Why Internal Mistakes Are The Biggest Cyber Risk You’re Overlooking With Jay Tokosch

What’s the real cost of ignoring your internal cyber risk? In this episode, entrepreneur and NoteAffect CEO Jay Tokosch reveals how insider threats—often unintentional—pose one of the biggest dangers to company data. He shares eye-opening stories about information leakage, explains why AI is both a cybersecurity threat and solution, and offers practical advice for CEOs navigating risk in high-growth environments. From mobile security innovation to the value of content protection, this conversation breaks down the strategic and technical moves leaders should make now.


We’ve got an amazing guest who has been the founder of seven successful companies, with NoteAffect being the latest venture. He resides in the scenic waters off the Chesapeake Bay. He enjoys boating, fishing, and crabbing in his leisure time. He’s also welcomed three new grandchildren in the last couple of years. I would like to welcome our guest, Jay Tokosch. Welcome, Jay. 

Thanks. It’s a pleasure to be here.

I’m glad you could take the time here. I’m glad you could take time off the boat and join us.

I wish I could boat all day long. That could be a good life. Nothing wrong with that.

I’m right there with you. I’m a sailor at heart, or maybe a pirate. I haven’t figured out which one yet. Maybe with the mint white beard.

 

 

It’d be White Beard the Pirate. There you go. I like it.

Cybersecurity Vs. Cyber Risk: A Critical Distinction

We’re going to jump in here with our lead question of how to get this started. Can you tell me what you think the difference is between cybersecurity and cyber risk?

Cybersecurity, to me, is protecting it before it happens, and cyber risk is the risk that you take when you don’t protect your data. To me, that would define the difference between the two of them.

What kind of risks do you see that come out of that side of things? 

Data is probably more important than anything out there. I read something where they were saying that Tesla isn’t a car company. It’s a data collection company. I was like, “I’d never thought about it that way.” It collects all this data when you’re driving. It collects all the data that you’re doing. It’s nothing but that. That’s very valuable. To me, if you’re not protecting that value for both your own company and the customers you serve, you put all of that at risk. I wouldn’t even want to answer that. I wouldn’t answer for that if you lose it and someone attacks you.

 

 

It is amazing how much data we give to these companies with the trust in a simple click. We truly give them a bunch of data, personal emails, personal connections, and access to those emails. That’s one facet of how relationships are built. We define the data, but it’s being used for things. Protecting it is critical when it comes to that. I agree with you.

If you’re like me, even on the personal side, outside of being CEO of a company, I get mail and emails. My dermatologist said something. I’m paraphrasing. She said, “We got hacked, and your data was included in that. Here’s what we did to stop it, and here’s what we did.” What will they use that data for? I don’t know, but clearly, if it’s valuable and people are hacking it, it needs to be protected. We all have to be cognizant of this new world that we live in.

I had an identity theft happen with a bank that lost my data. I was traveling at the time and was getting multiple hits on my account to try and help with accounts and everything. It has since slowed down. It is that disheartening feeling that you get when you realize that something like that is happening.

You feel violated, right?

It’s one thing to get the email that says, “We lost your data.” It’s the second thing to be the target of the attacks that are happening. That’s the rough part. 

No question. I’m sure we all do this. Once we get that, you have to read through it, and then they’ll give you options to react. You can go on, take your credit scores, and block that so that they can’t use and open up new accounts and do all these different things. It’s important to have due diligence both for your internal staff and for your customers. We take it very seriously, for sure.

The Biggest Cyber Threat: Unmasking The Insider

What would you say is the biggest or the most significant cyber threat that’s facing most companies? Is it just losing data? Is it insiders?

It’s one that we did a lot of research on, because we have a product ourselves that is collecting content. It’s not only collecting the content, but it’s collecting the people’s notes, interactions with the content, the audio, the whole nine yards. We built it, and I was like, “This is fantastic. I love it.” I then started thinking, “I have now opened up Pandora’s box, because normally, through a business meeting or whatever it would be that that content is being shared. I am now recording it. I give them access to go back into it. I give them access to interact with it. It’s always there for them. They can retrieve it anytime they want. They can search for it. This is fantastic.” I opened Pandora’s box because that also opens the way for them to be able to share that and do things with it.

I did a lot of research and found out that 67% of the time, company confidential information that gets shared outside of your company comes from your own internal staff. What’s interesting about that is that it’s not necessarily nefarious. It’s not necessarily that you have an employee who is trying to sell that information to another competitor or do those types of things.

Most of the time, the researchers were telling us that they didn’t know the level of confidentiality of the content that was shared. They thought that they needed to share it with another employee within the organization to get their work done or something of that nature. The problem with that, though, as I looked at it, was that they’re still sharing confidential information. There’s no control over it. That person could be sharing it with someone else.

A perfect example is, let’s say, you’re a manufacturer, and you built a new product. You’re going through prototype stages. You sit down with some of your executives and show them what’s going on, and they talk about some of the engineering that goes along with this. This is a real story, but I’ll leave out the names. After the meeting was over and the information was confidential about this new product, one of those managers went back to one of their engineers and said, “This was going on during that product. What do you think about this? Let me share this information with you.” They shared it with him.

That engineer then sat down with his other engineers who were in the area of the cubicle where he was, and he talked that over with them. They all wanted to do that. Those engineers happened to mention this new product that was coming out to some friends at a barbecue. What happened there? The CEO of the company found out that his top competitor knows about this that’s coming out and has started a campaign.

 

 

What happened there? Innocent, and yet you had a violation, and it came from your own internal group. While we can block hackers all we want, that represents a small amount compared to your own internal staff. That wasn’t nefarious. They were trying to help, and they thought that it was necessary to do that, but the content that was supposed to be confidential wasn’t protected. That became a problem. 

It happens like that a ton of times. Social engineering in the bar, the barbecues, or any number of places with confidentiality or anything else can become a considerable problem. New product dev and betting your company on something like that can cause some issues along the way.

It’s hard to recover. There’s your story.

As a CEO, how do you think other CEOs should prioritize their cyber risk?

First off, as part of their HR package, that has to be thoroughly discussed with the staff, like, “Here are our processes. Here’s what we believe in. This is important.” You’ve got to communicate with your employees. We’re 100% virtual, so I have employees globally. In the EU, they have some different rules and regulations, but even here, we still need to protect ourselves and still need to communicate with the employees on how important it is to protect that and do that.

That’s the way that we’re handling it. At a minimum, the CEOs of companies need to do that. We’re in startup mode at this point. We do use our own product for our own meetings and things of that nature, which helps protect our content quite a bit. At a minimum, they need to do that. I do see other CEOs. I know the last company, when I sold it, as we got into it, they would have regular quarterly training that would test us afterwards. It’s an expensive idea, but a great idea. If you can afford that, that’s fantastic.

 

 

The Double-Edged Sword Of AI In Cybersecurity

The prices are coming down as it becomes more common. Employees have always been a high-risk endeavor. That’s why we do background checks. That’s why we do a number of these things to try and protect ourselves from making stupid mistakes. We’ll put it that way. Keeping track of that and making sure that the employees are doing the right things, even when somebody’s not looking, is important. Having that training and being able to fall back on that is always important. Let me ask you this. You’re in AI, right?

That’s right.

What emerging trends do you believe will have a profound impact on cybersecurity over the near future?

AI is a double-edged sword. You’ve seen the stuff with deepfakes. We have talked about that a million times over. It’s easy enough to use AI to fake an employee or fake different things to be able to get information. That’s the nefarious side of that. That’s doing that. We’re looking at it and using AI to protect us as well. We’re looking at using an AI agent that is looking at unusual activity and things of that nature from there. AI is a double-edged sword. It can be on the bad side of things, and it can be on the good side of things. I’m choosing to look at it from the good side to protect us, and looking at different ways and things that we’re doing with it from an AI agent standpoint that we’ve trained to be that protector.

That’s amazing. We’ll need to talk about that some more. Let me ask you this, though. Put yourself in the shoes of the CEO who found out that they’ve been hacked, whether it’s the first thing in the morning or whatever. What does that journey look like to you? How does that feel?

Knock on wood. I haven’t quite been there. We’ve had some things that were scary, and we turned out to be okay. That fear alone was enough to make me sweat and raise the hair on the back of my neck. If that happens, you’ve got to be calm. You’ve got to be able to figure out, “Where did it happen? What did we lose? How can we recover?”

 

 

I’ve got a good team here. This team came from our technical side. They came from Cisco Systems. They have good backgrounds. They have great pedigrees. It’s hard for any CEO to keep up on this, whether this is your business or it isn’t your business, with all the things that are coming out, the ways that they’re trying to scam you, and security risks from that standpoint. You have to rely on your good people internally to be able to also help you for protection from that standpoint.

If that happens to you, think, “That’s not good, but how do I recover?” Now that I think about it, as we’re talking, you should probably start to build some sort of recovery plans, like, “If this could possibly happen, what will I do?” Have that so that you can refer back to it when that does happen. I’m going to make a mental note here to go over my team with that because I hadn’t thought about that.

You’re not just reacting. You’re calmly saying, “These are the steps we’re going to take to get through this.” My team may already have that and hasn’t shared it with me. I’m hoping that that’s the case. If not, and I’m being straight up honest here, we will get that. We’ll have that. We do have that for our customers’ content. We do have that plan in place because some of the contracts that we’ve signed, we had to have that. We were forced to have that. Internally, not so much, but it is something that we need to do. 

What I heard is that you’re making those cyber risk choices for yourself. The customer data is 100% protected. You’ve got all the protections around it, not just contractually, but what’s right to protect your customer data and to make sure that those things are done. Don’t get me wrong. Your internal data is important, but versus losing the trust of a customer if you were to lose a few documents or something, it’s a completely different story on your internal side versus losing a customer document.

A lot of customers need to go through that journey of understanding what data they have, what data is important enough to protect in that way, and what the cost is for doing that. You don’t have to have the same policy across the board, but you at least have to make those conscious decisions of what those look like. I commend you because you’ve done a great job of at least classifying the data. You can go back and take a look and see what the business requirements are. I’m glad that was an awareness that you recognized.

There are two areas immediately that came to my mind from what we’re doing. Those are the areas that I’ll focus on. The other stuff’s not a big deal. There is nothing there that I have to be as diligent about. We’ve always known that we had to be diligent with our customers’ data because of what we do. That’s been our focus. With a startup, you have to pick and choose. We chose our customers first and focused on that. From there, you come back to your own stuff later on. That’s where we’re at. 

 

 

That is the typical startup mode. We see that a lot from our business standpoint, where cybersecurity gets second billing. That’s why we talk about the priority of where it should fit. Make money first. Get the money coming in and be able to afford it, depending on what kind of system you’re going after. There are certain industries that you can’t go after without having everything in place. For instance, if you’re doing HIPAA-qualified hospitals or something, you have to do HIPAA first. It depends on what regulations you have as well. That’s always a fun journey for people to understand, too. What are you working on that you’re most excited about?

Innovating Mobile Security: New Product Development

We have a couple of things in the pipeline. We’re working on a product. We’ve had this product already in place. We have a patent on it with regard to content protection. Let me go back and talk about what we do first. We take content that is normally presented in a business meeting, education in a classroom, or when you go to an event in a session. That content is generally up on the screen for you to watch. Your notes and everything that you do are all separate from that.

We bind those two together. We broadcast that content down to your digital device, whether it be your phone, tablet, laptop, or whatever. We allow you to interact with it. You can make notes on top of it, favorite the stuff, and do all these different things. We have a nice patent on that piece of it. That’s all kept together. This is what I was talking about before. You can refer back to it and pull it back up as many times as you want.

One of the things that we realized was that it was easy enough to block printing, emailing, or downloading that content, but because 72% of the time that content has some confidentiality portion to it, we needed to protect it. We needed to protect it from screenshots, screen recordings, and screen sharing, like the Zoom meeting we’re doing. If I have permission to go into that content, I could pull it up and share it with you, and nobody’s going to know that I did that.

We figured out a way to be able to block, detect, and report that information if we detect it, and they want us to report it or block it. We’ve moved that into the mobile phone piece. We’re excited about that because we have a customer who is in great need of that. They love it on the laptop. They love it on their computers and doing that. They want to be able to give access, which they haven’t been able to do on their phones before. We’re going to be able to protect them on their phones and do that. We have a patent on that piece, too, to be able to do that. I’m excited about that.

We’re also adding in as a part of that something that we’ve also had before with our shield protect product that will protect you from a mobile standpoint of downloading an app that could wreck your system. It’s real-time app scanning at the point of install. It’s automatically blocking intelligent warnings from that standpoint. There is static and behavioral analysis that goes along with it. It is reputation scoring as we go along.

The app is set up to periodically scan for unusual types of activity that could possibly be taking any of your data that your mobile phone has access to and doing something with that. We’re excited about that because it’s been two separate products. We’re joining those two together and making it available for the mobile phone. 

That’s pretty amazing, I have to say. Between the security part of it, being able to stop the screenshots and everything else, that’s amazing. I’m glad to hear that there are more products like that that are coming out that help protect the data and take that data as seriously as we do. That’s awesome. 

Most people access their data through mobile phones. It’s not always on the computer anymore. These customers have had these situations. In the federal government, for example, you can’t take your phone, put it in a locker, and go inside. That’s great, but then if you need to get in touch with that person, that’s a problem because they can’t easily get to them. They may need their phone for other things. You want to be able to use that technology, but you still want to be able to protect the content and the phone. You can’t rely on the employee to do that for you. Hence, what we’re doing.

The Entrepreneurial Journey: Jay Tokosch’s Seven Ventures

Tell me more about you. How did you get here? This is your seventh successful company. Tell me a bit more about that.

All of my companies have been centered around technology, mostly in software, although I did have a hardware stint there for a short period of time. They say that entrepreneurs build products and services around their own needs. Certainly, that was the case for me. In my prior company, Core-apps, we built mobile applications for the event sector, such as conferences, trade shows, corporate, associations, and for-profit. We had some of the biggest shows in the world as customers. CES, most people recognize that one. They were an early customer of ours, a great customer. We were in Apple’s top five developers when I sold the company. I loved that.

What happened was I happened to go to a trade show. I was looking for specific booths and exhibitors at that trade show, and I was trying to use their paper map. I found out that the paper map was printed out a month before the show happened. Those exhibitors move around. Not the big guys, but a lot of exhibitors move around. They condense space and do all these things, so it’s not exactly accurate. That’s a problem. I want to know what time sessions go off and things of that nature. We came up with the idea of building that app. We did well with it for eleven years and sold that.


 

It’s the same thing with NoteAffect. NoteAffect was one of those, for me, where I had the idea of putting all the content together because I would be, as a CEO, in back-to-back meetings all day long. When I’m done, I’m taking this pad of paper and I’m trying to figure out my own handwriting. I would try to run those initiatives through what I said I would do during my meetings, and I was failing. I wasn’t doing well.

My youngest son, who was home from college, was studying for a test. He had all these papers on our kitchen table with his notes written on them all over the place. I looked at it and I went, “He’s got the same problem I have, except different content.” I started thinking about that, and I started researching. I researched that the way we do things is passive, and it’s the least effective way to learn.

The best way to learn is interactive. How do we take that content and make it interactive? That’s what brought me to that from that standpoint. We used a lot of AI there. We look at things like engagement and participation because we want to help and understand what people want, their interest levels, at-risk students, and all of those things. That’s how it got started.

I started in the education space. Due to being so well-entrenched in the event space, people who were in the event space started hitting me up and saying, “We want to use this for an event. Why can’t we use this?” I’m like, “We call people teachers and students. I don’t think that’s going to go over. I need to modify it.” The base product is still the same. It’s still taking that content, making it interactive, and making it so that you can go back to it, search it, find it, and do all those things.

It has served us well. I’m excited about what we do. As soon as I started dealing with content, I started realizing how much I needed to protect that content. Hence, where we were with the patents and the things that we do. It led me down that road. That wasn’t the road I started out on. I started out on the knowledge retention road with the content and doing all that, but I realized I had to also protect it.

One Action Item To Rule Them All

Let me ask you this. If you were to give our audience members one action item out of this, what piece of advice would you give them?

As an entrepreneur?

Yes.

I coach a lot of entrepreneurs. One of the first pieces of advice that I give them is to make sure that their significant other is on board with this. I’ve had highs and lows. If my wife weren’t on board with this, I wouldn’t be here. You need that person to support you. It doesn’t have to be your wife. It could be your mother, another relative, or whoever’s close to you. From that standpoint, you want to make sure of that.

The next thing I would tell you to do is there’s a book out there called The Mom Test. I found that later on in my entrepreneurial career. It’s a short read. The gist of this book is not to ask your mom about the idea that you have for your new entrepreneurial venture. Since she loves you, she’s going to tell you, “It’s great. You should do it. You do all that.” She’s not looking at it objectively, and that’s not a great way to get started.

The Mom Test teaches you how to ask the right questions and who to go to. At the end of the day, it teaches you how to go back and sell to those people as customers. I found it very intriguing how this person, and I can’t remember the author’s name, put that all together. I’ve recommended that to a lot of the entrepreneurs that I’ve counseled. They’ve all come back to me and said, “I love this book. It’s the greatest thing.”

From there, I’ve put together a process, which works for me, that takes me through whether I’m going to follow through with this idea and do anything with it. I’m one of those people who gets up in the middle of the night and writes down ideas on a piece of paper because if I don’t, I’m not going to sleep. The next morning, I get up and look back over that. A lot of times, it goes back in the trash can. It doesn’t go anywhere. It was something I was thinking of.

 

 

If it does go past that, I built a process for myself. Others should do the same thing if they want to do that. The Mom Test is one of those processes. If I have that idea, I go back, re-read the book, write these things down, and then take myself through that process. It’s seven steps before I get to the point where I’m going to put money behind it and do something with it. 

Put time, money, and love. That’s what it takes. You already answered my other question here, but I’m going to ask it anyway. If you could go back in time and give your younger self advice, what would it be?

If I go back and look at it, when I first started out, I didn’t know I was an entrepreneur. A lot of entrepreneurs think that, too. I was just doing things. I never thought much about that. As I look at it, building the process was the best thing for me. I wish I had that early on because I may have learned and wouldn’t have wasted time and money back then, but then I look at that and say, “I wouldn’t have learned to do this process if I hadn’t gone through that.” That’s a double-edged sword from that standpoint and going there.

Also, realizing what it takes to do this, you have to be all in. If you’re only half in, like, “I’m going to try and work my job to do this,” make that plan of, “Here are the goals I’m going to set for myself to hit doing that.” For a lot of people, as soon as it gets hard over here, they fall back and never get through it. Sometimes, the worst times that you have lead to the best times that you have, and you appreciate it more.

Fail early, fail often, learn the lesson, take the lesson, and then move on and make it part of your life. Everybody has their own experience to fall back on. I love it. Where can people find you? How would you like people to reach out to you?

 

 

The best way to reach out to me is via email. I check that regularly. I always type with my phone, so that’s the best way to get there. You can also find out a little bit more about what I do from our website. Those are the best ways to get in touch with me. If you’re looking to become an entrepreneur and you want to hit me up on a couple of things, I’m happy to answer that. If you need protection, I’m happy to discuss that with you, too, and see if we’re a good fit. We can work from there. 

Thank you. I appreciate you taking the time to speak with me here.

Thanks for having me on.

For our audience, thanks for tuning in. I hope you’ve learned something and will delve into those AI things and protection. There it is. That’s another great episode of the show. We hope to see you next time. Thanks again.

 


 

About Jay Tokosch

Now leading his seventh company, he brings a wealth of entrepreneurial experience and strategic insight to his current venture. Residing on the waterfront along the Chesapeake Bay, he finds balance through boating, fishing, and crabbing—activities that reflect his appreciation for nature and relaxation. Over the past two years, he has celebrated the arrival of three grandchildren, adding a joyful new chapter to his personal life.
