Stop Losing Your Data with Brian Gill

Brian Gill: There’s a reasonable chance we can’t help you, but we know more about it than you do, it’s financially risk-free, and nobody else is going to help you at all. It wasn’t because I was trying to make a bunch of money at that price point, because we weren’t. We were going to lose money at that price point, but we were going to lose a small amount of money, and we were going to learn the process, we were going to get exposure to casework. My intention was never to make money in the first couple years. In fact, we didn’t.

Joe Casabona: Brian Gill is a computer scientist, entrepreneur, and angel investor. Due to his firm belief that data recovery shouldn’t be a prohibitively expensive service, something I agree with, Brian founded Gillware. He and his team specializes in cyber risk assessment, data recovery, and incident response. Now that is a lot of scary-sounding stuff, but during our conversation, he makes it sound a little bit less scary. It’s scary if it happens to you, but understanding is less scary. Today we spoke about his journey in business growth, as well as how to protect yourself from hackers. He provides actionable tips that you can put into practice today, and some of the things he did to learn his chops in data recovery especially were very interesting to me. So I’m excited for you to hear this conversation, of course, after a word from our sponsors.

Break: This episode is brought to you by our friends at Ahoy! The easiest way to increase customer engagement on your WordPress site. Install Ahoy! Create a message box, configure a way to display it, and start seeing conversions come in. You can create messages for cart abandonment, up-sales and cross-sells, custom support, and so much more. Ahoy! Has flexible conditions that let you choose exactly where and when you want your message to be displayed. I’ve recently installed it on my own WooCommerce site, and I’ve already seen increased engagement. I know this because of Ahoy! and it’s powerful analytics and reporting. You will see ROI within days of installing Ahoy! If not sooner. That’s even more true for listeners of How I Built It. You can get an exclusive 20% discount on any plan. Visit UseAhoy.com/HowIBuiltIt and use the code HOWIBUILTIT at checkout. Use those today and increase your engagement in sales on your WordPress site. Thanks to Ahoy! for their support of this show.

Joe: Hey, everybody. Welcome to another episode of How I Built It, the podcast that asks, “How did you build that?” Today my guest is Brian Gill, the chairman of Gillware. He is a computer scientist, entrepreneur, and angel investor, and today we are going to talk about cyber risk assessment, data privacy, incident responses, and all sorts of other fun and scary topics. Brian, how are you today? Thanks for coming on the show. I am interested in talking to you today because we haven’t had a guest talk about some of the topics that we’re going to talk about today, but why don’t we start off a little bit with who you are and what you do?

Brian: Sure. Without going into my full backstory, I basically have surrounded myself with a bunch of really quality humans, and together for the last 16 years, my primary mission has been to help bail people out of data-related disasters. Whether that’s bad guys infiltrating a network, or data being stolen, or a server crashing, or a human making mistake and accidentally deleting all the pictures of their wedding or baby photos. We are a bunch of tech nerds who do everything we can to help people out of those crises. Then also once they’ve experienced those crises, we help them either back their data up or sometimes they’ll hire us if they got hacked, they’ll hire us as what we call a part-time CISO or come in and do monthly risk assessments to help them prevent the next attack. It’s just helping people out of disasters.

Joe: Gotcha. As somebody who has lost all of his photos and music before all of our music was in the cloud, or on a streaming service, I can definitely level with that. After that happened to me, I made sure to get an external hard drive, and of course today I have time machine on my Mac and Backblaze and Nas, and just lots of things. Because I have been in that situation, what I haven’t been in is what my company or my clients– Knock on wood, haven’t been involved in is stuff like a data breach. It sounds like you do some of the more personal computing problems, like data loss and recovery?

Brian: The recovery side of our business, we founded back in 2004, and that’s the data recovery company. That company– It’s a mix, maybe 40% of our clients are just normal people and consumers who lost their personal data on a laptop, or they dropped their phone in the toilet or that kind of stuff. Maybe 30% are small business owners with maybe 1-50 employees and had a server crash, or a chief executive or an accounting professional had a laptop hard drive crash, or an SSD go bad. Then the other third is large corporate America and the government, and we’ve done recoveries for almost 80% of the federal bureaus. It’s pretty much everybody loses data, on the data breach side of things we almost would– I don’t want to say “Never,” but our average size client who got data breached is probably 100-500 employees, maybe sometimes even larger. For the micro-sized businesses who get breached, they’re less likely to need an army of nerds to come in and address that situation.

Joe: Yeah, absolutely. So you serve all sorts of people doing all sorts of things, but I want to get back to the basics a little bit in your intro here. I also have my degree in computer science, I have a masters in software engineering, and I went the web development path. When I was in college and high school, I read Kevin Mitnick’s books, and I thought, “I want to do that.” But I decided to go the other route. What made you want to get into this particular field?

Brian: In general, I got my computer science degree from the University of Wisconsin, and that was right before the first big tech bubble, the first big web 1.0. I jumped on a plane and went out to the Silicon Valley and wanted to play the startup game, and joined a couple of startups. One of them is still around that was involved with e-commerce and that kind of stuff. I was primarily on the back end, development-style, database design, and things of that nature. A lot of back end programming, my forte was not the user experience, although that’s changed over the years. When that whole economy just imploded the valley was a horrible place, I would say 80% of my friends were out of work. I had a job, but it wasn’t at a startup, it was at a bank. So I had a job, but it wasn’t the type of job that I moved out there for, so I tucked my tail between my legs and said, “If I’m going to work at a bank I might as well do it in Wisconsin where I’m from and where all my family is. My brother had just had a couple of kids, and I wanted to be there for that, and I– Why pay the $3,000 dollars a month in rent? I tucked my tail between my legs and humped back to Wisconsin, and I was doing some consulting at some boring but wonderful companies like insurance companies and cheese manufacturers and all kinds of weird stuff. I wanted to start a company, but the economy was in the crapper, and there was a 0% chance of getting any bank loan. I knew I needed to do something that I could bootstrap with the $50,000 that I had saved up. So whatever I was going to do, I needed to be able to get to revenue within my budget. Because I wasn’t going to get any angel financing, I wasn’t going to– If you wanted $50,000 dollars angel financing for a new idea, they were going to take half your business back then. It was just a horrible time to be an entrepreneur. My brother Tyler, my younger brother Tyler was going to school at University of Wisconsin for his CS degree, and he’s about nine years younger than me. And he had a hard drive crash, so he was trying to figure out, “How do I get my stuff back?” He found two companies in the whole US that advertised for it, and both of them wanted $3,000 dollars. Again, back then this was a college tuition for a semester or more. He didn’t exactly have the budget for that, and it opened both our eyes to “How hard could it be exactly?” It turns out it’s pretty hard, but we had the right circle of friends, and one of my buddies was an electrical engineer, one of my buddies was a mechanical engineer. I had the computer science and e-commerce background, and we had all the pieces of the academic puzzle. The next question is, “OK. So there’s very few competitors, and the two that are out there that we could find were very prohibitively expensive. Could we start a company for less than $50,000, learn enough about how to do this that we could serve that underserved part of the market, and get out get it off the ground?” That’s where it came from, and it turns out we could.

Joe: That’s fantastic. I love that. I have a similar story of how I got into web development, essentially my church came to me, and they said “We want a website.” And I said, “I don’t know how to do that.” And they’re like, “We will pay you.” And I’m like, “OK, alright.”

Brian: “Sweet. Money’s great.”

Joe: Yeah, right. Exactly. And it turned out I loved it, so as you started to research starting this company and what it would take and the services you would offer, what did you end up doing? Did you look at these other two companies and copy their services, or–?

Brian: I’m weird. I know a lot of people do a lot of research and a lot of competitive research and a lot of planning, and we didn’t do that. I frankly have never even been to their websites. I might look at that and even get like intimidated, like “Oh my gosh. Look at how amazing these companies are.” Like, “I’m going to compete with them?” It’s better to be, and I don’t know, ignorant about it, so you don’t even worry about it. I have enough background in digital marketing where– Or, enough exposure where I knew if I was going to go read a bunch of other web content, I might accidentally steal some of it or copy it. Again, they were definitely 100% targeting the enterprise, and we weren’t going to even do that, so I don’t even know how useful it would have been. So what we did was we bought a few pallets of broken hard drives on eBay, which is a thing you can do, and we tried to fix a whole bunch of them. We decided, “If we can fix 50% or 40% or get data off some of these, then we’ll advertise that we do it.” And we did, we were able to pull data off about half, and we said, “OK. That’s good enough to launch a beta.” I still kept my day job, but I threw up an ugly, crude-looking website because again UX at the time was not my forte. But it was pretty simple, it was like “If you have a crashed hard drive or if you lost your stuff, we will take a financially risk-free look, and if we can help you, we will charge you $100 dollars. There’s a reasonable chance we can’t help you, but we know more about it than you do, it’s financially risk-free, and nobody else is going to help you at all. It wasn’t because I was trying to make a bunch of money at that price point, because we weren’t. We were going to lose money at that price point, but we were going to lose a small amount of money, and we were going to learn the process, we were going to get exposure to casework. My intention was never to make money in the first couple years. In fact, we didn’t. The company was always bleeding a little bit of money for probably the first two and a half years, but the whole time every month we got better at the troubleshooting, and we hired the right people where we had those gaps in our engineering squad, and we bought all the right tools to help us through that. We invested in our internal software processes to help do that stuff as well, and we got a nicer office. For me, I don’t do a lot of market research. We knew that there was a need because we experienced it, and we just dived in. I didn’t know if it was going to be a three-month venture or two-month venture or a six-year venture. It turns out its 16 years and counting, and I didn’t even quit my day job probably until month seven, where it was like “OK. I’m going to take a pay cut and lose my steady income and try to live off what this business generates and take a paycheck for the first time.” I did not do a lot of product or marketing research, we just dived into the pool and see what happens.

Joe: I think that’s interesting, because you essentially did something that I feel like people who make software can do a little bit easier, and that’s practice a bunch. I have two questions regarding the pallet of broken hard drives you bought, and the first is, did you find anything cool or did you figure out you could recover and then not look?

Brian: Yeah, we destroyed all the data we found, I’ll just come out and say that. But we found all kinds of people’s data, company data, stuff that they would probably be incredibly irritated if they knew that– And we don’t even know how did it end up on that pallet.

Joe: They could have given it to some store, and then they were like “We can’t do it, so we’re just going to sell it off.”

Brian: Maybe they sent it to some recycling center and that recycling center– There’s an undercurrent, an industry where companies will resell old IT equipment, and it could’ve come from there. Where they tested them, and they were dead so they couldn’t resell them, so they just chucked them on a pallet and threw it on eBay. Sounds like an incredibly stupid idea.

Joe: Especially because there are ways that you can fully erase a hard drive.

Brian: Not if they’re dead. That’s the problem.

Joe: OK, interesting.

Brian: The hard drives were dead, and they probably figured, “They’re dead so nobody can pull data. If we can’t zero fill them, then nobody can access it, so it’s safe to chuck it up on eBay.” But the $53 dollars they won in the auction and the $300 dollars in shipping which they didn’t get to book, it certainly was a very poor financial decision on their part and they probably weren’t anticipating that there’d be some lab of weirdos repairing and soldering the boards to put them back together and diagnosing which chips were bad, breaking them open and switching the motors out. They would have not probably anticipated that certainly if I was consulting with a company that was disposing of faulty equipment, I would not recommend chucking a pallet of them up on eBay. Incredibly stupid idea.

Joe: I just got rid of my wife’s college computer, and I took a drill to the hard drive.

Brian: That’s good idea.

Joe: I just drilled a hole. She was like, “Do you need to do this?” I’m like, “Probably not. But I’m going to because I don’t know what you have on there and you don’t remember what you have on there.”

Brian: No, a hammer– If you see the platters shatter or break or bend, or if you put a drill press through them, if you call Gillware or data recovery and say “I’ve got a hard drive and it’s been shot up with bullets or it’s been drill pressed a couple times. Can you get the data back?” Our answer will be, “Please don’t send that to us. The answer is no, and frankly, we’re one of the best in the world.” So, drill presses work great.

Break: This episode is brought to you by Pantheon. Starting a new project? Looking for a better hosting platform? Pantheon is an integrated set of tools to build, launch, and run websites. Get high-performance hosting for your WordPress sites, plus a comprehensive toolkit to supercharge your team and help you launch faster. On Pantheon, you get expert support from real developers, best in class security, and the most innovative technology to host and manage your websites. You can sign up a new site in minutes with a free account, and you only pay when it goes live. That is my second favorite feature to Pantheon, only to the easy ability to create dev staging and live servers and push to GitHub. It’s very easy to set those things up on Pantheon, so you can head over to Pantheon.io today. Again, set up a free account and pay only when it goes live. Thanks so much to Pantheon for their support of this episode and this season of How I Built It.

Joe: My follow up question then is I was going to ask if there are any telltale signs that you learned, “OK. This is recoverable, and this is not?” Because you offered a free assessment, essentially. What I did not realize while you were initially telling the story was you replaced pieces of the hardware to try to resurrect the hard drive.

Brian: Almost every hard drive that comes to us, or any solid-state device that comes to us, or any NAND chip on a phone, or any USB stick, or big server, anything that comes to us has already had savvy IT people plug it in and try to mount it read-only, and try to run data recovery software. We’re never– Nobody ever says “My hard drive is bad. I’m going to ship it across the country to Gillware.” That never happens, they always have their IT department at work, or a local break/fix computer repair store or a managed service provider. They always take the first crack, and then they say, “This thing is ‘Dead-dead.’ It doesn’t spin, and the computer can’t talk to it, it makes clicking noises.” That’s when we get tagged in, so we only get the worst of the worst stuff and have to deal with all kinds of problems.

Joe: Gotcha. That’s very interesting. Before we move on, I want to ask another question. So first of all, do you still do that risk-free assessment? Or is it like–?

Brian: Yeah.

Joe: OK, cool. How do you handle that? You get a hard drive, do you have pieces that you could swap in? Or can you now look at the hardware and say, “This is definitely super dead.”

Brian: Again, just for some perspective, our engineering crew is about a dozen people. The average person back there has roughly like 15-20,000 hours of troubleshooting experience. These guys are storage whisperers. If they were in the horse game or an equestrian, they can look at the horse and tell you if it’s going to win a race. They’re really good, and we’ve done over 140,000 in-lab recoveries over last 16 years. There’s almost nothing we haven’t seen before, almost. We also have a well-trained staff of what we call “Technical advisors.” People call us or email us, or they chat us on a website, and they give us a list of the equipment and the symptoms, and we’ll often be able to– We can’t really say 100% certainty, but we’ll say “There’s like a 99% chance we’re going to get your stuff back, and we can get the price even within a couple hundred dollars.” A lot of the time. And then sometimes people will call us, and they’ll describe something, and we’ll say, “Yeah. There’s about a 5% chance we can help.” I got a call maybe four days ago where a lady told me that she dropped her laptop, and the hard drive sounded like a maraca. That’s because the platters in a laptop are glass, and they had shattered. I told her there is almost a 0% probability anybody can help you because I explained what we just talked about. So anyway, we do the best we can on the phone. Because every time we pay to ship something in, because we that’s complimentary, and every time we talk to somebody for 20 minutes on a tech call, and every time our engineers have the device for 1-4 hours which is the average assessment period, we pay for all that. That’s not– It’s free for them, but it’s not free for us.

Joe: Right, you’re paying your engineers.

Brian: It’s in our best interest to help be as transparent as we can as early as we can so that people don’t send it in thinking it’s going to be one price, and then we completely bamboozle them with something much different. That’s not in our best interests, and it’s obviously not in their best interests. But anyway, they will see the equipment, and again if it’s an iPhone that’s dead, they will break it apart. They will look at the motherboard, and they’ll put it under basically some special equipment so that we can see if any chips are getting too hot. Just visually, it’s like “That one fuse that’s always bad is smokin’ hot right now.” That’s the type of thing that the assessment does, or we’ll assess the health of the platters themselves. So, “Yeah. It’s clicking, but the platters are perfectly pristine and clean.” We know we don’t exactly know how much effort it’s going to be, but if the platters are clean, we’re going to be able to get your stuff, 99% chance. The assessment is just really all about– We call it “A feasibility study.” The engineers come back to our business unit with a feasibility report that says, “Is this a 99 or 100 or a 50 or a five or a 0?” And the engineers basically have an estimate of the amount of work it’s going to be, and how much replacement parts are going to cost, and then we will basically tack onto our 20% margin which is what we aim for, and then we’ll present our customer with their bid. “If you want your stuff back, it’s going to cost $600 dollars,” or whatever it is. And then they can say, “Yeah. That makes sense for me,” or “No, it doesn’t.” If it does, we make a very short one-page human-readable contract that says “If Gillware recovers 95 or more percent of our pictures of our kids, we will pay them $600,” and then our guys go to work and do the real engineering.

Joe: Gotcha. Awesome. So we’ve talked a lot about the beginnings and your process a little bit, as we approach the tail end of this interview I want to turn it on to advice for the audience. We’ve all probably have had at least a scare with a data breach or data loss or something like that, a lot of the people who listen to the show make websites or have websites, many of them run WordPress. I know that WordPress is a big target, it’s a big content management system. What can–? Let’s say, “What can people do first to prevent data loss or a data breach?” Then we’ll get into “What if you didn’t prevent it? What should I do next?”

Brian: Couple quick things, because a lot of your audience are WordPress. Again Gillware, if you go to Gillware.com, that’s a WordPress site. Enable the two-factor plugin on WordPress, please, for the love of whatever you deem holy. You can go get a plugin, there’s a number of different ones out there, but if all you need to log into your website is a username and password you’re going to get breached. It’s not a question of “If,” it’s just you’re just waiting. So username and password, it’s not good enough for WordPress, it’s not good enough for anything. Humans are bad at making passwords, and most people have one or two passwords for every frickin’ thing they do. You’re going to be at a Starbucks, you’re going to be on a fake Wi-Fi, or you’re going to go– You’re going to get fished and go to the wrong Gmail.com with an “&” instead of an “A” or something, and you’re going to put in your Gmail credentials with that password. What happens at that point is the bad guys have your IP address, they’ve got your Gmail which can probably log– That’s probably your username everywhere, they’ve got a password that works for you. You are boned at that point, so you have to enable two-factor authentication on every service that allows it. Obviously, Google does, Facebook does, Twitter does, WordPress if you add the plugin, and it’s super easy. It adds about five seconds of work every time you log in, you log in with your username and password, and then you have your Google Authenticator app on your phone which is running a six-digit code that changes every 30 seconds, and if the bad guy gets your password but doesn’t have the right guess for the right million-digit number, then they can’t log on to your or your clients websites and they can’t encrypt all that data, hold it ransom, put a bunch of embarrassing stuff up there or put a bunch of weird stuff on your servers for other child predators to be downloading from. All kinds of bad stuff can happen even on just the website side of things. That’s just WordPress when it comes to the raw data and the videos and the pictures and the graphic design one of our biggest customers on the recovery side of things is graphic designers. They’ve got thousands of designs they’ve made, and they are terrible at backing them up. So, what is a backup? Now you mentioned you had an external drive and you had Backblaze and you put a lot of your stuff up in the cloud. Yes, yes, and yes. You’re in the 1%, 99% of people are doing it much worse than you. The key is that those backups need to be automated so you can’t– Ideally, you don’t have to do anything. Your time machine from your Mac, that’s stuff just happening. That’s what you want, and Backblaze is probably synchronized the same way. It’s just happening all the time, and that’s what you want. Now you want to make sure that Backblaze has a different username and password and different networking credentials, and if somebody hacked into your box, they can’t also go up to Backblaze and delete everything. You also want your backup to be– One of your backups to be offsite, and you want it to have different network authentication to get on there. You also– This is the painful part, especially for small business people who are so busy but even big businesses don’t do it adequately, which is you should audit those backups once every six months. Play a mock “Restore that,” or pretend you just lost all your stuff and understand “Oh my gosh, my payroll date is not up there.” Or “Oh crap. I was backing up one of my websites, but the other nine of my clients weren’t getting backed up.” A lot of people, they install some backup app or plugin on their WordPress site, but when the crash happens, they have no idea what to do. “I know I had a backup plugin, but I can’t log into WordPress to see it. I can’t even remember what the plugin’s called.”

Joe: Yeah, and to that point, if you’re using a free one they don’t make it necessarily easy to do that either. Some are going to back it up to the same server where your web site’s already hosted, which is silly.

Brian: Thanks for that. We’ve had, on the incident response side, by the way, we’ve had WordPress hosts get hacked and had all of the websites that are being hosted all got encrypted and the backups. So if your backup is happening through the same server, it’s not a backup. Again, if your crash happens and you don’t know what to do, then it’s still no good. So if you make yourself “Listen, once every three months I’m going to spin up another WordPress instance, and I’m going to restore from that backup, and I’m going to walk through the process,” you might find that you fully understand it, you’ve got it documented, and it’ll take you 15 minutes. Or if you’ve got a complex environment, you might find that it’s like five hours of work. That might be good information to know so that your clients, “Oh my gosh, we’ve had a crash.” You can tell them, “It’s going to be four hours. We’re going to be back in four hours,” because you know how long it takes. You also might find that you restore the site and it looks wonky. “Oh, crap. The style sheet is not backing up” or whatever. Or, “The fonts are all crazy.” Make sure your backup works and that you have a one-sheet piece of paper that has “This is the break glass in case of emergency. This is how we restore from a crash. This is the temporary site we’re going to put it on, and this is how we reappoint the DNS, this is how we move the files around.” If you don’t have that piece of paper and you’re getting paid to host people’s websites in your community, you’re doing it wrong.

Joe: Again, that’s fantastic advice. That’s why I always recommend hosts that will do the automatic backups for you. Sometimes I get frustrated with one of my web hosts because it takes a long time to restore from a backup. But that means it is somewhere that’s not the same machine that my website is already on, presumably.

Brian: Yeah. What you also find– Because we’ve been talking about WordPress for a while. But that’s great because a lot of your audience cares about this topic. But a lot of times when you’re looking at a WordPress host, it’s like “It’s $7 bucks a month for this plan, and it’s like $30 bucks a month for this other plan.” Almost everybody is going to choose the $7, but that $30 might have– There’s a phone number you can call and get support within 15 minutes, and the $7 dollar a month plan is not going to have that, and you’re going to be emailing. There might be an eight-hour lag before you get that response in that support. You might get it, but it might be a long time. Again, as the adviser who’s building people’s websites and helping them pick hosts and things of this nature and maybe even– Don’t pass along the $7 dollar charge to them, pass along the $30. You’re going to have some micro-sized businesses that are like, “That’s an extra $200 dollars a year. That might be a big problem. But I can give you the other one, but I need you to clearly understand how long it’s going to be if we do have a problem,” and as somebody that’s a service providing that service, make sure you get that in writing. “Dude, when we signed up I told you it might take 1-3 days to restore from a crash. You chose the cheap option, and here’s your initials where you bypassed my core product.” Because again, you have that conversation in 2019, maybe you signed him up in 2015, and he doesn’t remember that, and now he’s incredibly mad at you. It’s like, “No. Look at the contract. You opted out.”

Joe: Yeah, absolutely. I’m going to– I’ll just interject here and say try really hard at the beginning of a client project to get them signed up with backups and security maintenance so that you’re maintaining it if that’s something you want to do, because I’m going to say about 80% of the clients who get the “My security” offering do it after they’ve had a breach or after their website has crashed. I wasn’t managing it, and it crashed, and something got messed up, and then they decided to hire me. They had to pay me to fix it, and then they have to pay me, even more, to continue to maintain it.

Brian: My last little tiny tip and this is a nitty technical thing but if any of your listeners host 50+ websites or they have a couple big cornerstone clients with hundreds of employees that pay them a relatively large amount of money to do this hosting and do this stuff. The other thing that I would usually advocate for is a lot of times you can pay that WordPress host to set up and spend an extra 1-3 hours configuring that IP range at which you can edit or even log in to that server. So not the actual WordPress administrative page, but the server that’s hosting it. We have a three-factor authentication, so if somebody wants to get onto our WordPress instance first, they have to be on our business network or a handful of our employees’ home machines and with static IP addresses. Second, you need the username and password. Third, you need the Google Authenticator token. And we could still get hacked, and it’s all about how assertive or how focused a bad guy is.

Joe: How vigilant they want to be.

Brian: How intent they are to hacking you. If they’re super-duper intent, they might be out in our parking lot, and they might trick one of our employees to hack into our Wi-Fi somehow. They might pretend they’re a janitor. You’re never fully safe, which is why you need those things like restore plans.

Break: This episode is brought to you by Gusto. Now, small business owners wear a lot of hats. I know, I am one of them. While some hats are great, like doing this podcast and getting to talk to people, others like the “Filing taxes” and “Running payroll” hats are not so great. That’s where Gusto comes in. Gusto makes payroll taxes and managing a team easy for small businesses. Gusto automatically pays and files your federal, state, and local taxes, so you don’t have to worry about it. As a New Yorker supplanted to Pennsylvania, not paying my local taxes, thing bit me a couple of times. It would’ve been great to have Gusto then. Plus, they make it easy to add on health benefits or even 401Ks for your team. You can also get direct access to certified HR experts, too. This sounds like a pretty good way to kick off 2020 for your business, right? But here’s the thing. Deadlines for the new year creep up earlier than you think, and you’re going to want to get started now. I don’t know about you, but I know that I’ve started thinking about this stuff around this time and all of a sudden February or March is here, and I’m like, “I need to do something about my taxes.” So don’t wait, let Gusto make it easier on you. As a bonus, listeners get three months free when they run their first payroll. This is one hat you’re going to be glad you gave up, I certainly am. You can try a bonus and see it for yourself over at Gusto.com/Build. Get three months free when you run your first payroll, try a demo, and see it for yourself over at Gusto.com/Build. Thanks so much to Gusto for their support of this show.

Joe: As we wrap up here, I want to ask you two questions. The first one is, I generally ask people what their plans for the future of their business are. But instead, I want to ask you what does the future hold for privacy and data recovery? If you were– I know I’m springing this question on you, but it’s been in the news a lot lately. Especially with Facebook, what are they doing? Equifax is paying billions of dollars or whatever.

Brian: More like $800 hundred million.

Joe: OK, almost a billion. “Almost cool,” in the words of Justin Timberlake. So what’s the future hold data and privacy?

Brian: I think consumers are starting to wake up to a couple of things. You have Equifax, which was not the biggest credit bureau in the world. They’re close, but what might surprise people is I think they had, and I don’t know the exact number, but I think they had over 80 people. I did a quick search on LinkedIn after the breach to see how many security professionals worked at Equifax, and I think it was like 80 or 100. It was a large number. There’s a search, and if anybody uses this LinkedIn sales navigator, you can pretty much say, “Show me anybody that works at Equifax with this acronym CISSP on their on their profile.” And boom, it was a lot of people. They had the right staffing, and they were spending the appropriate amount of money to protect it, and they still lost all of it. Facebook clearly is one of the most profitable companies in the world. They have literally hundreds and maybe thousands of software engineers, and they have a wonderful privacy and security staff, and all this stuff happens. It’s really hard for a consumer to trust your personal information with these companies. With Equifax, you didn’t.

Joe: Right, exactly.

Brian: You didn’t even sign a piece of paper that said, “Equifax, here’s all my information. Sell it to people.” They just aggregated it, and then they lost it. They got fined a tiny amount of money in the grand scheme of things.

Joe: Especially in the business, they’re in.

Brian: Yeah. They should have been– It should have been $5-10 billion. It should have hurt. It should have nearly– There was three credit bureaus yesterday, there should be two now. They should be done.

Joe: To that point, I think Facebook has to pay $5 billion dollars or whatever.

Brian: Yeah, but again when you have like $50 billion in the checking account, it’s not that big a deal in the grand scheme of things. But at least with Facebook, people opted in to put themselves on the platform, and it was free. I think most consumers these days do understand that it’s free because they’re selling my information to advertisers. A lot of your listeners advertise on Facebook, I advertise on Facebook, and it’s very nice. I can say “I want to put this message in front of people that meet this criteria with this job title in this demographic, and they’ve been in their position this many years, and they’re 40-50 years old.” It’s wonderful as an advertiser, but people need to be– The regulatory nature, I would think if I wasn’t so skeptical that “We’re going to wake up as a country and our politicians are going to put the screws to these people.” I don’t think it’s going to happen. I think that the companies are evolving much faster than politicians can react, and these companies are deeply embedded in the political system. They have tremendous spending power for lobbyists, and they in a lot of ways are getting ahead of themselves to try to proactively write and help with the regulatory nature. Like, Facebook is probably going to write a lot of the regulations. Equifax might even be writing a lot of these regulations that are then going to be regulating them. The odds of this getting better in the near term I think are probably zero. So if the biggest companies with the hugest budgets in the world can’t keep the data protected, who can? Now I’m not saying that people shouldn’t take the baby steps like we were talking about with WordPress, and you shouldn’t have two factor to log into your email, and you shouldn’t back up your data off-site. You need to do all these things. I don’t know where does it all go? I think it’s going to be exactly how it is for the next ten years, and maybe in the future, there’ll be a new wave of politicians that are tech-savvy, and they grew up with this stuff, and they understand it, and they’ll pass regulations with teeth. But I don’t see much changing.

Joe: Yeah, absolutely. On that happy note–

Brian: That depressing, horrifying note.

Joe: I will ask you at in our last minute or so here, do you have any trade secrets for us?

Brian: Yeah, we’ve been talking about it. Bad stuff happens in business, and especially on the IT side of things, you’re playing the game. You’re on the field of battle, you plugin that network cord to your computer and somebody is going to be trying to hack it in five minutes. It’s just the way it works. With all these smart devices, probably people are trying to hack your refrigerator. I wish I was even joking about that, but I’m not.

Joe: You’re not. Nope, you’re definitely not.

Brian: There’s people who are listening to this right now who’s refrigerator is probably crypto– It’s probably mining cryptocurrency, and you’re like “Why is my electric bill up by $30 bucks?” It’s because the motherboard in your stupid refrigerator has been mining cryptocurrency for somebody in the Ukraine. By the way, it’s going to melt. So bad stuff happens, and you can bury your head in the sand and hope it doesn’t happen to you, and that is a horrifying attitude. It’s intimidating, a lot of this technical mumbo jumbo is super intimidating to people, especially business owners who get embarrassed about not knowing the terminology. The task can be so hard, it’s so daunting. “Where do I even start?” That can create a reverse inertia where people don’t– And listen if anybody’s watching at home, buy this thing. It’s a Yubikey, and I don’t have any relationship with them. It’s a password management system, and it replaces– It’s almost password-less. It’s a new U2F protocol, and you can buy them on Amazon for like $50 bucks. Then use this to log in everywhere, and the bad guys are not going to physically have that. Buy two of them so you can put a backup of that as well, encrypt your data on your computer, backup your data, have those disaster recovery plans and you can do it. Take baby steps. Anything you do is better than nothing, please take it seriously, understand that people are trying to hack you right now. Sometimes in business, we have these fake boogeymen, or we try to paint a picture of “If you don’t buy this product, you’re going to get wrinkles.” This is not that. There are, I think the latest estimate was like $4-5 billion dollars lost due to hacks in 2018. It’s happening to micro-sized businesses, normal people, WordPress hosts. It’s happening to everybody, so try to try to take some time out of your day to take it seriously, do a little research and at least do the basics of strong passwords or a U2F key. Make sure your backups are there, and you have a plan. It’s not a trade secret, and I think most people listening say, “It has been like six months since I’ve done a backup.”

Joe: Cool. Great. That’s fantastic advice. So Brian, thank you so much for joining me today. Where can people find you?

Brian: You can find me on LinkedIn. You can email me, Brian@Gillware. Call Gillware, we’re here, and I’m not hiding. So if you have any questions or concerns or want to get some product recommendations or know what baby steps you might want to take, feel free to reach right out.

Joe: Awesome. I will link those things and everything we talked about in the show notes today. Brian, thanks again for joining me. I appreciate it.

Brian: Thanks a bunch, Joe. It was a pleasure.

Joe: Thanks so much to Brian for joining us today. I love how he and his friends basically bought a bunch of dead hard drives to practice on to see if they can recover that data. I wonder exactly– We talked about this during the show, but it’s interesting to see someone resurrect something that somebody thought was dead and unrecoverable. Very fun. Thanks again to our sponsors, Ahoy! Gusto and Pantheon. They make the show happen, so you should go check them out and thank them. If you want to learn more about Brian and see all of the show notes, you can head over to HowIBuilt.it/141. If you want to create a podcast like this for yourself, it’s a question I get a lot, “How did you start your podcast? Where do I start?” I created a nifty workbook to help you do that. You can get that free podcasting workbook over at HowIBuilt.it/Liftoff. As in Podcast Liftoff, as in liftoff your podcast today. That’s HowIBuilt.it/Liftoff. Thanks so much for listening. Until next time, get out there and build something.