PODCAST · technology
Cash in the Cyber Sheets: Making Money From Being Secure & Compliant
by James Bowers II
Shattering the myth that security and compliance are just necessary evils and profit-sucking business bottlenecks, “Cash in the Cyber Sheets” reveals how they’re actually launchpads for profit and how they lay the groundwork for golden opportunities. Dive between the spreadsheets with James Bowers II, CEO of Input Output, each week as he unzips the secrets of turning obligatory fine print and security management into financial foreplay. It's time to make security, compliance, and risk management your business bedrock – turning them into strategic assets that aren't just about avoiding risks, but about creating value, sharpening your operations, and yes, padding your pockets.
-
77
#77: The Digital Defense Playbook for Parents: How to Keep Kids Safe Online
In this episode of Cash in the Cyber Sheets, we’re trading ransomware for real parenting — because the biggest threat some families face isn’t just phishing emails, it’s predators hiding behind screens.

This week, we’re talking about keeping your kids safe online without turning your home into a surveillance state or making every digital moment a standoff. You’ll get a practical, parent-tested playbook to reduce risk, build trust, and keep communication open.

Here’s what we cover:
- How to set clear rules and smart tech boundaries that grow with your child.
- Why knowing your kids’ passwords could be the lifeline that saves them in an emergency — and how to balance that with privacy using the “family envelope” method.
- Why family contracts aren’t lame — they’re structure, clarity, and accountability rolled into one.
- The surprisingly effective “no devices in bedrooms” rule and why it might be your new favorite bedtime policy.
- How to help kids spot predators, fake profiles, and bad actors before they get in too deep.
- Creating an environment where your kids actually talk to you about what they see and experience online.

We’ll also dig into the awkward but critical topics: body boundaries, consent, and how to talk about them without turning your kid’s face beet red.

As always, this episode is packed with real advice, relatable stories, and security smarts with a side of dry humor.

💡 Download the free eBook: Protecting Children Online — your full guide to raising safer, savvier digital citizens.

This is our last episode of the year, and we’re taking a short break to retool, refresh, and relaunch Cash in the Cyber Sheets in 2026 with a sharper, more interactive format. Stay tuned for what’s next — and in the meantime, stay safe, stay curious, and keep your kids’ devices out of the bedroom.
-
76
#76: Read The Fine Print: 3 Traps That Kill Cyber Insurance Claims
In this episode of Cash In The Cyber Sheets, we unpack three clauses that quietly decide whether your cyber insurance pays when it counts. No scare tactics, just the fine print you actually need to verify before a breach becomes a bill.

First, waivers of subrogation. Your vendors love them. Your contracts team signs them. Your insurer may not. We explain what a waiver of subrogation does, why it can block your carrier’s right to recover from at-fault third parties, and how that can boomerang into reduced coverage or conflict with your policy conditions. We also walk through the practical fix: coordinating language between your vendor agreements and your policy so a well-intended waiver does not accidentally undermine the very coverage you bought. Think alignment, not after-the-fact apologies.

Second, acts of terrorism and acts of war. Two phrases that look similar on paper but can be treated very differently in your policy. We break down how carriers distinguish terrorism from war, why some policies reference government determinations, and how that impacts cyber events that have geopolitical fingerprints. The point is not to debate headlines. The point is to understand what your form says, so you know when you are covered, when you are excluded, and when you should push for clarifying endorsements before renewal.

Third, definitions. This is where companies get surprised, and where one organization recently saw a claim denied. Definitions drive everything from what counts as an “occurrence” to what qualifies as a “security failure.” If your loss lives outside those defined terms, coverage can evaporate. We outline a simple reading plan: print the definitions section, highlight any term that appears in insuring agreements or exclusions, and compare those meanings to how your team uses the same words in incident response plans and contracts. If the policy says “computer system” but carves out certain hosted environments, you need to know that now, not mid-investigation.

If you have a renewal coming up or a vendor insisting on broad waivers, this episode is your quiet nudge to pause, read, and confirm. Your future self, accountant, and caffeine budget will thank you.
-
75
#75: The Two Email DNS Gotchas Costing You Deliverability
This shorter episode gets right to the point. We cover two high-impact issues we keep finding when helping clients clean up email deliverability.

First, DKIM selectors. Too many teams set up one selector for one sending platform and forget the rest. Then messages from a marketing tool, ticketing system, billing platform, or CRM either fail to authenticate or limp by with soft fails that chip away at the domain’s reputation.

Second, explicit subdomain records. For years many teams assumed a single set of records at the apex quietly covered every subdomain. That was never a safe assumption: SPF is not inherited (a subdomain with no record of its own evaluates to “none”), a DKIM key is looked up under the exact domain named in the signature’s d= tag, and only DMARC reaches down from the organizational domain to a subdomain that publishes no policy of its own, through the sp= tag. More vendors now expect explicit SPF, DKIM, and DMARC at the exact subdomain that sends, which means domains like mail.example.com, marketing.example.com, or help.example.com each need their own entries.

We explain how to verify all required DKIM selectors, how to name and rotate them safely, and how to map each sender to the right selector. You will hear practical tips for 2048-bit keys, long TXT handling (a 2048-bit public key does not fit in one 255-byte TXT string and has to be published as several that receivers join back together), and what to do when you have multiple senders behind the same envelope. We also outline why DMARC alignment depends on the right selector and how a missing key record can make your alignment look wrong even when the signature is technically present: if the selector the message was signed with is not published, the signature cannot be verified, so there is no DKIM pass to align.

On subdomains, we walk through the common inheritance myths, when to set an explicit SPF with proper includes, when to publish subdomain DKIM keys and how to avoid copy and paste mistakes, and how to deploy a subdomain specific DMARC policy that respects your global policy while giving you the data you need. We share telltale signs that a subdomain needs its own records, such as vendor error messages, mixed alignment in DMARC reports, or inconsistent pass rates between platforms.

Before you send the next campaign, run a quick audit using our free tool: https://www.inputoutput.com/email-deliverability-tool . It checks the basics and gives you a clear path to fixes you can implement in minutes.

If you are a business owner, MSP, or the unofficial email firefighter on your team, this episode helps you prevent false spam flags, reduce bounces, and protect brand reputation. Fewer surprises in the DNS layer means more messages in the inbox, fewer headaches, and a friendlier relationship with your marketing calendar. Short, sharp, and very fixable.
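As an added example that is not from the podcast or from Input Output, the script below turns the two gotchas into an offline check over a constructed DNS zone. For each sending platform it verifies the DKIM selector it signs with (published, 2048-bit, split into 255-byte TXT strings), confirms the exact envelope domain has SPF, works out which DMARC policy applies (the subdomain's own record, otherwise the organizational domain's record with its sp= tag), and reports whether the message would be DMARC-aligned. ZONE, INVENTORY, the zero-filled placeholder p= blobs and the two-label org-domain heuristic are all assumptions made for the example; SPF "pass" is simulated as "a record exists" because no sending IPs are evaluated.

```python
"""Added example (not the podcast's or Input Output's tool): offline audit of
the two gotchas above. ZONE and INVENTORY are constructed; p= values are
zero-filled blobs of a real key's length, not keys; SPF 'pass' is simulated
as 'record exists' since no sending IPs are evaluated."""
import base64

def placeholder_key(bits):  # base64 blob the size of a real RSA SubjectPublicKeyInfo
    return base64.b64encode(bytes({1024: 162, 2048: 294}[bits])).decode()

def chunk(value, size=255):  # split a long TXT value into the character-strings DNS requires
    return [value[i:i + size] for i in range(0, len(value), size)]

# name -> TXT records, each a list of character-strings (constructed data)
ZONE = {
    "example.com": [["v=spf1 include:_spf.crm.example -all"]],
    "_dmarc.example.com": [["v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r"]],
    "crm._domainkey.example.com": [chunk("v=DKIM1; k=rsa; p=" + placeholder_key(2048))],
    # marketing.example.com: no SPF of its own, and the key pasted as ONE 410-byte string
    "mktg._domainkey.marketing.example.com": [["v=DKIM1; k=rsa; p=" + placeholder_key(2048)]],
    # help.example.com: SPF and its own DMARC, but selector tk1 was never published
    "help.example.com": [["v=spf1 include:_spf.tickets.example -all"]],
    "_dmarc.help.example.com": [["v=DMARC1; p=none; adkim=s; aspf=s"]],
    # the billing vendor signs and bounces with its OWN domain, using a 1024-bit key
    "bounce.erp-vendor.example": [["v=spf1 ip4:203.0.113.0/24 -all"]],
    "b1._domainkey.erp-vendor.example": [["v=DKIM1; k=rsa; p=" + placeholder_key(1024)]],
}

# (platform, From domain, envelope/MAIL FROM domain, DKIM d= domain, selector)
INVENTORY = [
    ("crm", "example.com", "example.com", "example.com", "crm"),
    ("marketing", "marketing.example.com", "marketing.example.com", "marketing.example.com", "mktg"),
    ("helpdesk", "help.example.com", "help.example.com", "help.example.com", "tk1"),
    ("billing", "billing.example.com", "bounce.erp-vendor.example", "erp-vendor.example", "b1"),
]

def txt(name):  # TXT records at name, each reassembled from its character-strings
    return ["".join(strings) for strings in ZONE.get(name, [])]

def tags(record):  # parse 'k=v; k=v' (DKIM and DMARC syntax) into a dict
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def org_domain(d):  # last two labels; real code uses the Public Suffix List
    return ".".join(d.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):  # DMARC alignment: 's' exact, 'r' same org domain
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def effective_dmarc(from_domain):
    """The record at _dmarc.<from>, else the org domain's record with sp= overriding p=."""
    own = txt(f"_dmarc.{from_domain}")
    if own:
        return tags(own[0]), f"_dmarc.{from_domain}"
    org = org_domain(from_domain)
    rec = txt(f"_dmarc.{org}")
    if not rec:
        return {"p": "none"}, "no DMARC record at all"
    policy = tags(rec[0])
    if from_domain != org and "sp" in policy:
        policy["p"] = policy["sp"]
    return policy, f"_dmarc.{org} (sp=)"

def check_dkim(dkim_domain, selector):
    """Is the selector published, how large is the key, and is any TXT string over 255 bytes?"""
    recs = ZONE.get(f"{selector}._domainkey.{dkim_domain}", [])
    if not recs:
        return {"found": False, "bits": 0, "oversize": False}
    der_len = len(base64.b64decode(tags("".join(recs[0])).get("p", "")))
    bits = 4096 if der_len >= 546 else 2048 if der_len >= 290 else 1024 if der_len >= 158 else 0
    return {"found": True, "bits": bits, "oversize": any(len(s) > 255 for s in recs[0])}

def audit(platform, from_domain, env_domain, dkim_domain, selector):
    """DMARC outcome for one sending platform plus the DNS fixes it needs."""
    issues = []
    policy, source = effective_dmarc(from_domain)
    key = f"{selector}._domainkey.{dkim_domain}"
    dkim = check_dkim(dkim_domain, selector)
    if not dkim["found"]:
        issues.append(f"{key} not published; the signature cannot verify")
    elif dkim["bits"] < 2048:
        issues.append(f"{key} is {dkim['bits']}-bit; rotate to a 2048-bit key")
    if dkim["oversize"]:
        issues.append(f"{key} has a TXT string over 255 bytes; publish it in chunks")
    spf_found = any(r.lower().startswith("v=spf1") for r in txt(env_domain))
    if not spf_found:
        issues.append(f"no SPF record at envelope domain {env_domain}")
    dkim_ok = dkim["found"] and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    spf_ok = spf_found and aligned(from_domain, env_domain, policy.get("aspf", "r"))
    if dkim["found"] and not dkim_ok:
        issues.append(f"DKIM d={dkim_domain} verifies but does not align with From {from_domain}")
    if spf_found and not spf_ok:
        issues.append(f"SPF at {env_domain} passes but does not align with From {from_domain}")
    if not (dkim_ok or spf_ok):
        issues.append(f"DMARC fails; p={policy['p']} from {source} applies")
    return {"platform": platform, "dmarc_pass": dkim_ok or spf_ok, "policy": policy["p"], "issues": issues}

if __name__ == "__main__":
    for r in (audit(*entry) for entry in INVENTORY):
        print(r["platform"], "pass" if r["dmarc_pass"] else "FAIL", f"(p={r['policy']})")
        for issue in r["issues"]:
            print("   !", issue)
```

Run as a script it prints one line per platform plus its findings: the CRM is clean; marketing passes only on DKIM and carries two DNS fixes; the helpdesk passes on SPF alone because its selector was never published; and the billing vendor's valid signature does nothing for DMARC because neither its d= nor its bounce domain aligns with the From domain, so the inherited sp=quarantine applies. The key-size check infers the size from the length of the decoded SubjectPublicKeyInfo rather than parsing the modulus, which is accurate for standard RSA sizes.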
-
74
#74: No Breach, Big Trouble: FCA Risks in Healthcare
Cybersecurity headlines love a good hack story. This week, we talk about something far sneakier that can cost you plenty even when nothing gets “hacked.” On Cash in the Cyber Sheets, we unpack how the False Claims Act can bite health care organizations and vendors when their compliance story does not match reality. Translation: you can be on the hook for big dollars without a single compromised record if your security attestations, certifications, or program claims are inaccurate. That is not a typo. No breach. Still massive exposure.

We walk through real enforcement patterns where the government alleged false attestations tied to federal health program dollars. Think Meaningful Use incentive attestations about doing a proper security risk analysis, or software certification claims about logging and controls, or contract compliance certifications around cybersecurity safeguards. In each theme, the common thread is simple. Money flows only when specific conditions are met. If you certify that boxes are checked when they are not, the False Claims Act turns into a very expensive compliance teacher.

For medical practices, this is especially relevant. Many assume HIPAA risk equals “what happens if we have a breach.” Important, yes, but incomplete. The bigger blind spot is whether your documentation and certifications accurately reflect the controls you say you run. Do you actually conduct and review your risk analysis at the depth required, or is it a quick once over with a template? Are your technical controls implemented as described in policies and vendor attestations, or are there gaps that would make those statements misleading? Are you relying on your EHR and other vendors to carry the compliance water without verifying their claims and your obligations as a program participant or contractor?

We break this into practical takeaways you can act on. How to scope and document your risk analysis so it is more than a checkbox. What to ask vendors about certifications and test conditions before you trust their marketing. How to align policy words with operational reality so your attestations are truthful, specific, and defensible. We also cover how to prepare for auditors and investigators who will request evidence, not adjectives. No scare tactics, just straight talk, clear steps, and our usual professionally playful commentary to keep the compliance caffeine flowing.

Bottom line for this episode. False Claims Act exposure can arise even when no breach occurs. Your best defense is disciplined documentation, controls that actually run, and attestations grounded in verifiable evidence. Bring your compliance team, your practice manager, and yes, your EHR rep. Everyone has homework after this one.
-
73
#73: Cyber Insurance Review For Real Life
Think your cyber insurance has you covered? This episode pokes at the fine print that turns big promises into small payouts. We spotlight the exclusions that quietly gut claims, the sublimits that disappear faster than you can say “forensic invoice,” and the vendor clauses that spread your limits across more parties than you bargained for.

What we tease out:
- The exclusions that look routine but erase coverage when it counts.
- How “shared” limits get sliced among you, vendors, and associates.
- A quick, practical way to ballpark how much coverage you may actually need.
- What subrogation can do to your vendor relationships after a payout.

You will hear plain-English takeaways you can act on during your next renewal. Expect clear examples, simple checks you can run in under an hour, and a few dry laughs at the expense of legalese. The goal is simple. Stop paying for coverage that vanishes at claim time. Start asking the questions that turn your policy into a real financial backstop.

Listen if you sign renewals, answer to a CFO, support clients as an MSP, or just prefer not to discover gaps during an incident. Bring your policy schedule and a highlighter. Leave with a sharper view of what you actually have and what to fix before someone says, “We thought that was covered.”
-
72
#72: False Claims Act Meets Cybersecurity Compliance
In this episode of Cash in the Cyber Sheets, we’re talking about something that should make every contractor, healthcare provider, and federally funded business sit up straight: the False Claims Act (FCA) is officially part of cybersecurity enforcement.

Long used to combat fraud, the FCA is now being leveraged by the Department of Justice to go after companies that claim to meet cybersecurity requirements, but don’t. Whether it’s defense contractors missing DFARS controls or healthcare organizations failing security audits, the stakes have never been higher.

We discuss two recent cases that illustrate how serious this trend is becoming:
- The Humana case, where a whistleblower won $26 million and sparked questions about how far the FCA can stretch into compliance territory.
- The $4.6 million DOJ fine against a defense contractor for cybersecurity noncompliance, a “warning shot” to the entire industry.

This episode isn’t about legal jargon; it’s about what this means for your business. If you accept federal contracts, reimbursements, or grants, you’re now playing in the FCA arena. Failing to meet security obligations can be viewed as deception, not just negligence.

We explore how this shift affects:
- Whistleblower incentives and reporting risks.
- The DOJ’s expanding Cyber-Fraud Initiative.
- Compliance frameworks like NIST 800-171 and FTC Safeguards.
- The real-world financial consequences of “checkbox compliance.”

Cybersecurity isn’t just about data anymore—it’s about dollars, defense, and doing what you said you’d do.

👉 Stay ahead of enforcement trends with our monthly newsletter, iO™ SecCom Monthly, where we break down real-world cybersecurity and compliance news in plain English: https://www.inputoutput.com/newsletters/io-seccom-monthly
-
71
#71: Incident Response Plan Essentials
Welcome back to Cash in the Cyber Sheets, where we talk about the messy, practical, and sometimes painfully honest side of cybersecurity. In this episode, we’re tackling a challenge that every organization faces sooner or later: creating and managing an Incident Response Plan (IRP).

On paper, an IRP is simple. It’s your guidebook for what to do when, not if, a cyber incident occurs. But in reality, too many organizations stall out before they even get one in place. Why? Because they try to make it perfect from day one. They load it with every possible scenario, every escalation path, and every technical control, until the whole thing collapses under its own complexity. The tragic irony is that while chasing perfection, they end up with nothing. And when ransomware hits, “nothing” is not the strategy you want to be stuck with.

This episode challenges that mindset. Instead of shooting for the flawless IRP, we explore how focusing on just a few quick hits can set the foundation you actually need. Think of it as building your IRP in layers. Start with the essentials: Who’s on the response team? How do you contact them? What’s the first step when malware shows up or a phishing attack lands? If you can answer those questions, you already have a plan that’s better than the blank page staring back at you.

From there, the plan grows organically. You test it. You add detail. You refine as you learn. But even the “bare bones” version can guide you through those first chaotic hours of an incident. It might not be perfect, but it’s practical, and practicality is what saves businesses in the real world.

We also discuss why momentum matters more than perfection. By starting small, you create confidence. You give your team something they can use, and you avoid the paralysis that kills so many initiatives. Over time, the plan becomes more robust, but from day one, you’re already better prepared.

If you’ve been stuck in IRP limbo, this episode is your roadmap out. You’ll hear why less can truly be more, and how to avoid letting “perfect” be the enemy of “good enough to get started.” We’ll leave you with actionable advice and a nudge to finally put pen to paper, because even a short, imperfect plan can help steer your business through the storm.
-
70
#70: Top 5 Reasons SPF, DKIM, and DMARC Fail
Cash in the Cyber Sheets is where small and midsize business owners finally get the straight talk on cybersecurity without the jargon, the scare tactics, or the thousand-page compliance manuals. Each week, we pull back the curtain on the hidden forces that make or break your business online, from email deliverability to data protection, and give you simple, actionable steps you can use right now.

Email is still the front door of every business and attackers know it. Spoofing, phishing, and spam aren’t just annoyances, they’re direct threats to your sales pipeline, your customer relationships, and your reputation. That’s why we spend time breaking down the three most important email authentication protocols you need to understand: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance).

But here’s the thing: setting them up once isn’t enough. Every week, we see small businesses losing revenue because of common mistakes: missing DNS records, too many SPF lookups, expired DKIM keys, or misaligned domains that silently break authentication. In our episodes, we don’t just explain what SPF, DKIM, and DMARC are, we explain why they fail, how to spot the problems early, and what you can do to fix them before they wreck your deliverability.

We keep it practical, with clear analogies and business-owner-friendly examples: SPF is your guest list, DKIM is your digital wax seal, and DMARC is your rulebook that ties them together. Whether you’re sending invoices, running email campaigns, or just trying to keep phishing out of your client inboxes, these protocols matter and we make them simple.

👉 Want to check if your setup is solid? Use our free tools:
- SPF Record Check: https://www.inputoutput.com/spf-checker
- DKIM Record Check: https://www.inputoutput.com/dkim-checker
- DMARC Check: https://www.inputoutput.com/email-audit

👉 Ready to go further? Get started with iO™ DMARC today: https://www.inputoutput.com/offers/opCLAKo8/checkout

If you’re tired of losing deals to spam folders, if you’re done with spoofers damaging your brand, and if you want cybersecurity advice that speaks your language, subscribe now. It’s time to protect your inbox, boost your deliverability, and cash in the cyber sheets.
-
69
#69: SPF, DKIM & DMARC Explained for Small Business
Have you ever sent an important business email and wondered if it actually made it to your client’s inbox? Or worse, discovered later that your emails were quietly landing in spam? You’re not alone. Every day, small and mid-sized businesses lose money, opportunities, and credibility because of one simple issue: email authentication.

In this episode of Cash in the Cyber Sheets, we’re breaking down the three most important protocols you need to know: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). Don’t worry, we’ll cut through the jargon and explain these in plain English so you can finally understand what they do, why they matter, and how to check if your domain is set up correctly.

Here’s what we cover in this 15-minute crash course:
- What email authentication is and why it’s essential for inbox deliverability.
- How SPF works like a “guest list” for your email servers.
- How DKIM acts like a digital wax seal to prevent tampering.
- How DMARC enforces the rules and protects your brand from spoofing.
- The top three mistakes SMBs make when setting these up.
- Quick wins you can use to improve deliverability immediately.

👉 Want to see if your email domain is properly set up? Check out our free tools and resources:
- Tool: SPF Record Checker
- Tool: DKIM Checker
- Blog: How to Setup DMARC (Blog Guide)
- Blog: How to Setup Multiple SPF Includes for Your Domain

For deeper help, grab a free Email Audit and discover if your emails are actually reaching inboxes.

If you’ve been struggling with deliverability (emails going to spam, bouncing, or disappearing) this episode is for you. By the end, you’ll understand how SPF, DKIM, and DMARC work together, what happens when they’re missing, and how to take the first steps toward securing your domain.

Cybersecurity doesn’t have to be complicated. Sometimes, it’s just about learning how to spell out the acronyms that keep your business safe. So sit back, grab a coffee, and let’s unlock the secrets behind the protocols running quietly in the background of every email you send.

🎧 Listen now and take control of your email deliverability.
-
68
#68: Cash in the Cyber Sheets - AI Policy Development
Welcome to Cash in the Cyber Sheets, a channel dedicated to helping organizations understand and strengthen their information security programs. Hosted by James from Input Output, we provide practical insights into policies, compliance, risk management, and the real-world challenges of securing technology in business environments.

Artificial intelligence is transforming how companies operate, but it also introduces new risks that must be managed responsibly. This channel highlights the importance of structured policies and controls that address both the opportunities and threats posed by AI.

Recent episodes focus on the development of an improved AI policy, shaped by input from multiple organizations, subject matter experts, an advisor to the FBI, the ISO 42001 standard, and penetration testing exercises. The result is a set of proposed controls that organizations can adapt and implement within their security frameworks. These include:
- AI Usage and Risk Management: Establish practices to ensure AI is used securely, ethically, and in compliance with regulations.
- Acceptable AI Use: Define and communicate policies outlining what employees can and cannot do when using AI systems.
- Personal Account Restrictions: Prohibit the use of non-corporate AI accounts to protect organizational information from being disclosed or retained outside approved environments.
- Protection Against Exploitation: Implement safeguards against prompt injection and malicious manipulation that could compromise data integrity or confidentiality.
- Data Retention and Deletion: Define rules for storing and deleting data processed by AI, ensuring compliance with regulatory and contractual requirements.
- Legal Discovery Considerations: Incorporate AI into legal discovery processes to support data preservation, retrieval, and production when required.
- Training Restrictions: Prevent organizational data from being used to train or fine-tune AI models without explicit approval and safeguards.
- Role-Based Access Controls: Enforce access restrictions so employees and AI systems only process the minimum information necessary.

The goal of this channel is to make cybersecurity policy and compliance actionable for businesses of all sizes. Whether you manage IT, own a business, or oversee compliance, you will find guidance here to strengthen your security posture and align with modern risks.

If your organization needs assistance developing or improving its policies, visit Input Output to learn how we can help.
-
67
#67: Cash in the Cyber Sheets - SPF Blunders
Welcome to Cash in the Cyber Sheets, the podcast where we cut through the noise of cybersecurity and talk about the things that actually hit your business where it hurts — your bottom line. In this episode, we dive into one of the most deceptively simple yet frequently botched pieces of email security: your SPF record.

On paper, Sender Policy Framework (SPF) sounds easy enough. You publish a DNS record that tells the world which servers are allowed to send emails on behalf of your domain. Done, right? Not so fast. In practice, most organizations end up with SPF records that resemble Frankenstein’s monster — stitched together with copy-paste errors, forgotten senders, and design flaws that guarantee your emails will be banished to spam folders.

Here’s what we cover in today’s episode:
- The Human Factor — typos and copy-paste disasters that silently break authentication.
- Forgetting Key Sending Sources — from CRMs to marketing platforms, the usual suspects people leave out.
- Bad SPF Design Choices — multiple SPF records (receivers treat more than one as a permanent error, not as a merged list), exceeding the 10-lookup limit, and the cardinal sin of using “+all.”
- Maintenance Failures — when vendors update their infrastructure but you don’t update your record.
- Misunderstanding SPF Behavior — the myths around “From” headers, forwarding, and DMARC’s magical powers. SPF checks the envelope sender (the MAIL FROM address, not the From header your recipients see), plain forwarding breaks it because the forwarding server is not in your record, and DMARC does not repair a failing SPF; it only decides what happens when neither SPF nor DKIM passes in alignment with the From domain.

If you’re thinking, “Uh oh, that sounds like my setup,” you’re not alone. Nine out of ten businesses have email authentication issues that cost them leads, clients, and credibility. The good news is that these problems are fixable once you know where to look.

We’ve put together some resources to help you clean this up before your next marketing campaign dies in the spam folder:
- How to Improve Email Deliverability
- Setting Up Multiple SPF Includes Without Breaking Everything

If you want to check your current email setup right now, run it through our free iO™ DMARC SPF Checker. It will show you exactly what’s working, what’s broken, and where you’re most vulnerable.

And if you’re ready to take control of your email security and deliverability once and for all, explore our iO™ DMARC email deliverability tool. It’s built to keep your messages out of the spam folder and in front of your clients, where they belong.

Because in the world of cybersecurity, protecting your inbox isn’t just about security — it’s about making sure your business actually gets paid.
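The design faults listed above, together with the "too many SPF lookups" item from episode #70, can be caught before a campaign goes out with a small script. The one below is an added example and is not the podcast's or Input Output's checker. The ZONE table is constructed data with fictional vendor names and documentation IP ranges, and spf_records() stands in for the real TXT lookup you would do in practice; everything else follows RFC 7208's rules for which terms cost a DNS query.

```python
"""Offline SPF audit for the blunders above: more than one SPF record, the
10-DNS-lookup limit, a typo in a mechanism name, '+all', a deprecated 'ptr',
and a sending subdomain with no record at all.

Added example, not the podcast's or Input Output's checker. DNS answers come
from the constructed ZONE dict (fictional names, documentation IP ranges) so
it runs offline; for live use replace spf_records() with a real TXT lookup.
"""

# name -> TXT records (constructed data)
ZONE = {
    # apex: two SPF records, the classic copy-paste blunder -> permerror
    "example.com": [
        "v=spf1 include:_spf.crm.example include:_spf.mailer.example mx -all",
        "v=spf1 ip4:203.0.113.10 ~all",
    ],
    "_spf.crm.example": ["v=spf1 include:_nb1.crm.example include:_nb2.crm.example ~all"],
    "_nb1.crm.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_nb2.crm.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # marketing subdomain: a typo'd mechanism and the cardinal sin, +all
    "marketing.example.com": ["v=spf1 include:_spf.mailer.example inlcude:_spf.crm.example +all"],
    # billing subdomain: every vendor ever used, well past the 10-lookup limit
    "billing.example.com": [
        "v=spf1 include:_spf.crm.example include:_spf.mailer.example "
        "include:_spf.tickets.example include:_spf.erp.example a mx ptr "
        "exists:%{i}.rbl.example redirect=_spf.legacy.example"
    ],
    "_spf.tickets.example": ["v=spf1 mx a ~all"],
    "_spf.erp.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_spf.legacy.example": ["v=spf1 mx -all"],
    # support subdomain sends mail but publishes nothing
    "help.example.com": [],
}

# Terms that cost a DNS query (RFC 7208 section 4.6.4): these five mechanisms
# plus the redirect= modifier. ip4, ip6 and all are free.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10


def spf_records(name):
    """TXT records at name that begin with v=spf1."""
    return [t for t in ZONE.get(name, []) if t.lower().startswith("v=spf1")]


def audit_spf(domain, _path=()):
    """Return {'lookups': n, 'issues': [...]} for domain, following include: and redirect=.

    _path is the chain of records being evaluated: a real loop is reported,
    while a vendor included from two places is counted twice, as receivers do."""
    issues, lookups = [], 0
    if domain in _path:
        return {"lookups": 0, "issues": [f"{domain}: include/redirect loop via {' -> '.join(_path)}"]}
    recs = spf_records(domain)
    if not recs:
        return {"lookups": 0, "issues": [f"{domain}: no SPF record (evaluates to 'none')"]}
    if len(recs) > 1:
        issues.append(f"{domain}: {len(recs)} SPF records published; receivers return permerror")

    def follow(target):  # evaluate another record and roll its cost and findings into ours
        nonlocal lookups
        sub = audit_spf(target, _path + (domain,))
        lookups += sub["lookups"]
        issues.extend(sub["issues"])

    for term in recs[0].split()[1:]:
        qual = ""
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            if qual in ("+", "?"):
                issues.append(f"{domain}: '{qual}all' lets any host on the internet send as {domain}")
            continue
        if "=" in term.split(":")[0]:  # modifier such as redirect= or exp=
            mod, _, arg = term.partition("=")
            if mod.lower() == "redirect":
                lookups += 1
                follow(arg)
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if mech in LOOKUP_MECHS:
            lookups += 1
            if mech == "include":
                follow(arg)
            elif mech == "ptr":
                issues.append(f"{domain}: 'ptr' is deprecated (RFC 7208 section 5.5); list ip4/ip6 ranges instead")
        elif mech not in ("ip4", "ip6"):
            issues.append(f"{domain}: unknown mechanism '{term}' (typo?) -> permerror")
    if lookups > MAX_LOOKUPS:
        issues.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS} -> permerror")
    return {"lookups": lookups, "issues": issues}


if __name__ == "__main__":
    for name in ("example.com", "marketing.example.com", "billing.example.com", "help.example.com"):
        result = audit_spf(name)
        print(f"{name}: {result['lookups']} lookups")
        for issue in result["issues"]:
            print("   !", issue)
```

Against the constructed zone the apex costs 5 lookups but is dead on arrival because two v=spf1 records are published; the marketing subdomain has a typo'd mechanism and "+all"; the billing subdomain reaches 14 lookups once its includes and the redirect are followed, so receivers stop evaluating and return a permanent error; and the help subdomain has no record at all. Note that the lookup count is accumulated across nested includes, which is why a record that looks short at the apex can still blow the limit through what its vendors include.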
-
66
#66: InfoSec Program Pillars | Plan, Do, Check, Act
In this shorter solo episode of Cash in the Cyber Sheets, James breaks down the four core structures, often referred to as the Plan-Do-Check-Act (PDCA) cycle, that serve as the foundation of a successful information security program. While “pillars of security” might sound like something only a compliance consultant would get excited about (guilty as charged), the reality is these four steps are what keep your program from feeling like an endless game of whack-a-mole.

We explore what it means to PLAN your program with intention, DO the actual work of implementation, CHECK to ensure controls are functioning as expected, and ACT on findings to continuously improve. This simple cycle is more than a framework. It is a way to create rhythm and repeatability so your security program does not collapse under the weight of its own policies.

James also shares why approaching your program through the PDCA lens makes managing security not only easier but more strategic. If you are pursuing a certification such as ISO 27001 or PCI DSS or trying to align with frameworks like NIST or the FTC Safeguards Rule, applying this cycle ensures you are in a strong position when the auditors come knocking. Even if you are not certification bound, PDCA gives you clarity. It helps you understand where you stand today, where you are falling short, and how to fix it without wasting resources.

By the end of this episode, you will walk away with a clearer picture of how to implement, manage, and review your security program in a way that feels less like chaos and more like controlled progress. Whether you are a business owner wearing the accidental CISO hat or an IT lead trying to get leadership buy-in, these four pillars can help you build confidence, streamline your efforts, and stay ahead of both threats and compliance headaches.

So grab your coffee (or something stronger... no judgment) and join James for a practical, no-fluff breakdown of why PDCA should be your new best friend in cybersecurity.
-
65
#65: The Hidden Dangers of Personal AI in the Workplace
Artificial Intelligence is everywhere — from helping us write emails faster to predicting our next snack craving. But when it comes to workplace security and compliance, “everywhere” isn’t always a good thing. In Episode 65 of Cash in the Cyber Sheets, we pull back the curtain on a growing problem we’ve been seeing during audits and with multiple clients: employees using their own personal AI accounts for business purposes.

On the surface, it might seem harmless — after all, they’re just asking a chatbot to draft a report or summarize meeting notes. But when that “help” comes from an account outside company control, you’re stepping onto a compliance landmine. Personal AI usage can easily trigger:
- Compliance Violations — Think FTC Safeguards Rule, HIPAA, GDPR, CCPA… pick your acronym.
- Data Incidents — Sensitive client data could slip into the training pool of a third-party AI without your consent.
- Contractual Breaches — Your agreements with clients, partners, and suppliers often forbid sharing certain information outside approved channels.
- Reputation Damage — One careless AI query can make your company look reckless, untrustworthy, or even incompetent.

We’ll explore the real-world risks, how they manifest during audits, and the subtle ways this behavior undermines your organization’s compliance posture. We’ll also talk about what these incidents cost — not just in potential fines or legal action, but in the long-term erosion of trust with your stakeholders and the market at large.

You’ll walk away with practical insights on:
- Spotting the warning signs of unapproved AI use in your organization.
- Implementing policies to control and monitor AI usage without stifling productivity.
- Educating employees on why “just using my personal account this one time” can be a very expensive mistake.

Whether you’re a business owner, IT leader, compliance manager, or just someone curious about how AI can go from futuristic helper to security nightmare, this episode is for you.
-
64
#64: Writing Security Policies That Work for Business
So you've got frameworks, regulatory requirements, client expectations, and a million checkboxes to tick... but how do you actually write policies that make sense, get followed, and don’t make your staff cry? That’s exactly what we’re tackling in this solo episode of Cash in the Cyber Sheets.

In this episode, James pulls back the curtain on one of the most common pain points organizations face—translating a mess of compliance obligations into clear, useful, and auditable information security policies.

You’ll hear about:
- The disconnect between frameworks and real-world implementation
- How to stop chasing “perfect” policies and focus on practical ones
- The simple method we use at Input Output to create policy sets that are easy to build, communicate, implement, and audit

Whether you're working with NIST, ISO, CMMC, HIPAA, GLBA/FTC Safeguards Rule, or a Frankenstein mix of frameworks, James walks you through a refreshingly human (and slightly irreverent) approach to solving your policy puzzle. You’ll hear how we bridge the gap between checkbox compliance and operational reality—with strategies that even non-technical stakeholders can wrap their heads around.

You’ll also get a glimpse of how this approach supports ongoing audits, internal reviews, and policy updates without starting from scratch every time someone sneezes near a new regulation.

So if you’ve ever stared at a blank “Acceptable Use Policy” and wondered where to start—or if you’ve inherited a pile of legacy policies that are 18 pages too long and 5 years out of date—this one’s for you.

🧠 Practical. 🔐 Secure. 📝 Scalable. Tune in and learn how to write policies that work for your business, not just the auditor.
-
63
#63: Lockouts, Cold Storage Fails & Upgrade Pitfalls
Ever had that heart-stopping moment when you can’t get into your password manager? In this episode of Cash in the Cyber Sheets, we’re back with Bryan Barnhart from Infiltration Labs to talk about exactly that—because it almost happened to both of us. We unpack the nightmare scenario of getting locked out of your own encrypted vault, the ripple effects it can have on your digital life, and why your carefully planned “secure” setup may not be as resilient as you think.

From there, we dive into multi-factor authentication (MFA) alternatives—specifically YubiKeys and other hardware tokens—and how they compare to traditional app-based MFA. Spoiler: physical keys can save you, but they also introduce new risks you might not have considered.

We also dig into the messy world of cold storage for encryption keys. On paper, it sounds like the ultimate security solution. In reality, it can leave you stranded if anything goes wrong—lost keys, corrupted backups, or just simple human error.

But that’s not all. We vent about planned obsolescence—how updates and “improvements” often make devices and software slower, harder to use, and more time-consuming to manage. As tech professionals, we’re spending more and more hours on “basic upkeep” just to keep systems functional. Are these changes truly for security, or are they just making our lives harder?

Finally, we ask a question for the audience: Can you think of a single software or system update that’s genuinely made your life easier? Or are we all just stuck in the endless cycle of patching, troubleshooting, and relearning?

If you’ve ever:
- Forgotten a password and sweated bullets,
- Questioned if your MFA setup is enough,
- Wondered why your “upgraded” laptop runs slower than your old one...

...this episode is for you. It’s equal parts cautionary tale, therapy session, and practical advice on how to avoid digital self-sabotage.
-
62
#62: What a Forensics Expert Teaches About Compliance
In this episode of Cash in the Cyber Sheets, we dive into the gritty, behind-the-scenes realities of digital forensics and compliance with guest Bryan Barnhart of Infiltration Labs. Bryan is a seasoned forensics expert who has spent years testifying in courtrooms, untangling messy evidence trails, and uncovering the often-overlooked technical details that can make—or break—a legal case.

Our conversation peels back the polished veneer of cybersecurity compliance and exposes the uncomfortable truth: weak evidence and incomplete logging are silently sabotaging cases every day. Bryan shares eye-opening real-world examples, including one case where a lack of proper logging didn’t just complicate the investigation—it directly swayed the court’s decision. The implications? If your organization isn’t proactive about evidence handling and log management, you might be setting yourself up for legal and financial disaster.

We also unpack the myth of “simple compliance.” From legal holds to chain-of-custody requirements, complying with legal mandates isn’t as straightforward as ticking a box. Bryan explains how even well-meaning organizations can inadvertently violate legal requirements, often because they underestimate the complexity of digital evidence management—or worse, assume “IT has it covered.”

Expect practical takeaways throughout the episode. Whether you’re a compliance officer, IT manager, or business owner, you’ll walk away with actionable insights on:
How to strengthen logging practices to support forensic investigations.
Why legal holds aren’t just “set and forget” and how to do them right.
The cost of ignoring compliance (spoiler: it’s more than just fines).
Strategies to prevent evidence gaps before they happen.

If you’ve ever wondered how much trouble a missing log file can cause—or why so many organizations fail forensic scrutiny—this episode is your wake-up call. Tune in for a candid, no-fluff conversation about what really happens when compliance meets the courtroom.
-
61
#61: Locked Out of Life | Password Management Wake-Up
We nearly locked ourselves out of our own password manager. Yep. Us. The security professionals. If that doesn't make you tighten your digital shoelaces, nothing will.

In Episode 61 of Cash in the Cyber Sheets, we're pulling back the curtain on a real-world scenario that could’ve gone very, very wrong. We’re talking full-blown lockout from critical accounts — and the painful lesson that even seasoned cybersecurity pros can get caught in a trap of good intentions and bad configurations.

This episode is your crash course on how to bulletproof your access controls, avoid common pitfalls, and uncover the sneaky Catch-22s in password recovery setups that no one considers until it's too late.

Here’s what we cover:
The true story of how we almost lost access to our password management vault.
Why recovery phrases and backup MFA aren’t optional — and what to watch out for when setting them up.
How bad UX design, “convenience” features, and conflicting recovery paths create dead ends even when you have all the right intentions.

If you’re an SMB, MSP, or just someone who’d prefer not to lose access to your digital kingdom — this is your wake-up call. We break down what went wrong, what saved us, and how you can make sure your organization (and sanity) doesn’t get locked out.

So grab your beverage of choice and prepare to double-check every login and backup you think you’ve got covered. This one’s not just informative. It’s a little too relatable.

🔐 Listen now, and don’t say we didn’t warn you.
-
60
#60: AI, Terms and Conditions, and the Vendor Rodeo
In Episode 60 of Cash in the Cyber Sheets, we dive into the rapidly morphing world of AI and its increasingly tangled role in third-party software, supplier relationships, and data access controls.

Remember when vetting vendors was a once-a-year checkbox and not a full-contact sport? Good times. But now, thanks to AI creeping into every crevice of modern software—from CRMs to coffee machine firmware—the game has changed.

Now every supplier, integration, and platform you rely on might quietly include AI. And that means your data, your customers’ data, and your business logic could be influenced (or exposed) in ways you never explicitly agreed to—or even realized. Worse, by the time you finish evaluating one vendor’s AI usage, the terms of service have changed again. It’s like chasing a greased compliance pig through a foggy maze.

This episode explores:
Why the growing use of AI in nearly all SaaS tools creates cascading compliance complexity.
How T&Cs around AI use are changing at whiplash speed—and what that means for your contracts.
The evolving (and frankly exhausting) need to re-vet vendors on an ongoing basis.
How “silent AI integrations” can erode your data governance without triggering alarms.

We’re not just sounding the alarm; we’re opening the floor. What are you seeing? How are you managing the ever-evolving AI-supplier matrix? We want to hear your stories, rants, and success hacks.

Whether you're a CISO juggling vendor reviews like flaming swords or a founder wondering if your new billing tool has a secret AI feature rewriting your invoice terms, this episode is your reality check.

💬 Comment. Vent. Share. Then come back for Episode 61—we’ll still be trying to make sense of it all.
-
59
#59: Domain Registrar Risks | Doing It Right Gone Wrong
In this episode of Cash in the Cyber Sheets, we dive into a real-world experience with domain registrars—those gatekeepers of your online identity who are supposed to help keep you safe and sound on the internet. But what happens when doing their job too well actually opens up an unexpected vulnerability?

It’s a classic case of security intentions versus operational reality. We break down how a seemingly well-configured domain protection mechanism—meant to shield against unauthorized changes—ended up locking us out of critical functionality… right when we needed it most.

This isn’t just a one-off anecdote. It’s a prime example of a broader problem plaguing businesses of all sizes: security controls and compliance measures that paradoxically introduce new risks. From “you must enable this setting to protect your domain” to “well now you’re unable to prove ownership,” we explore the domino effect of protections gone sideways.

In this episode, we discuss:
The real-world impact of overly rigid registrar controls.
How security and compliance intentions can inadvertently create vulnerabilities.
What this means for SMBs trying to do the right thing without accidentally doing the wrong thing.
The lessons we’ve learned (so you don’t have to learn them the hard way).

Whether you're a business owner, IT admin, MSP, or security pro, this episode will hit home. It’s a reminder that in cybersecurity, the road to hell is often paved with good intentions—and domain-level irony.

🔐 Because sometimes locking the door too tightly doesn't just make things harder on you, but easier for the bad guys.
-
58
#58: 16 Billion Records Breached – What Now?
Another day, another “largest breach in history.” This time, it’s reportedly 16 billion records leaked in a massive data dump that has cybersecurity pros scrambling and the rest of the world asking, “Was I in it?”

In this episode of Cash in the Cyber Sheets, we break down the facts behind this mega-breach—including what’s real, what’s speculation, and what you should actually do about it. Whether this turns out to be a compilation of old breaches or a fresh apocalypse, the message is the same: your password practices and access controls need to be air-tight.

🔍 What You’ll Learn:
The facts (and fiction) behind the 16 billion record leak
What makes this breach so concerning (beyond just the number)
How threat actors use this data in real-world attacks
Simple steps to protect yourself, your users, and your business

We’ll also use this as a teachable moment for business owners and IT teams: this is your cue to review your password policies, multi-factor authentication (MFA) setup, and your user access audits. You can’t control who gets breached—but you can control how far the fallout reaches.

✅ Get Proactive with These Resources:
What's a Good Password: https://www.inputoutput.com/blog/what's-a-good-password-security-best-practices
MFA Best Practices Guide: https://www.inputoutput.com/blog/multifactor-authentication-best-practices
10 Steps for a Compliant User Access & Logging Audit: https://www.inputoutput.com/blog/10-must-do-steps-to-perform-a-compliant-user-access-and-logging-audit

🔐 Whether you’re an IT lead, a business owner, or just someone who reused “Password123” one too many times, this episode will show you how to tighten up your personal and organizational security. Because breaches are inevitable—but being easy to exploit doesn’t have to be.

Hit play, panic just a little, and then take action.
-
57
#57: Common SPF Pitfalls and How to Solve Them
If your marketing emails keep ghosting your prospects, it might not be a CRM problem; it could be your SPF record playing games.

In this episode of Cash in the Cyber Sheets, we're diving into the murky waters of Sender Policy Framework (SPF) records. Whether you're an IT lead, a business owner, or just someone who’s tired of your emails landing in spam folders, this episode is your go-to guide for understanding the most common SPF issues and how to fix them like a pro.

🔍 What You'll Learn:
What SPF is and why it's critical for email deliverability
The most frequent SPF mistakes we see (spoiler: “Too many DNS lookups” is a fan favorite)
How your SPF interacts with other email records like DKIM and DMARC
Practical steps to validate and fix broken or misconfigured SPF setups

🚨 Common Issues We Cover:
Multiple SPF records (and why that breaks things fast: a receiver that finds more than one v=spf1 record on a name returns a permanent error instead of a pass)
Incorrect use of “include”
Exceeding the 10 DNS lookup limit (yes, this exists, and it matters: past ten lookups the receiver returns a permanent error and your record stops authenticating anything)
Legacy setups no longer aligned with current sending sources

SPF is often “set and forget” until you find yourself in email purgatory. Even worse, an improperly configured SPF can leave your domain vulnerable to spoofing, which may cause you to lose more than just marketing traction. From client horror stories to real-world audits, we cover the nitty-gritty without the technical fluff.

🧠 Want to go deeper? Read our related blog posts:
Setting Up Multiple SPF Includes (the right way)
New DMARC 2025 Requirements: Why They Matter

🔧 Want to test your SPF right now?
Use our SPF Record Checker
Run a full Email Record Audit with iO™ DMARC

If your email visibility matters (and let’s be honest, it does), this episode is not optional. Click play, fix your SPF, and finally escape the spam folder once and for all.
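The checks above (more than one SPF record, a record that never terminates, “+all”, deprecated “ptr”, and the ten-lookup limit) can be reproduced offline. The script below is an added example written for this page; it is not the episode's material and not Input Output's SPF Record Checker. It replaces DNS with a constructed table of TXT answers whose domain names, records and resulting lookup counts are all made up for illustration, and it counts lookups the way RFC 7208 section 4.6.4 does: include, a, mx, ptr, exists and redirect= each cost one, ip4, ip6 and all cost nothing, and includes are followed recursively.

```python
"""Offline SPF sanity checks: duplicate records, bad terms, missing terminator,
"+all", "ptr", and the 10-DNS-lookup limit (RFC 7208, section 4.6.4).
Added example; DNS is replaced by the constructed TXT table below, and every
domain in it is a placeholder."""
import re

# Constructed TXT answers standing in for DNS (hypothetical zones).
TXT_RECORDS = {
    "example.test": [
        "v=spf1 include:_spf.mailhost.test include:_spf.crm.test "
        "include:_spf.legacy.test mx a -all"
    ],
    "_spf.mailhost.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost-b.test ~all"],
    "_spf.mailhost-b.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 include:_spf.crm-eu.test include:_spf.crm-us.test ~all"],
    "_spf.crm-eu.test": ["v=spf1 ip4:203.0.113.0/26 -all"],
    "_spf.crm-us.test": ["v=spf1 ip4:203.0.113.64/26 -all"],
    # Legacy record: a, mx, ptr and exists each cost a lookup; ptr is deprecated.
    "_spf.legacy.test": ["v=spf1 a mx ptr exists:%{i}.rbl.legacy.test ~all"],
    # Two SPF records on one name: receivers return permerror, not pass.
    "broken.test": ["v=spf1 include:_spf.mailhost.test -all",
                    "v=spf1 ip4:192.0.2.5 -all"],
    # Zero lookups, but "+all" lets the whole internet pass SPF for this domain.
    "open.test": ["v=spf1 ip4:192.0.2.10 +all"],
}

LOOKUP_LIMIT = 10
TERM_RE = re.compile(r"^(?P<mech>[a-z0-9]+)(?P<sep>[:=/]?)(?P<arg>.*)$")
COUNTED = {"include", "a", "mx", "ptr", "exists"}   # one DNS lookup each
FREE = {"ip4", "ip6", "all"}                         # no DNS lookup


def spf_record(domain, txt=TXT_RECORDS):
    """Return the single SPF record for domain; 0 or >1 records is a permerror."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: found {len(records)} SPF records, need exactly 1")
    return records[0]


def parse_terms(record):
    """Yield (qualifier, mechanism, separator, argument) for each term after v=spf1."""
    for raw in record.split()[1:]:
        qualifier = raw[0] if raw[0] in "+-~?" else "+"
        m = TERM_RE.match(raw.lstrip("+-~?").lower())
        if not m:
            raise ValueError(f"unparsable term {raw!r}")
        yield qualifier, m["mech"], m["sep"], m["arg"]


def count_lookups(domain, txt=TXT_RECORDS, chain=()):
    """Count DNS-querying terms as a receiver would, following include: and
    redirect=.  The per-name sub-lookups of mx and ptr are not modelled."""
    if domain in chain:
        raise ValueError(f"include loop: {' -> '.join(chain + (domain,))}")
    chain += (domain,)
    total = 0
    for _, mech, sep, arg in parse_terms(spf_record(domain, txt)):
        if sep == "=":                       # a modifier, not a mechanism
            if mech == "redirect":
                total += 1 + count_lookups(arg, txt, chain)
            # exp= and unknown modifiers never count toward the limit
        elif mech == "include":
            total += 1 + count_lookups(arg, txt, chain)
        elif mech in COUNTED:
            total += 1
        elif mech not in FREE:
            raise ValueError(f"{domain}: unknown mechanism {mech!r} (permerror)")
    return total


def audit(domain, txt=TXT_RECORDS):
    """Return a list of findings for the domain's own record; empty means clean."""
    try:
        record = spf_record(domain, txt)
    except ValueError as exc:
        return [str(exc)]
    terms = list(parse_terms(record))
    last = terms[-1] if terms else None
    if not last or not (last[1] == "all" or (last[1] == "redirect" and last[2] == "=")):
        return [f"{domain}: record does not end in an 'all' mechanism or redirect="]
    findings = []
    if any(q == "+" and mech == "all" for q, mech, _, _ in terms):
        findings.append(f"{domain}: '+all' lets any host pass SPF for this domain")
    if any(mech == "ptr" for _, mech, _, _ in terms):
        findings.append(f"{domain}: 'ptr' is deprecated and slow; replace it with ip4/ip6")
    try:
        n = count_lookups(domain, txt)
        if n > LOOKUP_LIMIT:
            findings.append(f"{domain}: {n} DNS lookups exceeds the limit of {LOOKUP_LIMIT} (permerror)")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for name in ("example.test", "broken.test", "open.test", "_spf.mailhost-b.test"):
        print(name, "->", audit(name) or ["ok"])
```

The constructed example.test record is the classic marketing-stack failure: three includes that each pull in their own includes add up to twelve lookups, so a receiver gives up before reaching the -all, and the fix is flattening rarely-changing includes to ip4/ip6 ranges. To run this against real domains, replace TXT_RECORDS with TXT queries (for example via dnspython's dns.resolver) and remember that a real evaluation also caps the address lookups behind mx and ptr at ten each.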
-
56
#56: Classify This | Why Data Classification Matters
In this episode of Cash in the Cyber Sheets, we take a bold step away from convention and dig into one of the most misunderstood yet crucial components of an information security program: data classification levels.

Most organizations default to CISA’s Traffic Light Protocol (TLP) for labeling data, but we’ve taken a different route. While TLP is helpful for public-private information sharing, it lacks the granularity and operational context needed for meaningful internal use. Our classification system was designed to solve that problem by clarifying risk exposure, enhancing threat modeling, and helping you understand where your crown jewels actually live.

We walk through how our classification levels are structured, where they differ from TLP, and why those differences matter. You’ll learn how a refined data classification model improves risk assessments, supports accurate network diagrams, sharpens data mapping efforts, and gives threat modeling the clarity it desperately needs.

You’ll also hear how vague or oversimplified classification systems can derail internal reviews, leading to incomplete threat identification and overlooked vulnerabilities. On the other hand, our approach gives teams a practical way to define what matters most, where it’s located, and how it could be exposed.

This isn’t theory for theory’s sake. If you're conducting a risk assessment, building out network architecture, or performing a gap analysis, our model offers structure that translates directly into action. Whether you're a vCISO, MSP, or an overwhelmed IT lead trying to secure a growing business, this episode arms you with a better lens for managing sensitive information.

Pour your drink of choice and join us for a conversation that could mean the difference between seeing risk in the fog and seeing it in high resolution.

Check out our companion article about data classification at: What is a Data Classification Policy?
-
55
#55: DMARC Compliance Killed the Creative… Or Did It?
Think DMARC, SPF, and DKIM are just for your IT team? Think again. In this episode of Cash in the Cyber Sheets, we’re flipping the script on the idea that information security is the enemy of marketing. Spoiler alert: it’s actually your secret weapon.

We break down how bad email authentication silently sabotages your best campaigns, why your beautiful emails may be ghosting inboxes, and how good compliance can boost deliverability, reinforce brand trust, and even make your sales team sound like heroes.

Here’s what’s inside:
Why poor security practices can tank your ROI — even if your marketing is on point
How DMARC, SPF, and DKIM actually increase visibility and credibility
What BIMI adds to your brand’s professionalism (and your emails' survival odds)
Real-world tips to integrate security into your funnel without strangling creativity
The tools we use — including our own iO™ DMARC, to make setup and management stupid-simple

If your brand is sending emails with p=none and crossing your fingers they get delivered… it’s time to stop guessing and start authenticating.

📥 Check your email setup with our free iO™ DMARC Email Audit Tool
📚 Want a full DMARC breakdown? Read our blog: How to Setup DMARC
🎧 Tune in, take notes, and find out why compliance might just be the creative catalyst your brand’s been missing.
-
54
#54: Why DMARC Changes in May 2025 Can’t Be Ignored
Email Security Just Got Real: What Changed in 2025 with DMARC

Welcome to another hard-hitting episode of Cash in the Cyber Sheets, where we pull no punches and call out the silent killers of your digital credibility. This week, we’re talking about something that sounds boring—but will absolutely wreck your marketing if ignored: DMARC.

Spoiler alert: As of May 2025, if your email domain doesn’t have DMARC configured properly, your emails might never make it to your customers’ inboxes. Worse? They might end up being spoofed by cybercriminals impersonating your brand.

In this episode, we get right to the core of:
Why DMARC (along with SPF and DKIM) is the new standard for email trustworthiness
What changed in May 2025, when Microsoft joined Google and Yahoo in requiring SPF, DKIM, and DMARC from bulk senders—and why it matters to your bottom line
The damage email spoofing can do to your brand reputation and customer trust
The actual business risks of ignoring this “invisible” piece of your cybersecurity stack
How to go from clueless to compliant in a few simple steps

We break down what DMARC looks like in plain English (yes, even the scary TXT record stuff), share how DMARC aggregate and forensic (failure) reports can give you visibility into spoofing attempts, and explain why email authentication isn’t just a technical task—it’s a strategic one.

🔍 Want to know if your domain is at risk right now? Run a free domain check with our iO™ DMARC Email Audit Tool and get instant insights into your SPF, DKIM, and DMARC configuration.

⭐ Need to make managing this stuff simple and non-headache inducing? That’s where iO™ DMARC comes in. It’s the easy button for email security and deliverability.

📖 Dive deeper with our companion article: DMARC Is No Longer Optional: What Business Owners Need to Know in 2025

If email is part of your business (hint: it is), then this episode is for you. Even if you've never heard of DMARC before—or tried to ignore it hoping it would go away—2025 isn't giving you the option anymore.

So buckle up, press play, and let’s make sure your emails land where they belong.
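Both this episode and Episode 55 above come down to what is actually in the TXT record at _dmarc.<your-domain>. The script below is an added example for this page, not the episode's material and not the iO™ DMARC tool: it parses a DMARC record, applies the defaults from RFC 7489 (subdomains inherit p, pct defaults to 100, alignment defaults to relaxed) so the audit sees what a receiver would enforce, and flags the “p=none and crossing your fingers” configuration along with the other settings that quietly weaken an otherwise good record. The records and the example.test domain are constructed, and the wording of each finding is this example's own.

```python
"""Parse a DMARC TXT record (published at _dmarc.<domain>) and flag weak
settings.  Added example with constructed records; example.test is a
placeholder and the finding texts are this script's own wording."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a lower-cased tag dict.
    Raises ValueError for the defects that make receivers ignore the record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("required tag p= is missing")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"p={tags['p']} is not none, quarantine or reject")
    return tags


def effective_policy(tags):
    """Apply RFC 7489 defaults so the audit sees what a receiver enforces."""
    p = tags["p"].lower()
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct={pct} is not an integer from 0 to 100")
    return {
        "p": p,
        "sp": tags.get("sp", p).lower(),           # subdomains inherit p unless sp= is set
        "pct": int(pct),
        "adkim": tags.get("adkim", "r").lower(),   # relaxed alignment by default
        "aspf": tags.get("aspf", "r").lower(),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        "ruf": [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()],
    }


def audit_dmarc(record):
    """Return findings for one record; an empty list means enforced and reporting."""
    try:
        eff = effective_policy(parse_dmarc(record))
    except ValueError as exc:
        return [f"invalid record, receivers will ignore it: {exc}"]
    findings = []
    if eff["p"] == "none":
        findings.append("p=none: failing mail is still delivered; this is monitoring, not protection")
    elif eff["sp"] == "none":
        findings.append(f"sp=none: subdomains are unenforced even though p={eff['p']}")
    if eff["p"] != "none" and eff["pct"] < 100:
        findings.append(f"pct={eff['pct']}: only that share of failing mail gets the policy applied")
    if not eff["rua"]:
        findings.append("no rua=: no aggregate reports, so no visibility into failures or spoofing")
    elif not all(u.lower().startswith("mailto:") for u in eff["rua"]):
        findings.append("rua= entries must be mailto: URIs")
    return findings


if __name__ == "__main__":
    # Constructed records, from "crossing your fingers" to fully enforced.
    for rec in ("v=DMARC1; p=none",
                "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.test",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"):
        print(rec, "->", audit_dmarc(rec) or ["enforced, reporting in place"])
```

The usual path is to publish p=none with rua= first, read the aggregate reports until every legitimate sending source passes SPF or DKIM with alignment, then move to p=quarantine and finally p=reject. Aggregate (rua) reports are what nearly every large receiver sends; failure (ruf) reports are sent by few of them, so do not plan your spoofing visibility around ruf alone.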
-
53
#53: What to Expect in an Information Security Audit
Think a cybersecurity audit is just someone skimming your policies and handing out a report card? Think again.

In this episode of Cash in the Cyber Sheets, we break down what a modern cybersecurity audit actually looks like when it’s done right — not robotic, not adversarial, and definitely not a waste of time. From smart scoping and stakeholder alignment to deep-dive control reviews and practical remediation guidance, you'll discover how the audit process can be a strategic advantage, not a corporate migraine.

We’ll walk you through:
Scoping: How the right questions up front ensure an audit that’s focused, not bloated
Kickoff: Aligning teams and setting expectations (without the eye rolls)
Policy Review: How what’s written down compares to what’s really happening
Evidence Gathering: Why “trust but verify” is more than just a slogan
Risk Validation: Connecting control gaps with business risk and real-world threats
Reporting: Translating findings into plain-English, prioritized remediation roadmaps

We also spotlight Input Output’s proprietary iO-GRCF™ — our framework that cross-maps your controls to multiple industry standards like NIST, ISO 27001, FTC Safeguards Rule, HIPAA, and more, all without creating duplicate work or cost.

Whether you're preparing for a client review, chasing a certification, or just trying to avoid getting blindsided by your cyber insurer, this episode gives you the clarity you need.

🔍 Want to dig deeper? Check out the companion article here: 👉 https://www.inputoutput.com/blog/What-Occurs-During-a-Security-Audit
-
52
#52: Information Security Policy Document Example
If the phrase “information security policy document example” sounds like something only a compliance consultant could love… we’re here to change your mind.

In this episode of Cash in the Cyber Sheets, we take a hands-on walkthrough of a real, downloadable information security policy document sample — the GOV domain sample from our Written Information Security Plan (WISP). This is the exact format and structure we use to help small and mid-sized businesses meet regulatory requirements, close security gaps, and document their programs like pros.

So many SMBs and MSPs struggle to turn compliance frameworks into something practical. The GOV domain helps bridge that gap — and in this episode, we explain how you can use it to:
Understand and apply common InfoSec terminology (like C.I.A., risk treatment, and stakeholder matrices)
Align your policies with regulations like the FTC Safeguards Rule, GLBA, and ISO 27001
Assign clear roles and responsibilities (yes, we break down who does what and why it matters)
Plan internal audits, board reviews, and executive reporting with confidence
Ensure version control, scope, and applicability are clearly defined and maintained
Communicate your security commitment across your organization and to external stakeholders

We don’t just read you the policy — we explain what each section is for, how to use it, and why it helps you get compliant faster with less guesswork. If you’re an MSP helping clients get compliant, or a business owner trying to avoid regulatory pain, this episode gives you a real-world guide to doing it right.

🧩 Why this matters: Using a strong, editable IT policy template saves time, reduces risk, and ensures you're not starting from a blank screen (or worse, a half-baked internet copy-paste). The GOV domain forms the strategic foundation of your InfoSec program and makes it easy to layer in the remaining domains later.

🧰 Download the editable GOV domain information technology security policy template (Word + PDF): 👉 https://www.inputoutput.com/Information-Technology-Security-Policy-Template-Download

📘 Want the deep dive? We also wrote a full article breaking down the components of a good security policy and the GOV domain: 👉 https://www.inputoutput.com/blog/Information-Technology-Security-Policy-Sample-guide
-
51
#51: FTC Safeguards Checklist | Reporting to Leadership
In this final episode of our FTC Safeguards Rule Compliance Checklist series, Cash in the Cyber Sheets wraps up with a deep dive into one of the most overlooked—but absolutely essential—requirements of the Safeguards Rule: reporting to your board of directors or senior leadership under §314.4(i).

If you’ve been following our series, you’ve already tackled everything from risk assessments to incident response plans. But now, it's time to translate all that technical effort into a language executives understand. Because what good is a great security program if leadership never hears about it?

In this episode, we walk through exactly what this reporting requirement entails, why it matters to both compliance and business strategy, and how to build a board report that’s insightful, digestible, and regulation-ready. You’ll learn how to craft a report that covers program status, control testing, audit findings, incident history, stakeholder feedback, and evolving risks—without getting lost in acronyms or technical jargon.

We’re also drawing on Input Output’s field-tested ISP Management Review framework, giving you a practical, board-facing template to make your next report more than just a compliance chore—it becomes a strategic asset. From identifying internal/external risk factors to defining performance targets and summarizing stakeholder feedback, we cover it all.

We’ll also tie it all back to the broader goals of the FTC Safeguards Rule. If your business collects or processes customer financial data, staying compliant isn’t just about avoiding fines—it’s about earning trust, building resilience, and making security a leadership priority.

Whether you’re a CISO, compliance officer, or just the person voluntold to handle the next board update, this episode is your go-to guide for turning security data into executive action.

🧩 BONUS: Check out our full blog article on §314.4(i): FTC Safeguards Rule Checklist: Reporting to Senior Management, and our FTC Safeguards Rule Compliance Checklist Infographic—your go-to visual aid for staying on track with every requirement.

So grab your headphones, maybe a second coffee, and let’s make sure your next board report doesn’t just inform—it inspires.
-
50
#50: FTC Safeguards Checklist | Incident Response Plan
🎙️ FTC Safeguards Rule Series: Mastering Incident Response Checklist for Compliance, Episode [#]: When Cyber Hits the Fan

In the world of cybersecurity, it's not if something goes wrong—it's when. That’s why this week’s episode of our FTC Safeguards Rule Checklist for Compliance series tackles one of the most critical, and often chaotic, elements of your security program: your incident response plan.

Under § 314.4(h) of the Safeguards Rule, financial institutions aren’t just expected to “try their best”—they're required to have a fully documented, thoroughly tested, and actively maintained incident response plan. And not just for the regulators’ warm and fuzzy feelings, but to ensure real-world readiness when that 2 a.m. breach alert starts blinking.

In this episode, we dive headfirst into what a compliant and competent response plan really looks like. From setting crystal-clear objectives and mapping decision trees, to planning PR-ready breach communications and conducting root cause investigations without pointing fingers—we cover it all.

We break down the seven required elements of an FTC-compliant response plan, share practical strategies for implementation, and explain how to make your program resilient enough to stand up to real threats—not just checkbox audits.

🔍 You’ll Learn:
Why vague workflows are the enemy of rapid response
How to empower your team with defined roles (no “who’s handling this?” moments)
What to say (and not say) when regulators, clients, or your CEO come calling
The importance of documentation, remediation, and rehearsals
Why tabletop exercises should be your new team-building activity (sans trust falls)

📥 Want the visuals to match the audio? Don’t forget to download our FTC Safeguards Rule Checklist for Compliance Infographic. It’s like a security roadmap with less jargon and more action—and it's designed for real-world use, not theoretical frameworks.

📖 Craving even more detail? Be sure to check out the full companion blog article for this episode: Mastering Incident Response. We unpack § 314.4(h) line by line and offer Input Output’s field-tested tactics for compliance, recovery, and reputation defense.
-
49
#49: FTC Safeguards Checklist | Continual ISP Improvement
Let’s face it—cybersecurity can feel like a never-ending treadmill powered by acronyms, compliance checklists, and the looming threat of the next data breach headline. But in this episode of Cash in the Cyber Sheets, we’re helping you catch your breath while staying compliant with the FTC’s Safeguards Rule.

We’re continuing our FTC Safeguards Rule Checklist series, and today we’re focusing on what might be the most underappreciated requirement of them all: continuous improvement (FTC Safeguards Rule § 314.4(g)). Spoiler alert—it’s not optional, and it doesn’t come with a snooze button.

In this episode, we’ll walk through:
What continuous improvement actually means in the eyes of the FTC (hint: it’s not just about dusting off your policies once a year)
How to evolve your Information Security Program based on testing, monitoring, and business changes
Why risk assessments aren’t just busywork—they’re your roadmap to smarter security decisions
The easy ways you can show your continual improvement efforts as part of your routine ISP management
How to make “security culture” more than just a buzzword in a PowerPoint deck

Whether you’re the person who built your WISP from scratch or the lucky soul who just inherited it, this episode offers practical insights into keeping your program effective, compliant, and yes—even a little future-proof.

We also highlight the tools and templates you can use to simplify documentation, streamline reassessments, and improve audit readiness without sacrificing your sanity (or your weekend).

💡 Bonus: Be sure to download our FTC Safeguards Rule Checklist Infographic to follow along visually. Because a well-organized mind—and security program—starts with a solid checklist.

So grab your coffee, cue up that compliance brain, and tune in to learn how to keep your security program moving forward—without spinning your wheels.

Grab the FTC Safeguards Rule Checklist for Compliance here: https://www.inputoutput.com/ftc-safeguards-rule-checklist-for-compliance

Also, don't miss our companion blog article, "FTC Safeguards Rule Checklist for Compliance: Continual ISP Improvement", here: https://www.inputoutput.com/blog/FTC-Safeguards-Rule-Checklist-for-Compliance-Continual-ISP-Improvement
-
48
#48: FTC Safeguards Checklist | Managing Service Providers
In this episode of Cash in the Cyber Sheets, we’re diving into one of the most overlooked (and risky) parts of FTC Safeguards Rule compliance—managing your service providers.

From contract clauses to risk reviews, we’ll walk you through what the Rule actually requires, what “reasonable oversight” really means, and how to avoid getting blindsided by a third-party security failure.

✅ Learn how to select secure vendors
📝 What language your contracts must include
🔁 How to reassess providers without making it a full-time job

🎁 Download our FTC Safeguards Rule Checklist Infographic to follow along.
📖 Want more details? Read the full blog post here.

Because if your vendor drops the ball, you’re the one stuck holding it. Let’s make sure that doesn’t happen.
-
47
#47: FTC Safeguards Checklist | Training & Policies
In this episode of Cash in the Cyber Sheets, we continue our series on the FTC Safeguards Rule checklist for compliance. Navigating compliance requirements can feel overwhelming, but we're here to break it down. This episode focuses on implementing robust information security policies, procedures, and training—key components to keeping your organization safe and compliant.

We discuss how to develop a comprehensive Written Information Security Program (WISP), train employees on emerging threats like phishing, smishing, vishing, quishing, and social engineering, and maintain ongoing threat awareness through continuous updates and timely communication.

From automated training exercises to posters and newsletters, we cover the best practices for keeping your team prepared. Don't miss out on these valuable insights!

Download the 'FTC Safeguards Rule Checklist for Compliance' infographic to follow along and ensure your business stays on the right side of compliance.

Also, check out our companion article: FTC Safeguards Rule Checklist for Compliance Series: Information Security Policies, Procedures & Training
-
46
#46: FTC Safeguards Checklist | Reviewing Controls
Welcome back to Cash In the Cyber Sheets. This episode is a continuation of our FTC Safeguards Rule Checklist for Compliance series, and we’re diving into a part of the Safeguards Rule that too many companies overlook until it’s too late: ongoing monitoring and testing.

In this episode, we break down § 314.4(d) of the FTC Safeguards Rule—what it actually requires, what regulators expect, and how to move from "set it and forget it" to "set it, test it, monitor it, and update it." Spoiler alert: hope is not a strategy, and ignorance is definitely not compliance.

We’ll explore:
What counts as "regular testing" and how often it’s required
The difference between vulnerability assessments and penetration testing (yes, you need both)
How to build a proactive, risk-based monitoring program that aligns with real-world threats
And how to ensure your security program doesn’t just exist on paper—but actually works

If you're serious about protecting sensitive data and staying on the right side of regulators, this is one episode you don’t want to miss.

🔍 Download our FTC Safeguards Rule Checklist Infographic to follow along and track your compliance progress step-by-step.

Also, check out our companion article at: FTC Safeguards Rule Checklist Compliance Series: Monitoring, Reviewing, and Testing Controls
-
45
#45: FTC Safeguards Checklist | Security Controls Deep Dive
In this episode of Cash in the Cyber Sheets, we continue our FTC Safeguards Rule Checklist for Compliance series by diving deeper into the practical implementation of security controls. Last time, we outlined the critical components of a risk-based approach—now, we’re getting into the nitty-gritty of making those safeguards work effectively in your organization.

With the FTC’s updated Safeguards Rule now in full effect, businesses handling customer financial data must establish robust security measures to mitigate risks, prevent breaches, and maintain compliance. This episode breaks down the key controls required under 16 CFR § 314.4(c), including:
🔹 Access Controls – Enforcing least privilege, MFA, and strong authentication to prevent unauthorized data exposure.
🔹 Asset Management – Identifying critical data and systems, classifying risk levels, and prioritizing protections.
🔹 Data Encryption & Alternative Safeguards – Securing data in transit and at rest, and implementing compensating controls when encryption isn’t feasible.
🔹 Secure Development Practices – Building security into applications using OWASP best practices and proactive code review.
🔹 Data Retention & Disposal – Establishing clear policies to eliminate unnecessary data storage and minimize breach risks.
🔹 Change Management & Monitoring – Ensuring updates don’t introduce new vulnerabilities and leveraging logging for real-time threat detection.

We also explore how businesses—especially those without a dedicated security team—can streamline compliance using Input Output’s Written Information Security Program (WISP), which provides ready-to-use policies, procedures, and incident response templates to simplify implementation.

Staying compliant isn’t just about checking boxes; it’s about maintaining an adaptable security posture that protects your customers and your business. Tune in to Cash in the Cyber Sheets as we break it all down, making compliance easier (and maybe even a little fun).

🔊 Listen now and take control of your security program! Grab your copy of the: FTC Safeguards Rule Checklist for Compliance Infographic

Check out our companion article for an even more in-depth review of FTC Safeguards Rule security best practices at: FTC Safeguards Rule Checklist: Implementing Appropriate Controls with a Risk-Based Approach
-
44
#44: FTC Safeguards Checklist | Key Security Controls
When people think of security controls, they usually picture firewalls, antivirus software, and multi-factor authentication. But truly protecting your business goes beyond just technical solutions—it requires a mix of administrative, physical, and technical controls working together.

In this episode of Cash in the Cyber Sheets, we continue our deep dive into the FTC Safeguards Rule Checklist, focusing on appropriate security controls. We’ll cover the essentials, including malware management, password managers, and MFA, while also tackling the often-overlooked administrative and physical safeguards that are just as critical.

How do you determine which controls are right for your organization? What gaps might you be overlooking? We break it all down so you can build a security strategy that actually works—not just one that checks a compliance box.

If you're serious about protecting sensitive data (and avoiding hefty fines), this episode is for you.
-
43
#43: FinCEN BOI Reporting Requirements Halted
Regulatory compliance just took another sharp turn. The Beneficial Ownership Information (BOI) reporting requirements under the Corporate Transparency Act (CTA) have been halted—at least for now. But what does that really mean for small businesses?

In this episode of Cash in the Cyber Sheets, we unpack the latest legal twists, including the U.S. Treasury Department’s announcement that BOI reporting will not be enforced at this time. Does this mean businesses are off the hook permanently, or is this just a temporary pause before new regulations drop?

Join us as we break down the legal back-and-forth, what businesses should do next, and why staying informed is crucial in this shifting compliance landscape. If you're wondering what’s next for BOI reporting, this episode has the answers.

Read more about the FinCEN BOI Reporting Requirements: https://www.inputoutput.com/blog/Beneficial-Ownership-Information-FinCEN-Reporting-halted
-
42
#42: FTC Safeguards Checklist | Risk-Based Approach
Compliance isn’t a checkbox—it’s a strategy. This week on Cash in the Cyber Sheets, we continue our FTC Safeguards Rule Checklist for Compliance series with a deep dive into how to design your Information Security Program (ISP) using a risk-based approach.

The FTC Safeguards Rule requires businesses to identify, assess, and mitigate risks to customer information—but what does that actually look like in practice? We’ll break down how the CIA Triad (Confidentiality, Integrity, and Availability) serves as the foundation of a strong security strategy and how to build a risk assessment program that not only checks the compliance box but actually protects your business.

🔍 What You’ll Learn:
✅ Why a risk-based approach is essential for compliance and security
✅ How to align your ISP with the CIA Triad (Confidentiality, Integrity, Availability)
✅ Key steps to conducting a proper risk assessment under FTC requirements
✅ How to prioritize and treat risks to meet regulatory expectations

🎁 Bonus Resources:
📌 FTC Safeguards Rule Checklist for Compliance – Download our step-by-step infographic
📖 Blog: FTC Safeguards Rule Requirements: What Every Organization Needs to Know
📖 eBook: FTC Safeguards Rule - FTC Compliant in 10 Easy Steps
🛠️ FTC Safeguards Rule Compliant WISP (Written Information Security Program)

You can’t secure what you don’t understand. Tune in now to learn how to take a proactive, risk-based approach to protecting your business and customer data!

👉 Listen now wherever you get your podcasts! 🎧

#CyberSecurity #FTCSafeguards #RiskManagement #Compliance #InfoSec
-
41
#41: FTC Safeguards Checklist | Qualified Individual Role
The FTC Safeguards Rule is here, and compliance isn’t optional. But where do you start? This week on Cash in the Cyber Sheets, we kick off our educational series diving deep into the FTC Safeguards Rule Checklist—one critical requirement at a time.

In this episode, we tackle the first (and arguably most important) step: designating a Qualified Individual to oversee your Information Security Program. Who should take on this role? What qualifications matter? And how do you ensure they have the authority and resources to keep your business compliant and secure?

🔍 What You’ll Learn:
✅ Who qualifies as a “Qualified Individual” under the FTC Safeguards Rule
✅ Key responsibilities and expectations for this role
✅ The risks of getting it wrong—and how to get it right
✅ Actionable steps to set up your compliance foundation

🎁 Additional Resources:
FTC Safeguards Rule Checklist for Compliance – Download our easy-to-follow infographic
Blog: FTC Safeguards Rule Requirements: What Every Organization Needs to Know
eBook: FTC Safeguards Rule - FTC Compliant in 10 Easy Steps
FTC Safeguards Rule Compliant WISP (Written Information Security Program)
-
40
#40: Breaking Barriers to Success with JASB Management
In this episode of Cash in the Cyber Sheets, we sit down with Jerry Seigel from JASB Management, a seasoned expert in management training, executive coaching, and personal development. We dive into some of the biggest challenges business owners face and uncover what truly holds them back from reaching their full potential.

From leadership blind spots to self-imposed roadblocks, Jerry shares invaluable insights on how to break through limitations and build a path to lasting success. If you've ever felt like you're stuck in a cycle of frustration, this episode is packed with practical strategies to help you take control and level up.

Connect with Jerry Seigel:
Website: https://www.JASBManagement.com

Listen now and start clearing the obstacles between you and your business success! 🚀
-
39
#39: Expanding the CIA Triad: Why CIAPS is the New Standard
In this episode of Cash in the Cyber Sheets, we take a deep dive into the foundational principles of information security—the CIA triad (Confidentiality, Integrity, Availability)—and explore why these are no longer sufficient to meet today’s challenges. Introducing CIAPS (Confidentiality, Integrity, Availability, Privacy, and Safety), we discuss why businesses should adopt this expanded framework to remain secure, compliant, and aligned with modern expectations.
-
38
#38: The First Step in Building Information Security
The First Step in Information Security - Laying the Foundation for a Robust ISP

What does it take to build an effective Information Security Program (ISP), and what are the first things you need to consider when developing your information security policies and procedures?

In this episode, we explore the critical first steps, including securing leadership commitment, forming an Information Security Program Board, and defining your organization's context and scope. Learn how these foundational elements set the stage for long-term security success.

Whether you're a security professional or a business leader, this episode provides actionable insights to help you protect your organization in an increasingly digital world.

Check out our blog to learn even more about how to develop your information security policies and procedures and set a strong foundation for your Information Security Program: What is the First Step in Information Security? Building a Strong Foundation with Leadership and Organizational Context
-
37
#37: The Dirty 13 | MFA Issues & Best Practices
In this episode of Cash in the Cyber Sheets, we continue our Dirty 13 series by tackling one of the most overlooked yet critical security gaps: MFA (Multi-Factor Authentication). While MFA is one of the strongest tools for securing accounts, its effectiveness plummets if it's not implemented or configured correctly.

We’ll discuss the common pitfalls of MFA neglect and dive into best practices that can keep your organization secure:
- The importance of break-glass accounts and how to set them up safely.
- Why storing OTPs or recovery keys in your password manager is a risk.
- Backup strategies for lost devices and how to avoid single points of failure.
- The advantages of hardware authenticators like YubiKeys over SMS or email-based MFA.
- How to safeguard your MFA strategy against phishing, SIM-swapping, and other vulnerabilities.

Don’t miss this actionable guide to doing MFA right. Whether you’re an IT pro or a business leader, this episode is packed with insights to strengthen your security posture.

Looking for more details? Check out our companion article, "Information Security Policies: Multifactor Authentication Best Practices", where we expand on everything discussed in the episode. Perfect for sharing with your team or referencing during your next security review.

Read More: Information Security Policies: Multifactor Authentication Best Practices
-
36
#36: Incident Response | Planning for the Unexpected
In this episode of Cash in the Cyber Sheets, we are joined by Bryan Barnhart from Infiltration Labs to discuss the critical importance of incident response planning. Together, we explore Bryan’s extensive experience in the field, dive into best practices for effective incident response, and examine evolving trends that are making incident response plans a mandatory part of organizational security strategies. Whether you’re building your first plan or refining an existing one, this conversation offers valuable insights into staying prepared in today’s dynamic cybersecurity landscape.
-
35
#35: The Dirty 13 | Poor Password Management Risks
From the 'Dirty 13' series, this episode tackles one of the most pervasive cybersecurity issues: poor password management. Join us as we explore the risks of sharing, reusing, and creating weak passwords—and share six simple steps to strengthen your security.

Learn how to safeguard your accounts and reduce vulnerabilities. Don’t miss out on practical tips and expert insights!

Want quick tips on how to make a really strong password? Download our infographic: How to Make a Really Strong Password - 6 Quick Steps Infographic

Learn more about password best practices. Check out our blog: What's a Good Password? Security Best Practices for Creating Smarter, Stronger, and Less Annoying Passwords

Explore more topics from the Cash in the Cyber Sheets - Dirty 13 series:
- Bad Data Classification
- Most Common Data Backup Failures
- Most Common Physical Information Security Audit Findings
- Backup Restore Testing
- MSP Misconceptions
- Incident Response Management
- Supplier Risk Management
- Audit, Logging, & Monitoring
- Inadequate Employee Security Awareness & Training
-
34
#34: BOI Requirements Change Again, Again
Small businesses across the U.S. are caught in a whirlwind of confusion as the Corporate Transparency Act (CTA) faces ongoing legal battles. With reporting requirements for Beneficial Ownership Information (BOI) being halted, reinstated, and halted again, where does this leave business owners?

In this episode, we unpack the legal tug-of-war over the CTA, explore what this means for small businesses, and provide actionable insights to navigate the uncertainty. Whether you're a small business owner or a compliance professional, this episode is your guide to staying ahead in a turbulent regulatory landscape.

Read more on the Input Output blog at: https://www.inputoutput.com/blog/legal-battle-over-boi-reporting
-
33
#33: BOI Reporting Reinstated | What Businesses Must Know
In this solo episode of Cash in the Cyber Sheets, we dive deep into the reinstatement of Beneficial Ownership Information (BOI) reporting requirements under the Corporate Transparency Act (CTA). With recent legal twists, including a federal injunction and a subsequent court decision lifting it, businesses are facing a fresh wave of compliance obligations.

We’ll walk you through:
- The history and importance of BOI reporting in the fight against financial crimes.
- Key milestones and legal developments, from the CTA’s inception to the Fifth Circuit's reinstatement of reporting requirements.
- Practical steps for compliance, including the information businesses need to gather and how to submit it to FinCEN.

Whether you’re a small business owner scrambling to meet the new deadlines or just someone curious about how the U.S. is tackling corporate transparency, this episode has everything you need to know. And yes, there’s some dry humor sprinkled in to keep things lively—because financial compliance shouldn’t feel like a life sentence (even if non-compliance might).

Don’t miss it—your business (and wallet) will thank you.
-
32
#32: The Dirty 13 | Bad Data Classification Practices
In this episode, James continues the “Dirty 13” series, tackling one of the most common and costly audit findings: poor data classification.

Without a structured approach to labeling and protecting data, organizations are left vulnerable to security breaches, compliance failures, and wasted resources.

Join James as he explores:
- Why data classification is a cornerstone of effective information security.
- The risks of neglecting classification, from financial losses to reputational damage.
- Input Output’s tiered classification framework, designed to protect data while streamlining operations.
- Practical steps to build and implement your own classification system.

Data classification isn’t just a security checkbox—it’s a strategic tool that can save your organization time, money, and risk.

Want to go deeper? Check out our accompanying blog article for a more detailed look at strategies, frameworks, and tools to strengthen your classification practices: Why Poor Data Classification is a Cybersecurity Risk Your Company Can’t Ignore

Explore more topics from the Cash in the Cyber Sheets - Dirty 13 series:
- Poor Password Management
- Most Common Data Backup Failures
- Most Common Physical Information Security Audit Findings
- Backup Restore Testing
- MSP Misconceptions
- Incident Response Management
- Supplier Risk Management
- Audit, Logging, & Monitoring
- Inadequate Employee Security Awareness & Training
-
31
#31: The Dirty 13 | Most Common Data Backup Failures
In this episode of our Dirty 13 series, we dive into one of the most overlooked yet critical audit findings: poor backup practices. While backups are a cornerstone of data security and business continuity, many financial firms struggle to implement them effectively. From backups stored on the same systems they’re meant to protect to schedules that fail to meet regulatory retention requirements, we explore the most common failures—and their serious consequences.

We’ll also discuss:
- The risks of incomplete system coverage.
- Why short backup retention periods can derail compliance efforts.
- The importance of encryption and routine testing to ensure backup integrity.

Join us for actionable insights and practical strategies to strengthen your backup approach and avoid these all-too-common pitfalls. Don't let a poor backup strategy put your business at risk—tune in now!

Read more about these backup failures, and their remedies, at: Data Backup: Six Common Backup Failures That Can Derail Your Business

Listen, learn, and take action.

Explore more topics from the Cash in the Cyber Sheets - Dirty 13 series:
- Poor Password Management
- Bad Data Classification
- Most Common Physical Information Security Audit Findings
- Backup Restore Testing
- MSP Misconceptions
- Incident Response Management
- Supplier Risk Management
- Audit, Logging, & Monitoring
- Inadequate Employee Security Awareness & Training
-
30
#30: Major Victory over the CTA and BOI
In this episode, we explore the recent court decision blocking enforcement of the Corporate Transparency Act’s reporting requirements. We break down what the CTA entails, why it faced legal challenges, and how this ruling impacts small businesses nationwide. Discover how this decision protects privacy, reduces regulatory burdens, and what it means for the future of small business compliance.
-
29
#29: Building a Culture of Gratitude in Cybersecurity
In this special Thanksgiving episode of Cache in the Cyber Sheets, we take a moment to step back from the usual technical deep dives and focus on the theme of gratitude. As cybersecurity professionals, we operate in a fast-paced, high-stakes environment, often facing immense pressure and increasing scrutiny. Yet, amidst the challenges, there's so much to appreciate.

In this episode, we:
1. Reflect on the critical work of cybersecurity teams who keep systems secure, recover from incidents, and drive innovation under intense pressure.
2. Explore how artificial intelligence has sparked more robust conversations around data security and compliance, shining a necessary spotlight on key issues.
3. Discuss the personal and organizational impact of fostering a culture of gratitude, including practical methods to integrate thankfulness into everyday workflows and meetings.
4. Share insights into how gratitude can enhance teamwork, build relationships, and improve workplace morale.

We also provide actionable tools, including a list of 20 ways to express gratitude to partners and employees, and templates to help you get started. Whether it’s calling out a colleague for their extra effort or expressing appreciation to vendors, gratitude has the power to transform how we work and lead.

Grab them here: 20 Ways to Show Gratitude & 4 Email Templates

Tune in as we dive into the profound ripple effect gratitude can have—both in the cybersecurity industry and in our personal lives.
-
28
#28: The Dirty 13 | Common Physical Security Findings
In this episode of Cash in the Cyber Sheets, we dive deeper into the Dirty 13—the most common findings from information security audits. From daisy-chained power strips to sticky-note passwords, we unpack how these seemingly simple issues pose serious risks. Building on our latest blog, we highlight overlooked physical security controls, legal hazards like unmaintained fire extinguishers, and the dangers of unsecured visitor access. Tune in for practical tips, real-world examples, and a few laughs as we explore how to address these low-hanging fruits before they lead to high-stakes consequences.

Read more at: The Dirty 13: The Most Common Audit Findings in Physical Information Security

Explore more topics from the Cash in the Cyber Sheets - Dirty 13 series:
- Poor Password Management
- Bad Data Classification
- Most Common Data Backup Failures
- Backup Restore Testing
- MSP Misconceptions
- Incident Response Management
- Supplier Risk Management
- Audit, Logging, & Monitoring
- Inadequate Employee Security Awareness & Training
- Inadequate Risk Management in CPA Information Security Programs
HOSTED BY
James Bowers II