In today’s episode of Risky Business Paul Martin and Colin Rooke talk about ways to safeguard your business from a cyber breach.
Listen to the full episode here, or read the full transcript below.
Paul Martin:
Welcome to Risky Business Commercial Insurance with Butler Byers. Paul Martin here, your host of this program that runs every week. And joining me in studio as always, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Colin, it seems the headlines just keep repeating themselves. A couple of years ago we were doing the show, we were talking about Equifax, and a data breach, a cyber breach that was going on, and now we’ve got a decision in that court case just in time for a couple more of these things to surface. We all heard about the Capital One event. There was 100 million files that were compromised, and one in Canada, Desjardins, which had millions of files as well. This whole notion of cybersecurity, and cyber breaches, and hacking, and that whole realm, it’s a part of the insurance world that just simply doesn’t go away.
Colin Rooke:
Yeah, I mean, we’ve joked around about, we should call this like a cyber show, and I try not to be a broken record and keep coming back to the old cyber well, but the fact of the matter is, it is constantly in the news. It’s constantly on the forefront. It is constantly being discussed among business owners, among insurance companies, among brokers, and again, and it’s also constantly discussed on national headlines.
So two years ago, almost to the day we were talking about the Equifax breach, and at the time it was the world’s largest data breach, and impacting about 144 million people. Basically, if you’ve ever looked at getting credit, or have borrowed money, chances are Equifax has your information. I mean, that’s certainly how they’re selling it. In fact, I think it’s only … I think it’s a 144 million files just in North America, that excludes the European and global markets.
But now we’re at the point where there’s now … the damages are awarded, and people are being paid. And looking at the numbers, it just makes this whole risk, I think so much more real. So you look at, okay, if your information was compromised, you’re basically looking at years, and years, and years of free credit monitoring. Or you can take $125, essentially, or there’s also ways to get a combination of both. Now that’s the minimum.
The maximum for those that were affected, that actually lost information, the payout is $20,000. So if you’re a business owner listening right now and you’re saying to yourself, “Well, I’m not Equifax, I mean that’s, that’s a big number for a big company. And they probably had a heck of a lot of cyber liability coverage,” and the fact of the matter is they did. But if you look at your business, it’s not easy … or it’s not hard to get to 10,000, 20,000 files. And if you’ve been around for a while, and you’re constantly interacting with customers, taking on new accounts, you deal with some big suppliers, the idea that if you had your own breach that 20,000 people could be affected is … I mean, that’s a lot easier to accomplish than you think it would.
So what would you do if you had 20,000 files compromised, and they all had damages, and the courts just awarded $20,000 max payment to you? I mean, if I’ve done my math right, that’s $400 million. And now, you’re a medium sized company, and you’ve ignored the risk and now you’re expected to somehow pay this, you know? And so, I want to have a show about what’s going on in the market and now just recently, too of course, Capital One has had a big breach. They’re not sure the damages yet. It’s still pretty early on, and Desjardins Financial has now had a breach. And again, that’s … we’ll see the ramifications of that in the coming months, or possibly years.
And then I do want to touch on … there’s some new terminology, some … there’s … the hackers are always innovative in their approach, and I do want to bring up sort of a something else to look for, or a new and emerging risk within the cyberspace. You know, basically a better mouse trap for getting your information. I want to talk about that as well.
Paul Martin:
Well in this business we call that a teaser. So we’re going to talk about that after the break. So it’s going to get people to keep listening, but it is something that the average citizen should be aware of, that it’s a new technique that hackers are using to suck you in to give you … for you to sort of voluntarily give them too much information. And it’s a pretty sneaky devil kind of things. So we’ll be talking about that in a minute.
But I want to come back to these corporate things. You know, you raised the point that well, these big companies and A, they’re big companies, so what’s it got to do with me? But B, they’ve got all kinds of insurance and so they’re sort of protected. But really, you really can’t insure against this stuff. I mean, there’s the actual cost that comes from the settlement, but then there’s we all have second thoughts now about the security of these companies, and do we want to deal with them? There’s that reputation piece too, and that’s not factored into the cost.
Colin Rooke:
You know, I mean it’s so important, and how you handle an event like this is really going to dictate whether you’re in business in the following months, especially when it comes down to personal information, I mean there’s a big level of trust. So when you are dealing with your bank, I mean, they … your bank would know a lot about you, a lot more than most would know about you. And a lot of it’s very personal information, or you’re dealing with your doctor’s office, or your optometrist’s office, any professional from your accountant.
And so, and then suddenly you learn that’s all lost. That could be anywhere. I mean, absolutely anywhere. And I have no idea when that information could come back to haunt me. And I mean, it could be right away, it could be 15 years from now. Are they going to create a false identity? Are they going to run up my credit card bills? You know, are they going to leak some very sensitive information, very personal information about let’s … I mean, if you’re … For example, if you’re the CEO of your firm, are there things about you that you don’t want the public to know about? So now, you’ve had a breach and you have to work on restoring trust, and I mean, it turns into a PR nightmare. And how you handle the … I mean, you mentioned that it’s the golden hour. You know, how you handle that first hour, and then all the hours after that are really going to dictate where you come out on the other end of this thing.
Paul Martin:
Yeah, and that’s not a part of the normal conversation that the headlines are talking about. They’re just talking about the breach, compromised information, here’s the penalty to the company. And it’s a monetary penalty, because they can assess that, because the courts pick that number. But we’re talking about this sort of intangibles that surrounded it. But if I’m the owner of a business, or the manager of a business, I have to take that into account when I’m thinking about saying, “You know, Colin, I really don’t need that coverage.” You really need to have to think about that.
Colin Rooke:
You do. You know, for example, I mean this is a real example. So my daughter, she likes to get the mail and she … so she brought in the mail this week, and there was the Capital One credit card on top of the pile, the, “You’ve been preapproved,” right? And you look down on that thing and saying, “Well, I certainly wouldn’t want to apply right now.” But I mean, that’s very real, and that is a PR issue, and that’s something that Capital One is going to be thinking about. And I mean, it’s … again, the PR side is so impactful to any business.
And you have to think regardless of the industry you’re in, how would you handle the breach? I mean, whether you have insurance or not, now everyone is pointing fingers at you. You lost something of theirs, it’s lost. What would you do? Who would you talk to? What would you say? Would you be transparent? How transparent? How transparent is too transparent? I mean, have you had those discussions? Have you really … have you put together a communication strategy, and asked yourself maybe should we have one? Do we have one? Why don’t we have one?
Paul Martin:
And the irony of this is you’ve just been victimized as the company, and all of a sudden now they’re piling on, because your customers are turning against you too. And you think, “This is the time I need sympathy and support, not more beat up.”
Colin Rooke:
Well, and the point of the show too is proactive risk management. And so, it’s real easy to sell a cyber policy to someone that’s had a cyber breach. You know, and I’m sure it’s really easy to sell PR services to someone that’s had a major PR crisis, but on both sides of the coin, do we really want to … do you want to take on the risk after the fact, or do you want to work on it proactively, and work together? And make sure … I mean A, it maybe never happens, but B, if it does, the impact is greatly, greatly reduced.
Paul Martin:
Well in the communications business we always say, it’s sort of … the nightmare scenario is driving up to your office and seeing the police, and the news cruisers sitting there surrounding your building, because it’s probably not going to be a good day as a consequence.
Colin Rooke:
Well and one thing I’ll say too, is when you read all the news articles about these major breaches, what you don’t ever hear is, “How are we ever going to afford this breach?” You know, “Capital One will be closing their doors. Desjardins Financial is done.” They’re not. They protected themselves financially. The concern is getting to the people that, “You can trust us again. You’ve trusted us in the past, but we have to earn that back,” and that’s all PR Strategy.
Paul Martin:
All right, we’ve got to take a little break. We’re going to come back and after this as we promised, we’re going to alert you as our listener to something you need to be watching out for. It’s a whole new scam that the hackers are using, and just … we’ll be gone for just a couple of minutes. Come back and join us, and we’ll fill you in.
Welcome back to Risky Business Commercial Insurance With Butler Byers, Paul Martin here, and joining me in studio Colin Rooke, the commercial risk reduction specialist with Butler Byers. And before the break, Colin, you alluded to something that you and your industry, and you are aware of. It’s kind of a new scam that’s out there, and that is a kind of a sneaky way to get your information separated from you. Can you fill us in a little bit on it?
Colin Rooke:
Yeah, it’s funny too, because the whole premise behind it, and it’s called credential stuffing, but it makes a lot of sense. It preys on people’s behaviour, and it preys on people’s desire to do things easily. So if you’re listening, credential stuffing is when a hacker, cyber criminal will get a login username and password from an obscure website, whether they buy it on the dark web, or they actually create from scratch, a little portal that requires you to create a username and password. Then they assume that like most people, and if you’re listening now you do this, you’ve used that username and password before. And then what they do is they create a little loop, and they apply that username and password to tens of thousands, hundreds of thousands of known sites, to see if that’ll open the profile.
And lo and behold they had an 80% hit ratio on your name. And so it’s not new in the sense that it’s a new idea, but what … they’re getting more creative on how they’re going to steal your username and password. So maybe it’s a little difficult to get it from your bank, but … and maybe there’s two-factor authentication going on there, but when you download a new app and they say, “Hey, make a username and password,” are you really thinking that this username and password could then cause all my information to be lost at some of the more major accounts I deal with? And they’re banking on … and again, statistically most of you are doing this, that you are using the same username and the same password as often as you can, and it makes sense. We need a password for just about everything.
And I mean there’s services that you can subscribe to where you have one password that then unlocks your box of passwords. And then even in there, there’s two-factor authentication, and the more I talk about that, people say, “Oh, that’s such a headache, I don’t want that.” So of course you go back to old reliable, and you use that everywhere you can. And in fact what the trend is, is for those people that use different passwords each and every time, when they forget that password, the replacement password is usually something familiar, because they don’t want to have this happen again. And again, cyber criminals, they bank on that, they run the data and now they’re in.
Paul Martin:
So, they create a fake website and it’s alluring. And so, you sign up for it, you hand over your username, your password and they just make the guess that you’ve done this before. So we can take those two things and start applying it to banks, to whatever-
Colin Rooke:
Everywhere, yeah.
Paul Martin:
… and pretty soon they’re into your accounts.
Colin Rooke:
Up to and including your own server at work, or your own login credentials where you work. So who would’ve thought that again, the username and password you made for the little app game, the free app that you downloaded would somehow allow a criminal to access the files you have, your work server, and then cause a breach to your employer just from there?
Paul Martin:
And we were just talking before the break about how significant that can be as a breach to an employer, and it can be that simple.
Colin Rooke:
Yeah I mean, the research shows that it is that simple. You know, and again, if you look at it, if you just give a quick inventory of how many places you would have a password, I would argue you probably have 10 times that amount out there over the years.
Paul Martin:
So what do you recommend to people that … I’m a business owner, and I say, “Colin, I agree with everything you’ve said. Now what?” What are the steps that a business owner should be thinking about?
Colin Rooke:
So it’s funny because … so one of the solutions will also create another problem. So the one solution would be to create a strong password policy. So as an employer maybe you require every 30 days you have to change your password, which is tedious, and the more secure the password is required to be, the harder it is to come up with a new password. So you say every 30 days you have to have a password, and that’s great proactive risk management.
Here’s the problem. When you are required to change your password every 30 days and each password has to, again … you have certain criteria that has to be met, characters, capitals, numbers, you can’t reuse certain elements. People either write those down, or they’ll save it in a Word file that says “Work passwords.” And again, for those listening, statistically you do this.
And so, you have to educate and say, “You have to create better passwords,” but then you also can’t store them someplace that’s easy to get to. And then also, I mentioned that there’s services that will sort of be a lockbox for your password, or all your passwords. The problem there is the lockbox has a password. So you crack that code into the lockbox, and now you’ve opened the door to every other password you have in the world, so it’s not easy. But one … another, I guess what I’d say to a business owner is to use two-factor authentication, or a password with skill testing questions, or sometimes up to three or four. Again, tedious, yes, but secure as well. And again, obviously the subject of the second half of the show is do not use the same password for multiple accounts.
Paul Martin:
Simple, simple, simple. And we all do it.
Colin Rooke:
Yeah, exactly. Yeah, exactly.
Paul Martin:
Because it’s simple, simple, simple. It is easy to do, and we are creatures of habit, and so we’re just inclined to … we open up, probably we do this so frequently, they’re just sort of, it’s like rote, isn’t it? You just fire in user, password, bang.
Colin Rooke:
You know, and like I said, it makes sense. You know, let’s say you’re an avid online shopper, and there’s 15 sites that you like to go to. And again, you don’t want the headache of not knowing what your login is. You say, well for … I might even have just a shopping password. I mean, that’s the password I use for shopping. Well, on your profile, it’s going to have all your information, where you live, and it’s going to have your credit card most likely attached to it, you know? So it creates a big problem. And I guess, and then what I’m saying is for the listeners that … often the subject is sort of directed more to the business owner. This is just directly for everybody, stop doing this. Find a better way.
Paul Martin:
Colin, great advice. Thank you for this. You’ve been listening to Colin Rooke, the commercial risk reduction specialist with Butler Byers, and as always, the hot topic, cybersecurity. It just keeps popping up. No matter how many times we do this show, it just keeps coming back and reminding us that it’s a critical, critical item. You’ve been listening to Risky Business. Thanks for joining us. We’ll talk to you next time.