Security is no longer optional, and heading into 2026, OEMs are making that expectation unmistakably clear.
Automotive cybersecurity has shifted from a background concern to a front-line business requirement, driven by rising threats, regulatory pressure, and real financial consequences for dealers and vendors alike.
In this episode, Russell and Charity dig into the accelerating changes reshaping how the industry must think about security, risk, and accountability.
A major focus of the conversation is Mercedes-Benz’s new security certification and audit mandate, a move that signals a significant shift in how OEMs are enforcing cybersecurity standards. The discussion explores what compliance actually looks like, how these requirements impact daily dealer operations, and why this mandate may set a powerful precedent across the automotive ecosystem.
From class-action lawsuits influencing OEM policy to AI-driven attacks eliminating the ability to “fly under the radar,” the episode breaks down why strong IT and cybersecurity infrastructure is no longer just protection—it’s a competitive advantage.
The episode features Justin Shanken, a former Counter-Intelligence Agent and the Chief Security Officer of the Security Division at Intelligent Technical Solutions / Black Breach.
Justin brings deep real-world expertise to the conversation, offering clear insight into emerging threats, practical strategies dealers can implement today, and his outlook for dealer security in 2026.
His perspective bridges national-level intelligence experience with the realities of automotive retail, making this a must-watch conversation for anyone responsible for protecting their organization’s future.
Read the Transcript
Russell B. Hill:
Hello everybody, I’m Russell Hill. I’m your host of WTF and that is what the fix stops to all of you. And today I’m joined by.
Charity Dunning:
Hello, everyone. I’m Charity, the co-host here, and we’re really excited. We have Justin Shanken back with us. He’s the chief security officer of the Intelligent Technical Solutions division of Black Breach of the security division. Justin, you’re gonna tell us about that. He is back for a then and now episode. You’re our first guest of 2026. And we’re gonna hear about
the cybersecurity issues that are affecting dealers in the coming year. So Justin, tell us your title has changed, things have been mixed up a bit. Tell us about.
Justin Shanken:
Yeah, so exciting stuff for BlackBreach and for us. As you know, last time I was on the show I was CEO of BlackBreach. We’ve been acquired by ITS. So that’s Intelligent Technical Solutions. They’re a very large IT firm that really wanted a heavy hitter cybersecurity element, right? There’s a lot of IT companies out there and I think what we found is just because you have that golden wrench doesn’t make you the mechanic, right? So
to be needed a bunch of mechanics. So that’s where we came on. And so now my new role, I’m the chief security officer of the whole enterprise. And Black Breach is now the name of our security division. So we still have Black Breach. It’s just the name of the security, we keep it separate, because we still believe in that Fox can’t guard the hen house. So as I manage that, we have our security division as a separate piece. And we’ve been doing great things. We’re, we’re very excited.
Charity Dunning:
Excellent. Well, you told us that there’s some news that’s coming out in this coming year that affects dealers and OEMs and we’re the first to hear about it. So tell us about that.
Russell B. Hill:
Big news everybody. Come on, lay it on Justin.
Justin Shanken:
Big news laying it on. All right. So here’s what we got. Everybody’s familiar with the FTC and what’s been going on with that. And this news is predicated to cybersecurity, right? And what their compliance are. Well, Mercedes, and if you are a Mercedes dealer or you have an automotive group that has a Mercedes dealer within the group, you are now accountable. Mercedes is the first OEM to come out and say, hey, we’re taking cybersecurity seriously to the next level and you have to have
by the end of 2026, what’s called ISO 27001, or it’s called TISAX. They’re two very similar certifications. And you have to have that ready by the end of the year for your, not just cybersecurity, but your IT infrastructure. It’s actually broader. Now, cybersecurity is a very large element within that, but there’s even little touches of physical security.
There’s a lot in IT, there’s a lot in pay. It’s going to be a very big undertaking and the average dealer, it takes about a year to get it done, let alone you have to be audited for it to be approved. So you have to pass an audit at the end of it. So this is a very big initiative from Mercedes-Benz and Mercedes-Benz USA.
Russell B. Hill:
Is it just Mercedes-Benz?
Justin Shanken:
It is currently today. However, so we’ve seen this in the cybersecurity world. Europe, I think we’re all familiar with the terms like GDPR, right? They were the first ones to kind of take these leaps and go, hey, we need to have these extra protections. And I think you’re starting to see European OEMs doing the same thing. And if I were a betting man, I could see the Audis and BMWs and other coming along very quickly.
let alone probably really soon now that the initiative is going in that direction. The drive from the OEM is maybe even Japanese models, et cetera. OEM is going this way too. But for right now, as of today, it’s just Mercedes.
Now, what does that look like for dealers? Do we know specifically what that looks like or what they’ll be required to do or what exactly they’re trying to look out for?
We do. So ISO 27001, you don’t have to know that acronym. I mean, if you’re a Mercedes dealer, you’re going to have to learn it. But that is a type of compliance that is very well known and it’s global. That’s kind of why they went with that. There are others we’ve heard of that are like NIST and they’re all good, but TISAX is a newer one. It’s actually for automotive. The A in it literally is for automotive. It’s built off of this ISO model.
But it’s a little more streamlined because they know in bigger companies ISO may cover many things, but in automotive you don’t really need all that. So they created this and at ITS and Black Breach, we have actually started working with that organization to become an auditor with them to better understand it because it’s very European. So we do know what’s needed. The problem is it’s very deceiving. So you would think, oh man, I’ve got all the way through 2026 to get this done.
anyone that has gone through an ISO, let alone an audit, it takes a year to get this right. It takes nine months to get these things set up and ready. So it is something that if you have a Mercedes Benz dealership within your auto group or your one rooftop shop, this is something you’re going to have to really look at very quickly and make some adjustments. The very first thing that all of our dealers are doing, because we cover a lot of Mercedes Benz,
is we have to do a gap assessment. And so we come in and we do this gap assessment and show them, hey, this is how far off your mark. And the problem is it just depends on the dealer. Some are very close and they’ve already been doing these things. Some are not so close. Some are good in two thirds of the areas. So we really have to identify that and create that roadmap and then just kind of follow the old break road.
How are the dealers receiving this news? I mean, it’s like, because I wasn’t a dealer, I was a general manager. It’s like, this is kind of like foreign language kind of stuff to me. So yeah.
It is as expected, right? Dealerships like to push back on everything, right? Yeah, who knew, right? Who knew? However, one of the things that’s been a little interesting, so we are working hand in hand with Mercedes-Benz USA, right? We’ve already worked and spoke with some of their C levels in this, and they are very adamant about having strong vendors and partners like us that know this space obviously really well.
One of the things they want though, ironically, is your question, Russell, how are the dealers handling it? You would think they would know that, but they really don’t. They don’t really know. Are they far off the mark? Are they all just kind of one step away? Is it going to be very expensive? What is this ask? And so that’s been the challenge right now for everyone is to kind of assess because each dealership is different. Each auto group is different. We work with many
many different sizes, scales, scopes, rooftop size, and even big ones that you would think would almost be there are not really there. And some small ones that have a smaller shop are a lot closer than you would think. So it’s been very challenging to assess that.
So change with dealers. It’s like, yeah, they’re on the cutting edge, but they also push back a lot too. Okay. Now, last time you were on the show back then, not versus now, we were talking about what happened with CDK. And is this something that’s evolved as that and many other hacks that have happened in between? And then finally,
This not only affects the dealership and maybe other OEMs will follow suit too, but how does it affect the vendors?
Yeah. These are all you pack that full of questions there. All right. Let’s let’s unravel that one step at a time. Let’s start back with CDK. Actually, let’s go back to FTC. So there’s FTC and then we had some incidents. There’s some predominant court cases right now in breaches right now. We’re following all of them. Yep.
that are paying out, and I mean one rooftop, Planet Nissan, my understanding and what we’ve got for information, they paid out, I think it was like six million dollars, like five thousand two hundred and fifty per victim. And that was one rooftop, right, and that’s out of Vegas. So those poor guys really got hit hard, and that doesn’t include the cost of the downtime, the ransomware, etc. Then there’s CDK and now we have this incident, then there’s 700Credit, then we have that incident.
I think what you’re starting to see is that the OEMs see the liability. I think they are seeing the liability not only within dealerships, but within vendors, right? You’re bringing up vendor. I’m trying to tie this all together because really it’s one ecosystem as we know. Yep. Right. And so it’s very challenging to say, only work on this, but not this. And FTC kind of did that. They were like, hey, dealer, you’re responsible for everything, including the vendors. And they go, well,
How do I know from the vendor, right? Like, they’re either writing me a thing, they’re pencil whipping something, or maybe they are proving it, or maybe they’re not. Like, what’s the expectation here, and why am I in charge of that? And so we’ve seen CDK as a vendor, 700Credit’s a vendor, right? We’ve seen these big, and a lot of times the vendors are the ones that are dealing with the PII, the private information, the stuff that we need to protect for clients and customers. So I think what’s kind of evolved to
is that the OEM or at least Mercedes-Benz in this case has said, and look, in Mercedes’ defense, they are doing the right thing. I work in automotive is just one of our verticals, right? We work in entertainment, we work in infrastructure protection, we work in, I mean, God, we work in so many different HIPAA and hospitals and I mean, you name it. Every other industry does this. This is not new.
It may be new to the automotive community, but having a framework that we do for IT infrastructure and cybersecurity is not a new thing. So for Mercedes-Benz to come out and say, hey, everyone, we’re taking this step forward. We’re making it a mandate. Now, remember, I think there’s some people that might be confused. A few months ago, Mercedes did send out a thing that said, hey, these are some recommendations. And it was kind of a shot across the bow of like, hey,
This is not that, please don’t confuse those two. This is now a mandate, it will be done and it has to be audited. You have to pay for the audit, we have to set this up and then you have to get your gold star and say you’ve accomplished this. So it’s a very different moving forward, but it is very important and frankly, after this gets done, I think this will be a thing of the past. why weren’t we always doing this, right? So.
Are vendors going to have to do something to get this gold star as well? It’s to say, okay, if you’re gold star certified, then you can continue being a vendor with us or whatever.
So I think it’s going to be similar to the FTC. ISO is very broad. It’s very large, actually 2700. TISAX is slightly more narrow, but it does encompass the vendors in many different layers. So I don’t think it will in the sense of I’m a vendor. Now, if you’re a vendor directly with Mercedes-Benz corporate, they may have that, whether it’s Europe or America, right? USA.
right now the vendors with the dealerships, it’s going to be like a trickle down effect, right? Hey, we now have to not just say we’re monitoring it, an auditor is going to come in and go, what happens from point A to point B? You have to demonstrate that. And if a vendor cannot demonstrate that to the actual auditor, well, I don’t think you’re out of here, but it will be one more expensive because how frustrating would it be would be this? Yeah.
here
Well, it’s going to be like this, hey, I’m paying for this as the dealer. We’re good because you would hire a company like us upfront to make sure you don’t want to get an audit and get a surprise. Nobody wants that, right? So we have to come in and we’re going to have to work with each vendor. We’re going to have to look at each road. I mean, it’s quite a bit to that. But if an auditor comes in and goes, hey, vendor, you blew it for them, that’s not going to be a good relationship. So that’s where you’re going to see vendor accountability.
All right. Here’s, here’s devil’s advocate. Okay. Hospitals, entertainment, HIPAA, all those things. And those places get hacked all the fricking time. So it’s like, okay, is this just another thing for somebody to make money on? Is it really necessary? I can see dealers push back and Hey, you know, Hey, what’s the deal, man? I mean,
Yeah. I look, we look at that also. again, dealerships have been targeted. We’ve seen this. yeah. So if you’re going to try to play the devil’s advocate game, and remember, I’m a former counterintelligence special agent whooped. I am very familiar whoop-de-doo with, you know, working with the attorneys and the threat scope and what happens with that. I’m very familiar with that. But the reality of it is it’s happening in this space. So if you were going to say nobody gets hit with this, why are we even dealing with it?
I think you’re going to have two bits of pushback. One, we deal with, as in the automotive industry, with a lot of private information. You do. You’re a bank at the end of the day in the sense of you’re giving out loans and credit and we’re collecting personal information and that’s how you sell vehicles. However, you’re also seeing a sense of the threat is already there, whether through vendors, whether through the dealerships, because even if
You go, well, CDK, that’s a vendor. 700Credit, that’s a vendor. Look at all the lawsuits that are happening right now. And I’m going to say this because I understand it from the attorney side. These are class action lawsuits and a class action lawsuit revolves around getting victims’ names. So you’re probably used to seeing those old commercials. Hey, did you take this pill, were you stationed here, because they had to advertise and spend money.
to get victim names to get more money, not in a breach. They go to the dark web and the cheat sheet is right there. It’s the victim names. So they’re the first ones on it now because they know how it’s extraordinarily cost effective for them to just start going, hey, you know, Susan Smith, did you buy a car at the? Yeah, I did. You were breached. Are you even aware? No, I’m not. You want to be part of our lawsuit? Sure. Put me down.
And then they get these names and it’s kind of first to it. And so we are seeing these class action suits massive. And the number one thing that they have to prove that Mercedes is trying to get away from this is negligence or gross negligence. And what that means for everyone that’s not familiar out there is that did you even try to protect it? And I think in the cyberspace in the IT realm right now, when they’re going to court, they’re not. They’re being, they’re losing these obviously going
You didn’t even do these simple ISO things or this or you don’t have a frame. How are you? And they’re losing every time. And so this is a way forward to go. Now, if you come back and say, Hey, I own Shanken Ford, Shanken Toyota, Shanken Mercedes, right? Okay, great. I have put in this framework. We’ve done all these things. We have hired these firms. We have the help. We got audited.
No one can say you didn’t try. There’s no negligence there.
I see a clear distinction in my question earlier. Clear, very clear distinction.
That’s a powerful statement. Now you can see in a courtroom where you go, I did all these things. We even had an auditor third party auditor said we were good and we got hit because things happen. How do you say we didn’t try?
Yeah. Justin, listen, I get these damn things all the time, or notifications that this bank was hit, Lowe’s was hit, Home Depot was hit, all these different places are security breaches and stuff like that. And it’s like, it’s almost like you get numb to them. Yeah.
Unfortunately, that is very true. We saw this with creditors, right? Equifax. We saw this. So I come from the land of having classified. I used to have a top secret clearance with all the bells and whistles, right? And when the OPM hack happened, Office of Personnel Management, that is literally the government organization that houses everyone’s clearance. And I hate to tell you going through that of decades myself, they know my
neighbors’ information, let alone mine. So the amount of data that was lost. So when you say you’re numb to it, I do understand. But it’s kind of one of those things. Do we just stop? No, do we quit? No, is it over? No, we tell clients like, do clients that care about, you know, their private information, because some don’t. But usually ones with higher credit scores do, right, there’s a correlation there.
And those are usually people we want buying cars. So you can’t, you know, just give up on that. and so as information evolves as well too, we need to make sure. And just so you know, just as much as the threat gets harder and harder, it’s a cat and mouse game. The blue side of it, the defense gets better and better too. So it’s not that one is really tackling the other. It’s more of that we need to invest.
huh.
in that to make sure that we’re balancing out the threat landscape. It’s asymmetrical warfare.
Yeah, well, it’s really great to see some positive steps heading in that direction because I’m kind of with Russell right after. You know, year after year, you’re part of class actions. You don’t even know it. I just got like, $9 from Facebook, like, at the end of last year, you know, my stuff is.
$10 what the hell
Hey, you get it big you got And think how much that law firm got
Right, the lawyers break out first. But it’s nice to see some changes happening and people caring because it really doesn’t feel like a lot of places do care about our privacy as much as we do.
And I will say this too. Having a good IT and cybersecurity infrastructure is good for business. It really is like I’m kind of confused when I hear the pushback of that. When you are more streamlined, whether a cloud, whether it just proper security things, it keeps these incidents that shut down business happen all the time. And most of these threat actors go after humans because we’re the soft target. Humans are we’re humans and we do silly things and
And yeah.
click on things we shouldn’t or give out information or they trick us. And really that will always be kind of the Achilles heel right now versus the technical side of like, a malware ran this way or an APT or bad threat actor works this way. So my point is that as long as we have people doing unfortunately silly things and some of these are very costly, they disrupt operations.
And having a good clean system like that is actually less expensive a lot of times because it’s leaner, right? You don’t have to have on-prem stuff. You can have cloud. If things are set up more properly, it’s kind of very efficient. So I think we need to get in the automotive space of not just looking at the lowest common. I know we do that. I know sales folks are just like, how
Let’s start negotiating the price for everything, right? And I do think that that’s a fair thing to do. But at the end of the day, you want to be lean and mean. You don’t want overhead. You want to have your infrastructure to work when you need it to and not be put together by popsicle sticks and bubble gum.
Yeah, yeah. Charity, go ahead. I got a big one. It may take the whole rest of the show, because I’m going to throw something really heavy-duty out there.
Let me clear this up before we move on to your big one. Are there any other news items coming up for 2026 that we should be aware of or our listeners should be aware of?
You know, I think that’s kind of the biggest. I do want to kind of make one more note to that. Let’s talk to the auto groups. There’s the question we’ve got because we have lots of auto groups and Mercedes just happens to be one of their rooftops and they’re going, well, well, well, do we segregate this? Do we do? You really can’t. It would almost be it’s almost like having two of everything.
Right? So the concept now I will say the good news is is that most auto groups at a certain size already function as a bigger company anyway. That’s they’re usually buying up. They usually have a budget for infrastructure like this and it’s not as new. There’s a little bit of a gray area in the middle, but but I will tell you my recommendation for that because this question comes up all the time. How do we handle this holistically? Don’t try to just piecemeal one.
It’ll get really confusing and especially when you’re going to get audited. The rest of the news. I think that’s kind of the big stuff. I think, you know, we’re seeing as you’re aware, new hacks that are happening from vendors or dealers. We’re following these class action lawsuits like we discussed. And I think when those settle, they’re going to make big news, right? Man, or you’re going to see the opposite, which we do in court cases where they settle quietly. And we don’t really see that.
But the ones that have so far made it to judgment have been kind of tough to swallow. And some of them are now at like 100 rooftops versus just one. So I can’t imagine the size and scale and scope of that. We’re just going to have to see and we have to follow that. that’s kind of that’s really the big news that we’re following into 2026 versus the threat landscape of what North Koreans are doing or
Russians or Chinese or some kid in the basement or you know what I mean? So It’s it’s part of the game
So this thing in my head, I think it’s going to, you know, maybe it just, I don’t know what’s going to happen, but so the last couple of years, two and a half years, whatever, I’ve been absorbing and learning as much as I possibly can about chatbots, AI, and it’s been, you know, really, and they’re, they’re wrong a lot of times, but you know,
That is.
recently read some reports on that too. don’t know who knows what the statistics really are, but I do know that everybody’s talking about AI AI. And it’s really been kind of a novelty now. It’s like, Oh God, here’s another AI. Everybody knows about chatbots. Everybody knows about them. Most people are playing around using it at some level or another. Now, I think 2026 things are going to really change because instead of being a novelty and people don’t really
Now it’s going to become more of utility and it’s going to start being used a lot more because we are in our company as well. Does that affect this at all? Because that’s your data that, you know what I mean? Is that. Yeah.
I’m going to, and this is, look, I do so many speakings on AI, like so many on what AI is and isn’t, and frankly, it’s so evolving so quickly. yeah. I mean, it’s just so fast. It’s very hard for even the experts to keep up with it, but I will say this.
Is there really any experts, Justin? Because when somebody tells me they’re an expert, I’m going, on what?
I don’t think you’re an expert. I think you’re a pioneer. If you’re the first person, you’re the pioneer, which makes you better than the person who hasn’t done the trail, right? But I will tell you, it’s also very challenging in the security phase. And let me tell you this. How many times, Russell, how many times have you all heard, we’re under the radar? Right? We’re too small. We’re this. AI is hitting
everything. They are setting up malware and AI because AI is not just a tool with a chatbot. It’s also being used for I mean, look, one thing I think your listeners need to understand if they don’t know already is that cyber threat and paying ransomware and all these is a billion and multi billion dollar industry and is literally the grossing
everything.
economy for some countries. I mean, it is their economy. It’s not going away. When you now add AI just like you would for any other industry. hey, we want to make it more efficient, bigger, faster, stronger, less expensive. It’s happening in this space too. It’s a business. So when you say, hey, we’re under the radar, the AI is hitting everything we are seeing.
Nope.
Big time.
It is just because it’s doing it at a rate of what a computer and not a human.
I mean, I don’t know if this is, I heard this from whatever Sundar with Alphabet, Google, et cetera, that the microprocessors are a hundred thousand times faster than the human brain.
Yeah, I always hear it in the sense of when they went to the moon, right? That a calculator, I think it was something, I don’t remember the details, but your calculator today has more computing power than they went to the moon. Yeah. And I think kind of doing, you know, I think we get into a stage of where we almost give up, right? It’s just so overwhelming.
Yeah.
I heard a very interesting thing the other day. I listen to other podcasts and experts and I love listening to scientists. And you know how we like to say, man, we don’t have any time in the day, right? We’re busy. We have no time in the day. It’s actually true that we have less time. And here’s what they mean by that. I think our parents and even the generation before us and maybe just a decade ago,
We did not have to compute as much information as we do from our phones and TV and work and always being connected, always being connected. And that is putting stress on the brain where we’re just constantly overwhelmed, let alone adding AI. So when you hear people before, we don’t have time to be bored. And frankly, they’ve shown it’s healthy to be bored, right? It’s healthy for our minds to kind of get that.
And we’re not getting that as much anymore. And with the future race of technology like AI, it’s getting less and less because someone’s always trying to sell us something or get something to us. So it is becoming kind of a drain. It’s becoming very challenging of how we’re going to handle this, let alone the attacks from this, right? We’re not as sharp. Everything looks even better. In fact, we have new tools that we’re using.
that Russell, can take, Charity, same thing. I can take your podcast and just mirror your voice. And I’m making calls as you because there’s enough information from your podcasts and your videos that we can do that, let alone I could steal your identity and deep fake. But we’ve seen that. But what we haven’t seen as much is the phone calls. And we’re doing that right now as part of our social engineering testing. So the craziest thing about AI
from this type of asymmetrical warfare is we’re using it to defend and they’re using it to create more offensive capabilities. And now it’s becoming AI fighting itself. And it’s very hard for us. We’ve seen old 80s movies where every 80s movie literally talks about this, right? Every 80s movie is like the rise of or 90s, the matrix. I mean, everything from Robocop to…
You know, I mean, that’s what this is about. And now we’re starting to see it and it’s happening so fast. We really are struggling and even in the automotive industry where we see a lot of kind of a good old boy network, right? I think I can say that right. There’s a lot of these folks that go, hey, we have to prep for this. It’s coming. And if you don’t get in front of it, it may be a survival thing at the back. I do I really think that that will be it.
Thanks, sir.
What do you think, Charity?
Oh, I think it’s fascinating and you’re right, Justin. It is overwhelming. You’re just like watching AI fight AI and you’re thinking, well, where in the world am I supposed to fit in all of this? you know, where are the good old days when you just got the email from the King of Nigeria, you know, and.
I will tell you this, we built, this is just us. We built a tool that we were like, so there’s this term called zero day. I think I mentioned it last time on the show, but it’s basically something no one’s seen, right? And those are very deadly because Microsoft hasn’t patched them. Nobody’s seen it. And so they’re kind of a silver bullet. So the reality of it is this, the minute they use it, you got to get what you need because after they do a patch, it’s dead. So you got to use that silver bullet the right time.
We created a tool that literally used AI to try to create zero days. So they can look at stuff and it’s just and it’s doing it so where we used to have to have someone that stumbled across this hole, this gap, this breach, this capability. Now we’re trying to use it ourselves to help identify it first so we can patch it as a good guys because we do a lot of hacking. We do that, but we do it in the sense of
Hey, we want to make sure that we find it first. And so within your organization, and now with AI, it’s become very sophisticated and very dangerous.
Yeah. So Justin, would you say that the main way that companies like our dealers get hacked today is still through accidents with the staff, you know, falling for one of those links in an email or, you know, another coworker being impersonated? Do you think that’s still the main way problems happen?
There is no main way, right? There’s many ways to skin a cat. However, it can be the easiest way. So remember, my job as a bad guy is to get money, right? I’m trying to make money. So that could be through ransomware, that could be through invoice fraud. So if you were doing it, we’ve seen that be the main way for invoice fraud, meaning I’m a vendor.
I’m a trusted vendor. You’ve worked with me for years. You’ve known Justin. Russell and Justin work back and forth all the time, but I get hacked and Russell doesn’t know that as the dealer. Then they’re using my email, legitimate email. They’ve hacked me and go, hey, Russell, they’ve looked and see when the invoices are. They know Russell pays me $3,000 a month on the third day. They change the invoice, but it comes at the right time. It’s the right amount of money. It’s not a million dollars all of a sudden.
All right.
They’re trying to reroute it. That’s where invoice fraud comes in. So we see that because guess what, you have to work with the controllers, the C-level, that’s people. Right? So yes, that’s kind of the main way we’ve seen that we stopped when it was 1.2 million at one time. It was they were moving into a new space. And they were paying for the movers and it was $1.2 million. And the moving company was not a sophisticated company. They got hacked.
And sure enough said, hey, wire it over here. Same amount of money, same invoice, everything looked normal. So we’re able to get in front of these things. So I think in that case, yes. When it comes to ransomware, not as much. Ransomware could come from that, like, open this email or give us credentials. But a lot of times it’s more of just getting some type of malware that can shut it down and then pay this. So there’s a lot of clever ways for them and they’re always evolving.
But unfortunately, it’s not just a silver bullet, like, let’s just train our people better. Well, we do need to do that. That’s not going to cover you still have to take care of the infrastructure side.
Yeah.
I got to tell you what, I see some very creative stuff that just, it’s like, it’s so good that I thought it was real. And I did not click on it. And because I, I remember, no, that’s not how your bank communicates with you. I mean, everything looks really legit. It’s scary. And so many people get duped. I mean, they’re so creative.
Let me give your listeners some free advice. I’ll give you two things that are kind of little
Hold on, don’t give it free, maybe we want to charge for it. Go ahead.
You can charge later, but I always give them something. One, if you ever get an email or anything that is odd, never ever obviously click on it. We all know that. But never go to Google or Chrome or whatever your search engine is, Edge or whatever you use on Firefox, and type it in and go to that directly. So if it’s coming from a banking institution,
Okay.
Never just call the number that they have, right? The number you have, right? Their job is to it’s called man in the middle. They have to get in the middle, right? They intercept that communication where you think it’s that thing. So make sure because we do this all the time with our clients, you can click on that and it’s going to look just like that page. I don’t care if it’s a banking institution. I don’t care if it’s a vendor. I don’t care if it’s a login.
Okay. a minute, minute. The email comes in or the text or whatever, and you’re saying to copy and paste that URL or.
No, no, no, you don’t use anything from that email. So you, let’s say Russell, you receive an email from me as a bad guy. And I say, hey, click on this link. And it’s from, let’s say it’s a company you even know or a bank you use or whatever it is.
Yeah, they want that familiarity, I’m sure.
Yeah, go into Google, go directly to that bank page, never rely on what’s in the email because you may want to follow up on it. Hey, they’re saying work. And it’s always usually predicated on an emergency. You’re not paid up to date or you’re not, it’s always a call to action, right? Like you would. And so you’re going, man, did we not pay our domains this year? Hey, did we not? Yeah, you see what I’m saying? And these things seem legitimate. Usually, it’s a topic that confuses you.
Yeah.
and maybe even confuse your controller, right? And they’re the ones that handle the money. And so, and this happens all the time. No, no knock on them. The other bit of recommendation is LinkedIn. For you, for those of you that use LinkedIn, you must be aware that you get a lot of junk. Like you just get a lot of stuff. There’s a little secret that I do that it’s funny. It’s not a fail safe, but it works for 99% of the mess. That’s pretty good. that wants to find me on LinkedIn, it’s a triangle.
little black triangle because that’s what Black Breach, our logo, is, that little triangle, and it says Justin Shanken. That little triangle which you can do with any you can go on to anything and go to Microsoft and you’ll do it’s a code in the keyboard to do circles, happy faces, whatever it is, blows AI’s mind as well as automated things. So what will happen is I’ll get these emails or messages either through LinkedIn and it will show either just the triangle which gives it away.
right? That that’s not how a human would do this. Or it will show that black triangle and my name. And I know that it’s just capturing that through a crawl. So it’s very much immediately showing, hey, this is not a human doing this. This is not a person. This is not from a real sincere or my colleague who I do know is using this and they’ve been hacked or compromised or something.
I see.
So it’s a very simple way. We had, I was in an AI symposium and the folks that we were talking to is a nonprofit and they were like, man, we usually steal it through LinkedIn, but this triangle is driving me nuts. It’s keeping us from using the, wants to do it a certain way and it’s not working. So that’s a very easy way for anyone to go find and you can, you can go to ChatGPT or Google and say,
show me a list of what number code I could type in to get all these little pictures. And that’s a really good way you could put a card in front of it, you put whatever you want. But that’s a very easy way for your professional life to kind of screen those things.
Yeah, we, Russell and I, both do that. We have stars next to our names and we’ll get, I don’t know about you Russell, of course you would, but I get “dear star Charity,” you know, and then the other star, and you can tell it’s just copy and pasted from a directory that they pull, they skim the internet or something, and sometimes it’s just “dear star.”
Exactly. It even messes with certain apps. So certain apps that try to find me and steal, were doing a deep fake off of me. And we do this stuff all the time. We’re a bunch of nerds. But we turn around and it was not it was really messing with the platform and not getting exactly what they wanted because of something that simple because it’s really trained to it’s really trained to look at things black and white, ones or zeros.
So when you throw in a monkey wrench like that, it’s challenging for
Yeah, I guess when you blow it all the way down to the end, it’s all ones and zeros, right?
The end of the day.
Is there anything that makes you nervous coming up in 2026, Justin?
I think from a threat perspective, it really is AI and what we’re not seeing yet. And usually, you know, we call them viruses on purpose, right? These types of malware, they spread. And sometimes there’s something new that we’ve seen. I am worried about, I keep up with geopolitical events, whether what’s going on with Russia and Ukraine.
We’ve seen a lot of North Koreans in Ukraine and you may say, well, what does that have to do with cybersecurity? Well, what we’re starting to see is a very large North Korean threat. And the Russians are kind of paying that with cyber threat teaching. They’re teaching, they’re educating, they’re instructing them how to do this. Now, we’re starting to see these threats more coming out of North Korea. They’re escalated, God, 200% at least. And they’re not very good yet.
not all of them are so they’re kind of giving away but that’s how we’re be it’s very tough to get attribution to say it’s this country of this threat. So as you know we start to see the news and we go man how does that affect it affects everything. All this is part of one big melting pot and so it is it’s overwhelming if you don’t have experts that are guiding you in this space it gets very challenging and it can’t just be again and I’ll kind of
It’s overwhelming, Justin.
finish with this. I, you know, I bought this software, I bought this golden wrench, I must be good. Well, are you a mechanic? Are you a carpenter? And the truth of it is no, and it would be the same thing for me, I take my vehicle to mechanics to get this done, because they know the software and the programs and the tolerances. Same thing. So why are we just kind of winging it when it comes to it and we go well,
We kind of have that or for our cybersecurity needs. That’s, I think that’s just a continuous challenge.
I mean, it’s like, wow.
It’s a lot to take in, but I’m glad we’re hearing that OEMs are taking a step to offer more protection moving down the road. Are there any goals that you have, Justin, for 2026? Is there anything you’re on the lookout for?
Yeah, I think just kind of education and awareness like what we’re doing now. I will say my Swami hat, my prediction is going to be that other OEMs are going to adopt this very quickly. I think you’re going to see we’ve seen this same thing with like California regulation and then the whole country basically is taking this on right? Same thing with European, you know, auto makers. I think you’re going to see others. I think very soon they’re going to go wait.
Every other industry is doing this. The other thing you have to keep in mind is we think very America. And unfortunately, that isolationism mentality, if you’re selling a Japanese vehicle or a South Korean vehicle or a European vehicle, they’re having pressures in their own country for cyber regulation.
And you are very disconnected from the, heck, we can’t even keep up with it here in America, let alone what’s going on in South Korea. So when they have those regulations that spill down, you’re starting to see a global movement of this. And I think it’s going to, you can either get in front of it and just go, hey, we went ahead and did these things and then kind of catch doll and we’re done. They got audited, we’re done with this, or we’re gonna keep kicking the can and putting Band-Aids on it. And, you know,
Hopefully you won’t become the next lawsuit or victim or even… I am curious of what the OEMs teeth are gonna be. That I’m not very sure of. So if you just go to them and go, refuse. Now I don’t think that would be a smart thing to do, but I am curious of where that is going to come up. If they go, well, we’ll give you an extension or…
No, or maybe even help you pay for it. I don’t know. I’m kind of curious of which Well, that will go
The people that are in the know, you can already start to see it. If you want to stay where you were at, right? For example, I think this is Albert, the significant problems and challenges we face today can’t be solved at the same level of thinking used to create them in the first place. So you got Lithias and Group 1s and all these corporate, I mean, they’re on a buying frenzy. And the longer it takes for…
people to adapt the shorter they’re going to be able to hang on to what they have. They’re just going to get gobbled up.
It’s a really good point. You know, and I haven’t really thought about it from that lens, Russell, but you know, when you have Lithia, these other massive auto groups that do already function like a corporate environment. And they’re already dealing with this and they’re already ahead of it and they already have put the infrastructure and budgets to this. Yep. When you go to sell, I mean, I’ve, I’ve been acquired myself, right? I’ve been through the M&A process and I know in the automotive industry, it’s very quiet and we move very fast and
And in other countries.
we’re trying to get these things, if you’re not up to snuff, that will be held against you. There’s no doubt in my mind of, hey, we’re going to have to bring you to this level and you’re going to pay for it either now or on the back end. Yeah. And I really can see that we’ve actually worked quite a bit in M&A’s, not just with automotive, but others to make sure that they don’t plug into a problem child. The plug happened because of what you guys are doing. You know, I think if you’re not
prepared to sell, they’re coming in thinking, we’re about to get a discount. We’re about to come in and move on because they couldn’t.
Let me tell you what, mergers and acquisitions have been really soft in this space for several years now. And some of the things I’m hearing for 2026 is, it going to be a full court press? There’s going to be a lot of changes and companies, you know, being consolidated, et cetera. Justin, if you didn’t watch the then…
versus now, it’s like night and day. It has probably only been a year. Look how much has changed and look what’s coming for 2026. Charity, please.
Yeah, well, the only thing I have left for you, Justin, is there are there any questions that we didn’t ask you today? Wish we had.
No, I think it’s always y’all do such a great job and I love, you know, working with y’all and I love the podcast. I love the output you guys have done just a fabulous job. I would be curious. The only thing I ask is, you know, as you get questions or maybe emails or comments with that, I, you know, we can always answer those as they go on because frankly, for some things, the jury’s still out.
Thank you.
We’re looking, even Mercedes-Benz USA, who I totally commend of getting in front of this and going, hey, we’re going to create a standard, is very curious of going, what are the problems we’re seeing at the tactical level? We’re making a decision strategically, but what are they seeing? So I love having my ear to the ground and y’all are the best for that.
Well, thank you. And I’ll tell you what, most of, of, of what this show accomplishes because of that young lady right there, Charity, and the research she does, but having you then and having you now, I don’t know if there’s going to be a then now now because then then and now, because in six or nine months having you on again, could we have you on again at some point in time?
Absolutely.
So much information, so much has changed from your talking point whenever we had you on then versus now. And boy, I’ll tell you what, all of you out there, you find them, love them, like them, ask them questions, ask us, we’ll make sure he gets those. I’m sure there’ll be some cross-pollination. And if I hear about an IPO, you know, maybe you can let us know about it we can get in on that. I don’t really know.
Ha
It’s hard having keys. You want to make sure the less keys you have the safer you are.
Justin, I got to tell you, man, it has been truly enlightening, informative, just awesome. And you coming on and what you shared with all of our guests. So, and you’re the first one of 2026 and there’s going to be a lot to come in process. Okay.
And I think it is kind of interesting when you go back and see what we were talking about a year ago and just the evolution over the last, I would say four years, let alone, and if you’re interested in seeing me at NADA, I’ll be out there as well and doing some speakings and talking as well. So if you ever, anybody’s interested, find me on LinkedIn and hit me up and be curious to hear what your situation is.
Thank you very much. Uh, this is another extremely successful episode of WTF and that’s what the fixed stops to all of our then and now we got, we got, we got more coming in the future. We appreciate all of you out there, your support, your enthusiasm and the questions and wanting to come on the show and stuff like that. And we’re going to, we’re going to be ramrodding in 2026. Aren’t we, Charity?
We sure are. Thank you so much for joining us, Justin. We’ll talk to you again.
Thank you as always.