Nathan Austin of Mytech Partners: Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information

Published in Authority Magazine · 13 min read · Dec 12, 2021

Know your assets. You can’t protect what you don’t know exists. Data, physical assets and cloud services need to be identified so you know what data lives where in order to secure and protect your customers’ information.

It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Nate Austin, vice president of business development for Mytech Partners, Inc.

Nathan Austin brings over 20 years of IT business management experience to his current position as VP of Business Development. After co-founding Mytech Partners in 2000, he has focused on helping clients achieve four times more value and productivity from their IT investments through implementing a proven IT strategy that is aligned with client goals. Mytech serves the small and medium business community as a Managed Services, Security and Consulting Provider and strives to “Make IT Easy” for the respective clients they serve. Additionally, Austin is the author of the upcoming book: “Capitalism & Community: a partnership for a better tomorrow”.

Austin is active in both the business and IT communities, speaking at events nationwide, and at international industry peer groups, vendor partner events and technology trade shows. As part of the national IT community, Austin has participated in the Heartland Technology Group (HTG) peer organization since 2006 (now IT Nation Evolve Groups), and for seven of those years he facilitated one of the owner peer groups. In addition, he served on the board of a local Minneapolis non-profit called Cookie Cart for seven years, an organization providing life and job skills through youth employment at two Twin Cities, MN bakeries.

At home in Minnesota, Austin married his beautiful wife Shaina in 2013, and feels blessed to spend life with his best friend. Austin also earned a black belt in Tae Soo Do, and for balance and recreation enjoys reading, running, fishing, golfing and snowboarding.

linkedin.com/in/nathanaustin

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

What I remember about growing up is that I was involved in lots of activities: from sports to school clubs, youth groups, and speech and debate clubs. I also had a paper route. I really enjoyed the different experiences and engaging with all the different types of people across the varied activities.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

Ever since I had a paper route as a kid, I knew I wanted to own my own business, but I didn’t know exactly what kind of business. I worked in restaurants for several years and was getting burned out. The year was 1999 and the technology industry was booming. So, I left my job as a restaurant manager to get some Microsoft Certifications. I remember seeing a segment on the news with an IT company discussing Y2K and potential impacts to business. I remember saying to myself at that moment that I wanted to start an IT consulting business. What I didn’t know is the course of events that would lead to starting Mytech less than a year later.

Can you share the most interesting story that happened to you since you began your career?

One story that comes to mind is about a client in the medical industry that had recently completed an acquisition of another medical practice. The company had completed its due diligence process prior to the acquisition; however, they did not investigate any of the technology or IT systems. Mytech was hired to complete the integration of the new locations’ systems into the larger organization. Shortly after we started working on the integration plan, we found an active breach (meaning hackers were actively working in their system) in their primary practice management and electronic medical records systems. Neither the acquiring nor acquired entities knew this was happening. We stopped our integration efforts, and got the executives, insurance and legal representatives involved so they could not only handle the attack, but determine how to handle customer communication, any regulatory reporting and any claw-back options financially due to the undisclosed (and unknown) active breach at the time of acquisition. This story is one of many similar situations where technology can be an asset and a liability. We have seen both sides over the years and we hope that by sharing stories like this other business leaders can avoid experiencing the same mistakes.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

One person was a major catalyst by inviting Mytech to participate in an IT company peer group. His name is Arlin Sorensen. Back in 2006, we met Arlin at an IT conference. He invited us to participate in a new IT Company Peer Group that he was starting later that year. The concept of sharing financials, best practices (if we had any) and how we ran our business with our competitors did not seem like a good idea, but we gave it a shot. That decision and our future involvement in this group (in which we still participate to this day) has made all the difference in our ability to grow a quality company with a great culture! I am very thankful that we serendipitously ran into Arlin, and thankful for his vision, leadership and eventual friendship.

Are you working on any exciting new projects now? How do you think that will help people?

The most exciting new project we are working on now is helping organizations adapt technology to support their hybrid remote and on-site workforce. This includes conference room experiences and sharing white-board collaboration sessions with remote team members, better collaboration capabilities for documents, improving phone/voice services for remote workers and more dynamic security to account for home offices. Nearly every organization is evaluating how they are going to adapt to the hybrid workforce and how they can best support their team to stay healthy and productive. From a technology perspective, we are investing in solutions that we can deliver to our clients to help them today, and that support the future of hybrid work.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

There are three tips that have helped me maintain a decent work/life balance over the years. I am not perfect at consistently executing these, and life ebbs and flows, but in general these three tips have helped me feel at peace relative to my work and personal life to avoid burnout.

  1. Mindset. At some point in my career, I came to the conclusion that your to-do list will never be done. Your work will be there tomorrow; and the world miraculously doesn’t stop when you are not able to meet a deadline. Deadlines are important, but your health and mental wellbeing are MORE important. Being at peace with this reality has helped me stave off burn out over the years.
  2. Check yourself with your partner and/or team. This is where you need to have some confidence AND humility to receive feedback on how you are impacting your home life (partner/spouse), and your work life (team). Find a way on a regular basis (no less than quarterly) to get feedback on how you are doing from their perspective. Be open to candid feedback so you do not get defensive; and consider adjusting your behavior. This will have a positive impact on the people with whom you live and work, and will help you avoid burnout.
  3. Make time for what’s important. This seems obvious, however, too often busy professionals have their day filled with endless meetings and no time to actually get tasks done. The work ends up being done after hours or squeezed into cracks where the quality of work can suffer. Neither scenario is a recipe for success. Evaluate your most important activities (personally and professionally) and the amount of time you can or should allocate to them weekly, monthly and quarterly. Block off time on your calendar for the most important activities based on the time you should allocate to those tasks. This will not be perfect and inevitably those time allocations may need to adjust; however, you are at least starting to be realistic about what you can accomplish in a day and creating space to avoid burnout.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

There isn’t a one-size-fits-all answer for every business. There are state, national and international regulations associated with protecting customer/client data depending on the geographies, industries, clients you serve, and the type of data you store. In general, our security assessor describes a “Prudent Person Principle” that is often applied if you are going through an audit, investigation, regulatory review, etc.: Can you demonstrate that you have completed due diligence and are taking steps to continually assess and improve your security posture? No business can solve every problem at the same time; however, you can make sure you are aware of the risks (complete an internal and/or external security assessment); prioritize which risks you are going to address according to their severity, impact and cost to mitigate; and demonstrate that you are following your plan or at least incrementally addressing the risks identified. Knowing your unique requirements and risks, and consistently demonstrating due care to continually improve how you protect your customers’ and clients’ data, is about the best that any organization can do. If a bad actor is out to get you, they will infiltrate your security — which is scary.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

There are industries where regulations define the requirements for how long client/customer data needs to be retained. Outside of adhering to any legal and/or regulatory compliance, very few small and medium businesses (SMBs) have a documented data retention policy.

Based on our experience of working with the SMB market for more than 20 years, the default document retention is everything forever. Unless someone spends the time to destroy data (which is rare), businesses have decades of information sitting idle in their file repositories. There are three key points that organizations should take from this question:

One, due to the risk of data being accessed and exfiltrated by bad actors, the current recommendations are to only retain the MINIMUM amount of data necessary to serve your clients and customers as protecting data is expensive; and Two, define your document retention policy to adhere to your legal and regulatory requirements (if any), or to the minimum length of time necessary to serve your customers and clients; and Three, once you have your document retention policy in place you need to adhere to the policy and ensure you have processes in place to destroy data that falls outside of your document retention policy definitions. If you define a policy and you do not abide by the definitions, you are open to more liability if/when a data breach or any legal proceedings occur.

In the face of this changing landscape, how has your data retention policy evolved over the years?

We continually evaluate our policy, as states such as California and Colorado have passed privacy rules for data and we work to annually review where we can improve. Also, many organizations do not have a data retention policy. Regulatory industries SHOULD have one but don’t always have a policy defined that meets or exceeds the compliance requirements. Another challenge driving how data retention policies are evolving is relative to backup requirements for regulations like GDPR. If you are subject to GDPR and someone requests for you to delete their personal data, the data must be removed from production AND backups that could go back YEARS! Due to the storage, backup and security expenses associated with data retention, the evolution of data retention policies is moving towards keeping the LEAST amount or the minimal amount of data to reduce the liability and risk of a breach.

Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?

The most important aspect of our data retention policy is that we do not hold any client data. We do not store any credit card data. We hold information about our clients so we can effectively support them, however, we do not hold any of our clients’ data on our systems. That intentional part of our policy is to remove some of the risk by simply not allowing the risk to exist in the first place. Additionally, we are working to secure the data with multi-factor authentication; encrypting data in transit and encrypting some data at rest; and employing a most-restrictive access method where team members do not have access to data unless their role requires it. This is a constant evaluation of security protocols and authentication methods to incrementally improve our posture.

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

The Managed Services Provider (MSP) Industry has not had anything significant directed toward our space, but we believe some regulation is coming due to incidents where MSPs were shown to be negligent, or a source of the attack. And there really isn’t any pending legislation that has our team worried currently. Candidly, I welcome additional scrutiny on the IT industry and more support from entities like the Cybersecurity & Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST) and even having the Insurance Industry adhere to security requirements for underwriting Cyber Liability policies. The Small and Medium businesses of this country will not be protected until a higher bar is set for security expectations. Companies cannot protect the data they are trying to retain unless they have a robust security program that protects their critical assets. but our clients and their respective industries medical, manufacturing, financial, supply chain, utilities etc.

In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?

The most readily available tools, that have evolved in recent years, leverage some of the data protection and retention capabilities of Microsoft 365 and SharePoint. Data can be categorized by content (such as credit card number or social security number) or by setting (like confidential, sensitive, or top secret). Once you organize and categorize your data by content or by setting, you can apply a policy to define how to handle that data. You can retain that data; you can prevent that data from leaving the organization and many other options for how that data is treated. This technology is referred to as Data Loss Prevention (DLP). It does require some planning to organize and categorize your data but when you do, you can apply policy to significantly increase your security posture and data retention capabilities.

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

For the cloud outages (one happened on Tuesday December 7th with AWS that affected some services) and major breaches that have hit close to home, we have taken those opportunities to understand what happened and work to mitigate anything similar happening to Mytech. Adapting to new security vulnerabilities is a constant game of cat and mouse and unfortunately it will never be over. The July 2, 2021 Kaseya incident that affected thousands of companies in the US is one attack that hit close to home. Even though it didn’t affect us, something similar could have. One of our peers had around 2500 company and client devices encrypted within a couple hours before the July 4th holiday weekend. We have heard some of those stories, and we are working to take precautions and adjust some operations to mitigate an attack like that from happening to Mytech and our clients.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

  1. Know your assets. You can’t protect what you don’t know exists. Data, physical assets and cloud services need to be identified so you know what data lives where in order to secure and protect your customers’ information.
  2. Know your requirements. Understanding the data you have needs to be matched with the respective requirements to store and protect that data. Compliance and regulation are complex and vary by the customers you serve, geography, industry and data stored. Ignorance will not protect you or your customers’ data.
  3. Define your company policies. Every organization has different risks and every individual has different risk tolerances. It is important to define and document how your organization, with your personal risk tolerances, chooses to handle data retention, storage and security of your customers’ information. Engage industry, legal and technical experts to help define your policies as needed throughout these steps.
  4. Build a plan. Implementing the solutions to support your company policies can be a daunting task. No business can solve every problem at the same time so build a plan that prioritizes the risks you are working on to mitigate by impact and cost.
  5. Presume breach. No business system is 100% secure, which means that a quality disaster recovery solution and incident response plan are critical to round out the storage and protection of your customers’ information. We also strongly encourage getting Cyber Liability Insurance coverage which can be extremely helpful when a cyber incident occurs.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

One of my goals is to encourage every business (owner) to identify one or more nonprofit organizations to whom they can donate their services, products, time and/or money. If every for-profit business aligned with one nonprofit organization, every nonprofit in the US would have at least eight (8) companies supporting their mission to improve the communities in which we live, work and thrive!

How can our readers further follow your work online?

The best place would be Mytech.com, and I am always happy to connect with other professionals on LinkedIn.com/in/nathanaustin.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
