In this webinar, Windes and Bryson share real-life cybersecurity case studies. Learn best practices to help you, and your company, avoid falling victim to the same scams and attacks.
The following is a text version of the recorded webinar presented by Windes and Bryson on November 12, 2020.
Host & Moderator
Craig Ima, MBA is the Chief Marketing Officer at Windes. He has more than 30 years of marketing, business management, product, strategy, database, business development, and sales experience.
Presenters
Rebecca Christiansen, CPA, MST was the Director of Operations and Information Technology (IT) at Windes. She headed the Windes Cybersecurity practice, which offers a full suite of cybersecurity services.
Trent Bryson is the Chief Executive Officer of Bryson. He has over two decades of financial services and insurance experience. He is a frequent speaker on KTLA News, an adjunct professor at Cal State Long Beach in human resources, and the chair for the Political Involvement Committee for NAIFA. Please visit Bryson at brysonfinancial.com to learn more about cyber insurance.
Joe Catalano is a Senior Vice-President at AmWINS and has 13 years of experience in the insurance industry. AmWINS is the largest independent wholesale distributor of specialty insurance products, which includes cybersecurity. AmWINS has 115 offices globally and over 5,400 people worldwide, and is the premier expert in this arena.
For questions regarding cyber insurance, please contact Megan Christensen at 562.661.4724 or via email at megan@brysonfinancial.com.
For questions about Windes Cybersecurity services, please call 844.4WINDES (844.494.6337) or email us at advisory@windes.com.
DISCLAIMER: The information presented in this webinar is intended as general information and does not constitute cybersecurity, IT, or legal advice. You should always consult your IT, legal, insurance, or financial advisor for direction regarding your specific situation.
Craig Ima:
Thank you for joining us today. I am Craig Ima, the Chief Marketing Officer of Windes. Today you will be hearing from cybersecurity experts, Rebecca Christiansen from Windes, Trent Bryson from Bryson, and Joe Catalano from AmWINS. You will hear seven cases of cybersecurity breaches and how you can prevent them.
You will discover that a large percentage of businesses are not utilizing best practices with their IT infrastructure and cybersecurity. Cybersecurity is more important than ever because most of us are working in a remote environment. I will briefly introduce both Windes and Bryson, as well as today’s presenters.
Windes is a public accounting firm established in 1926. We have 29 partners and cover an array of services, including audit and assurance, tax services, and advisory services. Cybersecurity is one of the key advisory services that we provide, along with business value acceleration and exit planning, employee benefit services, M&A work, and outsourced accounting services, such as fractional CFO work. We also provide Paycheck Protection Program loan forgiveness calculations.
Windes has two full-service offices located in Long Beach and Irvine and a satellite office in LA. We have 5,000+ clients, ranging from small- to large-size businesses, non-profits, and high-net-worth individuals, as well as international clients.
Windes has consistently been a “best places to work” both in LA and Orange Counties, for 10 years and running. We are also one of the “best accounting firms to work for in the country,” acknowledged by Accounting Today. Another recognition that we are proud of is that we are a “Civic 50 Orange County” award-winner. This honor recognizes the 50 most community service oriented firms in the county. Last year we were number one in the mid-size category. Windes gives back to the community, we treat our employees well, and in turn, we treat our clients even better.
Bryson is a 51-year-old premier insurance and financial services firm, providing corporate employee benefits, corporate retirement programs, individual wealth management, life insurance, and property and casualty insurance, both personal and commercial. Bryson also provides M&A due diligence services and specializes in Medicare and human resource consulting. Headquartered in Long Beach, they have a diversified client base across the United States.
They have been recognized by numerous industry awards, including the prestigious Long Beach Chamber of Commerce’s City National Bank Entrepreneur of the Year and as a “Top 300 Most Influential Defined Contribution Advisor” by the 401(k) Wire.
Our first speaker today will be Rebecca Christiansen, Director of Operations and Information Technology at Windes. Rebecca is a UCLA graduate and started her career at Windes in 2005 as a CPA. However, after moving into the firm’s administration, she found her passion in operations, which morphed into IT and cybersecurity. Rebecca heads the firm’s cybersecurity practice, which includes cyber risk assessments, vulnerability assessments, penetration tests, incident response, and preparedness. In addition, she runs all of the firm’s training.
The next speaker is Trent Bryson, CEO of Bryson. Trent has over two decades of financial services and insurance experience. He is a frequent speaker on KTLA News, an adjunct professor at Cal State Long Beach in human resources, an officer for Young Professionals Organization, and the chair for the Political Involvement Committee for NAIFA. Trent is also a star athlete and former Nike Farm Team participant, who went to the Olympic trials for track and field.
Joe Catalano, Senior Vice-President at AmWINS, will also be speaking today. Joe has 13 years of experience in the insurance industry. His firm AmWINS is the largest independent wholesale distributor of specialty insurance products, which includes cybersecurity. AmWINS has 115 offices globally and over 5,400 people worldwide, and is the premier expert in this arena, so we are very pleased to have Joe with us today.
I will now turn it over to Rebecca.
Rebecca Christiansen:
Thanks Craig. Good morning all and thanks for joining us. Hopefully, this is a topic that you are all, at least, a little familiar with. There has been a regular stream of reports of various high-profile breaches in the news over the past few years, and an endless flow of dire statistics related to the increase in number, and severity, of cyber attacks that have happened in the last decade.
I saw this morning that the World Economic Forum Global Risk Report for 2020 ranks cyber attacks as the second most concerning risk for doing business globally over the next 10 years. This definitely makes sense. The major reason we are doing this broadcast today is that COVID has added fuel to the fire. You can see some of the statistics on the slides. The FBI is showing a 400% increase in cyber attacks, as opposed to reports of cyber attacks pre-coronavirus.
Ransomware attacks are up over 800% since the pandemic started. The biggest concern is that very few companies are utilizing best practices in this new remote environment. The economic impact that COVID is already having on many businesses has been significant. If you add a cyber attack on top of that, it can be catastrophic. That is why Windes partnered with Bryson and AmWINS to present today’s webcast. We want every business owner to understand your company is currently under attack, repeatedly, remorselessly, and every day.
Cybersecurity really needs to be the focus and at the forefront of every business strategy process. It cannot be an afterthought. The following quote is from the special agent in charge of the San Francisco Secret Service Office: “This is a once-in-a-lifetime target-rich environment for fraudsters. The number of people that are potential targets that could be easily duped by sophisticated cons is the greatest I’ve ever seen in my life.” This remote workforce environment is a great opportunity for cyber criminals. They are out there targeting everyone, every business, relying on peoples’ heightened emotions and concerns in order to use social engineering and phishing – all the tools that were already out there – to more effectively exploit individuals and businesses.
For business owners and individuals, cyber security really needs to be a part of your everyday thought process. I’m now going to hand it over to Trent to dive into our cases.
Trent Bryson:
I think that one of the best ways to talk about what is happening out there is to talk about some of the real-life cases that have happened with some of our clients. In the first situation, an email was sent from the CFO to the controller that said, “Please wire over $12K.” The controller complied. The next day, another email came requesting $85K. Again, the controller did it. The third day, another email came from the CFO asking the controller to wire $285K; he once again complied.
The way that they figured out the fraud was the controller walked by the CFO’s office and said, “Hey, I just sent over that wire.” The CFO looked at the controller and said, “What wire are you talking about?” What had happened was the criminals had hacked into the system and watched the way the two corresponded, using the same nicknames and language style. All the cybercriminal had done was change the email address by just one letter, so it looked like it was coming from the CFO. The compromised email had the company logo and signature in it as if it was a normal transaction. The controller had sent over $382K to a fake account in Nigeria. The company had cyber insurance, but they did not have a social engineering endorsement.
It is critical not only to have cyber insurance, but a policy with the right endorsements. It could be the difference between getting $382K of coverage back, or getting nothing back. Situations like this are happening all the time. Whether they are only attempts or actual events where money has been transferred, this kind of cybercrime is happening to almost every business.
As Rebecca pointed out, with everybody working from home, there is not as much face-to-face interaction, so it’s easier for these kinds of cybercrimes to happen. As we go into the next case, you’re going to see this was a situation where a business owner was buying a house, and as you know, when purchasing a home, you’re being sent information from the escrow office, from the loan offices, from the title company, so you’re receiving all these documents, and it’s really hard to keep up with all the emails coming at you.
In this case, all it really took was the cybercriminals getting into the systems of the escrow, loan, and title company. They watched what was going on with the transaction, saw what was next in the process and what the buyer might be expecting to receive via email. Think about buying your dream house, and you have unknowingly wired money to Africa, instead of to the escrow company. You’re out that money. We see these scams drastically increasing; as more people are working from home, these types of situations are happening almost weekly now.
As we go into the next case, you are going to see some of the lessons learned and what we have put in place for our own company. One best practice is that you should have a verbal requirement in place before wiring money. My CFO has to talk to me personally before she sends a wire. I can email her the information. I can email her where the wire needs to go, but she cannot actually send that wire unless we either have a verbal conversation in person, or on FaceTime, or on another digital platform where she can actually see me verbalize the approval. It’s another level of protection. Wires generally have significant amounts of money associated with them; you’re generally not wiring $15. If you’re doing that, you’re using your VENMO account or something similar, so it’s worth adding in that extra step of personally verifying all requests for wires.
Second is training. Employees need to be trained how to identify these phishing red flags. Especially those who have banking access. Rebecca will talk about the cyber best practices that Windes has put in place.
Rebecca Christiansen:
Training is absolutely going to be the number one thing every company needs to do regularly.
Sending phishing test emails is a great best practice to have in place. Having your employees exposed to these types of scams on a regular basis, so they can start to identify those red flags and learn to always stop, and think, before they click on anything, download anything, or follow any instructions in an email, provides good practice for employees. It also informs your cybersecurity team about who needs more training, should an employee fail the “phishing test.” Other cyber best practices include training your employees to understand that cyber bad actors can spoof email addresses, even without changing that one character, as in Trent’s first case. Cybercriminals can make it look like the email is coming from within your organization. You can set up email filters that will actually put a flag onto those emails right at the top that states: This email is coming from outside your corporation, your entity, and you should be careful before clicking on anything. This is something your IT team should be able to do and it’s usually free, if you already have an email filter.
Joe Catalano:
To take a step back on the insurance side, Trent had mentioned in the first case that the company did have cyber insurance, but they did not have a social engineering endorsement. Within the insurance base, no two policies are created the same. There’s some really good policies on the market. There’s some very, very poor policies on the market. You really need to have a great understanding of what is covered, and what is not covered under your cyber policy or your commercial crime policy.
We are seeing social engineering endorsements that have authentication or call-back provisions in order for coverage to apply, so the insured would have to verify a wire transfer before it’s covered. A lot of these endorsements have sub-limits. Sometimes it’s a $10K sub-limit. Sometimes it’s a $250K sub-limit. You really need to understand what your limit is, if there’s any kind of call-back provision, and really get into the fine print of those endorsements in order to have a thorough understanding of how they would apply in a particular situation.
To piggyback off of what Rebecca was saying regarding best practices, in terms of employee training, the insurance underwriters who are underwriting cyber liability insurance are looking at those types of things. What actual training does the business have for their employees? Do they have phishing or spear phishing training? How often are they conducting it, and are all new employees exposed to this training? Underwriters are really getting into the granular details of the risk before they’re agreeing to quote this type of insurance.
Trent Bryson:
Finally, cyber insurance is evolving, literally, on an annual basis, so a lot of times people will say, “We looked at this three years ago, and put it in,” but this industry is evolving so fast and the criminals have figured out that this new remote workforce is a great way for them to exploit hundreds of businesses on a daily basis. Therefore, it’s important for you to take a real good look at what cyber insurance you have, what endorsements you have, what you don’t have, what’s covered, what’s not, and understand what your risks are.
So you say to your insurance provider, “I want cyber insurance.” If you think about the insurance risk pool, an underwriter is looking at it from the perspective of what is their risk? What’s the probability of us having to pay out? They are going to want to know if you are training your employees, if you have verbal confirmations in place, if your company is employing other best practices. If your company is doing all of these things, the underwriter goes from looking at you as just a random number, to an actual number, and determines that you are low risk and are the type of client they want on their books. This is when you start to get more competitive pricing. So it is not only making sure that you have the best policies in place, but actually utilizing best practices, so you can leverage down that pricing on those policies.
Rebecca Christiansen:
Both Joe and Trent were talking about social engineering and mentioned spear phishing. Hopefully, you’re familiar with those terms. Social engineering is when the bad actors lean on your human nature, your willingness to help people, your fear, any of those heightened emotions, and try to trick you, coerce you, or convince you to take some kind of an action, like clicking on a link, downloading a file, or sending a wire.
Spear phishing emails try to get us to click on links or to download files. Spear phishing is much more targeted and is a very advanced form of social engineering. I have a couple of cases that are trickier than the typical cases you hear about. Not just the simple email that came out of the blue. Bad actors are getting really sophisticated with these types of attacks, and in these cases, utilized something called pretexting. Before they even send you the actual email with the attachment or link they want you to click on, they set you up so that you are lowering your defense mechanisms and expecting these emails.
In the first case, the attackers looked on LinkedIn and found people who had gone to a specific school or university and reached out to them via LinkedIn under the following context: I’m a student at this school. I see you went there, and you’re in the industry that I am interested in studying. Would you be willing to review my resume and give me your feedback? The target person would respond and say, “Of course. I’d be happy to help you out.” Again, the cybercriminals are relying on your willingness as a human being to be helpful to other human beings. The target receives the email with the attachment, which looks like a PDF document, but instead, that file had a second extension, which was an executable. The target downloads the attachment and opens it, executing a ransomware worm on the company’s network. The FBI had to be pulled in. The company ultimately ended up paying the $4.2 million ransom because they did not do enough preparation and never tested the backups, which were corrupted, so that they could not restore the information.
That’s one example of pretexting. In the next case, the TED talk case, the bad actors looked at the company’s website and looked through employee bios and saw that there were a handful of people who had spoken at several public events. The bad actors reached out to these employees and said, “We are going to be having a speaking event in your area. We would love to have you participate.” This was just a normal email, and the target responded that they would love to participate in the presentation. Then they sent the target another email saying, “Okay great. We need to set up a meeting to discuss the content of your talk.” Then, the bad actors sent what looked like an invite to a Zoom meeting. Of course we all get these invites – we are all currently on a Zoom meeting at this very minute, in which we received a link to join. The target, expecting this email, since they had already interacted with this person, clicked on the link expecting to download Zoom and start the meeting, but instead, that link took them to a site that downloaded ransomware. In this case, the existing backups were also corrupted…well, the existing backups were corrupted because they had not tested them. They were doing regular backups, but they had not tried to restore from any of those backups, or tested them in any timeframe, so they ended up having to go back an entire month, and it took them a month to recreate those records.
In the first case, the company did not have cyber insurance, so that $4.2 million was straight out of their pocket. In the second case, the company did have cyber insurance, but the time spent restoring those backups is time the company will never get back, not including the cost in dollars for that time. Trent has another story about ransomware.
Trent Bryson:
What we are seeing now is that smaller companies are being targeted. The larger institutions like Target have been hit and have updated their systems. Target was a pretty well-known one. Smaller companies are more vulnerable. I’ll talk to a company about cyber, and they say, “We’re too small. Nobody’s going to come after us,” but now they are the target. We had one case with a small financial services firm in which ransomware was installed on their system. The cyber criminals now had the company’s clients’ personal information, and the company was threatened with paying a ransom, or all their clients’ accounts would be released and targeted. The owner of this financial services company said, “Wait a minute, I just spent the last 30 years building my business, gaining the trust of all my clients, and now somebody’s going to threaten all of that. What’s going to happen is this is going to make me look bad.” For an owner of a business, that is a scary thought. The best way to stop something like this from happening is for it not to happen at all. It even got to the point where the Department of Justice was involved. They don’t even want insurance companies paying ransoms because of where that money is going and what it’s funding. So now we have this weird situation where even when you have the ransom amount, where is that money going to? I think the number one thing you can do to really protect yourself is to train everyone in your organization. I know that I talked about it earlier, and Rebecca talked about it earlier, as well. Training your employees to help keep situations like these from ever happening is literally the best protection in terms of what you can do.
Joe Catalano:
I would like to add to that. The Treasury Department also released some guidance on October 1, 2020 regarding making ransom payments to sanctioned, known organizations, or countries. The guidance basically says you risk, by paying these ransomware threats, civil penalties by the Treasury Department. So yes, you can make the payments to these foreign bad actors to get your data back, to get your systems online, but you risk the possibility of the Treasury, or some other regulatory body, issuing civil penalties to your organization for voluntarily paying funds to a known restricted entity.
These are some of the challenges our insureds are facing in these situations. Their systems are locked out. They can’t do business. The government is telling them that they can’t pay the ransom, but they have no other choice because they can’t operate their business. Those are the tough decisions facing our insureds. Being prepared is key in order to avoid these situations altogether.
Rebecca Christiansen:
Even when companies do pay ransoms, we’re finding that cyber criminals are getting much better at monetizing these threats, so aside from ransomware, we’re seeing much more infiltration of the data before they even encrypt it. So while the cyber criminals may give back your data, they also probably still have a copy of it. In fact, they probably have all your passwords, as well, and they will release that information on the dark web or sell it.
There is a whole industry related to cybercrime. There are groups that are created specifically to identify vulnerabilities and sell those to other groups who then exploit them. Just because you have your data back, does not mean that the problem is over.
Lessons we can learn from this: The kinds of things that your employees are sharing on social media, what you are sharing on your company website, all of that information – everyone should be aware of, so if someone reaches out to you and says, “Oh, I know so and so,” or “Oh, I have a connection to you,” it’s worthwhile to understand that anybody could be the person reaching out to you, and that has to be part of your training.
Every employee needs to be trained never to open any attachment or click any link in an email where they did not initiate first contact. When someone sends you an email with an attachment or link, even one you were expecting, it’s always better to verify the identity of the person sending it to you before you open the file or click on the link. With any kind of web meeting, it’s always a better idea to go directly to Zoom’s website or Webex’s website and manually enter the meeting ID rather than clicking on the link in the email. Those kinds of things, while they take an extra step, obviously create added protection. The same thing goes with verifying the identity of the person who sent you the email.
Do not use the contact information listed in the email. Do not use the phone number or the email address. Do not reply back to the email address, and say, “Is this legit?” Obviously, if that email account had been hacked or it’s a spoof email address, they’re going to reply, “Of course it’s legit.” You need to use your historical contact information to verify any identities of anyone who sends you anything, again, unless you already know who it is, and were expecting it.
I mentioned email and web filters. There are filters that will actually screen any executable files, so if that PDF that looked like a resume had been downloaded, what would have happened was it would have been run in a sandbox environment first, and flagged as a malicious file, and that user would not have been able to ultimately open it and install it.
There are those options, and then of course, having your backups. We strongly recommend you follow a 3-2-1 backup setting, which is you have three backups, two different locations, and one of them is a Cloud location. Those kinds of things will help protect you in the case that you do have ransomware. It’s part of a layered approach to server security defense, and while it will not solve all your problems, it will definitely help the recovery, if you do have a ransomware attack.
The next two cases are a little more concerning because they relate to internal access. In the Shopify case, Shopify discovered that two of their own employees were accessing customer merchant data and trying to exfiltrate it. In this case, the major result was legal fees and reputation, which is another cost that unfortunately cannot be covered by cyber insurance. If your breach becomes public, then obviously you’re going to have to deal with the fallout of your reputation and the trust of your clients.
The next case is one that you probably heard about – the Twitter breach. The hacker was 17 years old, had just graduated high school, and was living with his parents. This was a huge social engineering attack. He found information on employees and convinced them that he was also an employee. Through social media and some kind of an internal collaboration platform that Twitter had, he was able to get credentials from employees that allowed him to have administrative access to gain control over actual client accounts, and you know some of the big names of people on Twitter. He took over several accounts and started posting for them.
The major impact for Twitter was their reputation and the public’s trust. What is significant about these two cases is what we call a flat network. Even Twitter had various levels of access, but it’s so important to look at cybersecurity from a holistic approach and ask, “Who has access to what? What do their credentials give them access to?”
If every single employee has administrative access on their own computer, that means that every single employee can download any kind of application and run it on their machine, whether it is legitimate or malware. You are essentially giving employees access to your network, to infect the entire network, or giving a disgruntled employee the ability to exfiltrate your client proprietary data or your company’s business data, to take with them, or sell it on the dark web, as they walk out the door, or even before they walk out the door.
Let’s look at the lessons learned from these two cases. The major one is letting your employees know when it’s appropriate for your IT department to ask for your credentials. If you have a large IT department, and don’t know who everyone is, or if you have an MSP, there should be specific situations where IT can ask for your user credentials and it should be in some kind of an encrypted or hashed format.
Again, training is crucial. Every single employee should be careful what they post on social media. If you have employees who are posting that the CEO is going to be out of town or at some conference for a week, that would be a perfect opportunity for a cybercriminal to spoof the CEO’s email address because everyone knows the CEO is going to be hard to reach. If the CFO or controller of that company received an email from the CEO asking to wire money immediately, it would be harder to do a verbal confirmation.
Also, another cyber best practice is micro-segmentation and Zero Trust, which are two terms that have been floating around in the cyber industry. Micro-segmentation is looking at the data in your business, figuring out where it is, and who needs to have access to it. Zero Trust is that every employee only has the minimal level of access that they need to do their job. If an employee requests more access, they are only granted access if it’s proven that they need it, as opposed to everybody having access to everything at all times. What this does is not only protect you internally from your own employees (unfortunately we have to think of that); it also protects you in case one of those employees actually gets breached or compromised, because then their credentials are locked down, and they only have access to a very limited amount of data or of your system. It’s definitely something that a lot of companies are looking at, but it does require a complete look at your entire IT and security structure, and it’s a process. It’s something that’s going to take many, many months or years to accomplish, but it’s worth looking at now because these cases and these issues are only going to get worse.
Joe Catalano:
Rebecca, if you don’t mind me just touching on two of those items. First, in the Shopify case, you were talking about rogue employees, and from an insurance standpoint, we’ve seen some insurance policies that have specific exclusions for rogue employees. If an employee were to sabotage a system or steal confidential information from a company, there are certain insurance policies that would not cover those type of situations. So again, knowing the fine print within your cyber insurance policy is key.
Another area mentioned was reputational damage. Sometimes that’s hard to quantify, but certain insurance carriers are offering reputational coverage within their cyber policies, and in short, if there is a cyber breach that results in bad publicity, and there’s a notable decrease in revenues and net income because of that cyber breach, there would be a pot of money as part of the policy that could be paid to compensate for that lost income. Again, knowing the ins and outs of your cyber policy is very, very key to protecting the balance sheet of your company, and obviously making sure that the right coverage is in place for your company.
Trent Bryson:
What we are seeing out there in underwriting is that the cyber market is showing signs of what we call firming. It means pricing is getting more expensive, as more carriers are coming into play, with more endorsements. You have the large carriers that have been in the market for a while, and now you have new ones that are trying to get into the cyberspace market.
Another thing that I would suggest is if it’s been a few years since you priced your policy, and you receive your renewal, a lot of times we hear people saying “Oh, I didn’t get much of an increase, so do I really want to shop it?” I would suggest that you do shop it because there are some competitive rates that are coming into the marketplace with new endorsements that you may want to consider. If you haven’t done it in the last 36 months, I would certainly make sure that your company goes through a thorough cybersecurity insurance process just to look at coverages, limits, what’s going on in the industry, how it’s affecting your business, and what new training programs can be employed. Hopefully, as a result of listening to us today, you will be putting more cybersecurity training in place, as it can help you leverage pricing. You don’t want to be paying more for something that doesn’t exist across the board. I think it’s a pretty good process to go through, putting those controls in place to show the underwriters that you’re committed to being prepared to stave off these risks. If you haven’t been doing it already, you definitely want to build up that story about your company.
Joe Catalano:
Just a couple of things to add. We are seeing some firming in the insurance marketplace right now. Some of your carriers that have traditionally written this coverage in the past, like your AIGs, your Beazleys, your Chubbs, your Travelers, have a large amount of cyber on their books, so they are certainly experiencing some of the claims that we’re talking about today – the social engineering, the ransomware. In fact, we just saw some recent statistics that showed a huge increase in ransomware severity and frequency with the majority of our cyber insurance carriers, so we’re starting to see price adjustments at most renewals, typically in the 5 to 15% range on most of our clients’ renewals. Again, this is a great time, as you’re coming up to your overall insurance renewals, to look at the cyber piece. See where you might be lacking in certain areas. You need to see what’s in the marketplace because, as Trent mentioned, the cyber market space changes dramatically on a month by month basis, so new endorsements are available, new coverages are available for the new exposures that are out there.
One other thing to look for in the cyber insurance space is what sort of risk management services are available to you as part of the cyber insurance coverage. Certain carriers are offering penetration testing or help with creating a breach response plan. Some of those things are free add-ons that a lot of carriers are starting to include as part of your cyber insurance purchase. Keep an eye out for that. See if it’s available and if it would be helpful to your organization as you look at your cyber insurance renewal.
Rebecca Christiansen:
A few conclusions from today. As Joe mentioned, there are a lot of things you can get from your cyber insurance policy if you already have one, or if you’re getting one. Sometimes that includes training. I cannot emphasize enough that training has to be something that every company does with their employees constantly. If not every single day, it should be something that you do at least annually. There are a number of platforms out there that you can get.
Windes Cybersecurity can help, and through our partners, we have training platforms, so if it’s something you are not currently doing, it is something you should be doing. Training your employees should not only be through webcasts like this one. It should also include phishing testing, something where your employees are actually exposed to these emails on a regular basis, and they get some kind of immediate feedback on whether or not they’ve clicked on some kind of a phishing test or a link.
One of the things that we’re really trying to educate and communicate to all of our clients, and everyone we speak to, is this idea that IT and cybersecurity are not the same thing. You have an IT team, you may have an MSP, maybe in-house or some combination. Your IT team has put into place various things that you’ve heard about, such as antivirus and firewalls, and that is part of the regular IT practice. However, cybersecurity, as you can see with all of these attacks that we’re talking about, is rapidly changing and is a very specialized activity. You really do need to look at cybersecurity as a separate thing. Your IT people are already overworked and already focused on just keeping you up and running, keeping your network running and keeping you connected, especially now that we’ve got everybody working remotely. They’re not going to be capable, not because they don’t have the skills, but because they don’t have the time or the ability to focus full-time on cybersecurity.
It really needs to be something that is pushed from the top. It’s an ongoing process. It’s not something that you can put one tool into place to fix. You are going to have to build this into the culture and the strategy of your business. Every change that you make should be done with security first, as a focus, because every change you make is going to affect your security. If you implement a new ERP, if you add a new office, if you allow employees to work remotely, all of these things have security implications, and if you don’t have somebody who focuses specifically on security at the forefront, you’re going to miss some of these things, and that’s where you create vulnerabilities and open yourself up.
Vulnerability or penetration tests are something that every company should be doing at least once a year. As Trent and Joe both mentioned, doing these things, and showing that you’ve done them, and that you’ve addressed some of these issues will help when you’re having your cyber insurance conversation with your carrier. It is also something that lets you know where your company has issues, and then you can use that information to strategize and build your budget over the next few years.
Everybody should have a cybersecurity budget that’s unique from their IT budget. It should include an annual penetration test, training, and some of the new appliances that you may need to put into place, something like Managed Security Services that will allow you to have someone regularly monitoring your network for strange traffic or activity.
It’s a combination of training and team work that will let your IT know immediately if there’s an issue. As mentioned earlier, once ransomware is installed, even recovering from backup is usually not going to get you 100% safe, so you really need to focus on prevention at the front end, rather than just trying to mitigate after the fact.
Trent Bryson:
As most people go into their end-of-the-year or beginning-of-the-year strategic plans, I think that an agenda item should be what are your cyber risks, and how has that risk evolved? We are now starting to see all this blending of coverages. Sit down with your consultant and make sure that you really have the right cyber insurance in place for your company. You don’t want something out of the box. Every company has different risks, so instead of saying, “I need cyber insurance” you need to say, “I’m going to take a look at my company, and where we are most vulnerable, where a hit would hurt us the most.” Some companies would say, “Reputation doesn’t affect me at all.” Others would say, “That’s all my company is.”
You really want to look at your company and look at where the cyber risk is, and make that part of your plan. Then, it needs to be implemented. It’s one thing to go to that planning meeting and come up with all these great ideas, but if you don’t implement them, put dates on paper and make people accountable, then all too often you come back to the table the following year, and all you are is more vulnerable than you were the year before. Make people accountable. A lot of companies say, “Yeah, we’re going to do this, this, and this,” and then when they go back into renewal the next year, they say, “We didn’t do any of those things because we were so busy.” I think that putting stakeholders in your company to say, “You are going to accomplish this by this date, and we want a progress report” is really important. It’s not just putting in the plan, but it’s putting in what the plan is, implementing the plan, and then monitoring the plan, and making sure that you’re creating the accountability within your own organization.
Craig Ima:
Great. Thank you Trent, Rebecca, and Joe. At this point, we’ll go into some of the questions that we’ve received.
Question: With the constant changes in cyber attacks, how do you try to identify the right coverage and training adequately? Is there a list of issues and terms to get all-inclusive training and insurance coverage?
Craig Ima:
At Windes, we receive fake emails testing us to see if we’re going to fall for the trap. If you failed the test, then you have to go through some training, which is all online. We are on alert all the time. I’ll just throw it out to the panel to get their thoughts.
Trent Bryson:
I love that Windes is doing that. Windes is certainly in the top 5% of companies that are being aggressive with training, so kudos to you there. I think there are best practices that your insurance consultants can provide for you in terms of what they’re doing. You’ve also heard a lot of best practices in this presentation. There are basic checklists, but it’s really identifying where your company is vulnerable and how you’re going to mitigate those risks.
Joe Catalano:
From an insurance standpoint, it’s such an evolving target. Carriers are looking at something now, and maybe a month from now, or two months from now, they’re going to be focused on something else. Right now it’s ransomware. A lot of carriers are asking for additional information as it relates to ransomware preparedness and training. Those are the type of things we’re looking at now, so like Trent said, your insurance consultant should be able to give you a checklist of items from an internal standpoint that your company can focus on to make sure you’re adequately protected, but then obviously you need to look at the insurance backstop, making sure you have the right policy in place with the right coverages. Every company is unique in that way, so having a good insurance broker to walk you through, to coach you through that, is key in this marketplace, especially as the risks are evolving on a day to day, week to week, basis.
Question: How much of this targeting are you seeing in the non-profit industry?
Trent Bryson:
When you’re talking about cybercriminals, they don’t have a prejudice with regard to for-profit versus non-profit, unfortunately. Sure, there’s probably a bigger bullseye on some of the big companies, the Amazons of the world, but they also know that a non-profit is easier for them to extrapolate money. At the end of the day, bad actors who are looking for money, or looking for ransoms, they’re going to go for the most vulnerable organizations. As much as we’d love to say they’re not targeting non-profits, unfortunately, they are. Many non-profits are not putting this in their controls, and so some would say you get targeted a little bit more. I can’t think of anything worse than my favorite non-profit sending $150,000 to the wrong country, and not being able to use that for programs. I would definitely put that as part of your protocol.
Rebecca Christiansen:
So many of these crimes are really just crimes of opportunity. As I mentioned before, there’s a whole industry out there, so if somebody discovers a breach, say a vulnerability in Microsoft, and you’re a Microsoft shop, they’re going to sell that breach to any group that’s out there. The barrier to entry into cybercrime and ransomware is so low that if they get $5,000 from you, it didn’t cost them anything to get in. So whatever size or whatever complexity your organization is, as Trent mentioned, the easier you are to get in, the less time they have to take, so any amount of money is gravy to them.
There definitely are industries that we see are being targeted more because they know they can make a bigger bang for their buck, but those industries tend to be more protected, so there’s a trade-off. Really, everybody’s targeted all the time, so if you have a computer connected to the internet, you’re a target.
Trent Bryson:
We see more of these cybercrimes happening from an opportunity standpoint than a “we’re going to save the world” standpoint by targeting what some would perceive as “bad” companies or overly profitable companies. Cybercriminals are opportunists who are out there trying to figure out a way to infiltrate an organization’s systems, and to Rebecca’s point, they’re going where the low-hanging fruit is.
Joe Catalano:
I can share a personal story. I serve on a board of a non-profit and we, unfortunately, did have a cyber event that occurred last year. It was not us in particular, it was our third-party service provider that did donation processing for us. Their systems got hacked, and the private information, including financial data of some of our donors, went active. Luckily we had cyber insurance in place. We were able to notify all the affected individuals and provide credit monitoring. Luckily, there were no funds stolen from any of our donors, but it wasn’t even our non-profit’s fault. It was our third-party service provider whose systems were compromised. Our insurance policy did respond to it, luckily. A good insurance policy should cover situations like this, regardless of whether it’s your system or a third-party service provider. We had all the right controls in place, but it was our third-party service provider that had a vulnerability that was taken advantage of. Again, having the right controls in place wasn’t even enough to protect us fully from this type of cybercrime.
Question: Are you seeing any special cases or trends with your healthcare company, specifically hospital systems and health plans?
Rebecca Christiansen:
Unfortunately yes. There has been a huge increase in attacks on the healthcare side because there’s a lot of private data that is covered under a whole bunch of different regulations that cannot be exposed, so they feel like they have you by the neck if they get ahold of that data, so there’s definitely been an increase in focus on the healthcare industry. We’ve also seen a huge increase in manufacturing over the last couple of years, which seems kind of odd, but there’s definitely been an uptick on the number of attacks on both of those industries.
Question: Any suggestions on what to do if we feel that there is, or was, a cyber breach in our company by a former contractor or employee? In particular, those that had access to our backend passwords? Usernames have been updated since, however we feel that the breach is still going on.
Rebecca Christiansen:
Yes, call me. If you have cyber insurance, call your cyber insurance broker. If you believe that there’s a breach, time is of the essence, so if you do have cyber insurance, definitely reach out to them, but also, I’m not kidding, call me. We have a team of cyber forensics that can help with incident response both to help mitigate any disaster that’s happened and to prevent it from happening again. And we can help you clean up the mess.
Question: Can we feel comfortable with the Cloud considering the increase in cyber attacks? How is it that the Cloud protects our data better?
Rebecca Christiansen:
The short answer is it doesn’t. If you’re using Microsoft or AWS, they have their own protections in place to keep someone from coming in from their end, but you are responsible for the settings and the infrastructure that you have hosted on the Cloud. All of the same protocols that take place if you were hosting the information on your own servers still exist in the Cloud.
I actually talked to a client who was not very concerned about cybersecurity because all of his infrastructure was in Microsoft Azure. I wanted to ask him, “Okay, well if you get a breach, is Microsoft going to pay you for that breach? Are they going to take care of all the costs related to that?” The answer to that is no. If you look at any agreements that you have with your Cloud providers, they’re going to tell you that you are still responsible for implementing your controls, access, admin credentials, rules, and the way that you are accessing that data. If you have employees that are accessing that data from home, on a router on which they are still using the default router password, and then somebody hacks their router and pulls data from it, everything that employee is transmitting is now free and open. That’s another form of breach not protected by the Cloud.
While the Cloud protects you from your physical servers and helps with the data backup side, you are still responsible for all the configurations and should have a cybersecurity specialist help you design them.
Craig Ima:
That concludes our hour-long cybersecurity webinar. We appreciate your time today. Have a great day.