CyberSecurity Podcast Episode 1

June 22, 2022 · 26mins

Hi there. If you’re listening to this, it means you’d like to learn whether your company has a clear grasp of the risks of a cyber breach. If that’s true, you’ve come to the right place. This is Bill Hamelin from CCP Technologies.

And I’m joined today by Terry. Hey, how’s it going there, Bill? Going fine, Terry. How are you today? I’m doing great, doing great. What a great topic we got today for all our clients out there. I know you’ve done a lot of research on this and decided that this is very important to try to get out to our clients.

So let’s not waste any time. Let’s get right to it. Absolutely. Why are we doing this? Well, we know our clients are dealing with the cybersecurity challenge every day. They’re dealing with the decision about how should they react, how should they respond, should they be proactive, should they consult an expert?

How do you tackle this? And so we wanted to put together this podcast in order to provide some background and some thoughts from two experts. Myself, I come from the It security industry. And how about you, Terry?

I come I handle property and casualty insurance, so I deal with a lot of businesses anywhere from medical offices to contractors to other type of professional office exposures. You have a lot of people’s private, confidential information that have a duty to protect that information.

So we get a lot of things that they talk to me about and ask me about and how do I cover this stuff? Is it covered under my normal policies? And we get into some really interesting conversation. Right now, the market for cyber insurance is tightening dramatically.

More claims, they’re more expensive, and it’s harder to attain coverage. So it’s been very vital for somebody to have a great It person that’s involved with their firm and insurance guy who understands cyber insurance coverage.

Kind of mesh the two together. So that’s how me and Bill got involved and how we want to talk to people about this and the ever changing market that is. So we’re going to get into now is a little bit about what is a breach, how often does it really happen?

So, Bill, I ask you, you probably see this a lot because you’re dealing and get that call from clients science. What is a breach and what does happen when that curves? That’s a great question. Right?

So you hear this tossed around all the time. What exactly is this? So a breach happens any time your secure confidential data gets transferred to some untrusted environment, not necessarily a person, just to an environment that gets out there where it can be accessed.

This could be intentional, it could be unintentional. And the root cause, it might be different. But the bottom line is there’s some sensitive data that you have some level of responsibility for and now it’s some place you don’t want it to be.

This can come from malicious code hidden in an email. It can come from a macro on a website. It can come through good old fashioned credential cracking. As far as how long does it take for a breach to turn into a problem, you can think about this as like a leaking pipe in your home.

An attack usually plays out over the course of many days. It can even be weeks and months, depending on how much damage the attacker wants to do. The worst attacks usually take longer to come to fruition because there are a lot of different steps the attackers take in order to get access to your data, depending on what they want to do with it.

You can think of the kind of leaking pipe as drip, drip, dripping, causing additional damage. You can see the leak starting to spread in the ceiling. It gets weaker and weaker. All of a sudden you have a full fledged flood.

You got water all over the floor. So that’s a great metaphor and we’ve all probably experienced something like that in some ways, shape or form, how dangerous water is and how it spreads amongst once it gets going.

And I think you’re right. I think cyber is exactly like that what we get into those types of claims, even from an insurance standpoint. And a lot of people, I think, have a misconception that the person that is hacking into their computer is some guy wearing a hood and sunglasses and some room.

And it might be. But a lot of the times that we’ve seen some of these hackers or some of these events that take place are employees from within the organization who are releasing this info. So it’s not only exterior intrusions, but it’s employees or disgruntled employees who still have credentials to get back into the company that make this happen.

So that’s one of the things we see once you get breached, what are some strategies that people are starting to use to help protect themselves from these types of events occurring? So there are probably as many strategies for protecting yourself, your company, your team as there are different reasons and different outcomes of the attacks.

The bottom line is, because cyber attacks breaches can be so diverse, you really want to have a kind of multilayered, multifaceted sort of defense in mind. Some of this is having tools in place. Everyone knows about antivirus, people might know about email filters, but other pieces are more kind of people and business centric.

You need to have security training in place if you have a large team of folks and you definitely need to have it. Cybersecurity insurance. Terry I would just sort of be curious to understand how you think about.

Where that cyber insurance fits into that kind of protective mindset. Sure, yeah. A lot of the times when you buy business owners policy or a package policy, which usually contains things like general liability or property coverage, a lot of these carriers now are starting to put some data breach or little bit of cyber liability coverage in there, but they’re usually a little more expensive when you go that route.

They’re not as broad as maybe going out and buying a full fledged cyber liability coverage, which might have some broader coverage, not only different types of coverage, but maybe broader limits of coverage that someone could buy.

But as we’ve been seeing, the market starting to tighten up because they’re seeing more and more claims that are occurring, and insurance carriers are paying out on those claims, and they’re more expensive.

We’re starting to see that the rates are starting to increase for cyber coverage, and we’re also seeing them ask for more things to be put in place to even be eligible to purchase cyber insurance. And one of the things that I’m trying to engage my clients to do is to work with somebody like Bill if they do have an It, because I think there’s different levels of insurance agents.

I’m sure you could probably vouch for this, Bill. There are different levels of It professionals. There’s the guy that can come hook up your computer and get your network kind of set up, and then there’s the next phase where they’ve got laptops and they’re using Office 360, and they’re putting multi authentication and stuff in.

They’re doing all your monitoring of your systems. There’s different levels of professional care and advice that you can get. So I try to encourage my clients to deal with a firm like Bills that has the ability not only to help them with.

Purchase of computer equipment, setting it up, but then to protect the equipment and their systems after the fact. And a lot of carriers are asking for those types of things to be in place. And what they find is they can’t even buy cyber because they’re not doing some of the simplest things to even protect their data or their what’s called PII, their personal identifiable information.

So I think it’s very important to engage your It guy if you haven’t, and find out kind of where you stand with protection and engage your insurance person or reach out to Bill or myself if you feel like you need to do that to gain a little, maybe higher level of expertise in those areas.

But what I think a big misconception is we’ll talk about I want to ask Bill a little bit about this right now, is people think, well, it’s not going to happen to me, right? I’m just this little business here in Charlotte who’s going to want to steal my info?

So, Bill, I know me and you’ve dug into some of this. What are some of the statistics that you have seen when it comes to types of claims happening and percentages and things that are occurring in today’s market?

It’s an interesting question. Obviously, we hear about it in the news a lot more often than we used to. There are certainly statistics behind all that. There was a study done recently of 60 different insurance claims, cyber security insurance claims.

What we found really startling is in the last two years, the average ransom that folks are getting has risen from $247,000 for the ransom to $352,000 for the ransom. Wow. What’s that a 40% increase in two years.

So the ransom prices are going up. The number of cyber attacks just writ large has increased by 68% in a single year. And that was in. What’s really interesting about that is the number of attacks has gone up significantly.

The breadth of the attacks has gone down. They’re actually becoming a lot more targeted. At this point in 2020, there were 245,000 reported attacks that went up by 68% in 2021. Wow. And really interestingly as well.

95% of the breaches came from really three main industries, and that’s the government sector, the retail sector, and then the professional sector to include technology, some of the enablers for the rest of the data that’s out there.

And so it’s really interesting. We see it anecdotally every day with clients reporting an email hack. Someone takes over their email account and all of a sudden they’re spamming everyone on their contact list.

That’s sort of one of the most basic attacks is the hackers using your resources instead of theirs to do their ongoing dirty work. It’s happening every day, even in our local market among our relatively small number of clients.

I’d be curious, Terry, you know, during the Pandemic, as people are kind of shifting their attention, the reported crimes, etc. For have you seen anything across the insurance industry that indicates these changes in the way breaches are happening?

Yeah, I think the pandemic all in itself has created a massive change in how one businesses do business, whether it is from employees who used to be in an office environment within a building, brick and mortar that was protected to now working from their home or working from another area in their home, maybe on a laptop, or maybe even their own personal computers, which.

Don’t have the same type of security that an issued piece of equipment from a business computer equipment would have and monitored. So we’ve seen a dramatic increase of people working from home or outside of the business place, which has created huge opportunity for cyber criminals to infiltrate not only a business, but maybe coming through the employees networks outside of the business itself.

In fact, I think some fishing has increased by 600% since the COVID pandemic happened and 300% increase in reported cybercrimes during that period of time. 95% of the breaches are due to human error.

And again. That finds to be true mainly because in my opinion. It’s people moving outside of the controls of a brick and mortar type environment where they’re on a network and now they’re using a personal computer.

They leave them in their car. It gets stolen. They’re not putting the password protection on the laptop and just doing basic things that they need to do. Changing their passwords on a regular basis. So on and so forth.

So, again, those are the types of things that I think they should be talking to their It professionals about and their insurance people about in regards to what do I need to do to help protect this situation now that maybe has changed for me and how we do business and to buy the appropriate coverage to help protect that.

So I think when we get into that, that’s what I get. So what do I do? How can I protect myself? Terry, what is the insurance company asking for? And then what’s my It guy going to want to do? So, Bill, when someone calls you or say I refer a client to you and.

They say, hey, Bill, help me put security more on my systems. What are the types of things that you’re talking to them about? That’s probably the perfect segue into just talking about what some of the real specific steps folks can take.

I think we probably proved the point here that the risk is there, right. The world is evolving, and cybersecurity is becoming more important to all of us. So, yeah, what do we do? How do I know how much protection I need?

How do I know what risk I’m at? Well, the first thing you do as part of getting educated is you assess your risk. You work with a professional. You work with someone like Terry and myself to try to actually quantify, well, what is your actual risk?

Something that you taught me, Terry, that I just think is really fascinating. There are calculators out there on the Internet related to cyber insurance where you can determine, hey, my company is this size.

I’m in this type of industry. I deal with this many clients, these many records, and you can get a calculation of your risk and your exposure. That’s fascinating. You should do that right away if you haven’t done that before.

From an It security perspective, firms like mine, we can perform, and we’ll do it free of charge, a security assessment we’ll walk through. What does your network look like? How do you transit data around?

Do you email files? Do you have a secure website you use? Do you have a portal for some application you use in your business? We perform that assessment, and we can give you a security risk score based report and say, hey, you are kind of in this orange area.

You have a very critical business, and it is at risk. And so we would recommend the following things as part of a kind of layered security strategy. And so I think that’s where you start as you get educated.

And I think. You go from there because it is absolutely the case that there is no one size fits all when it comes to cyber security. But at the same time, there are absolutely best practices that you should be thinking about and you should be determining which of those best practices fit for your organization.

And so, as I mentioned, assess your risk in most organizations with more than just a handful of employees. And Terry, I love that you mentioned that the stat about 95% of breaches actually result from human error.

That usually means someone clicked on a bad link and a bad email, someone used reused a password. So it security training is one of the most fundamental and impactful things you can do. And then there’s the tools, right?

You can have multifactor authentication, which if you don’t have that now on everything, you can have it on you’re wrong and you need to do it right away. And we would be happy to help you with that.

Having up to date antivirus, having firewalls that are up to date, having an external penetration test done, a vulnerability scan done, these are all very specific, very tactical things you can do to protect yourself and that’s sort of being proactive in your security.

There’s also then the reactive side of this, the response side, and this is where it gets really interesting. As I mentioned, there’s no such thing as perfect security. You can use your entire budget on cyber security and there’s no one in the world that would guarantee you you’re not still going to have a problem though hopefully your risk becomes really low.

You need to be thinking about your response. And so Terry, I know from a cybersecurity insurance perspective, or breach related cyber insurance, there are a few things that you need to be thinking about and that you.

You can do. How do you advise your clients about engaging with you if there is a breach? Yeah, I mean, I think one just talking. I mean, one of our core principles of our agency is just education and talking to our clients in a language that they understand, not so much in or C’s.

And I think that has been what has made us successful over the years, is being able to educate them on not only what their exposures are, but how to transfer that exposure to an insurance carrier and have them pick up the tab when something goes wrong.

But what we’re seeing with the cyber is that there are some proactive steps that you have to be taking for you even to be able to obtain cybersecurity coverage now than what it was two years ago. So some of the things that Bill mentioned, like the multi factor authentication, offline backups, annual training with your staff, things like that are very vital.

And once you say you do them, you have to do them, because if you do have a cyber claim and they find out you don’t have multi factor authentication, which you indicated on an application, you might put yourself in a gray area where the claim wouldn’t be covered anyway.

So there are some very important things that you have to be doing, and you even have the option to purchase it. Now. Once you purchase it, you have the coverage. Usually get a hotline that you can call and say, hey, I’ve had a breach.

What do I do next? You know, you want to call your It person. There might be some damage control to do. One of the things that me and Bill found out about if you are hacked or you have an intrusion is that you do have to report it to the local news station for them to announce it to the public, which I don’t know about everybody out there who’s listening, but that sounds like a real big headache to have to deal with and.

First of all, how do you deal with it? What should you say, how should you respond? And those are things that insurance carriers help lines and the programs they have set up for cyber can help you deal with when you get into those type of situations.

So there are some damage control aspects to the whole response portion of it. And then obviously your It guy is going to be involved because he’s going to be undoing the situation of what just happened, whether it’s recovery of your files or to reinstall different new firewalls to block the intrusions, buy new computer equipment if it’s damaged and get a rehooked up.

So it’s a multi step recovery situation. In fact, we often encourage our clients to have a cybersecurity response plan, which in a few years, I believe some of the states are starting to make it mandatory for certain industries to have in place and have it ready to go in case something happens because of the importance of it and the protection of one’s privacy when it comes to your personal identifiable information.

So very important to have a plan, maybe have some coverage, whether it’s on your policy or whether it’s a fullblown cyber policy. But again, it’s talking to professionals who can educate you on these matters and not just the basics and have a higher level of understanding of it and have the ability to help you understand it so that you can make a great educated decision to help protect your business.

So, getting back to that, Bill, one of the things, I think one of the reasons why we wanted to do this is we’ve seen a great need here in our own community. In regards to growing city. There’s tons of businesses that are starting and it’s tough to start a business.

You only got so much money, your budget, profit, bottom line, and you got to spend money for these things to do it. But we both feel like this is something, one, that the community needs to be educated on and two, that you need to invest.

It has to be part of your budget to help protect all the blood, sweat and tears that you’re going to put into your business because it can go away in a heartbeat when it comes to one of these cyber attacks happening.

So I think get out there and I think Bill would agree with me. Talk to your It guy and if you don’t feel like you’re getting a great conversation with them, reach out to Bill. Same thing. Reach out to your insurance expert, see what they have to say about this and if they can help you and if you don’t feel confident with how you’re getting a response, feel free to reach out to us and we’ll try to talk to you and see if we can help you out.

But one is get an assessment, talk with professionals and make sure you’re working with a trusted partner. Bill, would you have anything to add to that before we wrap it up today? I’ll just say we went out in the direction of this podcast because we want to educate the community.

At the end of the day, businesses are local, businesses are people, and right now, those people and businesses are under constant attack. We want to ensure that our community is protected. Education is the first step.

Getting an assessment, which, as we mentioned, is not something you have to generally pay for. Getting an assessment to understand your risk is really the first step you can take. If you take anything away from this podcast, it’s go ask that question of someone you trust and get their honest feedback and.

Again, there’s no one size fits all here, but if you don’t ask the question, you very likely are not going to be protecting yourself in the most appropriate and effective way. And we just want to do everything we can to ensure that the cyber attackers are stopped in their tracks at every point we can.

So definitely appreciate everyone’s time. It’s fun to have these conversations. It’s fun to educate about how to protect against these cyber threats. Looking forward to the kind of next step in this process.

What do I do if I get breached? And go into a little more depth on that, terry, in our next episode, here the honest answer here. A lot of our clients, unfortunately, get breached, despite taking a lot of different measures.

In some ways, it may be inevitable. So we want to make sure that you’re prepared to efficiently, effectively, and conclusively deal with that. So I’m looking forward to that conversation with you, Terry, here in the near future.

Awesome. Me too, Bill. And that will wrap it up for today, folks. Again, Bill and I appreciate your time. Hopefully you’ve gained something from this podcast and look forward to talking to you in episode two.

Thanks again. All right, thanks, everybody. Stay vigilant. Bye.

Full Video link: https://www.youtube.com/watch?v=d6QnUsfzGLY
To learn more about proper cyber hygiene, contact us.