PEP Episode 057 — Secret Revenue Imperative: Cybersecurity for Payment Processing with AJ Global Cybersecurity

Why Cybersecurity Is Now a Revenue Imperative for Payment Processors—and a Lifeline for Merchants

• AI-driven threat detection modeled on real-time counterintelligence strategies
• Cyber due diligence in M&A—why breaches can tank valuations overnight
• How to position cybersecurity as a value-added service to boost merchant retention and acquisition

Transcript

Christopher Dryden (00:00):

Especially when payments in many ways is a race to the bottom these days. This is a great way to get in with a merchant and say, Hey, how do you run your business? And are you aware of the potential harms that are just unknowing or unintended that could be coming your way? That I see happen all the time, and there are some really cost-effective approaches to just being ready for those. I think that’s a great sales strategy to get in. And even if they don’t want it, you’re talking to them about a way to protect their business. Unrelated to what you’re trying to sell though,

Jeremy Stock (00:40):

Welcome to the Payments Experts podcast, a podcast of global legal law firm. We hope you enjoy this episode today. We’re really excited we’ve got a remote podcast. Joining us in studio is global legal law firm, founding and managing partner Christopher Dryden, as well as our special guest joining us remotely, John Aronson of AJ Global Cybersecurity. You can find John over@ajglobalcybersecurity.com. John, we’re really glad to have you on this podcast. Looking forward to a great conversation. Thanks for

Jon Aronson (01:19):

Having me.

Christopher Dryden (01:20):

Alright, so let’s roll in. John, it was a pleasure meeting you at NEAA. It was a brief encounter, but it was nice to see that you were in the space. It was very interesting to see that you were speaking at a breakout session. I did not get a chance to go to it, but I saw your presence there as something that’s beneficial considering where payments it is been and where it’s going and where everything will continue to go in the business world, what’s payment related or not. But John came by our booth at NAAA and we started talking and I looked at his name badge and I saw what he did, and it wasn’t your normal payment sales guy or POS system or something along those lines. And John was there offering cybersecurity services. And when I started talking to him, he said, well, I’m in a breakout session.

Christopher Dryden (02:12):

You can actually come and listen to me at the breakout session. And I said, unfortunately, I can’t because taking off a little bit early, but I thought that this would be a great subject matter because we’re ancillary service providers in the space and I believe legal services for any business in a preventative fashion is necessary and is beneficial to the business. And then I thought about cybersecurity and what John was offering, and for me, I didn’t know enough when I was speaking to him, but I thought, well, this would be great to have on the podcast because this impacts every single merchant. Everything is through the cloud these days when it comes to payment processing, let alone business systems. And so when I was looking at, when I was thinking about this, I thought, well, this is perfect because as we said before we came on the air, look, nobody thinks that they need a lawyer until they need a lawyer.

Christopher Dryden (03:11):

And it’s the same thing with what you do it. Most people don’t do anything until the problem’s at their doorstep and then the price tag’s just so much greater when there could have been some preventative expense beforehand to keep away the major expense sort of taking on insurance. So that was my thought process for having you in. And so if you could give us your elevator pitch as just what you do, and it doesn’t necessarily have to be payment centric, it’s just like, Hey, what are the business services that you offer or that AJ Global Cybersecurity offers? And then we can kind of segue into like, how did you find us? Because I think you’re definitely needed in this space. I think most people think this is cost prohibitive and I’m sure it’s probably not. So I’m going to let you take it away.

Jon Aronson (04:09):

Well, thanks. Yeah, just like you said, you need a lawyer and it is too late. You need to have set the table prior to finding the right law firm to represent you. And we are, in the similar case, we serve businesses of all size, single mom and pop location to multinational organization that would have clients all over the world, independent sales organizations, processors, independent agents. Cybersecurity has become incredibly necessary at the SMB level and even at the upper mid market and certainly large cap space. And for years, the only thing that I really found out there that was a satisfactory solution to provide some level of preventive defense against a cyber attack or an incident was your traditional antivirus that’s going to come pre-canned on any operating system that you might receive when you buy it. And that’s awesome. It’s one piece of the overall defense.

Jon Aronson (05:13):

But the reality is, and we found this, that there’s about six different layers to a sound cyber defense. And what AJ Global does is we offer financial protection to an organization of any size, and we found a way to go ahead and create that to be a revenue neutral process at no or low cost of an entry point for the individual client. And we provide financial protection anywhere between $250,000 up to $25 million should there be a cyber event. But before we get into a traditional, okay, I have a cyber liability policy for X benefit, and if you have an event, you have to get through that event. AJ Global’s unique proposition is we offer quick reactionary funds to an individual organization as they’re experiencing the event itself. So take a ransomware experience as an example. The client wakes up, they go to work in the morning, they fire up their systems and nothing will turn on.

Jon Aronson (06:28):

They can’t get to their account receivable, they can’t get to their materials list, they can’t get to hr, they can’t get to their banking. Really, they’re blind and they may have one or two emails with an extortion and a demand for ransom, usually in Bitcoin or some form of crypto. And it says, give me 50,000 US dollars in Bitcoin by Thursday or we’re going to start smearing your company. And when that happens, the client has always done one or two things. They first of all panic and do nothing, which is probably the worst thing to do. Or they begin a negotiation with threat, but they have limited funds. Most SMBs don’t have many, much more than $50,000 on hand at any one time. And with the clock running, it’s really, really important to be able to go ahead and say you have some reserve cash reserve that they can go ahead and begin that negotiation to get their companies back.

Jon Aronson (07:23):

And I found that has been the missing link in my opinion, my professional opinion over the past five years where a client finds themselves in that situation and they just have not even remotely prepared for it. And because AJ Global has a way of implementing a protection, including this additional funds, and I’d refer to these as QRF, any active duty or prior service military would probably recognize the phrase QRF as quick reactionary force. Well, I plagiarized it and I call it quick reactionary funds. So over a period of time doing business with aj, the client sends funds to AJ Global and we cover a number of different things. We cover the technology to secure their businesses at every single entry point and computer, laptop, server, mobile devices that they may be using, and we put a piece of software on that endpoint or the computer itself. Once we do that, it comes with a couple of different things. It comes with QRF funds. We sit those QRF funds aside per client. We don’t co-mingle the funds at all. They sit off to the side and God forbid that a client should find themselves in the situation that I’ve just explained, they call us or make contact with us and we look into what they might have as an available balance in their QRF fund and we make it available to them within 24 hours usually. And that’s when,

Christopher Dryden (08:53):

I don’t know if we’ll even put this on the, if I ask questions that you don’t want to answer, you let me know because I sit here and I’m a thinker, and so I’m listening to you. And the first thing that I think is you just walked into licensed activity. You just walked into activity, you’re holding somebody else’s money for their benefit, and that is a depository or fiduciary function. And I’m wondering how you go about doing that. If that’s not something you want to talk about on the podcast, I’m totally cool, but I would be interested in talking to you about that at some point.

Jon Aronson (09:30):

We can scratch the surface of it because it is a pretty significant feature that AJ Global has come up with. And I know that we are the only organization that are currently doing that, at least that I’ve been able to find.

Christopher Dryden (09:42):

We have a trust account and it’s an FBO account, and I deal in banking as well as payments. And for you to hold somebody else’s money and trust, even from a, you could be triggering licensing activity because it’s either insurance or it’s fiduciary services. And so I was just wondering, just in my mind, how you go about being able to, because look, I think it’s great people are paying you for a service, a portion of which you tuck away for them for emergency funds. I think that’s great. But my question is how do you go about meeting all of the regulatory bullshit? Because you’re dealing with people in so many different states, you could be subjecting yourself to if there isn’t a federal standardization for the business activity that you’re doing, what does it look like?

Jon Aronson (10:35):

Well, we have gone through the appropriate steps to go ahead and create the fiduciary accounts that you talked about, and the funds are isolated specifically for the benefit of the individual organization that’s doing business with us. Again, I mentioned we didn’t, we don’t co-mingle and we are very, very sure that the clients that we do acquire, that we check with the states in which they’re operating to be able to go ahead and fulfill the obligations of AJ Global. Now, if we find out that that’s something that’s a little bit cumbersome or unclear on exactly how to go about doing it, then they can hold the funds,

Christopher Dryden (11:15):

Which is another great thing is just say, Hey, open up a sub account or a separate account and just dump this into it. Do you have an online portal where you give people reporting for what they have on hand at any particular time?

Jon Aronson (11:31):

Yes, we do.

Christopher Dryden (11:32):

Okay, cool. That’s great. Yeah, because that wasn’t something highlighted on your website at all.

Jon Aronson (11:37):

No, it is not highlighted on the website. It is a functionality, but a lot of the work that we do, even for our smallest clients is custom. And some of them may be like, well, we just want to take care of it ourselves, not a problem. That’s fine. But human nature typically kind of kicks in when they do that, and if they run short of funds somewhere else, they may tap into that, but that’s up to them

Christopher Dryden (12:02):

If

Jon Aronson (12:02):

They’re holding funds on their own.

Christopher Dryden (12:04):

Yeah, for sure. I get it. Is the way that you price it out, are you considering as part of the price point is almost like a rebate when they pay for something that funds go back in? Yeah,

Jon Aronson (12:17):

That’s exactly right. Yeah, it’s almost treated as a rebate.

Christopher Dryden (12:20):

Okay, cool. Really to

Jon Aronson (12:22):

Do is the simplistic but accurate way of doing it and making the client understand that by working together, that we’re showing them ways. Really that’s the consulting and AJ Global Cybersecurity Consulting. Not everybody has the same needs or desires that have to be met to prevent a cyber breach or an event. And God forbid if it happens, we need to train them the best possible way on how to go ahead and protect themselves in the heat of the moment.

Christopher Dryden (12:52):

So I want to step back a little bit. You were talking about the six layers of what you really need to put in as far as protections for handling or preventing a cybersecurity attack. Can you elaborate on what those are?

Jon Aronson (13:07):

Sure. The first layer would be the antivirus that we, or excuse me, antivirus services that we see on most of the operating systems that we’re using and necessary. That’s a really good first layer, but typically in my experience, it’s not exactly enough. The next thing might be an electronic detection and reporting solution. Okay, an EDR CrowdStrike is one of them. There’s lots of different eds that are out there. We use a couple of different ones, and that’s a really, really sophisticated low impact, meaning it’s not going to go ahead and bog down a system. It’s going to be constantly looking. But the important thing is too is that we’re looking in the past for any dormant threats that may be already on a system and already be on an endpoint, already be on a server, and if they are there

Christopher Dryden (13:58):

Some sort of troja horse

Jon Aronson (14:00):

That could be there. And a lot of the eds that are out there skip over them. They don’t see them. They don’t see them as clearly as the ones that we’re using. And when they don’t see that, then really the entire effort of that search for a dwell time threat is really useless. It doesn’t do any good to the client. They got to be found and when they are found, the third piece is that they need to be quarantined. They need to be isolated. These threats are extremely sophisticated. They can go ahead and be on a system. If we find a threat that we feel is a mid to high grade threat, we’re going to quarantine it. The endpoint can continue to operate, that individual can work on that computer, work on that server as where we’ve quarantined the threat. And then the fourth point is let’s go ahead and remediate that threat in the quarantine environment so it doesn’t escape or bleed out and contaminate other files and corrupt the system and even jump to another endpoint within the network.

Jon Aronson (15:11):

So there’s four pieces. The next thing is financial protection. If everything to the left of the bang that I just talked about occurs be financial, there needs to be financial resources made available to the client to go ahead and act. Okay. They have to be able to act. So in this situation that a detection solution may have failed and now the client is being extorted or there have been damages, this is when that financial protection needs to kick in. It might be in the QRF fund that we just got done talking about, or it could be an actual policy written by a rated insurance carrier that for a cyber liability policy and the benefits can jump from 50,000 to God knows what. We’ve got one that is considered to be, they’re considering it about $25 million is what they think they’re going to go ahead and

Christopher Dryden (16:13):

Meet. Are you brokering those or are you referring them? No,

Jon Aronson (16:17):

We’re referring them. Yeah,

Christopher Dryden (16:19):

I got a buddy in this payment space. I don’t find many people that do payment centric insurance policies, but I’ve got a buddy that created a chargeback liability policy. His name’s Kevin Men, and he’s probably somebody I should introduce you to. He’s been doing insurance and payments for close to 15 years. Really good guy. But he actually thinks about these kinds of things, and I know he has a cyber policy that he has offered out. But I think in conjunction with these types of services, it makes way more sense because as being an insurance provider, you’re just talking about the end event that requires the insurance versus all the things that could be preventative on the front end.

Jon Aronson (17:01):

That’s right. The insurance providers are, the business is a pile of ashes behind you at that point in time. You’re filling out a claim and hoping for the best for financial resources to come your way that you could do any number of different things with. And as you may know, and I’ve seen, and I’m not an insurance guy, but when I read the policies, I see sub limits. I see different elements that should give me a maximum benefit for a certain thing or a department for reconstruction or rebuild and brand rehabilitation is a big, big one. So that’s not what we don’t do the policies. We’re not a broker, we’re not licensed as a broker, but we have access to world-class insurance carriers that are happy to go ahead and underwrite or at least look at a liability policy, cyber liability policy. And they love the idea that we’re using a piece of software to be a continuous underwriting tool for them to see. So if our stuff

Christopher Dryden (18:05):

I, no, no, I think, look, putting these, coupling these things together, if I’m an insurance underwriter, I’m definitely thinking, oh, okay, well, it’s a lot easier for me to underwrite this type of policy when I’ve got this type of preventative work being done on the front end. And if it just happens, because you’ve got somebody who’s done something that is in some way, shape or form, maybe out of the, well, the insured is proactive, but the mousetrap gets better even for the guys that are perpetrating the cybersecurity events that require your services. And so everybody’s learning. That was actually one of the questions I had is when you’re doing your work, can the party perpetrating the intrusion? Can they see what you are doing? And is it like a cat and mouse chess game going on within this environment for you to do what you’re doing without being detected? I’m figuring it’s got to be some cool game. You’re playing in there a little bit.

Jon Aronson (19:07):

That’s above my pay grade, and that’s for the technologists. And they do play a cat and mouse game when they actually do the quarantine and drop the cell door behind the cyber criminal and lock ’em up. That’s a tactical event, and they are really, really good at it. And the cyber criminals are really good at detecting that that’s about to happen. And some of them will just leave the system itself and get out.

Christopher Dryden (19:35):

Yeah, I think that’s awesome. Just the idea of it, you are, I see the gamification of everything even in schools these days with my kids, but to watch this chess match that could possibly be going on, it’s kind of cool.

Jon Aronson (19:52):

It’s fast and it happens in seconds. So thank God the providers of our technology analogy use AI and machine learning to lure in a threat. That’s one thing. And then to allow that threat to enter a space to a certain level where they can go ahead and make a solid quarantine and keep ’em in there before they kill it, and then they dissect those viruses, they want to take ’em apart in a certain way that they’re going to extract certain DNA from that particular threat and therefore record it and share it amongst the entire network. So

Christopher Dryden (20:30):

We have, are you saying that they’re luring in new threats to almost like penetration testing to actually get new threats in kind of like a sandbox almost to try to get them to expose what the virus is so that they can fight with it and then potentially, is that an active thing that’s happening or are you talking about just when a threat’s identified within a customer’s system?

Jon Aronson (20:58):

Yeah, it’s in a very controlled environment, almost like a sandbox. You used that phrase just a moment ago. We’re not going to go ahead and roll the dice working in a client’s live environment. We’re going to do some things in a controlled environment and try to entice that threat to come in or actually go out on the dark web, get the virus and bring it into a controlled environment and detonate it on a sacrificial endpoint or server.

Christopher Dryden (21:25):

Then

Jon Aronson (21:25):

See quickly,

Christopher Dryden (21:26):

This is why I wanted you on, this is fascinating to me. This whole thing is extremely fascinating what you’re talking about.

Jon Aronson (21:33):

Absolutely. It’s pretty cool. It’s pretty fast. They’ve been very successful too. And that’s something that really, if anybody in the industry or even small business, midsize business ISOs, payment processors, financial institutions, when they’re looking at an organization to assist in an element or all of their cyber protection in those six different layers that I referenced, they really need to look at performance, live performance, and then what are the credentials, who they’ve been working for in the past, meaning the provider of the technology itself. When we did this, we found a technology that was so sound and extremely good at what they were doing, that when we asked the insurance carriers to look at their performance, which took a year and a half, by the way, they didn’t move quickly on this, as you can imagine, they looked under every single piece of code and saw dozens and dozens of sandbox type events that were impressive to the insurance company. And they said, okay, well, if you find a client, Johnny, and that organization wants to go ahead and protect themselves, they use this technology, we’re going to go through each one of these different layers of defense and we’re on the farthest side, farthest end to the right of the bang where we would be paying a cyber liability benefit, not to me, not to the technology provider, but to the end user. Okay. So that’s where it really is a differentiator, is that the client saw the damages and they’re getting paid directly.

Christopher Dryden (23:16):

So in some of the things that you’re describing in the services themselves, well, let me ask it this way. I think it’s a case study for what this podcast is about, and I think it’s probably better used. How did you get into the payment space? Where did you segue? I’m sure this was not the first vertical that you were focusing on, but somehow you made it over here. What was the event or the trigger to get here?

Jon Aronson (23:48):

Well, I joined the payment space in 1994 to door to door sales in Vermont.

Christopher Dryden (23:52):

Oh, you’re a lifer.

Jon Aronson (23:55):

Me too. Yeah. I started with Nova Information Systems back in 1994

Jon Aronson (24:00):

And have always just either directly worked in the payment space or worked for a financial institution where it was part of my responsibilities. And ultimately where I saw a need for what we’re doing in the detection side of things, threat detection, and then financial protection was when I would ride alongside a banker, a commercial lender, and they would go out to meet an organization that was looking to either be sold or to acquire another like business. And I would ask the banker, what are you doing in the underwriting space for the computers inside the acquiring business, the business to be acquired? And they would look at me and be like, nothing. And I said, so you could ultimately be financing the purchase of cyber threats on behalf of this individual that’s applying for the loan. And they were like, well, we never really thought about that.

Christopher Dryden (24:59):

Yeah, it’s like buying a sick dog, right? You don’t know. Yeah, you don’t know, right?

Jon Aronson (25:04):

You don’t know. I am not an insurance guy, but I filled out plenty of enrollment forms for health insurance, and it just triggered in my mind that cyber threats, dormant cyber threats are preexisting conditions for a piece of technology and an underwriter at a financial institution who is ultimately going to or not going to provide funds for an organization to buy another business. If I’m lending them money, I want to know how clean their network is, even if it’s one or two desktops or it’s a full on network of thousands of endpoints. And that was something that was incredibly expensive that nobody seemed to want to foot that bill. And I said, well, let’s go find an organization that can go ahead and do that for pennies on the dollar. And then once those financial protections are put in place, after we do the threat sweep and we find out what kind of things need to be remediated even up to the quarantine and kill side of things, let’s go ahead and financially protect those particular endpoints and make that transferable so the business owner can have the diagnostic test done on every single piece of hardware and software that’s within their business.

Jon Aronson (26:22):

We give them a report explaining these are the low grade threats, these are the slight concerns, and these are the real red ones that we need to either just get rid of that endpoint because it’s not worth trying to

Christopher Dryden (26:33):

Salvage. Well, look, I’m in litigation right now. I worked on a transaction to buy technology, and you would assume the know-how would come with it and a very important piece of the know-how didn’t come with it. And it was actually maintained by somebody who was misclassified as a contractor that was probably truly an employee, and he got into a dispute with the seller, and then we represented the buyer. Buyer didn’t get what they needed. They had a whole game plan. Exactly what you’re talking about was something that was probably should have been insisted upon in the transaction. So I see the need for it in a current situation that I’m in right now on the litigation side. It’s like it’s crazy these days, most transactions, at least in our space, are starting to involve some piece of technology. That’s how people are getting a greater multiple or an EBITDA multiple versus just selling revenue. I find this to be very applicable, meaning to ask you what was your background before? So you’ve always been on kind of the tech side of things.

Jon Aronson (27:43):

No, man, I never attended a college class. I’ve always saddled alongside people that were much, much smarter than myself, and I saw an opportunity to take existing world class projects, products and solutions and financial protection, and I welded it all together. That’s awesome. And I had brought it to the marketplace.

Christopher Dryden (28:05):

So who in the payment space do you have reaching out to you? Is there a triggering event or we hope not.

Jon Aronson (28:13):

We actually hope not

Christopher Dryden (28:15):

Well. But people that are coming to you in the payment space, do they have a particular footprint as an organization or is it something that happens that triggers, maybe not an actual breach, but something that may occur that brings them to you? How do you find people in the payment space making their way to you?

Jon Aronson (28:36):

So usually it’s one of two officers inside a payments company, and it’s probably going to be a CIO Chief Technology officer that is going to be in charge of the security of an organization or a payments organization. Ironically, more often than not, it’s the chief revenue officer that finds the most interest in what it is that we do. They’re looking to monetize their security platform and we share a variation of what you and I are talking about this morning and that would fit their organization and they consider moving forward with us by bulking up their security platform and then communicating out to their 50 merchants in their portfolio or their 500,000 merchants in their portfolio, that they are doing that in a proper way. And then saying, that costs money and to protect the information and the exchange of between us, the corporation, you, the company in which we serve and return back, that costs money. And so therefore a palatable, and I say palatable cybersecurity fee can be applied to the arrangement itself. It’s nothing to do with payment acquisition, none at all. This is

Christopher Dryden (30:04):

Are they reselling your services as, so I see this as a var, and ultimately this is something that can be offered out to a merchant, either existing or new merchant as something that comes along with the payment processing services. That’s like a bundled services in addition to other things that happen. And are they reselling for you and are you actually creating a potential profit center for them by reselling your services? I mean, how are you interacting? Or is it just that you’re providing end services for people in the space?

Jon Aronson (30:41):

No, there are two different phases of revenue generation on behalf of our process itself. One is for the client and the protection for that client, and then sharing of the overall expense directly with their individual merchants. Okay. That’s number one. That’s phase one, because that has done so well. Many of those clients using phase one, which is their protection, they turn to us and say exactly where you went and which is phase two. It’s a value added reseller service. Can we become a reseller on behalf of not only the technology, but also the AJ Global program and process? And that’s something that my partners on the AJ global side have said. Yeah, absolutely. But it has to be with proper education before you go to market. And there are a million things that probably pop in, and some of them are extremely relevant and others

Christopher Dryden (31:39):

Deconstructing all the red tape that goes along with potentially offering something like what you’re talking about. It’s like what we discussed before.

Christopher Dryden (31:50):

I could see that you need a more sophist, or excuse me, a more sophisticated partner to be the distribution partner of this type of thing, somebody who’s not just a small agent or something along those lines. But I do think it would be interesting for the people that our viewership and our clients that we service, ISO agent is just such a nebulous term, and it’s such a varying thing. I mean, it could be one guy doing his thing in high risk versus a whole organization, but I kind of throw ’em into the same category. It’s everybody under the 800 pound gorillas and above the merchants. Yeah, totally. So I’ve got my architecture of how I show people what the space is that we work in. But yeah, I immediately saw this being a potential profit center, one that provides security and safety, which I do believe is out there at all times. And it’s almost like you drive a car and you’re out on the road and you just never know when you might end up in an accident or something happens that would require your car insurance policy.

Jon Aronson (33:04):

And

Christopher Dryden (33:05):

I find operating a business and participating in the cyber world as we’ve gone to the cloud is no different than that. And I don’t see why people don’t see this. And if there are solutions that are not cost prohibitive to protecting a business, there’s so many people that run businesses that aren’t thinking about exit ways that they can be harmed. They’re just trying to make a buck and they’re just, but this type of thing, especially when payments in many ways is a race to the bottom these days, this is a great way to get in with a merchant and say, Hey, how do you run your business? And are you aware of the potential harms that are just unknowing or unintended that could be coming your way? That I see happen all the time, and there are some really cost-effective approaches to just being ready for those. I think that’s a great sales strategy to get in. And even if they don’t want it, you’re talking to them about a way to protect their business unrelated to what you’re trying to sell them, right? Ultimately sell

Jon Aronson (34:19):

Them. Exactly. Yeah, you got it. That’s exactly right. The financial protection is really what they want to hear about the tech. For a lot of the SMBs in particular, it is like, yeah, okay, I’ll get it. Sure. And then they don’t, and to your analogy, you might drive your car, well, I don’t know. You’re in southern California, so it might be hours a day if you’re trying to get from A to B.

Christopher Dryden (34:46):

I only got to go three exits, thank God.

Jon Aronson (34:49):

But you’re doing that for one, two hours a day. Your business, whether a small business has a e-commerce platform or not, they’re exposed 24 7 every day of the year, every day of the year, and they’re all convinced that proper cyber defensive security is financially unobtainable and it’s not. It’s really, really not.

Christopher Dryden (35:15):

No, I agree with you. I just think it’s a lack of information out there for people to tap into. I mean, one of the things that we really tried to do our podcast, we don’t sell anything. We’re not selling our legal services. I mean, I think people that view it see that we are actively engaged in the industry that they’re engaged in, and they see our level of knowledge and our level of interest in expanding our knowledge about what we’re doing and how we’re operating. But ultimately, our podcast is for branding, and we like to disseminate information because look, knowledge is power to anybody out there. I don’t care who you are. And having this type of knowledge on our podcast and to see that there’s cost-effective solutions out there just to get some minimal protection so that you’re just not a sacrificial lamb. Look, that’s one of the purposes of why we do what we do. It was one of the purposes of what, I saw you at the conference. I’m like, yeah, this guy should come on the podcast. This was like, this makes total sense to me because it’s something that I think people immediately disregard because they think, oh, I won’t be able to afford that, or I won’t get the benefit for the price. And I think that,

Jeremy Stock (36:31):

Or they don’t understand the danger. Even Chris, I think a lot of people don’t really understand even what’s at risk.

Christopher Dryden (36:37):

Oh, I agree. Even myself. I mean, I’m sure if you came in and analyzed our business, you would be pointing at things that I would’ve not even have thought of that potentially could be a problem for us. And I think having that knowledge allows you to be proactive or make the decision to not be proactive. I’m all about accountability. If I’m accountable, I’m accountable, it’s fine, but it’s where I duck my head in the sand and be an ostrich. I get what I deserve at that point in time. So I think that this is a really good way to educate people that there are things out there that you’re not thinking about that are beneficial for your business. Shit, if I’m a sales guy, I’m thinking that this is a way for me to connect with a potential person that I’m selling to in a way that I never imagined.

Christopher Dryden (37:27):

And I don’t think the educational process to learn about what you’re doing on an elevator pitch style to go out and market it to somebody is all that labor intensive. I mean, I think that this is a really good way for people to get out and get in front of folks and to show them, Hey, I’m not just your selling you payment processing. Let me tell you the other things about your business that I think that go along with payment processing that are really important. And so I personally appreciate you coming on. John, this has been educational for me. Last word, because we always give the person that comes on the last word. What do you think you would want to say to anybody that’s watching? I don’t know how many merchants really tune in, but I definitely know that we get viewers that are agents, and we do a lot of cross fertilization with guys that are ISOs that have a huge agent base. What you would want to share?

Jon Aronson (38:26):

Well, really what I would probably say to them is the protections can be extended to the masses with really not much more than an elevator pitch, but allow us to, or allow the industry to provide the resources. So it’s a quick assurance and just make the phone call, start the process, reach out to a provider that you think is going to go ahead and do a decent job in protecting your organization. It might be from a managed service provider or an MSSP, managed service security provider technologist, and just begin the program and the process itself. You’ll find that pennies on the dollar compared to what the real risk is. And ultimately, you can turn this into a revenue neutral or as you saw a systematic reoccurring revenue stream. We always tell our clients that we convert cyber liabilities to systematic reoccurring revenue, and that’s what we do for all of our clients.

Jon Aronson (39:31):

We talked about the banks. Banks can add this into their underwriting process. I’ve got a technology company, it’s an internet service provider. They’re looking at doing this and adding additional dollar cybersecurity fee to every single one of their individual client base because they’re increasing their protections on behalf of their clients. And it’s something that is in the news every single day, unfortunately. And it’s something that is becoming not easier to defend, but more you have more arrows in the quiver today than we’ve ever had in the past to be able to protect even consumers, small businesses, large corporations.

Christopher Dryden (40:15):

Okay. Jeremy, you got anything for John?

Jeremy Stock (40:17):

Yeah, just a quick question, John. I’m like, Chris, I geeking out on this stuff a little bit. My question for you is, and I can maybe even move this to a different part of the podcast, it’s 2025. I remember McAfee and these old back in the day, Chris mentioned the Trojan horse. Is this all the same old stuff or has it become incredibly more sophisticated? I’m just curious what the threats look like these days and are they using the same old methods?

Jon Aronson (40:53):

Yeah, the same old methods, yes. They’re probably the easier of any of them to go ahead and detect and defend and quarantine that. So they’re not easy for us to pick off. But the cyber criminals are extremely sophisticated today. They have so much more power behind them. There are nefarious organizations in foreign countries that have done nothing but target the United States, small to mid-size business and large cap companies. They want the disruption, and they don’t have to be successful in draining the corporate account. They just need to go ahead and get it on a social media platform that they were successful in getting in. So they’re magnifying the event. A failed attempt is almost equal in value to a full on robbery, which is crazy, but it’s the truth because that goes viral in a heartbeat, and they’ve got a whole platform standing behind them to market it.

Jon Aronson (41:54):

Unfortunately, the statistics of the cyber threat sophistication increase just during COVID from many of the three letter agencies went through the roof. Part of that was because we had employees tunneling back into work. We were all working remotely. We were all on unsecured networks trying to do our daily business, and that allowed the cyber criminals much more target rich environment. But man, they’re getting better at what they do. The technology providers have got to be as sophisticated or even better than the criminals, but there’s a lot more criminals than there are the defenders, and that’s always going to be the case.

Jon Aronson (42:41):

So that’s why it’s a six, seven layer process that we sort of got through all of it. The other pieces are equally important, but it’s not a pleasant environment. It’s not a depressing environment either. For as many newscasts that we see, unfortunately on a daily basis, there are thousands of success stories that are not talked about of where prevention was successful, detainment of the individual cyber threat, the kill and the dissection of the cyber threat, and then the extraction of the threat’s. DNA has been dispersed around the network and around the world, even to other three letter agencies here in the United States and around the world. That’s being very helpful. And that information is coming down to the individual businesses all around the world. 43% of cyber crime is against small to mid-size business. 43%.

Christopher Dryden (43:44):

Yeah. Not surprising. Well, look, how do people find you?

Jon Aronson (43:49):

Go to our website, AJ Global Cybersecurity. Give us a phone call. You have the template there is to just ping us, let us to learn a little bit about your business, and then we’ll come back with a customized option. If they choose to take it, they take it. If not, we hopefully have given them some information on how to protect themselves. And of course, we’ll be attending all the Bankers Association meetings. I’ll be at the southeast acquirers meeting next month, and then the Midwest and south in the Western states. So we’re doing a little bit more because we found some traction in this particular space, the payment space, and it’s near and dear to my heart since I’ve been in it or around it since 1994. That’s it’s still in my personal DNA too.

Christopher Dryden (44:34):

Well. That’s great. That’s

Jeremy Stock (44:35):

Pretty impressive,

Christopher Dryden (44:35):

John. That’s great. Well, John, thank you so much for coming on. Thanks so much for educating me and Jeremy, and hopefully our viewers on what you do and how it impacts our space and businesses in general. It’s been really enlightening. I want to thank you for your time.

Jon Aronson (44:49):

Thank you all for having me. It’s a pleasure speaking with

Jeremy Stock (44:51):

You. Thank you for listening to this episode of the Payments Experts Podcast, a podcast of global legal law firm. Visit us online today at globallegallawfirm.com.