March 24, 2025 51 mins

Every dealership has fallen victim to a cybersecurity incident – they just might not know it yet. In this eye-opening conversation with Kevin Landers, IT veteran and cybersecurity expert at RocketWise, we pull back the curtain on the digital threats silently targeting equipment dealers across North America.

Forget what you think you know about hackers. Today's cyber criminals aren't lone wolves in hoodies targeting specific businesses – they're sophisticated organizations with marketing departments, R&D teams, and even customer service representatives helping their "clients" execute attacks. As Landers reveals, "If you can log into a Gmail account, you can suddenly become a malicious actor. That's how easy it is." These operations cast wide nets, looking for any vulnerability they can monetize.

Most alarming is how long these breaches remain undetected. According to Landers, the average intruder lurks in compromised systems for 290 days before discovery. This extended exposure explains why annual security assessments – though required by insurers and regulators – provide inadequate protection. One dealership declined a security review only to suffer a devastating breach six months later that took them offline for nearly a month and corrupted historical data essential for business decisions.

The conversation explores practical solutions for dealerships, including structured approaches to security assessments, vendor compliance reviews, and data protection strategies. Landers stresses that cybersecurity isn't just an IT concern but a fundamental business continuity issue affecting employees' livelihoods and customers' operations. For leaders feeling overwhelmed by the challenge, he offers reassurance: "Don't buckle to the overwhelm. It's a race that doesn't end, and you're just going to have to pace yourself."

Ready to strengthen your digital defenses? Listen now to understand the threats you face and the steps you can take to protect your business before it's too late.

Visit us at LearningWithoutScars.org for more training solutions for Equipment Dealerships - Construction, Mining, Agriculture, Cranes, Trucks and Trailers.

We provide comprehensive online learning programs for employees starting with an individualized skills assessment to a personalized employee development program designed for their skill level.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Aloha and welcome to another candid conversation.
Today we're joined by, I believe, an extremely good man,
Kevin Landers, who also is very knowledgeable in the world of IT,
and I want to broach with Kevin the subject of data

(00:24):
security and the fact that very smart people, bad actors, have
been hacking a lot of business systems around the world and try
and increase our understanding and knowledge of that world.
So with that as an introduction, Kevin, welcome aboard.

(00:44):
Maybe you can tell everybody a little bit about you and then
give us a read on what you think is going on with data security
and risk.

Speaker 2 (00:55):
Yeah, absolutely. Well, thank you for having me.
I can attest that there will be at least one additional person
that will listen to this podcast, and that'll be my wife,
because you specifically said I'm a very good man.
I think you said very good man, maybe it was just good, but
anyway, um very, very would work also there you go, um, but yeah,

(01:18):
so, uh, you know, I guess, uh, for my part, um, I have been in
IT for, oh man, longer than I'd like to admit at least 24 years,
oh gosh, longer than that.
So we'll just go with more than 25 years.
How about that?
And in the past, I guess, seven or eight years of that, our

(01:43):
company, our team over at RocketWise, we've shifted our
focus, our primary focus, to the equipment dealership space, and
that said, yeah, I mean cybersecurity.
You know it's been a hot topic.
There's tons of money being poured into and solutions being

(02:07):
poured into this space.
Oddly enough, on one end, you have all this money, need it, um,
who may not realize?
Or, uh, may be burying their heads in the sand, as it were?

(02:28):
Uh, to the need, um, so, um, you know lots to talk about,
lots of, lots of different avenues that could be covered
here.

Speaker 1 (02:40):
So let me.
Let me put another paragraph in front of that.
The 25 years prior to Kevin hitting the space, I was
involved running data processing shops, computer shops, running
software companies and back in the early days, for our concern,
(03:13):
most of the consultants that were involved in the space of
assisting businesses had served prison terms.
Today the world is the platform.
In my early years it was strictly North America.
So we have a very much more complicated situation to deal
with and, as Kevin is mentioning, there's all manner of money

(03:34):
being put into this, but the audience our audience, I think
has to have a better understanding of what's going on.
I think some of these men and women running these businesses
have been hacked.
It has cost them money, it has cost them data loss, it has cost
their businesses time.

Speaker 2 (03:59):
So some of them are sensitized to this, but the vast
majority don't really know what we're talking about.
Yeah, I mean, it's very true.
I mean going to events, whether it be an AED event or any of
the other associations out there.
You know, it's not uncommon to have this conversation.
Someone candidly revealed that, yeah, they've fallen victim to
something, whether that be gift card scams or phishing attacks

(04:21):
or whatever.
Have you ransomware, etc.
But at the same time, you get that mindset of but I don't need
it, I'm not a target.
So it's odd having conversations when those two
things are said in the same conversation.

(04:42):
But yeah, I mean, there's a reason why there are tons of
companies pouring money into this and developing solutions to
prevent all the things that are out there.
On the flip side, there's tons of money and effort being put

(05:03):
into the space of creating these issues, discovering
vulnerabilities that are out there that can allow someone to
take advantage of a company, and happy to take this conversation
wherever you like it.

Speaker 1 (05:09):
Well, go down that path.
For a second, does RocketWise offer a service where they will
come in and review a dealership for vulnerability?

Speaker 2 (05:23):
Yes, we will.
In fact, it's a core offering.
Actually, it's something that the FTC says you're supposed to
be doing at least once a year.
Cyber liability insurance providers also say that any
organization they're covering, 99% of them say that they have
to have that in place at least annually.
And so, yes, we do offer that.

(05:44):
We have different you know different levels of it, but the
goal is to come in, meet with executive leadership,
stakeholders in an organization, a dealership, take them through
some very high level Q&A maybe takes about 30 minutes going

(06:07):
through Q&A just ask them some questions about processes,
procedures, type of data they're handling.
And then after that, at the very high level, we execute some
scans on a handful of computers, pull that

(06:37):
data into a series of reports and then we have a follow-up
meeting to go over it, to do a report of findings.
We've never had a dealership where we haven't found something,
whether it's potentially something already in the system,
potentially someone having key vulnerabilities in place, people

(06:57):
where their passwords are out in the open.
[No transcript]
to business owners in these dealerships or

(07:36):
at least, like I said, key stakeholders, whether that be
executive or what, and you know, ultimately at the end of the
day, we're supposed to.
We have expectations.
We have expectations in all sorts of areas of our company
the sales sales department.
We have an expectation that our sales folks are smiling and

(07:56):
dialing, they're researching our prospects, they're researching
our internal accounts of our current clients, they're looking
for ways to serve them and that they're doing all these series
of tasks to bring in new business and or grow existing
business and doing all the things it takes to do that.

(08:18):
And we see that as a critical aspect of our business.
And so we have all these different metrics and different
things in place to inspect what we expect there.
Right? To know whether the team as a whole is hitting the mark
or if there's one or two individuals that need to go on a
PIP or however.
You've got that all structured and we do the same thing on the

(08:40):
service side and we do the same thing on the service side, part
side.
We've got all sorts of metrics and we know what we expect and
we know how to inspect it.
But IT is one of those areas that, even if we have internal
IT team members, if that's not a function that we're outsourcing
completely somewhere else, anyway, in both scenarios

(09:05):
leadership for the most part, has no idea what to expect.
They expect that they're safe.
They're expecting that their systems are up.
They're expecting their systems are in pristine condition, but
they have no idea how to expect that.
They have no idea how to actually, you know, uh, go

(09:26):
underneath the hood and make sure that things are the way
they should be.
It's not like we're walking out to a piece of equipment, um,
you know, unscrewing a knob and checking the oil.
Um, it's, it's much more complicated than that, and um,
so I would, you know, I'd say that probably, for the most part,
those folks are, they're intimidated by that.

(09:48):
I mean, you know, and that's one of the things we try to
eliminate tech speak, right, and put it in layman's terms, where
the rest of the world can understand outside of the, the
world of the geek, and and try to bring that down and help them
understand.
Okay, these are some of the things you should expect.

(10:09):
These are some of the things that, when you inspect that,
maybe you don't know how to inspect it, but this is an
indicator that that is good or that we have a problem there.
And so, whether we're doing that one-off for a dealer or
we're doing it on a recurring basis, again, insurance companies, FTC
say you know need to have it once a year.

(10:29):
Reality is, if you have a breach, on average the average
is that someone has been in your systems for 290 days before you
ever find them.
So basically, the FTC and cyber insurance companies go hey, you
should check it at least once every 365 days.

(10:49):
I kind of advise clients to inspect that more often, ideally
monthly, because the last thing you want to do is inspect
everything you're clean and then 365 days later you find out
somebody's been in there for 290.
And then it's a.

(11:10):
You know you're a day late anda dollar short.
So anyway, I'll pause there.

Speaker 1 (11:16):
So that's no, that's a good place to pause.
So this initial work with dealers that you perform at
RocketWise can be done remotely, correct?

Speaker 2 (11:27):
Yeah, the entire thing is done remotely.
Literally it's jumping on a call 30 minutes of time longer
if they have Q&A, if they have questions that we need to answer,
and then executing it remotely.
We simply send somebody things that they can click on the
computers and then, uh, the follow-on is like a again about
(11:51):
an hour call.
Uh depends on if there are a lot of questions.

Speaker 1 (11:54):
Let me label it.
I don't know what you call it, but I'm going to call it the
inspect what you expect review.
If I started day one with that phone call, day day one, how
long is it before you can give them back a report?
Is it five days, 10 days, two?

Speaker 2 (12:14):
months.
Yeah yeah, on average we can do it in about four or five days
from initial call.
As know, the part that's dependent on the equipment
dealer is that middle part which is running the utility on their
computers that does our scans.
And then it takes two business days for us to generate the

(12:35):
report, put a good bit of time into it.

Speaker 1 (12:37):
We're trying to, you know, present them with valuable
information and then like I said, a follow-on call. Okay.
So to help the audience that's listening to this, can I suggest
you write me a blog that defines and describes the
inspect what you expect service that you provide and, even
(12:59):
though it's going to be a bit of a promotional piece, that we'll
put it up as a blog in the form of explanation as soon as you
get it to us yeah, absolutely, I'll get our team on it the um.
So we have the inspect what you expect, an over an overarching
review to get a position placement as to where you are
(13:22):
and probably a risk assessment.
We also have, down that other channel playing catch-up, the
insurance industry trying to establish some insulation for
themselves against an insurance claim for damages.
The damages can be, as you said, gift cards as small as, but it
(13:45):
could also be invoices for machinery.
That's three, four or five million bucks that gets paid in
a complete scam, the ongoing.
So we have the inspect to inspect to expect program.
I would suspect that it would be a good idea for a service
from RocketWise to be in on a very regular basis, at least

(14:10):
weekly, randomly evaluating a system.
Do you do that as?

Speaker 2 (14:16):
well, solely talking about in terms of inspecting
things, then, yes, from a risk assessment perspective, yes,
from a, if you need security things in place, like antivirus
and MDR and XDR and EDR and I don't expect any of y'all to

(14:42):
remember that or even know what that is but there's a long list
of all the things you need to have in place that are actively
not only protecting your systems but sending alerts,
notifications to folks, departments that are looking
into those issues as they're reported to their systems, and
acting on them and uh, andacting on them, uh.

(15:09):
But on the inspect what you expect portion, um, yes, we
actually, uh, we do those actually monthly.
So we do monthly scans and then we either meet monthly or
quarterly with our clients to go over the results and if it's an
ongoing basis, we're we're literally reviewing.
Okay, in the past, this is what is what we had last time.
This is where the score was.
These were the 20% of the items that we said we would work on.

(15:32):
That would move us 80% of the way in a positive direction.
You know who are the stakeholders, who's responsible
for those items, what are the status updates on those?
Now, here's our new baseline for today.
Where we sit today, you can see these things have improved.
You can see that we now have new challenges ahead of us,
because security is a bit of a mirage.

(15:54):
You never arrive to a state of full security as soon as you do,
you know, take a second or a fraction of a second to pat
yourself on the back.
And now you got more work to do.
So you know from there it's OK.
These are the new challenges we have.
Again, what's the next 20 percent of the things that we
can do to get us 80 percent of the way there?

(16:16):
Where do we need to put our focus?
Who's responsible for that?
So someone inside of a dealership is another vendor.
Is it your dealer management system or your ERP?
Is an issue with that that we need to take to those folks to
get addressed?
Is it an issue with your OEM?
All right, probably that might be hard to accomplish, but there

(16:37):
have been times when OEMs have listened to hey, your entire
dealer base is exposed here because of this.
Thing needs a little bit of attention, needs a little bit of
being taken care of.
Same thing with the ERPs, et cetera.
But so, again, it's identifying who's responsible and what
things do we need to move forward and-.

Speaker 1 (16:58):
Right.

Speaker 2 (16:59):
Okay.

Speaker 1 (17:01):
So I'm going to bring it back into the dealership, as
you did that.
In the parts department, we have a daily knowledge of the
back orders that are outstanding.
On the service department, we've got a daily knowledge of
the work orders that are finished and haven't been
invoiced.
On the sales side, we get call reporting on finance.

(17:21):
The bill hasn't been paid.
So now the IT group or I'm going to call it technology generally
has the same kind of tools available, same type of metrics
available, to do this evaluation on an ongoing basis.
Who owns it?
What do we do?
How do we solve a problem?

(17:41):
As we find them and go forward.
Then let's move on to the other side of the table, the tools
that are there that we need to have there to protect us
somewhat.
So it's not the inspect what you expect anymore, it's
creating.
I'm going to call them firewalls, because it's a word

(18:03):
that people seem to understand but creating tools.
You provide solutions, tools that will stop hacking or
identify hacking or protect your passwords or the portals of
entry, whether it's an OEM manufacturer or a DMS provider,
irrespective.

(18:23):
And that complicates things because it's not internal
controls solely.
We sometimes have to have shared responsibility for these
things.

Speaker 2 (18:33):
Yeah, and I'll pause before I go to that rabbit hole
to just share.
This is one area where it kind of gets into policies and
procedures and all
of these businesses, these dealerships, there should be a

(18:57):
type of compliance program in place for them.
And part of that is going to be identifying what are the
questions that we need to have answered by all of our
third-party providers, whether it be our ERP, our OEM, our
phone company who put a phone system in our network, etc.
And they should be doing, at least annually, what is called a

(19:20):
self-assessment questionnaire for those vendors, and that's
basically having a standard list of questions you want to know
the answer to and putting it in front of your vendors so that
they answer them.
That's going to pay off if you're involved in any kind of

(19:40):
legal issue, i.e. insurance-related, FTC, etc.
But that's going to help you also gauge where your risk is.

Speaker 1 (19:51):
So stay with that for a second, Kevin.
Do you have such a questionnaire that you sell to
dealers to assist them, or that you would guide a dealer on
doing with outside third-party suppliers so they know what
needs to be done and how it's done, because you show them how
it's done?
Do you do that as a service as well?

Speaker 2 (20:14):
So, yes, so, as part of our compliance program, we
actually have a tool whereby we go in with the dealer, show them
how to input the information for all of their current vendors,
and then our system will actually automate the process of
sending and collecting the self-assessment questionnaires
from those vendors, and it will go ahead and send it annually.

(20:36):
So if you plug the vendor in, we get their answers, it's
stored in that system so that you have, you know, collected,
you know collection of those all in one central place and then
as far as yes, as far as selection, or even evaluating
your current vendors, we do assist with that.

(20:58):
We identify, you know, even if it's something like as simple as
Internet service, right, identify.
These are the things that we're looking for.
What's the problem we're trying to solve, you know, and what
are the, what are the questions we need to ask, and and so forth,
and basically coming up with a consistent way of evaluating
that um.

Speaker 1 (21:21):
So do you have any kind of a catchy phrase on that?
I'm going to call this vendor compliance reviews, but I don't
know what you call it.

Speaker 2 (21:30):
Well, that, specifically, is just this.
Well, I think you're talking about overall.
I don't that specific part of sending out the questionnaires
is just our third-party self-assessment questionnaire.
It's part of a larger offering our clients as a service

(21:51):
offering, which is basically overall.
It's a system that allows them to build out their policies and
procedures, keep track of them, revisions on them, the approvals
on them from executive leadership and basically also
putting those policies in front of your team members and making
(22:14):
sure that they've read them and collecting evidence that they
have.

Speaker 1 (22:17):
Okay, so let me try and put a wall around this thing.
What we need from a dealer or a distributor in the capital goods
space is.
We need a list of every single vendor that provides services to
the dealership, number one, and then number two, you have a

(22:41):
questionnaire developed that can be used with each of those
vendors specific to that kind of industry.
Example the telematics network, example, password management,
example, data dictionary.
So you have both of those things available. Vendor

(23:02):
compliance I'm going to call it vendor compliance review, for
lack of another term and specific then recommendations
that you make to address those problems.
Correct, yes, correct. Okay.

Speaker 2 (23:20):
The reality is that, even based on these
self-assessment questionnaires, you may very well get results
back that are not pleasant regarding that vendor, and it
may very well be that it's going to be impossible and or timely.
I mean, if they tried to resolve it, it would take a long time

(23:40):
to resolve it, and or the vendor's just not interested, or
you're not loud enough or noisy enough or represent enough
revenue to them to be concerned about it, and so you may still
find yourself in a position where you can't part ways with
that vendor.
You depend on them and you have to, and so it becomes a question

(24:03):
of all right, how do we put in other policies, other technical
controls or physical controls or whatever kind of control it
needs to to be important that you've identified those things

(24:23):
and that you've taken the time to document it, because, at the
end of the day, if there's a breach, hopefully you have
insurance that covers it, and when you call down an insurance
provider, you're going to want to make really sure that you did
everything you could to prevent it and that you documented it,
so when the insurance company is looking at it, they don't have

(24:43):
a reason to walk away from the table and leave you high and dry
and potentially turn around, like Travelers Insurance did in
the last year or so, and actually sue you for not
actually holding up to what you told them you were doing.
And then if you've got those things in place and you've

(25:04):
covered yourself as best as you can well you know then you've
done due diligence and that's the big thing is due diligence.

Speaker 1 (25:14):
Go ahead.

Speaker 2 (25:16):
Well, an example would be there is an ERP, a
dealer management software.
I won't name them, it wouldn't be hard to find them.
But they had a data breach and the FTC took them to task over
that data breach, leveraging the Gramm-Leach-Bliley Act, or

(25:46):
also known as FTC safeguards, because of a portion of that act.
Ultimately, they had a data breach and there was nothing
that any of their dealers could have done to prevent it.
They use that software period.
They use it.
They don't control it.
Now, ideally they could have had self-assessment questionnaires
in place and they could have gotten the best of answers and

(26:06):
at least they've done due diligence.
But on the back end the dealer management system provider the
high level of it is they were running out of disk space on
their servers.
So they asked a guy in the IT department to get extra storage
to make backups and move these backups off on the storage to
free up space.
So the guy did.

(26:27):
He went to basically the equivalent of a Best Buy,
a local retail establishment, bought a consumer-grade hard
drive that plugs into your network so you can back up over
the network, plugs it into their infrastructure, backs up
accomplishes this task, but what he doesn't know is there's a

(26:49):
software update for that device that patches a vulnerability on
that device and now that it's on the network it's accessible to
the Internet and poof.
All the data for several hundred dealerships and all
their customers got swiped, and so the FTC came down on them and

(27:09):
went after the actual dealer management system.

Speaker 1 (27:12):
We're in a place today, Kevin, that I
characterize it this way that we're 30 years behind on the
technology that's available being implemented, the things
that we're reading about today.
We're so far behind implementing those things

(27:34):
Artificial intelligence, machine learning, all of this stuff.
I'll give you just a simple example.
There's a thing up on YouTube from 1993 called BMW augmented
reality, which shows a technician walking out to a
vehicle, putting on glasses and being instructed what the repair
was, with a diagram of it.

(27:56):
And we could go.
I mentioned this to you last week.
We can go across a hundred dealers and find nobody using
that.
That's 30 years old already.
Yeah, that having been said, these third party vendors, they
are in the same place that a dealer is, except their

(28:16):
influence is orders of magnitude greater.
So let me just freeze frame there for a second.
There's some very smart people on this planet that are in
jurisdictions that we're never going to be able to touch, that
have found means to make money by doing illegal things, and

(28:38):
that's not going to stop as long as that genie's out of the
bottle.
There's going to be more and more people, and we're never
going to be smart enough to be able to avoid everything but
those things that we are aware of and there are many of them
and you deal with them every day.
There are tools that we can employ that will reduce our risk.

(29:00):
Really, all this is is risk mitigation, and there almost
needs to be a body, a person, a function.
You know, chief technology officer is a term that's bandied
about.
I think that's going to be commonplace.
There'll be somebody in a dealership or businesses in
general within five to 10 years who has responsibility for this.
Today, there isn't.

Speaker 2 (29:21):
There isn't.
I mean well, for the most part there isn't.
I mean kind of to your point that these things are not
necessarily new.
Even this position is not really new.
It's just slowly making its way into.

(29:42):
That's a position that's been out there for quite a while,
where you know there's an individual or team of
individuals that are solely focused on the security of you
know, the information that you possess.
So I wouldn't even say this really even should fall to a CTO
or an IT manager, IT director.

(30:04):
This is more specialized, needs to be more specialized, because
it's something that goes beyond you know.
Do you know how to set up a printer?
Do you know how to set up a network?
Well, the question becomes do you know how to secure those
things?
You know and do even more beyond that.
You know and, to your point, on the other side of this, the

(30:25):
flip side, the malicious actor side of it, you know you're not.
We have this idea.
I mean you Google hacker, go to images.google.com, type in hacker
and it's all dark rooms with somebody in a hoodie and their
face is blurred or they're wearing one of these white masks

(30:47):
or whatever, like they were in an episode of Scream or
something, and we have this idea that it's this guy sitting in a
dark room who's going.
Who am I going to attempt to attack today?
Oh, Acme Machinery.
That's my target for today and his whole focus for the next

(31:10):
indefinite amount of time is solely hacking into Acme
Machinery.
And this leads into people at like Acme Machinery going I'm
not a target, nobody's interested in my company,
nobody's coming after me.
Well, that's true.
Nobody's interested in your company.
They're interested in dollars.
Your company just happens to have dollars and they may not

(31:32):
have targeted you because today you have these sophisticated
businesses.
I mean, yes, there are nation states who have teams and all
this sort of stuff.
Sure, let's put that all in a box over to the side.
There are basically businesses where they have, you know, sales,

(31:53):
a marketing team, they have a research and development team,
they have a customer support team.
They have all these different teams like a well-established,
organized business and they're in the business of developing
malicious tools.
And some of that is used directly against folks, directly

(32:16):
in a malicious way.
Some of it is let's just use our systems to gain access to a
plethora of computers out there and then let's actually set up a
software as a service subscription model whereby, if
you're a 14-year-old kid that's bored at home during the summer

(32:39):
and you have access to mommy or daddy's credit card or Apple Pay
account, simply set up your own little account over here in our
software solution and, for you know X amount of months, we'll
give you access to 100 computers and you just tell us what you
want to do.
Do you want to do ransomware today?
Sure, okay, great, we have access to these machines.

(33:01):
We're just going to deploy ransomware for you and you
basically don't have to know how to do any of this.
Ron, if you can log into a Gmail account, you can also
suddenly become a malicious actor.
That's how easy it is.
And it's even easier because if you try it and it doesn't work

(33:21):
they have customer service people.
They have better IT support than most Fortune 500 companies
where you literally just call in and they chat with you and they
go.
Hey, so sorry, you're having a bad day and you're not breaking
in the money from your ransomware activities.
Let us hop right in and see if we can help troubleshoot this,
debug it, fix it for you and get you back on your merry way and

(33:43):
they will even give you your money back if it doesn't work.
So you know it's a business model and it's.
You know we can take it back to the ag world.
It's that old broadcast method.
You know you want to plant grass, you don't.
You know you don't plow a row and put in individual seeds, you

(34:05):
just cast seed out everywhere, right, I mean, okay, there may
be more to it, but you cast all this out or take it to a shotgun
approach.
You put in a shotgun shell.
You don't aim for a bullseye, you aim in the general vicinity
and you send out all these pellets.
That's how they approach this malicious activity.

(34:25):
It's not, hey, I want to hit Acme Machinery or I even want to
hit the machinery equipment dealer space in general.
It's, I just want to hit computers.
And so if I can detect issues out there, if I can spread
through email and breach your email accounts, then great, and
then I can send all my stuff out and once we get a fish on the

(34:49):
hook, then I can look in to see exactly what kind of fish it is.
Is it a trout, is it a bass?
Is it a CFO at an equipment dealership?
Is it a CEO at an eye company?
And then I can research it further.

Speaker 1 (35:05):
I'm going to dig in deeper than that.
Even I'm going to start from a database and the fact that we
have data all over the place in our dealerships and we don't
have any control of the data.
Nobody owns a particular data field.

(35:25):
Then we bring in different software businesses to interact
with our database.
They have their own databases.
So, as an example, a customer profile example, and I'll have a
call reporting system, I'll have a marketing system, I'll
have a market coverage system and I'll have three different
(35:50):
pieces of software.
They're all updating a file, all updating a data field, yet
they don't communicate with each other.
So my data analytics, which have become really critical in
this world of artificial intelligence, are flawed.
I don't have accuracy or control on my data.

(36:12):
So data security is a piece, the data analytics is another
piece.
Data dictionaries, I mean.
There's a whole host of things here.
We've been concentrating on selling equipment.
That's where this whole world started and I'm trying to make
the guy who's on a shovel I'm trying to make his life easier
by giving him a machine. Terrific.

(36:34):
I did that, but then I got into the situation.
Well, this guy needed to understand how to fix that
machine.
So he either fixes it or he hires somebody to fix it for him.
Now I'm exposed because I got somebody other than the owner
messing with something.
So here I've got a business, I run it manually and then all of

(36:57):
a sudden I bring in a dealer management system and a lot of
those folks anymore don't understand the business that
they're providing the software for.
So let me name names for a minute here.
We've got Microsoft in it, we've got Oracle in it, we've
got Infor in it, we've got SAP in it, we've got JD Edwards in
it, we've got big players and every single one of those, as an

(37:19):
example, they're all clients of mine and they make their money
consulting.
They don't make their money in selling the product.
They make their money in adapting and adjusting that
product to fit the dealer's needs.
But nowhere in there does either side to your comment on
this insurance industry vendor compliance.
Nobody looks at that.

(37:41):
Nobody looks at that.
And I don't know, if I'm looking at your space, how many
people are out there competing with you?
There's some big majors, but not very many people are
specializing in your area of expertise, are they?

Speaker 2 (37:57):
Uh, not within our.
Yeah, no, they're not and?

Speaker 1 (38:01):
And the other side of that is how the hell do you get
your message out there through vehicles like this, through
associations or meetings, annual conventions, etc.
But I, I'm, I'm one of these idiots.
I want to help you get that message out there.
So let's, let's have you write a blog post on the inspect what
you expect, and we'll start with that one and get it out there.

(38:24):
I put one up last night called people over profits, which we
talked a little bit about yesterday or last week, where
I'm a little bit annoyed at myself as well that the
standards and metrics that we use in the industry haven't been
touched for about 30 years and the world has changed.
So I've committed to next year, I'm going to update all of that

(38:47):
stuff and put it out on available for people.
Part of that has to be and it wasn't in those days, but part
of that has to be data security.
So I'm going to be coming back to you over the next couple of
months and saying, okay, we need to have a chapter, we need to

(39:08):
have a section on IT, which we don't have.
Another thing that I would submit that needs to be looked
at there's consulting companies out there, like what I used to
do that go out and do dealership reviews.
It's a finite number of people that do that.
Some of them are big names. Everybody knows Accenture,
McKinsey, those types of folks but it's the ones that are out
there at the ground level that are important to me and you,

(39:32):
because they don't do any data security or risk compliance
reviews when they do those dealership operational reviews,
and that should change.
Yeah, agreed, I hope this is going to be the beginning of a
change in perspective for owners and the executive suite in all

(39:55):
distributors and OEMs.
I had a client last year who had their system disabled for
over a week.
They could not use the system for over a week because the bad
actor was able to get in through a modem on the network because

(40:18):
there was no shielding on the modem.
I had one of my former employers not have the ability
to do invoicing for the parts business for several months in a
multi-billion dollar business.
I had a case where I had to runa parts business at over 50

(40:40):
stores manually because the hard drive had a warped platter in
it and could not function.
We have no idea how vulnerable we are to technology.
We really literally can't doanything without a computer
being involved.

Speaker 2 (40:59):
Yeah, well, and there's such a demand for cloud these days.
Everybody touts cloud.
Cloud really is just a fancy marketing person's way of saying
data center.
Your data's sitting on a server in somebody else's data center
right, and somebody else's data center right.

(41:22):
And now we think, if we go to the Google or we go to the
Microsoft or the Amazon of the world, that it's all taken care
of for us.
But again, it's sad to inspect what you expect because it's not.
If you actually read the end user license agreement, when
you're signing up that agreement that you're saying, hey, I'm
the end user, this is what I'm agreeing to.

(41:48):
Microsoft and Google both tell you, hey, we don't back your
data up, we have our own backups.
And if the fans were to turn brown, all of our services go
down.
We're going to go to those backups, we're going to try to
restore services from those backups.
And if all of our services come up, great, that's awesome.
If your data happens to be there when you log in, wonderful.
If it's not, eh, not our problem.

(42:10):
We told you you needed to back it up and you would think, okay,
well, it's Google, it's Microsoft, and what are the
chances?
Well, you know, back last month there was a over a billion
dollar organization overseas that somebody in that works at

(42:32):
Google.
Basically, I mean the 500,000 foot view of it is they deleted.
They flipped the switch, deleted data and you know that
companies whose revenues in the billions.
Their data was gone.
Fortunately someone had backups going to a system outside of
Google so they were able to recover, but they were down for

(42:54):
a good bit.
So you know, it's one of those things I mean it's just yeah, we
do have a lot of people touching our data these days.
I mean I would just yeah, we do have a lot of people touching
our data these days.
I mean I would be surprised if there's a single company out
there, a dealer at least, that doesn't have someone externally
touching their data.
Interesting, it's just not the world we live in.

Speaker 1 (43:15):
Yeah, interesting little comment Learning with
those scars, our employee development education business.

Speaker 2 (43:21):
Learning Without.

Speaker 1 (43:23):
Scars.
Our employee development education business, Canada will
not allow anybody who deals with a school to have a server that
is not in Canada.
It's the only country in the world in which that exists.
Now I've had discussions with them.
Our server now is in Canada, so we don't have to worry about it.

(43:44):
But when I'm talking to the government I say, well, how do I
know where the server is if it's on the cloud?
And that just gives you a small illustration.
The other thing about the data backup you're talking about my
daughter and I are the principal owners of our classes and she
now has a 5 terabit and I have a 5 terabit disk drive that we

(44:06):
back everything up every week, both of us, her computer to hers
and my computer to mine, so that we're covered.
Because, God forbid, I would have to recreate that.

Speaker 2 (44:22):
I'm not going to live another 70 years to do it those
hard drives are in different locations there, right, yeah,
that's right.

Speaker 1 (44:28):
That's exactly right, so I think this is an important
subject, Kevin.

Speaker 2 (44:34):
I think it's a critical subject.

Speaker 1 (44:47):
I really appreciate the time you're spending with us
and I appreciate your knowledge, and I want to try and extend
your reach a little bit further into the industry, if you don't
mind.
I'm sure you won't.
So let's let's view this as the starting pistol going off on a
race that's probably not going to be ever ending, because the
bad actors are just as smart as we are and they find places
before we do.
That's for downshifting.

Speaker 2 (45:04):
Absolutely.

Speaker 1 (45:05):
Have you got any kind of closing remarks you want to
throw?

Speaker 2 (45:08):
out at the audience.
No, I mean nothing more than just you know, ultimately, you
don't have to.
You can't accomplish all this overnight.
Don't be discouraged or overwhelmed by it.
If you're listening to this and go, man, we've got more issues
than a Reader's Digest with regards to our IT.

(45:29):
Don't buckle to the overwhelm.
Don't buckle to.
You know, it's just too much to do.
This is to your point.
It's a race that doesn't end and you're just going to have to
pace yourself, and so it's just taking, taking small actions

(45:49):
today, the things that you can do today that get you 80% of the
way there, and um, and just keeping after it and being
diligent about it.
Um, I guess, if I were, you know, in leadership, it may not be
that the equipment dealers are making headlines for being taken

(46:12):
to task by the FTC for data breaches or local state
governments for data breaches.
They may not even be making the headlines for breaches with
insurance companies, and if that's true, then fine, that's
great.
But if that's your only reason for doing it, then for not doing

(46:36):
it is that you know they're not making headlines.
I think it goes back to if you're being a steward of the
organization, you've got to pay attention to this aspect,
because this is the one aspect that whoever is in charge of IT,
whoever is managing it, if it's done wrong to your point, it

(46:56):
can take a company out of commission.
It can close the doors of a company for the most part or put
them way behind.
There is a dealership I literally called and offered the
risk assessment one day no, we're good, we have no interest
in it.
Six months later they were down for almost a month because of a

(47:19):
data breach.
And you know, some companies don't recover from that.
That's right.
That's right.
I spoke to someone later about it and they were like you know,
looking at our data.
You know we look back and we're looking over our trends and
there's a whole month to two months because there's another

(47:40):
month of recovery where they were doing things manual and now
they had to key it all in.
It's like there's two or three months of our data.
That makes no sense.
We can't make any business decisions off any of that data
because none of it's right.
It's a whole black hole for a single month.
And so my thing is just you know, if you're in leadership,

(48:01):
realize this can take the company out, but, more
importantly, it's going to affect those folks who work for
you, their livelihoods.
It's going to affect your clients, who depend on you to be
there to keep their equipment running so that they can serve
our communities.
It goes beyond to your point people before profits.
Yes, at the end of the day, we're all running a business and

(48:22):
the goal of running any business, even a nonprofit, is
to make profit so you can keep doing things.
But the ultimate goal, the ultimate purpose of that really
should be the people we're serving and the way in which
we're serving them, the problems we're solving for them, and I
think that in itself should be enough to make somebody go.
You know what?
I need to take a look at this one aspect of our company where

(48:47):
we don't.
We have a blind spot.
We don't know what to expect and we do not know how to
inspect it, even if we did.

Speaker 1 (48:53):
I'll give you one very simple illustration.
In the 70s I'm running a computer shop, two computers
supporting, I think it was, nine stores, maybe 11.
And we went online and we had to be concerned with recovery.
So bring it out into today's world and you have a power

(49:16):
outage and the power goes out for 30 minutes.
So the power comes back.
At what point was the data last accurate when the power went out?
And where do you restart the business from that point forward?

(49:39):
Because I've been operating manually for the last 30 minutes.
I have to re-enter that.
In what sequence?
Because my on-hand will be out, my credit limit will be out,
all manner of things we don't even know today.
Every single dealership is subject to power outages.
Where their computer center is, every cloud location, every
server everywhere is subject to a power outage.

(50:01):
I haven't heard anybody tell me definitively what their
checkpoint recovery system is.
Ask that question alone, and it causes some eyebrows.
Kevin, thank you very much for this.
I appreciate it.

(50:23):
I hope the audience has appreciated it.
Those of you that are interested in this keep your
eyes peeled.
Kevin has written as a contributor for us in the past,
but will be in the future, and we'll be posting this podcast
somewhere in the next week or so, and hopefully we get Kevin up
to give us another blog before that time passes.
So thank you everybody, mahalo, and I look forward to having
you with us at the next Candid Conversation.