MetroHartford Alliance Spotlights Kelser and Hoffman Auto Group Partnership
The MetroHartford Alliance’s “Pulse of the Region” radio show recently dedicated an episode to the IT collaboration between Kelser Corporation and Hoffman Auto Group. The conversation is a great example of a premier Connecticut company taking a proactive approach to cybersecurity and technology infrastructure through a partnership with Kelser.
The relationship between Kelser and Hoffman takes place at the highest level of Hoffman’s business strategy. Kelser CTO Jonathan Stone serves as vCIO (virtual Chief Information Officer) for Hoffman.
Jon ensures that technology provides a competitive advantage for Hoffman and that the IT strategy aligns fully with their business objectives. Then the entire Kelser team implements all technology initiatives on a tactical, day-to-day basis.
One of the most compelling aspects of the “Pulse of the Region” conversation is hearing from Matthew Hoffman in detail about how the vCIO relationship works and why the partnership with Kelser is successful from his point of view. Here are a few highlights followed by a transcript of the radio show.
On what Hoffman Auto Group was looking for and how they chose Kelser:
MATTHEW HOFFMAN: We know how to service and sell vehicles, but when it comes to IT, it’s ever-evolving. It’s evolving faster than it ever has. We had a whole IT department before, and what’s gotten to the point is just the landscape changes. It’s not like it’s every week, every month. It’s daily.
We looked to form some kind of partnership with a company that’s staying on top of what’s going on in the world of technology, whether it’s cybersecurity or it’s the infrastructure of our company. We went about it by looking for a company that could help us with that, and we’ve been together, we’ve had a partnership, for about two years now.
We also looked at it with someone that would be local in the community, that holds a lot of the values that my family’s business has with community partnerships and nonprofit organizations and giving back to our community, which was very important to us.
On the importance of zero-downtime:
MATTHEW HOFFMAN: The other part, too, is someone that can consistently, 24/7, make sure that we’re functioning, because for us if our phones go down, our computers go down, anything like that, you know what, it costs us money and costs a lot of people their livelihood.
It was the combination between the technology and the customer service of someone, or happened to be Kelser at this point, where they can make sure we’re constantly up and running, whether it’s our phones or computers, etc.
On how external IT interacts with internal compliance and other departments:
MATTHEW HOFFMAN: When you have a third-party partner like we have with Kelser, it does partner internally with compliance department. So it’s not just that you have a technology company you partner with and then everything’s just going to go away.
It does take, on a business’s end, making sure that you follow what they suggest and implement your other employees in having controls to execute everything properly at the present time and going forward.
So it’s everyone. It’s a team effort. Even though we don’t have someone internally, it’s still constant communication. It’s on a daily basis. It’s not like we talk once a month. It’s constantly. There’s different needs, things that have to be upgraded, or things we’re educated on. You know how we have manufacturer meetings, they have meetings with a lot of different vendors that we can look at if it’s something that we need to do to make our business for our customers simple and easy.
Interview transcript:
JONATHAN STONE: I’m Jonathan Stone. I’m the Chief Technology Officer at Kelser. We’re headquartered over in Glastonbury and we provide managed services to small, medium and large businesses in the region. Hoffman is one of our valued customers.
BRIAN BOYER: How did you get into this field? What’s your background?
JONATHAN STONE: I’m trained as an electrical engineer and a computer scientist, so it was a natural spot for me to land. I grew up in IT in the insurance industry.
BRIAN BOYER: Great. Well we’ll look forward to hearing your insight on this topic. Matthew Hoffman--Hoffman, we know the brand. Most people know the brand or have shopped at Hoffman at one time or another. But tell us a little bit about the group and your role there as well.
MATTHEW HOFFMAN: I’m Vice President/Dealer Principal of the Hoffman Auto Group. We have locations in West Simsbury, East Hartford, Watertown and New London, pretty much covering any vehicle that you would want to buy or service. We’ve had a longstanding relationship with Kelser and also with the MetroHartford Alliance. It’s great to be here with two great local organizations that help support our local economy.
BRIAN BOYER: Before we get into the specifics of this partnership, let’s talk a little bit in general terms. Why are we having this conversation now? Why cyber security now? I know it’s a big question but we’ll have a whole show on just that one question, but what makes this timely right now? You hear a lot on the news, these security breaches. Are organizations and companies prepared for this? Why is it timely right now?
MATTHEW HOFFMAN: If it can happen to an organization like yours, it can happen to businesses, whether they’re large or small, in and outside of our area.
JONATHAN STONE: Yeah, and I think from my standpoint, in today’s world it’s hard to separate the technology from the business. All the cyberattacks that are going on pose a grave risk to businesses if they’re not prepared and not ready.
BRIAN BOYER: Sometimes employees and organizations are not even aware. You get an email and you open it without even thinking that it’s anything. You’re wondering, “Oh, what is this?” I want to ask you guys, are people aware that this is out there or are people naïve to it? If they are naïve to it, or they’re unaware, how do we educate them?
MATTHEW HOFFMAN: Well, you know, with our company, Brian, they are definitely naïve to it. They’re in the habit of getting so many emails on a daily basis and just opening them right up, not even checking where the emails are coming from. We have close to 600 employees. When you have a situation where they just open up the wrong email, it can cause serious problems.
When it comes to us with customer data, we need to protect that as an organization. It’s really the education and awareness that a company like Kelser provides in training our employees on what they should do when they’re opening their email or when they should just delete an email.
BRIAN BOYER: So Jonathan, talk a little bit about that. What can companies do to create that sense of awareness? Again, if you’re an employee and you’re just going through your emails and not really paying attention, it’s not necessarily malicious on your part. It’s the maliciousness of the person who’s phishing. How do we educate people to take a second look and not open that email, or make somebody aware of it?
JONATHAN STONE: I think just starting with the why behind why email is frequently the way these problems start. It’s the most direct way that people with bad wishes for us can get to all of our employees. We counsel and coach our customers to be thinking carefully about what they open, who it’s from, what they’re being asked to do.
Does it make sense? Is it something they expect? What kind of information are they being asked for? Is it stuff they should be providing? Is it confidential? Is it private? Do they know the person they’re sending it to?
And then looking for telltale signs in the email that maybe it’s not really the person that they think it came from. Does the email address match the address they’re used to seeing from the person? Do the weblinks that are embedded in the email make sense for what somebody’s asking for?
If you have a credit at Amazon and there’s a link in there and you hover over it with your mouse and the link doesn’t say anything about Amazon, maybe it’s not something you should be opening. So it’s awareness, thinking carefully, slowing down a little bit while you’re going through your email.
BRIAN BOYER: So what about this scenario? You get an email from your boss. They need something urgent.
MATTHEW HOFFMAN: Like a wire transfer, maybe.
BRIAN BOYER: Something like that, right? Usually, there’s money related. But you see something from your boss that’s urgent and you’re usually opening that email urgently. That’s phishing. Is that what phishing is? Can you talk a little bit more about that and even if it’s from your boss and it looks like it might be credible, why you should take a second or third look at it before you open it?
JONATHAN STONE: Phishing in general is targeting the information for a user in a personal way that it feels like something they should be responding to, putting phishing and social engineering together. Usually there isn’t a harm in just opening the email. It’s what you may do to it after you open it.
Certainly if you get that email from your boss, “I’m out of town and need the immediate wire transfer,” is he or she really out of town? Is the person the money’s going to somebody you usually send money to? Pick up the phone and call or text them. If it’s a large transfer, there’s no reason it couldn’t wait to be verified with that person on the phone. So slow down, think, be careful.
BRIAN BOYER: Let’s talk a little bit about the partnership now between Kelser and Hoffman. We’ve done several shows on cyber security. We’ve never had an auto group on. I’m curious to see the connection between cyber security and an auto group.
I go to buy my car, I’m not really thinking about cyber security. I’m not thinking about cyberattacks when I’m going to buy my car. So talk about this partnership a little bit and how it’s related to Hoffman.
MATTHEW HOFFMAN: Brian, we know how to service and sell vehicles, but when it comes to IT, it’s ever-evolving. It’s evolving faster than it ever has. We had a whole IT department before, and what’s gotten to the point is just the landscape changes. It’s not like it’s every week, every month. It’s daily.
We looked to form some kind of partnership with a company that’s staying on top of what’s going on in the world of technology, whether it’s cybersecurity or it’s the infrastructure of our company. We went about it by looking for a company that could help us with that, and we’ve been together, we’ve had a partnership, for about two years now. We also looked at it with someone that would be local in the community, that holds a lot of the values that my family’s business has with community partnerships and nonprofit organizations and giving back to our community, which was very important to us.
There’s a lot of third-party technology sourcing and security firms, but having someone who could give us the service that we need being close-by as well, so it just made sense to go this route after a lot of research, probably not just by the Hoffman Auto Group but by the Kelser Corporation, making sure that this is a strong partnership. Because even if you do have a third-party technology firm that helps you with security in your infrastructure, you still need to also have the people to be able to support that, not just for Kelser but for the Hoffman Auto Group.
BRIAN BOYER: So your slogan is, “Driven by trust.” It’s a good brand. We’ve heard that before. That trust comes with the quality of the product that you’re putting together, and also customer service and people believing that when they’re providing financial information that it’s kept safe.
Obviously, when it comes to buying a car, you’re basically signing your life away it feels like most of the time. In all seriousness, there’s a ton of financial components that are going back and forth. So how are you protecting not only - and Jonathan you jump into this, too - how are you protecting your business interest but also the interest of your customers through the cyber security tactics?
MATTHEW HOFFMAN: With having the relationship with Kelser, that was part of it, making sure that we have experts that are involved, because with “Driven by trust,” with that slogan, we take it very seriously. So when you have anyone, whether they’re purchasing or servicing their vehicle, that they know when they have their information, when we get their information, that it’s safe and that we have firewalls and ways to protect their interests as well.
That’s what brought us to that, is the ever-changing landscape, once again, of any business. We always pride ourselves on giving our customers the best experience, but also giving the best experience is protecting their data, their information and anything that would compromise their lives.
BRIAN BOYER: So, Jonathan, what’s the first step? Somebody that might be listening – and we’ve asked this question on some past shows but I want to ask it again cause it’s important – if there’s an organization that’s listening, and it could be a large corporation, a medium-size business or a small business, it might not be something that they’ve ever really thought of before.
Now hopefully we’re getting them to think about this because we know that it’s such an important topic of conversation. What’s the first step? What’s the first step in creating a strategy to protect your interest and the interest of your customers against a cyber attack?
JONATHAN STONE: A logical place to start is thinking about your capability and talent to deal with that internally, or do you need help? That’s an early decision that a lot of people work through. If you decide you don’t have the talent and resources internally, then going to the marketplace to understand who the players are. Certainly we’re one of the local players in that space.
We start our engagements with our customers usually doing some type of assessment to understand what their current state is. If I was on the customer side, I’d be asking myself, “Do I know what my current state of security is? What plans do I have in place? What technology do I have in place? How have I educated my users?” Then we work with our clients to build a plan to pull all the pieces together and close the holes up.
BRIAN BOYER: Are most businesses proactive about it or do most of them wait until something happens and then they say, “Oh, we should probably go back and fix this thing”?
JONATHAN STONE: It varies a little by industry and size. Certainly, some of the largest companies are very proactive about it. Some of the smallest companies are highly reactive to it and may not address it until something has happened that’s caused them a loss or issue or something was very close to happening and they looked over the edge of the cliff and know they need to be better prepared for next time.
BRIAN BOYER: So we want everyone to be proactive. Protect your interests. Protect the interests of your customers as well. But let’s be real. We’re human. We’re not always proactive on everything. Sometimes there are other business operations that we think about maybe before cyber security.
If there is a breach, what can be done to fix it or whatnot after the fact? Because I’m sure that’s happened. We’ve seen it in the news. It’s happened to some big companies and it could happen to anyone. It might just be something that happens spur of the moment. But what can be done after the fact to help get you back to where you were before?
JONATHAN STONE: I usually talk to our clients or prospective clients about, what is your plan for responding to the breach? That needs to be, even if it’s just on paper, needs to be ready before the event happens.
The first thing I counsel people to do, especially if somebody calls and says something just happened, especially if they’re in a regulated industry, then call number one is to your attorney to begin the process of shielding what happened under attorney-client privilege and then figuring out who and how you need to report the breach and then figuring out how to secure your customer’s data, what happened and closing it for the future. So have the plan before it happens. That’s the best case.
BRIAN BOYER: Who are the hackers? Are we talking about governments? Are we talking about a 16-year-old in their basement somewhere? Is it coming from all different directions?
It just seems very unpredictable where it could be coming from. Do we know who these individuals or entities are to even give us the wherewithal to be proactive? Or is it just, you just don’t know?
JONATHAN STONE: I think it’s hard to generalize across the whole space, but in the commercial sector, especially if it’s non-defense, it’s really people who are going about the hacking as a way to make money. It could be somebody offshore who does this for a living, could be people in this country or in North America. We don’t usually see the nation-state hacking against a non-defense commercial concern. That would be more reserved for somebody who had secrets to steal that could be interesting for another nation.
BRIAN BOYER: Interesting. Matthew, I want to go back to you. We’re talking about organizations being proactive or having to be reactive after the fact. What was the impetus for Hoffman Auto Group? Obviously, when it comes to cars these days, tons of technology involved. We know that, more so than ever before. But what was the reasoning for Hoffman to step in and get proactive and engage Kelser in this partnership and really be at the forefront of the cybersecurity?
MATTHEW HOFFMAN: Brian, like I mentioned before, it’s just, we realized with all of the technology we have to invest in, for our manufacturers, for third-party partners that we have, whether it’s for your CRM, your customer relation management tool or your accounting systems or anything along those lines, we’ve gotten to the point where there’s just so many moving pieces that we look at it is almost a requirement for all the different facets.
The other part, too, is someone that can consistently, 24/7, make sure that we’re functioning, because for us if our phones go down, our computers go down, anything like that, you know what, it costs us money and costs a lot of people their livelihood. It was the combination between the technology and the customer service of someone, or happened to be Kelser at this point, where they can make sure we’re constantly up and running, whether it’s our phones or computers, et cetera.
BRIAN BOYER: You’re listening to Pulse of the Region, brought to you by the MetroHartford Alliance. We are talking about cyber security today. It’s something that you hear in the news all the time and something that needs to be addressed in the business community and from a personal standpoint as well.
I’ll throw this out to both of you, but Jonathan this might be more for you. Let’s say I’ve done my due diligence and I own a business like Hoffman, for example. I have my cybersecurity plan in place. But maybe some of the institutions that I’m partnering with, financial institutions or other car dealerships, they don’t necessarily have a cybersecurity plan in place. How does that work? I’m doing what I need to be doing, but I’m working and partnering with people who are not necessarily doing what they’re supposed to be doing. So how does that impact me?
JONATHAN STONE: At the end of the day, it’s hard for you to control what’s going on in your partner’s environment, so thinking proactive rather than reactive, you as owning and controlling your business need to be thinking about the kinds of information you’re sharing with your partners. Do you need to be sharing all that you’re sharing?
If it’s a case where your partners have access to some of your systems, are you confident that you have that secured appropriately and have only given them access to what they really need? So it’s, to manage the risk, partitioning off things as best you can. Many times, there are things you can do contractually when you’re beginning a relationship to require the other party to adhere to certain cyber security practices or standards. We see that a lot when attorneys are working with big banks. The banks have very stringent requirements on how data has to be encrypted and kept safe.
Being Hoffman’s virtual Chief Information Officer, I blend understanding at least at a high level how Hoffman’s business works, and who are those partners that information is flowing back and forth with and making sure we’re being careful about who has access to what.
BRIAN BOYER: So we talked earlier in the conversation about awareness and creating awareness. I know that in your work with the Hoffman Auto Group, you guys implemented a simulated phishing attack last year. It was like, “We got you on this.” We talked about what phishing is. How do you implement a simulated phishing attack? I won’t ask you how many employees fell for it, but even if they did, that’s okay.
MATTHEW HOFFMAN: Or who.
BRIAN BOYER: They’re not with the organization anymore. But talk about what that simulation is. Then Matthew, if you could talk about how that helped you move forward. I’ll let you both talk about your roles in that.
JONATHAN STONE: With our client’s permission, it’s not something we’re ever doing as a marketing tactic without their permission, but with their permission we will pretend to be a hacker. We’ll put together an email that gets sent to all or some of their employees. Frequently we try to craft it in a way that there’s some internal knowledge baked into it, so as someone’s reading it, it feels like it’s appropriate for the business that our client is in.
Then we track who clicks on the call to action in the email, you know, “Click here to supply us your data,” or “Input your credit card.” Then we share that with our client’s management team after the fact. Then we put together a plan to educate and close the gaps that may have led people to click where they shouldn’t have clicked.
BRIAN BOYER: Matthew, I’m going to put you on the spot. Did you fall for it?
MATTHEW HOFFMAN: I did not fall for it.
BRIAN BOYER: Okay. Good, alright.
MATTHEW HOFFMAN: I would say, though, prior to this I’ve been coached. A requirement of Kelser is always to click on who the sender is. So if it says Jonathan Stone on it from Kelser then I know it’s one thing, but if it says Jonathan Stone and it has abc.com next to it on the right, then I know that this is a problem.
So that’s just getting your employees in the habit, if there’s a strange request on an email, that’s when you know to click the address next to the name, because it’s very easy for hackers to pose as Matthew Hoffman or Jonathan Stone, and it’s really not them. It could be someone locally. It could be internationally. It’s hard to know. These people who are doing this are hiding and there’s no way to ever find out and to find them.
BRIAN BOYER: And sophisticated, right?
MATTHEW HOFFMAN: Very sophisticated.
BRIAN BOYER: I’m kidding. I will not really ask you how many people responded to it, but I do want to know how you leveraged that exercise into a conversation with your employees to ensure that going forward, that they do need to be aware of this. How did that process play out for you?
MATTHEW HOFFMAN: After we had the whole phishing exercise that Jonathan Stone executed with Kelser, we sent a summary to all the employees that said “This many people responded to this,” along those lines, so they could get the scope of what could have happened even though this was just an exercise.
Then also when you have this as well is that when you have a third-party partner like we have with Kelser, it does partner internally with compliance department. So it’s not just that you have a technology company you partner with and then everything’s just going to go away. It does take, on a business’s end, making sure that they follow what they suggest and implement your other employees in having controls to execute everything properly at the present time and going forward.
BRIAN BOYER: So as far as sustaining this conversation and sustaining this action, Jonathan, I want to go back to you on this. Where are we headed with this industry as far as the conversations that we’re having today that we clearly were not having 15 years ago?
JONATHAN STONE: Not even two years ago or one year ago.
BRIAN BOYER: Exactly. Two years ago. So going forward, what’s the conversation going forward? What should we anticipate from this industry and not only what should we keep an eye out for going forward but what can companies also do who have implemented a cyber security strategy? What can they do to keep it up-to-date and safe going forward?
JONATHAN STONE: I think it’s about never letting your guard down. Certainly the attacks in the cyber landscape is not going to get any better. We expect it to get worse with more people targeted in more terrible ways than they already have. So staying vigilant, staying current with the technology.
Microsoft Windows 7 support ended in January. You don’t have a plan to get off of that, you should be in motion getting rid of it. Constant on-going education for your employees about what the risks are, and just getting the security to be top of mind for people, so they’re thinking about the email address on the email or the link and making sure it makes sense.
Hiring a firm to test and audit the controls or security you have in place. Some clients will hire us or someone else to try to break in, try to access their data, see if there are holes, see what we can get to, see how it can be better protected. Educate, test, validate. It’s like a continual cycle, can’t ever stop.
BRIAN BOYER: As we start to wrap up here, and I may want to have you guys here again to talk about this issue, but I do want to touch on it. As far as someone who might be listening, we talk a lot about talent, recruitment and retention at the Alliance, so this seems like a field now that maybe some high school, college students may want to look into.
It seems like it’s timely. If you’re in the IT industry it could be something that could be potentially lucrative to you as a career. What can we be doing as a business community to start training people to work for a company like yours and to help a company like Hoffman as well?
JONATHAN STONE: There’s all the traditional routes to working for a company like ours, having classic technical education in math, computer science, engineering fields, but then there’s also the path of very specialized degree education. As far as new degrees coming into being, like degrees in cyber security came into being faster than anything else I’ve ever seen before. People who are pursuing those degrees are coming out and finding jobs.
BRIAN BOYER: How would you say, the Hartford region, there’s a lot going on here. We’re the insurance capital of the world. That technology and insure-tech is growing. Our manufacturing industry, a rich history of that, healthcare, innovation, entrepreneurship, but as far as cybersecurity, how does Hartford compare to other regions as far as the number of companies who are engaging in it and the number of people who are working in the field?
JONATHAN STONE: The list of types of companies and industries you ran through without fail, solid IT infrastructure is at the heart of all of them. So it’s a very active area in the region.
BRIAN BOYER: That’s good, so something else we can be known for. That’s great.
MATTHEW HOFFMAN: Exactly, something else we can be known for, sure.
BRIAN BOYER: And we have to drive to our destination, so Hoffman Auto Group, thank goodness for you guys. I just want to wrap up here, but Matthew, as far as your next steps, I know that you have this partnership with Kelser and that’s great. What are your next steps as far as keeping everything, all your systems up to date and making sure that you don’t have to deal with a security breach at any point as far as your business goes?
MATTHEW HOFFMAN: Brian, bottom line is it’s a team effort. It’s working with the partner we have with Kelser, but also having great communication within our organization. With 10 locations and 9 different franchises and manufacturers that have all different requirements on their technology and their security, that’s the one word is the communication and then the transparency that you have with a company that you choose to partner with.
One thing with us is that Kelser, they know a lot of our employees and also that we have to hold people accountable because of what can happen if something goes wrong with a security breach. What Jonathan mentioned, too, is there’s things that are changing. We talked about Microsoft or anything where it’s going to make it so you can do business or not do business. That’s what it comes down to as well.
So it’s everyone. It’s a team effort. Even though we don’t have someone internally, it’s still constant communication. It’s on a daily basis. It’s not like we talk once a month. It’s constantly. There’s different needs, things that have to be upgraded, or things we’re educated on. You know how we have manufacturer meetings, they have meetings with a lot of different vendors that we can look at if it’s something that we need to do to make our business for our customers simple and easy.