What happens when the news cameras show up and your business grinds to a halt? Donna Grindle, CEO of Kardon, returns to discuss the "hair on fire" reality of a data breach. We move past the paperwork to explore why "calling IT" isn't a plan, the hidden costs of notification letters, and how insurance mazes can complicate your recovery.

Key Takeaways

• "Call IT" is Not a Plan: During a breach, IT will be busy containing the threat; you need an operational plan for when systems and phones go dark.
• The Paperwork Trap: Reverting to paper records stops cash flow because you aren't sending claims or bills—plus, you eventually have to manually re-enter all that data.
• Media & Legal Circus: If 500+ records are hit, you must notify the press. This often triggers immediate "ambulance chaser" lawsuits on social media.
• Tabletop Exercises: Don't find gaps in your plan during a crisis. Run practice drills to know who is authorized to speak for the company and what vendors to call.
• Insurance Realities: Open claims immediately to protect legal privilege, but be ready for insurance-mandated vendors that may span several time zones.
  
  

"Take ownership of it. Don't assume that somebody else in your office is handling it... You will likely lose your business or be on the verge of it if you are not prepared in some way." — Donna Grindle 

Key Concepts:

Security Incident vs. Data Breach - A security incident is a panic-inducing event that requires investigation, but it may or may not officially escalate into a data breach that requires regulatory reporting.

Incident Response Plan (IRP) - A comprehensive strategy that covers far more than just IT recovery; it must dictate how you communicate with employees, vendors, and clients during a crisis.

Tabletop Exercise - A low-stakes practice run of your Incident Response Plan to poke holes in it before an actual emergency. It helps you figure out exactly who is in charge, who you are calling, and who is authorized to speak publicly.

Links:

Kardon: https://kardonhq.com/

Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

Timestamps

00:00 – Intro

00:54 – Cyber Incidents vs Breaches in a HIPAA Context

01:26 – Why Operational Continuity Cannot be an IT Responsibility

03:02 – Questions to Ask During a Tabletop Exercise

03:50 – Talking to Patients on Facebook

04:06 – More Questions to Ask During a Cyber Incident

05:13 – Even "Calling My MSP" Isn't an Incident Response Plan

05:37 – When a Cyber Incident Becomes a Breach

06:09 – "Can't We Just Send a Postcard?"

06:32 – Steps to Respond to a HIPAA Breach

09:03 – Final Summary: Shifting to Active Security Ownership

09:59 – Where to Find Donna Grindle & Kardon

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Are your IT or cloud providers handling your security? Does your site claim you're "HIPAA Compliant"? Donna Grindle, CEO of Kardon and co-host of Help Me With HIPAA, delivers a massive reality check for small business owners. We break down the difference between gap analysis and a true SRA, why IT speaks a different language, and how the "CREMATE" method finds your data.

Key Takeaways

• Responsibility Can't Be Outsourced: Cloud apps and IT companies don't make you secure; you outsource liability, not responsibility.
• Real SRA vs. Gap Analysis: If your risk analysis lacks likelihood, impact, and strategy, it’s just a gap analysis—and you're exposed.
• CREMATE Your Data: Map PHI by tracking where you Create, Receive, Maintain, and Transmit it
• Business Associates (BA): If unauthorized access by a vendor would count as a breach, they are a BA.
• Documentation & AI: Use AI to draft policies from your bullets, but treat it like a fallible assistant and always verify the output.
• Frameworks: Use HICP 405(d) to get IT and management speaking the same security language.

"If you put on your website that you're HIPAA compliant, immediately I'm concerned." — Donna Grindle

Links:

Kardon: https://kardonhq.com

Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

HHS Website: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html

HICP 405(d) Guidelines: https://405d.hhs.gov/

Timestamps

0:00 – Why a "HIPAA Compliant" Badge is a Red Flag

1:26 – Understanding HIPAA Covered Entities & Obligations

2:14 – The Difference Between Awareness Training and Security

3:18 – Why Your SRA Might Just Be a Gap Analysis

4:40 – Building an Inventory: You Can’t Protect What You Don’t Find

6:22 – Using the "CREMATE" Method for Data Mapping

8:21 – Why IT Cannot Be the "Department of No"

9:40 – Standardizing Communication with the HICP 405(d) Framework

10:41 – How to Document Your Policies (and Use AI to Help)

12:39 – The Easy Way to Tell if a Partner is a Business Associate

13:50 – Business Associate Red Flags

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

"I can’t think about cybersecurity this week; I’m thinking about 1099s."

You’re not alone. Many SMBs see the NIST Cybersecurity Framework (CSF) as an overwhelming manual for government contractors, not a local shop or startup. 

Jen Stone sits down with Daniel Eliot, NIST’s lead for small business engagement. We break down the new NIST CSF 2.0 Small Business Quick Start Guide —a "small-chunk" resource designed for under-resourced organizations to move from chaos to a structured program. 

In this episode:

• Why having "everyone" responsible means "nobody" is.
• How to build a "reasonable" security program while managing payroll and daily operations.
• Why taking security seriously helps you win bigger contracts and scale safely.
• The exact steps (MFA, patching, backups, and more) that even large orgs get wrong.

NIST Resources

• NIST (National Institute of Standards and Technology): https://www.nist.gov/
• Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
• NIST CSF 2.0 (Cybersecurity Framework): https://www.nist.gov/cyberframework
• Small Business Quick Start Guide: https://www.nist.gov/publications/nist-cybersecurity-framework-20-small-business-quick-start-guide
• Contact Daniel and his team: [email protected]

Key Term Definitions

• The 6 Functions: Govern, Identify, Protect, Detect, Respond, and Recover
• MFA: Multi-Factor Authentication—essential for account access. 
• Patching: Updating software to fix security "holes." 
• MSP/MSSP: Local experts you can hire to manage IT security. 

Timestamps

• 00:00 – Many hats of small business owners
• 00:26 – Daniel Eliot and NIST’s Mission
• 02:25 – Exploring the Small Business Cybersecurity Corner
• 03:20 – What is the NIST CSF?
• 04:26 – The Small Business Quick Start Guide for CSF 2.0
• 06:52 – How to Identify Your Most Critical Assets
• 09:56 – When to Seek Help: Engaging MSPs and Local Resources
• 10:52 – Defining a "Successful" Cybersecurity Program
• 13:21 – Essential Fundamentals: MFA, Patching, and Backups
• 15:35 – How to Engage Directly with NIST 

Jen Stone (MCIS, CISSP, CISA, QSA) is a Principal Security Analyst at SecurityMetrics. With 25+ years in IT and 100+ high-level assessments, Jen specializes in making complex compliance actionable for businesses of all sizes. Outside of security, she is an aerial arts enthusiast and motorcycle rider. 

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

In this episode of Practical Cybersecurity, host Jen Stone talks with Curt Dukes, EVP and GM of Security Best Practices at the Center for Internet Security (CIS). Drawing on his 30-year career at the NSA, Dukes breaks down how small and medium businesses (SMBs) can implement "good enough" security without unlimited resources. The conversation focuses on Implementation Group 1 (IG1)—a prioritized set of safeguards that provide essential "cyber hygiene". Dukes introduces free resources like the CSAT (Controls Self-Assessment Tool) and CIS Workbench to help leaders move past the intimidation of technical jargon and establish a "standard of reasonableness" for their organization's defense.

CIS Resources

• 
  CIS (Center for Internet Security): The nonprofit organization that creates the global standards discussed in this episode.
• NSA (National Security Agency): The U.S. intelligence agency where Curt Dukes led defensive security efforts for 30+ years.
• IG1 (Implementation Group 1): The essential "Cyber Hygiene" tier of the CIS Controls designed for small businesses.
• CSAT (Controls Self-Assessment Tool): A free web-based application to track and measure your security progress.
• CIS Workbench: A collaborative platform to ask technical questions and get help from the security community.
• CIS RAM (Risk Assessment Method): A free methodology to identify security gaps and prioritize investments based on risk.
• CIS Benchmarks: Free, consensus-based configuration recommendations for OS and network devices.
• MS-ISAC (Multi-State Information Sharing and Analysis Center): The division of CIS providing threat intelligence for state and local governments.
• EI-ISAC (Elections Infrastructure ISAC): A dedicated team at CIS focused on securing election-related systems.
• The Community Defense Model (CDM): A data-driven report proving the effectiveness of the Controls against top cyber attacks.
• The Cost of Cyber Defense: A breakdown of the financial investment needed for various security models.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

In this webinar, Matt Halbleib (Director of Assessments) and Lee Pierce (Director of HITRUST Sales) will discuss:

• How to determine which HITRUST Assessment type to choose
• How to prepare for a HITRUST Validation Assessment
• What to expect from a SecurityMetrics HITRUST Assessment

Ready to discuss your HITRUST needs? Request a quote here.

Read our new HITRUST 101 White Paper here.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Learn more about cyber risks for small businesses: 

Are you a small-medium business owner? Did you just get a message from your bank telling you to call SecurityMetrics? Are you worried about having a bad experience? Do you know what PCI even means? This episode is for you.

Learn how SecurityMetrics can help you navigate this regulatory landscape. We'll discuss:

• Why your processor is making you do PCI compliance: Did you know that nearly half of all cyberattacks target small businesses?
• What calling into SecurityMetrics looks like. Learn what information you need handy so you can get your compliance done as quickly as possible, and the questions you should ask to get the best service.
• Support Stories: Discover how other small businesses have successfully leveraged SecurityMetrics to achieve compliance.
• Tips and Tricks: Get practical advice on how to optimize your PCI compliance efforts and minimize risks, keeping your business and your customers more secure.

Whether you're just starting your PCI compliance journey or looking to improve your existing processes, this video will provide valuable insights and actionable advice.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Join us on this extra long episode as SecurityMetrics experts Jen Stone, Gary Glover, Aaron Willis and Chad Horton dive deep into the evolving landscape of PCI compliance for e-commerce businesses. With the deadline for PCI 4.0 rapidly approaching, understanding the new requirements for e-commerce is crucial.

In this episode, our panelists discuss:

• Understanding PCI 4.0 for e-commerce: Learn about the key changes and their implications for your business, especially if you're a small or medium-sized enterprise.
• Combatting e-commerce skimmers: Discover how attackers target online transactions and the measures you can take to protect your customers' data.
• The power of script analysis: Understand how script scanning can help identify and mitigate vulnerabilities on your e-commerce website.
• Securing dynamic content: Explore the challenges of protecting websites with constantly changing content.
• Choosing the right security solution: Weigh the pros and cons of agent-based and agentless solutions, considering the specific needs of your business.

Whether you're a seasoned PCI professional or just starting your compliance journey, learn this episode provides valuable insights to help you safeguard your e-commerce business and protect your customers' sensitive information.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Download the guide: https://www.cisecurity.org/insights/white-papers/from-both-sides-a-parental-guide-to-protecting-your-childs-online-activity

Are you a parent looking for guidance on how to keep kids safe online? Join us for a candid conversation with Sean Atkinson, CISO at the Center for Internet Security, and his daughter, Emma, as they discuss their journey of creating a guide designed to help families have conversations about online safety.

In this episode, you'll learn:

• Why open communication is key: Discover how Sean and Emma fostered an environment of trust and understanding about online safety.
• Common online dangers: Understand the risks your child may face, such as sharing personal information, cyberbullying, and meeting strangers online.
• Practical tips for parents: Get actionable advice on how to set boundaries, have difficult conversations, and create a safe online space for your child.

Whether you're a new parent or a seasoned digital native, this podcast will help you start conversations and find resources to help you protect your child in the ever-evolving online world.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Links from the episode:
https://405d.hhs.gov/

Discover the latest trends and threats in healthcare cybersecurity. This episode explores the real-world impact of cyberattacks on patient care, the vulnerabilities of medical devices, and the strategies organizations can implement to protect their sensitive data.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Confused about PCI DSS compliance standards? This video breaks down each available SAQ type, including: SAQ-A, SAQ P2PE-HW, SAQ D for Service Providers, and the newly introduced SAQ SPoC for PCI DSS 4.0.

Learn which one is right for your business based on your payment processing environment.

Learn about:

• Different SAQ types for merchants
• Eligibility criteria for each SAQ type
• Factors to consider when choosing a SAQ type
• Simplifying your PCI compliance

Listen now to learn what your business can do to protect itself from data breaches and be compliant.

#PCIcompliance #paymentsecurity #merchant #smallbusiness #cybersecurity

https://www.youtube.com/watch?v=XoR0Tt8uHl4 

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/