Cyber Risk Assessment


Paul Martin and Colin Rooke discuss the broader and detailed aspects of IT and endpoint security.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business, Commercial Insurance with Butler Buyers. This is Paul Martin, the host of this program, joining me, Colin Rooke, the commercial risk reduction specialist at Butler Buyers. And Colin is an expert in more fields of stuff than you just imagine. And Colin, I guess for the last few weeks, we’ve been talking on this program about cyber, and we’re not going to really depart it, but I realize now in our conversations that describing cybersecurity is really just too narrow. It’s really about IT.

It’s broader than just cyber and maybe you could help me understand that a little bit today. And I think from the business owner’s perspective, some of this stuff, if you’re not schooled in computer technology or technology in general, some of this stuff sounds a little like a foreign language or the classic “Wa waa waaa” thing from the cartoons, but how does the average business owner know when they’re in good hands or in good shape? I mean, how do we even test whether we’re vulnerable or not vulnerable, or that we’re the easy, low hanging fruit or we’re actually complicated and the attackers would not be so worried about us?

Colin Rooke:

Yeah, really good point. So today, we’re not going to talk about cyber crime, the type of risk, the sort of increased prevalence, but more the piggyback on our previous show talking about sort of the IT side of things, endpoints security. You’re right, it’s really hard to know, are you a target class? Are you a vulnerable risk? And then even further, it’s hard to predict like, okay, for my type of business, if I am subject to ransomware, what kind of amounts are we talking? Is it a hundred million? If so, I guess I would just lock the door and leave or anything in between. And it’s important that our clients or anyone that’s thinking about IT and cybersecurity have some kind of idea that, okay, where do you rank among all business in Canada?

Where do you rank among your peers and then individually, how are you doing? And then even further, what does that mean? If someone says from a cybersecurity perspective, “You’re quite poor.” Well, how do you define that? And on the client side as well, as someone that has helped a lot of people fill out sort of the legacy insurance application for cyber liability coverage, it’s almost impossible, unless you are deeply, deeply involved in your company’s IT, it is really difficult to fill out. We find often we’re sort of re-asking, are you sure you meant to say this? And all of those things impact whether or not you’re going to, one; get the coverage at all, two; the limits offered and, three; the rates you’re going to ultimately pay.

And so what we’ve done and our clients and prospects find this very useful, and to anyone listening to this show, we have the ability now to go in and essentially do a risk assessment on the business itself, the way the IT is set up, all the systems you have in place and then further to that scan the dark web for any associated passwords, any vulnerabilities, any leaks you’re unaware of, any malware installed on your system. And it’s a detailed report that says what it is, how it’s affecting you, when you first got it, when it was removed, what site lost your information. And then even it will say, okay, where you rank in Canada among likelihood of having a claim? It’ll talk about where your individual IT stacks up across all your peers. And then further to that too, we’ll provide a lot of data around average claims, one in 10 year claims, one in a hundred year claims. And then it gets very specific around even types of claim like ransomware, for example, it’ll say you could expect an amount such as this.

Paul Martin:

You know, you raise a really interesting point about just how, I think, defenceless some people feel when they hear this topic come up and you say, “You can just do this analysis.” People just call you up and you say, “Yeah, we’ll do this for you.” Is it free? I mean, how do you handle that?

Colin Rooke:

Yeah, there’s no cost to do it. And you might say, “Well, one; why isn’t there? And then two; if it’s free, is there any value there?” And it is. I mean, we specialize in risk management and ideally we are working a risk management plan where there’s a combination of proactive work and then a strategy around coverages by way of the insurance program. Well, this allows us to one; have a deeper understanding of how our clients are set up, but it’s really impactful and when we’re talking purchase and placement of cyber liability, but also where we really need to put the work in. And this is a document that is designed where business owner, executive would go to their IT provider and not say, “You’ve done anything wrong.” That’s not the point of this report, but it helps identify what’s occurred in the past.

It helps identify leaks that your IT provider would have no idea even occurred. And then also passwords and emails that have been lost, due to known breaches that, again, really isn’t their job to follow. And so, this says, okay, we have this problem. And then the IT department or third party provider would look into it and would verify and say, “Yeah, you do. And let’s correct that. Let’s work on this together.” Now, from our purposes, then we can share, “Okay, just like our risk management plans, we’ve identified risk. And now we are working on risk.” And we can share the completion date. We can share all of that and say this client does not want cyber liability. They’re very concerned about cybersecurity and therefore we ran this report and they’re getting on addressing all of these topics.

Paul Martin:

You know, it’s almost scary though to think about this, that I can give you permission and you can get all this information. So I am assuming that you’re not the only one who can get it, so can the bad guys.

Colin Rooke:

Yeah. It’s pretty incredible how little information we need to develop a very, very in depth report and we do it in seconds. And so, if you set aside resources to deliberately go after a certain company, how easy it is to gather this information. I mean, if we can tell a business owner exactly how many email addresses they have, new and expired and where they’ve been, on what sites, I mean, there’s a lot of information here. It’s pretty shocking seeing this and then being able to sort of piece together what would be available with almost very, very little effort on the criminal side of IT, cybersecurity.

Paul Martin:

Colin, I want to pick this up in a minute. We got to take a little break, but we’re into something that, well, I would consider to be scary territory. So I don’t think we should treat it lightly. So let’s take a break. We’ll come back and we’ll pick it up. You’re listening to Colin Rooke the commercial risk reduction specialist with Butler Buyers. This is Risky Business back after this.

Welcome back to Risky Business, Commercial Insurance with Butler Buyers, Paul Martin, your host here and joining me, Colin Rooke, commercial risk reduction specialist with Butler Buyers. Colin, just before the break we were talking about how it’s almost sort of scary how much information is actually available out there. And I can’t help but wonder, do people in Saskatchewan sometimes think, “Well, I’m not really a target. I’m a small business, I’m in a small town.” I mean, is a small town any form of protection in all of this? How do you answer that?

Colin Rooke:

Yeah, we get that a lot, frankly. And really the answer is the internet doesn’t care where you’re located. You’re just an IP address. And they’re not putting in that type of effort. They’re not flipping through a phone book and for trying to identify who’s who and where they are, it’s more of a blanket approach. And that’s why a security scan, like what I’m referencing is just so important. I mean, we’re able to say, “Look,” to a client, “You might not think you’re low risk, but the average ransomware in your, I’ll say successful ransomware attack in your industry is $881,000. Now, after doing your security scan though, you are in the 90th percentile, meaning not great. We want to be in the first, in this case. And so, therefore we can look deeper into the data and say with those, with poor security controls, the average would be quite a bit higher.”

So, we can really level the playing field and let our clients know this is where you truly fall to get a little more… To talk about how specific this report is, it scans every password and I’m not even sure how it does it, but again, just again, think about how easy it is to steal your password, because it can tell me how many people in your organization use lower case only passwords. It tells me. I know how many people in your organization just use numbers. I know how many people have weak passwords, medium passwords, strong passwords, because they do very simple loops that would be able to essentially open something part of the test. And so, I can say, “Look, your passwords are terrible as an organization and here’s the data. And it would take someone that actually wanted in seconds to do it. I mean, not even seconds anymore, they could buy a program on Amazon for nine bucks. And there you have it.”

Paul Martin:

I’m guessing that if this is this readily available, I mean you can provide a third party provider who’ll do this analysis. Now, when I am going to the insurance market and I am looking to get a policy, presumably the insurance companies are doing a similar sort of analysis on their own. I mean, if it’s available to me, it’s got to be available to them.

Colin Rooke:

Yeah, absolutely. You think of a lot of the major breaches. I mean, there’s breaches of course that, like the Yahoo breach, Equifax, Marriott, those sort of things. So, those are public, very public breaches and they’ve all published lists of emails that may be compromised. So, those are the mainstream breaches. Well, it’s really easy for anyone really to scan and say, “Okay. So, if the email address is at blank, blank, blank, we can throw that into the database and say, ‘Ooh, Marriott has 33 of those.’” But then furthermore, they know of all the breaches that don’t hit the media, thousands of them. And so, this goes a long way when we’re talking about, “Well, why is my premium so high? I mean, I’m just a small business. I don’t see what I’m doing or what kind of exposure.”

Well, they were able to ascertain in a matter of minutes that email addresses are all over the dark web or were involved in so many of these leaks that it’s a real big exposure. In fact, you’ve already been breached. They just really haven’t gotten around to doing anything with it yet. You’re probably in a long queue, but it’s coming at some point. Now, if you’re in that queue and you haven’t had a breach and we’re aware of this, we can close that loop working with your IT. But it’s very important that we’re able to identify these.

Paul Martin:

So, we’re back to that story, that is a kind of a repetitive one when you and I talk, is that at the end of the day doing all of this exercise, I mean, yes, we’re doing it. We’re talking about it in the context of making an application for insurance, but it goes beyond that. I mean, it just makes you a better company, whether we’re talking insurance or just general business operations.

Colin Rooke:

Yeah. I would agree. I mean, for example, if your only goal is to save a dollar or two on insurance premiums or percentages, you’re looking at this the wrong way. If we do our assessments, say from an internet security standpoint, you’re terrible. Just think about the reputation risk, which we’ve talked quite a bit about on this show, in losing all your customer information. And in this case, it actually can tell us, like most companies can’t really figure out how many files they have, how many records they have, or even the types of records. And yet this can, so we can say, “Imagine if you lost all 23,000 files that they were able to come across and we’re now highlighting how poor the controls were. So someone gets around to working on your file for lack of better terms, they’re going to get in, you are going to lose this stuff and it is going to be a big deal.”

Paul Martin:

It’s one of those things where it’s hard to kind of think about, I can’t yell loud enough about this stuff, right?

Colin Rooke:

Yeah.

Paul Martin:

I mean, I can’t over-emphasize it and I’m sure that you run into resistance in the business community from people that say, “I don’t understand it. I think we’ve got it covered because I hired an IT guy.” That’s just sticking your head in the sand, isn’t it?

Colin Rooke:

You know, it is. And we spend a lot of time working with other IT providers and we often get credited with helping move things forward. Of course we will print this report and the first thing is you send it off to IT saying, “What’s going on here?” And of course the IT provider says, “Look, these are the 15 items that we’ve been telling you to address for seven years now.” And we have a way of making it a lot more urgent or real. And so, I don’t want to suggest in any way that this is an IT issue, this is a company issue. And so, this just helps in making the case for why it’s so important, frankly, to take the advice your IT provider is giving you, it just makes it real.

And on the positive side too, we run across risks that are fantastic. Like we can say, “Geez, you’re in the second percentile. We can’t find anything.” And a lot of our clients will say, “Honestly, we take the advice of our IT provider and they just know so much more about this than we do. And so, we blindly follow and it looks like it’s really working well.” And so, there’s a lot of positives here too. I mean, we can validate all that work you’ve put in.

Paul Martin:

Colin, we got a half a minute left. So maybe just get you to circle back and just remind people that this is a service that’s available to anyone. All they need to do is reach out to you?

Colin Rooke:

Yeah. Just let me know, just reach out and say, “Can I get a cyber risk assessment?” And we’ll get it to you. It’s like I said, I need very, very little information. It’s almost scary how little I need.

Paul Martin:

And it’s free.

Colin Rooke:

Yeah. It’s absolutely free. Yep.

Paul Martin:

And no commitments, no strings attached. Just your community service?

Colin Rooke:

Yeah, exactly.

Paul Martin:

You have been listening to Colin Rooke, commercial risk reduction specialist with Butler Buyers. I’m Paul Martin. Thanks for joining us. This is Risky Business. Talk to you next time.

Library of Knowledge


Paul Martin and Colin Rooke discuss the wealth of knowledge, policies & procedures and stats that are used to help clients figure out how to deal with the risks they face.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business, Commercial Insurance with Butler Buyers. This is Paul Martin, your host. And joining me today, Colin Rooke, the Commercial Risk Reduction Specialist at Butler Buyers. And he is also really the Commercial Risk Reduction Specialist of the world. He’s the expert in this field and that’s probably the topic that I want to talk about today. We usually get into such specifics of, “Hey, this is something new that’s going on. There’s that going on?” Whether it’s cyber or, whatever, hard markets. But, I wanted to talk more generally about your approach to the way you look at helping clients figure out how to deal with the risks that they’re facing. But also how to bundle that up, package it, so it’s nice and presentable to provide to an insurance company and that you actually will get, not just a quote, but a good quote from an insurer, because you’ve told the story well.

But really, at the end of the day that’s your job. But one of the byproducts of all of this is this library of information that you guys have accumulated. You are all about tracking all of the latest stuff, and then you compile this information and make it available to business people. I bet you, not very many people know that, “Hey, if I got a question I could actually ask Colin, he would know.”

Colin Rooke:

Yeah, absolutely. For me to have enough data and information to do the show, we got to do a lot of behind the scenes research. And yeah, I mean, we’ve turned into this wealth of knowledge and policies and procedure and stats. And I just want to stress that, for anyone listening, if you have a question or feel there’s something you need. Is there a return to work policy or anything you’re struggling with, abuse policy, safety manuals and everything from newsletters.

So, a lot of the information that I’m sharing and discussions around new and emerging risk, it’s derived of course, from the information we take in. And so I’m more than happy to share that, changes to legislation around occupational health and safety. Reach out to us, to me and say, “We really haven’t visited this in a really long time. How can you get me up to speed?” Or, “What do I need to know, what changes have occurred in the last blank amount of weeks or months?” And we have all of that. In fact, we’ve got so much of it’s… I’ll sort of flip through the database and you almost forget just how much you have and how useful it would be to so many businesses out there.

So essentially, if you’re in an executive or leadership meeting, having a strat planning session and there’re areas where you feel you’re delinquent, and certainly we’ve talked about a lot of those documents on the show, but not even close to how many we would have. Reach out and just say, “Hey, this came up, do you have anything for this?” Chances are we do.

Paul Martin:

Well you know, just the amount of volume of stuff that we’ve talked about in this program over the last few years is astounding. And I think that we’ve probably just scratched the surface of the kind of volume of content that must pass over your desk. So you’re in a kind of a clearinghouse area. You’re seeing all this stuff, for those of us who are just running businesses and we A, don’t have access to that river of information that you’re applying all the time. And B, I don’t know if time to digest it and consume it. You will do all that for us and you’ve actually bundled up and you made it, oftentimes it’s a step by step guide or it’s an information piece, something like that?

Colin Rooke:

Yeah. I remember one of the first shows we did and we were talking about our risk reduction process and what are the stages and what do we do with that information? And is it all bad? Are we only focusing on the negative? And I remember saying, “No, we have this organization where 100%, they have a culture of safety,” and that was not getting communicated. And when we went through the process and developed the plan, the number one topic was safety.

This continuation of the culture of safety. Well, why would we do that when they put such a focus. Well, it is the primary focus of this company. They want to be known for safety. And so we work with them on an ongoing basis and we provide safety newsletters. And so, as we are going through our information, we flag things that we can send off and make it very easily to circulate. And it’s our efforts or our partnering with our clients to say, “This is what’s most important to you. And it’s most important that it continues. So let us provide. Let’s take the headache out of, having to search and sift through the information. We don’t do that. And we’ll get it to you.”

Paul Martin:

I’m just trying to think of something that might be kind of current, that we could use to spark the thought process a little bit. And I think about the way the world is evolving around work from home, and the fourth wave of getting bigger, especially around here. And business owners having to try and figure out, “What am I doing with staffing?” And that changes almost on a daily basis, I would assume. But you guys have to keep track of this. What’s the latest from your perspective? I mean, what are you seeing? What information do you have? How can you help me with that one?

Colin Rooke:

Yeah, that’s a good one. For example, we have return to work policies and return to work guides. Now, normally when I say that it’s return to work after an injury or an event, how do you slowly integrate back into your daily? And what steps does the employer need to take, what documentation, how to get your ducks in a row? In this case, it’s this whole idea of hybrid workplace. Are you a 100% back into work? Is it more of a hybrid model? We have clients that are still a 100% remote.

And so same type of name, but different approach, right? We are educating on what you need to think about in this new return to work or hybrid environment. And so we spend a lot of time talking about things like end point security now as part of the return to work plan or call it this new way of operating we’re now highlighting new risks that we maybe thought were temporary now, for those that are saying, “This is going to be a permanent thing.” There’s new risks we need to address and discuss. And so we’ve got the plan in place. We can make it easy for you. You can look at it as an executive and make changes, roll it out. You can use our model, but the important thing is, we’re helping you with the education. We’re helping with the document itself and making working on risk easy.

Paul Martin:

Well, easy is a good thing. We all want to push the easy button. Right? But as I’m listening to you talk about this, it just strikes me as probably three years ago or something. We were talking about the old security and privacy things and around your cell phone. So you always worried that employees were taking corporate information on the cell phone, through email or whatever with them when they left the building. I guess now when they’re working from home, this is that same story, but on steroids, right? It’s just exaggerated.

Colin Rooke:

Yeah. Absolutely. We would talk about you might have management or if you have a sales staff, are they at a restaurant meeting with a prospect, leaving the phone out or heaven forbid you forget the laptop somewhere? And so we talked about sort of bring your own device policies and a little bit about endpoint security now, whereas that might apply to three to 10%, three years ago, it may apply to 50 to a 100% now. And so the new focus or where the focus needs to be is, “Okay, this is the low hanging fruit. How secure am I?”

Paul Martin:

All right. We’re going to dig into that. We got to take a little break because we’ve reached the midpoint in the program, but Colin, I think we’re into something that’s really hands on helpful for anyone who’s got a management role in business today. You’re listening to Colin Rooke, the commercial risk reduction specialist with Butler Buyers, commercial insurance. This is Risky Business, back after this.

Welcome back to Risky Business, Commercial Insurance with Butler Buyers, Paul Martin here, your host, and joining me, Colin Rooke, the commercial risk reduction specialist with Butler Buyers. Colin, before the break, we were talking about that something we used to talk about called bring your own device, which was, does an employee use their cell phone at work, or does the company supply them with one and then they carry around two? You know that was a conversation point for a couple of years ago. Today in the post or COVID world and post pandemic, that’s taken on a whole new meaning because we still have people working from home. And so are they taking their office equipment back to the house or does the company have to supply? I mean, all of those questions come into play.

Colin Rooke:

Yeah, absolutely. And just kind of at a high level, over 90% of IT decision makers, so those supplying and those calling the shots believe that end point security is just as important as network security in the new, sort of post pandemic environment, it’s a really big deal. And prior to this recording, I made a few phone calls and I wanted to get some local thoughts too. And that is the feeling that we really have to turn our focus to what was taken home. We all rushed to get home, but what really is at home and what policy and procedures are in place and how are we secure? And the other issue too, is as you bolt-on more features, as you make navigating your work laptop, more difficult, the younger you are, statistically, the more likely you are to find a workaround and then bypass that all together.

So the older you are, you’re probably by the books. You’re logging in, you’re using it for work, you’re in the server only. As you get younger and you say, “Gee, this is a pretty good laptop, actually.” You are more likely to cut corners, and you’re more likely to know exactly how to cut corners because you find security to be a drag. And so that’s a big issue. And so, where the industry is moving is rather than bolt-on, built in. So you don’t have a choice. But if you say, “Okay, well, the equipment, for example, that I sent home is old. It’s barely current.” Does that equipment have on it or installed what you need it to do? And maybe should you be looking at what you can purchase today that’s going to eliminate or close the loophole.

For example, you see advertising around Chromebooks that have built in antivirus. You don’t have an option of not having it or subscribing or not, or it is right in there. And that’s this view around this endpoint security, that’s getting ignored as more people are buying laptops, Chromebooks, even printers, right? And most importantly, those with a wireless connection. I mean, technically if there’s a wireless connection, you run the risk of those being able to attack or hack into that network printer. And so those are the conversations that need to be had and a lot more sort of work and effort needs to put into those vulnerabilities.

Paul Martin:

My guess is based on what you just said, mom, dad work at a place where they’ve got pretty good equipment. Now they bring it home. And the next thing you know, the kids are on it, even though they’re probably told not to and all that sort of stuff. I mean, as a business owner, A, what’s my liability and all of that? B, how do I coach or help my employees when they go home so that they do have some level of security without upsetting the home apple cart and saying end up with kids angry at parents, because I’m not allowed to play or touch or whatever. How do I do all of that? How do I navigate that? Do you have information on that?

Colin Rooke:

Yeah, we do quite a bit and I think it all starts with arming you with the statistics, right? If I say, “Oh, it’s a big problem.” How big is it? But I can say, for example, 48% of workers in Canada believe that office security is a complete waste of time. And again, back to the younger demographic from 18 to 24 year olds, that’s 64% say, “I think it’s a waste of time. It’s holding me back. So I’m just not going to do it.” Now where we combat that though, is the education, what does it mean? Right? What happens when you take your laptop home, do personal things with it, come back into the office environment, log back in, what are the risks?

And it starts with, one, understanding the nature of the problem, what is it? How widespread… So making it real, right? Two, arming you with some numbers of, okay, how significant is this? And then three, walking you through what you can do, how you can change that. Or at least again, arming you with knowledge, you understand where you’re at and you can budget accordingly. I mean, I’m not saying that you immediately replace every printer, every device, but you have to understand your risks and what you can do about those. And certainly educate those around those risks.


Paul Martin:

But it’s not a bad idea. I think I’m hearing you say that as a business owner, take a look at your inventory of assets and how current are they? And if you’re thinking about replacing it or you have a schedule, you might want to just be aggressive about that, stay on top of it or get ahead of it a little bit.

Colin Rooke:

Absolutely. And for anyone listening saying, “Paul, Colin, we’re good. We have a policy around this, so I’m not concerned.” Well, roughly 70% of businesses in Canada report having some sort of network security policy, however, 39% of Canadians in the workplace are unsure of what those policies say, and 32% didn’t know the company even had one. So you’re not as protected as you might think. It’s about reviewing. It’s about updating. It’s about educating and making it real.

Paul Martin:

It’s a bit of a classic, isn’t it? The boss thinks they’re covered, because they are. But nobody below them knows. And so by definition you’re not covered because no one knows.

Colin Rooke:

Absolutely. Yeah. And we get the same thing with fleet safety, right? All of our drivers stand to the limit and follow every rule of the road. Well, did you tell that to the drivers?

Paul Martin:

Well, you often see those vehicles, how do you like my driving dial this number? I mean, first of all, that’s a contradiction and safety anyway, you shouldn’t be posting a phone number on the side of a vehicle going 110K or something. We’ve got like a minute, minute and a half left in this program and solid information you’re giving us. But I’m just curious. How does the insurance company look at this conversation you and I are having right now? I mean, what’s their perspective on it?

Colin Rooke:

Absolutely. So we’ve talked about cyber liability pricing being up to 300%. And we’ve also talked about seven out of 10 organizations that are faced with ransomware, they pay it. So it’s arming the insurance companies with the focus on endpoint security and cyber security as a whole, that’s going to reduce cyber liability premiums. I mean, if you’re okay with a 300% increase, go ahead and pay it. And that’s the average, right? So that means there’s people with 600% increases in there. I mean, if the average is 300, it doesn’t mean that’s the marker. And so that’s why this is important. It’s all about arming us with knowledge and then us going back to the insurance companies to say, “They’re putting in the effort, maybe they’re not fantastic, but we’re working on getting from good to great.”

Paul Martin:

All right. Just to wind up here, because we only have a few seconds left, but we started this program by saying you have a library, so maybe just elaborate and invite people, what would they find in your library?

Colin Rooke:

Policies, procedures, manuals, newsletters, basically you name the topic. If there’s an element of risk, our goal is to make your life easier. It’s easy to work on risk if we do all the heavy lifting for you. So reach out and just ask me, “Do you have anything for this?” And we’ll let you know.

Paul Martin:

Yeah. Templates, any of that sort of stuff.

Colin Rooke:

Exactly.

Paul Martin:

Colin, thank you, as always very insightful. You’ve been listening to Colin Rooke, commercial risk reduction specialist with Butler Buyers, commercial insurance. I’m Paul Martin. Thanks for joining us on Risky Business. Talk to you next time.