Making Billions: The Private Equity Podcast for Fund Managers, Alternative Asset Managers, and Venture Capital Investors

Protect Your Fund From Cyber Security Threats

Ryan Miller Episode 66


In this week's episode of Making Billions, I bring on my dear friends Matthew Carr and David Williams from AtumCell. These guys support fund managers to secure their data, lower their risk, and prevent massive litigation from these attacks. Securing your operations while outsmarting the criminals are all critical skills we need in our pursuit of Making Billions.

Youtube:
https://www.youtube.com/channel/UCTOe79EXLDsROQ0z3YLnu1QQ

Connect with Ryan Miller:
Linkedin: https://www.linkedin.com/in/rcmiller1/
Instagram: https://www.instagram.com/makingbillionspodcast/
Twitter: https://twitter.com/_MakingBillons
Website: pentiumcapitalpartners.com

Free cybersecurity scan: www.atumcell.com/billions

David Williams's email:
d@atumcell.com
Matthew Carr’s email:
m@atumcell.com 

[THE GUEST]: Matthew Carr is the Head of Research & Technology at Atumcell, a cyber security company serving PE firms and portfolio companies. He’s held senior roles at IKEA, IBM, and SecureLink and is frequently interviewed by leading media outlets.

Dave Williams is the CEO at AtumCell.  After Harvard, he worked in North America, Europe, and Asia wit


DISCLAIMER: The information in every podcast episode “episode” is provided for general informational purposes only and may not reflect the current law in your jurisdiction. By listening or viewing our episodes, you understand that no information contained in the episodes should be construed as legal or financial advice from the individual author, hosts, or guests, nor is it intended to be a substitute for legal, financial, or tax counsel on any subject matter. No listener of the episodes should act or refrain from acting on the basis of any information included in, or accessible through, the episodes without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer, finance, tax, or other licensed person in the recipient’s state, country, or other appropriate licensing jurisdiction. No part of the show, its guests, host, content, or otherwise should be considered a solicitation for investment in any way. All views expressed in any way by guests are their own opinions and do not necessarily reflect the opinions of the show or its host(s). The host and/or its guests may own some of the assets discussed in this or other episodes, including compensation for advertisements, sponsorships, and/or endorsements. This show is for entertainment purposes only and should not be used as financial, tax, legal, or any advice whatsoever.

Ryan Miller  
Hi, my name is Ryan Miller, and for the past 15 years I have helped hundreds of people to raise millions of dollars for their funds and for their startups. If you're serious about raising money, launching your business, or taking your life to the next level, then the show will give you the answers so that you too can enjoy your pursuit of making billions. Let's get into it. 

As founders and fund managers, we are stewards of sensitive information. We know that, and so do the hackers. But did you also know that startups and investment funds are some of the most targeted companies for these hackers? So in this week's episode of Making Billions, I bring on my dear friends Matthew Carr and David Williams from AtumCell. These guys support fund managers to secure their data, lower their risk and prevent you from massive litigations from these attacks. Securing your operations while outsmarting the criminals are all critical skills we need in our pursuit of making billions. Let's get into it. 

Hey, welcome to another episode of Making Billions. I'm your host, Ryan Miller. And today I have my dear friends David Williams and Matthew Carr from AtumCell. Matthew and David are cybersecurity experts at their firm AtumCell. They help founders and investment funds to protect themselves and their investors from catastrophic losses from hackers and data breaches. See, Matthew holds a national security clearance where he helps to protect critical infrastructure of entire countries against some of the most vile threats out there today. So what that means is that Matthew and David understand what can cost you and your companies billions in losses and how to fortify you against one of the largest cybersecurity threats today. So David, Matt, welcome to the show, fellas.

David Williams  
Hey, Ryan, it's great to be here. You know, we love the show. And I'm always entertained by it. We all learn something, too. And I always really enjoyed some of the recent episodes, and I won't give all the secrets away. But Fred Cary really impressed me with his secrets.

Ryan Miller  
Well, it's certainly a pleasure to have you guys. And thank you, you're very kind. Yes, the show has done very well. And it's because of brilliant guests like you. And you mentioned Fred, and many of the others that have gone before. I've been so, so impressed with everything that you guys have done with AtumCell and securing national security threats, but still bring it home to the entrepreneurs, the founders and even emerging fund managers. If there was ever a group that gets targeted, it would be anybody that deals with money, and especially new companies, emerging funds; those things tend to be highly targeted. I get spam and phishing emails all the time. That's probably light stuff compared to what you guys deal with. We're gonna get into that in a minute. But before we do, maybe you can walk me through how did you guys even get into this industry? How did you become experts with that?

Matthew Carr  
Well, thanks for having me, Ryan, and it's very kind of you to call me an expert; I guess others might agree with you as well. But I've been doing security professionally for more than 12 years now. But it's always been a passion of mine, going right back to school. I remember disabling the parental controls so we could browse the web freely. And I was quite lucky. I went to a school where we got taught programming, and this was back in the 90s; there are some schools that don't do that today, so I got an early start. My mom was in the movie industry. And she had one of the first MacBooks from Claire's work. So that kind of stuff, say I got good internet access early. And my interest has been there ever since. I published a lot of research in the areas of cyber terrorism, so that's sort of attacks on physical equipment, physical infrastructure, even relating to things like economic terrorism, and also novel research around areas like penetration testing and red teaming, and presented those at sort of large cyber conferences like DEF CON, BSides and more. I do, in fact, protect critical infrastructure against threats. We call it adversary simulation. So my job is to go in there and basically pretend to be a bad guy and test the defenses that the good people have set up. That work has led to the discovery of a couple of zero days that affected national security. I believe these countries that I've worked with are the most safe for it.

Ryan Miller  
Wow, so all's I heard is you're a modern day superhero. That's phenomenally impressive. So thank you so much for the work that you've done. That's only half the story. David, you're equally the rock star, and your work has gone on to help and you get Matthew's expertise into the business world. Maybe we could talk a little bit about your role at AtumCell and how you became an expert.

David Williams  
So thank you, Ryan. Luckily, I had a bit of a head start on Matthew. And so I was born about 20 years earlier, and my mom didn't have a MacBook and she wasn't on the internet, because neither one of those things existed when I was getting started. But I did get my start actually fooling around with computers back in the minicomputer and mainframe era. And I had a job actually at a hospital, a VA hospital, working over the summer; did some of the first programming on decision support for diagnosis of patients. So I had my start working with technology and healthcare, went on from there, did consulting, went to Harvard Business School, worked for Boston Consulting Group on technology and healthcare, and in particular started my own healthcare consulting firm back about 20 years ago or so. And then Matthew and I teamed up when one of his associates contacted me to say, "Hey, we scan the whole internet. And did you know that the most vulnerable organizations in the world are hospitals in the US?" And I said, "You know what, they're vulnerable. They're lousy customers. You know who's a better customer? Private equity firms and other financial managers." That's how we got together.

Ryan Miller  
Wow, that is phenomenal work. And I know me and all my colleagues and even people listening in 100 countries around the world are certainly grateful to know that there's guys like you that are working hard to secure funds. I mean, there's a lot of impact both in the upside and the downside when it comes to private investments, regardless of whatever direction your startup or your fund goes. If there are people who are waging some attacks on your company, trying to steal customer data, or worse, some capital, just know there's guys like David and Matthew and AtumCell who are there securing that. Now, that being said, maybe you could walk us through a little bit of AtumCell, your company, and how it relates to the private equity and startup world.

David Williams  
You know, Ryan, you said something very important back there about cybersecurity being both downside and upside. Interestingly, most people think just about the downside, which is, hey, what if I get hacked, somebody steals my money, you know, somebody's going to do competitive espionage on me. But there's actually, in this day and age, an upside to it, which is that data privacy and cybersecurity are things that people want to know; they want to know, I'm working with an organization that is actually protecting my data. And they're very aware of it. And so it's not just a downside, it's also a possibility to build great value. What we do is work with private equity firms, in particular in the middle market, who are now seeing this as very important to them. They're finding, first of all, as you said, that they're right in the middle of anybody that wants to be a scam as we go where the money is; the portfolio managers want to deal with this. But when their limited partners come and say, "Hey, what's the cybersecurity posture of your portfolio companies?" they say, "I don't really know, I have no way to measure that." So we actually help them to look at cybersecurity across the entire portfolio, find the vulnerabilities, make those remediations, track and report progress and stay ahead of emerging threats.

Ryan Miller  
Man, thank you so much for that and the work that you've done. Maybe you can walk us through a little bit of how you help PE firms, or even any firm really, to find vulnerabilities. Walk us through a little bit of what you do and what people can expect it to get someone like you or anybody in this industry? 

David Williams  
Well, the most important thing to know is that we bring something called the hacker's perspective. A lot of approaches to cybersecurity are based on compliance, a checklist: here's all the things to go through. Well, guess what: the hacker, who's the one that you really have to worry about, they don't have a checklist. They don't have a scope of work. And I'm going to let Matthew explain what we actually do there.

Matthew Carr  
Yeah, so thanks, David. As David said, you know, hackers don't care about policies, they don't care about checklists, they don't care about certifications. There's a saying in sort of red teaming and adversarial work, and that's "by any means necessary." And so that really does encompass our approach. We take an impact-based approach. So we look at where the impact on the business is. But first of all, as David said, we start with the hacker's perspective. So that's: if someone just has your domain name, or they have a company name, what can they find out? So our scanner starts by looking at all the open data, data leaks, stuff on the dark net, picking all that stuff up. That's where we find passwords. That's where we find the documents. And in fact, the scans that we've done have helped, I can't name names here, but helped some very large companies identify data breaches before they were even aware of them themselves. Part of that scan identifies infrastructure. We commonly, with companies we work with, find things that they didn't even realize they had online. That's a key part of it as well, like what is exposed, what is out there, don't include systems that we were told were developed only systems but are in fact available to anyone with an Internet connection. Once we look at that, and we've mapped everything, all the information tied together, then we basically look for vulnerabilities within those things, which can be known and unknown. We also look for poorly configured systems. And an interesting sort of takeaway from my experience in red teaming and pentesting is everyone talks about vulnerabilities, and vulnerabilities are given IDs. So if anyone's ever got an email, it says CVE 2023, this suddenly affects something else. I can actually count on one hand the amount of organizations that are breached using known vulnerabilities. The larger the organization, you will typically always find a poorly configured server. 
And in fact, that's actually often more fruitful, because if you've got one bad configuration, then it's likely they're gonna find many more deeper within that. So the scanner also picks up things like the configuration side of stuff. And usually during that stage we find a lot. Then we typically go on to an internal scan once all the outside's cleaned up. We will say that there's no point looking at the inside if there's a way in from the outside. And once those are buttoned up, then we can look at the maturity roadmap, which is really another thing that's worth getting across. Security isn't like a point in time, it's not a badge, it's not a medal, it's not a certification; it's a way you operate, it's the way you think, it's the way you defend and protect, and that needs to be ongoing as your business changes. Unless you have a business that literally does nothing new, doesn't even change anything when you go into work, never sends an email, never makes a call, then sure, you don't have to worry about it and keep up to date with it. But that's not how things work; things do change. And so you actually really want to look where you're at on a maturity scale, and always keep pushing that forward.

Ryan Miller  
Yeah, I love that. And you know, often in private equity, venture capital funds, even startups as well, we're stewards of some very sensitive information, which inherently brings a little bit of risk. Now, the go to thing that most of us whether you went to business school or not, intuitively, you would say, well, if I've got risk, I will get some insurance policies to protect that risk. However, insurance companies know the more of the risk, the higher the premium. So my thought here is that perhaps those people that want an insurance wrapper around their company, their fund, or their portfolio of companies that they hold within their fund. My assumption here and keep me honest, tell us is that your work will also not only reduce risk, but probably reduce insurance premiums, giving a higher valuation profile, likely that's up to the market. But have you seen that your work on improving downside risk also helps companies to improve valuations and risk premiums?

David Williams  
Right, one of the things we do, we call it an insurance readiness scan. And so what we'll find is that the insurance companies will, most of them, use at least some sort of a questionnaire. So I might also use the more primitive version of this sort of scanner that we have. And so we'll help a company get ready for their insurance negotiation. By doing that the scan ourselves will say, the insurance company is going to ask you these questions; they may do this type of a scan. And so we actually do, first of all, a feasibility scan to make sure they're in a good spot before they put that application in. We help them clean things up and do the insurance readiness scan so that they are ready to go out to the market. So what it does is it enables them, first of all, to be able to get cyber insurance, not to have so many exclusions, and potentially, depending on the carrier, to get a better premium as well. Now over time, that does translate into higher valuation for the company. And that's where, to go back to the point about upsides and downsides, the upside is that if you are an organization that can demonstrate that you are keeping the data safe on your customers, and your vendors and your partners, you're going to be more valuable in this world. So we do see this happening. My job is also to simplify and to take all the technical wizardry that Matthew and his team come up with, and translate it very simply. But whether or not you understood everything that he said before about what he does, one of the things that a hacker thinks about is, if there's a misconfiguration, they can go and say, "Your computer is my computer," which means that they can do whatever you can do with your computer, and actually, frankly, more, because they know what they're doing with it better than you.

Matthew Carr  
Yeah, and I would just like to add to that, Ryan, it might be interesting for your listeners why that's changed in the cybersecurity insurance industry. That's because when they first offered cyber insurance, they would look at things like, you know, an act of God or a capital event, right, something that would potentially harm the insurance firm or the underwriter. And so they looked at cyber attacks like they're gonna be siloed, like it's gonna be attack is gonna be attacked, they're gonna pair it here, we're gonna pat. That was actually the NotPetya ransomware, which changed everything, right, that mostly hit some of the big names that you know, brought companies to their knees, because that really opened their eyes to: actually, we can have one now where that becomes a capital event through loads of tiny hacks that compound together and create that same issue. So they're a lot more aggressive on that. That said, this is potentially a controversial view: not all things insurance brokers are asking you to do for your insurance policy actually make you more secure. And I'd argue I've seen things they asked you to do that actually create risks. So just bear in mind, I think there's actual security, things that are actually going to make you more secure; there's compliance, and those two aren't synonymous, right. And then there's the insurance requirements. The compliance and insurance requirements are important. But if you really care about security, it's the first one you should focus on whilst you're doing the other two activities alongside.

Ryan Miller  
Wow, well said! 

David Williams  
Ryan, before we leave this insurance topic, I can't help but tell you a story, which is that sometimes the portfolio managers add value by negotiating insurance on behalf of their portfolio companies, or they'll bring in a group and get more attention that way. So one of the things we've seen hackers go after is the private equity firm itself, and say, "Instead of looking at 35 different companies in the portfolio separately, why don't I go and find the one master list that shows what is the cyber insurance limit on the policy for each one of the companies?" And then I know, as a hacker, I can go and ransom each of the companies for their insurance limit. That's happened. And that is a case of not adding value, if you are a private equity firm.

Ryan Miller  
Oh, my goodness. So they're smart, in many ways, the evil geniuses behind hacking you; they are able to back into the market economics of how much they can scam you. One of the things that I've noticed in investment funds is there's one clause where people can pierce the veil of protection through an LLC in a limited partnership. And that, typically in the fund world, is something called gross negligence. Now, my assumption, keep me honest, but my assumption here is if there is something in your company, a risk, for example, that you either knew about and didn't do anything, or you should have known about it and still didn't do anything, it could be argued that you were grossly negligent. Now that, I would say, some people could argue that your lack as a fund manager or an entrepreneur, I mean, a relatively larger entrepreneurial company, I would argue that some people could take a run at you for saying you should have known or you didn't know, and you didn't do anything about cybersecurity risk. So my assumption is that all of this wonderful stuff that you've done, one of the biggest things, at least in my brain, is that you help to protect emerging fund owners and entrepreneurs against that gross negligence claim, so that if something happens, they can't pierce that corporate veil and come after you personally. Would you agree?

David Williams  
Yes, I would agree. So when you think about the term due diligence, someone's making an investment, they need to be diligent, they need to do it in a way that's going to be professional and covers the bases. Cybersecurity has become part of due diligence. Some of the things that we find are, for example, the CEO of a company that's being acquired or is going to have an investment made in it, they may use their company email on some third-party account that was hacked, and we find a password on the dark web. And the password might be something like "password", or the password might be the name of their company, a common way that entrepreneurs are proud of their company. So I'm not a lawyer. But I would say that if you go and you are investing in a company where the CEO has his work email leaked, and is using the password of the company name, and you knew about that, or you could easily have found that because we found it, that would be something that would be questioned. That's just one example.

Ryan Miller  
Wow, so this is very serious stuff that you guys are able to help with. Now, I'm just wondering, with all of your vast experience and industry experience and knowledge in hacking, in helping people to protect themselves against people like that, maybe you've got two or three things that you can give our listeners around the world, maybe help them understand the importance of it. What are some of those deep analysis things that you can provide for our audience?

Matthew Carr  
Okay, so I'll start with a technical one. I'll give you a big win for an organization, a quick tip for people that are actually managing billions or large amounts of money. My biggest advice would be: use a dedicated device. Use a device that's updated regularly, that you don't install third-party apps on, and that you literally just use for banking, for financial transactions. Yeah, that would be my biggest takeaway, as a dedicated device does so much because it adds so much complexity. If you want to go one step further, if you use an apple WebViews, like a regular PC, they get an iPhone, right, because they're different operating systems, they talk different languages, so a dedicated device for that. But if you're an organization, or you own one and are in charge of making sure it stays secure, my biggest win would be preventing computers from communicating with each other internally. So like 10, 20 years ago, we relied on these file sharing features of operating systems, and in Windows you've got the little thing in the tab on the side of your file browser, it says Network, and you can see all the computers in there. If you have been to a hotel or something, you can see the risk in that, because you click the Network tab and you see other people's computers and you see the files that they're unknowingly sharing with everyone on the network. And that's just one side effect. But it really seemed behind that is the ability for the computers to communicate. And that's really what powers things like that file sharing on Windows. So if you limit that, you're gonna pretty much kill ransomware in its tracks, not through some fancy, expensive solution, just purely from the fact that it might infect one computer, but it's not gonna be able to go anywhere and set back out to the internet, right. So ransomware literally works by infecting another host and another one and propagating throughout your network. 
And the way that it does that is by abusing these features of operating systems that allow computers to talk to each other on the network, on the local network. And you're also really going to eliminate 80 to 90% of other attacks. Because again, if I get onto a computer and I can't talk to anything else, then you've really got to be lucky to have landed in the one that has the keys to the kingdom, right, like the database passwords have keys. Most of the time, the campaigns are going to come in through a department that isn't necessarily paying attention to that risk. You know, I hate singling them out, but I see it all the time: the marketing department, right, they're used to signing up for loads of services, they're used to trying new platforms, so they get a lot of emails. Sneaking money into them is often a vector that works, right, they love to click on stuff. That's basically what they want. They want clicks. So they're used to clicking, whereas, you know, other departments are sort of more experienced with that, like the finance department, they're naturally in tune to risk. So they're pretty hard on that. So to eliminate any of those concerns, stop the computers being able to talk to each other internally. The thing there, Ryan, is, before you do that, make sure that you don't rely on any internal system to communicate with, like a file server. And if you do, before you block that ability, make sure you allow that to continue to communicate.

Ryan Miller  
Brilliant, how important is it to implement something simple, I'm gonna go through a very, very basic, but what about firewalls? Is there a spectrum of how strong a firewall can be? Is there something people could do right now with firewalls in their company?

Matthew Carr  
Yeah, absolutely. And here's a big one. I'm glad you mentioned that. Because what I often see is firewalls are configured to prevent things coming in. And that's all well and good. But an analogy I give is, like, if you have a house party, and you invite guests over, but you're worried, you're suspicious of beer that might not be as honest as you would like, you're not concerned about what they come in with, right? Because obviously it's usually a gift for you, a bottle of wine, that good greetings, but you're concerned with what they're leaving with. Are they leaving with your possessions, with your jewels, with your most expensive items? What I see on corporate networks is everyone's focused on what's coming in; no one prevents things going out. And so my biggest sort of advice is for people to check that and basically limit the ability for things to talk and communicate and reach out, because that's really what matters. Like, if an attacker can get in, that's one thing, and a skilled attacker probably will, but what matters more is the ability for them to exfiltrate terabytes or gigabytes of your customer data or your intellectual property or something like that. Check that you've got your outbound firewall rules where you want them, because most of the time we see that wide open.

Ryan Miller  
Man, thank you so much. So stricter firewalls: don't just think about the naughty stuff coming in, but kind of the good stuff going out. Both of those are a risk for companies, investment funds. And that can be a ton of stuff. I mean, we know the breaches. I remember, I'm not a cybersecurity expert, but I do remember Home Depot a few years back, they got hacked pretty hard and lost a ton of money on their valuation. I remember the Equifax or at all like thousands of people's social security numbers were taken. I mean, there's a lot of good stuff in a company that can be taken out. And that also is important. Brilliantly said. Thank you for that. Now, I'm wondering on a second piece. One thing I understand about startups, and when you're dealing with investors, whether you're a fund manager or a startup, you both deal with investors, there's a lot of information going back and forth. Now for those people throughout the world that are less informed on cybersecurity matters, a lot of times they'll say, "Look, I'm going to send you a document, I'm going to password protect this thing. All right, I'm doing my thing or cybersecurity, aren't we?" What do you guys see, as far as securing documents with passwords? Is it a good idea? Is there a better way? What have you found?

David Williams  
Well, Ryan, you may not be a cybersecurity expert yet, but you're heading in that direction, is what I would say. So we'll all wait to hear you do your own show on cybersecurity, because you're exactly right on passwords. How often have you seen this happen? Right? Someone sends you a password-protected document because they really want you to look at this, you know, they really need to be careful with it and they want it to be confidential. And then they'll send you the password either in the same email or another email. Or if they're really fancy, they're going to text it to you later. Well, guess what: if I'm a hacker, and I'm not, but I know some, and I come onto your system, I'm going to look in your email and your sent files and I'm going to actually just search for passwords, and I'm going to find the document and I'm gonna find the password, and I'm gonna have all those documents that you sent with the password right there; I can open it up. Same thing on the receiving end: people receive a lot of documents that were sent that way, you know, you're gonna get all the passwords and the documents that way. So it is a good idea to password protect a document. However, don't send the password by email or text. Instead, we actually have a free tool, because we see this happen so often: go to AtumSeal.com, that's ATUMSEAL.com. Put the password in there, and it will generate a link that can only be opened one time. So then you copy that link and you send it; you don't send the password, you send the link, and then they can open the link, the password is there, they can put it in, put it in their own secure place. That way, what happens is that when a hacker comes in, finds your email, they'll just find all these useless links that they can't open, and they'll have the password-protected documents. So that is a big one, Ryan, and we see there's a trade-off between security and convenience. So you want to be secure. 
But then, hey, I got this great pitch, but I'm going to send it to this investor. The last thing I want to do is bother him or her with I've had it was password sign into secure email and all that. That's why we created AtumSeal: keep it super simple, break that trade-off between security and convenience. AtumSeal is both.

Ryan Miller  
Wow, I love that. So AtumSeal: a t u m s e a l. So like sealing an envelope is kind of the same thing. But so yeah, so don't send the document with the password in the same email.

David Williams  
Yeah, and again, it's like the idea with a seal. Like in the olden days, like back in the George Washington days, you would send something and you put your seal on it, right. And when you'd send it with a courier to see if they were trusted. Now the courier might open it, but the recipient then would know they opened it, they tampered with it. Same idea here, sure somebody could intercept that link. But if they open it, and then the next time, you know, when the real recipient gets it, they'll say hey, I can see this has been tampered with because somebody already opened it. That's the concept behind the sealant.

Ryan Miller  
Brilliant, and what a great product. Thank you for that. Let's see if I can get three useful tips out of you. I mean, we got more than that, to be honest, out of this whole interview. But these are tactical things that people need to start thinking about implementing right now. That's what we're trying to do is to help you level up around the world is saying listening to AtumCell this company with David and Matthew, they're giving you stuff that you can do right now to level up and obviously reach out to them, contact them, they'll help you to really go the full gamut. But they've been extremely generous for coming on the show and just giving us some of their wonderful wisdom. Now that being said, that wonderful pump up and not that I've ever sent an email with a password in it. Of course only everyone else does that. I've certainly never done that right, wink wink. Right. Okay, so that being said, final thing on that, you know, one of the big things in managing a fund or raising capital, right, there's a very high stakes negotiation. The thing that we commonly do, whether you're a founder or fund manager, is you set up what's called, say, a data room or a deal room, something like that. In that room, you have a ton of sensitive information: banking information, bios, background checks, financial disclosures, legal documents, there's all I mean, and more I can keep going. But you get the idea. This is one centralized place that I assume is kind of a honeypot for a lot of hackers. What are some inside viewpoints or tips that you can give for people that are building data rooms, but doing it with cybersecurity in mind?

David Williams  
Well, let me introduce it. Now, let Matthew describe it. So in the data room itself, the first time Matthew had seen a data room, because he hadn't been on the financial side, more on the cyber side, he said, you know, we're working on due diligence. Do you know they just gave me access to everything? And I said, yeah, did you know they always do that? Did you know that when you are working on a deal, and you tell the banker, hey, I need data room access for these people. And then it just sits on the end these 10 other people working with me, and they give somebody, let's say, a low-level financial analyst who's maybe doing quality of earnings work, they give them access to literally everything in the data room. And I imagine with him, that had been a mistake. So I'll just tee that up to Matthew for there.

Matthew Carr  
Absolutely. And I think it's really important. When I saw some of these documents, there's obviously a lot of sensitive stuff there. So I think really what applies is sort of a need-to-know mentality, and that's easier said than done. We talked about gross liability earlier, you might even find there's some of that inside there. Right, depending on what you've collected, depending on what you're sharing. European laws, they talk about personal information: how personal is that information? So this stuff, again, it goes back to our impact mentality. If someone can take that information, do something with it. If you're doing due diligence on a technical company, you have technical due diligence documents, right, network diagrams, all this kind of stuff. That's an attacker's goldmine, right? That takes all the homework out of it for me. I know what to attack and where, I know the people to attack, I know the people to impersonate. This is purely from the cyber side. If you're looking at it from the legal side of GDPR, like, what information do you have? So you can basically employ a tactic, document classification. You should really do that anyway, if you're serious about security, but basically look at stuff like what could truly be public. The way I see this is, by public, I mean, if I literally took all these documents and posted them on social media, is that okay? Right? That's, to me, it's public, if you can do that, like your website is public, all that kind of stuff. Sure. And then just really just like up the ante. We use document, like, DC one, DC two: document classification one, that's public, and it goes way on to, like, restrictive. So try and apply that at least theoretically, and then restrict access. So all a lot of tools, or data and tools are like that, common cloud services that people use, they have the ability to share exactly what folders you want with who, so that's what you should do. What I see is, you know, I'm gonna call it output.
It's the lazy approach, right? It's just, you know, you click Share on the root folder, and you share it. I would say to people, just watch out for the risks that might impose. And we know, we don't know if data rooms could have been the source of attacks in the past. I mean, from what I've seen, it would not surprise me at all. And another important thing as well is, like, when you're done, are they cleaned up? Are they removed? Is access taken away from people who had it? Do you need to keep it? If you do, maybe then encrypt it while it's sort of at rest on a document storage. But with security, you also need to go back and review the things you've done, the access you've given, and make sure that you revoke it.

David Williams  
Ryan, I want to mention that the data room is an area where all the jewels are stored, but at that point you're already conscious about security and giving access. There's a lot of things we refer to as sort of in the pre-data-room process, right, because you only get to a data room sometimes if you have an LOI signed, or maybe a little bit before that. But there's a lot of confidential documents that are exchanged ahead of time. And those documents tend to sit out there, and you need to have protection for those as well. So that's where AtumSeal comes in. And that's where starting off and using a secure mechanism, like even like Google Drive with access control, is a way to do that. So don't forget about the pre-data-room either.

Ryan Miller  
Man, that is brilliant. There's a lot. So the easy go-to ones: Dropbox, Google Drive, iCloud, there's many of those, like pretty retail servers that you can use. I know there's another company called Digify.com. I haven't used them, full disclaimer, but there are other ones that apparently claim to have a little bit stricter protocols as far as securing your data. So there are data room solutions that, obviously, the more secure and more robust you have, there's always gonna come with a small price tag to that. And then there's maybe more free solutions. But like I said, in the words of Matt here, just don't give access from the root file or don't give everybody access to everything, learn to control that access. Is that a fair summary?

Matthew Carr  
Yep, it is. And I would just add one more thing that I think it's important for people to know. And it's, to me, security is about culture and mindset more than products and things that you buy and write any, like having that mentality and a key thing for anyone to do both personally and in business. It's just mind what you keep, what information you store, right? Because that is the risk right there. But we often say to ourselves, and our clients, a hacker can't hack what doesn't exist, right? If that data is not there, they can't hack it. Right, that's profound, right? But it's true. And so you really want to get into the mindset of just keeping a check on that, anything that's really sensitive. For me, I back up in multiple external drives that are disconnected, it's known as cold storage. So they're not constantly attached to the workstation, you would have if you wanted this data. And my operational security mindset is saying, don't say this out loud, but I'm gonna say it: if you wanted this data, you'd have to break into my office and physically steal it, right? Because you can't hack it. So if you have that sort of mindset, that's gonna really make a massive difference. Again, you can't hack what's not there. That's just a fact.

Ryan Miller  
That's brilliantly said!

David Williams  
Ryan, I know you have listeners all around the world. And there's different data protection regimes in different places. So for people in the US, they hear about GDPR, the way you usually hear about it, and this is the data protection scheme in the European Union, the way you usually hear about it is a big fine against somebody like Facebook or Google for violating it. There is some real logic to it, which is that collecting minimum amount of information, you know, we have the mentality, especially in the US, there's a lot of consumer data, I'm gonna collect all the browsing data, I'm gonna collect all the data that anybody is sharing with me in any form, and I'm going to keep it forever. And I'm going to use it for analysis, or I don't know what I'm gonna use it for, but I'm gonna keep it. Well, a hacker can get in, they can breach that data. And then how are you going to feel, and how's your reputation going to take a hit, when the people that just actually apply, let's say, for cellphone service, and didn't even go with you, their information is hacked, and it's out there? So you want to have the minimum amount of information. A good way to start with that is when you're founding a company, you put in data privacy by design, minimum collection of data by design, start it off early, rather than years later trying to go back and deal with it. So minimum amount of data collected, it's a different mentality.

Ryan Miller  
Yeah, brilliantly said. So as we wrap things up, are there any last-minute things, anything you want our listeners to know? Or ways to contact you, anything at all?

David Williams  
For sure. I would say, you know, I know we said this is the Making Billions podcast; I think the way you're going, and plus with a little bit of inflation, before we know it, it's going to be Making Trillions. So people, you might want to reserve that, that bookmark, if you haven't done it. Speaking of bookmarks, I mentioned already AtumSeal, A T U M S E A L.com, where you can generate those one-time links for the passwords. But we also do this hacker's perspective scan that Matthew was talking about early on. And that's a way for an organization to find out, hey, what can a hacker see about you. And the truth is, if anybody in network security is out there, anytime you plug something into the internet and put it online, you're gonna get a lot of people looking at, let's say, people from Russia, China, North Korea and elsewhere; they actually have similar scanners to what we have. The difference is, they don't tell you what they found, they just act on it. We'll tell you. So we've actually set up a special link just for the Making Billions listeners. And if you go to AtumCell.com/Billions, that's A T U M C E L L.com/billions, we have an opportunity, you can get a free scan, and just put in your URL, do a free scan for you. And we'll show you what a hacker could see about you. So that was the way that I would say if you want to contact us. You can also look for us on LinkedIn with AtumCell, or you can send an email, and the easiest way to do that: send an email to me, that's d@atumcell.com, or Matthew, m@atumcell.com.

Ryan Miller  
Perfect. So improving settings in your network, getting stricter firewalls, implementing AtumSeal to protect your documents, control access to your data rooms, only to people that need it. And finally, we said just collect the minimum amount of information and delete it when it's no longer needed. You do these things, and you too will be well on your way in your pursuit of Making Billions.

Wow, what a show. I hope you enjoyed this episode as much as I did. Now if you haven't done so already, be sure to leave a comment and review on new ideas and guests you want me to bring on for future episodes. Plus, why don't you head over to YouTube and see extra takes while you get to know our guests even better. And make sure to come back for our next episode, where we dive even deeper into the people, the process, and the perspectives of both investors and founders. Until then, my friends, stay hungry, focus on your goals, and keep grinding towards your dream of Making Billions.

