Mitch Bernier joins Paul Martin and Colin Rooke to discuss the rapidly changing nature of cyber crime and cyber security.
Listen to the full episode here, or read the full transcript below.
Paul Martin:
Welcome to Risky Business Commercial Insurance with Butler Buyers. This is Paul Martin, the business commentator on CKOM. Joining me today, as always, our resident expert, Colin Rooke, the commercial risk reduction specialist at Butler Buyers. And Colin, I like to call you an expert on insurance, but today we brought in a real expert because we’re going to talk about some technical stuff. And I want to welcome Mitch Bernier, partner with Professional Computer Services.
And we’re back to one of those topics that we have touched on fairly frequently over the last few years, and that is cyber, cybersecurity, cyber attacks, all of that sort of genre of activity that business people are faced with. And I’m wondering, we haven’t talked about it for about probably 3, 4, 5 months and I’m guessing everything else in the world, this one is evolving and that even three months ago, the story we would’ve been talking about is different than the story we’re going to be talking about today. Is that a fair assessment?
Colin Rooke:
Yeah, it is. We certainly keep coming back to the topic of cyber crime, and it’s just because it evolves so rapidly, something that we would have discussed as a new issue or sort of a must-have from a cybersecurity perspective, certainly three to six months ago, you look at today, and those best practices are no longer sort of the best but considered to be sort normal and required. And so I think it’s important just to keep touching on the topic and to make sure the audience is staying relevant.
I think I do a pretty good job of explaining the nature of the risk, the frequency and severity of claims in the industry, where it’s going, why pricing is so high, what you can do about it, and talking about overall, the nature. But I wanted to bring Mitch in to talk about… Okay, we’ve talked about topics like data encryption, we’ve talked about multi-factor authentication, we’ve talked about endpoint detection and response. I just throw those words out there saying, these are some of the things that we’re seeing that we used to say it would be nice to have. And then I think you’re going to need it soon, and now you must have it.
And so I thought rather than talk more about the claims we’re seeing or the list that we get from the underwriters, to bring someone on that can actually say, okay, well what is it? Why would a cyber insurer be concerned if you didn’t have it? What does it do and how can you get this? And so I thought, why not bring Mitch on, again, partner with Professional Computer Services, he can explain these topics and then our audience now knows, well, here’s what we can do. And bringing experts like this would be all part of the risk reduction work we do. So we go through the assessment, we identify gaps, and then we would connect our clients with a third party that can help if we aren’t able to do it in-house.
Paul Martin:
All right. Well, Mitch, welcome to the program and look forward to your insights on this. And Colin used a lot of buzz words, end-to-end data encryption. I mean, I wake up in the morning and think, “Oh, if only I could deal with that today.” But I’m sure business people feel a little overwhelmed with this saying, the volume of things that they have to deal with now from a regulatory to this sort of protective side of thing, when business people come to you, Mitch, I mean, are they a little bit perplexed, a little bit baffled, how do you guide them through this and how do you bring the temperature down a little bit on this conversation?
Mitch Bernier:
Right. Yeah, Paul, good morning guys, and good to see you here this morning or talk to you this morning. I think this is very much on business people’s minds, like the owner’s minds now. Like you said, when you wake up in the morning and what’s bugging you. And lately, one of the big topics, and it kind of I’ll say started through COVID. There was a very big uptick on cyber attacks, cyber crime. And we keep hearing these stories in the media about some large enterprises that get compromised or even down to your neighbor’s small business that gets attacked and compromised. They fall for something, they get tricked for something, they get ransomwared, cryptowared, all these names.
And now even in Saskatoon, since in my geography, I tend to deal with more small business than large enterprise and I have a lot of owners coming back to me now with a two or three-page PDF from an insurance company saying, “Hey Mitch, can you help me fill this out?” And I guess I’ve always done those steps with these people because it’s a lot of the geeky type questions that they’re just not going to be able to answer. But over the last year, I probably start filling out two or three of these a month now to try and help people through their things and identify the gaps. And a lot of times they say, well, what’s this about? Why do I need this?
And at first it started with, “Hey, Mitch, my insurance guy, he’s trying to sell me this cyber insurance stuff. Do I need it, or do you have me protected?” And now it’s more a conversation of, “Hey Mitch, I want cyber insurance now. Not do I need it, but now I want it. What do I got to do to comply?” And in the last year in filling out these forms, the forms are getting a lot more specific on what they require for a business to comply. And there’s a few key things as the buzzwords that Colin mentioned there. MFA is such a huge thing now. Encryption, a big word and it means a lot in a lot of different spaces. The endpoint detection, EDR or MRT or MTR, managed threat response.
Some of these things now are becoming so prevalent in our cybersecurity world. It’s almost mandatory to have these pieces in place now. Just like when the internet came out of 20 years ago and everyone needed a firewall, that was the one piece to keep you secure. And now it’s so much more than that. Now our world is so connected, the introduction of everything cloud-based. And now your resources aren’t necessarily in your four brick walls downtown. They’re scattered throughout the cyber universe. How do you protect it all?
Paul Martin:
I guess we know we’ve reached a level of maturity when we have our own set of acronyms and initials for something like this. And I noticed you were first struggling with the number of initials that are out there, and you got to feel a little bit sorry for the business owner or the CFO responsible for placing insurance to be able to keep up to all of this stuff. And Colin, I’m wondering, do you get pushback from prospective clients or your client base, or how are they reacting to this just with some kind of resignation, or are they indignant about it?
Colin Rooke:
Yeah, so Mitch made a very good point when it comes to the application itself. So, the application is full of terms. I mean, absolutely full of terms. And unless you’re dealing with someone like Mitch on the other end, we’re asking a CFO as an example to confirm is this in place, is that not in place. And it’s tough to keep up. And we certainly get applications back where some of these boxes are ticked, and it takes a couple of questions from our end to realize, no, they’re not.
And so there was some confusion. You’re not quite sure what multi-factor is like. We’ll get organizations that’ll say, well, we have login passwords. Well, that’s not what we’re talking about. And so I think step one, especially due to the complexity and the nature of the risk and the insurance application itself, I think it’s very important to reach out to someone like Mitch from Professional Computer Services and say, “I might know what I’m doing, but I don’t want to be wrong on this. Can you walk me through how to fill this out because I certainly don’t want to say yes to something that we don’t have in place?”
Because from our chair, if you say yes, that you have it and don’t, and there’s a breach, there’s not going to be coverage. And that’s a big deal. And so I think step one is talking to someone to walk you through it. But Mitch, we talked about a few of the acronyms. Why don’t we start with MFA, multi-factor authentication, and just kind of quickly explain what it is, what it does, how do you get it, and why the insurance companies would care?
Paul Martin:
Yeah, and I’m going to jump in. We have to take a little break, and I was thinking right after the break, Mitch, if you’re good with that, we’re going to come back and kind of walk through some of these more technical terms and just get your insights so that business people, business owners and managers can actually get their head around this. And this becomes less of a fear factor, more of a “Oh, I understand that and I know why we’re doing it.”
You’re listening to Risky Business Commercial Insurance with Butler Buyers. I’m Paul Martin. We’ll be back after this.
Welcome back to Risky Business Commercial Insurance with Butler Buyers. Paul Martin, your host here, and joining me, Colin Rooke, the commercial risk reduction specialist at Butler Buyers, and Mitch Bernier, partner with Professional Computer Services. And we’re just getting into some of the terminology that is… I’m guessing going to become part of the average everyday business person’s lexicon as we go forward. And Mitch, maybe just walk us through that. And let’s start first with that multi-factor authentication thing that we’re talking about prior to the break.
Mitch Bernier:
I think multi-factor authentication is probably the single most important piece to ensure everyone is running nowadays. On top of strong passwords and a firewall and stuff, it’s the latest thing on a way to protect yourself. I think in most small business in their Office 365 tenant, there’s some easy check boxes or easy clicks to enforce your staff to help them to enable this thing. Back in the day, we relied on one password as that single password. And I think that’s where the multi-factor, it started with two-factor authentication where people realized, if that password gets compromised, is there another step that we can take to protect ourselves? While now, people or businesses are looking to multiple ways to protect those layers to get into your organization to get to data. So, it kind of evolved into the term multi-factor authentication. So usually, the first step in MFA is something you know, your password; that is the most common thing.
For years and years now, we’ve been stressing to people to have a good strong password, uppercase, numbers, symbols, stuff like that, come up with a phrase, something that’s not guessable, not in the dictionary. The next evolution in there now is in the MFA world, something you have. So for most people now, it’s a smartphone. So the next layer to authenticate is… And a lot of people will see this from their bank accounts nowadays, where it’ll text you a code and you’ve got to enter in the code and then I can gain access to my bank account or the banking website.
In the Microsoft world, it’s to gain access into that Office web app or into my Outlook, into SharePoint data. Another option is the fobs that you see. Every now and then, somebody will see it on their key chain or something, and it’s a code that’s changing every one minute. You can install that same type fob as an authenticator app on your smartphone. And in our world here, we tend to push that authenticator app a little more than a text message. Nowadays it seems a little more common, where when you’re setting up the two-factor authentication steps, they’re asking you to scan this QR code and it’ll install into the authenticator app and start generating a new code every one minute for you to key.
Another type of authentication then, of course, is something that you are, meaning your fingerprint, your face, your palm, when they scan something bio on you that they can look at that’s unique to you as a human. My laptop, now when I sit down in front of it, there’s facial recognition, so my camera tends to always be on, or I don’t cover the little slider switch. So it’s looking at me, and when it sees my face, it turns itself on and logs me in. Something like that.
I think in filling out all these insurance forms here lately, MFA is the one piece where you can really see it coming from any insurance provider now where it’s almost a black and white question of “Do you have this enabled? Yes or no?” And if you check the no box, then they always come back and say like “You’re declined. We’re not going to cover that one.” And then usually, the business owner comes back to say, “What do we got to do? How do we do this? Where do we go from here?” So you can walk them through the steps of getting that coverage or getting some type of MFA going, and then they can check the yes box. That make sense?
Colin Rooke:
Yes. Yeah, absolutely.
Mitch Bernier:
I think in the recent waves of attacks that we see now in the world, most, like 99% of them will be stopped if people have MFA enabled. If they receive a bad email and they click on that bad link and type in their password for their office account, the next check if the bad guy had your password now, it prompts them for that MFA authentication. So if you’re sitting there with your smartphone and you’re getting a prompt for, “Hey, do you want to allow this to happen?” And you’re thinking, “I didn’t ask for anything. I didn’t do anything.” The immediate button to hit there is “Deny the action.” Proceed if you don’t know.
And of course, as we’re talking about this, well, maybe a year or so ago, we went through an exercise where that was the case where somebody was annoyed with the button popping up on their phone saying “Do you want to approve?” And they said no. And eventually, they were annoyed by it, so they approved it. So even that level of protection, they just bypassed it by not thinking about it because they were getting attacked. They just didn’t realize it until it’s too late. And it comes down to the human aspect there. They’re waiting for the human to make an error, make a mistake.
Colin Rooke:
I’m glad you said that because I often talk about that cyber crime is almost 100% human error. And it’s these types of situations where it’s explained to you what multi-factor is, that you’re going to get an alert on your phone if someone’s trying to log in, but then people being people, you see the prompt, you think something’s wrong with the program and you approve it, and now suddenly we have a breach. So I’m glad that you touched on that because it’s something that I often talk about; that’s why education’s so important and it’s so important to have regular talks about cyber crime and cyber liability because of instances like this: if your phone is telling you someone’s trying to log in and you aren’t, it is a problem. Don’t ignore it. Don’t just hit “Allow” to make it go away. Tell someone like yourselves in IT to say, “I’m a little concerned.”
And I always say too, and I just ran into a situation yesterday, that if your gut instinct is telling you not to do something that has to do with your computer or your device, don’t do it. I mean, you’re not going to be reprimanded to say, “Hey, I was thinking about the company here. This seems a little suspicious. I don’t want to do anything that’s disruptive. What should I do here? Should I do something or leave it?”
Mitch Bernier:
Yeah, that’s right. It should raise an immediate red flag to the user. And most of it comes down to that user education, user training. A lot of people will say “I don’t understand IT. I don’t understand all this stuff. It’s too much.” But that’s where we do need to start training our staff, training the people on what this means, how it works, and what it means, what to do. And you’re never going to go wrong by asking questions or going to ask somebody, “Is this good or bad? Should I do this?” to keep the organization safe.
Colin Rooke:
Yeah, absolutely.
Paul Martin:
Colin, we’ve got maybe a half a minute left here. As you guys are discussing this, it just strikes me that training and plugging the staff into this stuff on a regular basis becomes one of the tools that business owners can use: regular training or updating sessions. And Colin, I wonder how the insurance industry views that. If a company seems to be proactive on this by spending time discussing it with staff, maybe having a Mitch come in and talk to the team, that I’m guessing is considered favourably.
Colin Rooke:
Yeah, absolutely. Again, part of the reservation with the insurance markets is, are we discussing cyber crime? Does the organization understand cyber liability? We get questions around it, and we don’t have time to touch on it today, but having an incident response plan, and part of that plan requires at minimum quarterly education or rereading the plan. And so these are all things that as we go, it’s going to… Of course, from a pricing standpoint, but frankly at this point, just the availability of coverage itself, that if you’re not putting in the effort, you’re going to find yourself without. And that’s the real concern. And so education is very important, and it’s important that we relay that back.
Paul Martin:
Gentlemen, we’ve run out of time. Thank you for this. The insights are really impressive on this. Mitch Bernier, partner with Professional Computer Services. Thanks for taking time to join us. You’ve been listening to Colin Rooke, commercial risk reduction specialist at Butler Buyers. This is Risky Business. Thanks for joining us.
Mitch Bernier:
Thanks, guys.