Why Cybersecurity & Insurance is Critical to Your Business
Do you know why you need both cyber insurance and cybersecurity? As cyber and ransomware attacks become more common, small businesses are facing increasing cyber risks. 72% of small businesses that purchased cyber insurance did so after hearing about or being the victim of a cyberattack.
[00:00:00]
Why Cybersecurity and Insurance Is Critical to Your Business
KINDSEY: Good morning, everyone, and thank you for joining us this morning. Looks like it is right at 10 a.m. I’m just going to do a little housekeeping as people join in. At the bottom of your Zoom panel, there’s going to be a chat box and a Q&A box. Feel free to throw your questions in the chat box or the Q&A box and we’ll make sure to address those by the end of the webinar. I think that’s it. Tom, I’m going to go ahead and pass it over to you.
TOM: Alrighty then. Welcome, everybody, to the webinar. This is a unique one. It’s the first time we’ve done one on both cybersecurity and cyber insurance.
Davin joined our team last year, and he comes to the topic of today’s webinar from a unique perspective. He is both a licensed insurance agent, and now he is an infosec specialist, or an infosec consultant would perhaps be more accurate. Today, Davin is going to share with you this – it’s a closely related thing. I would not be surprised if many of you have cybersecurity insurance, but you don’t know what to do to get good cybersecurity defense in place. That’s what we talk about all the time, every time, and we try to approach it from different angles.
What Davin’s going to talk about is not only – historically, it hasn’t been a close relationship, but Davin’s going to talk about what we’re seeing in insurance right now from the underwriters and things because they’re getting hit nine ways to Sunday on cybersecurity claims. Some of them are leaving the business; others are raising their premiums 200-300%. Others won’t even underwrite a policy if you don’t have your ducks in a row, you don’t have good security. So we’re going to talk about all of those things in the next coming slides.
Having said all of that, I’m going to turn it over to Davin.
DAVIN: Thank you so much, Tom. I’m glad to be here today. That was a great introduction. As you see, I am a cybersecurity – Tom did mention infosec; you’ll hear that word tossed around a little bit between cybersecurity and information security. So don’t get confused if we switch that around a little bit, but I am a cybersecurity specialist with a background in insurance. I’m with IronTech Security. As you see, we’re a managed security service provider, which is an MSSP – which you’ll probably hear often, especially in the next coming months. We specialize in securing organizations, one-person firms, medium-size, large businesses, from information theft and breaches.
Before we get started, just for my curiosity, if anyone has experienced a cyberattack or knows anyone that’s experienced a cyberattack, put in the comment box a “Y” or a “Yes.” I just want to see what kind of audience we have here today.
TOM: Especially a ransomware attack.
DAVIN: Yeah, especially a ransomware attack. We’ll go a little bit deeper into ransomware attacks. Of course, if you’re not too fond of that term, you’ll learn about it today.
[00:03:27]
What You Will Learn
Like Tom mentioned, of course, we’re talking about cybersecurity and cyber insurance today. You’re going to learn about good cybersecurity practices. You’re going to learn about ways to protect your business in 2022, and not only your business, but also your clients. We’re here to learn about the questions and scenarios you should be asking – but overall, how to prepare for a cyberattack, for that ransomware attack. Regarding cyber insurance, of course, it’s continuing to change. It’s changing right now. There’s always changes in underwriting requirements that you all will be experiencing here soon, as well as current trends and overall increases in price projections as well.
Of course, this is about both cybersecurity and cyber insurance. We’re going to learn about why both are necessary and essential to your business, not only in 2022 but forever in the years to come. Cyber threats, you’ll learn today, they’re not going away. They’re happening every single day. They’re changing, they’re adapting, and so we have to as well.
Finally, we’re going to learn about what to do, the first steps to take, how to secure your business. We’re going to give you easy tips, step by step, what to do so there’s no confusion and you’ll have the tools and resources to overall protect your business and your clients in the right way.
[00:04:50]
Cybersecurity
First, cybersecurity. What is cybersecurity? Just a definition: it’s the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. Now that we know what cybersecurity is, we can move on to cyber insurance. No, I’m just kidding. We know a little bit about cybersecurity, but we’re going to dive in deeper, of course. But first we’re going to get some myths out of the way.
[00:05:21]
Common Myths
First, we hear this often, every single day. 24/7, that’s what we’re doing, cybersecurity. We often hear “We’re too small.” Like I said, we work with one-person firms to middle-size and large businesses, but just last week, actually – it’s January 20th. Last Thursday, a lady called me. She’s an entrepreneur, single-person firm, runs her own business. She’s been doing this for years, and she just, in this month of 2022, has had to change her phone number and all her login credentials three times in the past month, just in January of 2022. She’s experienced that and had to change all of those credentials and everything because of cyberattacks over and over and over again.
That goes into another myth that we’re going to talk about later, but you’re not too small. Just a one-person firm or a 100-employee company, you’re at risk. Everyone is at risk. That’s another reason why cybersecurity is important.
Another myth we hear is “Cybersecurity is expensive.” Like I said, that’s a myth because the bare minimum just to secure a workstation is $20-30 a month. Compared to the average ransomware payouts of over $100,000 – every 11 seconds, a company was hit by ransomware back in 2021, and that number is going to increase in 2022. The fact that paying victims only recovered 65% of their data – now, when you think of it in those terms, protecting your organization, your clients, your business for just a piece of what a ransomware payout is really doesn’t sound that bad.
The next one is what we hear very often, probably every single week: “Antivirus is good enough. I’ve got it, we’re good, we’ve been using it for years. That’s all I need.” That’s false. I’ll break it down very briefly. The way antivirus works is it’s looking for a malicious code, malicious logs that are already known. They have to be known, so they have to be 3-6 months old, be whitelisted, and then the antivirus is going to look for it and make sure that attack doesn’t happen.
But think of it this way: they’re looking for threats that are 3-6 months old. To put it in perspective, say you go home, your TV’s stolen, your security alarm doesn’t go off. What can you do? You can report it, but nothing happens. Your TV’s already gone. You’re sitting on the couch 3 months later and the security alarm goes off. That’s basically the same thing. The threat’s already happened. You can’t do anything about it, but then 3 months later, it catches it and it’s too late. So nowadays, people need something that can monitor and analyze and find threats in real-time, 24/7. We’ll talk about those in the tools that you can utilize for your company to have that security. But antiviruses are just not doing it anymore. They’re old.
Another one is “We already have cybersecurity insurance. We don’t need cybersecurity.” Of course, that’s what this whole webinar is about today: why both are essential. We’re going to debunk that myth throughout this presentation.
Next is “We’ve survived a ransomware attack. We’re all good. Won’t happen again, ever.” Of course, just from the first example of the lady experiencing a ransomware attack or a malicious cyberattack three times in one month, just one lady, you can see that that’s false. Factual is when you have a cyberattack, almost 75-90% of the time, they’ll create a backdoor. You think everything’s clean, everything’s clear, but the backdoor they created makes it easy for another cyberattack to happen, again and again and again. That’s what we see often. Businesses experience two to three cyberattacks in maybe the past 6 months or year, and now they’re finally getting something in place to make sure it doesn’t happen again, once it’s too late.
The next one is “Cybersecurity is an IT issue.” There’s a difference between information security, cybersecurity, and IT. I like to think of it this way. If I had a heart attack – knock on wood – I’d prefer a heart surgeon work on me. Now, there’s heart surgeons and there’s brain surgeons, and they both work in the medical field, but they both have their specialties, just like IT and infosec. They both work in the tech realm, but like I said, there’s a team of IT specialists and there’s a team of infosec specialists. They have to work together for the client to make sure their network is safe and secure and running smoothly, but they both have their specialties that they work on every single day, 24/7.
Tom, do you have anything to add to that? I know you’ve been working with these myths forever, so you’ve probably heard all kinds of things.
TOM: Yeah, a couple things. One of the reasons that there’s no such thing as being too small or being in the middle of nowhere is irrelevant is because the vast majority of these ransomware attacks aren’t the Colonial Pipelines or the JBS Food Supply or the meat packer up there – the ones you see on CNN that are $4-5 million, $10 million ransomware demands. The vast majority are the $5,000 and $10,000 ransomware. For the two of you that answered in the affirmative on that, that is the bulk of these attacks. And they’re automated and they’re done at scale. They don’t know who you are, they don’t care who you are. They deal with terms like “conversion rate.” They’ll blast out 100,000 emails. If just 1,000 people become a victim, multiply that times $10,000 each, on average, for the ransom payment – you can see that a $10 million payday for a week or two of work is very, very lucrative.
A little bit more about cybersecurity and IT. Every single day, this is something I stress more and more and more. And it’s not just me; Davin’s going to show you in a slide coming up – I think it might be next – it is two entirely different specialties. You want your IT people – and it doesn’t matter if they’re on staff or you outsource it or whatever – to concentrate on keeping everything running, not going down, not having helpdesk calls. Just make it run so that technology fades into the background so you can do your work. That’s why you invest in technology, computers and servers and routers and switches. It’s about the bottom line. It increases your efficiency, your profitability.
Cybersecurity or infosec is about protecting your organization, your people, yourself, your clients, and even your vendors. For some of you, we’re talking about protecting entire communities, maybe entire states, maybe the nation for some of you. It’s important to understand that that requires an entirely different skillset. It requires an entirely different way the organization runs. A cybersecurity organization is designed to be johnny-on-the-spot. A 4-hour service level agreement for a cybersecurity company is inadequate. That’s what a typical IT company has either promised you or that’s how they work. They don’t let a ticket just sit there with no response or a phone call with no response, and they try to get to you within an hour or two, no more than four. That’s best practices.
In our world, minutes count, just like a fire department. But if we’re not already in place, we can’t respond. So if you’re waiting – “I’ll contact a cybersecurity company if we have an incident” – you’re already behind the 8-ball. Companies like us, that’s not our specialty. When that happens, we have a client contact us with an event that happened last week or yesterday or they’re under attack right now, we don’t have any of our defensive tools in place. And that potential client becomes a threat vector to us, and we can’t risk it. There’s a whole different specialty in cybersecurity for that type of incident response.
But the key to it is putting it in place, and Davin’s going to show you that that’s not just me, it’s not just IronTech or Davin saying it; it is best practices for all businesses and organizations around the world, really.
DAVIN: That’s right.
TOM: Toss it back to you, Davin.
DAVIN: Thank you for the explanation and a little deeper dive there. From that, we’ve got the myths out of the way. We know what people are saying that’s not exactly true. Now we’ll move to what are actual good cybersecurity practices.
[00:15:08]
The 5 Things
That brings us down to the 5 things. Anne Neuberger is a White House Deputy National Security Advisor for Cyber and Emerging Technology. I have no idea how she fits that on her business card. But she’s a White House official that’s urged all businesses and really everyone to implement 5 best security practices. We call those the 5 things when we talk to our clients and individuals.
The number one thing is a skilled security team. That’s a skilled security team of information security specialists. What you should expect from them is, one, of course, the 5 things we’re going to discuss – but first, they should be able to help you reveal your current risk and vulnerabilities that you have right now. From that, you develop a plan to put some security controls in place to make sure those vulnerabilities are taken care of. Of course, they orchestrate that and they have plans, policies, and procedures in place to make sure nothing happens, and when something does, they can react and get to it quickly, make sure it’s taken care of, and overall make sure it doesn’t happen again. They have security tools that we’re about to talk about, such as the EDR.
What’s EDR? It’s an endpoint detection and response tool. Some people call it an endpoint threat detection and response tool. This is a tool that you need to monitor 24/7 in real-time. Like I said, antivirus is old, and this is what you need now. The way it works – it doesn’t look for malicious code, things like that. It’s looking for malicious activity, anomalies, things that shouldn’t be happening which usually result in a cyberattack.
For example, say you click on a Word document. When you open that Word document, there’s specific activity that’s supposed to happen every single time. If you click on it and something out of the ordinary happens, that EDR is monitoring, so when that happens it can isolate that activity, analyze what’s going on, and it’s using one AI and human specialist to analyze that threat and either kill it immediately or whitelist it and let it keep going through, and you go about your business.
To me, I put it into perspective as like a Ring doorbell. A lot of people have those. My mom even has one on her front door. It monitors the activity that’s going on outside, and EDR can also do inside. It’s monitoring what’s going on, and when someone comes up to the door, if it’s a threat, it lets the owner of the home know, and then you can either tell the threat to go away or allow it to go in. To put it into perspective, it’s an amazing tool. If everyone had this, the world would be a lot safer. You wouldn’t have to worry so much when you sleep at night. EDR is very, very important.
Next is encryption. Disk encryption is on most mobile devices and almost all iPads, phones, but it’s a technology that protects information by changing it to unreadable code for unauthorized users, attackers, possible cyber threats. Tom, could you tell them a little bit more about encryption and how it’s used?
TOM: Yeah. What Anne is saying here – and these are 5 things she pulled out of President Biden’s executive order for all government agencies that they’re mandated to have all of this stuff in place. What she’s doing with this letter – well, there’s a couple things. The U.S. government can’t stop this. They have limited means. They are designed for offensive cyber warfare, not defense. The United States doesn’t have a cyber mercenary force like Russia, and that’s where most of these attacks are coming from. There’s others from Iran and China and some other untouchable places for the criminals to reside in. But what she’s saying is you’ve got to turn on disk encryption for your stuff. You need to encrypt your data at rest.
What does that mean? That means your servers. That disk needs to be encrypted. Your workstations have to be encrypted, your laptops, especially any portable devices. Because if you lose it or it gets stolen, it’s real easy to read the data that’s on any of the disk. You might be thinking, “Nobody’s going to break into my office and steal a desktop or a server.” Well, I would argue with that. That still happens, believe it or not.
But more importantly, what happens to that equipment if you retire it or you donate it or you give it away or you recycle it? If that data is not encrypted, all you’ve got to do is plug it into a USB port and read it. It bypasses all the Windows security. Doesn’t even care what the operating system is because it’s got direct disk access. If that disk is encrypted, it can’t be read. There is a huge business on eBay and other sites where people buy used disk drives and mine it for data. Then they’ll sell it on the dark web, turn it over to Wikileaks, whatever they can do to make a buck. So you’ve got to encrypt all your stuff.
If you’ve tried it in the past and it slowed everything down, it’s not like that anymore. You will not notice that it’s running. It’s built into all operating systems, and it doesn’t cost anything to turn it on. I think Windows might turn it on by default on Windows 11, but don’t hold me to that. If you’re using any of the Apple products, it is on by default and it’s really darn secure. It’s something really easy that you can immediately turn on after you get off this webinar.
DAVIN: Yeah, very easy tool that you can do yourself, but of course, security team as well.
TOM: Do you want me to talk a little bit more about that EDR?
DAVIN: Yeah, add a little bit. What’ve you got for that?
TOM: I think the important thing is to understand an EDR, endpoint detect and respond – an MEDR or MDR is managed. So if you’ve got a skilled security team, and any MSSP worth their salt is going to manage it, it has a neural net. Davin mentioned artificial intelligence / machine learning, whatever you want to call it – there are technical distinctions between those two terms, but we don’t want to get into that.
But in fact, our primary EDR, within seconds of a new threat being discovered anywhere in the world, every agent around the world is updated to look for that threat because it has a neural net. Those of you that drive Teslas and you have autopilot, every time you go down the same stretch of highway, all Teslas get smarter and smarter and smarter. It’s a very similar thing. So when it detects a new threat in Tokyo that just broke out, a brand-new undiscovered threat, using artificial intelligence it learns exactly what to do and immediately, at the speed of light practically, every single computer protected by that EDR around the world knows to look for it – knows what to look for and how to stop it. It’s really cool technology.
DAVIN: It is amazing. It really is. Like I said, that’s a reason why if you started with the EDR, your security level would be 10 times what it is now. Thank you for that, Tom.
Next we have MFA, which is multifactor authentication. A lot of you have probably used this for something, at least, but it’s a very valuable security tool, especially for remote work. Of course, since COVID, a lot of you here have probably worked from home or you might be working from home right now, or maybe some of your employees have. Maybe even a hybrid model – work from home half the week, other half in the office. If you have to remote in to your desktop at work or if you have to remote in to your server or any data, really, MFA should be required. It should be an essential security tool for all your employees for your whole organization.
To put it in perspective, if someone gets access to your credentials and you’re working from home, they log into your workstation, they have access to everything. But if they get your credentials and you have the MFA, they try to log in, they also have to steal your phone. Personally, my phone is always right here in my pocket, and it goes from my pocket to my hand to my head. It’s pretty hard to steal. That’s why MFA is a necessity. All of our clients are required to have MFA if they use remote work, and of course, we use MFA every single day.
It’s super easy. Simply type in your credentials when you log in, get a text to your phone, click yes, and you keep going about your business. Doesn’t slow down any operations, but it’s a necessary security tool that you have to have.
TOM: Yeah, and once again, this is something you can start using immediately after this webinar. From our perspective, you need to get another service product from us for remote desktop access, remoting in to an office computer, and there is a little bit more money for that. But you can do it for free with Google Authenticator. You can turn it on on your Amazon account, your Facebook account. How many people have gotten a message from somebody on Facebook that says, “Hey, ignore any messages from me, my account got hacked”? If they had simply turned on MFA, that would never have happened. And it’s free. You can do that immediately when you get off this webinar.
What Anne is saying in her letter is turn it on and use it everywhere it’s available. Bank accounts, social media – if you go into the security settings, you will be shocked by how available MFA is. And once you turn it on in a couple of places once or twice and learn how to use it, it’s a breeze after that. It’s not a big learning curve at all. And our technology, what we do with Windows Workstation, you don’t even have to type in a number. You just hit OK on your phone. It’s really neat.
Once again, the vast majority of the things that you need to turn on MFA for are free.
DAVIN: Yep. Next is one of the most important, partnered with that security team: continuous defense improvements. This is another part where that skilled security team comes in. Like I said, they’re information security specialists, cybersecurity specialists, and they live and breathe cybersecurity 24/7, all day, every day. They have to keep up with the changing cyber threats. You have to make sure that you have the best of breed, the best of the best security tools on your organization because you should not settle when talking about security. You wouldn’t settle for a wooden bolt lock on your front door. Somebody could easily kick that in. I’d prefer to have some brass or steel on my bolt lock on my front door.
It’s the same thing. You’re securing your organization, you’re securing your employees, you’re securing your clients and customers, and they deserve the best of the best security tools. So that’s what you should have. That’s what you need, and that’s what your security team can make sure you have. Those cyber threats change every single day, and the security tools have to adapt, and you have to as well.
Your security team should also keep up with what’s going on in the world. Tom, there’s been update after update after update with cyber threats going on overseas that will have an effect on the U.S. probably here in the next month or coming months.
TOM: Right now we’re on high alert over the Ukraine deal. And don’t kid yourself in thinking that you won’t be affected by that from a cybersecurity standpoint. Russia is already conducting cyberwar on Ukraine right now. Of course, they’ve done it in the past with Ukraine. They actually used Ukraine as a test run. All of the nation-states have developed really good cyber warfare. The Russians are masters of social manipulation, but they’ve got other really good offensive weapons too.
Let’s just say Putin is going to invade Ukraine. If he wants to keep the United States busy and make things chaotic here, all he’s got to do is put a message up to his criminal cohorts, his cyber mercenary force in Russia, and just say, “Attack all the law firms and water utilities in the United States at will.” Just imagine if it’s only 100 tiny water utilities or tiny, tiny law firms. That’s going to make CNN headlines, and everybody’s going to get nervous. And they’re going to be real attacks.
So we have to stay up-to-date on all of that. We have to stay up-to-date on new threat technologies, new tactics, techniques, and procedures that they use. We’ve got to stay up-to-date on who the threat actors are, all the way down to the groups, like REvil and other – it’s a huge business. The criminal hacking industry is a huge, huge business, and they’re very good. The days of phishing emails where it’s got a bunch of bad grammar and misspelled words are rare. When I see one of those these days, I get a chuckle. It’s like, wow, this is amateur hour. These emails that they use to plant ransomware are so good, they can fool infosec specialists. The reason I know that is because we simulate those attacks every week in our office, and there’s only one person in the company that’s got a perfect score on them.
DAVIN: And that is not me, I can tell you that. [laughs]
TOM: And it’s not me, either. But I’m telling you – the president of the company, 3 or 4 months ago, he had to do something with his Gmail or Google account or whatever it was – I don’t know if he had a new phone or a new laptop or whatever it was – and just coincidentally, he got one of those test simulations, one of those phishing simulations. It was purported to come from Google Authentication for his account. He fell for it. And that’s all it takes. So don’t think you won’t be fooled. These are top-tier con artists, masters of psychological manipulation on compromised websites or these emails that people get.
Your skilled security team’s job is to stay on top of things and to continuously change your defense posture to match what’s happening in the real world. And the skilled security team, the EDR – you can’t buy EDR off the shelf. You’ve got to get it from a professional security organization. What it means, and what Anne is saying here, is this is not do-it-yourself anymore. You don’t just go buy an internet security suite at Best Buy anymore. It’s not adequate. I think it’s about useless, myself. But that’s what Anne’s saying. You’ve got to have that security team to monitor for what’s going on, to continually update and change your defensive tactics, your posture, look for new defensive technologies, look for new defensive administrative controls. That’s what you’re going to do. It’s the cost of doing business these days.
DAVIN: That’s right. And these are just the bare minimum recommendations. These are just 5 things. There’s multiple security tools that you can implement for your organization. These are just bare minimum. If you can honestly say that you have these 5 things and your business is secure, just drop in a comment. You can put quotations around it and say “Thankfully I don’t have to worry about a cyberattack because I have these things in place.” I’ll wait a little bit, but I have a hunch that the comment box might be empty.
For cybersecurity, this is what you need to get started. We’ll talk about some first steps in a second, but before that, we’ll talk about cyber insurance.
[00:32:34]
Cyber Insurance
What do we know about cyber insurance? It’s been around for a little while now, but in the past 5 years it’s become an essential to all businesses. It’s become a necessity. You might even see it with your full business insurance package. It might be included. But you’ll definitely be hearing about it a lot more in the next month, and definitely this year. Cybersecurity insurance is rapidly changing regarding underwriting, security environment, the requirements, and a lot more.
Like I said, I come from a background of insurance and I’ve been able to study cyber insurance. I met with a highly respected insurance provider, and we talked about how cyber insurance is changing from an insurance provider standpoint as well as the buyer’s standpoint.
From a provider standpoint, some changes you’ll see – and if there’s some insurance specialists on here, you’ll be expecting these soon, and you might have to implement some of these – insurance providers are seeing an increase in attacks. With increase in attacks comes frequent payouts and lots of underwriting losses. How do you mitigate the risk of those costly claims? One way is that rates must increase. And they’ve been predicted to see double-digit increases just in 2022, just this year. That’s not projections for 2023. It’ll only increase. If you have a cyber insurance policy, you can expect it to increase.
From an underwriting standpoint, they’re increasing cybersecurity practices and requiring those. They’re increasing the requirement of those practices, such as the 5 things that we just talked about. You may see an email coming out in the next couple months that those things are required for your organization for your cyber insurance policy to be valid. You’ll need documentation proving your security measures that you have in place. You’ll have to have policies, response plans, procedures, and even employee cybersecurity training – which is another great security tool and security measure that I highly, highly recommend.
Another thing you’re going to see from insurance providers, or insurance providers will have to do, is coverage restrictions and exclusions from specific types of cyber incidents. Also, all over the states, and specifically in Virginia, insurance companies are being required and regulated by the Virginia Bureau of Insurance that they have to have an information security program in place. They have to investigate all cybersecurity events. They have to notify the Commissioner of Insurance of Virginia of cybersecurity events. They have to notify all their customers affected by cybersecurity events.
So as an insurance provider – this isn’t just in Virginia; Arkansas, Florida, California – you might have to prepare for these changes that are coming, these requirements that are coming ahead. Like I said, cyber threats aren’t going away. We’re going to have to change, and insurance providers are going to have to change as well.
From a buyer standpoint or business owner standpoint that has to have this insurance policy, you’re going to experience those higher insurance rates. You’re going to be required to have those security measures in place. You might also have a hard time finding or getting approved for a cyber insurance policy because of the decrease in risk appetite in those coverage offerings. A lot of those coverage offerings are going to exclude ransomware attacks. As we talked about recently, ransomware is the largest cause of cyber claims in the past 5 years, and of course the most expensive.
One piece of advice I do have is if you have a cyber insurance policy, I advise keeping it separate from your business policy because if you have a cyber event, cyberattack, and it’s connected with your business policy, expect 100% that your rates will increase – just like if you’re in a car wreck, your car insurance will increase, expect your business policy to increase. So I advise having a separate cyber policy from your actual full, total business policy.
Do you have something to add, Tom?
TOM: Yeah. A friend of mine is the president of a pretty good-sized independent insurance agency here, regional. I do stuff all over the country – but his underwriters, he’s seeing 20-40% increases, but that’s because it’s just a couple or three underwriters that they represent. But what we’re seeing nationally is some reports of 200-300% increases in plans. We’re seeing insurers getting out of the business altogether.
We’re seeing other insurers doing very in-depth applications and assigning risk to your firm, your organization, based upon if you’ve got the 5 things in place. Do you have security awareness training? Do you use password managers? It’s real in-depth. You have to have an infosec specialist to fill the application out. And if you check one box wrong they’re going to deny the claim, and I’ve seen numbers ranging anywhere between 20-49% of claims are going unpaid. They’re being denied because somebody checked the wrong box on an insurance application.
Another thing that’s not insurance: we’re starting to see banks, lending organizations, increasing loan interest rates for clients that have suffered a data or security event because it’s a bigger risk to them. They know the numbers. Companies that have a successful breach, there’s a good chance you might go out of business. Those of you that trade on your reputation – accounting firms, financial firms, law firms – you can’t buy back your reputation. You have no idea what kind of collateral damage can come out of it. You may ruin somebody’s life, and now you’re open to civil suits. There’s a real threat of civil fines.
No matter what industry you’re in, it is quickly going to be regulated, regulated, regulated and you’re going to be required to do the 5 things and other stuff to secure your data, protect your customers, your clients. I tell everybody every day, this is the cost of doing business. You can’t do it yourself anymore. Maybe you do your own IT. That’s fine. But security’s got to be Job 1 now. It’s not an add-on. It’s not a bolt-on anymore. It’s got to be Job 1.
If you want to continue doing your IT and all that stuff, that’s fine. You’re pretty handy at it, you’ve got somebody that you call maybe once a year, it’s a little outside your wheelhouse – that’s fine. But you can no longer treat security as a nice-to-have. You don’t think of it as an add-on to IT. You put security in place with skilled professionals first. That’s what smart, visionary leadership is doing right now.
DAVIN: That’s right. Speaking of leadership and what you can do, it leads us to why cyber insurance and cybersecurity are both essential, just like Tom was saying.
[00:40:36]
Cybersecurity & Insurance
If you have one, you have to have the other. Think of it this way: as a homeowner, if you’re a homeowner – or if you’re renting a home, I can guarantee you the owner of that home has this – and that is a smoke alarm or fire alarm. That’s a security measure that’s required by your home insurance provider overall for your safety. Underwriters want to avoid a total loss. One question they ask on the application when filling out a home insurance application is how close you are to a fire station. Seems simple, and you don’t really think about it, but they’re trying to avoid a total loss, which is very, very important.
When you think about car insurance, everyone here has to have car insurance if you have a car. If you have anti-lock brakes on your car, I can almost guarantee you’ll get a discount on your car insurance. It’s a security measure that you have that helps you deter or make sure you don’t have a bad wreck or keeps you safe, once again avoiding that total loss of your car and insurance payout.
Cybersecurity and cyber insurance have the same relation. Car insurance is necessary. Cyber insurance is now necessary. It’s an essential. And with necessary insurance comes required security measures right there paired with it. It’s been like that for years, and it’s going to continue to be like that. You have to expect these security measures, and you have to have these in place.
We’ve learned about cybersecurity and cyber insurance separately, but when you pair them together, there’s no friction. There’s only benefits. Cyberattacks are real. You can ask any insurance provider. Tom and I have met with multiple insurance providers in the area, and they have had their hands full with cyberattacks and cyber payouts all of 2021, and multiple just in the last 3 months of 2021. So they’re making a change. They don’t want to deal with these costly claims, these payouts. They’re requiring security features, security measures for their clients. The attacks aren’t going away, so they’re adapting, and business owners and businesses all over have to adapt as well.
It’s not if your organization will be attacked; it’s when. And that’s a fact. So what do you do?
[00:43:17]
First Steps
This is step by step what you should do, in order. Plan with your information security team. Like I said, they should reveal your risk and vulnerabilities. You have to know what you need to protect, what your risks are. Then from that, you put that plan in place. You figure out what security controls you need to take care of those vulnerabilities. Then your team takes care of that. They take care of your policies and procedures that you have to have. You have to have a response plan when something happens, and that’s what that team is for.
So those first two go together. You have to create the plan with your team, with your specialists, and then you have to implement the plan. You have the resources at your fingertips. You know the 5 things. Now you have to implement the security measures.
After that, talk with your insurance advisor. Make sure you’re compliant with the security controls and security measures they require if something does happen for that claim to be paid out. You have to make sure that you’re meeting their needs, but also that your needs are met as well regarding your insurance policy. If something needs to be changed or adjusted, that’s when you do so. You have all the information; you already have the tools in place. If there are changes that need to be made to meet your needs for your company as well as your insurance provider, then you make them.
The last and final step is what you’re doing right now: education. Make sure you know about cyber threats. Make sure you know about cybersecurity. You have to know good cybersecurity practices so you can make efficient and effective decisions. But also knowledge is only as good as it’s used. It’s all about doing it. You have to do it. You know the need and you have to meet it.
Tom, do you have anything to add regarding those steps?
TOM: Yeah, a little bit. If you do the planning with your infosec stuff, you’re going to get the 5 things. We’re also seeing it depends on the underwriter and the way they do the application process. Are they analyzing risk and then assigning the premium on that? We’re seeing that those underwriters that do it that way – if you’re a high risk, you’ve got to pay $10,000 a year; if you’re low risk, you’ve got the 5 things, you’re doing security awareness training, maybe it’s only $2,000 a year. That’s an $8,000 difference. They do the premiums. I’m just using that as an example.
Those of you that are at high risk, you’re going to pay $8,000 more or $5,000 more or $3,000 more for cybersecurity insurance. But if you do the 5 things, or maybe a couple of other things to really beef up your security posture, it pays for itself. The stuff that you put in to defend your company is cheaper than the premium increase. Not to mention the fact that you don’t want to rely on insurance to make you whole. It’s just like all other insurance. “Worst-case scenario, at least I’ve got insurance.” That’s worst-case scenario. It will not make you 100% whole.
So yeah, it’ll pay for itself. And if you’re not in an industry that’s regulated right now, you will be. I promise you. I’ve seen it for years. Everybody knows about HIPAA laws. At first it was a recommendation, and then the Office of Civil Rights, who enforces the HIPAA laws, the privacy laws, the patient health information, said, “We’re not going to fine you; if you have an incident, let us know. We’ll look into it and we’ll both work together to figure out what went wrong.” Then a couple years later, they immediately started fining out of the box. As soon as you report an incident – which they’re required to do by law – immediately start with the fine first. Because they gave them fair warning, and they didn’t heed it. They had an egregious security gap, and patient health information was released or acquired by criminals or nation-states or whoever the hacker was.
I’m telling you, I’m seeing it, and it’s changing rapidly. Critical infrastructure is changing rapidly. Those of you that are in water utilities, that [unclear 00:47:55] was just the first step. And it was wholly inadequate, as far as I’m concerned. But believe me, the EPA and other departments are going to enforce it, just like they have in the electrical industry, just like they have with accountants. Accountants are changing. There’s a difference between ’21 and ’22 with their regulations and compliance. It’s rapidly, rapidly changing. Every day you wait to put in good security is a day that it could happen to you.
So your first step is to know the condition of your ship. Find out where you are, where you’re vulnerable, and then get protected. That’s it.
DAVIN: That’s right.
[00:48:40]
TOM: Oh, Davin, at the end – we’ve got about 12 minutes before the top of the hour. I’ve got a surprise that I want to show everybody, if we can carve out just a couple of minutes.
DAVIN: That’d be perfect.
TOM: You guys will like this.
DAVIN: Yes, you will.
TOM: Hang on till the end and I’ll show it to you. I think you’ll really like it. It’s kind of cool.
[00:49:03]
Takeaways
DAVIN: The goal today was to give you valuable information, and now you have the knowledge and resources to make those decisions you need to make to protect your business and overall make sure your clients and employees and your organization are taken care of.
The final step is I strongly, strongly advise you talk to professionals. Talk to the specialists in cybersecurity, cyber insurance, and get their advice. They will tell you what to do. They know what to do. They deal with this every single day. That’s what you need to do. I hope this was beneficial. Of course, we both look forward to speaking to you all again.
[00:49:41]
Speak with an Infosec Specialist
We’re going to run through this briefly, and Tom has a surprise. If you want to start off right and speak with an infosec specialist, that first is a link. It’s meeting.irontechsecurity.com. That’ll take you to a website where you can schedule a short meeting where you can, like Tom said, discuss your ship, find those vulnerabilities, get a plan together, and get started. You can also send us an email at sales@irontechsecurity.com. Or if you just want a short phone call to answer some questions, right there is my personal line. Call me. I’ll answer. If not, might be at lunch. No, I’m kidding. [laughs]
TOM: You don’t work 24 hours a day.
DAVIN: No, no.
TOM: You might get voicemail.
DAVIN: Yeah. But I’m excited to talk to you all. I want to answer questions. I want to hear your thoughts on cybersecurity. I want to hear about your organization. So please, feel free to give me a call.
You might see at the bottom there, it says $300 off NIST-CSF Assessment. That’s an assessment that is nationwide, and it’s a good assessment to understand your current risk and vulnerabilities. It gives you actual data, and you get a document showing everything. It gives you immediate recommendations to put in place. We walk you through that assessment at the end and we give you recommendations and show you exactly what you need and how you need to protect your organization and how we can do that for you. That’s a $300 off special. If you’re interested in that, please feel free to reach out with those links below.
Now I’m going to pass it to Tom real quick, and he’s going to hit you with a surprise.
TOM: Yeah. Real quick on the NIST Assessment, that’s a very time-consuming, in-depth assessment of your vulnerabilities. We know that probably everybody on this webinar – because if you’ve already done the 5 things, you’re probably not on this webinar. And if you’re a real small organization, you don’t need the NIST-CSF. We know you need the 5 things. Let’s just skip it.
Now, those of you that have to answer to a board of directors or you have managing partners or you have other stakeholders that are part of the decision-making process, or you’ve got 300 accountants in your company, the NIST Assessment is a very worthwhile investment. It stands on its own, and it’s compliant with NIST. That’s a gold standard around the world for doing your cybersecurity right. But it takes a minimum of 5 hours on our side; it’s going to be a couple of hours of your time.
So if you’re a smaller organization and you’re the only decision-maker, chances are – we’ve done this hundreds and hundreds of times. We know what the vast majority of you need. We’re going to ask some questions and look at your risk profile at a very high level. So if you just get that meeting, in about 10 minutes, Davin’s going to be able to tell you which is the best way to go. You’ll get an idea of what the costs are going to be, and then it’s just a matter of pulling the trigger on it and we roll it out.
Anyway, I’m going to come back to this slide if you haven’t written it down yet, but I need to share my screen.
DAVIN: I can make that happen for you.
TOM: I bet you can.
[00:53:03]
Surprise – Threat Map
We’ve got a surprise here. I’ve got to make sure I do this right. There’s my Zoom box, and there is – now what are you looking at right here? Everybody see that okay? Can you see that okay?
KINDSEY: Yeah, I’m looking at the map.
TOM: I can’t get my – you’ll just have to look at the bottom stuff there. This is a new SOC control panel, a security operations center control panel, that is graphically showing real-time attacks on our data center in Nevada. Let me optimize it for video to make sure you see it here. Can y’all see the animations there?
DAVIN: Yeah, they’re in real-time.
TOM: What’s happening here is we’ve got literally – this is real-time production servers. All of these are exchange servers. Most of them are. Like I said, we’re doing a trial of this; we don’t have anything else around the country that we’re monitoring at the moment. But these are real-time attacks. One’s coming from China, one’s coming from Russia, and another one looks like it’s coming from around Luxembourg or Denmark, somewhere up in that area there, Copenhagen, something like that. These are real-time attacks on these servers. And we’ve only got like 15, maybe 25 servers in this particular data center. Look at that. We’re talking 100 a minute, basically.
This is happening to your network as well. We’re going to light this up and start monitoring clients’ sites with this. United States, Alaska, North America – we’re going to see these lines going all over North America, from Russia and India and Iran and all of this as time goes forward. But we are literally under attack thousands of times a day. We are, as a company. You are likely under attack hundreds of times a day, and you don’t even know it.
Within seconds of lighting up a remote desktop where you can remote in from your home, within seconds of enabling that technology – literally within seconds – somebody around the world knows it and they’re trying to hack into it. That’s why MFA is so important on remote desktop, because username and password by itself is simply not good enough.
Anyway, I thought you guys would get a kick out of that. If you do a later webinar, I’m going to throw these in as some surprises later on. It’s going to be interesting to see how all of a sudden we start seeing attacks from Africa and South America. The one that’s happening in Western Europe right now is probably through a virtual private network connection. It would be very risky for a hacker to be living in a Western democracy and carry out attacks like these. So it’s probably somebody from Russia that’s remoting in to a server in Western Europe and then conducting the attack. That’s one of the ways they hide their footprints. That’s also how you get around the Netflix deal; if you travel to Europe and you can’t watch Netflix, you just use a virtual private network and it looks like you’re coming from the United States.
But I thought you guys would get a kick out of that. Most people don’t get to see the behind-the-scenes stuff like that.
Let me re-share out the contact screen so you can get that in case you didn’t get it. There it is. That first one is to schedule an appointment with Davin. You can certainly drop him an email, give him a buzz, ask any questions. We’re there for you. That’s the bottom line. It’s our job, we love it, and mine and Davin’s role today was to hopefully expand your knowledge and understand that you’ve got to take it seriously.
Oh, and plug my book. [laughs]
DAVIN: Yeah, there’s a little picture down there. [laughs]
TOM: Yeah. My book should be out in about a month. If you want to get on the notification list so you can buy a copy of the book – we’re probably going to send all the details out – but if you want to get on the list for the book, just drop us an email or tell Davin when you talk to him or whatever, and we’ll put you on the book notification list.
DAVIN: I know we’re coming close to the end, but if there’s any questions, please feel free to drop your question in the Q&A or comment box, and we’ll of course answer those for you. I know Kindsey has dropped a few links in the comment box as well. The meeting.irontechsecurity.com is in the comment box as well, so you can click on that and schedule a meeting as soon as possible.
TOM: Yeah. We had two affirmatives on the – I assume those were ransomware attacks. So you’re looking at around 10%. You may be interested to know that that is very typical. Sometimes it’s as high as 25% of the people on one of our webinars that have suffered a ransomware attack or know someone personally that has had a ransomware attack.
We all know this stuff is serious. I’m not telling you guys something you don’t know. Everyone knows this is a problem. What we hope to do today is take the next step. Let’s protect your organization so you can sleep better at night and quit hoping that it doesn’t happen to you. You can take action and stop this stuff.
We have never had a client have a successful attack. And the vast majority of them have just the 5 things. Actually, 4 of them. Some people don’t need MFA, or they’re using the free stuff. They don’t even have to go through us for that. But we’ve never had one, and I hope I can say that for years to come.
DAVIN: Knock on wood.
TOM: I don’t think it’s realistic, but it’s a fact. It does stop ransomware. And another thing about these internet security suites – if you get off of this webinar and you just coincidentally get an email from Norton, which is really bad now. Really, really bad. Or McAfee or whoever, whatever you’re using for your internet security suite – we’re seeing these shrink-wrapped software companies claim that they now have EDR. Woefully inadequate. It’s not a true EDR, and it’s not backed by a skilled security team. They are not what we call best of breed. A skilled security team is going to put the best technical controls in for your organization, and it’s nothing that you can buy off the shelf. Like I said earlier, it’s no longer do-it-yourself, and it’s not that expensive. If it’s only 5 or 10 minutes in a phone call to find out, then that’s a good investment of your time.
DAVIN: Yeah, it’s worth your time for sure.
[01:00:40]
Q&A
KINDSEY: We did have someone ask if there would be slides available after the webinar. I’m going to send out a copy of the recording this afternoon, so you can expect that in your inbox.
DAVIN: Perfect.
TOM: No questions? We answered everything, Davin. Good job.
DAVIN: We did our job. What in the world?
TOM: That’s right. I’m sitting here looking at the threat map still. We’ve done these things over the years, and if you guys have ever seen us at a tradeshow or a conference, we have a big screen set up. We’ve got a bunch of different tools like this that show real-time threats. We’ve got one that we use that shows – it’s not our stuff. It’s the whole planet threats. Boy, those lines go crazy on those. It’s almost – well, it is overwhelming. And they’re only certain types of attacks. You wouldn’t be able to see the map if everything was tracked.
I don’t know exactly what the ones that you saw are, but they’re probably trying to exploit known vulnerabilities in Windows server operating systems and they’re doing port scanning, which is – I’m getting into the weeds now, nerd talk. [laughs] But yeah, it’s real. So make that first step.
All right, I don’t see any questions. We’re two minutes over. Thanks again for joining us today. We certainly hope you learned something.
DAVIN: We’ll try to talk to you again in our next webinar. Of course, keep up with us, and we’ll talk to you again soon.
[End of recording]