Mitch Bernier joins Paul Martin and Colin Rooke again to continue the conversation on cybersecurity.
Listen to the full episode here, or read the full transcript below.
Paul Martin:
Welcome to Risky Business, commercial insurance with Butler Byers. This is Paul Martin, the business commentator on CKLM, and the host of this program. Joining us, as always, Colin Rooke, the commercial risk reduction specialist with Butler Byers.
We also have joining us, Mitch Bernier, who is a partner in Professional Computer Services. Mitch, we had you on here on the last episode and you and Colin were exchanging some absolutely critical information that business owners and those responsible for business operations are going to have to become conversant with. Actually, we ran out of time, so we decided we better just keep this topic going, because there’s too much here to brush over it too quickly. This is rapidly becoming, Colin, maybe you can jump in here from the insurance industry’s perspective. This topic is really being elevated rapidly in the minds of importance. The rank of importance in the minds of the insurance companies, isn’t it?
Colin Rooke:
Yeah, it is. We brought up three topics in the last show, multi-factor authentication or MFA, we brought up endpoint detection and response, and we brought up data encryption, so everything’s at rest and in transit, including email. We talked quite a bit about multi-factor authentication. We ran out of time, but it’s critical that we, I’m going to even say warn business owners out there, that if you don’t have or you don’t know what endpoint detection and response is, and if you’re unaware of data encryption, especially depending on what industry you’re in, one, you need to know about it, you need to know why you would do it, the risks of not doing it. And then I guess a warning from myself that it’s going to be a requirement soon. For a lot of industries, it is each year more and more.
So rather than wait until your broker or your cyber insurer requires you to do this, understand what it is today, and formulate a plan and get your business up to speed, or up to best practices now, because one thing I can say about the cyber insurers and specifically cyber insurance, they’re not going to give you nine month lead time when they require something at renewal. You’re going to learn one month, maybe two out, and often it’s a race to get it done and most can’t complete that in time. And now you’ve got a big issue.
Paul Martin:
All right. That’s why we brought Mitch back in because he is the keeper of all the knowledge on this topic. Mitch, you deal with business owners, with general managers, people responsible for IT in businesses around the province on a daily basis. How are they reacting to this? What are you hearing back? Is it just one where, “Man, I don’t know if I can keep up to this, my eyes are glazing over?” Just how are they coping with it? What are you seeing? What are you hearing?
Mitch Bernier:
Hey Paul, Colin. Thanks for bringing me back here. Yeah, after our last episode aired, I have a few people that were emailing or texting out back to me saying, some of it was simple like, “Hey Mitch, we heard you on the radio. Thanks for bringing that up,” and, “Am I protected? Because I don’t really know, but can you tell me?” For the most part, most of them are, they’re in decent shape, but there’s always something that you can make better.
On the odd, there is the odd one that it’s like, “Nope, we talked about this a few months ago with you and you didn’t do anything,” but it might have been summer holidays. And now they’re looking at, “Okay, now we hear this, we think it’s serious, we should do that. Help us out.” It’s been a good positive change that way. Now after, as Colin talked about there, the different insurance providers that are asking different questions, especially in cyber, those questionnaires are getting way more precise with terminology and exactly what they want. So if we want to talk about the data encryption piece, is that where we’re going to start?
Colin Rooke:
Yeah, either, or. If you want to talk about endpoint detection or encryption, the mic is yours.
Mitch Bernier:
Okay. Okay, well let’s start a little bit about data encryption. I think it’s important to understand what is it? What does it really mean when people talk about data encryption? It’s a form, a way to transform data from readable to non-readable. Easy as that. And then if you want to read it again, you need a decryption key. If you have the key, it’s presented as readable.
Now that can apply to your emails, to your Word documents, your home recipes, put it on anything you want, but break it down as simple as that. Most people, most business owners or most employees in the company wouldn’t be able to tell you if I asked them, “Is your database encrypted?” They would have no idea about that. That’s more looking at the IT department, the IT guy, something like that to reach on.
In the cyber insurance forms that we’ve filled out over the last couple years, what started off was it might be a question of, do you encrypt your data? But now those questions are way more precise is, if you are running a database, is your database encrypted? They are really targeting any personal information. So if I look at Colin and Butler Byers, I can only assume an insurance company gathers names, dates, addresses, stuff like that, that’s personal information, and now he’s obligated to protect it. The way to do this is through encryption, through using technical methods on keeping that data safe and doing all he can to do that. Colin, you had used a couple other words about data in transit or data at rest?
Colin Rooke:
Yeah, so I’m not an expert in the how, but what I find where businesses get hung up on, they seem to be okay or call it, it seems to be easier to do the stored data, but when we say email as well, so in transit, that seems to be the big project or the, “Ugh, this is going to take some time.” Again, I understand what encryption is, I understand why the cyber insurance market wants you to have it, but what is the challenge there specific to email? Why does it seem like a project to implement?
Mitch Bernier:
Right. Okay, well, when people think email, it’s communication. It’s a communication tool that you and I are sending data back and forth, and not if it’s like, “Hey honey, bring home milk tonight,” not really super sensitive, but there is probably information that you might send to another business, to an insurance provider, that is sensitive and you want to ensure that it’s not readable by anyone else. In Outlook, there’s a button in my Outlook that says encrypt and I have a few encryption options there, but it’s as simple as that. That is, if email was going from me to you, Colin, that’s data in transit and that’s where I want to encrypt that message.
Another example of that would be if I’m doing my online banking, and now the bank and I are having an interaction here and I am looking at my bank account, I necessarily don’t want people seeing that. That’s where you see when I go to the bank website, there’s that little lock icon right by the www dot address and it’s telling me that this is encrypted.
Paul Martin:
I’m going to jump in just for a second, just because I’m trying to manage our time here gentlemen, and we do have to take a little bit of a break. But I want to just touch on one further aspect of this. We generally look at this in this context in this program around the issues related to insurance, but there are also some legal issues here too in terms of data breaches and this kind of stuff. There’s protocols and laws that we have to be looking at as well that go, I guess that’s why you buy insurance against it, but there also is the legal implications and legal liability that goes with it. So maybe we can pick that up after we take a short break. You’re listening to Risky Business, commercial insurance with Butler Byers. I’m Paul Martin, we’ll be back after this.
Welcome back to Risky Business, commercial insurance with Butler Byers. Paul Martin here, and joining us today, Colin Rooke, the commercial risk reduction specialist with Butler Byers, and Mitch Bernier, partner in Professional Computer Services in Saskatoon, and our expert on all things related to cybersecurity.
Just before the break I was talking about, yes, there’s insurance stuff here, but there’s also legal stuff too. So it’s a double-layered thing. Colin, do you have a perspective on that? Do you end up talking to lawyers on these kinds of things?
Colin Rooke:
Yeah, we do. You referenced the Privacy Act quite often. Really, if we have a client that has a claim, it’s not just as simple as, “We’ll get working with your adjuster and we’ll look for any first party damages that may have occurred and work on reimbursement.” There’s often third party damages that you need to consider.
There’s also regulatory issues and requirements from our clients by way of 24 hour help desk, credit monitoring, that sort of thing, to ultimately protect the public. So it really is a good topic, and I always warn our clients that the first party damages are the least of your concerns. It’s always the, what are the risks to everyone else? And if you talk about reputation risk, reputation, and then working on reputation repair, it’s going to come, again, from third party damages and any regulatory penalties, rulings, that kind of thing. So, yeah, it really is an important topic to cover that it’s not just about insurance, it’s about everything else.
Paul Martin:
Well, I raised that only to reinforce the message that’s underlying this program is, business people, this is important. This has many implications for your enterprise. Mitch, I’m wondering if you get people to say, “Well, I guess it’d be a nice to have, but is it a must to have now?”
Mitch Bernier:
Yeah, very much. In the last few years most companies that we deal with, that business owner would come to us and ask, at least ask about it. So that’s probably an insurance provider that’s approaching them saying, “Hey, protect your business. This is what to look at. This is important.” And then they might not understand the questions on the form, but they would come to somebody like me to say, “Hey Mitch, how are we? Are we in good shape? Do I comply? Is this going to cost a bunch of money? Is this going to take a bunch of time?” Like some of those considerations for the owner.
Colin Rooke:
So, speaking of compliance, let’s talk about endpoint detection and response. That seems to be the new kid on the block, at least for us. We’re hearing about it all the time. Data encryption has been talked about for a while and it just seems to be showing up everywhere, back to the forms you’re seeing, it usually is the supplementary questions that are asked. So, again, what is it? Why do I need it? How do I get it? Why is the insurance market concerned with it?
Mitch Bernier:
Right. Okay. So endpoint detection and response, EDR, is, think of it like, back in the day everyone needed antivirus and that was the thing, and that was probably a question on an insurance form back in the day, do you run antivirus? Well, now there’s just so much more to it than that. Really it comes down to how technology has evolved, where they can be looking at your endpoint, and endpoint meaning desktop computer, laptop computer, your iPad, your smartphone, wherever you put this agent on, in real time they’re watching… not watching what you’re doing, that’s the wrong term. They are analyzing what your computer is doing.
If it’s something like the old school virus, they might throw an alert on your screen saying, “Hey, there’s something going on. Maybe don’t click on this or follow it.” But there also might be some analytics in the background looking at that transaction that your computer’s trying to do saying, “Hey, this looks pretty fishy. We’re going to stop this now and not let you proceed, because we think something bad is going to happen if you do that next step.” The evolution now in the EDR market is a managed threat response, where if you’re doing something bad on your laptop and the user might not know something bad is happening, but there’s a team, an alert generated outside to a third party, and that team will look in real time at what’s going on and take action.
In some of our clients nowadays, you can subscribe to some different models, because Butler Byers might be getting attacked at four in the morning and I’m in bed, or your IT person’s in bed, and not necessarily looking at something happening, but that team that’s running 24/7, they will take action or you can grant them permission to deny any, turn off the internet, do whatever it takes to prevent something negative from happening to a business.
Now of course it comes down to budget because these security companies do charge for this, but there is lots of value there depending on what line of business you are in.
Paul Martin:
Mitch, is there any differentiation between big business and small business in this? Or as long as you’re in business you could be facing a threat?
Mitch Bernier:
I would say anyone’s at risk. When you hear of some of the ransomware attacks or some of these attacks nowadays that happen, it’s some small business, some large business, and the bad guys, those threat actors, they are good at what they do. When they come up with a scheme on how to attack a site or get into it, they’re efficient at it. They’re not just doing necessarily only one. They might do a thousand of them today. They only need to get into one.
Colin Rooke:
I can concur too. There really doesn’t seem to be a rhyme or reason or any pattern you can follow as to who has the breach. One, it’s random, and seemingly rampant.
Mitch Bernier:
Yeah. They find a weakness and they exploit it. If the weakness is technology, we need to correct that. Or the weakness might be your employee, your human sitting there, so we need to educate them and bring them up to speed.
Paul Martin:
Yeah, I guess I’m asking, there’s no protection then for being small and thinking, well, I’m too small a fish for them to bother? There’s nothing here to bother pursuing?
Mitch Bernier:
No.
Paul Martin:
No, that doesn’t matter at all?
Mitch Bernier:
No. Usually that comes down to money, budget, where some of the large organizations can afford to do those third party security firms to monitor things 24/7, and the small ma and pa shop, they can’t afford that fancy stuff. So you invest in a good EDR solution or something like that and it’s doing its best job for you.
Paul Martin:
I guess the argument could be the reverse, is that the small business is likely more of a target because they’re less equipped to prevent it.
Colin Rooke:
Yeah.
Mitch Bernier:
Yeah. That’s right.
Paul Martin:
Just one other question on this, Mitch. Just in listening to the conversation here as you lay it out, back then we only needed to have antivirus. Now it’s become more sophisticated. I take from that that this is an ever evolving situation, that the bad guys are always learning new stuff and we always have to put new stuff in to protect ourselves. Is that a fair or accurate assessment?
Mitch Bernier:
Yeah. Oh, that’s exactly right. It’s you, we need to be perfect every time. They only need to get something right once and they’re doing their thing. But on the defensive side, you need to be right every time.
Paul Martin:
Yeah, and this isn’t just one fix solves it for the rest of eternity. This is something business owners need to be on top of. Just another thing that you have to deal with on an ongoing basis, and it needs to be put into your systems so that it’s constantly being brought up to the top of your to-do list.
Mitch Bernier:
Yep, exactly.
Paul Martin:
All right, Colin, we’ve got maybe a half a minute left. Do you want to offer what Butler Byers brings to this table too? If I’m a business owner, I call you up, how are you going to help me with this?
Colin Rooke:
Yeah, I just think it’s important to have experts like Mitch Bernier from Professional Computer Services on the show to point out that this is part of our system, this is what we do. So when we’re going through the risk reduction workshops and talking about level of protection, if we’re talking about cyber, for example, and formulating that plan, well then we say, “Okay, we’re not going to implement endpoint detection and response, but here’s someone that can.” But they also, they understand the cyber market, they understand what’s going on and they’re thinking proactive. So it’s part of what we do in the identification, and then we will also play a part in connecting with the experts.
Paul Martin:
Colin, as always, very insightful, thank you very much. Mitch, I want to thank you for joining us a second time. Your insights are invaluable. Thank you for that.
You’ve been listening to Risky Business, commercial insurance with Butler Byers. I’m Paul Martin. Thanks for joining us. Talk to you next time.