[Intro Music]
[00:00:06 Andrew Rose] Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be Cyber Savvy.
All right. So good morning. Good afternoon or good evening, wherever or whenever you're listening to this podcast. My name is Andrew Rose and I'm a cybersecurity consultant working with DTC to help make you and our listener more cyber savvy. And for more information about us, go to our Web site, www.DTCtoday.com. And I'm happy to be able to introduce my co-host, Mike Urbanik of R.K. Tongue and his colleague Andrew Gerner.
And Mike, as usual, who is our R.K. Tongue and what do you do?
[00:00:59 Mike Urbanik] Yeah, as I've said in the past, and I'll say again happily, R.K. Tongue is an independent broker. We work with our clients to help risk transfer meaning to help them secure insurance policies, manage the risks they face every day, keep their doors open and do it all at an affordable cost and professionally.
So that's who we are, what we do. Andrew, feel free to add to that.
[00:01:24 Andrew Gerner] Yeah, at some point or another we crafted a beautiful mission statement and then I think simplified it. Something along the lines of we help people and businesses become financially independent and stay that way. And that’s sort of insurance in a nutshell, we just happen to do it in a way that I like to regard as a little bit high end a little bit unique, a little bit of expertise and service driven.
[00:01:47 Andrew Rose] Well or as I like to say, it's white glove. I mean, you guys are always top shelf. Your exemplify what it is to be a risk management organization and your client base reflects that as well. I mean, you would not have the quality of clients you did if you did not perform at the high level you do, so Andrew don’t sell yourself short.
You guys are remarkable partners and we're really happy to have you along helping us out with this. And today, I believe, Mr. Urbanik, we're talking about data privacy, aren't we?
[00:02:12 Mike Urbanik] Yeah, we're talking about data privacy and data breach. This sits at the center of all of our previous conversations. You know, for listeners who listen in the past, we've talked about phishing and different types of cyber-attacks.
We've talked about malware. But this is, this is kind of what happens when the bad guys get a hold of your information and what information could you possibly have that the bad guys would want?
And then what can happen when that all comes to fruition and it's not necessarily pretty. So, I'll start it off, as I always do with the definition.
Data breach is a security violation in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, altered, or used by an unauthorized individual. So, in most businesses out there, even people out there have information that should not be shared with other people.
You know, we can all think, hey, if I give my credit card number to my utility company, I would certainly hope they don't share that with other people and they don't want to.
They're going to keep that information private to the best of their ability. Same with my own personal credit card. If I give that credit card to Target online and I purchase something, I certainly hope they're not sharing it with other people. That's information kept in confidence and in trust. That's user data, but also businesses have their own proprietary information.
Let's say you're a computer coding company and you have a slick proprietary computer code that helps you create cars that drive themselves. No one else can develop it. You've been the one to develop it. You certainly don't want to share that with other people.
So, all of that proprietary information or shared information is given to a trusted source.
And data breach is when someone who does not or should not have access to that data goes in through ways we've talked about. It could be phishing, it could be malware and takes that data and then what do they do with it
So that is kind of what it is in a nutshell. And what we're talking about today.
[00:04:20 Andrew Rose] Awesome
[00:04:20 Andrew Gerner] I have a question.
[00:04:22 Mike Urbanik] Go ahead.
[00:04:23 Andrew Gerner] You know, it's rhetorical, I guess, but in terms of the data that can be obtained and can be considered breached, I know that the Federal Trade Commission and various other regulatory authorities have very stringent guidelines on what is nonpublic.
Some of it's very rudimentary, as simple as dates of birth and really any combination of other identifying data.
And so, realistically speaking, how exposed is just any business, let alone if you're doing credit card transactions, let alone if you're doing or at least processing those transactions in a house… I mean, it would seem to me just from past experience that it's really difficult, short of just operating a cash only snowball stand, that you don't have some sort of an exposure here.
[00:05:15 Mike Urbanik] Andrew, I think you're absolutely right. I think early on in the days of data breach, we and I say we just we the US would say, “Hey, you released Social Security numbers. That's obviously very detrimental. Don't do that. Shame on you. That's a data breach.”
Well, the needle has been moving progressively backwards from Social Security cards to, you know, let's say five pieces of personal identifiable information, which we've talked about in the past to only a few pieces of information.
And I think from what I saw and what I've gathered in the industry, it was about in 2011 this happened, If you rewind the clock and you get your time machine, it can go back that far. That's when we saw the two data breaches at Epsilon and Silver Pop, the credit monitoring companies.
And basically, California said that just a zip code and a first name and last name, those three pieces of information qualifies as a data breach.
And that's important because it then fits into state regulatory bodies purview of a company's data breach and potential fines that could be levied on them. Because just like you said, Andrew, companies who collect this information have a duty to their consumers, their constituents, to safeguard this information. And we'll talk about that in a little bit. But you're absolutely right.
You don't have to have their whole bio, their whole history to be culpable for a data breach these days.
[00:06:45 Andrew Gerner] So if I can take that a step further and I am curious about this, in fact, it's something that I have a tendency to rant about, if you are a business and let's suppose that I don't know, maybe you make horse covered wagons and you absolutely refuse to have computer technology in your business.
Let's suppose if that is your business, let's suppose that you are opposed to using technology and let's suppose again that you have some sort of a warehouse or a building in which you build your buggies and you still need to know who your customers are.
And you probably have names, addresses, you're going to have some other identifying information that at least theoretically in any context that's relevant to what we're talking about today with cyber and data breach and phishing.
If it was digitally maintained, it would be considered protected or at the very least nonpublic and subject to regulatory fines and things like that. But remember, we're in the horse drawn carriage business here and we don't like computers.
Let’s suppose that I've got my filing cabinet and let's suppose that someone kicks in my front door one day while I'm not there and wheels in a cart and just takes away my filing cabinet with those files in it. Is that going to be subject to the same sort of, I guess, liability or is it going to be subject to the same sort of regulatory framework?
I mean, somebody came in, they violated whatever security I had in place when they physically took my records and data. Is that the same or is it different.
[00:08:26 Mike Urbanik] From my understanding Andrew, I'm going to say that's probably a gray area. I don't know each state's individual records for that, and I'm certainly not a lawyer. I know enough to be dangerous.
I'm going to say yes, because that is information given to you, your business, or information that you are personally held and it is kept in confidence. So I would say, yeah, that's going to qualify as a data breach and I have a story to back that up. But I know, Andrew, you're chomping at the bit over here to say something as well.
[00:09:00 Andrew Rose] Yes. The other Andrew here. Well, there's two things I want to bring to your attention. One, is when a firm is actually assessing your company for how secure you are, one of e those assessments as to walk through your office and see our computer screens on are the pieces of paper on the desk that has personally identifiable information that didn't occur through a digital data breach.
It was just a physical person there. And the second was at a prior organization, We run tabletop on disaster exercises and one of those disaster exercises was a tornado hitting one of our offices and putting the papers in the wind.
And one of the things that we recognized was we needed a higher security to stand there physically to protect those pieces of paper, so that information didn't get out there into the wild and literally into the wild itself.
Michael, what example would you like to bring to bear as well?
[00:09:49 Mike Urbanik] Well, there was a story when I was younger years, I was working at a rental car company that's very popular. We had a scenario like Andrew, you were just saying occurred, someone kicked in the front door and there was about 20 keys in an unlocked safe sitting there, and they could have taken away 20 brand new vehicles.
And what did they take? Customer rental sheets. They took all of the rental paperwork.
So, if that doesn't illustrate what is valuable to bad guys, this was 2010’s at the time, Brand new car with maybe 10,000 miles on it, $40,000 in value or several hundred pieces of rental paper documents. They're going for the rental paper documents because that has all that identifiable information.
[00:10:37 Andrew Gerner] Yea that’s scary because, you know, we're in the insurance industry and I guess in a way to a hammer, everything is a nail. So, we look at a risk of loss or we look at an exposure and we think let's insure it or manage it. And so there's a component of both here.
I have a third thought, and man, would it be nice if a podcast like this would go unbelievably viral and somehow incentivize the people who make the rules to actually look at this objectively and think about who's really the victims here?
Clearly, those who have their data lost or compromised, they're obviously victims. But I think except in the case of just a business behaving in a very cavalier or negligent manner, no business wants to divulge customer information that should be kept private.
And in most cases, I don't think they do. I think more often than not, it is, you know, some sort of a fraudulent act.
It's some sort of a willful commission of a crime on the part of a threat actor that's causing this to happen. And if in your example, Mike, the former place of employment, somebody kicks in the door, walks past the 20 car keys, and gets the data about customers instead, well have they grabbed those car keys and started making off with various new vehicles.
We all know who the police go after at that point. They go after the people driving the stolen car. They don't go after the car rental agency. But that doesn't seem to be the philosophy from a regulatory standpoint when it comes to protected information, especially when it's stored on a computer device. It seems to be that if you were the custodian of that data that gets stolen, then that's your that's your fault.
Kinda Like the bank robbers making off with them. The money from the bank and the police come and arrest the bank owner. Something doesn't sit right with me.
And it seems like the regulatory framework needs to adapt somehow. But do you see any of that? An I'm picking the two of your brains. I'd love to know more. I don't know more.
I don't think there's political will for it. But please tell me otherwise.
[00:12:52 Mike Urbanik] Yeah, I certainly don't have insight to our authoritative body’s temperature on this. All I can say is the climate right now it's exactly what you're saying, Andrew. There's a stick and a carrot approach, and right now they're implementing the stick in the sense that you could have a data breach occur, you’ve suffered losses, damages.
You're having to deal with them as a business and then, oh, here comes the regulatory body and they're going to levy fines on top of you. So I've got a good example. I got a brief case study and stick with me here because that point will be made clear at the at the punch line at the end.
So, in 2016, Uber, who a company I think we're all familiar with, suffered basically an attack where their systems were breached through another company's data breach.
So, let's say company A gets data breached they get the engineer's information to the Uber account. They log into Uber. So now Uber has had bad guys sneak into their system through another data breach.
They've suffered a data breach. They were able to access 57 million Uber user drivers and riders’ information. And anyone who's used Uber app, most of us here on this podcast listening to the podcast probably have, you give out quite a bit of information, payment information, personal information, because they want to verify who their drivers and riders are, which makes sense for security purposes.
Well, bad guy gets in there 57 million drivers and riders information instantly that the guy goes and downloads and creates copies of them and he contacts Uber and informs them, “Hey, you've had a data breach, here's what I have, here's my ransom.”
And that kind of happens behind closed doors. I don't know exactly what the amount was. I've heard a number and I'll share it.
I don't know if that's true, but they were contacted in November of 2016. They had the hacker sign a non-disclosure agreement and paid him $100,000 ransom. So, to a company like Uber and that much information, I think that's a pretty good deal. I've seen much worse deals. Not that that's a deal any business manager wants to make because that's $100,000 out the door for nothing, no value.
But what was unfortunate, is they didn't disclose that they had that data breach, Andrew. Ultimately, there was an investigation that occurred and this happened around the change of the CEOs, but basically they found out that it was unethical.
They needed to disclose to their users and drivers that their data was breached. There's rules and regulations and hoops they need to jump through.
And then ultimately, they were fined $148 million as part of that settlement. So that is just what can be on the line for an event like this. I'm certainly not completely intimate with this case study. I know the broad strokes from my understanding there were passwords and measures in place. You know, ultimately the bad guy got the right key, which unlocked the right doors and got him to the valuable information.
But that hurts. That hurts really bad. Not only has Uber suffered this issue, they have to make some internal fixes on their end. They had to pay the bad guys. They've now been fined and there's a huge settlement that occurred which really shows the damages that these type of events can cause.
[00:16:18 Andrew Rose] And I want to interject something here, too.
And Andrew, going back to your point about why is there regulation, too much regulation? And just generally speaking, politicians are reactive. They're not proactive. If they're proactive, they might make a bad bet and get blamed for that, but they'll never be blamed for coming in and fixing something that's already broken.
And typically, when something is broken as this they tend to overregulate. That pendulum swings too far. And then the other piece is if I've got cyber insurance, I'm going to assume that there's data breach insurance.
So, something like the Uber event happens, my insurance company will stroke the check for $100,000. And as a side note to that story, Mike, one of the things that the FBI likes to say quite a bit is don't try and fix it yourself.
Just go ahead and report it. You know, if you try to fix it yourself, you may placate the problem, but they might come back and now you're really on the hook, an for $148 million I think Uber realized that was something they probably should’ve reported.
[00:17:16 Mike Urbanik] Yeah. And I'll just say, if you probably took a survey and walked around to your local businesses big and small, and then asked the owners and you said, Hey, if you had a data breach, are you required to report this?
I don't know how many would say, Yes, I am and I know who to go to. So, there's a big question mark and I don't blame business owners. This is a problem that has come fast and furious and they wear enough hats as is. This is one more thing to do and managers know about.
So, you know, I don't blame them in being necessarily naive, but it just goes to show that I think there's a lack of understanding of what to do in these events, the compliance components, and that's just the atmosphere we live in. I don't know. I don't want to point a blame finger at anyone. That's just the problem and we're trying to increase everyone's awareness so they can be just more knowledgeable and act accordingly.
[00:18:09 Andrew Gerner] Yeah, it's a good point. I mean, the both of you, both you Andrew and your prior message and you Mike. I guess that as a business owner, that sure, you can go out there and buy insurance and yes, that insurance is going to essentially hand you the road map.
And in most cases, the vast majority of the money required to make this right. And so that's nice to know that that's a solution. But we're in a business that really is just a complicated math problem. And so, the more prevalent these sorts of events get and the more costly they are, the cost of the insurance just keeps going up and that becomes untenable at some point too.
And so we're thinking proactively as risk managers. And this doesn't necessarily mean you have to be an insurance professional. It doesn't mean you have to be an actuary; it doesn't mean you have to be a formally trained risk manager. It's just the logical conclusion that we can draw is that we're going to have to do more than just come up with a regulatory framework and enforcement.
And we're going to have to do more than buy insurance and just hope that our networks are strong. We think that at some point the pressure on the element that's causing all of these breaches in the first place, because if people were being penalized or entities were being penalized for these breaches more robustly, perhaps that's a deterrent as well.
I use the highly scientific method of doing a little research on this. Specifically, I typed the question into a web browser and found that in 2022 there were 422 million US individuals impacted by a data breach. In 2021 it was 298 million. In 2020 was 310, and in 2019 it was 883 million.
So, unless my math is wrong, that's all of us many times over in the entire United States.
So, it's already out there. The information's already gone. I guess the barn doors are open. All of the animals are out and closing them now isn't going to fix it.
[00:20:24 Mike Urbanik] Yeah, it's certainly a sizable problem, to say the least. I think it just goes with previous points we've had on other conversations.
We've talked about the Internet of things, all of our information just for ease of access and ease of life, unless you're that Amish wagon builder in Pennsylvania, but you could still suffer a data breach.
You know, we've put it all out there for ease of use. That's just modern life. And we found that businesses we give this to some are not good stewards of information given to them. Some do all the right things and they can still have a breakdown. We've looked at those as well and it's just a fact of life that these types of attacks and releases can happen.
And yeah, it's unfortunate it's out there and as a business owner, you just have to be very aware, hey, I could lose proprietary information, I could lose my clients information.
And it's not just this attack. Two more problems can happen because of this. I've seen invoice manipulation. Well, the bad guys got in. They took all your files in a data breach.
They now know what your invoices looked like. They now have your client list falsely billing your clients for information. So, this can just be a pandora's box if it happens to your business. There are bad guys who will settle for that $100,000 nondisclosure agreement, which is wild to me. They have any faith that a bad guy would you know, and I say bad guy with two air quotes around it would do that.
But, you know, they want to get paid and they probably want to have a reputation that they're reputable to do business with, but that they would even engage that. But it's a big problem and I think we've talked about it before.
The three solutions for protecting it are, one, you as a business owner, you can't just turn a blind eye to this. You have to have a culture of computer awareness, safety, information protection, whether it's physical documents or digital documents.
Because digital can be so easy to access, you need to work with a company like DTC or if they're not in your area, another reputable I.T. Company to put the armor in place to make it hard for the bad guys to get in there, access the information, build all the walls and measures to make it hard.
And then lastly, if your first two measures don't work and they fail, you have a cyber liability policy to come in and indemnify you and make you hold. And those policies, can come in and paid damages. They can pay for PR companies; they can pay for credit monitoring companies to help your clients or your customers who have been impacted.
But if you want to protect yourself in this era, not have something happen to you and completely take your business under which it can, those are the three steps you're kind of looking at and need to implement.
[00:23:11 Andrew Rose] And I'll add there too, if you go back and listen to the podcast we just recorded on Identity Theft and “Miss Anonymous” how it impacted an individual rather than the company itself.
So once that credit monitoring is offered, what are the steps that individual has to go through whose data may have been breached?
[0:23:25 Andrew Gerner] Yeah, Andrew, In terms of DTC's capabilities and services, the I.T. Managed services, without question, we know that. Are there existing services or are there future services that you guys have considered around sort of best practices, training and things of that nature?
Because so often it seems that it's the phishing attack, it's the errant email that's spoofing a trusted email that ends up getting the Amazon gift cards or whatever silliness that requested.
[00:24:03 Andrew Rose] Yes, the short answer there is yes. And I think it's really important to have those phishing exercises run through either your I.T. department or reputable MSP like ours to take care of those because a lot of it is awareness and it's going to be your staff are going to be you're either your weak link or your strongest link and sometimes it's not even at work, sometimes is at home.
So, there is the power of persuasion. You might have someone that's got a hole in their life, a financial hole, academic hole, a romantic hole. And these thieves, these cyber criminals recognize that. And if they're able to breach into their home networks, oftentimes these same people who are susceptible to that are those people at work who we call passive insider threats.
They're the ones who bring the device into the office and charge their phone on their laptop. They're the ones that go to websites and click on links that they wouldn't do at home because they don't feel it's safe at home. But I don't know what they're thinking about doing it at work. But they shouldn’t do it at work anyway.
But the short answer is yes, and that's the human element. There's also the technological element for monitoring, and we've got many tools to support that for our business owners.
[00:25:05 Andrew Gerner] Yeah, that's great because that is something that's important. I think you made a great point. I mean, we see it in our own organization at R.K. Tongue.
I'm a president and somehow every one of our new hires within a few weeks of being hired, gets an email that is ostensibly from me, even though it doesn't come from my actual email address.
The name, the nickname I guess that's typed in as part of the email address certainly appears to be mine might be a Hotmail account or something like that. It's actually behind it, but invariably it's asking for a new hire to run out and buy those gift cards and send the codes or something similar to that.
And but for the training, which we like to hope that that's what's doing it, and sometimes it's just good, critical thinking.
And I would… my boss really ask me things? but that's the only thing that saves us in scale and organization. It seems that you're just more and more vulnerable there.
[00:26:03 Mike Urbanik] And we've talked about that in the phishing episode. But I'll say one more point on that here. That is stuff I think we can all hopefully look in the mirror and say, All right, we use computers every day. We've all heard about the Nigerian Prince emails. We have a little unawareness that stuff like that is happening and we can catch it.
But there's that next level of awareness about opening those email links. And they might look legit, they might look very legit. And it's an Excel folder that you've been waiting on from a client that gives information they want for a quote, and you open it eager salesperson and boom, you've now downloaded that virus, and everything's ripped.
So, as smart as we might think we are and you know, yes the gift cards there's loss there. There's a treasure trove we all sit on. And that's that personally identifiable information and the damages to a business yourself can be significant if that gets out there.
And I'll say this because I know who our clientele is, especially those in the medical industry, because you guys collect so much personally identifiable information because you need it to do your job, it's required by your industry.
So, you guys are specifically targeted for data breach for phishing because of the treasure trove you sit on. So don't think… it's definitely important to lock your doors to your office at night, but it's also very important to metaphorically lock your doors to your computers at night, too so no one's getting in and taking that information.
[00:27:29 Andrew Gerner] Well, I'm scared. (Hahahahah)
[00:27:33 Mike Urbanik] Well, if you're scared, you know, I talked about it earlier, Andrew. You’ll take a hold of this. You can educate yourself, educate your employees, work with someone like DTC, and then buy a cyber liability policy.
[00;27;46 Andrew Gerner] Yes, that's the solution, right? At least until... At Least until Congress solves this for us. Right.
[00:27:51 Mike Urbanik] Ah don't hold your breath on that one Andrew.
[00:27:52 Andrew Gerner] (Hah)I wasn’t.
[00:27:53 Andrew Rose] And I don't wish for that either.
[00:27:58 Mike Urbanik] So we've been talking about PII or personal identifiable information. But what is that? So, this is information when put together, you can figure out who someone is. This is what a lot of bad guys want because it's what they can use to either open credit cards, falsify your personality, create other fraudulent crimes.
Things of personal identifiable information can be the following. It can be credit cards, debit card payment information. Of course, that's going to identify who you are.
Social Security numbers, taxpayer records, financial documents, if they get a hold of those, that's absolutely personally identifiable information, driver's license. But we're seeing that move further down. We are now getting to a point where, Andrew mentioned previously, so much of our data has been linked.
If you have something just like an email address nowadays, you might be able to cross-reference that with other data breach information and figure out who someone is.
So, that used to be considered non identifiable information. I'm going to say it's living in the grey space now because if my name is insurance salesman 1989, you don't know who I am, unless I put my information out there and link it in an email.
But I could conduct myself anonymously. You know, more and more that information is getting enacted together. So, you need to be careful with things. Even as email addresses, zip codes used to be considered vague enough. Now if you have a first name, a last name, a zip code, I guarantee there's multiple Mike Urbaniks’ around the country, but if you have my zip code, there might be one or two in that zip code so you can identify who I am.
So, what used to fall into this purview is getting bigger and bigger. And it's important to understand that because the release of PII, personal identifiable information, is what triggers a lot of the statutes and laws for these regulatory bodies for their investigation.
And I'll elaborate on that. Here for Virginia, there's a Virginia breach code, code 18.2 -18 6.6. It says breach of personal identifiable information notification. So, this is a statute that businesses in Virginia need to adhere to. And it says, “Any individual or entity that maintains computerized data, that includes personal identifiable information”, which we just went over what it is and what can fall into that, “of an individual or entity does not own or license shall notify the owner of the licensee the information of any breach of the security of the system without unreasonable delay following the discovery of the breach.”
So, put that in layman's terms. If you're a business owner and you have personal identifiable information and it's computerized, you are obligated to notify the people who have had that data breach. So, let's say simple, R.K. Tongue has a data breach and we find out user information has been leaked. In Virginia, we need to contact all of those people, and notify them that breach has occurred.
And this is a challenge. What does that notification mean? Well, it says written notification to the last known postal address. Who is typing those? Do we get one of our customer service reps? Do I as the agent handle that? Do you as the business owner handle that? Do you pay someone to do that? Telephone notice, how many phone calls is that? Electronic notice, typing up an email and sending it out? You know, all of those things take time and can be managed, but they could be huge. Let's say you're a major corporation like Dominion Virginia Power that millions of people you are now having to do this for. And yes, they're a big company and they probably have tools and resources to help. But it's it's no small feat to anyone, even if you're a small business owner or a big one. And then if there's a statute on here that says if an individual or entity is required to provide notifications and they've concluded that the cost of doing that would be over $50,000, they can release a major statewide notification to the media, which you certainly don't love doing. Now, that's in the news. John Smith's covered wagon business had a data breach and all your horse’s identifiable information is now been leaked. And we reported that to the Amish Weekly and they're running it in the newspaper.
That's not good for your business. Huge reputational damage. You can post it on your website or an email notice to the individuals and affected members.
So, there's some alternatives. If there's a huge cost and you can absorb it and handle it accordingly. But that concept here just goes with what Andrew was saying earlier. Personally identifiable information gets breached, companies are holding it and they might do all the right things. But then there is this authority figure that can come in and say, All right, you need to go through the procedures. Here's what they are. And the last sentence of this is, “Virginia Businesses that fail to comply with the data breach notifications could face a maximum civil penalty of $150,000 for each data breach or for a series of data breaches of a similar nature uncovered by the investigation.”
So, that goes back to the Uber one. Obviously, their settlement was much bigger. I think they’re based in California versus Virginia. I don't know the California code, then I know that was part of a settlement process, but that's the stick we were talking about earlier. Hey, you've suffered damages. You have to do all these things to be in compliance, which is painful and costly to you. And if you don't, you get the stick. And the idea behind that, and I'm not here to interpret governance and laws and codes, I just tell people what it is. You know, they want to incentivize you to do the right thing on the front end, so they don't have to come in on the back end and give you the stick.
Now, whether that's fair, left, right or central, it just it is the world we live in. And if you're a business owner and you have this information, you have to be aware that this is out there.
[00:34:04 Andrew Rose] So, Mike, when I talked earlier about the business continuity exercise we did with the tornado and the papers going up in the air and all that, we actually discovered the hard way that the state's attorney's office needs to be notified.
And we discovered to our horror that we had clients in all 50 states. And then the other compounding issue was all 50 states have different regulations. Some are similar, some are much more odorous, some it's 1000 names got for each summons, 10,000 names, and each one has an escalatory set of things you have to accomplish should that occur.
So, our team spent months researching every state's laws around data breaches just so we’d be prepared. And we then created templated letters just in case that needed to be done. But I appreciate your bringing the Virginia example to bear because multiply that by 50 and every state is going to be a little bit different. They have their own nuances. Some states be more strict and some won’t.
And then one other thing about ransomware, in addition to the harm to the individuals whose information has been stolen, sometimes that theives will just use as ransom. They say, “hey, we'll give it back to you or we'll release it. And now they have leverage up in the deploy the customer service teams and they'll talk nice to you and teach you how to transfer your bank account to Bitcoin and, and make sure you pay them there as well.
And then, Andrew, going back to the other piece that we spoke about, the sort of the non digital way that someone's attacked your organization, I was thinking about hard drives.
You know, a lot of folks don't recognize their printers and their copiers, retain a lot of information in there. And when something is aged, you don't have an MSP that that knows how to safely erase our driver or shred it, that information could be right out there in the public as well.
And I would assume, Mike, that would fall under a data breach as well, wouldn't it?
[00:35:52 Mike Urbanik] Yeah, not all data breaches are hacking, and I'd probably say that's actually the, the lesser amount. Improper disposable or disposal of paperwork, not shredding it, not dealing with it.
I'm sure we've all heard stories about dumpster divers getting tons of valuable information. Electronic assets are rife for that. If you are not wiping computers before you dispose of them, taking them to proper authorities or knowledgeable figures, please do so.
Because if that just ends up in the secondhand store or you put it on the sidewalk, you say free to good home. It could be… you’re right. Printers, things that you don't necessarily think can house data certainly can these days, as our devices get smarter and smarter.
Another one is terminated employees.
If you have employees who have access to systems and they leave the company, get them off the system because they might be disgruntled. That's certainly a type of cyber-attack. They share that information with a bad guy or sell it. Things like can be hard to figure out, but a good step in measure is making sure you remove their access.
So yeah, it's not always super-secret cyber guy breaking in through all the firewalls and cracking the codes like we see in the movies. It can be as simple as, Oh this paper. I wrote the password to my log in on the back and it says shredding it. I threw it out in the trash can and someone found it later and I can undo an entire corporation.
[00:37:21 Andrew Gerner] Yeah. Do you see a greater prevalence of ransomware attacks or just general ransoms for stolen data above and beyond everything else?
[00:37:31 Mike Urbanik] I would say so. A lot of the I'm going to say, you know, and I say “bad guys” I throw up air quotes here every time. It's more work for them to basically take that data and make it usable. Certainly, their secondary markets we've talked about on the Black Web where they sell that information to people who commit secondary crimes and create the credit cards. But very often they use ransomware or malware get on the computers. They either can lock down the computers or they just say, “Hey, we have all your data, we will release it.”
We all know what that looks like and how much bad PR and stock prices can fall and damage that can occur with the release of that data and companies more and more are willing to comply and pay these ransoms to get around it.
And they'll negotiate and they'll work with you sometimes. But yeah, very often it does happen, and it just depends on the size of the organization and their internal calculations for how damaging that would be versus the cost of pay.
[00:38:31 Andrew Rose] When I think we've mentioned this on an earlier podcast and I might be off a little bit on the percentages, but the FBI was able to get an unencryption key from some of the bad guys and was able to unencrypt the computer systems. What they found were I think was about 80% had already paid the ransom and didn't need the key.
I could be wrong on that, but I think I'm pretty close on that one. And then we just talked about MGM, the casino. Not only was there computer systems, the hotel room keys no longer worked for the doors and the lights didn’t go on in the building anymore, it was a whole lot more than just the slot machines going offline.
It was it was catastrophic and not to plant the seeds in the bad guys heads, but it had the bad guys with this breach. Just release information on the dark web. Instead of telling MGM they could have shorted the stock or bought their competitors at that point in time too, so there could be a secondary payoff to them beyond the ransom.
[00:39:27 Andrew Gerner] Well, thanks for the creative thinking there. You wearing a white hat or a black hat there, Mr. Rose.
[00:39:32 Andrew Rose] Well, you know, thank you for throwing me that softball, because our next episode is on Emerging Threats. So that's where we try to imagine what could that next threat be? And we planned the recording of it on Halloween, although you're probably hear it after that.
So, it's a lot of little subtlety and symbolism there coming together. So Andrew thank you for setting that up there, buddy.
[00:39:50 Andrew Gerner] Man I wish it was scripted and I just feel like I stepped in it. You know, I -
[00:39:55 Andrew Rose] Well you’re a natural here. Hahaha
[00:39:58 Andrew Gerner] I'm curious. I don't know how this all included specifically the fraudulent tax return schemes that seemed prevalent several years ago.
Obviously doesn't take a whole lot. Name, address, Social Security number and you're off to the races, it seems. How did that resolve? Do we know that?
[00:40:16 Mike Urbanik] I don't know that one.
[00:40:17 Andrew Rose] I don't either. I do know that somebody tried to take out unemployment benefits for me, so thank goodness that got caught for me.
[00:40:25 Andrew Gerner] Oh boy.
[00:40:26 Andrew Rose] So I went through the whole way. I mean, we talked about our last episode, but I went through the whole nine yards reporting it, following a police report. I really went above and beyond what you what you should have done. Cause you know, I think, is the proper thing to do.
[00:40:38 Andrew Gerner] Yeah, I agree. Somebody's got to “fight back” is the words, but at least not roll over so easily because there is seemingly a perverse incentive here with the ransom attacks.
Because if there's a regulatory penalty, if they find it paid, well, I guess these criminals are smart enough to understand that they can ask for some amount that approaches the the other side of the cost equation. So, business is going to do the math and figure out which is the cheapest and easiest way out of it.
[00:41:21 Andrew Rose] Well and also, how much does the insurance cover? I’m Sure their premiums going to go up. But I mean, that's the whole reason they're paying that is hoping that you guys are the airbag.
[00:41:21 Andrew Gerner] Right. Yea not just their premiums. Everybody else's.
[00:41:24 Mike Urbanik] Yeah
[00:41:24 Andrew Rose] Good point
[00:41:26 Mike Urbanik] You know, I think it's just punching shadows for any sort of police or FBI to track down and bring these guys to justice. And I think the bad guys know that.
And it's just fuel on the fire. I mean, why not just attempt over and over to commit these crimes, which have a real chance of paying out and a very slim chance of you being caught?
It just people know it and they're state actors in other countries. It’s a very big challenge. So, they say the tools and resources needed to probably catch these guys is, I don't even know, incalculable.
We can't, we can't do it fast enough or we can't build it. So, they go after the business owner. And again, I'm not saying it's fair, I'm not saying it's right, but that's just the climate we live in, and you got to be aware of that as the business owner, which is tough. I'm certainly sympathetic, but there's measures you can be doing to take advantage and protect yourself.
[00:42:21 Andrew Gerner] Well, you put your finger on the emerging risk management problem, I suppose. I mean, just looking at those numbers about affected individuals earlier, I don't necessarily know the source of each and every one of those impacted individuals, but I am certain that an awful lot of businesses have been subject to breaches by now.
And if we're going to go on the hypothetical theory that's going to happen more and more, and that the magnitude is either going to stay similar or increase seems to be the trend long enough timeline.
Everyone falls victim to this and it becomes more and more frequent. We'll all of a sudden the cost of the problem becomes awful close to the cost of the insurance, and then no one buys it anymore because now you're just forced into what I'll call, quote unquote, “self insuring.” And I don't want to get off on a tangent here, but you look at medical expenses and the related insurance, we've all seen that play out somewhat.
It's going to cost a family 20 or 30 thousand dollars a year to have medical insurance. Then some percentage of families end up without medical insurance and then some percentage of those families end up having to pay a bill out of pocket.
And that bill, out of pocket ends up being five, six, seven, ten times that and then you've lost people over the waterfall at that point, I think we'd lose businesses over the waterfall same way.
[00:43:45 Andrew Rose] So, I thought about a lot too, and kind of just looking at where the dots are heading and put lines between them. I see a vibrant captive insurance market being set up around self-insuring for the cyber risk.
I mean, it really just makes a lot of sense, very similar to, you know, if you lose your homeowner's insurance in California or Florida. Those that can afford to do it and those that feel that their defenses are strong enough to withstand whatever it is, it would make sense for them to self-insure some. I don't to belabor that point, but I think I do see the dots move in that direction. But with cyber liability coverage.
[00:44:16 Andrew Gerner] Yeah, that's a that's another very similar market that you’ve cited. The natural disaster prone areas and those homeowner insurance problems and unfortunately it becomes an issue of those with the means to solve the problem will and those without will be victims of it.
[00:44:35 Andrew Rose] So… Well, going back to what you said before, you know we've all statistically been a victim of data breach, given those numbers probably three or four times over.
One of the things that I specialize in as a cybersecurity consultant is what's called, “Right of Boom,” after the attack has happened. So, okay, it happened. Now what do we do? How do we put those pieces back together?
And there's a checklist you can have. You can run through tabletop exercises, develop muscle memory, identify gaps, knowing who to call, when to call them, when to bring the FBI, and when to bring insurance and things like that.
I would encourage any business owner listening right now to highly consider putting together some sort of post-event game plan. I mean, it gives you a little bit of certainty. Know your spokesperson’s going to be you know the person you can go to is going to have all the information about all the devices, connect to the Internet, things like that.
And it takes a little bit of time to get all that documentation paperwork together to run through the exercises. But after an attack happens, it's going to give you a little bit of peace of mind. I mean, at least you be in full chaos panic mode at that point and trying to figure out who these people are in your office taking control of the situation.
You'll have a little bit better understanding of that. So, I hate to say it, but, you know, sometimes it's better to plan for the worst and hope for the best.
[00:45:46 Andrew Gerner] Yeah, that's a fair statement. In fact, I think certain industries are obligated to maintain disaster recovery plans.
Certainly, our insurance industry and by extension the securities industry and a number of industries that maintain sensitive and economically important data that might be considered part of the so-called economic system are going to need to be regulatory standpoint.
They're going to be obliged to do that sort of exercise.
[00:46:13 Andrew Rose] Indeed, and I'm working on a presentation right now for the Certified Public Accountants, CPAs, which are considered financial institutions, even for sole practitioners. So, you fall under the same regulatory schema that a bank would, and a lot of them are not fully aware of what that regulation looks like.
So, Andrew, your point on for that one. So Mike, any further thoughts there, buddy?
[00:46:34 Mike Urbanik] No further thoughts. I think we've covered this pretty extensively. You know, businesses capture a lot of data, whether on purpose or incidentally, and you have an obligation and duty to keep that information protected.
If you don't, bad things can happen both to yourself from the bad guys point and then unfortunately from state and regulatory bodies.
So, take this seriously. It can be a major event. It can be just as devastating as a fire that burned out a whole building, if not more so if you're not working with your internal staff to develop that disaster relief plan, If you're not working with an IT company like DTC to put the walls in place, if you don't have a liability policy that can come in and rebuild everything, help you with the funds, start looking at these things, because the problem's not going away and that's data breach.
[00:47:31 Andrew Rose] It is and Mike, let's say that somebody listening to this would like to have a cyber liability review of the risk management. How would they get in touch with you?
[00:47:40 Mike Urbanik] Yea the easiest way to get a hold of us would be from our Web site. RKtongue and tongue is spelt T-O-N-G-U-E dot com. (RKTongue.com)
There's our contact information. There's a submission folder that you can reach out to us. That's going to be the easiest way, more than happy to have an educated conversation with anyone out there so they can understand where they stand, what the risks might be and what the potential benefits of putting in a policy might be.
[00:48:10 Andrew Rose] Great. I appreciate that and I really appreciate Andrew Gerner you taking the time to come in here and join us for this podcast.
It's always nice to have a guest in here. So it's not just Mike and I talk a back and forth about these weighty topics. So appreciate your showing up here today.
[00:48:25 Andrew Gerner] Yeah, thanks, gentlemen. I always enjoy the opportunity to catch up with you guys and especially on one of these emerging topics that it's not front of mind for a lot of folks. It probably should be.
[00:48:37 Andrew Rose] I agree. So, for those of you out there in Cyber Savvy land who don't know this, October is that month where you're going to hear a lot of chatter about cybersecurity, cybersecurity, best practices. And one of the best things to do is come and listen to these podcasts, because next month we have the future of cybercrime and cybersecurity with a special guest from Proofpoint.
He is the CSO of Proofpoint and he shares a common name with somebody on one of these podcasts. So that's going to be an exciting episode to listen to.
But. Andrew Rose an representing DTC, you can reach DTC at DTCToday.com, you can send us an email and AskUs@DTCtoday.com.
And thank you again for listening to this episode.
[Outro Music]
We would love to hear from you. Please email us your questions or comments to AskUs@DTCtoday.com. New episodes of Cyber Savvy are posted the second Tuesday of every month. For more detailed information, visit our website at DTCtoday.com.
Be prepared. Be cyber savvy.