Paul Martin and Colin Rooke discuss cyber threats as the biggest concern for executives globally, over natural disasters and business interruption.
Paul Martin:
Welcome to Risky Business, commercial insurance with Butler Byers. This is Paul Martin, your host and business commentator on CKOM. Joining me today, Colin Rooke, the commercial risk reduction specialist in all of Saskatchewan, maybe the Western world, and of course, he’s at Butler Byers too. Colin, before we dig into too many things, we’re getting a chance now, here we are starting into 2022, but we’re really getting a flavour for what was going on in 2021, what kind of impact. Clearly, a year of change, a year of disruption, a year of everything different from working from home to you name it. I’m just wondering, what are the big things that came out of 2021 as we enter 2022? What’s the big topics that the industry is now talking about in hindsight?
Colin Rooke:
Yeah. I really like this time of year because all the summaries come out, and being a risk management nerd, I like to read all the reports. What are the executives saying? So, this is like my Christmas when you get these summaries out, and I dive in right away. We’ve been doing this show for a while and, of course, I’ve always been interested in cyber, and we’ve, we’ve talked about it quite a bit. But when we first started, cyber was in like 58th, something like that, 58th, 59th place among executives globally, and I bring this up every year. It’s rising up. It’s rising up. It’s getting a little higher.
Well, now the number one business risk for 2021 was cyber and it’s beat out catastrophic losses. What’s very shocking to me is it also beat out business interruption insurance during a time of closures globally where business interruption has been the hot topic for anyone that’s purchased a policy while officially, executives globally are more concerned about the cyber threat worldwide than, again, natural disaster and business interruption. So, that’s big and it needs to be discussed.
Paul Martin:
You think, well, that’s something that happens in Toronto or New York or something, but no. It happens everywhere, and I think you in previous shows have said, if it hasn’t happened yet, it will happen to you. So, it’s kind of like COVID. You will get it. But we’ve had a couple of examples in Saskatchewan of some pretty significant cases. We are not immune. The attackers don’t care about geography. They just care about whether or not you’re vulnerable.
Colin Rooke:
Yeah. There’s no longer any rhyme or reason. The attacks are less targeted, they’re more sophisticated, and it seems to be that it doesn’t matter what your IT spend is. If they want in, they’re going to find a way, and they’re always looking for new ways in. Now, I’m not saying there’s nothing you can do. Being proactive, learning about cyber, educating yourself, and having proper policies and procedures in place to have any staff member question anything that they find suspicious, that’s your best defence. But it’s not something that you can say “I’ve made the investment. So, I don’t have to worry about it.” It’s just not true. You can’t spend your way out of this. You got to educate your way out of this. Another big risk that, like I said, cyber has beat out is supply chain issues. If you’ve been to the grocery store, if you’ve tried to buy a car or anything, it seems to be they’re out of it, they’re back ordered, and yet that was less of a concern globally than cyber.
Paul Martin:
We’ve had a couple of fairly high profile cases in the province, I guess, the latest one being the Christmas Day hack of the Saskatchewan government, their liquor board. So, it’s not like the government of Saskatchewan doesn’t have 50 bucks to put towards a program. We’ve got a lot of technology. But even them, even organizations of that stature and with the security, they were aware of it. They were on the file and they still got hit. It’s really intriguing to me just how pervasive this has become. In fact, it looks like the cyber attackers are on … They’re winning. Right? They’re gaining ground. The rest of us are playing defense, but not nearly as well as they’re playing offense.
Colin Rooke:
It’s true, and one of the best speakers I’ve ever had the privilege of listening to in person and then meeting after, his name was Pablos Holman, and he said, “When the new Apple iPhone comes out or any Apple device and they show the lineup of people in Paris, in London, and Downtown New York, when they show the lineup of people, every single person in that lineup is a hacker. The only reason to wait four days to get the new iPhone is so you could be the first to break it and use it for your own devices.” He said, “I was that guy.”
Yeah. You’re right. They would’ve had proper IT. They would’ve had great minds monitoring their system. But it doesn’t matter. It comes down to human error. It comes down to lack of education. Without knowing exactly how the breach occurred, I know that those on the other side of it, it all came down to something simple, some little mistake that, in hindsight, was completely avoidable. That person would’ve had a funny feeling. There was some mistake made and it’s that simple.
Paul Martin:
The irony is it’s not a traditional attack. Right? It’s not full on frontal assault. It’s really, they send you something that looks innocuous and you bite. That whole phishing concept of they toss you a line, there’s a lure, and you’re not paying attention or somebody in your team isn’t looking with some detail to say, “That doesn’t sound right,” then a click, and later you’re in trouble.
Colin Rooke:
Yeah. The more you read into this and you think about, well, how are these phishing attempts changing, so back to the pandemic, you have people that are not going out as much and there’s this heavy reliance on using the internet to do most of your purchasing. So, of course, the cyber criminals have taken advantage of that. So, one of the largest, or bigger emerging threat is in the insurance industry. So, you say, “Well, I’m going to really try and buy this online or not go into a brokerage. So, I’m going to source out … I want to insure my home online.” It was out of Ontario, but it was called, Hidden Ace Brokerage. Completely fraudulent. Not real. They took people for hundreds of thousands of dollars who thought they were buying insurance online. They weren’t. It was all fraudulent.
It was a great website, I remember seeing it, and it’s not something that you say in hindsight, “This was suspicious right from hello.” Nope. It was very well done. It just wasn’t real, and they’re preying on people that are, again, using the internet to get things done that they normally would. They’re busy. They’re not looking. Maybe they don’t do their own research. They don’t question why they’ve never heard of Hidden Ace before, you make a purchase, and there you go. One, you don’t have the insurance you thought you did. Two, your money’s gone. Then three, they have all your personal information, and statistically people reuse the same password hundreds and hundreds of times over. So, now they know your name, your username that you’ve probably used a thousand times over, your password, and now they’re into everything.
Paul Martin:
All because you thought you were just doing business legitimately online. This may be one of the intriguing byproducts of COVID, of people not wanting to go out, want to do more online. So, now there’s a whole new caveat for us. It’s the old buyer beware thing. Well, I want to dig into this a bit deeper, if you don’t mind, Colin. We got to take a little break first, though. So, keep that thought. We’ll come back to it right after this. You’re listening to Colin Rooke, commercial risk reduction specialist with Butler Byers. This is Risky Business. Back in a moment.
Welcome back to Risky Business, commercial insurance with Butler Byers. Paul Martin here, your host, and joining me, Colin Rooke, the commercial risk reduction specialist with Butler Byers and today, the bearer of, well, scary news, I guess. You’re really just saying all of that talk we’ve been giving you before over the last few years about buyer beware, look out for scams online, and that kind of stuff. You’re just amplifying it right now. Part of it is the kind of the way we got conditioned through COVID to less contact with people, rely more online, and you’re saying that could be actually something to be doubly careful about.
Colin Rooke:
Yeah. A common word throughout the pandemic is pivot. Right? So, that’s what cyber criminals have done. They’ve pivoted and they’ve gotten better, and they’re saying, “Okay, where’s the trend now?” Frankly, with more people, more users, call it, it’s right in their wheelhouse and it’s easy to trick. Back to that Hidden Ace insurance, when it was, I guess, widely known it was a scam, you have all these people crying out to the insurance regulators to say, “Well, you’re supposed to be monitoring this and, well, I don’t have insurance.” Well, no, they’re not. It wasn’t real. So, there’s no regulators stepping in saying, “We’re going to enforce policies that never existed.” 2021, they referred to 2021 as the cyber-demic, and I would agree. It’s run rampant, and 2022, they’re saying it’s just going to be a hangover from that. It’s not going to go away. It’s getting worse and it’s getting more sophisticated.
Another really good example of where people are being taken advantage of is supply chain disruptions. So, you go to look for a car. You can’t find one anywhere. So, you’re looking on various car sites and you go to a popular one like Autotrader or Kijiji and can’t find what you like. So, you dig deeper and again, you find another website that has exactly what you’re looking for, and the price seems fair and the delivery conditions seem fair and it’s in great shape and you bite. Again, you pay a deposit, car doesn’t show up, and again, they have all your information. There’s thousands of examples of everything from masks, personal protective … So many people are paying for fraudulent masks that never arrive only to get their information … Any scarce items.
You really have to say to yourself, “Have I heard of this company before?” Or if you look for reviews, you need to say, “How old are these reviews? Have they all been in the last three weeks?” Because if they have, they’re not real, or 90 days, call it. But people are scrambling to get things that were otherwise readily available. They think, well, thanks to e-commerce, I can buy something in Toronto and have it here. Why do I have to look into whether or not it’s valid? Well, it’s because it’s so easy to create a site that’s there to be fraudulent. Another big one, online gambling and sports betting, fantasy sports leagues. More people are doing that than ever and, of course, now there is what looks like completely legitimate gambling sites. They’ll give you tokens, you can spin the wheel, you can win. You’ll put a little money in and you’ll win. You take a little out, you put a little more, you’re testing the waters. Well, they wait until you say, “Hey, this is working well for me. Let’s put in a little more money, a little more, a little more.” Suddenly, gone. Again, it’s, well, I just wanted to play a game online. How is this possible? Well, when there’s a will, there’s a way, and they’re very aware of how many people are playing fantasy sports online and how many people are doing things like online gambling. So, they say, “Well, this is a great opportunity to get information.” It’s pretty scary.
Paul Martin:
I’m just thinking, it’s very easy to shop online, as you point out. But clearly, it’s very easy to scam online too. This is the other side of that coin that, yeah, it is easy, but it goes both ways to be easy if you’re trying to buy or you’re trying to take advantage of.
Colin Rooke:
Well, and you said coin. So, cryptocurrency, big problem. So, due to the rise of all the cryptocurrencies and people wanting to get a piece of the pie and having no idea how to do it, that is one of the fastest rising internet scams there are. Now, they’re not new, like five years ago, all kinds of bitcoin type scams. But now, with all these popular meme coins and limited availability, or at least ways to buy them, people are searching. You hear about like dogecoin shooting through the roofs, you say, “Well, I want to buy some.” Even if you buy cryptocurrency on a legitimate site, people don’t realize that that is digital money, meaning that it’s meant to be stored, and people don’t realize that if it’s just stored on the computer that it can be hacked and taken.
You’re supposed to treat that like cash. You put it on a USB and lock it in a safe. But people think because, well, it’s digital, I don’t have to take necessary precautions. So, again, they go to a new cryptocurrency swap site. They upload what they have to trade it for something else or make a purchase. Suddenly, the whole balance is gone because they’ve created a username and password. So, you said the word coin, and it’s a big problem with cryptocurrency and those that don’t understand how it works and what you’re getting.
Paul Martin:
Well, I can’t help but imagine, the image that comes to mind, and maybe this helps people who don’t really grasp this, to think this is the modern day version of the snake oil salesman running around the Wild West with a wagon full of elixirs, that it just sounds too good to be true, and guess what? It is. But I’m curious, Colin, if you can offer an observation as to, all right, you and I are talking about this. We’re enlightening our listeners. How’s the insurance industry responding to this? Obviously, they’re watching it too and saying, “What’s our role in this?”
Colin Rooke:
Yeah. That’s a good point, and what is the role of Butler Byers? It’s to help. It’s to share these resources. It’s to educate. So, a lot of what we talked about today may not necessarily apply to the business itself, but to all the staff. We talk about things like, well, presenteeism, productivity. Well, if you’ve just been taken advantage at home and you thought you had $10,000 worth of cryptocurrency, or maybe you legitimately did and now lost it, that’s going to affect you at home and at work. So, if we are training the individuals to look for things that aren’t normal, or articles or sites that just give you a weird feeling. If we’re training people on what to look for and giving the proper procedure, then we’re going to help not only the business, well, sorry, not just the individual, the business itself because they’re going to bring that to work.
Why does the insurance industry talk about this? Well, we need the individuals educated on cyber crime if the business has any hope of dodging attacks. So, the people need to know what it is, what they’re looking for at home so that when they go to work, they can do the same. I’ve said this hundreds of times probably, it’s not enough to just purchase a cyber liability policy. Our job is to coach and educate so you never use it, because when you’re going through a major breach, insurance will be one of the last things on your mind, even though the costs are significant or significant because of the mess that it creates. So, if we can avoid all of that pain, we’ve done our job.
Paul Martin:
Colin, as always, good advice, and our time has gone. Again, it goes by so quickly. But we’ll pick this up in future shows. So, if you’ve enjoyed this, we would encourage you to join us again next time and listen to Colin as he provides the latest insights on where the world is going and how you can protect yourself and buy insurance, if that’s a possibility for protecting yourself as well. You’ve been listening to Colin Rooke, commercial risk reduction specialist with Butler Byers. This is Risky Business. Thanks for joining us. Talk to you next time.