With so many issues in play when it comes to operating a business, boards of directors have a lot of information flying at them. One issue they must make sure they are not overlooking, however, is cybersecurity. In this CPA Conversations, Dan Desko and Troy Fine of Schneider Downs in Pittsburgh discuss what boards need to be aware of in areas such as data breaches, sophistication of cyberattacks, third-party vendors, mobile devices, and more.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
The time for taking shortcuts on cybersecurity is over. Boards of directors of organizations need to know the risks of being delinquent in this responsibility. But with such a complicated subject matter, what aspects of cybersecurity must they be informed about on a high level, and how can CPAs help assess an organization's risk for cyber attacks? To give us a look inside this increasingly important issue for all organizations and their boards, today we are with Dan Desko, Shareholder, Cybersecurity and IT Risk Advisory for Schneider Downs in Pittsburgh, and Troy Fine, Manager, Risk Advisory Services at Schneider Downs.
Is it at this point still common to see boards of directors who think they can take shortcuts on cybersecurity, or do most pretty much get the message at this point?
[Dan] So, we do see from time to time cybersecurity not being very important or an important matter or line item in technology budgets. I don't know if it's boards or audit committees taking shortcuts, but I think it’s more along the lines of not having the right makeup sometimes on the board. And really sometimes not knowing where to start. Or the right questions to ask from a cybersecurity perspective. There's a lot of buzzwords floating out there, and cybersecurity by itself is somewhat of a buzzword these days. And we see a lot of boards that want to know where their organization stands from a cybersecurity perspective, but a lot of times don't know where to start. Sometimes we're recommending helping to build that approach. Where should they start? A lot of times we're talking about things like building out maybe a cybersecurity risk and control sort of gap assessment. Taking a look at how our IT organization, security organization operates today, comparing that against a tried-and-true framework, and helping them deliver sort of a project roadmap or a prioritized list of things to work on. Sometimes the very first entrée with a customer of ours might be something like a network penetration test or network security assessment where they would like to know, "Okay, where are we most vulnerable today?" From a technical perspective. Let's not focus on all of the processes and procedures just yet. Let's do a test from a technical perspective, show us where our biggest vulnerabilities are, our biggest holes are, and show us how likely it is for us to be breached. Part of my job is just constant education. I find myself spending a lot of my time just educating our customers on what they should be concerned about from a cyber perspective. And trying to raise the level of awareness and help them understand more about what they should be asking.
What do you think a board should know about data breaches? It's such a huge sort of technical topic. How far do you go into it with them, and how much should they know about the costs it could take for an organization to recover from?
[Dan] I think there's a lot of potential breach types out there when you look at things like ransomware and some of these disruptive types of breaches that occur. From a board perspective, I think the most important thing when you talk about those types of breaches is the operational downtime that can occur for that company. Right? If a ransomware attack occurs…for listeners out there that have not heard of ransomware, that is a form of malware that tends to take over your systems and potentially lock or encrypt the data that your organization uses essentially stopping your organization from using the computing resources, using your data, using your systems until you pay some sort of ransom. We've had clients run into these issues before, where they might be down for a week, two weeks or days at a time just dealing with the issue, trying to get systems restored, restoring from backups, troubleshooting all across their network, trying to remove the malware. So just from an operational perspective, the boards need to be thinking about, "Can we handle something like this? If we had to go back to pen and paper for a week, what sort of financial impact would that have on our company?" A lot of times, I think that's an often overlooked sort of risk. A lot of boards will focus on, "Okay, well, if they steal some of our data, what are the repercussions there?" And there might be monitoring and fines or fees you might have to pay, but look at the operational downtime, too, and that effect.
[Troy] I think, too, just to add, customer reputation is a big cost that I think is overlooked. Effectively, your customers lose confidence in you. That directly could then also impact the financials and bottom line as well. So customer reputation, I think from a nonfinancial aspect, could be an indirect cost that could affect the bottom line.
So, Troy, what does the SEC's new Cybersecurity Disclosure Guidance mean to public companies and their board of directors?
[Troy] So for those of you who are public companies that might be listening to this, you might have been aware of the 2011 guidance that came out. This guidance does build on that guidance. It was released, I want to say around February of 2018. There's two main areas of focus with this. Dealing with your disclosure control. So when you identify a cybersecurity incident, how are you communicating that to your board of directors or your personnel in charge of governance of cybersecurity? And on the flip side, once they get that information, what are they doing with it? Are they reporting it to the appropriate external personnel? Are they reporting it in their SEC filings? Things of that nature. And then the other piece of this that recently they're starting to crack down on a lot is insider trading problems. They're putting out new rules around when the incident is detected, if an insider understands when the incident was detected before it was disclosed to the public, cracking down on when they can trade, because they obviously know certain information that will negatively impact the stock price. It's cracking down on the insider trading and putting rules in place. Just a couple recent examples that deal with this. For some of you out there, you might have seen that Yahoo was actually recently fined about $35 million. And this was directly due to misleading investors. Between 2014 and 2016, Yahoo suffered a major breach that I'm sure a lot of you heard of. The breach occurred in 2014, but they decided to make it public in 2016 when Verizon was in the middle of purchasing them. The SEC said, "This was a significant impact on your organization, and you misled investors by not reporting this, waiting two years to report it." So they directly fined Yahoo for misleading investors due to lack of disclosure of a significant security incident. For those public companies, this should be a warning sign.
$35 million to Yahoo's not a big deal, but they are setting an example with Yahoo and potentially saying, "You better disclose this to us and not kind of hide it." And this ties well into, for those of you that have European citizen data, GDPR recently. You have to report to the appropriate authorities within 72 hours of identifying an incident. The SEC ruling doesn't necessarily tie you to a specific timeframe, like GDPR, but they are, if it's significant and you definitely are misleading investors, they're going to crack down. And then, too, the reason the insider trading…just remember Equifax and Intel, their executives actually, after detecting the incident, actually traded stock before it went public, so those are just some examples of this rule and why it kind of came into play.
I think a lot of this is about just so much is coming at boards of directors and the information that they need to know on certain things. So what do boards of directors want to know about an organization's cybersecurity risk management program? Because I imagine they can't go into full detail on it, so what is it that they need to know, and is there anything that they don't need to know?
[Troy] Yeah, so I guess the first thing if I was a member of a board, the first thing I would want to know is what type of data do we have and where is it stored? If you don't know what you have, you don't know how to protect it and where to invest the money and time to protect that data. Another thing that I'd want to understand is if there is a cybersecurity risk management program, what framework does our organization use to create those cybersecurity controls? Did we base it off of NIST? Did we base it off of ISO 27001? Are we in the health industry? Are we basing it off of HIPAA and HITRUST? So it's just understanding, yeah, we do have a framework in place, but is it sufficient to meet our needs, and is it appropriate for our industry? They might also want to understand now with these recent breaches, how are we assessing that risk management program? Are we bringing in outside parties? Do we assess it internally? What's the reputation of those outside parties? Going back to kind of the first question here, where do some people take shortcuts? Sometimes they have assessors come in, and maybe they just want the cheapest person to come in and provide them a good report so they can show it. But that's not always the best strategy. Sometimes you want people to ask the hard questions and take that extra time to really understand your risk. That kind of ties into question one there about maybe some potential shortcuts that organizations might take. And what are our biggest cybersecurity risks? Touching on Dan's point earlier about ransomware. The health industry's getting easier on a daily basis about ransomware taking on hospital systems. If I'm in the health industry, how are we protecting, how are we preventing ransomware? Is it our patch management process? Equifax breach was directly caused by lack of timely patches to their operating system. It's just kind of understanding what our risks are, and how are we preventing those risks or mitigating those risks?
If you have an incident response plan, are we testing that? Can we recover timely, and is it meeting our customer needs? And then they'd probably want to understand any penetration test results that you have from a third party, what significant findings there. I know we're going to touch on this maybe a little bit later, but vendor risk. How do we manage our vendors? Are they getting sensitive data? And then a big thing now is cybersecurity insurance coverage. There's potential there to help share some of that risk or mitigate the financial loss if a cybersecurity incident does occur.
So our audience is mostly made up of CPAs here, so I think that a major question is how can CPAs help assist boards of directors with assessing an organization's cybersecurity risk? What's their role in this process?
[Troy] Schneider Downs has a pretty robust cybersecurity practice now. And some of the things we do to help our clients, specifically what Dan was talking about, with penetration testing and vulnerability scanning. We're going to simulate an attacker and try to break into your network and get to the crown jewels. I don't know if a lot of CPA firms necessarily have that expertise right now, but it's definitely a growing area of our firm, and we're definitely taking a strong investment in that area. In addition, for some of you that might be aware, there is a new SOC examination out there. It's called a SOC for Cybersecurity examination. And it's actually an attest engagement that a CPA firm can perform on the entity's cybersecurity risk management program. It's the same concept as a SOC 1 or SOC 2 report, except we're looking at the entity, and we're really focusing on how did the client identify security incidents, how are they recovering from that incident and then what controls are in place to prevent that incident. And if you have to disclose it, what are your disclosure controls? And then also I think a lot of CPA firms, they understand risk, and I think just kind of being a trusted adviser for our clients and understanding where our risk is, I think is really what a CPA firm brings to the table that some of these other non-CPA firms that are offering cybersecurity...they understand cybersecurity, but they might not understand risk, what's the ROI, and what do I need to focus on first here? Because obviously, CPAs, that's our bread and butter is focusing on risk and mitigating that. So I think those are the three areas where we offer a lot more services, but at a high level those are the three areas where we're starting to help our clients, and we're just seeing it growing every single day.
[Dan] Bill, I'll add to that. I think Troy made a great last point. I mentioned earlier about educating our clients about cybersecurity matters, and a lot of that educating too happens internally. So educating our other partners, educating our people, our managers that are in the field, our staff that are in the field so they know enough to be dangerous about the big cybersecurity risks. Just so they can help educate our customers, too. So it's not only incumbent upon our cybersecurity practice to get the word out, but we do a lot of education internally to make sure all of our staff are aware of the risks and are sort of beating that drum when they're out talking to clients. We take a great deal of satisfaction in helping the companies that serve our communities be more secure. That's sort of our mission. Any way we could accomplish that is a bonus for us.
Dan, a couple high-level type questions here about cyber attacks in general. Are there specific industries that are more susceptible than others when it comes to cyber attacks?
[Dan] That's a great question. Oftentimes when I'm talking to boards or audit committees, folks want to know, "What are others in our industry doing?" Cyber is one of those areas right now that it can kind of be the Wild, Wild West and not really dependent upon your industry so much as to what is the knowledge level from a security standpoint of your internal IT staff. Or do you have any staff related directly to security in house? So it's really dependent on a number of things and not so much the industry, but I will say there are definitely some industries that I think probably are a little more susceptible than others just based on some of the network security assessments we've done. I will say higher education institutions, just by sort of the open nature of their existence. Their networks tend to be a little more open as well. They like to keep things open and free for research and other things, and the universities across the country were some of the first internet users. We've seen higher education institutions be fairly vulnerable. I think the recent reports by law enforcement that show about the advanced persistent threats from Iran that hacked a lot of our nation's universities kind of proves that theory out. Manufacturing. We see a decent amount in manufacturing. Some professional services firms as well. I think with those types of organizations they often get lulled into this "Well, I really don't have or we really don't have really any sensitive data. We're doing business-to-business manufacturing or we're just providing some service for this business, and we don't hold a lot of their data." But at the end of the day, there's still a lot of risks that can occur. We talked about ransomware for example, and that risk that occurred to...that was a manufacturing firm that was kind of down and out for about a week. 
There was a professional services firm that we worked with that didn't have a lot of sensitive data, but what the hacker did was obtained access to their email system, got to know who their customers were, who their biggest customers were, who the players were at those customers, what their invoices looked like, so on and so forth. They created a brand new domain that looked very similar to the hacked firm, and then they started communicating with the customer. Eventually they got to the point where they sent the customer a fake invoice. They weren't successful in their scheme, but they got very, very close to getting a six-figure invoice paid from this company's customer. All through breaching their email system, learning about who they spoke with and so on. And that for this customer is one of their largest accounts, and you talk about shaking the confidence in one of your business partners. The business arrangement between those two companies survived, but it was put on hold for about two months until we could come in and do some analysis to show them that the problems have been remediated, and what they did to do that. The strain that that creates when that occurs is hard to realize or hard to plan for.
I think that kind of leads into the next question here, a question sort of about the sophistication level. I mean, my question is going to be sort of about the current forecast for cyber attacks. I kind of glean from what you're saying and news coverage, it's certainly on the rise. But the sophistication level: is that growing? You talked about it a little bit there about some of the things that these hackers are capable of. What are you seeing on that front?
[Dan] I think part of the rise that we're seeing is a lot of the tools that are used and the services that are used to carry out these attacks have come a long way. So for example, in the ransomware world, you could go out there and buy a piece of software that will sort of allow you to start your own ransomware enterprise. Hopefully, there's no one on this podcast listening for those purposes, but instead of being a cryptography expert or instead of being a Linux Command-Line expert and a networking expert, you really just have to download this piece of software that allows you to do some pointing and clicking to send some ransomware out. And then from there, it makes it much easier for you to carry out those types of attacks. That's definitely a trend that we're seeing is a lot of these tools are being...they're open-sourced, they're on the black market, they're turning into a service model, so not only are these nefarious individuals or criminal organizations making money by hacking into your organization, but they're also making money selling their software to do that as a service to others. So, that's occurring. From a sophistication standpoint, I will say that most of the breaches and hacking attempts that we see today aren't extremely sophisticated. A lot of the ways that we're able to hack into our client organizations, a lot of times it's just by guessing bad passwords. Single-factor authentication, just having a user name with a password, is by far one of the biggest risks that we see out there today. It's very easy for us to access a service over the web, just by guessing a password or sending an employee a phishing email that steals their password. Usually most of the attacks start out fairly simple, just through social engineering, and then the sophistication occurs a little bit later on down the line when it's time to exfiltrate that data. Yeah, most of the ways that breaches occur right now, it's the sophistication level.
You'd think it's some sort of custom malware. People talk about zero-day malware. That stuff might occur at sort of a nation-state level, but if I'm trying to attack XYZ University down the road, that's not going to be my approach. I'm going to take a scatter-gun approach. I'm going to send phishing messages to 100 people, hope two or three of them give me their credentials, and then once I have sort of that working point onto their network, it's usually happy hunting from there.
So you talked about this a little bit there to a degree, but one of the things I've seen recommended for protecting customer data is what's called a layered defense. So if you could tell us a little bit about what that means, and what goes into it.
[Dan] In its simplest meaning, a layered defense is just making sure that the controls that you have in place back each other up. If one control fails, and you should almost assume that certain controls will fail within the hierarchy. So think about layers in an onion. So if you're able to penetrate the skin, that layer behind the skin, what is that going to do? Making sure that you have controls at all these different layers that sort of back each other up. I'll give you an example. We often get into discussions with our clients when we're talking about scope for a penetration test. Some of our clients might say, "You know what, we don't need phishing as part of this test because we already do phishing training every quarter or every year. We send our employees a phishing message to see if they will click." I say, "That's great. But the phishing that we do as part of a penetration test is not only to test the user, but we're also trying to test all the other layered defenses that might be protecting you behind that user." We always say, "Okay, you should almost expect that somebody will fall for a phish. Now if they do, can I deliver a piece of malware to their computer?" So that next layer of defense should be advanced antivirus or advanced endpoint protection on that machine that sort of spots the heuristics of that malware. If that doesn't get caught, how about me trying to raise my privileges from a standard user to an administrative user on that machine? There's things that you could do to alert on that or to stop that from happening. Are those defenses in place? No. Okay, well what about, okay, I got into Suzie's machine, now I want to laterally move from Suzie's machine to Jimmy's machine. What defenses do you have in place there? Do you have network segmentation in place? Do you have traffic monitoring in place? 
The goal is to think about the different types of threats that can occur and not have a one-to-one ratio of, "Hey, what are our assumptions that would stop that threat?" It's, "Okay, what are the layered controls we have in place to say, hey, let's assume Suzie fails the phishing test, what do we have behind that to sort of mitigate the risk of that happening, or the impact?"
What do boards of directors have to know about third-party vendors who handle sensitive data? Because it's a little bit tougher to control those, I would think.
[Troy] Yeah, don't give any third parties data. That's the rule. No, I'm just kidding. That's just not feasible, obviously, in this day and age. If I'm a board, the first step I need to understand is who are our vendors. I think a lot of these bigger organizations probably don't even understand how many vendors they actually use. And then on top of that, once they do identify them, it's what type of data are they actually getting or do they have access to? Not every vendor could be treated equally. The janitor vendor shouldn't be treated the same as your managed services provider. Right? So when you're performing this vendor assessment and understanding who your vendors are, you really have to understand how do I classify vendors based on risk? When you're doing your vendor risk assessments, you want to spend your time wisely, and you also want it to be spent in a manner where you're hitting the high-risk vendors more often than the lower-risk vendors. And that kind of leads into how are you assessing your vendors? It's one thing to say, "Hey, do you guys have a SOC report? Do you have an independent third-party come in?" And it's another to actually go in and perform your own audit if you have the leverage or perform interim procedures in between their SOC reports. Sometimes SOC reports come out only once a year. And your board might want to understand how are we assessing these guys quarterly? These guys are a high-risk vendor to us. If something were to happen to these guys, in the interim period, we need to know about that right away. Understanding how they assess vendors based on the classification and the risk. And then another key point is how are we transmitting data between our vendors? Are we using secure connections? Are they just putting the documents up on a Dropbox folder and we're going to retrieve them? I wouldn't call that a secure manner of transmitting data. So it's just understanding that data flow and where is the risk in that data flow. 
Kind of going back to Dan's point about the layered security, it's almost understanding that data flow and saying at each one of these touchpoints, what could go wrong and what are the threats, and how are we mitigating those threats. Sometimes when you ask the questions to these vendors, you find out a lot more than what you thought initially. Sometimes you find out they're using another vendor themselves that you guys weren't even aware of. That's another key aspect of vendor management is what we call fourth parties or fifth parties. Sometimes you have to keep going and digging and digging and say, "What do you do with this at this step?" It could be a long trail of vendors actually when you're using vendors. It's just understanding that data flow and understanding where it goes that'll help you kind of understand what other vendors they might be using. Privacy's obviously a big deal right now, especially with Facebook. If your vendors are getting personally identifiable information, are they in compliance with privacy laws and regulations? Obviously, GDPR again is coming down on that. And then if you guys are terminating vendors, do you have a good process to terminate those vendors and make sure they're deleting your data. Or if you need to get data from them, are there procedures in place and are agreements in place to where that's going to be a seamless process? And then I would say also understanding cyber insurance coverage for your vendors. If there's a breach that occurs with them, are they going to be able to sufficiently cover those costs potentially for your customers? We do a lot in the third-party assessment. I'm sure Dan can probably even add some more points to this one about some of our experiences if you want to with this one.
[Dan] We have a whole part of our cyber practice where we are hired to go out and assess vendors of certain organizations. We work with one organization that has tens of thousands of vendors. It's quite a big undertaking for them to sort of risk-rank those vendors and identify which ones are the most critical to them. Our team is sort of sent out, the boots on the ground in the field, to actually analyze those vendor organizations. And we sort of use a SOC report if they have one as really only the starting point in a lot of those cases. I would say having that SOC report, and they get some transparency into that vendor, is sort of crucial step number one. But then from there, looking at, like Troy mentioned earlier, the key points for data loss within an organization. Just thinking about the service they offer and the things that could go wrong and understanding what are those key controls they have in place to mitigate data loss. The other thing with third parties, too, I'll go back to the operational risk that we talked about earlier. If your organization is highly reliant upon a third party to carry out your service, your product, your supply chain, whatever the case might be, what would the impact of a ransomware attack, or a breach, or whatever you want to throw in there, what would the operational impact of all those things be and what sort of incident response plans do they have, business continuity plans do they have, to ensure that they could continue to support my organization when those things occur.
Before I move onto the last question, it kind of blew me away there that number you gave just as an insight as to how big, and we talk about this as a sort of complicated process, but a client with over 10,000 vendors. That's what you had said?
[Dan] Yes. It's actually over 20,000.
20,000. Okay. That's a lot of data to have to look after. It gives people sort of an insight of how big and how sort of complicated this process can be for certain groups. You have to have some sort of process in place.
So Troy, moving to our final question here. Obviously again, we're going out to CPAs, so the accounting industry along with other industries, it's becoming more flexible, but that means that employees may be accessing client data on mobile devices. What needs to be done to ensure that that data's going to be safe under those circumstances?
[Troy] Yeah, that's a good question. Obviously a lot of us are moving toward technology and cloud technology and trying to become more automated and efficient. I think the first key item that I would recommend is two-factor authentication for any type of remote access into company systems. A lot of us, especially in the audit world, we're traveling on a regular basis. We're not going to be in the office. We're most of the time connecting remotely to our company's networks, so understanding that single factor which is the password, allows a potential remote person who's an unauthorized user to potentially access your system. So adding that second factor, such as a text message to your phone, a six-digit pin after you log in that changes randomly every time you log in, adds that second factor and makes it that much harder for somebody to guess your password remotely and log into your systems remotely if they had to. And this also includes cloud systems. So for anybody, if you're using cloud systems maybe to transport or transmit data between your clients and your company, understand that, that if it's a cloud system, and there's no other restrictions in place other than a user name and password, and you might not even have to be on your network to access it, that could be a huge risk. Your network might be very secure, but then all the data's actually in this cloud portal, in this cloud environment so it's understanding that risk too and saying, "Okay, it's not just my network. It's where am I accessing data? And where do I need to potentially put that two-factor in?" And then again with the travel a lot of us are using public wifi, hotel wifi networks. We should always, always be using a VPN if you're on those networks. And you should also make sure you're connecting to the correct network. 
Sitting at a Starbucks, it's very easy for somebody to set up a wifi network called Starbucks, you're just going to connect to it, and now they're going to perform a man-in-the-middle attack and get your information. A lot of times too, and we have these, we have mobile hotspot devices that we give to our employees. And it essentially creates your own mobile hotspot. And instead of connecting to the wireless, you're connecting to a mobile hotspot device, and it's password-protected, and you know it's secure when you connect to it. Another thing we like to recommend, if you're working at a CPA firm, don't use your work email and user name for other ancillary sites that you sign up for. I mean, if there's a breach that occurs at those sites, and you used your work email as your user name, an attacker's going to know where to try to guess your password if they got it from another breach. And then be smart when you're using email. If an email seems off, kind of like the example Dan was talking about earlier, pick up the phone and call the sender and make sure, if they're requesting sensitive data or a transfer of money from a high-up person in your company, if it doesn't seem right and your gut's telling you this isn't right, just pick up the phone and call somebody. That's usually the best defense is to just verbally communicate with somebody and say, "Hey, did you send this to me or did your email get hacked?" And then again, providing a secure means for clients to provide you data. Clients using Dropbox that's unsecure, and just a free version of Dropbox is not the most secure way to transmit data. Understanding how we're going to get data from clients and understanding how we're protecting that data when we're transmitting data to clients.
[Dan] And Bill, sort of the last thing I'll throw in is everybody loves to email everything these days just because it's so easy. Email by itself is a very unsecure method of communication, and there's lots of hops along the way over the internet where things could be intercepted. Not to mention, I don't know about you, but from what we've seen people tend to be pack rats. People don't generally go through and purge email every so often unless they're forced to. And if they're not forced to, they'll have emails going back years and years within their inbox that, depending on what's in there, could be enough to constitute a breach if their email gets hacked into. As a profession, as a firm, we take a lot of precautions just from an email standpoint making sure we're not emailing around tax statements or audit reports or penetration test reports unless we have a secure means to do so.
[Troy] I think it's important to communicate with your clients on how to transmit securely, because a lot of clients will just as soon just send you email, and now it's stuck in your email system. Right? Like Dan's saying. It's just really forcing them, and saying we have this other secure option, please use this and being upfront about it. I think that's a key component. And if they do need to give you data, let them know, "Hey, we don't want all your data. We just want the data we need." A lot of times when we're doing security audits, we need to get sensitive data on employees and we say, "We just want name," and sometimes people are sending the whole HR file and we're like, "No, we just want name. Please redact this information." I think it's making them aware of, "Okay, yeah, here's the data I'm sending to this auditor. Does he need all this data?" We don't want the liability on our end, and they don't want to expose their company to risk. So we really try to communicate upfront and say, "This is the data we need. We don't need anything more."
[Dan] Yeah, that presents challenges, too. A lot of firms like ours are required to have email archiving solutions for litigation purposes. While that email might make it through to Troy, and Troy will hit delete, we then have to go through a process through our IT department to actually access the email archives because that email will live in the archives if we don't go and do that. And that's certainly something we don't want to live out there. I guess another lesson learned is just hitting delete on your local PC doesn't mean it's deleted from the server that's supposed to store that either.
First of all, great answers throughout this podcast, but so many great tips in that last one. I just recently got a new iPhone myself. I've been getting the notices about turning on the two-factor authentication. I've been pushing it off because I wanted to get to my scores quicker, but I think the first thing I'm doing when I go back to the desk is setting that up because the speed at which I do that task isn't that important. So guys, thank you so much for the great information you gave throughout this podcast. It was great having you here today. So thanks so much.
[Dan] Thanks for having us. I enjoyed it.
[Troy] Yeah, we appreciate it Bill. This is a passion of ours and any time we get to talk about it, we definitely enjoy it. So thank you.