim but one more thing I was
54:51 talking to Paul our our good uh patent
54:54 broker friend and he was just talking
54:55 about like the invalidation r as well so
54:58 even if you patent things and you go to
54:60 try to enforce them uh chances are the
55:02 courts are going to say they’re invalid
55:04 so
55:06 but at least in the US yeah maybe not in
55:09 Germany or Korea or what not but Tim so
55:14 as we as we start to wind down here um
55:17 we always like to end with a couple of
55:18 key takeaways John I’m gonna pull you up
55:21 first John and and have you kind of top
55:24 in talk a little bit about like what
55:26 does is the one or two key takeaways
55:29 that we can have from today from
55:33 you
55:35 uh I can’t use the word crown jewels can I
55:40 so identify what’s most valuable in your
55:42 business by doing that analysis that
55:44 says you know what’s existential what’s
55:47 Pro what’s going to have a profit impact
55:49 identify those things protect and look
55:51 at them secondly train your employees
55:54 spend the time giving them education
55:57 because if you go secret case and the
55:60 employee says have no idea what you’re
56:01 talking about I don’t know what trade
56:02 secrets are you haven’t got you haven’t
56:04 got a leg to stand on if you can
56:06 evidence that you’ve trained them and
56:07 they understood that you’ve got a leg to
56:09 stand on so yeah identify crown jewels Tim
56:12 and and training yeah awesome awesome
56:15 that you know that’s a really good
56:16 thought so uh identify your crown jewels
56:20 all right uh yeah we won’t dig get a
56:23 crown jewels we already need that so uh M Mr
56:25 schner my friend
56:27 yeah no so like I said um I I had a post
56:32 yesterday least trust lean function this
56:34 really fits into this trade secret
56:36 identification perspective your
56:39 employees need to acknowledge that
56:40 there’s proprietary strategic
56:42 information or data um you need to
56:45 protect it you need to use tools to
56:47 enforce that protection and you’ll
56:50 you’ll be better off and you’ll they’ll
56:51 build an understanding and
56:52 acknowledgement that like you know IP
56:55 that’s created on their behalf along the
56:57 company so that that’s really the big
56:59 thing um there is tons of malicious
57:02 Insider threat happening all the time as
57:05 John said no company is going to admit
57:07 it because they don’t have to because no
57:09 regulator is asking them to be to expe
57:13 like when they you know not if it’s not
57:15 customer data The Regulators don’t care
57:18 so just get that out there right now
57:20 that um no one’s really out there to
57:22 protect you you have to protect yourself
57:24 here and it’s not something you can I
57:27 don’t I’m not aware of something you can
57:29 insure as well
57:31 so awesome Mr Jesse you are up my
57:36 friend yeah well I’m going to continue
57:39 um what John had to say about the crown
57:41 jewels and hey I have a I have a
57:43 training paper that I wrote back in 2015
57:45 that talks about crown jewels Tim so just
57:47 so you know but to to continue that I
57:51 think yes you have to identify that and
57:52 it has to be mandated from management so
57:54 there’s a piece like identify it who
57:56 identifying it make sure that this is a
57:58 top down driven approach that management
58:01 is involved executive leadership is
58:03 involved in setting those standards and
58:05 it’s not just an exercise that’s being
58:07 done in the IT department so I think you
58:09 have to build consensus with the crown
58:10 jewels and then use that consensus to
58:14 identify the lowest hanging fruit in
58:16 terms of technical controls being UEBA
58:20 which there’s some good stuff coming out
58:21 for now but even then just doing things
58:23 like least access and uh ZTNA zero
58:27 trust network access things like that so
58:29 I think those are the two things that
58:30 you can continue on from the strategy
58:32 piece to the Tactical piece when you
58:33 start to implement these
58:35 programs awesome awesome and so uh I
58:39 suppose I ought to have a key takeaway
58:41 too huh I always forget to like bring
58:43 myself up and talk about Johnny’s lug
58:45 tell me about it yeah well you know I
58:49 think as far as you know Insider threat
58:52 whether it’s uh neglect whether it’s uh
58:55 malicious whether it’s ignorance you
58:58 know all the things that we talked about
58:59 today you know from a business
59:02 perspective and from an MSP into that
59:05 business perspective starting to have
59:07 that conversation with your client and
59:10 begin with the risk conversation begin
59:12 with the revenue compet uh conversation
59:15 you know begin with the uh reputation
59:18 risk Revenue reputation what is going to
59:21 impact your client’s business as a whole
59:25 but even putting that part aside think
59:27 about your MSP yourself you have a lot
59:31 of proprietary information not just on
59:33 yourself but on all your customers as
59:36 well right when you’re thinking about
59:38 The Insider threat that can happen
59:40 within your own
59:42 MSP bring your team together have that
59:46 conversation talk about it from top down
59:48 approach about why you want to protect
59:51 this stuff have the why conversation
59:55 right not just just the you know Johnny
59:59 you know don’t do this don’t do that you
60:01 need to be able to have the why
60:04 conversation around why this stuff is
60:08 important all right so uh hey if y’all
60:12 didn’t know we have a podcast head on
60:15 over to team tim. live click on the
60:18 listen and you can subscribe and listen
60:21 to this podcast while you’re driving
60:24 while you’re mowing the lawn while
60:26 you’re you know dealing with the cows uh
60:28 Dr Jesse uh you know so we now have all
60:32 these episodes heading on over into a
60:35 podcast format we’re waiting for the
60:37 Apple piece to get approved so we’ll be
60:39 on the we’ll be on the Apple F and the
60:42 spotle cast and the you know all the
60:44 different podcast areas so feel free to
60:48 head on over to the see the team Tim
60:50 live at the bottom and and do and do and
60:53 do the thing do the thing so thank you
60:56 everybody um next week real quick let me
60:60 pull this up here uh conferences are
61:04 they worth it um you know a friend of
61:06 ours uh G she’s been she anyways I won’t
61:09 get into all the grory details this is a
61:11 little bit of a Hot Topic a little bit
61:13 of a controversial topic right are they
61:16 worth it are they worth it from a from
61:18 an IT MSP perspective are they worth it
61:21 from a vendor perspective oh my gosh
61:24 there’s been and we’re about to dive
61:26 into conference season I know we’re a
61:28 minute over here but I think this is
61:30 really important do the like things the
61:33 subscribe things the listen things and
61:37 make sure you come on over next week and
61:40 listen to this uh episode about
61:43 conferences uh thank you everybody for
61:45 for being here and we’re out my friends
61:49 let’s do
61:52 this subscribe now