Paul Martin and Colin Rooke discuss the broader and detailed aspects of IT and endpoint security.
Listen to the full episode here, or read the full transcript below.
Paul Martin:
Welcome to Risky Business, Commercial Insurance with Butler Buyers. This is Paul Martin, the host of this program, joining me, Colin Rooke, the commercial risk reduction specialist at Butler Buyers. And Colin is an expert in more fields of stuff than you just imagine. And Colin, I guess for the last few weeks, we’ve been talking on this program about cyber, and we’re not going to really depart it, but I realize now in our conversations that describing cybersecurity is really just too narrow. It’s really about IT.
It’s broader than just cyber and maybe you could help me understand that a little bit today. And I think from the business owner’s perspective, some of this stuff, if you’re not schooled in computer technology or technology in general, some of this stuff sounds a little like a foreign language or the classic “Wa waa waaa” thing from the cartoons, but how does the average business owner know when they’re in good hands or in good shape? I mean, how do we even test whether we’re vulnerable or not vulnerable, or that we’re the easy, low-hanging fruit or we’re actually complicated and the attackers would not be so worried about us?
Colin Rooke:
Yeah, really good point. So today, we’re not going to talk about cyber crime, the type of risk, the sort of increased prevalence, but more the piggyback on our previous show talking about sort of the IT side of things, endpoints security. You’re right, it’s really hard to know, are you a target class? Are you a vulnerable risk? And then even further, it’s hard to predict like, okay, for my type of business, if I am subject to ransomware, what kind of amounts are we talking? Is it a hundred million? If so, I guess I would just lock the door and leave or anything in between. And it’s important that our clients or anyone that’s thinking about IT and cybersecurity have some kind of idea that, okay, where do you rank among all business in Canada?
Where do you rank among your peers and then individually, how are you doing? And then even further, what does that mean? If someone says from a cybersecurity perspective, “You’re quite poor.” Well, how do you define that? And on the client side as well, as someone that has helped a lot of people fill out sort of the legacy insurance application for cyber liability coverage, it’s almost impossible, unless you are deeply, deeply involved in your company’s IT, it is really difficult to fill out. We find often we’re sort of re-asking, are you sure you meant to say this? And all of those things impact whether or not you’re going to, one, get the coverage at all; two, the limits offered; and three, the rates you’re going to ultimately pay.
And so what we’ve done and our clients and prospects find this very useful, and to anyone listening to this show, we have the ability now to go in and essentially do a risk assessment on the business itself, the way the IT is set up, all the systems you have in place and then further to that scan the dark web for any associated passwords, any vulnerabilities, any leaks you’re unaware of, any malware installed on your system. And it’s a detailed report that says what it is, how it’s affecting you, when you first got it, when it was removed, what site lost your information. And then even it will say, okay, where you rank in Canada among likelihood of having a claim? It’ll talk about where your individual IT stacks up across all your peers. And then further to that too, we’ll provide a lot of data around average claims, one in 10 year claims, one in a hundred year claims. And then it gets very specific around even types of claim like ransomware, for example, it’ll say you could expect an amount such as this.
Paul Martin:
You know, you raise a really interesting point about just how, I think, defenceless some people feel when they hear this topic come up and you say, “You can just do this analysis.” People just call you up and you say, “Yeah, we’ll do this for you.” Is it free? I mean, how do you handle that?
Colin Rooke:
Yeah, there’s no cost to do it. And you might say, “Well, one, why isn’t there? And then two, if it’s free, is there any value there?” And it is. I mean, we specialize in risk management and ideally we are working a risk management plan where there’s a combination of proactive work and then a strategy around coverages by way of the insurance program. Well, this allows us to, one, have a deeper understanding of how our clients are set up, but it’s really impactful when we’re talking purchase and placement of cyber liability, but also where we really need to put the work in. And this is a document that is designed where a business owner or executive would go to their IT provider and not say, “You’ve done anything wrong.” That’s not the point of this report, but it helps identify what’s occurred in the past.
It helps identify leaks that your IT provider would have no idea even occurred. And then also passwords and emails that have been lost, due to known breaches that, again, really isn’t their job to follow. And so, this says, okay, we have this problem. And then the IT department or third party provider would look into it and would verify and say, “Yeah, you do. And let’s correct that. Let’s work on this together.” Now, from our purposes, then we can share, “Okay, just like our risk management plans, we’ve identified risk. And now we are working on risk.” And we can share the completion date. We can share all of that and say this client does not want cyber liability. They’re very concerned about cybersecurity and therefore we ran this report and they’re getting on addressing all of these topics.
Paul Martin:
You know, it’s almost scary though to think about this, that I can give you permission and you can get all this information. So I am assuming that you’re not the only one who can get it, so can the bad guys.
Colin Rooke:
Yeah. It’s pretty incredible how little information we need to develop a very, very in-depth report and we do it in seconds. And so, if you set aside resources to deliberately go after a certain company, how easy it is to gather this information. I mean, if we can tell a business owner exactly how many email addresses they have, new and expired and where they’ve been, on what sites, I mean, there’s a lot of information here. It’s pretty shocking seeing this and then being able to sort of piece together what would be available with almost very, very little effort on the criminal side of IT, cybersecurity.
Paul Martin:
Colin, I want to pick this up in a minute. We got to take a little break, but we’re into something that, well, I would consider to be scary territory. So I don’t think we should treat it lightly. So let’s take a break. We’ll come back and we’ll pick it up. You’re listening to Colin Rooke, the commercial risk reduction specialist with Butler Buyers. This is Risky Business back after this.
Welcome back to Risky Business, Commercial Insurance with Butler Buyers, Paul Martin, your host here and joining me, Colin Rooke, commercial risk reduction specialist with Butler Buyers. Colin, just before the break we were talking about, it’s almost sort of scary how much information is actually available out there. And I can’t help but wonder, do people in Saskatchewan sometimes think, “Well, I’m not really a target. I’m a small business, I’m in a small town.” I mean, is a small town any form of protection in all of this? How do you answer that?
Colin Rooke:
Yeah, we get that a lot, frankly. And really the answer is the internet doesn’t care where you’re located. You’re just an IP address. And they’re not putting in that type of effort. They’re not flipping through a phone book and for trying to identify who’s who and where they are, it’s more of a blanket approach. And that’s why a security scan, like what I’m referencing is just so important. I mean, we’re able to say, “Look,” to a client, “You might not think you’re low risk, but the average ransomware in your, I’ll say successful ransomware attack in your industry is $881,000. Now, after doing your security scan though, you are in the 90th percentile, meaning not great. We want to be in the first, in this case. And so, therefore we can look deeper into the data and say with those, with poor security controls, the average would be quite a bit higher.”
So, we can really level the playing field and let our clients know this is where you truly fall to get a little more… To talk about how specific this report is, it scans every password and I’m not even sure how it does it, but again, just again, think about how easy it is to steal your password, because it can tell me how many people in your organization use lower case only passwords. It tells me. I know how many people in your organization just use numbers. I know how many people have weak passwords, medium passwords, strong passwords, because they do very simple loops that would be able to essentially open something part of the test. And so, I can say, “Look, your passwords are terrible as an organization and here’s the data. And it would take someone that actually wanted in seconds to do it. I mean, not even seconds anymore, they could buy a program on Amazon for nine bucks. And there you have it.”
Paul Martin:
I’m guessing that if this is this readily available, I mean you can provide a third party provider who’ll do this analysis. Now, when I am going to the insurance market and I am looking to get a policy, presumably the insurance companies are doing a similar sort of analysis on their own. I mean, if it’s available to me, it’s got to be available to them.
Colin Rooke:
Yeah, absolutely. You think of a lot of the major breaches. I mean, there’s breaches of course that, like the Yahoo breach, Equifax, Marriott, those sort of things. So, those are public, very public breaches and they’ve all published lists of emails that may be compromised. So, those are the mainstream breaches. Well, it’s really easy for anyone really to scan and say, “Okay. So, if the email address is at blank, blank, blank, we can throw that into the database and say, ‘Ooh, Marriott has 33 of those.’” But then furthermore, they know of all the breaches that don’t hit the media, thousands of them. And so, this goes a long way when we’re talking about, “Well, why is my premium so high? I mean, I’m just a small business. I don’t see what I’m doing or what kind of exposure.”
Well, they were able to ascertain in a matter of minutes that email addresses are all over the dark web or were involved in so many of these leaks that it’s a real big exposure. In fact, you’ve already been breached. They just really haven’t gotten around to doing anything with it yet. You’re probably in a long queue, but it’s coming at some point. Now, if you’re in that queue and you haven’t had a breach and we’re aware of this, we can close that loop working with your IT. But it’s very important that we’re able to identify these.
Paul Martin:
So, we’re back to that story, that is a kind of a repetitive one when you and I talk, is that at the end of the day doing all of this exercise, I mean, yes, we’re doing it. We’re talking about it in the context of making an application for insurance, but it goes beyond that. I mean, it just makes you a better company, whether we’re talking insurance or just general business operations.
Colin Rooke:
Yeah. I would agree. I mean, for example, if your only goal is to save a dollar or two on insurance premiums or percentages, you’re looking at this the wrong way. If we do our assessments, say from an internet security standpoint, you’re terrible. Just think about the reputation risk, which we’ve talked quite a bit about on this show, in losing all your customer information. And in this case, it actually can tell us, like most companies can’t really figure out how many files they have, how many records they have, or even the types of records. And yet this can, so we can say, “Imagine if you lost all 23,000 files that they were able to come across and we’re now highlighting how poor the controls were. So someone gets around to working on your file, for lack of better terms, they’re going to get in, you are going to lose this stuff and it is going to be a big deal.”
Paul Martin:
It’s one of those things where it’s hard to kind of think about, I can’t yell loud enough about this stuff, right?
Colin Rooke:
Yeah.
Paul Martin:
I mean, I can’t over-emphasize it and I’m sure that you run into resistance in the business community from people that say, “I don’t understand it. I think we’ve got it covered because I hired an IT guy.” That’s just sticking your head in the sand, isn’t it?
Colin Rooke:
You know, it is. And we spend a lot of time working with other IT providers and we often get credited with helping move things forward. Of course we will print this report and the first thing is you send it off to IT saying, “What’s going on here?” And of course the IT provider says, “Look, these are the 15 items that we’ve been telling you to address for seven years now.” And we have a way of making it a lot more urgent or real. And so, I don’t want to suggest in any way that this is an IT issue, this is a company issue. And so, this just helps in making the case for why it’s so important, frankly, to take the advice your IT provider is giving you, it just makes it real.
And on the positive side too, we run across risks that are fantastic. Like we can say, “Geez, you’re in the second percentile. We can’t find anything.” And a lot of our clients will say, “Honestly, we take the advice of our IT provider and they just know so much more about this than we do. And so, we blindly follow and it looks like it’s really working well.” And so, there’s a lot of positives here too. I mean, we can validate all that work you’ve put in.
Paul Martin:
Colin, we got a half a minute left. So maybe just get you to circle back and just remind people that this is a service that’s available to anyone. All they need to do is reach out to you?
Colin Rooke:
Yeah. Just let me know, just reach out and say, “Can I get a cyber risk assessment?” And we’ll get it to you. It’s like I said, I need very, very little information. It’s almost scary how little I need.
Paul Martin:
And it’s free.
Colin Rooke:
Yeah. It’s absolutely free. Yep.
Paul Martin:
And no commitments, no strings attached. Just your community service?
Colin Rooke:
Yeah, exactly.
Paul Martin:
You have been listening to Colin Rooke, commercial risk reduction specialist with Butler Buyers. I’m Paul Martin. Thanks for joining us. This is Risky Business. Talk to you next time.