Cyber Crime Close to Home

In today’s episode of Risky Business, Paul Martin and Colin Rooke are joined in studio by Dan Gold from Martin Charlton Communications and put the spotlight on the City of Saskatoon’s latest cyber crime incident.

Listen to the full episode here, or read the full transcript below

Paul Martin: Welcome to Risky Business Commercial Insurance with Butler Byers. Paul Martin here, the business commentator on CKOM, and joining me in studio our usual contender is Colin Rooke, the commercial risk reduction specialist with Butler Byers. And we’ll have another guest a little later in the program. But we often call and respond or talk on this program to some of the latest headlines that are popping up. And kind of a chronic or perennial topic for us has been cyber crimes, cybersecurity. And, lo and behold, the, the poor city of Saskatoon gets itself caught with that cyber incident. And I think we really need to talk about it because, obviously, in the wake of the event, one of the conversations is insurance claims. Let’s talk about it. You’re a pro at the insurance game. When you heard that story, what are the thought processes that went through your mind when you heard that?

Colin Rooke: Yeah. The first thing that went through my mind was we are going to get a lot of questions from our clients, first of all, about those that have been sort of meaning to get around to the coverage. I mean, is really top of mind when you’re talking to the city of Saskatoon. It’s such a big breach. And then also we had a lot of questions about should cities and towns carry it? Does the city of Saskatoon have a cyber policy? What do they do now? How are they going to get the money back? Can they get the money back? What happens next? Every time we talk cyber, I always promised that we’ll take a break, but then-

Paul Martin: It just keeps handing itself back to us, doesn’t it?

Colin Rooke: Yeah. You’ll look into the news and you’ll see, okay, well, another cyber incident. And, quite frankly, we could do a show a day about big breaches hitting the media.

Paul Martin: And it’s funny thing about sort of public sector now. So the city of Saskatoon captures all the headlines in Canada. I mean, it was a national story and all of that.

Colin Rooke: Yep. Yep.

Paul Martin: But you’re just recounting to me, and how many of these things were happening across North America at the same time? I mean, Saskatoon is not immune or alone, I mean, in this thing, not unique.

Colin Rooke: No. And when you look at the situation with the city of Saskatoon, cyber crime usually comes down to human error. Almost a hundred percent of the time it’s human error. And in this case, again, a mistake was made. And these are mistakes that are very difficult to catch. I mean, the cyber criminals are very good at what they do. That’s the point. We always talk about cyber … it’s not an IT problem. It’s a people problem. It’s a human error problem. And so, I was asked should cities and towns now carry cyber insurance coverage and do I know if the city has it? But I do want to reference that this week alone 23 small towns in the state of Texas alone were the victims of ransomware. This past week, Louisiana declared a state of emergency due to ransomware attacks. Again, this week New York, the city of New York, was hacked. Maryland was hacked. There’s cities in Florida that were hacked. I mean, this is happening each and every day.

Paul Martin: As I watched the coverage unfold on this, when the city came out and talked about it. I mean, first of all, I was kind of taken by the fact that they were really upfront about it. Civic administration stepped up to the plate and said, “Look, here’s what’s happened.”

Colin Rooke: Yeah. So we’ve talked a lot about the value in having an incident response plan. And a few years ago it was on the wish list of an insurance underwriter. Now they’re saying, “We need one or you won’t get it.” You could tell that by the response from the city that they did have a plan. And, of course, it was later disclosed in further interviews that, yes, they do have a plan. They’re working the plan. In fact, they were in the middle of a cyber control audit when this occurred. They’re doing what they need to be doing from a proactive risk management perspective.

But the real message is, for those listening, we all aren’t the city of Saskatoon. We don’t have access to the top resources available to prepare for something like this. But you can still put in the work. You can still plan for this. You can still work on risks. You can still learn about cyber. You can still have, again, your own incident response plan. And so, when this happens to you, you’re going to do really the best you can to come out on top.

Paul Martin: Good point. Because, I mean, as you rightly point out, I think the city of Saskatoon did have a plan and they got caught. 

Colin Rooke: Yeah.

Paul Martin: Imagine those who don’t have a plan, how vulnerable and easy a mark they would be for someone who’s really skilled at this stuff.

Colin Rooke: Exactly. And really good point. The city got caught and they were working on it. They work on it on an ongoing basis. They had the plan in place. They were in the process of a cyber security audit. It sounds like they do have cyber crime coverage, as well. This was top of mind with the city and it happened to them, or to us, I’ll say. I guess, really it’s we’re all the city. But, again, for a business owner that’s saying, “I don’t have any of those things.” It’s time to take a hard look and say, “I think I need it.”

Paul Martin: Just in a recent show we were talking about something called credential loading, which is posing as someone else and then getting you to kind of feed in your information.

Colin Rooke: Yeah. Exactly.

Paul Martin: In a way, that’s what happened on this one, isn’t it? That somebody posed as a CFO of a legitimate company with a legitimate contract and business arrangement with the city and magical presto.

Colin Rooke: Yeah. Yeah. Yeah. The bigger or more prevalent term is social engineering where basically they would have monitored the behavior of the CFO for a while and got to the point where they felt very comfortable mimicking the CFO. Or I guess in this case it would be the general contractor it sounds like, so let’s use that example. But at some point someone was being mimicked and then tricked into, of course, transferring funds. And it’s that simple. 

And what also hasn’t unfolded yet is all the reciprocal damage and also was anyone else hacked? What other information could have been lost? And does the city have a duty to notify all the … basically everyone they have a file on, everyone they work with. I mean, right now it’s the tip of the iceberg of what could happen. And, again, it sounds like the city has a plan for that. And I in no way want to suggest that they don’t. But from a business owner perspective, if you haven’t had these conversations, you really need to think about what am I going to do when this happens to me? Not if, when it happens to me.

Paul Martin: Well, one thing that didn’t get discussed either is that we talked about the million dollars or just over a million dollars that was directly involved in this transfer. But, I mean, think about how much time, money, and effort is being spent by the civic administration right now working on this thing. 

Colin Rooke: Yeah, to get it back.

Paul Martin: There’s going to be a lot of people, there’s a lot of salaries, a lot of hourly rate that’s going into this. And that’s not calculated into it. And for the average business owner, I assume, well, you’d have to factor that in if you were in that seat.

Colin Rooke: Yeah, exactly. I mean, we talk all the time about total cost of risk. And so you say, “Well, okay, the city, I guess, they’re out a million bucks.” Not even close. As you mentioned, it’s the salaries, it’s the time, it’s the effort. It’s the investigation. At the end of the day, even if they, let’s say they recoup most of the million dollars, they might be out another million just working on getting it back.

Paul Martin: And you can’t get insurance for that part of it.

Colin Rooke: Yeah. There’s no coverage for all the time and effort of recouping that.

Paul Martin: Now you made the comment that the city of Saskatoon obviously has coverage on this.

Colin Rooke: Sounds like they do, yes.

Paul Martin: Yeah, it sounds like it. Would that be kind of the norm or would that be the exception that they would have this kind of a policy and be this well prepared?

Colin Rooke: Yeah. Like without knowing, because, I mean, there is a chance that this could have fallen under a crime policy just a standard crime policy, not cyber crimes. Without knowing the details, no, I would say it’s not the norm for cities and towns to carry cyber crime insurance. And, again, it’s an industry problem where it takes a lot of effort to convince a business owner or city or town that this is going to happen or, quite frankly, already has. And then another area where, quite frankly, the discussion needs to be had is, okay, so if Colin is right and it’s a matter of when it happens to me or the fact that it’s probably already happened to you, you just don’t know about it, and now it’s public. What do I do about it?

Paul Martin: Right. Yeah.

Colin Rooke: Who do I talk to? Who handles this for me? Because we’re talking at the end of the day, trust. I mean, if the city of Saskatoon did not handle this well, they’re going to lose a ton of trust. And that’s very important to the city of Saskatoon. 

Paul Martin: And to anyone who wants to come here to do business or already is here. And obviously we need trust in our political institutions period or you kind of get to anarchy, don’t you?

Colin Rooke: Yes. Yep. Yeah, exactly. 

Paul Martin: And from a corporate perspective, I mean, I was jokingly saying, I guess it’s more tongue in cheek as a joke, that the worst case scenario for the CEO is to arrive at work this morning and the news cruiser and the police sirens are going off as you pull up because your business has now been the center of some kind of major event. That’s what we’re going to talk about after the break. We’re going to take a little break Colin, so just sit with us. And those who are listening, you’ve got Colin Rooke on the line here with Risky Business. We’re talking cyber crime, cyber insurance, and cyber protection. Back after this.

Paul Martin: Welcome back to Risky Business Commercial Insurance with Butler Byers. Paul Martin here, and joining me, Colin Rooke, the commercial risk reduction specialist with Butler Byers. And also he’s brought along another guest that will join us in just a second. Dan Gold with Martin Charlton Communications to talk about the public relations aspect of this. And before the break you were talking about reputational damage that comes from this kind of stuff. And why would you bring somebody like Dan along to talk about that?

Colin Rooke: Yeah. And, again, when you’re dealing with a public incident, you are dealing in trust. You are dealing in reputation. And, again, if in the essence of mitigating further damage or further loss, you wanted to say, “Okay, well, have I done everything I need to do proactively to get myself through this?” And let’s say you’ve had a conversation about how you’d handle a data breach internally, but you haven’t had a discussion about how you would handle that publicly. Again, you may not win the sort of the trust reputation battle, and it’s something that you need to think about. Do I have a PR strategy in place for my company? What would I do? Who would I talk to? What’s involved? Who would do what? And what a lot of business owners won’t realize or maybe it’s just not discussed enough in our industry, but there may be coverage available as part of that. For example, if there’s a cyber breach coverage available for PR. And so, again, if you know that you have the coverage available, but then you wait until you have the big breach to then look into it, by the time you, let’s say choose a firm, work out a plan and get them on the street for you, maybe days have gone by. And it’s my understanding of the industry that the minutes matter, not even the hours.

If you’re giving cyber some thought and, let’s say we’re not acting naive and saying it won’t happen to me, you need to give your PR strategy some thoughts. So Dan Gold’s going to join us and he’s going to talk about, okay, what should business owners do? How do I engage with a PR firm? What conversations need to be had? Is it difficult to do? What’s involved? And educate the audience for us.

Paul Martin: Okay. That’s a no problem. And Dan Gold is the Saskatoon office head for Martin Charlton Communications, also their Director of Digital Strategy. And I guess I have to kind of be a little honest about this because I am a Martin in Martin Charlton so we should probably talk about that. But, Dan, welcome to the program. This is like the first time you had been on commercial radio since your days back in the U.K. And for those around here, Dan kind of came to Saskatchewan via the Baumgartner story. The guy who jumped out of outer space and did the parachute landing in Saskatchewan. 

Dan Gold: Yeah, that’s-

Paul Martin: You came. You were kind of in the British media at the time and then doing communications and PR there. And then followed them over here and became part of the Saskatchewan wave of immigrants that came over the last 10 years. So welcome to the program. And you heard Colin set this up. I mean, what conversations do you like to have with business owners about why do you even need to talk to a PR firm and it’s too late to put the genie back in the bottle after the incidents happened?

Dan Gold: Well, generally one of the first things we like to do is talk to people and educate them ahead of anything happening to say, “Preparation is everything.” What are the things that keep you up at night? What are those things that could be worst case scenario? And have you thought about how you’re going to deal with it? Not just whether you have an existing emergency plan, but how are you going to communicate around that? And when we talk about public relations, it’s not necessarily just the public, but what about all the other stakeholders? What about members of staff if there’s an incident? What about their families, regulators, authorities, suppliers, customers, et cetera, potential customer? What’s going to be the future for the organization if there’s damage, significant damage that happens to it? Reputationally. Trust. You could extend it on even further than that with someone’s lives, liability. If there’s been impropriety. There’s all sorts of different things that I like to speak to people and find out what are the things that keep them up at night. And if they haven’t thought about what keeps them up at night, go make a list. What would make the firm exist after something goes wrong?

Paul Martin: And what could go wrong that would be life threatening to the firm? Probably is a legitimate question, too. And you speak a lot to businesses in particular, and I guess some public sector people, as well, but mostly businesses, about crisis communications and crisis management. And when you talk to them about that, it kind of implies that here’s what you do after you’ve had the incident. But your argument is, no, it starts way before the incident. Yeah?

Dan Gold: Mm-hmm (affirmative). Yeah. Absolutely. If you’re not dealing with what we call issues management, then you’re already playing catch up. The worst thing in the world would be for not only the CEO to turn up and the news crews already there, but you imagine if there’s clients or family members that find out that something’s happened from the media or on social media. Suddenly something’s breaking and trending across Twitter and the leadership of the organization knows nothing about it.

Being prepared is, in my mind, absolutely key. And there are numerous steps and different techniques that we can put in place, which are simple and scalable, from the smallest organization up to the largest corporations in the world. And, in some cases, there are lessons that we can learn from the big guys when something does go wrong and see how that can scale down to a single person operation.

Paul Martin: I guess it starts by just trying to decide what it is we’re going to do, how we’re going to handle it. So if we’re faced with an incident, who’s going to speak? The fact that we are going to speak because if you don’t speak, if you try and sweep it away or pretend it didn’t happen, you’re pretty much signing the warrant right there, aren’t you?

Dan Gold: Yeah. No comment is not an option because people immediately question what else is happening. If you’re not talking about this, is it a bigger issue than we think it is? And suddenly all the thoughts grow in this crowd, in this kind of hive mentality of there’s conspiracies that suddenly come into it, which you’re not in control of. You need to maintain communication. If you don’t know something at that time, then say, “We’re investigating it. We can’t speak at this time because we are finding out the facts. Or an investigation is taking place.” Whatever the reason is, we were speaking earlier on, I was listening in to the first part, and you can’t wait days. You cannot wait days. The truth is a crisis breaks. If it gets on social media, generally, there used to be a thing called the golden hour, getting a response out within an hour. In this digital world, in this connected world, we’re talking within seven minutes, you need awareness. So using tools and having a good community where you communicate with each other is essential. Not just from the point of view of going out and selling something, but protecting the organization to make sure in future times there is an organization.

Paul Martin: All right, we only have a few seconds here, Dan, but you’re involved with IABC, which is the business communicators international organization. You’re involved with it at a global level right here from Saskatoon. Now if I’m a business owner how do I interact with you? I mean, what do we need to do? What conversation do you need to have with a business owner to get this started?

Dan Gold: Well, I think the first they do just get in touch with me, and I will be available to listen to what the shape is of your organization and understand the risks that you see. And then from an external perspective what we see as well. From there we can look at what the options are from not only planning for crisis communications and issues management, but also media training. Because lots of people when they’re thrust in front of the media clam up or they don’t know what to say or they don’t know how to say it. They don’t know what their message is. So you can always get in touch with me via Martin Charlton website martinchartlon.ca, and I will be more than willing to sit down with you to go through that.

Paul Martin: Dan, thanks very much. You’ve been listening to Dan Gold with Martin Charlton Communications and Colin Rooke, the commercial risk reduction specialist with Butler Byers. And, again, the news has brought us back to the topic of incidents and cybersecurity. And I know we probably can’t wear this topic out. It just seems to have a life of its own. I’m Paul Martin. Thanks for joining us and we’ll talk to you next time.