Anthony & Jed discuss the biggest security controls impacting cyber insurance, using a real application.
Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or find us on your favorite podcast app.
Transcript
Introduction
Jed Fearon: Hey there, Anthony.
Anthony DeGraw: Hey, Jed, glad we’re back at it today.
Jed Fearon: Absolutely. It’s Friday. So that means it’s time to talk about interesting topics within the MSP world. And today we are going to focus on cyber insurance preparedness. And I would be remiss if I didn’t say that having a great cyber insurance policy in place really transcends the benefit of coverage.
Why is cyber insurance important?
Anthony DeGraw: Absolutely. As we know, I like to say my standard saying on this subject, and I came from the cyber insurance world as well, is that even the best MSPs in the world and we put all the technologies in the world in place. And you have an unlimited budget.
Even with all of that being said, we can only really get you to about 90 to 95% secure. It’s not, I just hand this off and I’m perfect. It’s not the case. There’s still a lot of work that goes into it. And at the end of the day, it’s humans interacting with technology and human error will always be a factor in cybersecurity.
And with that being said, that’s why cyber insurance, I will always recommend as another prevention or risk mitigating factor that an organization can utilize. Yeah, cyber insurance is extremely necessary. And error, human error, we’ll always have.
Jed Fearon: Oh, definitely. One of the many things that I like about cyber insurance is the application and renewal process is showing an increased demand for transparency from MSP.
Who are going to be insured and from clients. So what it’s doing, it’s creating a closer bond between insurance companies and MSPs. The insurance companies want to know where you’ve been and what you have. And they want to figure out the best policy to put in place in case you experience a disaster.
But their questions in particular are getting a little bit more pointed. And what I like about the pointedness of their questions, if that is a word, is. A company can go to their MSP and get a lot of input on what they have, but also get third-party verification that’s what they actually need. You gotta be able to trust your MSP, but it just adds an extra level of authority.
If somebody else is making recommendations, other than the MSP who could actually sell you the solutions. So what I was going to do is go through five questions on a cyber application. And I also wanted to mention, if you have thorough responses to these questions as a client, it’s also going to improve your marketing appeal because businesses want to work with other businesses that have their cyber act together.
Cyber insurance carriers are seeing increased claims
Anthony DeGraw: A hundred percent. Yeah. The there’s two different angles on this, right? One angle that you mentioned was we have cyber insurance carriers that over the last couple of years, but mainly the last year and a half, have seen a significant amount of claims coming into that. And that should raise your ears or perk you up a little bit, because if that’s the case, that means businesses all around you are getting hit with these types of attacks. And when cyber insurance carriers are coming back and they’re raising their prices, they’re non renewing clients. And they’re asking for minimum requirements on the technology side, that is because they’re experiencing pain, right? That is because they are paying out claims of substantial dollars amount.
Cybersecurity as revenue generation
Anthony DeGraw: So that should perk you up if you’re listening. And number two, as Jed mentioned, and we’ve talked about this before I believe Jed, is businesses that look at compliance and cybersecurity as revenue generation. We have firm out of our Atlanta office. That’s a small law firm.
I think it’s about seven folks. Not crazy big. But they are looking at compliance and cybersecurity as a way for them to continue to punch above their weight class with clients that maybe they weren’t able to compete with because of their size, but because they’re taking cybersecurity and compliance so specifically, they’re using those to their advantage and they partner up with somebody like us who can help them get there. And that just warms my heart, to be honest with you. There’s nobody better than an organization that’s looking at this like that law firm that I just mentioned.
Jed Fearon: Well, I know that people are getting a lot more curious about where you’ve been and insurance companies in particular are no exception.
Cybersecurity breaches
Jed Fearon: So I’d like to start off with the first question from the application. And it’s a little long-winded. Some of these questions are long-winded. So be patient with me. It says in the past three years, did you have a breach that compromised customer, client, or employee confidential or personal information?
And it’s just a yes or no question, and you probably have some opinions on that particular inquiry.
Anthony DeGraw: Yeah, you ended in a data point here, which I love, and it says nearly three quarters or 74% of respondents said their organizations have fallen victim to a phishing attack in the last year. With 40% of people confirming, they’ve experienced the one in the last month.
That’s a lot of folks. And what we typically find is that’s just the ones that are known, so if it’s 74% are known, how much more of a percentage is unknown? And we find that typically that is also the unknown exists a lot in organizations. And when an organization like ourselves comes in to provide services or does some deep dives, there’s been times where we’ve walked in put our systems in place and said, “Hey, did you know that you’ve been breached?”
” That they’ve existed on your network for six months right now, here’s the proof.” And they haven’t known. So the unknown aspect, people identifying that they know, and the unknown aspect of this is a very high percentage of folks.
And at the end of the day, your reputation’s behind this, when you get a breach like this that’s exposed customer, client, or employee confidential information. You have to notify them. Legally, you have to notify them. And your reputation is on the line. And the first thing that’s coming to my mind as a consumer or a customer of your offerings is what did you do to protect my information? Or what didn’t you do that you should have been doing to protect my information?
And there’s that reputation hit that you’re going to get from that along with fines, penalties, notification costs, breach response costs, all of that kind of stuff. Those are the things that are going to come up.
Jed Fearon: Yeah. And looping back to what you said about the human factor. The statistics vary, but it’s around 50% of us tend to click on phishing emails, 50% of us.
And then these phishing emails are how malware is launched and that can lead to a ransomware. And that’s just a behavioral thing. So I’m glad that you mentioned that at the inception of our dialogue, because it’s so valid and to err is human, to click on the wrong email is even more human.
Anthony DeGraw: The upwards of when there’s cybersecurity awareness training programs out there that we’ll implement for our customers. And we’ll see, 80 to 90% failure rate. The first time that we implement those to the end users, they don’t know they’re coming. We craft them up, we execute on it and you’ll have 80 to 90% of the organization fail. But the positive of this is as you continue to push that in front of people, they become smarter and smarter, and you’ll see that significantly drop off as you do it.
If you do it monthly, you can do it quarterly. You’ll see that percentage drop off. At the same time, as we’re seeing their failure rate on those trainings drop, which is great. We see an increase in the amount of user support requests that says sending to our support team. “Hey, is this spam, hey, is this legitimate?” So now they have the eye on looking out for things, and that’s exactly what we want.
So you’ll see that drop-off, you’ll see this increase. Funny enough, you’ll never actually see it dropped completely to zero. We’ve tried many times with a lot of education, and despite this insurance and technologies are important is because we are still human and we still make mistakes.
And a lot of times the same users over and over again still exist in making those mistakes. And so that human error never fully goes away. Even with those training programs.
Information security training plans
Jed Fearon: Hey, so you must’ve been reading my mind because what you just lay it out is about half the the answer I anticipate you’ll provide for question number two, which is, do you have an information security training plan that includes annual training and orientation of employees, contractors, and third-party vendors?
Now, let me insert one little idea here. I think that they get a little, maybe ambitious, thinking that would also include third party vendors, but what are your thoughts on the availability of well-known reputable vendors that offer ethical phishing and other cyber training curriculum?
Anthony DeGraw: I love the way you used the word ambitious. When you read me that question, I said-
Jed Fearon: Who’s going to pay for that, Anthony. Are we going to pay for-
Anthony DeGraw: I saw contractors and third-party vendors. I was like, I haven’t seen anybody pull that off yet.
Jed Fearon: Relatives, the extended family.
Anthony DeGraw: So yeah, and I apologize for jumping ahead to the second question, without-
Jed Fearon: No apologies accepted. You’re doing fine.
Anthony DeGraw: So, Yeah. So there’s two aspects of the cyber security awareness training programs that we talked about definitely should be implemented for executives and employees.
By the way, executives, I’m calling you out right now. Executives are usually the ones that are most hesitant or pushback the hardest on cybersecurity awareness training, multifactor authentication, content filtering systems, because they can’t do what they used to be able to do. And this mantra can’t just be for employees. Sometimes employees are the best use cases of people that are thinking about this. It has to be a top down approach to cybersecurity and hardening of systems.
On the other side, information security training plans. Yeah. That’s another piece of it, right? That’s the policies, the procedures, and the training of what do we have in place and what do you need to comply with? And are we training you on those? And that should most likely be done on an annual basis.
Those policies, those plans should be updated, especially as organizations change, bring on other exposures and new business offerings, whatever, those things need to be constantly looked at. And making sure that then once they’re looked at it’s getting down and being trained on to the folks in the organization, it can’t just sit up in a glass box somewhere that nobody knows about.
It’s got to actually be trained on.
Jed Fearon: Hey. So I think a really simple illustration of that is what happened a couple of years ago with the pandemic and the pivot to work from home. So the work from home routine, if you will, would have to be incorporated into an annual security plan just as a simple example.
Anthony DeGraw: Yeah, absolutely. Most likely, it had to be created from scratch if they never were able to do that before. And it has to comply with the technologies that you have in place. Hey, do I need to use a VPN? Hey, if I’m accessing cloud systems, how do I need to be able to get into those things?
Yeah, that’s a great example of a policy that almost every organization needs to have in place. Now, I don’t know many that are just fully onsite still that they probably didn’t have before the pandemic.
Jed Fearon: I can assure you now two years into it, hopefully it’s be wrapped up soon that there are far fewer people, executives letting their kids use their desktops for gaming, et cetera. You’ve got to keep junior off your desktop or you’re going to definitely get higher level of infection. I would think.
Anthony DeGraw: Oh yeah. I want to piggyback on that real quick. Cause I see it a lot. We were on a dark web scans for folks free of charge, right where we’ll take their email domain name, and we’ll plug it in to see what’s available on the dark web.
And my point here is please do not use your business email address for personal things. I can’t tell you how many times I run a business domain against the dark web, and I have users in that organization using that business email address on personal websites that they would use in their family or in their personal life and they would never use that website, that email subscription service in their business life. And that stuff is publicly available.
And one day your employer may know about those things, especially if those third-party sites that you’re using your business email address on get breached. So please, if it’s personal, use a personal email address. If it’s business, use a business email address, don’t mix them.
Jed Fearon: I know what you’re saying. A lot of people probably got embarrassed from the Ashley Madison breach.
Anthony DeGraw: Yes. That is one of many examples that we have come across.
Jed Fearon: It’s a little embarrassing.
Multifactor authentication
Jed Fearon: Okay. So question number three, it’s going to bring up one of our favorite technologies. Do you implement multifactor authentication on all business critical accounts? Administrator accounts, accounts have access to customer or employee data, et cetera. Yeah, I know you’ll have plenty of input on this one.
Anthony DeGraw: I literally was just on a call with a 15 person law firm out of the Philadelphia, New Jersey area and the managing partner of the firm is going off very passionate about encryption and this rule and they need to have encryption and blah, blah, blah.
And I told them, I love the passion that you have for this. At the same time, I’m looking at their assessment over here that we did, and they don’t have multi-factor authentication set up. They have local admin rights on their computers, their Office 365 account, which holds probably all the communication and attachments of the non-encrypted files anymore because it’s not on the server in an email wide open.
Oh yeah. This is one of my top things. My minimum standards. Multi-factor authentication needs to exist. As our businesses move more and more to cloud systems or these could be public cloud systems. They could be private cloud systems. They could be third-party applications that are hosted on the cloud, like financial systems and CRM systems.
It is imperative that you are using multi-factor authentication. And I’m not sitting here there’s some very good security folks out there. That’ll tell you multi-factor systems I’ve been breached and they can work around it. Absolutely. I’m not telling you that multi-factor is the end all be all, but it is one layer, in a lot of layers, that helps slow people down or even get them to look somewhere else because they know that there’s accounts out there without multi-factor authentication.
So yeah, I want to make sure I’m very clear on that. It’s one of the biggest things that you can implement that validates that Jed is the one looking trying to sign in to the QuickBooks system or to the financial package system. It’s me trying to get in, not somebody else. So yeah. Once again, it’s a piece it’s not the whole thing.
Jed Fearon: I know that when I was preparing for this interview. I recounted that I really can’t count the number of times that I’ve been prompted by an MFA. Let’s just say for Yahoo or Wells Fargo account, are you trying to access Yahoo from Denver? No. I’m in Atlanta. So you just hit the red little deny.
So it hasn’t happened with any of my business affairs. Which is good. Cause maybe I’m probably more well-known as a consumer on social media. So they target me for that reason. But the threat is alive and well.
Anthony DeGraw: We use the same example with this firm I was just talking about before, about encryption and the passion there, which is same thing. We have a lot of older users that aren’t great with technology. How is it going to work for them? And I laugh because it’s was like, you’re so hot and heavy on encryption. But yet they can breach your systems without even having to get there.
They can get into these things. And I told them, I said that the executives top down has to be implemented, needs to be made mandatory. And if your IT team knows what they’re doing, you can make it where if it’s in a known environment, like if it’s within the four walls of your office, you don’t have to multi-factor all day long into all these systems.
But if it’s outside of the environment, you’re in a Starbucks or you’re at your home or whatnot, and it’s an unknown environment, then yes. You should have to multifactor.
Jed Fearon: Yeah. I just thought of an analogy for that company is that it seems like most of them over there were playing with matches. And the encryption, the analogy would be, they want to get flame retarded protective suits, which is stop playing with matches first and then worry about the protective gear later.
Anthony DeGraw: Perfect analogy.
Jed Fearon: Okay.
Separate accounts for daily operations vs. admin functions
Jed Fearon: I wanted to go into question number four, and this is a great, I love this one. And some of the stuff that you already mentioned is applicable.
Do your employees have separate accounts for day-to-day business operations, like checking email and administrative functions, like applying system updates? So that’s obviously the IT person they’re talking about.
Anthony DeGraw: Yeah, we’ll hit this one pretty quick here, but we go into so many environments and they have local admin rights on almost every computer and or executives or IT folks in the environment have local admin rights.
And it’s because I need to be able to do everything, I need to download this. Doesn’t matter. We like to say that our Director of Engineering, our VP of Product, our most senior cybersecurity engineer knows a lot about technology and cyber as well. And they don’t have local admin rights on their computer.
They don’t use admin credentials, day-to-day. They have a separate set of credentials for when they need to do those things that they utilize. And then they get out of. And when they’re doing their day-to-day work, they’re not in or working on admin credentials. And it is very important that is known. Because if I breach your credentials once and you have admin rights, I have freedom to do whatever I want to do.
Jed Fearon: You can take down the whole castle.
Anthony DeGraw: Yeah.
SolarWinds
Jed Fearon: Hey, so I want to deliver our fifth and final question. And I don’t know if they’re making a big deal, more of a big deal out of this than they need to, or they just want a little bit of historical context, but does your organization currently use any SolarWinds products?
Anthony DeGraw: Yeah. So this is a very pointed question, which is which is, I would say a little bit aggressive by the insurance carrier.
Do I understand it? I do. SolarWinds was breached and had a pretty significant breach, but there’s also been others, right? There’s a big company out there called Kaseya, also had a breach. And my question would be, as an insurance company, constantly updating this application to ask about all of them.
And that being said, say I was a subscriber to SolarWinds and they had a breach. They responded to that breach. They fixed the holes in the known vulnerabilities. So am I being penalized to still use those systems? And there’s been a lot of systems that have been breached that people still have to utilize every single day.
And it’s only a matter of time before they all do. So yeah very pointed question. I think this question could actually be asked in a better form. Are you utilizing a remote monitoring and management tool or any other systems to manage all the end points in your network and your critical systems?
And if so, what protections do you have in place? Multi-factor blah, blah, blah, patching, blah, blah, blah. So yeah, very pointed and aggressive towards SolarWinds. But that being said, I think there’s a better way to ask it, but if you’re utilizing a system like SolarWinds and it gets compromised, then you’re going to be affected by that and your customers are going to be affected by that.
So I understand the point of the question. I just think it could be worded a little bit differently.
Jed Fearon: And I think that’s where MSPs, Integris in particular could help. Because as you said, a lot of systems get breached. Maybe the question could be asked differently and a little figure I’ll put in front of you, is there was a compromise of 18,000 SolarWinds customers, but the actual attacks were limited to the networks of 50 companies, just 50 companies. And Microsoft said that they only identified 40 customers who are victims. And a breach is no good for anybody since we’re all interconnected. I don’t think SolarWinds should bear the mark of Cain for the rest of their existence for that particular incident.
Anthony DeGraw: A hundred percent agree. It could be said for many systems like Microsoft. Microsoft has been breached. Do you use Microsoft? Come on.
Jed Fearon: Yeah, completely.
So we can stand up for our clients when they’re getting bullied by cyber insurance, applications that are a little bit too strict in their inquiries.
Anthony DeGraw: Absolutely. Jed, once again, weekly pleasure, man. I appreciate you doing this with me and putting all this content together and getting it out to our audience and being able to share with them.
Jed Fearon: Hey, it’s fun for me too. I hope you have a great weekend.
Anthony DeGraw: Awesome. Thank you, sir.
Jed Fearon: Thanks again pal.