[INTRO MUSIC]
[00:00:06 Andrew Rose] Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be cyber savvy.
Hi, I'm Andrew Rose and I'm an accidental cybersecurity specialist. Several years ago, a friend of mine approached me about starting the Cybersecurity Association of Maryland, and I didn't have any background in cybersecurity, but what I did have was a lot of knowledge on how to start a nonprofit, set up a board, bring in sponsors and get programing underway.
We accomplished that and I moved on from the association, and while I was at my job at the bank, I thought that a great way to build our team up and camaraderie was to have a tabletop exercise or was called TTX, and we were going to simulate a ransomware attack on the banking system just to see what vulnerabilities there were and how resilient we were against an attack like that.
After the exercise was over, many, many different vulnerabilities were identified that I hadn't been aware of, and I started thinking more on a more large scale about what is the rest of the environment look like and how vulnerable are we as a society and as business organizations. After I left the bank, I've spent my time talking about cybersecurity risks, both from an awareness mitigation and response perspective to agriculture, food and accounting audiences generally.
My friend Steve McNamara, the owner of DTC, asked me to participate in the Cyber Savvy podcast for a perspective that is in addition to the risk management and IT portions that we will be covering in this podcast.
Because DTC is an elite managed service provider taking care of IT networks and other infrastructure that are necessary for a very high-end clientele it only made sense for us to partner with R.K. Tongue for their risk management insights and other relevant material. RK Tongue is the white glove, white collar risk management association that provides the highest standard of care for their clients across the mid-Atlantic region. So please sit back and enjoy the Cyber Savvy podcast with Andrew Rose and Michael Urbanik.
[00:02:31 Michael Urbanik] My name is Mike Urbanik, I am an account executive here with R.K. Tongue. I'm here with DTC and being part of the podcast because I'm very passionate about the cyber liability and cyber risk component of that and transfer and risk management profile. We are insurance generalists; we cover a wide swath of clients out there, ranging from construction companies to lawyers to doctors.
And cyber is really an industry agnostic product - it doesn't care what type of business you're in, if you have computers and you have valuable data, which if you listen to the podcast, you will find out all of us do, you're at risk. And insurance and risk is an interesting concept. It's not very tangible, it's not in front of us, we don't touch it. And cyber is the next step of that because it's hidden behind computers, it's even more invisible than risk is already.
So, we want to talk to people, let them know, hey, this risk exists for you. What is it? How big is it? How much can it hurt a company? What are the steps you can do to manage that? Transfer that risk and really protect yourself for what could be a really devastating incident. Major passion for that. And that's what I'm here to talk about and share information about on this podcast.
[00:03:53 Andrew Gerner] I'm Andrew Gerner. I'm the president of R.K. Tongue. We're a Baltimore area-based insurance agency, brokerage and third-party administrator. In business since 1911 and founded by none other than Raymond Kent Tongue. Hence the unusual name. We've done a lot of things over our institutional history, but in general we are an all-lines insurance agency, brokerage and administrator.
So that includes property and casualty, it includes life and health insurance benefits. Present state of the firm, a lot of specialty business and among those specialties is some of the cyber liability ransomware types of insurance. We lump them under the broad categorization of cyber liability insurance, but the industry has any number of words to describe it. And what that means for us is that we go out and shop on behalf of our clients or prospective clients for what might be conceived as the best deal or what might be perceived as the best deal, rather, for that particular line of insurance we’ll often do an awful lot more than that.
Certainly, some deep fact finding about the organizations that we're working with is paramount to us doing this successfully. And oftentimes will find that the solution isn't necessarily something that you would pull directly off of a traditional shelf. It might not be a product that everybody that does what we do has access to, whether that's like a product that came from Travelers or CNA or the Hartford or State Farm or any of the other big insurance company names that that most of us are familiar with.
It may be that we have to go into a specialty program. For instance, in certain healthcare verticals like with dentists, we might go into a specialty program that is tailored individually for dentists written by specialty carrier that's a big-name brand in the world of cyber insurance but isn't an everyday name that you might be familiar with because you also bought your home insurance through them.
And so that's where we end up adding a lot of value. You know, there might be unique rating mechanisms that might be unique claim and breach response mechanisms that contemplate HIPAA for instance that might not be an issue so much for large retailer as an example, but is very much an issue for a hospital or for a health care provider.
Similarly, we might be less concerned about revenues as a rating mechanism and much more concerned about what are the number of providers or the number of active patient records we might be levering off of that to determine best fit. So, the long and the short of it is really that we're trying to specialize as much as possible and get way more granular than perhaps your average broker or agent might do.
[00:06:48 Steve McNamara] I'm Steve McNamara. I'm the CEO and founder of DTC. So, DTC was founded in 1998. Back in a time when cyber wasn't even thought about. When we went in to work with an office, it was basically just to do computer networking. It was the advent of digital technologies. As time went on, obviously the internet became the bane of all of our existences, you needed it for everything that you did. And we had to start looking at the world from a different a very different perspective.
I can remember the first time that we had a client get hit with ransomware; you had to pay the ransom in bitcoins. Bitcoin was not readily available. We actually had to go and purchase Bitcoin and take a picture of ourselves and email it with the bitcoin to certify that it was actually coming. And we were like, what is going on? What is this? We didn't, we didn't know. And you had to hope that they were going to send you the keys back to unlock the encrypted data. So, it's considerably changed.
At the point now we're at the Right of Boom conference that we were at last year—
[00:08:03 Andrew Rose] What does right of boom mean? I hear that a lot.
[00:08:06 Steve McNamara] So right of boom is… What you don't want to have happen is boom. Boom means that you got hit. Left of boom is what we do every day to protect offices from getting any ransomware. In the event that you get ransomware, you're in boom. And now at the remediation. What are you doing to clean it up? Get out, get yourself back to whole? And that's not the same as it used to be, which is one of the things that really has driven us internally to continue to enhance our security offerings here.
At this conference, they spent the entire two-day conference on one of the latest ransomwares out there where they actually come in to your network, steal your data first, then they encrypt it and you can say, well, great, I have a backup. I can just blow this thing off and I'll restore my image and I'm up and running. Except that somebody now has your data, and the ransom is now to keep it off the dark web. So, the dark web is a real place that a lot of nasty things go on. And it's the world that we live in today.
And you can do all of the right things to just stay left of boom and still get boom. Softwares.. People say, well, I'm in the cloud. Well, that's great, but what if your cloud provider gets hit? What are you doing? You don't have any control over that.
[00:09:31 Andrew Rose] Well, and I think there's a misconception to what the cloud is. A lot of people say, oh, the cloud is sort of an ethereal place, it's up in God's kingdom. It's not. It's a server somewhere. It's a server farm.
[00:09:40 Steve McNamara] Yeah, right. You know, people don't understand what the cloud is. It was like, I don't have a server. Well, yeah, you do have a server. We don't have a physical server in our building, but we access a server. Every day here. Somewhere. And hopefully you have some redundancy and things like that. But…
One of the biggest MSP attacks was on a company called Kaseya and they had a vulnerability in their software. And they hit hundreds of MSPs all at the same time. Who then went out and hit all of their clients all at the same time. Which was catastrophic to a lot of businesses because they just they lost everything.
[00:10:19 Andrew Rose] Steve, what is an MSP? It’s got to stand for something, right? And why is it important?
[00:10:24 Steve McNamara] So, MSP is an acronym for Managed Service Provider. And in essence, what that is, is it's an IT based company that manages your infrastructure on a daily basis. So, everything from your computers, your functioning network, your wiring, your security, your business disaster recovery, everything that you need to do to run your practice on a daily basis. So, you would call them if you needed to buy a computer, you would call them if you can't print.
And on the back end, they should be managing all of your security updates, everything that needs to be done so that you're running top of the line, left of boom. So, I think that's kind of where we sit. Education is paramount in every and any industry all the time. Trying to get end users to understand something that's not their business is challenging.
You know, whether they're an accounting firm, you know, they want to do taxes; if they're a dentist, you know, they want to do crowns. They don't want to talk about, why don't my computers work? And what is this red flashing thing on my screen that says all of my data is encrypted? What does that mean? And that's why we all have to be in this together, because it's not an if, it’s a when.
The cyber criminals haven't slowed down what they're doing. And if you look at it like it's an if, good luck. Because we've already seen enough incidences happen that they're just not pretty.
[00:11:45 Andrew Rose] Right, and even if it doesn't happen to you it could happen to one of your vendors or one of your suppliers, I mean, it's this is..it's almost impossible to escape this. And one of the things I appreciate about what you bring to the table is your historical perspective. You were there when it started. You watched the iteration. I think that gives you a perspective that a lot of other folks new to this field will not have that same perspective.
And along the lines of the cyber criminals, we did see a little bit of a decrease in Russian hacking because a lot of the Russian hackers had to go into military operations and work on that, plus they were on defense because they got smothered around the planet. But right now, they're running out of money. So, we're starting to see another spike in ransomware because they've got to refill those coffers with all their ill gains. So, it's just another reason why this podcast so important right now.
[00:12:31 Steve McNamara] Yes. And even for us, when we talk to our clients about cyber liability insurance, and they're like, well, you guys cover us, and we’re like well, no, we don't. We cover us, we don't cover you.
So, we had a case not too long ago with an account that they had a doctor's son connected to the network. Teenager, was connected to the office; don't ask me why. Young men do things on computers. And the office got hit, and our tools were in place and completely locked down the one computer that got hit quickly. We were able to remediate it very quickly because of the tools that we had running.
But if it was some guy managing that network, that doesn't happen. We were immediately alerted by our software, locked it down, and then we were able to remediate the issue on the back side—
[00:13:23 Andrew Rose] It reminds me of the old Stephen King Salem’s Lot story. You know, when I was a kid, there was a book about vampires and taught you all the rules of vampires. And the one thing that was important remember is: the vampire can’t come in your house, unless you let it into your house. So, these viruses a lot of times can't get in there unless somebody on the inside has let that virus into that house. And that nullifies all the protections that we have.
Andrew and Mike, I am going to throw this one back to you. Are there benefits to having an MSP when someone is trying to obtain cyber liability insurance?
[00:13:55 Andrew Gerner] So, that's a great question. For starters Andrew, yes is the very short answer; there's a huge benefit to it. Unless you are yourself very, very gifted from a technical standpoint and have brought up your own network on your own. You stood it up on your own. You know everything about it.
Most business owners just are not going to be able to independently even answer all of the questions, or be deeply familiar with all of the network security policies that are required to actually go out there and get a robust cyber liability insurance policy. And even if they are, it's probably not going to be as cost effective as it could be, and it may have limitations or exclusions that you would find out about at an in opportune time. And that's never a good thing in the world of insurance.
[00:14:46 Andrew Rose] Yeah, when the car hits the telephone pole, you want the airbags to go off.
[00:14:50 Andrew Gerner] Absolutely.
[00:14:51 Michael Urbanik] Yeah. I would say in today's landscape of securing cyber liability policies, it is a mandatory must have to work with an MSP if you're a business and you want to secure a cyber liability policy.
I've seen these applications and the requests from carriers evolve incredibly fast. Maybe last year the application was one page, maybe two pages at most. This year, a new business application is five pages, and they are asking, do you have firewalls in place? Do you have multi-factor authentication?
The carriers want to know what level of walls, protection, security measures you are taking place as a business before they are going to extend any sort of liability coverage to you. Because they're putting their pocketbook on the line, and they are no longer willing to write businesses without these measures in place.
That is how bad it's become. These are 70% loss ratio products. Carriers are currently losing money on writing cyber liability. So, they're trying to get a handle on this. And, you know, that's the first component we talk about when we work with clients. You know what are the things you need to successfully protect yourself? And I'm going to say there's three components.
The first is working with an MSP, someone like DTC, who really understands this digital landscape and can put the things that the carriers want in place for your business. That's firewall, that's multi-factor authentication, that is password protection, all the right digital armor that you need to be a business. You need to work with a reputable company like DTC to establish that that is cyber risk management 101.
The second part is the human component. You need to train yourself and your people on what the risks are and how to prevent them. And that's what we're going to talk about in this podcast on a more granular level. But, you can build the most sophisticated firewalls and multifactor authentications out there, but they're only as good as the people you have, right? If you have all of that, but you're still writing the password on a sticky note and putting it on the screen, that does, you no good. So, we'll talk about the steps and things you can be doing to train yourself and your staff as a business to protect yourself. That is a huge element here. The human element.
The last component would be risk transfer. So, inevitably you will do everything right. You'll have all of the armor, the IT infrastructure in place. You will have trained your people, but the bad guys are infinitely crafty, infinitely malleable and changing their methods in attacks and they'll get through. It's just the law of large numbers. And that's where you have a cyber liability policy to transfer that risk.
Have a carrier come in and indemnify you in the event of attack. Whether it's paying the ransomware, whether it's paying for a forensic IT company to come in and remove viruses or rebuild systems, or even if it means throwing away all the computers because they're unsalvageable and bringing in new hardware. That's what these policies do. And if you're a business in today's era and you use computers, which I imagine every single business out there has to do, you have this risk.
And that's what we're trying to do, is bring this awareness so you guys can properly protect yourself and your bottom line and your assets.
[00:18:40 Andrew Rose] And Mike just to really put a fine a point on what you said there: your employees not only can they be one of the largest risk areas that they can also be one of your largest levels of defense. As long as they're having ongoing training to appropriately respond to phishing emails, social engineering types of campaigns, other things like that. And once they report that up and then trend analysis can begin going back to the first point there.
And Steve, I'd like for you to talk about the security stack that you have here, because it's not just one tool. There's going to be layered defense that happens. Any type of cyber criminals can look for any chink in the armor to come through. But because your security stack and that that certainly will mitigate against that. Would you talk a lot about what DTC offers?
[00:19:25 Steve McNamara] Sure. So, I mean, in today's world, you know, almost anybody you work with in the IT space is going to implement a firewall and antivirus software. I mean, that's something we've been doing for probably the last ten plus years, what used to be top of the line is now like the beginning. It’s what you start with, it's the simple things.
Your password management, as an example, here we use 16-character passwords. Two factor authentication is a must. And one of the things we've done here in the last year is we've added endpoint detection response or managed detection response to our base product. So basically, what that means is there's software running on your computer that's monitoring all of the activity. And if it notices that you downloaded a file and that file got changed, it will set out an alert that basically sends to..if it's your..whoever is managing your network that this file's been altered, and it flags it. Manage detection response is the next step and that basically starts to remediate it.
So, an instance where you get something that the system and you can get false positives here which sometimes people don't like, but I'd rather have the false positive than find out when it's too late. But the managed detection response basically locks that system down quickly so that it doesn't spread through the rest of the network and puts you in a situation where you're at risk.
So, these are the base levels that we now put in. And then then you have your adjuncts that go on top that we have access to, we don't include them in every agreement, but we recommend that you have some of these things to continue to get as security foolproof, left of boom as you possibly can and even that doesn't mean you won't get to boom. But you've got a much better chance, if you're doing all of these things, then if you don't.
[00:21:16 Andrew Rose] You know what? Some people might think they're cumbersome, but if you equate it to driving a car, would you want to get in a car with no brakes, no airbags, no safety belts going down the highway? I mean, sure, you might not hit anything, but should you hit something it’d be catastrophic.
So regardless of how cumbersome these may be, it's a fact of life we need to have these extra stacks and security layers in there to protect these business, especially health care. You know, if you talk about a high value target for these cyber criminals, number one, the health care industry is assumed to have lots of money so it can pay these ransoms.
Number two, this could be life or death situations. So, there's leverage immediately in there. So, the criminals know that the longer they're offline, the more likely they are to pay those ransoms. And Steve one thing you didn't mention that I know we’ve talked about several times is that the average amount of time that someone is offline due to a ransomware attack is 11 days. And that's if they pay the ransom. That’s if they have good backups, that's the average. So, you can do the numbers in your head. How much would it cost you if your business was down for 11 days?
[00:22:22 Steve McNamara] I don't even want to try to calculate that number.
[00:22:24 Andrew Rose] Yeah, and I would put that to some of the health care providers out there as well. So, when you start to see the needs to invest in these security products, to invest in the cyber liability insurance policies, think to yourself: how much would it cost me to be offline for 11 days? Not only the loss of business, but the recovery piece, because you're not going to come back 100% the next minute. It’s going to take a little bit time with reporting issues and what have you. This isn't necessarily to scare you, but it's prepare you for what could be coming.
[00:22:53 Steve McNamara] Yeah, remediation is no joke.
[00:22:55 Michael Urbanik] On our next podcast episode, we're going to be talking about the definitions of cybersecurity and cyber risk. And we're also going to talk about the history, understanding where cybersecurity started and what the future outlook will be.
[OUTRO MUSIC]
[00:23:13 Andrew Rose] We would love to hear from you. Please email us your questions or comments to askus@dtctoday.com. New episodes of Cyber Savvy are posted the second Tuesday of every month. For more detailed information, visit our website at DTCtoday.com.
Be prepared. Be cyber savvy.