Partnering with an Active Insurance Broker

In today’s episode of Risky Business, Paul Martin and Colin Rooke are joined in studio by Ryan Warner to discuss fraudulent benefits plan claims in the workplace.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business, commercial insurance with Butler Byers. Paul Martin here, the business commentator on CKOM. And joining me in studio as always, Colin Rooke, Saskatchewan’s expert on all matters related to commercial insurance, but the risk reduction manager at Butler Byers commercial insurance as well. And Colin, the last, I guess few shows we’ve been talking about this whole notion of well, security, of fraud, whether it’s cyber or whatever. It’s been coming up a lot and there are just a whole lot of new tricks that the fraudsters are using. And maybe we could just kind of walk through some of the more current things that we’re seeing, the new stuff that people should be alerted to. And this is employers and employees. What should we be watching for? What are you guys hearing about? What’s the insurance industry watching? What are they on alert for?

Colin Rooke:

Yeah, so the biggest new thing, and it’s not new, but it’s certainly happening a lot more often. So it’s been around for a while, but business owners, the general public, it wouldn’t be front and center. And now it certainly is, is credential stuffing, credential loading. There’s a bunch of different terms, but essentially it’s a trick to get you to give your username and password and then it relies on the fact that people are inherently lazy. In the world today we’ve got hundreds and hundreds of passwords it seems, login information. And so it says, “Okay, well I bet if they use this username and password on this site, there are other sites they’ve used the same username and password.”

And you might say, “Ah hah, I’ve got two or three.” Well yeah, so they’ll create multiple sites and they’re hoping that you’ll go through the rotation. And then what they do is they take that username and password and run it across thousands of known popular sites and see if they get any hits, any login. And statistically you do this, anyone listening, statistically we’re all guilty of this. And so therefore now, they take something really low value, like a children’s app. You think, “I’m just going to quickly make a username so my kid can do this puzzle.” Well it’s not really a puzzle, it’s a scam. There is a puzzle at the end, your kid can actually use the app, but the whole purpose was to get your username and password.

And then again, they run it across all these known sites. And then lo and behold, you now have identity theft, you’ve got credit card theft, et cetera, et cetera. So, it’s growing rapidly. It’s happening all the time.

Paul Martin:

So it’s called credential stuffing or I think you had another one, credential-

Colin Rooke:

Loading-

Paul Martin:

Loading yeah.

Colin Rooke:

… loading, stuffing. Yeah. But basically they-

Paul Martin:

But it’s posing as they’re trying to get you to sort of give up your stuff. And I guess in a way that’s not too far off what happened to the city of Saskatoon? Someone posed to somebody and …

Colin Rooke:

Yeah, so I mean it’s all in the-

Paul Martin:

It’s a variant.

Colin Rooke:

Yeah, it’s all in the realm of social engineering. So, the easiest way to trick someone is to trick the other person into believing that they’re dealing with that person. And so, rather than send … The old way is you send a weird email that’s not worded quite right with a zip file as an attachment. And I think most people are cautious about opening zip files where it’s not quite the way the email should be worded. And so you’d delete all those. But again, social engineering means your system gets breached and they monitor it. They might monitor it for months. They’re learning your patterns. If they’re going to trick you, they need to act like you. So the case of this city, I’ll say allegedly, but if you look at it, okay there’s the City of Saskatoon and the contractor they’re dealing with. If this was in fact social engineering, the contractor, the email there would be mimicked by the fraudster, the hacker, the cyber criminal to the point where the City of Saskatoon would not be able to recognize the difference.

And in fact, there was probably test conversations back and forth between the hacker, the cyber criminal that the city wasn’t aware of, because if they’re going to get to the point where they’re going to ask for a fund transfer, they’ve got to make sure it works. So it’s kind of low value conversation and they realize, yeah, you’re going back and forth as normal and then they say, “Okay, so we’re doing an adequate job of convincing the other person that we are the person we’re mimicking at this point.” And then they get into the, “Hey, about that progress payment. We’d like you to deposit it to this account on such and such day.” You’ve been back and forth and they’ve done a great job of deception.

Paul Martin:

Just to reiterate, I think we talked about this in a previous program, but I just want to sort of comment on it in light of the City of Saskatoon. I mean, they stepped out very quickly and sort of fessed up and said, “Hey, you guys, everybody else be careful about this and be aware.” Because I think you said in the same relative, same period of time, there were literally dozens of communities across North America that were in the same boat.

Colin Rooke:

Yeah. I just wanted to stress that the City of Saskatoon, it’s not out of the ordinary, they’re not an anomaly. We don’t have the worst cybersecurity city in Canada, nothing like that. So, in the state of Texas alone, that same week, there was 23 cities and towns that all had breaches. And then at the same, again same week, the state of Louisiana declared a state of emergency due to ransomware. Rampant ransomware that they could not control.

So, the City of Saskatoon is not an anomaly and we talk about this all the time. On every breach there’s human error involved, and that’s what I guess needs to be understood that it’s not an IT issue. It’s a human issue. It’s a, we all want to be helpful. We all want to get our job done at work and we’re asked to do something by either our superior or someone where we regularly … We have regular transactions with, we’re going to do it. Especially if that’s our role. And so, maybe we’re not monitoring as effectively as we could, but it doesn’t mean again, we’re not being thorough, we’re not being careful, but it just shows how good the cyber criminals are getting.

Paul Martin:

All right. So we’ve talked about those, we’ve kind of covered them in a couple of shows now. What other new things are popping up in that fraud realm? Because it seems these guys are pretty fresh. I mean, we’re a long ways from the Nigerian letter, aren’t we? I mean they’re always, they reinvent themselves faster than just about anybody.

Colin Rooke:

Yeah. So I mean again, on this whole vein of talking about fraud, we thought we’d bring Ryan Warner back, our benefits expert and talk about, on the benefits space, what’s going on there. And so he’s going to join us and talk about, again, benefits fraud and it’s growing rapidly in Canada. And there’s lots of different ways that you as a business owner can be taken advantage of, again by fraudsters or fraudulent claims. So we’re going to bring Ryan Warner on and he’s going to get into more detail and we’re going to move away from cyber a little bit. And again, talk about, okay. I mean, it’s happening everywhere, including on your benefits plan.

Paul Martin:

Yeah. And that’s an area you wouldn’t think would be particularly susceptible. But these fraudsters, these criminals are very, very creative. They’re adept at figuring things out and creating scams that look well. You just, we really have to be on the lookout for them all the time.

Colin Rooke:

I mean, it’s big business. Cyber crime alone is 3 trillion a year. So, I mean there’s an incentive to get into that line of work.

Paul Martin:

Yeah, I was just rapidly going through my head. How does that compare to the size of the Canadian economy or the Saskatoon economy? That’s monstrous. It’s just enormous.

Colin Rooke:

Yeah, exactly. Yeah.

Paul Martin:

All right, well we’ll take a little break and we’ll get Ryan in here and we’re going to talk about this whole new area to be concerned about, called benefits fraud. You’ve been listening to Colin Rooke. He’ll come back before the end of the program and we’re going to take a little break. We’ll be back right after this.

Welcome back to Risky Business, commercial insurance with Butler Byers. Paul Martin here, and as we promised before the break, we brought in Ryan Warner, who is a benefits expert and does a lot of work with Butler Byers on this front. And normally we’re here, Ryan talking about how you construct a benefits program, why you do it. Today we’re going to talk about something fundamentally different, which is how people are actually abusing them and they become con artists. So figured out how to defraud a benefits plan. Walk me through how they pulled this trick off.

Ryan Warner:

Yeah, it’s not as complicated as you might think. I think unfortunately at the employee level, some people think they can get away with it and also maybe don’t realize the impact it has on their employer. They generally think that these types of fraudulent activity are likely to go unnoticed and are likely directed at the insurance company alone. But the nature of the beast is if you submit a fraudulent claim, it’s one, fraud and two, it’s going to have an impact on that claims experience that shows up at that next renewal. And it’s not the insurance company that’s on the hook for that claim. It’s ultimately your employer.

Paul Martin:

So there’s a couple of levels of malfeasance here, if I can use that word. You’ve got the one where the employee, who is actually a legitimate member of the benefits plan abusing the plan, but then they do it in kind of concert with the fraud artist who has set up the front that makes this possible. Can you give me an example so that we can understand sort of how this might actually be perpetrated?

Ryan Warner:

Yes. Scary reality is there’s some folks out there that have found some pretty creative ways of making themselves look about as legit as you might think they could be. Something like a false storefront, a massage, an RMT, a legitimate number that isn’t actually a business. It’s just that, a storefront with no actual business inside of it and their pure purpose is to print receipts and sell those receipts to an employee to submit through their benefit plan.

Paul Martin:

So you go in a door and the way you go from there? What do I encounter if I’m the employee who’s trying to build the system?

Ryan Warner:

Yeah. I think this is obviously it’s a pretty extreme example. This isn’t something you’re going to find everywhere, but it’s happened. It’s out there and that’s just it. If you’d walk in and for all intents and purposes it looks like you’re dealing with a proper, legitimate business and you are then offered to buy a receipt and you give a $20 bill for a fake receipt and then you submit that receipt to your insurance company for maybe it’s $90 or something like that. So you’re giving 20 in order to get 70 in return. These types of things have happened unfortunately.

Paul Martin:

Is this something you’re seeing, is this right across Canada? Is it more prevalent in the big city than the small? I mean …

Ryan Warner:

Yeah, honestly it’s obvious that it’s going to be more prevalent in the big centers, certainly in Ontario, that’s been something that the insurance companies are regularly investigating. All the insurance companies have what they call their blacklist, which are providers, service providers that they have found to have been engaging in fraudulent activity and they actually won’t accept receipts from those particular providers anymore. So it’s something that I would say all insurance companies are engaging with some just to a much deeper degree than others.

Paul Martin:

So I assume that police get involved in this and the legal system. I mean, how are they able to actually deal with this? Because theoretically I walk in and there’s a receptionist there. I give the receptionist 20 bucks. I get a piece of paper back, receptionist really hasn’t done all that much wrong other than maybe mismatched the numbers or something. The fraud occurs when I as the employee submit it, right?

Ryan Warner:

That’s right. I mean, there’s definitely-

Paul Martin:

So the store front’s hard to get rid of?

Ryan Warner:

I would say it is. It’s hard, because the insurance companies have to find out, acknowledge and then blacklist them. For an employee you are absolutely, you’re engaging in a fraudulent act by taking that receipt in and profiting from it. That’s not what the idea is of insurance. It’s there for a service and not to help you make more money.

Paul Martin:

But I assume as you pointed out, that a lot of employees think that they’re maybe getting away with something from the insurance company, but ultimately this all comes home to roost with their own company, with their own employer.

Colin Rooke:

Yeah, that’s just it. I think employees inherently mean well and maybe think they’re getting away with a very small action and it’s not something that’s a huge ordeal, but fraud is still fraud and whether it’s $50 or $5 million, you’re still committing an inappropriate act.

So, if a service provider ever offers to give you a higher amount on a receipt than what you’re paying for and there’s some kind of benefit to you as an individual to benefit financially, that’s likely not appropriate. And as a result, could be fraud if you submit that receipt.

Paul Martin:

And how does this hurt the employer if we can do that? So the employee, we’ve got that relationship, it’s illegal. And so you’re putting yourself at risk of a criminal record or whatever. What’s it mean to the employer in all of this?

Ryan Warner:

Well, when you look at a plan and at the end of the year, there’s no real magic to how premium is determined. It’s simply a factor of how much are employees claiming throughout a period, usually a calendar year or a plan year. And that premium directly reflects that number. So if claims go up, the premium goes up at that renewal time. It’s pretty rare that they don’t directly tie to each other. So that’s the nature of the beast. If a lot of fraudulent claims get submitted to a plan, that increases claims, which will have an impact on that premium.

Paul Martin:

So an employer has a stake in this too. You can’t blindly go along to sort of not paying attention to it. But I mean, obviously this is becoming a bigger issue. Somebody cottoned onto it, somebody caught on. So the only idea how that happen, I mean who was being vigilant to catch this in the process?

Ryan Warner:

Well, as I said, some of the insurance companies in Canada in particular have taken a very active role in this issue. And they will be regularly auditing receipts. So they’ll randomly ask you to submit a picture of a receipt and they might randomly call that service provider and do a little bit of homework. In some cases where they suspect there’s fraudulent activities going on they will pose as a potential client to these service providers and physically go in.

They have investigative teams that are out there to protect their reputation as much as protecting the plan. So it’s happening out there. And I would say, like I said, “Some insurance companies are playing a bigger role than others.” So I think as an employer it’s important to understand which insurance company you’re with.

Paul Martin:

One of the audiences that we talked to on this program here is business owners and those who manage businesses and to say, “These are things you need to understand in order to reduce the risk that you face within your business.” So what advice do you give to employers and business owners? And when you’re having this conversation, they come to you and they say, “Man, I just got kind of caught in this thing. And I had no idea what’s going on.” I mean, what advice do you give them? What should I as an employer be looking out for and what questions should I be asking when I’m talking to my insurance broker?

Colin Rooke:

Well that’s the first piece is aligning with the appropriate broker or consultant that is playing an active role in reviewing your data. They should be looking at least quarterly to get a sense of what’s going on inside that plan. And that gives them an opportunity to catch red flags. If there’s heightened claims at any particular period in the year it might come to the surface and at least spark some attention.

So working with a broker that’s going to provide that service is really important. And then again, aligning yourself with an insurance company that is playing the active role, not just providing a service and being paper pushers. We want them to be able to dig in, because they’re the ones really on the front line. They’re going to see it first and they’ll be the ones that are able to blacklist providers.

Paul Martin:

Well as always, I learned things on this program. I got to tell you, thank you very much for this. And to say, I probably would have had more of a crash course in issues of cybersecurity fraud and all that business in the last few months. It’s simply because it’s becoming more and more prevalent. It’s something employers need to be keeping their eye out for. So Ryan, thank you for joining us and Colin again, as always, thank you for stopping in and we’ve run through our time. I’m always amazed at how quickly it goes. So again, gentlemen, thank you very much and thanks to you for listening to us. You’ve been listening to Risky Business, commercial insurance with Butler Byers. We’ll see you again next time.

Cyber Crime Close to Home

In today’s episode of Risky Business, Paul Martin and Colin Rooke are joined in studio by Dan Gold from Martin Charlton Communications, and put the spotlight on the City of Saskatoon’s latest cyber crime incident.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Well, one thing that didn’t get discussed either is that we talked about the million dollars or just over a million dollars that was directly involved in this transfer. But, I mean, think about how much time, money, and effort is being spent by the civic administration right now working on this thing.

Colin Rooke:

Yeah, to get it back.

Paul Martin:

There’s going to be a lot of people, there’s a lot of salaries, a lot of hourly rate that’s going into this. And that’s not calculated into it. And for the average business owner, I assume, well, you’d have to factor that in if you were in that seat.

Colin Rooke:

Yeah, exactly. I mean, we talk all the time about total cost of risk. And so you say, “Well, okay, the city, I guess, they’re out a million bucks.” Not even close. As you mentioned, it’s the salaries, it’s the time, it’s the effort. It’s the investigation. At the end of the day, even if they, let’s say they recoup most of the million dollars, they might be out another million just working on getting it back.

Paul Martin:

And you can’t get insurance for that part of it.

Colin Rooke:

Yeah. There’s no coverage for all the time and effort of recouping that.

Paul Martin:

Now you made the comment that the city of Saskatoon obviously has coverage on this.

Colin Rooke:

Sounds like they do, yes.

Paul Martin:

Yeah, it sounds like it. Would that be kind of the norm or would that be the exception that they would have this kind of a policy and be this well prepared?

Colin Rooke:

Yeah. Like without knowing, because, I mean, there is a chance that this could have fallen under a crime policy just a standard crime policy, not cyber crimes. Without knowing the details, no, I would say it’s not the norm for cities and towns to carry cyber crime insurance. And, again, it’s an industry problem where it takes a lot of effort to convince a business owner or city or town that this is going to happen or, quite frankly, already has. And then another area where, quite frankly, the discussion needs to be had is, okay, so if Colin is right and it’s a matter of when it happens to me or the fact that it’s probably already happened to you, you just don’t know about it, and now it’s public. What do I do about it?

Paul Martin:

Right. Yeah.

Colin Rooke:

Who do I talk to? Who handles this for me? Because we’re talking at the end of the day, trust. I mean, if the city of Saskatoon did not handle this well, they’re going to lose a ton of trust. And that’s very important to the city of Saskatoon.

Paul Martin:

And to anyone who wants to come here to do business or already is here. And obviously we need trust in our political institutions period or you kind of get to anarchy, don’t you?

Colin Rooke:

Yes. Yep. Yeah, exactly.

Paul Martin:

And from a corporate perspective, I mean, I was jokingly saying, I guess it’s more tongue in cheek as a joke, that the worst case scenario for the CEO is to arrive at work this morning and the news cruiser and the police sirens are going off as you pull up because your business has now been the center of some kind of major event. That’s what we’re going to talk about after the break. We’re going to take a little break Colin, so just sit with us. And those who are listening, you’ve got Colin Rooke on the line here with Risky Business. We’re talking cyber crime, cyber insurance, and cyber protection. Back after this.

Welcome back to Risky Business Commercial Insurance with Butler Byers. Paul Martin here, and joining me, Colin Rooke, the commercial risk reduction specialist with Butler Byers. And also he’s brought along another guest that will join us in just a second. Dan Gold with Martin Charlton Communications to talk about the public relations aspect of this. And before the break you were talking about reputational damage that comes from this kind of stuff. And why would you bring somebody like Dan along to talk about that?

Colin Rooke:

Yeah. And, again, when you’re dealing with a public incident, you are dealing in trust. You are dealing in reputation. And, again, if in the essence of mitigating further damage or further loss, you wanted to say, “Okay, well, have I done everything I need to do proactively to get myself through this?” And let’s say you’ve had a conversation about how you’d handle a data breach internally, but you haven’t had a discussion about how would you handle that publicly. Again, you may not win the sort of the trust reputation battle, and it’s something that you need to think about. Do I have a PR strategy in place for my company? What would I do? Who would I talk to? What’s involved? Who would do what? And what a lot of business owners won’t realize or maybe it’s just not discussed enough in our industry, but there may be coverage available as part of that. For example, if there’s a cyber breach coverage available for PR. And so, again, if you know that you have the coverage available, but then you wait until you have the big breach to then look into it, by the time you, let’s say choose a firm, work out a plan and get them on the street for you, maybe days have gone by. And it’s my understanding of the industry that the minutes matter, not even the hours.

If you’re giving cyber some thought and, let’s say we’re not acting naive and saying it won’t happen to me, you need to give your PR strategy some thought. So Dan Gold’s going to join us and he’s going to talk about, okay, what should business owners do? How do I engage with a PR firm? What conversations need to be had? Is it difficult to do? What’s involved? And educate the audience for us.

Paul Martin:

Okay. That’s no problem. And Dan Gold is the Saskatoon office head for Martin Charlton Communications, also their Director of Digital Strategy. And I guess I have to kind of be a little honest about this because I am a Martin in Martin Charlton so we should probably talk about that. But, Dan, welcome to the program. This is like the first time you had been on commercial radio since your days back in the U.K. And for those around here, Dan kind of came to Saskatchewan via the Baumgartner story. The guy who jumped out of outer space and did the parachute landing in Saskatchewan.

Dan Gold:

Yeah, that’s-

Paul Martin:

You came. You were kind of in the British media at the time and then doing communications and PR there. And then followed them over here and became part of the Saskatchewan wave of immigrants that came over the last 10 years. So welcome to the program. And you heard Colin set this up. I mean, what conversations do you like to have with business owners about why do you even need to talk to a PR firm and it’s too late to put the genie back in the bottle after the incident’s happened?

Dan Gold:

Well, generally one of the first things we like to do is talk to people and educate them ahead of anything happening to say, “Preparation is everything.” What are the things that keep you up at night? What are those things that could be worst case scenario? And have you thought about how you’re going to deal with it? Not just whether you have an existing emergency plan, but how are you going to communicate around that? And when we talk about public relations, it’s not necessarily just the public, but what about all the other stakeholders? What about members of staff if there’s an incident? What about their families, regulators, authorities, suppliers, customers, et cetera, potential customers? What’s going to be the future for the organization if there’s damage, significant damage that happens to it? Reputationally. Trust. You could extend it on even further than that with someone’s lives, liability. If there’s been impropriety. There’s all sorts of different things that I like to speak to people and find out what are the things that keep them up at night. And if they haven’t thought about what keeps them up at night, go make a list. What would make the firm exist after something goes wrong?

Paul Martin:

And what could go wrong that would be life threatening to the firm? Probably is a legitimate question, too. And you speak a lot to businesses in particular, and I guess some public sector people, as well, but mostly businesses, about crisis communications and crisis management. And when you talk to them about that, it kind of implies that here’s what you do after you’ve had the incident. But your argument is, no, it starts way before the incident. Yeah?

Dan Gold:

Mm-hmm (affirmative). Yeah. Absolutely. If you’re not dealing with what we call issues management, then you’re already playing catch up. The worst thing in the world would be for not only the CEO to turn up and the news crews already there, but you imagine if there’s clients or family members that find out that something’s happened from the media or on social media. Suddenly something’s breaking and trending across Twitter and the leadership of the organization knows nothing about it.

Being prepared is, in my mind, absolutely key. And there are numerous steps and different techniques that we can put in place, which are simple and scalable, from the smallest organization up to the largest corporations in the world. And, in some cases, there are lessons that we can learn from the big guys when something does go wrong and see how that can scale down to a single person operation.

Paul Martin:

I guess it starts by just trying to decide what it is we’re going to do, how we’re going to handle it. So if we’re faced with an incident, who’s going to speak? The fact that we are going to speak because if you don’t speak, if you try and sweep it away or pretend it didn’t happen, you’re pretty much signing the warrant right there, aren’t you?

Dan Gold:

Yeah. No comment is not an option because people immediately question what else is happening. If you’re not talking about this, is it a bigger issue than we think it is? And suddenly all the thoughts grow in this crowd, in this kind of hive mentality of there’s conspiracies that suddenly come into it, which you’re not in control of. You need to maintain communication. If you don’t know something at that time, then say, “We’re investigating it. We can’t speak at this time because we are finding out the facts. Or an investigation is taking place.” Whatever the reason is, we were speaking earlier on, I was listening in to the first part, and you can’t wait days. You cannot wait days. The truth is a crisis breaks. If it gets on social media, generally, there used to be a thing called the golden hour, getting a response out within an hour. In this digital world, in this connected world, we’re talking within seven minutes, you need awareness. So using tools and having a good community where you communicate with each other is essential. Not just from the point of view of going out and selling something, but protecting the organization to make sure in future times there is an organization.

Paul Martin:

All right, we only have a few seconds here, Dan, but you’re involved with IABC, which is the business communicators international organization. You’re involved with it at a global level right here from Saskatoon. Now if I’m a business owner how do I interact with you? I mean, what do we need to do? What conversation do you need to have with a business owner to get this started?

Dan Gold:

Well, I think the first thing they do is just get in touch with me, and I will be available to listen to what the shape is of your organization and understand the risks that you see. And then from an external perspective what we see as well. From there we can look at what the options are from not only planning for crisis communications and issues management, but also media training. Because lots of people when they’re thrust in front of the media clam up or they don’t know what to say or they don’t know how to say it. They don’t know what their message is. So you can always get in touch with me via the Martin Charlton website, martincharlton.ca, and I will be more than willing to sit down with you to go through that.

Paul Martin:

Dan, thanks very much. You’ve been listening to Dan Gold with Martin Charlton Communications and Colin Rooke, the commercial risk reduction specialist with Butler Byers. And, again, the news has brought us back to the topic of incidents and cybersecurity. And I know we probably can’t wear this topic out. It just seems to have a life of its own. I’m Paul Martin. Thanks for joining us and we’ll talk to you next time.

Safeguard Your Business From a Cyber Breach

In today’s episode of Risky Business Paul Martin and Colin Rooke talk about ways to safeguard your business from a cyber breach.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business, commercial insurance with Butler Byers. Paul Martin here, the business commentator on CKOM. And joining me in studio as always, Colin Rooke, Saskatchewan’s expert on all matters related to commercial insurance, but the risk reduction manager at Butler Byers commercial insurance as well. And Colin, the last, I guess few shows we’ve been talking about this whole notion of well, security, of fraud, whether it’s cyber or whatever. It’s been coming up a lot and there are just a whole lot of new tricks that the fraudsters are using. And maybe we could just kind of walk through some of the more current things that we’re seeing, the new stuff that people should be alerted to. And this is employers and employees. What should we be watching for? What are you guys hearing about? What’s the insurance industry watching? What are they on alert for?

Colin Rooke:

Yeah, so the biggest new thing, and it’s not new, but it’s certainly happening a lot more often. So it’s been around for a while, but business owners, the general public, it wouldn’t be front and center. And now it certainly is, is credential stuffing, credential loading. There’s a bunch of different terms, but essentially it’s a trick to get you to give your username and password and then it relies on the fact that people are inherently lazy. In the world today we’ve got hundreds and hundreds of passwords it seems, login information. And so it says, “Okay, well I bet if they use this username and password on this site, there are other sites they’ve used the same username and password.”

And you might say, “Ah hah, I’ve got two or three.” Well yeah, so they’ll create multiple sites and they’re hoping that you’ll go through the rotation. And then what they do is they take that username and password and run it across thousands of known popular sites and see if they get any hits, any login. And statistically you do this, anyone listening, statistically we’re all guilty of this. And so therefore now, they take something really low value, like a children’s app. You think, “I’m just going to quickly make a username so my kid can do this puzzle.” Well it’s not really a puzzle, it’s a scam. There is a puzzle at the end, your kid can actually use the app, but the whole purpose was to get your username and password.

And then again, they run it across all these known sites. And then lo and behold, you now have identity theft, you’ve got credit card theft, et cetera, et cetera. So, it’s growing rapidly. It’s happening all the time.

Paul Martin:

So it’s called credential stuffing or I think you had another one, credential-

Colin Rooke:

Loading-

How you handle an event like this is really going to dictate whether you’re in business in the following months, especially when it comes down to personal information, I mean there’s a big level of trust.

Colin Rooke:

And so, and then suddenly you learn that’s all lost. That could be anywhere. I mean, absolutely anywhere. And I have no idea when that information could come back to haunt me. And I mean, it could be right away, it could be 15 years from now. Are they going to create a false identity? Are they going to run up my credit card bills? You know, are they going to leak some very sensitive information, very personal information about let’s … I mean, if you’re … For example, if you’re the CEO of your firm, are there things about you that you don’t want the public to know about? So now, you’ve had a breach and you have to work on restoring trust, and I mean, it turns into a PR nightmare. And how you handle the … I mean, you mentioned that it’s the golden hour. You know, how you handle that first hour, and then all the hours after that are really going to dictate where you come out on the other end of this thing.

Paul Martin:

Loading yeah.

Colin Rooke:

… loading, stuffing. Yeah. But basically they-

You have to think regardless of the industry you’re in, how would you handle the breach?

Paul Martin:

But it’s posing as they’re trying to get you to sort of give up your stuff. And I guess in a way that’s not too far off what happened to the city of Saskatoon? Someone posed to somebody and …

Colin Rooke:

Yeah, so I mean it’s all in the-

Paul Martin:

It’s a variant.

Colin Rooke:

Yeah, it’s all in the realm of social engineering. So, the easiest way to trick someone is to trick the other person into believing that they’re dealing with that person. And so, rather than send … The old way is you send a weird email that’s not worded quite right with a zip file as an attachment. And I think most people are cautious about opening zip files where it’s not quite the way the email should be worded. And so you’d delete all those. But again, social engineering means your system gets breached and they monitor it. They might monitor it for months. They’re learning your patterns. If they’re going to trick you, they need to act like you. So the case of this city, I’ll say allegedly, but if you look at it, okay there’s the City of Saskatoon and the contractor they’re dealing with. If this was in fact social engineering, the contractor, the email there would be mimicked by the fraudster, the hacker, the cyber criminal to the point where the City of Saskatoon would not be able to recognize the difference.

And in fact, there was probably test conversations back and forth between the hacker, the cyber criminal that the city wasn’t aware of, because if they’re going to get to the point where they’re going to ask for a fund transfer, they’ve got to make sure it works. So it’s kind of low value conversation and they realize, yeah, you’re going back and forth as normal and then they say, “Okay, so we’re doing an adequate job of convincing the other person that we are the person we’re mimicking at this point.” And then they get into the, “Hey, about that progress payment. We’d like you to deposit it to this account on such and such day.” You’ve been back and forth and they’ve done a great job of deception.

Paul Martin:

Just to reiterate, I think we talked about this in a previous program, but I just want to sort of comment on it in light of the City of Saskatoon. I mean, they stepped out very quickly and sort of fessed up and said, “Hey, you guys, everybody else be careful about this and be aware.” Because I think you said in the same relative, same period of time, there were literally dozens of communities across North America that were in the same boat.

Colin Rooke:

Yeah. I just wanted to stress that the City of Saskatoon, it’s not out of the ordinary, they’re not an anomaly. We don’t have the worst cybersecurity city in Canada, nothing like that. So, in the state of Texas alone, that same week, there were 23 cities and towns that all had breaches. And then at the same, again same week, the state of Louisiana declared a state of emergency due to ransomware. Rampant ransomware that they could not control.

So, the City of Saskatoon is not an anomaly and we talk about this all the time. On every breach there’s human error involved, and that’s what I guess needs to be understood that it’s not an IT issue. It’s a human issue. It’s a, we all want to be helpful. We all want to get our job done at work and we’re asked to do something by either our superior or someone where we regularly … We have regular transactions with, we’re going to do it. Especially if that’s our role. And so, maybe we’re not monitoring as effectively as we could, but it doesn’t mean again, we’re not being thorough, we’re not being careful, but it just shows how good the cyber criminals are getting.

Paul Martin:

All right. So we’ve talked about those, we’ve kind of covered them in a couple of shows now. What other new things are popping up in that fraud realm? Because it seems these guys are pretty fresh. I mean, we’re a long ways from the Nigerian letter, aren’t we? I mean they’re always, they reinvent themselves faster than just about anybody.

Colin Rooke:

Yeah. So I mean again, on this whole vein of talking about fraud, we thought we’d bring Ryan Warner back, our benefits expert and talk about, on the benefits space, what’s going on there. And so he’s going to join us and talk about, again, benefits fraud and it’s growing rapidly in Canada. And there’s lots of different ways that you as a business owner can be taken advantage of, again by fraudsters or fraudulent claims. So we’re going to bring Ryan Warner on and he’s going to get into more detail and we’re going to move away from cyber a little bit. And again, talk about, okay. I mean, it’s happening everywhere, including on your benefits plan.

Paul Martin:

Yeah. And that’s an area you wouldn’t think would be particularly susceptible. But these fraudsters, these criminals are very, very creative. They’re adept at figuring things out and creating scams that look well. You just, we really have to be on the lookout for them all the time.

Colin Rooke:

I mean, it’s big business. Cyber crime alone is 3 trillion a year. So, I mean there’s an incentive to get into that line of work.

Paul Martin:

Yeah, I was just rapidly going through my head. How does that compare to the size of the Canadian economy or the Saskatoon economy? That’s monstrous. It’s just enormous.

Colin Rooke:

Yeah, exactly. Yeah.

Paul Martin:

So what do you recommend to people that … I’m a business owner, and I say, “Colin, I agree with everything you’ve said. Now what?” What are the steps that a business owner should be thinking about?

Colin Rooke:

So it’s funny because … so one of the solutions will also create another problem. So the one solution would be to create a strong password policy. So as an employer maybe you require every 30 days you have to change your password, which is tedious, and the more secure the password is required to be, the harder it is to come up with a new password. So you say every 30 days you have to have a password, and that’s great proactive risk management.

Here’s the problem. When you are required to change your password every 30 days and each password has to, again … you have certain criteria that has to be met, characters, capitals, numbers, you can’t reuse certain elements. People either write those down, or they’ll save it in a Word file that says “Work passwords.” And again, for those listening, statistically you do this.

And so, you have to educate and say, “You have to create better passwords,” but then you also can’t store them someplace that’s easy to get to. And then also, I mentioned that there’s services that will sort of be a lockbox for your password, or all your passwords. The problem there is the lockbox has a password. So you crack that code into the lockbox, and now you’ve opened the door to every other password you have in the world, so it’s not easy. But one … another, I guess what I’d say to a business owner is to use two-factor authentication, or a password with skill testing questions, or sometimes up to three or four. Again, tedious, yes, but secure as well. And again, obviously the subject of the second half of the show is do not use the same password for multiple accounts.

Paul Martin:

Simple, simple, simple. And we all do it.

Colin Rooke:

Yeah, exactly. Yeah, exactly.

Paul Martin:

Because it’s simple, simple, simple. It is easy to do, and we are creatures of habit, and so we’re just inclined to … we open up, probably we do this so frequently, they’re just sort of, it’s like rote, isn’t it? You just fire in user, password, bang.

Colin Rooke:

You know, and like I said, it makes sense. You know, let’s say you’re an avid online shopper, and there’s 15 sites that you like to go to. And again, you don’t want the headache of not knowing what your log in is. You say, well for … I might even have just a shopping password. I mean, that’s the password I use for shopping. Well, on your profile, it’s going to have all your information, where you live, and it’s going to have your credit card most likely attached to it, you know? So it creates a big problem. And I guess, and then what I’m saying is for the listeners that … often the subject is sort of directed more to the business owner. This is just directly for everybody, stop doing this. Find a better way.

Paul Martin:

Colin, great advice. Thank you for this. You’ve been listening to Colin Rooke, the commercial risk reduction specialist with Butler Byers, and as always, the hot topic, cybersecurity. It just keeps popping up. No matter how many times we do this show, it just keeps coming back and reminding us that it’s a critical, critical item. You’ve been listening to Risky Business. Thanks for joining us. We’ll talk to you next time.