
Data You Don't Store Cannot Be Hacked

BSides Delaware · 2015 · 53:30 · Published 2016-07
Category: Technical
Style: Talk
About this talk
A practical guide to reducing organizational risk by minimizing storage of sensitive personally identifiable information (PII). The talk covers data classification, executive reporting strategies, regulatory requirements around breach notification, encryption as a risk mitigation tool, and real-world examples of how businesses can limit exposure of Social Security numbers, tax IDs, and credit card data through data retention policies and architectural changes.
BSides Delaware 2015 Talk: Data You Don't Store Cannot Be Hacked! Speaker: Micheal Spurgeon
Transcript [en]

...limiting data that hackers want. So, in order to provide you with the best information, if I could understand what industries you all work in, that would be helpful. Anyone want to share the industry they work in? Industrial. Education. Retail. Utility. (Can't hear you, I'm sorry.) Utility. Okay, anybody else? Consumer electronics. Anyone else? Finance. Is that like banking finance? Yeah, okay. Federal. Federal like military? Federal like FDA, a federal agency. Okay, like a public agency, or Big Brother? Nothing that insidious. Okay, fair enough.

What do you guys feel is the biggest issue when it comes to removing the data that hackers want, Social Security numbers, dates of birth, that kind of stuff? Finding it. Finding it in terms of on the network, or how do you mean? So if you've got a really large organization and you need to go through and find things to sanitize, you might not always know where everything is, so actually finding it before somebody stumbles upon it can be a challenge. Good point. Okay, finding it. What else? What are the other issues with getting the data that hackers want out of the infrastructure completely? Well, identifying what that data is first, because if you just say, well, I have this data, it's important to me, I want to keep this under wraps, if you haven't defined it, it's pretty hard to point to it and say, well, this is important, we need to move this or secure this one. Okay, fair enough. What else? What are the other issues with getting Social Security numbers, dates of birth, credit card numbers out of the infrastructure? Getting buy-in from management to be able to delete that stored data. Getting buy-in from management, that's everybody in here's problem, right? Budget, right.

How many people here do a monthly security report for your executives? Nobody. Have you ever seen one? No. Okay, it's not what my talk is about, but I'm going to explain it to you while I get the PowerPoint connected. The monthly security report is a report that you create to give executives insight into what's happening in your environment, because that report is going to be your foundation for every argument you make regarding budget. So what do you think that report would contain? Take a guess. How about spam, how many phishing emails were blocked that month? I gave the first example; what do you think? Come on, you guys don't participate, I'm going to sing, and my son's in the audience, okay, so I think you'll be better off. How big is your organization? How many spam messages are you blocking in a month? That was my suggestion, I'm giving the first one: I think on the report we should put how many phishing emails were blocked that month. Some type of vulnerability assessment. Vulnerability assessment. If we have an IPS at the perimeter, can we use that to say we had this many port scans or this many intrusion attempts? Right, okay. So what else do we want to put on there? If they were successful. If they were successful, we have a problem, definitely; a monthly report that says that, everybody might be in trouble at that point. So okay, we can say if they were successful. With spam, Barracuda has a very interesting feature where they actually tell you spam messages that it did not block. Now, if you can tell me a spam message that you didn't block, why didn't you block it? Hey, I didn't come up with it, but this is what they do. So that would be an instance where you could say, okay, we got 10,000 spam attempts this month, we had 50 go through. Now if I'm an executive I want to know why the 50 went through; you've got to be prepared to answer that type of question. So keep the security report going. What else do you think we should have on there? Spam, vulnerability assessment, that kind of thing. What else would scare the hell out of an executive? Viruses found. Viruses found, perfect example,

straight to the point. What else? Data lost. Data lost, sorry, again? Maybe it's going to go in the detail, but if you're doing a summary, if somebody lost a laptop. Okay, so let's say for example a healthcare company, right, because we've seen that, right, lost or stolen laptops that have medical records on there; that would be a good thing to put on the report. How about how much that cost the company? Right, we want to put that on the report too, because it's okay, a lost laptop, we had to inform 100,000 people of this issue; there's going to be cost associated with that, and if that happens more than once in a year, that's a real problem. What else do you think we should put on the report? Some of your help desk tickets related to security. Yeah, not necessarily all the password resets, but if you can see, hey, by the way, some of these low-level tasks that you're saying aren't that big of a deal, this is how it relates to security, or if this is going to lead to a potential problem, that hey, this person keeps getting malware or something else on their machine; that can go to your budget or your argument for your security training. Yeah, that rolls into what the gentleman in the back was saying, yes, virus attempts and things like that.

So generally the security report, it's not in the presentation, but it's a foundation for every argument you make regarding security, no matter whether it's buying security appliances, buying cloud-based monitoring, whatever it is. You're going to an executive and you're saying I need $50,000 for this, I need $100,000 for that, and all you're providing is your word. Maybe you go to SANS and get some information, maybe they've had some security awareness training you're building on, but nothing helps like the security report. So if you don't do one, I'd strongly recommend that you start doing one. My contact information is at the end; feel free to reach out, we can work on it together, I have a template. I'll continue, but it's a really great idea to help increase not only awareness of the attacks that happen but to increase budget as well, which helps all of what we're trying to do.

All right, so jumping into the PowerPoint. Why we're here today: data that you don't store cannot be hacked. First we want to explain what it is that we're talking about. What data are we talking about? We're talking about data that hackers want. The way I classify this is my classification; it doesn't necessarily align with the way the industry does it, so I want to set that up front. PII, everybody knows what that is, personally identifiable information; sensitive information is a general term, different in every environment you go in, and I want to explain how I define the two. I define PII by the law, and the reason I define it by the law is because if there is a PII breach then it requires a data breach disclosure by law. So I keep those terms together, because we know exactly what we're talking about: we're talking about credit monitoring, we're talking about the whole shebang of data breach aftermath. Okay, so anybody guess why driver's license number is in red? That varies from state to state as to what the breach laws are for the threshold, as well as your announcement of it. It's a good answer; it does vary from state to state, but that's not why. Anybody else guess why driver's license numbers are in red? Come on, I'm getting a song ready, I'm going to start singing it. No? Okay, because it is the one that most people don't know is on the list as far as the law is concerned. So as security professionals we might know, but if you ask a financial aid person or someone who deals with PII on a regular basis if a driver's license number equals a Social Security number in terms of data breach, they don't know. So that's why it's in red, and when you walk away today and you're going back to your security duties, keep in mind people do not know driver's license numbers are on that list. You have a breach of just names and driver's license numbers, that is a data breach; it requires disclosure, and you might have to do some identity protection from that. At any point you have a question, please stop us and we can talk about it. Everything else here is standard: SSN, credit/debit card number, bank account number. So now sensitive information, this is where we have a lot of

fun. So as I said, I structure my sensitive information based on the way I like it to be; PII goes with the law, period, that's the way I do it. Now sensitive information is very different and it's a little more complicated. First one is self-explanatory, intellectual property, we know that. Infrastructure: anybody tell me why infrastructure is on this list? Why do you want to give out your list of your assets, your IP addresses, or something that, hey, if I have a map of this, this is important, here's how I can connect to it. Architecture, any kind of notes regarding the infrastructure: how many servers you have, what's in the DMZ, which application server does what, which resources have PII. All that's a part of infrastructure information, but it's not PII; however, we need to protect it like PII, so we put it on the SI list, the sensitive information list. HIPAA is not on the PII list; however, because of the HIPAA law we have to protect it, so it's on the SI list. Why do we have vendors up here? Because that could be a vector of attack. Then explain how: how could it be? If someone is able to compromise a vendor, they have access to your sensitive information through the vendor. Is that how Home Depot got hacked, right, through a vendor? That's the word on the street, but you know, the jury's still out on that. So let's use a real example. Target? Target, yeah, Target, jury's still out, I'm told. We're sitting in Wilmington University, right? Okay, so let's say Wilmington University uses company A for their data center air conditioning. Well, if I know that, now I know who's going in the data center, right? You can't fix it if you don't go in. So if I wanted to do something hostile, well then I might go get a job at that company, or I might just pop the dude upside his head and take his uniform and go to work for him the next day, whatever the case is. However, now I know a third-party way to get access to that organization. Third parties are just as liable to be used as a tool for hackers as going directly to the organization. Make sense? Yeah, okay. Contacts: contacts is pretty much the same as vendors, the people you know. If you are one of the great people who are on LinkedIn, "hey, I'm a system administrator for Geico," and then you're on Facebook and you have your family, your friends, you know, you guys are going to the local pub that evening, all those are contacts. I don't have to come straight to you; I can go to the contacts around you and use them as a tool to get what I need. Usernames, passwords, self-explanatory; anybody not understand why they're up there? All right, great. Date of birth, question of the day: why are dates of birth here but not on the PII list? Because the law does not have them on the PII list. Now, for this we're talking about Delaware, Pennsylvania and Maryland; there may be a few states that do, but the surrounding states do not have date of birth on the PII list. That's why date of birth is up here. If dates of birth are breached with names, does it constitute a data breach disclosure? Everybody's looking at me like, what? If names and dates of birth are breached, does it constitute a data breach disclosure? It's a trick question. Yes? No? Why yes? Because you can go after the birth certificate. So before you can say yes or no, what do you have to ask yourself? What state are you in. Okay, so when we talk about preventing data breaches, preventing data breach disclosures and all the costs that come with it, the first question you have to ask yourself is what state are you in, what laws are you governed by, because the law governs data breach disclosures. Everybody understand that? Okay.

So we already talked about some of the industries that you're in. My friend in the back said utility. Okay, I imagine utility might have some Unix servers, yes, maybe some old ones, probably, maybe even a mainframe or ten, and so we're going to have applications there, we're going to have databases, we're going to have everything that's listed up here. So how can we today plan over the next 5 to 10 years on completely removing PII from the environment? Using a utility company, let's say a water company: you give them your name, date of birth, Social Security number, they do a credit check. Are they storing that information? Yes. Do they have to store it? I'd argue no. Who's going to tell them that, though? I think the security professional with their handy-dandy security report should walk in and say, you know what, I think we need to plan to get rid of this. Now

picture this: as a security pro you walk in, you ask for funding to protect the perimeter, to protect the data. But what happens when you team up with the infrastructure guys and you walk in and you say, hey, let's go in together, but when you plan, I want you to plan this way. Now you're going in, and you're going in with the infrastructure budget, which is always bigger, right? Always bigger. And it's just a change to what they're doing; it's not additional funding for security, you see what I'm saying? So now we're not talking about security budget, we're talking about infrastructure budget to do things a different way. Another short question: if there are no Social Security numbers, what is your risk? Your risk of being breached for identity theft, or what is your risk for having a data breach that results in identity theft, if there are no Social Security numbers in your environment? So you go and talk to an executive, you say, hey, we have 3 million Social Security numbers here; that equals, let's say, $25 per Social Security number, $75 million that we could chuck out if they're breached, and in 5 years we can have infrastructure with zero Social Security numbers, and that equals $0 million. Are we not speaking executive language now? Right? Did you not just make a new best friend? You know, and you're taking the infrastructure guys with you because you're not talking security, you're talking infrastructure, but it has the effect of reducing the risk to zero. Now that's an example that would take a lot of work, but some companies, some organizations, some industries, they have the ability to make these changes to remove this data from the environment completely; they just need someone to start the conversation. So while you're doing perimeter defense, database security, server security, you've also got to say, you know what, yes, we want to secure the infrastructure, but why don't we get rid of this data that's going to cost us a lot of money? That's what I want you to think about. Oh, you did? Go ahead.

This is Michael Junior, in case you didn't know; he's my 8-year-old twin. Payment processing: Apple Pay leads the way. Does anybody know why Apple Pay leads the way? Not a clue? Anybody know why we say Apple Pay leads the way and not Google Pay, not Chase Pay, not any other electronic payment systems? Maybe they connect to your Apple ID instead of your name? They give me a commission check to say that. They use, like, a generated random number for every single transaction so you can't be harvested? Encrypted virtual numbers for transactions instead of the actual card numbers. That's a part of it. So I'm going to break it down for you. iPhone 6 Plus: when I added the card to here, my card went to one place, a chip hardwired to this phone. It does not go to Apple servers; that is the first important point, it does not go to Apple servers, ever. Secondly, the chip, like everything else in Apple's iPhone, is segregated; it cannot be hacked across the network, so in order to do a mass hack you'd have to have 50,000 phones. Now, Apple is upfront about this information; Google is not, and if you know Google like I know Google, there's a server somewhere sitting with them card numbers, and you'll figure it out when they say, oh, Google Pay was breached, 100,000 card numbers compromised, and then you'll know they're storing the cards. Okay, I'm serious, that's what's going to happen. So, go back. If you are processing cards in your environment, okay, please do not store the card numbers. If you need a record of the transaction, store the last four; if they can't get the record by the last four, then the record doesn't get got. But we're talking about $15 per card number; if you have 100,000 transactions, 100,000 different cards, that's $1.5 million, for what? What benefit did that provide? You know, so we really have to start looking at removing this information from the environment, and if we're not storing it, it's not going to

be in transit, right? Somebody brought up Target earlier. Help me understand how PIN numbers got breached. I'm sorry, I'm lost: how do you breach PIN numbers? They're only in transit. So what you're telling me is that not only did you compromise a server, but you were actively recording network traffic. It doesn't get more ridiculous than that, bottom line; it just doesn't. Okay, so if you don't store it, it can't be in transit, so there's no server to hack, there's no credit card data to sniff on the line; again, data breach avoided. Let's look at an example. I'll use Wilmington University as an example: there's a bookstore here. Well, let's say for the sake of this conversation the bookstore only accepts Apple Pay. What is the risk of data breach for the bookstore? Zero. Zero, $0 million, and I like to add the million because if there was a risk, it'd be a million dollars attached to it. So $0 million is the risk if they only use Apple Pay, because the systems in the bookstore never receive the credit card numbers. That's the frame of mind that we have to get executives thinking: how do we get rid of this data? Lastly, EMV. Does anybody know why EMV is a joke? It is the punchline everywhere I talk. So we put a chip in a card and we say if you go to a terminal it's going to check to make sure that that chip is in the card. Well, did anybody shop online this month? I did, I shopped online yesterday. What's the question you want to ask? Did they check my chip? Right, no. So what does EMV have to do with online shopping? Nothing. So how did we fix the problem? Oh, we didn't, sorry, we just mandated something that didn't fix anything. Thanks. But okay, so EMV, yes, it works; it keeps people from taking TD Bank's nice debit card printer and printing cards at home and going to the store and swiping away. It did not, however, touch online banking fraud. How we have a government mandate that forces people to comply that doesn't fix a single damn problem, I don't know. It's frustrating, I mean, it really pisses me off. Okay, so I guess I won't go on about that anymore or I'll start getting emotional.

Know the law, do your research. Two things I want you to do when you walk into that executive's office: I want you to have a data breach report that they have been getting monthly, and I want you to have the law, because that is where the money comes from. It comes from: what data requires a data breach disclosure? If you align your PII the way I do, then if any PII is stolen you know that that's the data breach disclosure. Does stolen encrypted data count as a data breach? Can anybody answer that question? Good, what was that? Maybe not, if you have a good key on it. You notice you said a good key, not just encrypted. Sure. So why not? That goes back to the law. Some states say if it's readable data; some states say if the data is encrypted it does not constitute a data breach. It depends on the state law that your organization is governed by, but that has to go with you. I don't want to get into encryption in this talk, but encryption is your next best friend. So if you're in an environment where you have limited the amount of PII in the environment but you cannot remove it 100%, the very next step is encryption, right? So you want to take that in there with you. The law says if we encrypt the data then it's not a data breach. Well, if all your PII is encrypted and the keys are not on the same server as the

PII, I'm going to share here in a minute. If your PII is encrypted, please don't store the keys on the same server, on the same subnet, on the same infrastructure; put them somewhere else, please. There are some state laws that say if the keys were compromised, it is a data breach, so you want to be serious, you want to make sure keys are somewhere safe, away, and not copied all over the infrastructure. So what is the risk, right, going back to the risk question: what is the risk if all your Social Security numbers are stolen, they are encrypted, and the keys were not even stored in the infrastructure? What's the risk? Nothing, right? My favorite term: $0 million, that's the risk. So when you talk to the executives you're speaking executive speak; throw that million dollars on there: this will cost $50 million, readable Social Security numbers; well, encrypted Social Security numbers cost $0 million, ever, as long as the keys remain away, there's no risk. So tell me what your executive's excuse can be. What do you think their excuse can be to that argument? Kind of hard, right? You've got to think hard, you've got to find one, because when you're talking those millions of dollars, what can they say? When does the data breach have to be reported? Very, very important. Varies by state, also a part of your plan. If your PII is stolen, you have to know how long you have to report that. Why is that important? Well, if your PII is not encrypted, because you didn't talk to your executive yet, because everybody's going to talk to their executive when they leave, right? Yes, okay. So if that happens, you have to know how long you have. Well, if your detection time isn't fast enough, well then you have a whole other issue. If it has to be reported within 30 days and you're only looking at certain things every 30 days, you have a problem in your process that's going to cost your organization a whole lot of money. So you want to look at that stuff so that your process aligns with the law. What happens if a vendor is breached for your customer data? Any cloud fans in the room? Salesforce taking over the world. What happens? Anybody want to answer that? No? You want me to sing a song? I had a song already; my son's got a dance. I think what's going to happen is both of you are going to be... nope. Agency? Yeah, there's going to be a lot of money taken from somewhere. So the answer is that vendor is going to say, hey, excuse me sir, 100,000 of your customer records were breached, we're still investigating, but we just want to let you know because the law requires us to let you know in two weeks; have a nice day. And we're going to go, and you are going to piss in your pants, and then after that figure out the aftermath of a 100,000 record breach. It falls on you: the customers gave you, i.e. your organization, the data; it doesn't matter. Now you can go after the vendor and say, hey, you didn't secure it, do it right. Where are you going to... there's no way to, like,


...contractually hold them accountable for not protecting data? So my first question is: no, they're not just going to hold them accountable; they have to go through this audit process or some kind of monitoring over a set of years and show the FTC that they are protecting data. So my question is, is OPM going to be on that list? Do other federal government agencies also get subjected to that? Because no, I'm confused, no, you know, I really am. So to directly answer your question, the FTC is creating oversight for large organizations. Contractually you can put that in there, but understand the process: you against the vendor, the customer against you, right? The media doesn't care about the vendor unless it's Salesforce. Is anybody else waiting for a Salesforce breach notification? I am; it's coming, just a matter of time. So understand what the situation is going to look like before it happens; take that with you into your executive meeting. We can sue them, but the responsibility falls on us as the organization who the customers gave the data to. Very, very important.

So here, this is an excerpt straight out of the Delaware law; I just wanted to show you some examples. A and B are what they define as PII; C is a little more complex: account number, credit or debit card number, in combination with any required code, access code or password that will permit access to a resident's financial account. That's a gray area, and there's a lot of legal room for battle in there, but for the most part: Social, driver's license number, bank account numbers. Now, what I do want you to take away: personal information does not include publicly available information. So when we talk PII we want to make sure we talk about very specific PII; we don't want to let anyone misconstrue the conversation. Okay, so anything that might be personal but isn't on the list, we want to make that argument very clear to executives, because you know they're going to go somewhere, they're going to go to a conference, and somebody is going to say, yeah, well, if names and phone numbers are breached, that's a data breach and you have to tell the state and you have to do a data breach disclosure. And they're going to come back and be like, I just found this out, oh my God, they're going to call you at 3 in the morning: we need a data breach disclosure, we're going to get fired, you know, Godzilla's coming. So you need to know the law; you need to be able to pull this up and say, hey, no, here's the law, names and phone numbers are not on it, go back to sleep. Okay, you need to know that stuff. There is always somebody who knows nothing about security putting information into an executive's ear. Why? Because executives control budget. It's an issue every security professional in the world has to face. Anybody ever experienced that, someone goes to a conference, comes back and grabs them? Yeah. Anybody who has not experienced it? Okay, great, we're all speaking the same language. Maryland law: Social Security number, driver's license number, credit card number, debit card number, same little clause, in combination with required security code. There's a new one: an individual taxpayer identification number. Just in case someone has, I've never actually seen that, but just in case someone has a number that associates with paying taxes that's not a Social Security number, that is included in Maryland law. We didn't see that in Delaware, though, did we? Know the law, know the state's law, know the law that governs your organization. This is Maryland law continued, same publicly available information policy. Pennsylvania law: Social, driver's license number, state identification number, financial number, same thing; the term does not include publicly available information.

So going back to executive support, that's what this is all about. You get with the infrastructure team, you guys devise a way over the next 5 to 10 years the organization can get rid of all stored PII completely, right? Well, when you go to that executive you have to make sure you explain the $0 million. That is your opening point, your closing point, your punchline, your everything: there is $0

million of risk if we do this. Executives go back: executive support will lead to project funding. Why? Because we're trying to transition the infrastructure; that's going to take funding, but it's easier to get infrastructure funding than it is to get security funding, we all agree on that. Infrastructure serves the environment; security is the red line on the budget that everyone hates, but they don't want to end up on the news, so they pay for it. You're the guy that keeps getting in infrastructure's way. Yeah, exactly; infrastructure wanted to bring in all new stuff, and no, security had to get that IPS, you know. So this is another way for us to make some friends; we don't get a lot of opportunities to make friends, so we have to take advantage of it. Project funding: sometimes it might be something very small that you have to do; other times it might be completely steering the organization's infrastructure in a different direction, talking about 20, 100 million dollars. Don't let that discourage you. Once you have the right people on your side, you can make a change in your organization that other organizations have not made yet, and having that executive support will bring the funding necessary; having that infrastructure support will bring the funding and the expertise to say, hey, the security guy's saying it, but hey, what he's proposing fits what I'm doing too. So we want to make friends, we want to get that support so that we can steer our organizations in a different direction. You know, breaches will always occur. Is anyone familiar with the zero-day market? Anyone not familiar with the zero-day market? Everyone understands what it is? So yeah, it is, that's right. There are more and more companies coming up that you will not see on CNBC; they are not publicly traded companies, you'll not hear them talked about, like cyber art, who get paid lots of money to find zero-days, so much that now they package them in a nice package that is exploitable from the perimeter, Cisco at the perimeter, to an IPS or a load balancer, all the way to the data center. They'll create a nice little package with a bow and sell it for $20 million. Now, it used to be the NSA was the only buyer of this information. Who do you think's buying now? Everybody. China. Chinese. What do you think Europe did as soon as Edward Snowden started leaking stuff? Think they just sat there and said, hey, we're going to put up more defense because they're trying to take our stuff? Oh no, they went and bought them some zero-days and they went to war. You know, let me tell you, the cyber war started whenever Snowden started sharing everything he shared. I don't agree or disagree with him, I stay out of that, but once these countries found out the level the United States has taken it to, you best believe that they stepped it up, and this is how they do it. There is no other way to hack on a massive scale than the zero-day market.

So we talked about improving infrastructure being more important than security ops, and we have about 10 minutes left, so what I'd like to do is look at some real-life examples. I shared a lot of information with you about transitioning to a certain place, but you know, there's always different industries and different infrastructures in the room, so anybody willing to share some information or tell me why this would be a problem for them? We can engage about it, we can talk about it and work through it. Any volunteers? Federal government? Well, can it be a place I used to work? Sure. Examples of the best way you can do it. Forf Investment Group? Okay, if I'm giving, you know, I'm not a real fan of them. Asset management companies, so they're doing a lot of stock trades. Yeah, I'm sure some of the secret sauce is there, because they're not actually doing retail; it's institutional, they're not going to have PII of individuals, Social Security numbers;

however they're doing retirement plan something like that so there is a tax a he associated with it which if you're doing that type of level you're not talking about you know M PA's you know $30,000 $2 million is $200 million at a time that if I got into this and drain this lots of money and other things so in their case um there's going to have to be some record that says um Brand X company Tax ID number uh they gave us $2 million for to trade needs to be allocated in 40% fonds uh 20% overseas 5% growth the rest of you know whatever but they have to have some pretty detailed information so it it's not often talked

about in the media but business idenity theft is far worse than consumer idenity theft you far worse it doesn't get any media attention okay but just with the tax idea alone nothing else not only Can you steal an organization's identity you can open an office a bank account credit card processing you can even start getting some of their customers if they're in a different part of the world just from the tax ID number business verification is a tragedy right so that in itself is a good reason to move away from having e numbers in the environment right they don't need the eim numbers to track the transactions they need them when the customer first comes in to to authenticate that

customer right business credit check and then because of that they then use the EIN number through the lifetime of the customer but is it necessary no it's not so in that scenario I'm looking at a way to simple customer ID that when a a company comes in and they bring a $200 million retirement plan you have to accept the E first you have to do that credit check but after that they get a customer ID the customer ID follow their money for the lifetime of the customer the Ein after that uh credit check gets removed in my in my world that's that's what I'm aiming for that's when you start the conversation with the infrastructure people and then you kind

of work through it's not going to be Perfection and they might say no it can't go away okay but can we limit it down to one server or two servers can we determine where it's going to be in transit you know all that that's when all the nitty-gritty part of the details comes out but you got to start the conversation with the infrastructure folks first that's why I use Apple pay as an example because the credit card number never leaves it's a virtual number you know and so if that virtual number is compromis it's not a DAT to breach disclosure and it really doesn't mean anything because they can't do anything with it that does that make

sense any other examples got two minutes left I have time to a song I will call somebody like so there's a few companies out there that kind of collect information about you your mother's B name all the different things can could they act as a surrogate for the verification or authentication of that customer looked into that model where where you have a trusted party that even it turned out to be the government you mean kind of like kind of like reproducing the credit check process but without the without the pi it would be something they keep it and nobody else needs to have it they would they would have a key or something that allow they're trusted to go to that ball

so so the problem with that is that we have publicly traded companies that manage identities I mean I don't understand how that's allowed a really big in that area too yes experion one of experion Partners supposedly uh caused uh data breach that uh so when a data breach occurs and the company comes out and blame someone else do you think anyone verifies that do you think anyone could verify that the HVAC vendor caus targets data groups well when the final report comes out the report is type it on paper does anybody actually go say hey show me the logs show me the IP addressing show me where your network touched my network the the nitty-gritty details of it I

don't think so these companies get on the get on the in front of the camera like any other time in the world it's about what's best for the company not necessarily the truth so you got to be careful with that uh that's all I'm say about talk one onone that kind of stuff compy pays off a vendor to take the hit or they just say you're going to take it we paid you enough money over the last 20 years you're going to take this hit the HB company didn't make a public response that I know of so I think that that's a good that's a good model to look at even taking it Taking social out of the process of

validating a consumer or Ein out of the process of validating a business now for businesses you have um uh what's what's the name of the company uh D brass street right yeah you have D brass Street which you have to give them your EIN to sign up but when someone searches you they're not searching you from your EIN they searching from your business name contact information that's a good start but they don't necessarily compete with the credit girls you know so it's it's it's a great area it's a good thought it's something to think about people like us can drive that kind of change if we get that executive support and say hey we need to start

doing things differently in order to protect the company and the first organizations that do it are the ones that that are they're the Pioneers they're the ones that are going to set the stage going forward my signs back on the computer so I have a slightly different persp okay uh view um I come from like the Frontline consumer uh customer service so uh just the way I understand it from where my job is Simplicity for the customer is like number one for most execs right so like when you say remove uh identification from the you know to verify customer um what would you do to replace like Social Security numbers because again giving them a customer

number customers don't remember things and I will attest the thousands of phone calls I've taken they do not remember things they create themselves no remember the social nothing else so I mean that that's an argument you have to overcome it's like cool but now the customers won't like us because we make them remember something else I spend days having people Bret their passwords that they said 5 minutes ago and it's really funny so so I say let him be mad and the response is well man we don't want your social security number to be stolen by Romanian hackers and them buying yachs on your credit so we got rid of that that's why you need Executive support it has to be

driven from the top and it and it needs to be a campaign not hey here's our policy but hey we are Blackwater and our organization is serious about protecting your identity so you're going to need to remember this information because you can't bring us your social we don't have access to it then when you do it from that level from the top down it will be change but you'll never end up in the payer for dat breach 0 million now let's say there's there's other stuff that you can use that people aren't going to forget right and the social has been the last four the social has been used so much I me goodness it's everywhere uh

let's say secret questions right give them the option to create their own and say okay well it has to be you know within these constraints but they create their own your first school you're not going to forget your first school unless you have that you know most people remember first your first crush or different security I mean i' I've heard so manys about that cuz I've heard that being an issue too some customers hate doing that like people can find that information about me and I'm like how people can find the last four your social where where'd you go to school Starbucks exactly so so so usually I get a big fight over that right but yeah

lying needs to be a part of the process not lying like just to tell a lie but hey this secret question isn't here for you to actually answer the question correctly per se it's here for you to create a username and a password but it's a secret question format right so if the question is who's your first girlfriend and your answer is Camaro or Corvette or oh no those might be people's names I don't know a or something something that's not a name but it's it's it's your username and password except they're giving you the username you're giving them the password back people are the issue and so in an environment like what what you're talking about we would lose the

Battle of completely removing it because it would be too much change to fact but what can we do we can get a direct portal to experion on now if we get a direct portal to experion on and we're using the information on experence servers are we storing it what's our risk to data breach 0 million that's why the conversation is so important security Pros we go in and we start it the infrastructure people are going to push back that's what they're supposed to do smile say we can work together and find another solution but there's so many ways to do it now pass the buck exper out already has the liability you're not giving them anything they

don't already have you know does that make sense yeah so uh those environments are tough and they're going to be hard to change wor University same kind of ordeal got students coming in right they're they're dealing with their life and this University they are more working students than there are 18 year olds coming out of high school so these people have a lot going on they can't deal with a whole lot of change this would be a perfect example of a place that that could Implement some kind of direct access to a credit bureau to do authentication and then when they come back to this system there's no pii it's just okay we validated who you are using

exper on now we're going to process the request reset the pass we Cas say well I was just going to say for what it's worth uh the company that I work for actually does that that's the the billing thing that we do is we store pii for other companies so that they don't store pii nice we give them an ID number and they can retrieve from the ID retrieve it they can use it from the ID things like the card numbers and things like that we use a processor that's awesome it's all on our side as long as you don't have day yes keys are stored on different systems I personally have worked on that you

know I'm telling you my ass I'm waiting for the Salesforce breach to hit the news it's coming I promise you cannot be Cloud that long and not have breach unless you're a I'm sorry and they're not out so you know uh that's all our time guys thank you very much I hope it was helpful to you let me know if you have any questions should I should have asked you an hour ago