Smart Tech Spending
Smart Tech Spending is a podcast designed to help growth-driven businesses and mission-driven nonprofits gauge the success of their technology investments and overcome the challenge of measuring their tech ROI. Hosted by Nicole Lefsky, cofounder and managing member of Jersey IT Group, each episode features an interview with an executive or thought leader discussing topics like: Are you spending too much or not enough when it comes to technology services? How to avoid unplanned tech expenses? What technology drives profitability? This show is ideal for business owners, managing partners, CFOs and office managers who oversee technology spending for their companies.
Protecting Profits from Cyber Scams with Michelle Schaap
In this episode of Smart Tech Spending, I’m joined by attorney Michelle Schaap of CSG Law who shares examples of how businesses can ward off financial and reputational damage resulting from popular email scams and discusses the legal obligations businesses and contractors have regarding the protection of information and breach notification.
What you’ll learn in this episode:
- The real-life financial impact on two businesses after an employee fell for a common email scam
- How company policies and staff training can help prevent miswiring of funds and financial loss for small and medium businesses
- The importance of a Funds Transfer Policy
- Who is responsible if a contractor or vendor in a supply chain is part of a breach
- Breach notification requirements for businesses in New Jersey
Michelle Schaap’s Bio
Michelle Schaap is the founder of Chiesa Shahinian & Giantomasi PC's Privacy & Data Security Group. She regularly advises on cybersecurity preparedness, counsels when data security incidents arise and trains companies on best practices for security procedures addressing both their business operations and their customers’ concerns. Michelle is a subject matter resource on cybersecurity and privacy for the New Jersey Small Business Development Corporation. She is a sought-after speaker and has authored numerous articles to educate business owners on privacy and cybersecurity risks and obligations.
Resources
Connect with Nicole Lefsky: https://www.linkedin.com/in/nicolelefsky
Jersey IT Group's Website: http://www.jerseyitgroup.com
Connect with Michelle Schaap: mschaap@csglaw.com
Michelle Schaap’s Phone: 973-530-2026
Michelle Schaap’s LinkedIn: https://www.linkedin.com/in/michelleschaap
CSG Law’s Website: https://www.csglaw.com/
Mentioned in the Episode
NJCCIC (New Jersey Cybersecurity & Communications Integration Cell) https://www.cyber.nj.gov/
NIST (National Institute of Standards and Technology) Small Business Cybersecurity Corner https://www.nist.gov/itl/smallbusinesscyber
SANS https://www.sans.org/
CIS (Center for Internet Security) Controls https://www.cisecurity.org/controls
Protecting Profits from Cyber Scams with Michelle Schaap
[00:00:00] Michelle Schaap: And I will tell you what a lot of our clients - we're instructing our clients to do now is to make sure that when you're negotiating contracts, the contracts say, these are how we are going to make payments, whether it's by check, whether it's by wire, however funds are being transmitted, that the contract says, if you receive notice of a change, you must pick up the phone and this is who you must call to confirm a change in payment terms. And if you fail to do that and you then make payment in response to a phishing email or a spoofed email or what have you, you and not we are responsible.
[00:00:41] Jersey IT Group: You're listening to Smart Tech Spending, a podcast designed to help businesses gauge the success of their technology investments. If you're looking to overcome the challenge of measuring the ROI of technology tools and services, avoid unplanned expenses and uncover hidden costs, you've come to the right place. Let's get into the episode.
[00:01:04] Nicole Lefsky: Hi and welcome back to Smart Tech Spending. I'm your host, Nicole Lefsky, managing member of Jersey IT Group. Today we are here with Michelle Schaap of CSG Law in West Orange, New Jersey. Michelle is the founder of CSG Law's Privacy and Data Security Group. She provides legal counsel when data security incidents arise and assesses risk management practices and advises on security incident preparedness. She's authored many articles and participated in extensive discussions around related topics, especially the consequences of a breach, which we're going to be talking about today.
[00:01:40] Michelle, welcome.
[00:01:42] Michelle Schaap: Thank you so much, Nicole. I'm happy to be here.
[00:01:45] Nicole Lefsky: Well, we're so happy to have you and have you shed some light on some topics that I don't think have been discussed in the depth that we're going to talk about them today. So I'm really excited to get into it with you. We had a little conversation before today's call, and I just want to share with the listeners some of the topics that we're going to be reviewing.
[00:02:02] One is the legal obligations for businesses in New Jersey regarding breach notification. We'll be discussing who is responsible if a contractor or vendor in a supply chain is victim of a breach, which may surprise some of our listeners and your legal recommendations to the degree that you can share them from your experience for businesses in New Jersey.
[00:02:24] Now, with the rising number of cyber attacks, businesses of all sizes are targets, and we know that especially small and midsize businesses who may not realize that they're a target are really vulnerable, because they don't have the infrastructure in place or process or budget allotted to protect and recover from a cyber attack.
[00:02:45] When we spoke earlier, we talked about evolving threats and you mentioned that most businesses don't think about wire fraud and the ramifications of wire fraud. And you shared a story with me. I wonder if you could share that story of a wire fraud incident that you experienced on behalf of your client and enlighten some of our listeners about the role of the subcontractor, the role of the main company, and the impact on them.
[00:03:14] Michelle Schaap: Absolutely Nicole. And when we talk about wire fraud, what we're talking about is people missending funds. And that could happen in the context of a real estate transaction. It could happen in the context of the sale of a business. It could happen in the context of simply paying a vendor. And what people are not realizing is how easily their employees are duped.
[00:03:39] So let's suppose that I hire you, Nicole, and this scenario is similar to what happened to our client that we discussed. And I should also give you the backdrop that in this particular context, our client was doing a project for a government entity, and in the context of the contract with the government entity, there are representations and warranties as to the cyber preparedness, not only of the direct contractor, but also its subcontractors.
[00:04:07] With that backdrop, I'm the client, Nicole, you're my subcontractor, and we're working on this government project. I owe you a million dollars for part of the work that you've done for me. And the way that we have transacted business in the past is I've written you a check. I get an email from you that says payment for December's overdue. Please send a wire and here are the instructions. Well, I feel bad you haven't gotten payment. So I send the wire. A week later, you call me and say, Michelle, where's the million dollars? And of course I respond, What do you mean? I wired it to you last week. Here are the instructions. Well, lo and behold, in this scenario, our client's subcontractor had been compromised.
[00:04:55] The Nicole of this story had been breached. They didn't realize they had been breached, but my client, the Michelle of this story, didn't do the basic, simple thing of picking up the phone and calling Nicole and saying, did you guys want us to wire these funds as opposed to how we had been doing business for the last three months?
[00:05:17] Well, here's the problem with this. Nicole's company, or our subcontractor, is out a million dollars, my client has already paid the million dollars, Nicole expects to still get her million dollars. And by the way, says, Oh, and if you don't pay me, I'm going to stop performing. And you have to explain this to your customer, the government entity, because you can't not report this.
[00:05:43] And by the way, in this particular scenario, the subcontractor said, if you don't figure out how to pay me, I will be reporting it to the government entity. So even if our client was not inclined to disclose the information, they were being threatened by their subcontractor to be outed. Now, of course, in this scenario, the subcontractor isn't necessarily doing themselves any favors because they were the one that were breached, but, what limited case law that's out there, and it is very limited - it says that the party with the last opportunity to prevent the fraud, the me in this story, or my client who could have picked up the phone and said, did you change these terms, all things being equal, the court will hold that party more accountable, even though it was Nicole's system that was compromised.
[00:06:32] And the tricky thing is depending on, first of all, it assumes that you have cyber insurance or crime coverage, but even if you did, it wasn't my system that was compromised. So cybersecurity insurance would not cover that. And it wasn't Nicole's bank that allowed this to occur. It wasn't my bank that miswired the funds.
[00:06:55] And so it becomes a lot of finger pointing. What ultimately happened, there were certain concessions made. There was additional monies paid by my clients on top of the million dollars. And then there was also an agreement going forward to send additional work Nicole's way so that she had a promise of future income and maybe building into her bid, the lost monies, but it was a real problem. And again, we still had to explain to our mutual client, the government agency, what had happened. And especially with a government contractor, if you're responding to future RFPs, you have to disclose if you've had issues, not only in that agreement, but in a new scenario.
[00:07:42] So even though, and I know we're covering a lot of topics just under one scenario, but New Jersey doesn't have a proactive piece of legislation. There's no law in New Jersey that currently says that you as a business owner in New Jersey have to take measures to protect personally identifiable information. This scenario, this wire fraud scenario has nothing to do with the compromise of personally identifiable information. It has to do with what's called business email compromise.
[00:08:10] And in this particular case, because Nicole's systems had been compromised, it wasn't a question that somebody was masquerading themselves as Nicole. They had injected themselves into Nicole's environment and were sending emails that were being forwarded and intercepted. The other thing that was interesting to note is that there were people copied from the subcontractor's company. Their emails were not legitimate. They were spoofed emails. But the party sending the email saying, "We have new wire instructions for you," that was in fact Nicole of this story. Because there was a man in the middle that had set up a rule to forward and intercept Nicole's emails. And that's something else that wasn't happening on either side. Nobody was looking to see if rules were set up to intercept email. And I will tell you what a lot of our clients, we're instructing our clients to do now is to make sure that when you're negotiating contracts, the contracts say these are how we are going to make payments. Whether it's by check, whether it's by wire, however funds are being transmitted, that the contract says, if you receive notice of a change, you must pick up the phone and this is who you must call to confirm a change in payment terms. And if you fail to do that, and you then make payment in response to a phishing email, or a spoofed email, or what have you, you, and not we, are responsible. Sometimes we get all of that into a contract, sometimes we get some of it into a contract, but you've got to be cognizant of it.
[00:09:51] And you have to train your personnel to understand if they get an email that says payment instructions are changing, even if the contract doesn't say it. Cyber 101, pick up the phone and verify.
[00:10:05] Nicole Lefsky: Right. Verify. So critical. Now I'm curious on, in this situation with this particular company, was the bank able to recover any of the funds that were obviously rerouted to a bad actor's account?
[00:10:23] Michelle Schaap: So the problem with miswired funds is that if you don't contact the transmitting bank within at most 72 hours, preferably within 24 or 48, the odds of you getting the funds back are somewhere between slim and nil. In this case where a million dollars were miswired and we discovered the fraud within seven days, $35,000 was recovered.
[00:10:50] That's a huge hit for two small businesses in this transaction.
[00:10:55] Nicole Lefsky: Absolutely. And it behooves any company to take a look at their own supply channel and look at their own subcontractor relationships and see how information is currently communicated. My question for you is, what is a policy that you would recommend, or two policies that companies should implement today?
[00:11:16] You alluded to one, or indicated one rather, where you said that you've recommended that your clients revise their engagement agreement to reflect responsibility and what the process looks like if a change in payment should be made, that request process, is that the first thing that a company should look at doing, what their current contracts look like, and maybe adding or amending them?
[00:11:40] Michelle Schaap: That certainly is one step to be taken. A policy to be adopted internally is to talk about how wires can be authorized. And how wires or any form of payment need to be confirmed and training your personnel to that policy. As I tell my clients, the only thing worse than not having a written policy or procedure is following that in the exception.
[00:12:06] So for this particular client, we developed a Funds Transfer Policy. What the internal folks needed to do if they receive new instructions or contrary instruction and how that needed to be confirmed and in what fashion before funds would be wired. The other thing that some businesses are doing is actually putting it directly on their invoices.
[00:12:32] And saying, if you receive contrary payment instructions for this invoice, please call so and so. Now, of course, the tricky thing is that you could be getting a fraudulent invoice. So, what I tell my clients is, if you are smart enough to pick up the phone and verify, use the known phone number. Not the phone number on the new payment instructions, because if that's in fact a spoofed email, that's going to be a spoofed phone number.
[00:13:01] Nicole Lefsky: Great advice. Great suggestions. I don't think that many businesses necessarily think about the aspect of wire fraud, and I think they innocently think that their cyber policy will cover anything and everything, regardless of the source of the breach and who it impacts. So thanks so much for sharing that perspective.
[00:13:20] When you and I spoke a few days ago, you had also mentioned about New Jersey companies, their legal responsibility pertaining to breach notification.
[00:13:30] Michelle Schaap: So when we think about breach notification obligations - first of all, the obligations focus on personally identifiable information, sensitive personal information, protected health information, depending upon the type of business.
[00:13:45] So just going back to the first scenario that we discussed, let's suppose that confidential business information had been compromised. That wouldn't be triggered or require a notification under New Jersey's breach notification law. It might be an obligation to notify under the contract, and in this case it was. But it's not a question of reporting to a regulatory agency.
[00:14:10] But if you're a New Jersey based business, or if you have employees in or customers in New Jersey or former customers whose personal information you have, and that information is compromised and it's not encrypted. Or, it's encrypted and the decryption key is also compromised, there's a duty to report that information, not only to the state, but also to the impacted individual.
[00:14:37] And here's the problem, so let's suppose we're based in New Jersey. But we have employees in New York, we have employees in Connecticut, we have employees in Pennsylvania, and just to make life interesting, we have employees in Massachusetts. You have different breach notification obligations depending upon where that victim is located, not where your business is located.
[00:15:00] And so when you're responding to a breach, you need to be aware of where the victims are and what the timing triggers are in each of those jurisdictions. You would need to first determine that personally identifiable information as defined by each state's law, because 50 different states define personally identifiable information differently, whether that information has been compromised and whether or not it was encrypted. Because if that data were encrypted and the encryption key were not also compromised, then you wouldn't have a reportable breach. So for New Jersey, if I'm an employee of yours and you are compromised and you confirm that my name and social security number were compromised, you would have to notify law enforcement and then notify me unless law enforcement said, hold off, we want to investigate further from a criminal standpoint before you let the Michelle Schaaps know that there was a compromise. Different states have different obligations. There may be an obligation to notify individuals first before law enforcement or concurrently. Some states say you don't have to notify law enforcement unless it's over a certain number of individuals that were compromised. So you really need to understand which states' laws come into place.
[00:16:23] In addition to worrying about personally identifiable information that may have been compromised, you also have to consider whether contractually you have an obligation to notify customers. So, let's suppose now it's not personally identifiable information, but in fact, let's say that you're a marketing firm and you're helping one of your clients launch a brand new product that's never hit the market before - it's the next wheel. And now you get compromised, probably under your confidentiality obligations with your agreement with that client, you have to notify that client if that information has been exposed.
[00:17:02] And here's the other tricky thing. New Jersey does not currently require you to provide credit monitoring services if you have a data breach, however, Connecticut does, Massachusetts does, and several other states do as well. So let's suppose that I'm an employer here in New Jersey, but I have employees in Connecticut and Massachusetts as well. If they start comparing notes with the employees here in New Jersey and the New Jersey employees say, Oh, you know, it really stinks that we had this breach and now I have to deal with notifying my credit card companies and I have to file paper returns and so on and so forth. And the employee in Massachusetts says, yeah, but Michelle's a really nice employer because she's given us two years of credit monitoring services and the New Jersey employee says, huh, because you didn't treat your employees equally because New Jersey law doesn't require that. Now, you've got a morale issue.
[00:17:57] Nicole Lefsky: A lot to think about. With the increasing number of remote workers and companies being located physically or their address being located in one state and having employees and customers in other states, that isn't something that one necessarily thinks about. And it's something important to take into consideration.
[00:18:16] Now when you and I were communicating before this interview today you had mentioned common law practices. Could you expand a little bit on that in terms of what's expected?
[00:18:28] Michelle Schaap: Absolutely. And actually, if you don't mind, before I expand upon the common law obligations, let me just go back and finish out the thought on the breach notification.
[00:18:37] Because, again, depending upon the states that apply, different states may actually mandate what the notice includes. So, going back to the example of G-d forbid your company were compromised, if you had employees whose personally identifiable information was exposed and they lived in California, California would dictate the form of notice. And if those employees were located in Massachusetts, depending upon the type of information that were exposed, you would also have to provide credit monitoring services.
[00:19:11] Going back to common law obligations. And the reason why that matters for New Jersey businesses is because unlike, I think we're up to 10 or 15 states now that have a proactive piece of privacy or cybersecurity legislation, New Jersey still does not. So unlike California, New York, Colorado, Virginia, Tennessee, Minnesota, Texas, Florida, the list goes on, New Jersey still doesn't have a proactive piece of legislation. However, New Jersey courts have recognized the common law duty to protect against foreseeable harm. And what the courts have said is that once you are collecting personal information with regard to individuals, you then have a proactive duty to take reasonable care in obtaining, securing, safeguarding, storing, and then securely disposing that information.
[00:20:12] And that obligation applies not only to the company, but if the company then engages a third party vendor to process that information in any way, that duty continues. So not only is there a proactive duty to maintain and secure that information within your own environment, but if you entrust it to a third party vendor, you have to vet that third party vendor and make sure that they're perpetually applying reasonable measures, so long as you've entrusted that information to that third party vendor. Many New Jersey businesses are vendors to businesses that are subject to proactive legislation, whether it might be HIPAA or Gramm Leach Bliley, under the New York SHIELD Act, under the New York State DFS regulations.
[00:21:00] They may all impose obligations on the vendors to regulated businesses. What businesses in New Jersey need to ask themselves... and by the way, their customers may be asking them already is... Are you a vendor to a regulated business? Are you a vendor to a healthcare provider? Are you a business associate to a healthcare provider? Are you a vendor to a company that's subject to Gramm Leach Bliley? Are you a vendor to a company that's subject to the New York state DFS regulations? If you're a third party vendor to a regulated entity that has proactive obligations under the laws to which they're subject, they're going to be imposing obligations on the New Jersey business, even without a New Jersey proactive law in place.
[00:21:51] As far as the legal actions in New Jersey, just by way of example, In re American Medical Collection Agency, and the citation for that is civil action 19 MD 2904 26-27 District of New Jersey, December 16, 2021, and that particular ruling again talked about the obligations of businesses to take reasonable measures to protect information that they are collecting, processing, using or sharing with a third party vendor.
[00:22:32] As to what those reasonable measures look like, and this is just by way of example and not an exhaustive list, you want to be training your personnel as to how they should be handling that information. What they should and should not be clicking on. You should have appropriate password protocols so that passwords are not 1234567, but rather robust passwords. Passwords should be not reused or rotated. You should also have multi factor authentication. Encryption of sensitive information and by the way, there's different levels of encryption. There's 128 bit encryption, which is generally a free solution, but not as secure as 256 bit encryption.
[00:23:17] Companies should think about patching systems and devices on a regular basis, and to the extent that they have a BYOD policy that is allowing employees to use personal devices to access the business environment, that patching protocol needs to apply to those personal devices as well.
[00:23:38] Companies should make sure that to the extent that they are allowing employees to remote in, that they have a secure VPN. They should certainly have antivirus software, but keeping in mind that antivirus software only guards against known viruses, known attacks. So if you have a zero day compromise, something that nobody has seen before, that is the first time it's being seen in the wild, antivirus software is not going to protect against that. You should have logging in place so that you're monitoring what's going on in your environment. And you can go back and look at those logs if, G-d forbid, there were a compromise. There are many different things that fall into this concept of reasonable measures.
[00:24:20] Nicole Lefsky: So what do you think the first two steps would be for a company who does have employees in other states?
[00:24:28] Michelle Schaap: Well, first you need to have an understanding of the information you have. So are we talking about customers? Are we talking about employees? Are we talking about former employees? Are we talking about prospective employees? Are we talking about former customers?
[00:24:44] One of our clients had a data breach a few years ago. They kept everything. They were data pack rats and they had information about employees that hadn't worked for the company in 25 years. Because they had the breach, they had an obligation to notify everybody. And here's the problem. Why, why are you keeping information about an employee who hasn't worked for you for 25 years?
[00:25:13] So for a business here in New Jersey, whether they stay in New Jersey, whether they relocate, before you can even think about what state's law you're subject to, you have to think about what data do I have? Where is it being stored? Who is managing it? And how is it being stored? Once you've got your arms around where the data points are and whose data points they are, and where those individuals live, then, as part of your incident response plan, and in fact, we have this for our incident response plan. Not only do we have an employee census that we update periodically, and we keep a customer database, and for those clients for whom we've signed business associate agreements or other specific breach certification requirements, that's all baked into our incident response plan.
[00:26:03] In addition, we have printed out and part of the incident response plan, what the breach notification requirements are for New Jersey, for New York, for Pennsylvania, for other key jurisdictions. And then I also have printed out as part of our incident response plan, a listing of the statutory citations for all 50 states' breach notification laws, and each state has its own breach notification law.
[00:26:30] And if that's not enough to make you nauseous, I don't know what will. And by the way, I'm mentioning that all of these things are printed out. The reason they're printed out is really simple. If you're hit by ransomware, you're not accessing your incident response plan. You're not accessing your computer. So if you don't have it on paper, you are doubly dead in the water.
[00:26:51] Nicole Lefsky: Absolutely. Really important points. It leads me to ask you, what are some good resources for a business who is looking for guidance in terms of understanding where their risks are? I know New Jersey has the NJCCIC program, which is a great resource anyone can enroll for their emails and they'll alert you on different risks that are being reported in New Jersey and things to look out for. Any other resources that you'd recommend?
[00:27:22] Michelle Schaap: There's several resources available in the state and many of them are for free. I like to emphasize that, particularly for small businesses.
[00:27:30] And you mentioned the CCIC. NJCCIC pushes out a newsletter every Thursday, which alerts businesses in the state as to what is the latest and greatest of risks to businesses in the state. And in addition to putting out their alerts on Thursdays, if there's an imminent threat that has just been discovered, that will be pushed out separately. So for your listeners who are not already registered to receive newsletters from the NJCCIC, please do so when you're done with this. And in addition to having that weekly newsletter, the NJCCIC also provides training. So to the extent that business owners want to have training for their personnel, they can get it through the CCIC for free.
[00:28:14] Some other things for small business and medium sized business owners to consider are, for example, NIST. That's the National Institute for Standards and Technology. And if you look on the NIST website, there's different flavors of their resources. Some are specifically geared towards small and medium sized businesses. So don't look at the full blown NIST. You'll get nauseous. It's 800 some odd pages. But, in a digestible format, NIST has resources for small business owners who have said, yep, I get it, Nicole, I've listened to your podcast, I know I need to do this, and they'll give you resources as to where to start, and again, that's a free resource.
[00:28:54] Another free resource for templates for putting together these written policies and procedures that we've alluded to is the SANS Institute, that's S A N S Institute, and that's also got free forms online. But, when you use a form, be really careful. In fact, I had to laugh. I did a privacy policy and terms of use for one of my clients recently. They were redoing their website, and I looked at what they had on their site to begin with. And it said, our company, blank, fill in your name here, blah, blah, blah. And that's what was posted on their website. So they had just grabbed the form and thrown it up there. The pros and cons of using a SANS resource is that you may not have everything that SANS has. So when you pull down these forms, read it. And customize it to your needs.
[00:29:46] Another thing to look at are the CIS controls. And again, that's a good starting point. These are available online for companies that said, yes, I want to do something proactively and I don't know where to start.
[00:30:00] Nicole Lefsky: All great resources.
[00:30:01] I know as a practitioner, our company certainly lives by them and we implement them across the board regardless of regulatory compliance with our clients and their respective industries. NIST is really the backbone and what the HIPAA Rule relies on for providing further detail for those who need detail and may be subjected to being compliant with HIPAA.
[00:30:22] Michelle, I have to thank you so much for all of the great advice that you provided and suggestions and list of free resources. I know that growing businesses, this is something they can't avoid. They do have to prioritize it. And it is an area that can really bleed a company when it comes to the financial aspect, the reputation of their business. And really a lot of operational headaches. So anything we can all do as a community to help them avoid and recover quickly in the event that they are struck by a cyber attack, either directly or indirectly, we're there to do that. If there's a listener who would like to reach out to you, connect with you and continue to follow some of the great tips, I know on LinkedIn, you provide really great resources, articles, many different tips, you know, throughout the week consistently, what's the best way for them to reach you?
[00:31:10] Michelle Schaap: I can be reached at my office. I can be reached online, as you mentioned on LinkedIn. But in terms of reaching me at CSG, by the way, that's Chiesa Shahinian Giantomasi, don't try to say it. CSG is much easier. It's 973-530-2026, that's my direct dial, and I answer it regularly and often. You can also reach me by email at mschaap like Peter @CSGlaw.com.
[00:31:45] And I will tell you, if you are dealing with a data incident, potentially, and we never like to use the B word until we confirmed it's an actual breach, don't wait until the next business day. I had somebody contact me a few years ago that had a compromise, and they said, can you do a conference call tomorrow morning and I said, I can, but please explain to me why we're not speaking now. Time matters. And the sooner that you detect and contain and eradicate the threat to your system, the better off you'll be.
[00:32:17] And Nicole, before we sign off, the other thing that is worth mentioning to your listeners is threats are not just from outside. They're from within businesses as well. And if you see anomalous behavior, if you see a nine to five employee logging in at 11 o'clock at night, or an employee who's on disability logging in, there's something funky going on. You need to manage those access credentials.
[00:32:46] Nicole Lefsky: It's so true. Time is so critical.
[00:32:48] Certainly we speak to our clients about it all the time and we try to give them the reality if they were to suspect or we were to suspect that there was any type of cyber incident, it's all hands off. We always kid around. It's kind of like watching a competitive cooking show when everybody goes, you know, time's up and stand back.
[00:33:03] And that's what's going to happen in the event that there is some sort of compromise or the potential to have it investigated. So, all great suggestions. Thank you so much. You've highlighted, I think, four major things that I don't think most businesses consider or take into part of their planning process and the implementation of making some change, recognizing where your critical information is in addition to your own company information, having a plan in place, implementing a cyber incident, an incident response plan, looking at your cyber policy and understanding the details of it and speaking with good counselors from a legal perspective and insurance perspective and a technology perspective to make sure all the ducks are in a row really puts them on the right path.
[00:33:46] So thank you so much for being with us today and we look forward to speaking with you again soon.
[00:33:52] Michelle Schaap: My pleasure. And have a good afternoon.
[00:33:54] Jersey IT Group: You've been listening to Smart Tech Spending hosted by Nicole Lefsky. Make sure you never miss an episode by subscribing in your favorite podcast player. And if you enjoyed this episode, we'd appreciate it if you'd rate and review the show.
[00:34:09] Thanks for listening.