7 Essential Cyber Defense Practices for Businesses in 2024
No doubt, as a business owner, the subject of cybersecurity, cyber defense, and cyber liability insurance has come up in your world many, many times over the past month, even the past year. A couple of years ago, it was probably something you were aware of but that wasn't really urgent. Now you're seeing articles every day about companies being hacked, fines being paid, and regulatory problems. Here's a perfect example: the federal government is looking to pass another Sarbanes-Oxley-type regulation that relates to how companies prepare for cyber insurance. If you don't have best practices in place, it may be considered a liability for your company as a board, executive, or CEO.
At the same time, the risk landscape is increasing, and many companies are looking to reduce their internal cybersecurity resources. So, what can be done as a company to prepare yourself for the increased risk of cyber attacks? It's kind of like if a hurricane were suddenly coming; you'd want to batten down the hatches for your business. So, we're going to talk about business cybersecurity: what are the best practices, what you can do internally, and how you can create a strategy and a system for your company without breaking the bank to prepare for a cyber event. If one happens, how do you respond to it and make it not a deal breaker for your company?
First, let's look at a tale of two companies. Let's say on a Monday, you pull into your company parking lot, get out of your car, and see your building. On that particular day, it looks like this: flames pouring out of your business, burning. Hopefully, you're the first one there, and God forbid nobody gets hurt, there’s no injury, or loss of life, just a lot of damage. What happens next? The fire department comes and puts out the flames, and it's the end of the day—it's 2 or 3 in the afternoon. Now what? When can you be back in business?
As a company, let’s say this is an accounting firm as an example, what do you do next? I'm sure as the fire is going on and as other employees show up, you start calling clients, letting them know things might be a little hectic that day, and you're making plans already. But what do you do the next day? Well, in reality, as an accounting firm, you could be back in business pretty quickly. You could find some empty office space—there’s probably plenty in your town. You get some cheap folding tables from Walmart, some computers from Best Buy, and phones shipped from Amazon. In theory, you could be back in business within 24 to 48 hours. Your business is resilient. There may be some trouble—you might have to be cramped in one small area, nobody has their private offices, and there’ll be a little bit of chaos—but you can be back in business. That’s hazard peril number one.
What if, instead of walking into a fire on Monday morning, you walk into this? Instead of being on fire, you walk in the door, and everything looks fine. But you look at your computer screen and see this: your files are encrypted, and you're being asked to pay a ransom. All your computers are locked down, and you can't access your computers, phones, accounts payable, or even your cloud systems. Everything’s offline. Either the computers won’t boot up, or there’s this big-time warning message. What do you do now? How fast could you be back in business at this point?
Certainly, your first call will probably be to your IT department to find out what they can do. Normally, at that point, it's probably too late. Most cyberattacks actually started weeks or months before, lurking on your system, gathering information, and finding all the ways to lock your system down. So, now what do you do? You can't go to Walmart and buy new computers or phones, because it's not really about the computers; it's about the encryption. This could be a big event. In fact, how big could it be? According to Inc., 60% of small businesses go out of business within 6 months after they are attacked.
So, what can you do? Well, first, let’s look at what the damages could be. According to Chubb Insurance, one of the largest cyber insurers, a typical cyber incident costs over half a million dollars. You’ll have the investigation, a response team, privacy control, fines, and penalties—usually government agencies impose a lot of fines for this. You’ll also have to pay the ransom and deal with other costs. That’s how much it costs, and it’s why many businesses fold within six months.
What kind of companies are being attacked? Well, it's not just tech firms. Media companies, networks, and all kinds of companies are being affected by this. How does it happen? Usually, it's due to human error, hacking, or malware installation, which is itself usually the result of human error. The assets that are affected include your media, your network, and your people. We're going to talk later about how this turns into a people problem at some point.
Here’s more detail on what kinds of companies are attacked. Professional services, by far, are the most targeted—almost a third of attacks. Technology companies make up only 13-13%—not even a fifth. Retail, hospitality, and financial institutions are also low on the list, but many different industries are vulnerable.
Professional services and other businesses, such as paving companies and real estate companies, are among the ones being attacked by hackers. So, what can you do? Unlike many other losses you might have in your company, such as fire, general liability, or Employment Practices Liability Insurance (EPLI) claims, cyber risk and losses are almost entirely preventable. These attacks take more than a month on average. Hackers get into your system, lurk, and remain hidden. During that 60 to 75-day period, the attack can be interrupted as long as it's observed. The best practices for observing and preventing it are not always found in your IT department. Your IT people are great; they know what they're doing, but a cyberattack is not always about IT. The steps to prevent the attack aren't bureaucratic, and they won't slow you down. In fact, they will improve your operations, lead to more sales, and won't impede your business.
Now, let's talk about what happens beyond the loss of money in a cyber attack. Sure, you’re going to lose money, but you will also lose morale. During the attack, your employees will be bewildered. Your salespeople won’t be able to sell, your production staff won’t be able to produce anything, and your competitors will see this as an opportunity. They’ll know you’re out of business for a week, a week and a half, or even longer, and they will pounce. They will try to poach your clients because your clients will start losing confidence in your business. They won’t be able to reach you, place an order, or check on existing orders. You may also face problems with vendor contracts—vendors who supply you with materials might divert their resources elsewhere. Furthermore, you could have third-party claims. Clients, vendors, or other parties may file claims against you for losses they experienced indirectly. Lastly, you’ll face scrutiny from regulators, especially since laws regarding cyberattacks are being passed. If you don't take action now, you won’t be able to prevent an attack in the first place.
So, what can you do internally to prevent this? There are seven things you can do, and we'll cover them quickly and in detail. The important thing to remember is that these steps are easy to incorporate into your daily routines, and in many cases, they'll boost morale and business development. The first step is device inventory, followed by a credential census. Then, you need to support your IT department, send social engineering memos, perform updates and patches, automate responses, and establish a response team. These steps are hardly any work at all. It's not hard to do, and you can mix them into your normal key performance indicators (KPIs).
Let’s start with the device inventory. Within your organization, you have dozens, if not hundreds, of devices connected to your network. Certainly, you have computers, laptops, and desktops. You also have servers, routers, and networks. These are things most people can relate to, but you likely also have other network devices you might not be aware of. Security cameras, for example, are network devices. They’re basically mini-computers. Do they have passwords? Do you need to log in? Your phone system, your IP phone system, is also a network device—it’s a mini-computer and can be shut down. Even things like Smart TVs, parking controls, access controls (card keys), and thermostats are network devices. Many people don’t consider thermostats a big deal, but remember that every time you add a device, you need to input your Wi-Fi password. Tablets used for inventory or by customers are also networked devices.
The first thing you need to do is inventory all of these devices. This is simple. One or more of your routers will have a listing of everything connected to it. Your IT person can easily create a spreadsheet of all the devices on your network. It's a one-time task, and it can be automated. Once you have that inventory, what's next? Well, we need to take a look at the credentials each device holds.
This leads us to the second step: the credential census. You’ll want to look at the credentials of all those devices and people. For example, the guard gate to your parking lot doesn’t need access to payroll, and your thermostat doesn’t need access to your client list. But you might find that these devices have full authentication and credentials for access to your network, even though they don’t need it. Starting with a device inventory allows you to know what’s on your network. Then, you can assess the credentials.
What about people? Does your sales manager need website developer access? Should your sales manager be able to change your website? Not that they would do anything wrong, but what if their personal computer gets hacked, and now the hacker can access your website and shut it down?
Does your CEO need full access to everything? You might think, "Well, just because he's the CEO, he should access everything." Well, maybe, maybe not. When he needs to access something, he can, but how often does he really go into the website? Does he really go in and do payroll? The CEO needs to see things, but just because he's the boss doesn't mean he needs every access credential. Authority in the org chart does not equal the access a job requires. There may be some people lower on the employee chain who need more access than someone above them because of the job they do.
A couple of other examples: Does the bookkeeper need access to your customer management system? They need access to payroll and financial statements, but maybe not your clients. Also, look at third-party APIs. Your website might have little modules on it that connect to your server to get product information. Also, look at your clients. Your clients may have access to put in orders, even automatically. You want to go through the census and ask: Who, what, where, and why does this person or device need it? Every single credential needs to have a reason associated with it that justifies the access. If they don't need it, you should remove it, not out of distrust, but so that a hacker can't get into something through a credential that was never needed.
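As an added example (not code from the presentation), here is a small Python script that turns a router neighbor-table export into the device inventory and then applies the credential census rule above: every grant must carry a stated reason, or it is flagged for removal. The neighbor-table lines follow the `ip neigh show` format on Linux, and the device names, owners, and grants are constructed sample data.

```python
"""Device inventory plus credential census (added example, constructed data)."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of a router neighbor table in `ip neigh show` format.
# Entries without a hardware address (e.g. FAILED) carry no device to inventory.
NEIGH_TABLE = """\
10.0.1.12 dev br0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.0.1.40 dev br0 lladdr 00:1a:2b:3c:4d:02 STALE
10.0.1.77 dev br0 lladdr 00:1a:2b:3c:4d:03 REACHABLE
10.0.1.90 dev br0 lladdr 00:1a:2b:3c:4d:04 REACHABLE
10.0.1.150 dev br0 lladdr 00:1a:2b:3c:4d:99 REACHABLE
10.0.1.201 dev br0 FAILED
"""

# Constructed owner records: what IT already knows about each MAC address.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:01": ("sales-laptop-07", "Sales"),
    "00:1a:2b:3c:4d:02": ("lobby-camera-2", "Facilities"),
    "00:1a:2b:3c:4d:03": ("thermostat-floor1", "Facilities"),
    "00:1a:2b:3c:4d:04": ("bookkeeper-pc", "Accounting"),
}

# Constructed credential grants: (device or person, system, stated reason).
# An empty reason means nobody could say why the access exists.
GRANTS = [
    ("thermostat-floor1", "client-list", ""),
    ("lobby-camera-2", "file-server", ""),
    ("bookkeeper-pc", "payroll", "Runs payroll"),
    ("bookkeeper-pc", "crm", ""),
    ("sales-laptop-07", "crm", "Enters customer orders"),
]

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$")


@dataclass
class Device:
    ip: str
    mac: str
    name: str
    owner: str
    state: str


def build_inventory(neigh_text, known):
    """Parse neighbor-table lines into Device records, joining the owner list."""
    devices = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # no hardware address on this line; nothing to inventory
        ip, _iface, mac, state = m.groups()
        name, owner = known.get(mac, ("UNKNOWN", "UNASSIGNED"))
        devices.append(Device(ip, mac, name, owner, state))
    return devices


def unknown_devices(devices):
    """Devices on the wire that nobody has claimed: the first thing to chase."""
    return [d for d in devices if d.owner == "UNASSIGNED"]


def credential_census(grants):
    """Return (who, system) for grants with no documented reason: remove them."""
    return [(who, system) for who, system, reason in grants if not reason.strip()]


def inventory_csv(devices):
    """Render the inventory as the spreadsheet the talk describes."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "mac", "name", "owner", "state"])
    for d in devices:
        writer.writerow([d.ip, d.mac, d.name, d.owner, d.state])
    return buf.getvalue()


if __name__ == "__main__":
    inventory = build_inventory(NEIGH_TABLE, KNOWN_DEVICES)
    print(inventory_csv(inventory))
    for d in unknown_devices(inventory):
        print("no owner on record:", d.ip, d.mac)
    for who, system in credential_census(GRANTS):
        print("no reason for access:", who, "->", system)
```

On a real network, replace the constructed table with the saved output of `ip neigh show` (or your router's client list export) and keep the owner and grant lists in the same spreadsheet the IT person maintains.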
Next is active monitoring. This is a little trickier because it's an ongoing process. Remember, most of these hacks start with somebody gaining a foothold somewhere. It may have started with access to a security camera. We had a case with a car dealership that had a really good security system with cameras all over the place. A hacker found a way to get into a security camera because there was no password on it and no protection. Once they got in, they were able to go layer by layer. The camera didn't have direct access to the main server, but once they got into it, they could see emails. Once they saw emails, they could see passwords. Once they got passwords, they could go further.
Active monitoring will notice these unusual events. These hackers lurk for weeks or months, gathering information and records to use for their attack. They'll do social engineering. They might even create an email address and email other employees, or create third-party credentials. Once they're in, they can start doing what's called exfiltration. They'll take your customer information, your product information, and your financial information and pull it out of your system. They'll leave a copy, but they'll take it for their own use. They'll also install software locks that prevent you from locking down other devices, so you can't solve the problem once it starts. If you catch this early, you can prevent all of these things from happening. This is also easy because it's passive, and you can outsource it. Your IT person might be able to do it, but I'm sure they have a full plate already. If you want them to sit around all day monitoring, you can, but there are resources and tools you can use that are either free or cheap, and you can use the link below to access some of those.
If you have a cyber liability insurance policy, it will probably include active monitoring because, quite frankly, your insurance company doesn't want you to have a claim. If they can prevent it, and they know that 99% of claims are preventable, then they will do all these things to keep themselves, and you, from losing money.
Speaking of IT departments, next, you want to support them when it comes to cybersecurity. You don't want to be just a receiver of their efforts; you want to support them. It's like the old Kennedy quote: "Ask not what your country can do for you, but what you can do for your country." What can you do for your IT department? You want to give them a wider knowledge of emerging threats. Your IT person is probably not out there every day studying the most recent hacks. They probably see them in the news or read about them, but there's a large array of new attacks happening every day. You want to enable them to focus on business development and CRM, not spend all day preventing a hack. You want them to focus on selling more and making the website and processes easier for your salespeople, clients, and business, not just spend all day trying to be a guard at the gate. Sales and marketing are most important. You don't want them doing tedious risk management. By supporting them and giving them the tools, you enable more productivity on the sales side without bogging them down with bureaucracy.
That brings us to the next thing: you want to send out memos on a regular basis to all employees. Most hacks start with an employee making a mistake, probably one they didn't even know about. If you just make them aware of it, most of the time they'll notice an attack when it's happening at the employee level and keep it from succeeding. You want to send out memos, maybe on a weekly basis. It's probably something you already have, and you can mix it in with other regular messages, like a newsletter or a sales update. It can be a reminder to watch out for social engineering, to change their password, to use multi-factor authentication, and to use a VPN if they're on an outside network. What are the rules for using a personal device, like their phone? Be skeptical of phone calls and emails. If they get an email that's suspicious, have them send the headers to your IT department.
Again, you don’t want this to be like a bureaucratic TPS report, like in Office Space. But if you give them a constant reminder, it will be more likely that when something unusual happens, they’ll recognize it. You’ll enable all of your direct reports to be soldiers in this fight against the hackers. It doesn’t have to be overwhelming or overbearing. It could just be something you mix in, and a lot of people think this cyber stuff is spooky and interesting. If you make them your co-warriors, you’ll have more people carrying the burden rather than just on your shoulder or the IT person’s shoulder.
Okay, next, this one might require a little bit of effort, but there's a way to turn a problem into an opportunity, a silver lining, and that comes in the form of updates and patches. We've all seen these kinds of notices: "Update your software, click here to update," right when you need to send an email or make a phone call. That's when these things pop up, and everybody clicks "Later, remind me later, decline."
But that's where the hackers can get in, so what do you do? You have an update party. Maybe on Friday when you normally do your lunch, maybe you make it a bring-your-pet-to-work day. For a few hours, everybody has a little bit of social time, and they can click to update their computer. It might take 5 or 10 minutes to put the update in, but you have to go back and click the next one. Make it a social event. Don't let it interrupt sales, your daily routine, or people doing their job. Make it part of a social event or something that's more pleasant. They're getting paid for it, they get to do something that's not quite that intense, and they get all their updates done. How often do you do it? I don't know, once a month. It's so important that if you do have a cyber liability insurance policy, your insurer will probably require those updates. If you have a standardized event, it's going to make sure your coverage stays valid. So by making it a paid social event, like bring-your-dog-to-work day, something that's a little more fun, it'll be a way to get it done and get some social benefit from it for your staff.
Okay, here's the next one. You want to create a response team, and this could be one person from each of multiple departments, not just your IT department. You want somebody from sales, somebody from bookkeeping or accounting, somebody from legal (even if it's outside counsel), somebody who handles your vendors, somebody in HR, and maybe even a third party. Here's the thing: if your building was on fire (remember the first slide of this presentation), the first thing you do is pick up the phone and call 911. If you have a cyber attack, you can't really call 911. You could, but there's not much they can do, nor will they. This is not really something they handle, so you have to handle it internally. Now, again, cyber insurance policies have a response team you can call, but you want to have some internal people regardless who can handle all the moving parts of this. You're going to need to talk to your clients, letting them know, "Hey, look, you might not be able to get to our website for a couple of hours. Don't worry about it." Give them some confidence. You want somebody in bookkeeping or accounting to get a hold of the bank, saying, "Hey, don't let any transfers go from the accounts." You want your legal department to look at what disclosures need to be made. You want to maybe talk to your vendors, saying, "Look, we have some things going on." You can even make up a story, like, "We're rebooting our system, we're putting on a new server." You don't want to scare them too much. In HR, you want people creating confidence with your personnel, giving them instructions on what to do and what not to do, such as not answering any phone calls. Then, third parties may get involved too. If you have this already in place, like a fire drill, when it happens you have a list and you know who's going to do what. You're not running around like a chicken with its head cut off trying to pull people together.
There will be enough chaotic things you'll need to do as an executive when a cyber attack happens. You don't want to add putting together a response team on top of that. It's easy to put one together. A lot of times, you'll have people who want to volunteer for it. They want to be part of this spooky cyber stuff. And if someone doesn't want to, move on to somebody else; there are plenty of people who want to do it. Having that cyber team put together will also make those people look out for it in advance and prepare for it in advance, and maybe you have a drill a couple of times a year, two or three times a year, saying, "Look, pretend there's a cyber attack. What do we do?" You're talking to vendors, checking with the bank, and updating the process. That's how to make it easy. It's not really that hard. It is something you're going to have to do, but it doesn't have to be too tedious.
So what else can you do on top of those seven? Well, put a news alert on your news source, whether it's Google, Yahoo, or anything else, to get daily news on cyber attacks or attack events. You want to know how these attacks are happening and how they're affecting companies. We see it all the time. Check your insurance policy to see if you have cyber protection. Now, there's a difference between a cyber insurance rider on an existing policy and a standalone cyber insurance policy. The standalone cyber policy will have much broader coverage. It'll have higher limits, one, two, or three million versus maybe 20 or 30k on a cyber rider. It'll include a response team, and it'll include active monitoring. So look at those two and decide if you want that third-party monitoring. We talked about a pen test, where you have an outside person or company, or maybe your IT person, test to see if you have vulnerabilities. You can get more information on our website about these things. You also want to do social engineering trials, maybe hiring an investigator or an outside marketing company to call into your company and see what information they can get from an employee that they're not supposed to give out. You also want a funds transfer policy with test transactions. Just like when you write a check in your company and have a policy that it needs two signers, maybe you have a policy for wire transfers: if it's more than a certain amount, say $1,000, you require two logins. Additionally, anytime you're transferring more than, let's say, $1,000, it should be standard policy to first send a dollar, verify with the recipient that they got that dollar, and then send the rest. Because if you just blast out an $80,000 wire transfer, you could be in big trouble.
If you put in the wrong account number, or somebody convinced you to put in a different account number, maybe somebody called up or emailed you and said, "Look, this is your vendor that you pay $80,000 a month to for materials. We changed our bank account. Here's our new bank account information." If you just take them at their word, or maybe they forwarded an email that you think is genuine, you'll send it and could be in big trouble. So, adopt a test transaction policy: for every wire transfer over $1,000, send a dollar first, follow up, and make sure the proper recipient got that dollar. Then, send the rest. Is it an extra step? Yeah, but it can save you a lot of money.
On cyber insurance: when you're dealing with third parties like your vendors or customers, require that they have cyber insurance, and require that it covers you for damage that originates on their side. Think about it: if one of your major customers gets hacked and has a cyber event, that hacker might have a way to get into your system. If you have a connection with your customer, maybe your servers talk to each other about orders, payments, logistics, or shipping, then if the customer gets hacked, the attacker can get into you. So, make sure all your third parties, vendors, customers, accountants, and attorneys, have cyber insurance that covers you. Put it in your contracts and in the sales process with vendors. Ask them, if they're pitching you on a proposal or quoting you, "Hey, do you have cyber protection insurance that covers third parties, that covers us?" These are other things you can do to lower your risk and increase your protection if damage happens.
Speaking of reading news on cyber attacks, here are some articles that came out within the last week: "Year in Review: Protecting Society and Solving the Cyber Skills Gap." All kinds of articles come out all the time. Now, how do we know all this? Well, in addition to being a licensed private investigator, we're also certified in cybersecurity. We're also a licensed commercial insurance producer, so we're on the insurance side. We see these claims, and we see the underwriting policies on the insurance side. We're certified expert witnesses for forensics. We've seen this in court cases many times. We're also a director for the ACFE, the Association of Certified Fraud Examiners. We see fraud cases, hundreds a month. We see from the inside what they look like. We're licensed as a commercial surety bond agent, so when a lot of these cases happen, there's a surety bond that kicks in that may cover some of these losses. We see the losses from the surety side. We're also a certified civil litigation mediator, so when cases are mediated in litigation, we see both sides' stories of how the dispute happens. In addition, we have some patents on products and processes that prevent cyber attacks. So, this is not to toot our own horn, although that's what we're doing. We're doing it to give you some insight into where this knowledge and information come from.
If you want to contact us, here's our contact information. You can take a screenshot of our websites, phone number, and my direct email address. If you have questions or want to set up a consultation, we'll be glad to assist. The most important thing is that we believe cyber risk is the fastest growing risk, and within 30 to 36 months from now it will be the highest risk for any business, especially small businesses, because they don't have the resources to protect themselves. You don't need to spend a lot of money to protect yourself. Just do the basic stuff. Get your updates done, have a response team, and have a policy in place that tells you what to do. Then, get insurance. That's the bottom line. It's not difficult, but it takes the right attitude and responsibility to get it done.
I really appreciate you taking the time to go over this. Hopefully, this helps. If you want to take a screenshot of our website and our contact info, feel free to email us. Thanks again, and we’ll see you soon.