
Why Preparing Your Business for Cyber-Crime is Critical with Ryan Smith of Rigid Bits


Mitigation and risk assessment are increasingly important for businesses in the evolving cyber space. As an insurance consultant, Ryan Smith explains his collaborative efforts with IT and leadership teams to reinforce existing infrastructure and prepare businesses for cyber-attacks. Tune into this episode as Chip Arenchild and Ryan Smith explore how to select a good cyber insurance policy and what to do in the event of an attack.

Preparing Your Business for Cyber-Crime Transcript

00;00;02;01 – 00;00;18;29
Chip Arenchild
Welcome to Know Your Risk and Insurance Coverage with Risk Pro Net, where we will discuss all things insurance for you and your company. Risk Pro Net is a network of independent agencies who offer specialized insurance across business sectors.

00;00;19;01 – 00;00;45;23
Chip Arenchild
Regardless of where you are in your insurance journey, we want to invite you to join us to think about insurance differently. Know Your Risk and Insurance Coverage with Risk Pro Net provides answers to all your insurance questions. Hey, welcome everybody. This is Chip Arenchild with Know Your Risk and Insurance Coverage with Risk Pro Net. And on our podcast today we’re going to continue to explore what’s going on in the world of cyber insurance.

00;00;45;25 – 00;01;10;02
Chip Arenchild
And today we’re going to talk to a consultant on what you can do to, A, get prepared, B, be prepared to get a policy, and know what to do in the event of an attack. And I’m really excited to introduce all of you to Ryan Smith. Ryan is a director of sales and customer success at Rigid Bits Cybersecurity. They’re located in Denver, Colorado, and they provide cyber security services across the United States.

00;01;10;02 – 00;01;13;12
Chip Arenchild
So, Ryan, hey, thank you for taking the time to join us today.

00;01;13;14 – 00;01;16;18
Ryan Smith
Hey, thanks for having me. I’m excited to be here.

00;01;16;21 – 00;01;51;24
Chip Arenchild
I’m anxious to talk to you because the last few episodes, we’ve talked with brokers within the Risk Pro Net network about just the difficulties with the cyber insurance marketplace and for our member agencies and people listening to this podcast. I’d like to, try and understand it from your side of the world what it takes to be compliant, the effort it needs, how we’re diverging between IT and cybersecurity, some of the things that, you know, are good mitigation, things that people can do to improve their results in the event of a hack, and how to respond.

00;01;51;26 – 00;02;16;13
Chip Arenchild
And also for everybody who is listening, I just want to let you know that Ryan, today on our podcast, is wearing a t-shirt that says Enable 2FA, and that is because October is Cybersecurity Awareness Month. Yes. So, Ryan, tell us a little bit about Rigid Bits and yourself and what’s going on in the world of cybersecurity on your end right now.

00;02;16;15 – 00;02;16;27
Chip Arenchild
Yeah.

00;02;16;27 – 00;02;38;24
Ryan Smith
So, Rigid Bits is a cyber security firm. So that means we help businesses identify and reduce their cybersecurity risks. We do that through services, technology and consulting. And a lot of that’s working really closely with IT and leadership teams together to help them plan ahead, test and reinforce what they have in place, and in some cases meet compliance requirements.

00;02;38;26 – 00;02;57;01
Ryan Smith
We also do some breach investigations as well, so that helps us help our clients be more prepared themselves for an attack and know a little bit better of what to do, what requirements they have, and certainly ways to be more quick to respond so they can reduce their overall cost of attack. So that’s a very important piece.

00;02;57;04 – 00;03;18;29
Chip Arenchild
So I know you’re aware and our audience is aware that within the last 12 weeks, maybe longer, all of a sudden purchasing cyber insurance has changed. And the requirements on the insurance and what it takes to get coverage, it’s changed. I think right now, if you don’t have multi-factor authentication, you probably can’t get a policy at this time.

00;03;19;01 – 00;03;38;25
Chip Arenchild
So if you’re an insured, what would be the first steps that someone should take right now to maybe prepare themselves for being able to get a renewal policy or to get a policy, and are there simple ways to get that done, or what does it involve? And maybe getting an audit of your cybersecurity program if you’re uninsured?

00;03;38;27 – 00;03;57;29
Ryan Smith
Yeah. And this, I know, is newer for a lot of people. This is stuff we’ve seen coming for a while now. And part of it’s just because of really the lack of information a lot of companies had in the past on the risks they’re insuring. I’ve heard past podcasts of yours where you guys were talking about some of the simple applications there.

00;03;57;29 – 00;04;14;25
Ryan Smith
And, you know, a lot of times you’re just looking for the, the website, maybe the company name and their total revenue, maybe number of employees come into that. And that’s not giving you a whole lot of information of really what’s going on in that environment. So as an insurer, you have to really have a better understanding of what risks you’re taking on with that.

00;04;14;25 – 00;04;31;04
Ryan Smith
So this is stuff we’ve seen building and have been sounding the alarm on a little bit that this is all coming. So, while it’s a pain, I’m sure, for a lot of people, it’s actually moving the industry in the right direction, and the businesses too, that need to be doing these things to protect themselves and their clients.

00;04;31;06 – 00;04;47;16
Chip Arenchild
I do think that’s become evident with the breaches that we’ve seen this year, and the awareness since they popped up all over in the local town that I live in. Yeah, all of a sudden, I think two weeks ago in the newspaper, they say, oh, by the way, City Hall and the police department were hacked and we paid the ransom.

00;04;47;21 – 00;05;08;19
Chip Arenchild
You brought up a great point about the application, and we talked a little bit in the earlier podcast about how this has changed the coverage. So how it’s changed the risk for the, you know, no longer are you just worried about protecting someone’s personal identification, but it’s being hacked and a ransomware attack. And I think the application makes a good point.

00;05;08;19 – 00;05;28;07
Chip Arenchild
In years past, you would sit with your CFO or the buyer of insurance and you just answer those 3 or 4 simple variables to get a quote. Now, when we get an application, we look at it and automatically you have to bring the right person into the room. Can you tell me a little bit, what’s the difference between IT and cyber security?

00;05;28;09 – 00;05;33;06
Chip Arenchild
Sometimes we think through the same thing and I get the impression that they’re not. Maybe you could tell us about that.

00;05;33;09 – 00;05;55;03
Ryan Smith
Yeah, it’s a confusion that we often see, and I think it’s because of some of the marketing around cyber security. If you’re an IT person who is not talking about cyber security, you’re going to be obsolete pretty quickly. So you need to have cyber security buzzwords in your marketing and in some of your offerings. And, certainly, there are some things that IT is providing and doing well with.

00;05;55;06 – 00;06;15;26
Ryan Smith
But there’s a lot of differences, and you can start to see that in the educational track that people go down through IT, or cyber security, a lot of times called information systems security. That path really starts to diverge after maybe the first year of college and you start to see different degrees, different certifications for individuals. They’re going to look very different on paper.

00;06;15;26 – 00;06;35;25
Ryan Smith
When you start to pick apart those two careers. But in the function that they play a part in with the business, that’s where it really starts to diverge. IT tends to typically be more about getting a network up and running, keeping it optimized, making sure that people have access to tools and information they need, and keeping that system up and reliable.

00;06;35;27 – 00;06;58;21
Ryan Smith
We’re more curious about the risk aspect. We’re almost like the insurers in there, right? We’re trying to understand more of what’s causing the risks to be higher in certain areas. What certain things do we need to think about if we do have an attack, how it might impact us? To talk more about compliance and legal precautions, we start to dive more into things like legal and HR areas and start to diverge quickly away from IT.

00;06;58;23 – 00;07;13;24
Ryan Smith
So in a lot of our conversations, we’re not just talking to IT leadership, we’re talking to the C-level team, operations, HR, legal, all of those come into play. So hopefully that helps paint a little bit of a picture of some of the differences. It does.

00;07;13;24 – 00;07;31;27
Chip Arenchild
So in your experience, do you find that most businesses have that cyber professional in place? I know, almost everyone has an IT person now, but I don’t know when I think about it like that, that we just kind of assume that the IT person is also the cyber person. Is that what you notice as well? More often than not.

00;07;31;29 – 00;07;54;19
Ryan Smith
That assumption happens a lot. And a lot of times people will tell me, oh, our IT guy has this taken care of. And when we start to press a little bit deeper and ask questions about, well, how are they identifying areas of risk, what is your highest risk? You know, what are your compliance drivers? What cybersecurity framework or best practices are they following to align with those and implement policies and procedures?

00;07;54;24 – 00;08;10;10
Ryan Smith
And we start to get into these detailed things that we work on. We start to see that IT might not quite have it covered so much. And it’s again, no shortcoming of what IT is doing in many of those cases. A lot of times, the assumption is made because of those buzzwords, in some cases being brought in.

00;08;10;12 – 00;08;31;18
Ryan Smith
Now, IT might be providing monitoring tools, security awareness training, things like antivirus, endpoint detection and response, firewalls, tools and technology that will actually help protect the business. That tends to be stuff we rely on IT to help with, too. We do provide things like security awareness training and can help figure out what the appropriate antivirus or endpoint detection and response tool is.

00;08;31;21 – 00;08;52;24
Ryan Smith
But a lot of times people just assume that’s being done. And I think that’s a big thing. We’ve seen in a lot of breaches that happen and a lot of mistakes people make is there are assumptions being made, and we’re not in a world anymore where we can just assume that the vendor we’re working with, whether it’s an IT provider or a cloud hosted technology or, you know, somebody else that’s connected into our information, is actually doing the right things.

00;08;52;24 – 00;08;58;05
Ryan Smith
We need to ask them to document that stuff because that’s what shows that due diligence on our side.

00;08;58;07 – 00;09;19;05
Chip Arenchild
Yeah. You know, it’s interesting to the carriers now with they’re all using AI to be able to news website. Right. And run a little report. And then as part of the underwriting process, they’re saying, hey, you need to fix this list of open ports or items. And I’m floored by how they can get that much information. Well, can we talk about that a little bit?

00;09;19;05 – 00;09;30;00
Chip Arenchild
Yeah, I would like to hear, because that’s what’s going on for our clients. Right. They send in an app and the carrier sends you back, hey, you got to fix this whole Excel spreadsheet of open things.

00;09;30;02 – 00;09;54;16
Ryan Smith
Yeah, I think some of those are good, but I will caution that it’s not the right information. And you should think about what information you’re giving. Like you said, it’s usually your web address, and so unless they are given more information, all they’re seeing are things that are tied to your web address. So sometimes they’ll find stolen credentials that might be related to your domain, things that are out there for sale on the dark web, you know, in databases.

00;09;54;19 – 00;10;15;14
Ryan Smith
But most of the time, those open ports and things that they’re giving you a list of those are tied to your web server, which many offices in most cases don’t host their own website. They have a third party that’s managing that. In fact, they usually share those web servers with a slew of other sites. So these are things that they’re finding that really a lot of the offices have no actual control over.

00;10;15;22 – 00;10;33;13
Ryan Smith
If anything, you should give that list to your web developer and say, hey, are these things that we need to be worried about? And, you know, certainly things you should be asking. As I said before, you need to make sure your vendors are trusting certain things on security. So I think it’s a good conversation starter. And I see there’s some value in those things.

00;10;33;17 – 00;10;52;19
Ryan Smith
But I also worry that it’s really a narrow picture of the area of risk, you know, the questions that they need to be asking about what hardware do you have to protect your environment? What versions of software do you have? This may be outdated. What security practices have you put in place and documented? None of those things are uncovered in that kind of exercise.

00;10;52;26 – 00;11;15;18
Ryan Smith
So what I’m most worried about is when somebody has a score on there that says, hey, you have 100 out of 100. We didn’t find anything when we scanned your website. And then that person has this false sense of security now. So I worry about how that is conveyed and that some people that are running that might not really know to talk about some of those unknowns, those pieces that are missing.

00;11;15;20 – 00;11;41;09
Chip Arenchild
That’s actually great to hear, because I do think that is exactly the case. And especially as this market flipped over the last 12 weeks and taking whatever you get back from whichever carrier working with your application. So what would you recommend that a client would do to kind of present themselves in the best light to an insurance company? You mentioned a few things there, almost like a checklist. Is there,

00;11;41;11 – 00;11;55;22
Chip Arenchild
And are there things that a company should be looking at and being able to present to the carriers that would say, hey, we understand this exposure, here’s what we’re trying to mitigate it. And therefore maybe we’re we’re a better risk than just checking our website.

00;11;55;25 – 00;12;14;10
Ryan Smith
This is perfect because it’s coming full circle to some of the stuff we started talking about. So, you know, you mentioned some of the changes happening with cyber liability over the last 12 weeks or so. You know, like I said, this is stuff we’ve been watching and concerned about, because when we go in to understand the level of risk our clients have, we do something called a cybersecurity risk assessment.

00;12;14;17 – 00;12;33;29
Ryan Smith
And there’s different levels of that. It might include things like a vulnerability scan or a penetration test, which we can talk more about what those are and what the differences are. But that’s where we started to really see this difference and have some concern about the state of cyber liability, when you’re just asking these limited questions. We go in and we have almost a three-month-long exercise.

00;12;33;29 – 00;12;53;10
Ryan Smith
We take people through where over the course of time, we’re hacking away at understanding the different areas of risk and their environment based on the systems they use, the data that they rely on, where it’s stored, how they interact with it, all of these things we understand through a cybersecurity risk assessment where we begin to score each area of risks, their likelihood and impact.

00;12;53;12 – 00;13;12;17
Ryan Smith
But what we’re seeing now, with insurance carriers starting to push more of these requirements on to cyber liability policies, is that they’re catching up to that, and they’re realizing we need to really understand some of this stuff better. And I’m not sure if you knew about this, but New York released a cyber liability framework in January. So this document is New York’s recommendation.

00;13;12;17 – 00;13;31;20
Ryan Smith
It’s not a law or anything yet, but it’s their recommendation for how you should be understanding those risks you’re accepting and the policy that you’re taking on. And one of the key things that talks about is a risk assessment. So understanding these at that level, the same level that we do before we come in and work with the client on how to fix these things, is really where I see the insurance industry going.

00;13;31;27 – 00;13;39;15
Ryan Smith
I would imagine down the line maybe five years from now, that a risk assessment would be part of any major policy, anything with a large limit.

00;13;39;17 – 00;14;02;17
Chip Arenchild
I always try to work with our clients to, you know, advise them the best ways to be prepared. And I think getting people prepared for the next set of renewals, it’s not just three weeks before it’s due, right? It sounds like these kind of take time and there’s a duration to this, to do it well and to really take a look at what you’re doing, that you should probably start six months or so before renewal.

00;14;02;20 – 00;14;03;17
Chip Arenchild
Would you agree with that?

00;14;03;24 – 00;14;24;26
Ryan Smith
Absolutely. I know I talk to people all the time. It’s not always insurance. Sometimes it’s because of a business contract. Right now I’m seeing more pressure from business to business relationships or insurance policies to implement cybersecurity practices than laws. People try to skirt under the law, hope that they don’t get caught. You’re only on the radar if you’ve had a breach and all of a sudden someone is investigating you.

00;14;25;03 – 00;14;46;19
Ryan Smith
But business to business or insurance, they want to see this stuff up front or as part of their contract renewal. And so people are worried about losing that contract. And so I’ve had people say, hey, I have three weeks to do a risk assessment, implement all of these things and do all this stuff, and it’s just not going to be enough time in a lot of cases. I think a lot of times cybersecurity gets put on the backburner because we get busy.

00;14;46;25 – 00;15;06;03
Ryan Smith
You know, we have things that are driving revenue or really important times of year for us. So we put cybersecurity off to the side. And you know, when that happens, and we certainly have things that take precedence, we might not be able to do it all right away. So we have to think about ways to kind of work toward this over the course of time.

00;15;06;06 – 00;15;24;29
Ryan Smith
And if people have a year or so, that’s really the best amount of time to work on these things, because you can break that up into little chunks. I compare it to good health. You know, if you want to work on your health, you have to do those little things every day. Maybe, you know, some days you park a little further away from the entrance to a store, or you try not to get that fast food that one day, or eat a salad on occasion.

00;15;25;05 – 00;15;29;25
Ryan Smith
But it’s those little decisions day to day that move your health forward. It’s the same thing with cybersecurity.

00;15;29;28 – 00;15;54;08
Chip Arenchild
That’s a great, great analogy, Ryan. What I’ve witnessed is that unless it’s a priority, it just tends to get, like you said, pushed to the back burner. Even with this explosion that we’re seeing and reading about in the newspapers, and what our government’s trying to do. I think one of the podcast people spoke about, you know, state sponsored terrorism now, and that’s a reality.

00;15;54;08 – 00;16;12;08
Chip Arenchild
And I thought you did a good job talking about that. So I don’t know how you get people to take it seriously and how to know that it’s probably going to happen to you. I do know that the few companies that I’ve watched have attacks where they’ve been held hostage, it’s serious disruption, a lot of indirect lost cost.

00;16;12;10 – 00;16;27;08
Chip Arenchild
Are there 2 or 3 things that you would tell all clients you work with, like, listen, you got to get this endpoint down or the cloud down? Or are there 2 or 3 things that you could tell us today, like, if you don’t do anything else, go work on these three parts of your security right away? Yeah.

00;16;27;11 – 00;16;42;28
Ryan Smith
Certainly. And before I do that, I do want to comment back on just some of that psychological barrier a lot of people have. You know, when you’re putting this off and putting this off, it’s one of those things, one day it’ll come back and you might have one of those attacks, too, where you have no choice but to sit down and do this.

00;16;43;05 – 00;17;02;03
Ryan Smith
But now everything else is on hold until you fix it. So it’s one of those things you have to see coming. But the problem, the reason why people might be apprehensive to do that, is a term called optimism bias. Despite statistical evidence, a lot of people will believe that’s not going to happen to them. And so everybody believes they’re a mystical anomaly.

00;17;02;06 – 00;17;19;23
Ryan Smith
And that’s not the case. And we have to literally learn from these things. So it’s really about, you know, understanding your risks and understanding why certain ones are higher. And so to your other question, some of the things that people should be doing right now, we have to think about our work environment, right? We have a lot of people we had to send home to work.

00;17;19;23 – 00;17;47;06
Ryan Smith
We had to think differently about how we run our businesses. So we opened the doors to our environment to allow remote access. We really need to make sure the right people are getting in. So part of it, I would say, think about what is public facing with your environment. If you have firewalls, if you have Remote Desktop Protocol servers or RDP servers, VPN into your firewall, whatever it might be, however people are accessing your environment remotely, those access points certainly need to be more secure.

00;17;47;08 – 00;18;05;15
Ryan Smith
A lot of these things don’t just turn on and be secure. You have to actually configure them. You might have to make sure that multi-factor authentication is in place. All of these things are going to slow down hackers. Multi-factor authentication. We’re starting, of course, as you mentioned, to see that in cyber liability requirements, many laws have that.

00;18;05;17 – 00;18;23;06
Ryan Smith
In many news articles you’ve read about ransomware attacks or business email compromises, you’re going to see that MFA would have stopped it. And so there’s no silver bullet to security. So I don’t want to lead with that idea. But this is something that’s going to slow down most people. And, you know, a lot of people push back on it because, oh, it’s going to take longer.

00;18;23;06 – 00;18;40;08
Ryan Smith
Log in. It’s a pain. It’s not that bad once you get used to it. It goes pretty quickly. But the whole idea is that it’s going to be a pain for somebody to log in. If they have your password, you don’t want them to be able to get in and not be you. Right? So you want to make sure that they have a way to verify you’re you and that they have that device in their hand.

00;18;40;10 – 00;18;57;27
Ryan Smith
So it’s important to have that there. I’d say the other thing that people should really be thinking about right off the bat is security awareness training. But that’s again not another silver bullet. You have to think about people that make mistakes. I’ll own up to this. I’ve actually clicked on a phishing email that was sent to me as a simulation.

00;18;57;27 – 00;19;16;20
Ryan Smith
As training, and it just happened to come in after I got off the phone with somebody. I was busy. They were supposed to send me a file. I got an email in my inbox and I immediately went and opened it. I got a big orange hand in my face saying, stop, you failed a training. Here’s what happened. And I was so glad it was a training email.

00;19;16;22 – 00;19;20;03
Ryan Smith
Who knows what would have happened in my career. I might not be here talking today.

00;19;20;06 – 00;19;41;18
Chip Arenchild
Training, or a real one. I think every one of us can share a story. We’ve implemented internally a security training as well. And it’s been fun when you catch them and report them and you get kudos for how you caught it. But it’s amazing the volume of emails that we have to send out to say, hey, keep an eye out for this particular type of email.

00;19;41;18 – 00;19;48;14
Chip Arenchild
Or I mean, it’s a relentless amount. And so I have to imagine it’s happening to every business all the time, all day long.

00;19;48;16 – 00;20;03;05
Ryan Smith
What my point being with all of that, though, is I’m somebody who knows better. I know how to spot these things, but we get busy, we get distracted. Which is the other reason why I’m concerned about people that put off cyber security till they’re not busy. When you’re really busy and slammed, that’s when you’re going to make mistakes and those things happen.

00;20;03;08 – 00;20;21;20
Ryan Smith
But security awareness training is helpful, but you can still make a mistake. You can still be caught in a point of weakness where you click on that thing because you’re in a hurry. So we have to think about extra layers there. So there’s two things: MFA, the public points, I guess there’s three, and then the security awareness training.

00;20;21;24 – 00;20;39;00
Ryan Smith
But I’d say the other thing to be thinking about is where your highest risks are. Think about things that can help you understand those. Risk assessments are a great exercise to go through. For those that aren’t always equipped to do that on their own, something that might be a little faster, that maybe sometimes I can help with, would be a vulnerability scan.

00;20;39;00 – 00;20;58;23
Ryan Smith
Just identify really obvious things that might be out of date, that need to be updated or patched. Any attacks that you’ll read about in the news either come from somebody missing MFA, or somebody having a password that was out there and MFA wasn’t turned on, so they were able to get in. Or in a lot of cases, it’s an old vulnerability that they could have fixed.

00;20;59;00 – 00;21;08;09
Ryan Smith
They just didn’t. They just didn’t know it was there. A lot of people get these scans and they don’t do anything with them. So it might be something that they just neglected to take seriously.

00;21;08;11 – 00;21;18;18
Chip Arenchild
And for a business to try and take a look at those four items, six weeks, something like that, to have an analysis done on something like that, 6 to 12 weeks or even that one.

00;21;18;21 – 00;21;35;24
Ryan Smith
You know, the act of running a vulnerability scan doesn’t take very long. Reviewing it is all pretty quick. So I mean, that’s stuff that we can turn around rather quickly for people. The act of fixing it, depending on what’s on that list, that might take some time, and it might depend on what vulnerabilities are there. Sometimes it might not take that much effort.

00;21;35;24 – 00;21;40;22
Ryan Smith
And if you’re staying on top of them, you know, that’s what keeps it more manageable. It’s that good health thing I was talking about before.

00;21;40;26 – 00;21;56;29
Chip Arenchild
Yeah, I like the good health plan analogy. I think that’s wonderful. People are looking for tangible things they can take a look at. I think they have a hard time getting their heads around it. I do, I mean, for some people they don’t. It’s all relative to what your priorities are and the size and what you’re doing.

00;21;56;29 – 00;22;18;26
Chip Arenchild
So let’s pivot and go the other way. So now I’ve been hacked. And now how do you help a business? I’ve been hacked. I don’t know what to do. I get this notice. It says send me, it’s $80,000 in bitcoin. I tell my clients when they don’t want to get cyber coverage, I said, just go figure out how you can find Bitcoin on short notice.

00;22;18;28 – 00;22;23;26
Chip Arenchild
You know, because I don’t even know how to go buy it. So what do you recommend now I’m hacked. What do we do? Well, I.

00;22;23;26 – 00;22;46;22
Ryan Smith
I have to say, try not to pay the ransom. You’re funding terrorism and you’re also helping these hackers get access to more resources, talent and tools. More ways to attack people. So, you really want to avoid that. That’s the recommendation by the FBI. They’re starting to do more to sanction, you know, payments on that. So you don’t want to be caught making these payments.

00;22;46;24 – 00;23;05;04
Ryan Smith
And there’s no guarantee that if you do pay, whatever the criminal is that got into your environment is going to do what they said. Now they kind of have a business model they’re running there. So you have to be careful, or rather they have to be careful, I should say, because they want to keep their reputation in good standing.

00;23;05;07 – 00;23;26;12
Ryan Smith
You know, if they’re not trustworthy and people realize that they might not pay it off. So you have to think about these things. I will say, during an attack, though, one of the first things you need to do is to isolate it. So if it’s a workstation, that ransomware server, whatever it might be, wherever you see that you need to cut it off, make sure that it’s not going to spread to other environments.

00;23;26;14 – 00;23;43;11
Ryan Smith
And the other thing I see happen a lot of times that people do by mistake is that they want to go and wipe and restore everything from a backup. And when you do that, you might be destroying critical evidence that investigators could use to tell how the attack came in, and if that person still has access.

00;23;43;13 – 00;23;58;24
Ryan Smith
So you really want to make sure you understand how the attack happened, how they got in, what they did when they were there. A lot of times ransomware is the end of it. It’s like their smoke bomb. Before they leave, you know, they try to cover their tracks. In a lot of cases, it may even be a different person that actually got into your environment.

00;23;58;26 – 00;24;12;28
Ryan Smith
They might have hung around a little bit to see what they have, and then maybe they sell it off to a hacker to come in and do a ransomware attack. So it could be multilevel. And so what I see happen a lot is that people just aren’t prepared for any of these things, these possibilities of what could come up.

00;24;12;28 – 00;24;32;22
Ryan Smith
And they make rash decisions because they’re in a panic. They want to get things back up and running. It’s harming their business. They’re worried about what might come out of that if they’ve exposed data to somebody. So I see a lot of people that aren’t prepared spend more because they’re having a knee jerk reaction to go hire whoever they can to help them.

00;24;32;25 – 00;24;50;16
Ryan Smith
They might not know how to preserve that evidence. They might not know about breach notification requirements. And that’s something really important for people to know, is there’s a breach notification law in all 50 states. So if you have data on somebody, you need to know where they reside as their primary residence, because that state will protect that person.

00;24;50;22 – 00;25;11;06
Ryan Smith
And there are certain things that you need to know there. There’s a timeline you have to follow. Depending on when you detect the attack, there might be certain things you need to report as far as what you investigated and what you know about the attack. Depending on how many people were attacked, you most likely have to notify those individuals, but you might also have to notify the attorney general for that state.

00;25;11;09 – 00;25;28;04
Ryan Smith
So there’s a lot of things that need to happen. And it’s on a timeline. And every state’s different. So you need to know what that timeline is for the states where your clients primarily are. And then, especially, the thresholds as far as how many people might be affected that you have to think about. So there are things that need to happen, right?

00;25;28;04 – 00;25;48;21
Ryan Smith
As soon as you discover this thing, before that claim really kind of gets moving along, that you might need to think about. So having an incident response plan is going to be very critical, and it’s something you test, too. Just like that, you want to make sure that you have an idea of how an attack would go. If you’re going to have to buy bitcoin to go pay a ransom, how do you even acquire that?

00;25;48;23 – 00;25;55;26
Ryan Smith
You know, you have to start thinking about that stuff. But I have heard that some of these hackers have support networks. So if you need help with any of these things...

00;25;55;26 – 00;26;10;06
Chip Arenchild
So glad that they have money. They can help you take care of it. Do you have any idea, off the top of your head, how many businesses have incident response plans in place? I would assume it’s still relatively low.

00;26;10;08 – 00;26;33;01
Ryan Smith
I would think so. I mean, the thing is, I think it’s out there more than people know for resources to get those. A template is not necessarily good enough. I think that, you know, something is better than nothing. But with something like this, you really need to know those unique things to your environment. Everyone’s going to have different response requirements because it’s not going to be just those states.

00;26;33;01 – 00;26;49;21
Ryan Smith
You also have to think about the other third parties involved that you may have to notify. You might have a contract that you promised you would notify if a breach occurred. So you really have to make sure that matches your environment. You have to think about the technology that you have running. You know, certain things are affected by an attack.

00;26;49;23 – 00;27;05;12
Ryan Smith
There might be different technical steps that need to happen to protect those assets through the attack itself, too. So everything’s gonna be different. The other thing I see missed a lot, too, is there are key roles that need to kind of come into play here. It’s like I was saying before, where with cybersecurity we really start getting into legal and HR.

00;27;05;18 – 00;27;28;09
Ryan Smith
The same thing with incident response. You’re not going to just have IT taking actions here. You’re going to have leadership; you’re going to have to have somebody ready to make business decisions on short notice in the middle of an incident. You’re going to have legal and HR that might have to communicate with people or think about how you’re responding to some of these things from a PR perspective or from the legal perspective, or these Attorney General requirements.

00;27;28;11 – 00;27;49;05
Chip Arenchild
So where do you think it ends? If you were to look in your crystal ball going forward three years, five years, do you see industry able to get on top of this, or do you think we’re always going to kind of be chased because it’s being driven by, you know, basically a criminal intent? Do you have a feeling for where we’re headed?

00;27;49;07 – 00;28;12;02
Ryan Smith
In my opinion, looking at a lot of the news articles I read and the cases that we see ourselves, many of these things are preventable and, with some of these key best practices we were talking about before, could have been stopped. You know, I hear a lot about how ransomware is increasing. And, you know, I think it definitely did take an extra little incline because of us working remotely over the last year or two.

00;28;12;04 – 00;28;32;03
Ryan Smith
But it’s been on an incline. It’s been increasing. The stakes have been going up. That is something you can see since probably about 2016, 2017. It really started to take off. And the ransom amount is going up, the number of people getting hit is going up. So I don’t really think that it’s 100% the pandemic that’s caused that opening.

00;28;32;05 – 00;28;54;15
Ryan Smith
What it really is, is it’s not so much a ransomware problem. It’s a security problem. People aren’t taking the right steps to protect themselves. It goes back to the optimism bias. You know, many people don’t realize that a lot of these aren’t targeted attacks. When you read about things like Colonial Pipeline, the JBS food processing company that was hit, these were both just complete random opportunities.

00;28;54;15 – 00;29;00;12
Ryan Smith
The hackers didn’t know what they had until they got in there. Once they found out, you know, then that’s where the stakes got raised a little bit extra.

00;29;00;15 – 00;29;06;19
Chip Arenchild
Katy bar the door. Look what we got out. Yeah. It’s like going fishing. Yes. And we got the big one on the hook. Yeah.

00;29;06;19 – 00;29;24;01
Ryan Smith
But it’s a crime of opportunity. When they find these open, public-facing ports to your environment, they might not know what you have until they get in there and explore it. So that’s why I worry about the optimism bias being a factor for people: nobody knows how big you are. They just know that they found something.

00;29;24;03 – 00;29;39;10
Chip Arenchild
That’s a very good point. I have not really heard a lot of discussion around that. You know, the other piece of it that I find interesting is the ability now to get into makers and their machinery and shut things down. And so it opens your eyes to way more things than just, like, hey, give me some money.

00;29;39;10 – 00;30;00;11
Chip Arenchild
Like we hear hospitals being shut down and ventilators cut off, and school districts and power plants. And so again, is the technology the same, that if you’re running a piece of equipment, as long as it’s open to the internet, it’s vulnerable? Or can you do security analysis across the spectrum?

00;30;00;13 – 00;30;19;20
Ryan Smith
Yeah. I mean, from our perspective, there’s a lot of similarities. There are some differences where, you know, laws come into play, and maybe kind of the nuances of those businesses would be important things to know. But computers are computers to us. And, you know, the way they communicate is going to be the same. So there’s going to be different aspects of it.

00;30;19;20 – 00;30;41;07
Ryan Smith
But in a general sense, I’d say it’s pretty similar to the things that you’re hitting on. It goes into a little bit what I just kind of teased earlier, which is when we look at risk, we’re looking at the likelihood of it and the impact of it. So how probable is it to occur, and then what is the impact to the business if it does happen? Now, for the likelihood, we’re looking for certain vulnerabilities or weaknesses in our environment.

00;30;41;09 – 00;31;04;15
Ryan Smith
There’s a few things that can make something more likely to get hit than another thing. But the impact side is where you’re seeing those differences in those businesses you gave us as examples. There’s three different areas that we look at. It’s called the triad, or the CIA triad, of cybersecurity: confidentiality, integrity and availability. And so with confidentiality we’re wondering, okay, is there information that needs to stay private?

00;31;04;15 – 00;31;20;16
Ryan Smith
And if somebody gets into this and that information gets out, how could that affect us? If it’s integrity, it’s the information we rely on. So that power plant or manufacturer might really need to make sure that that information is correct, that they’re looking at in a system. And while somebody is in there that’s not supposed to be in there, can they trust it?

00;31;20;18 – 00;31;39;08
Ryan Smith
Wire transfer fraud would be a great example of an integrity compromise. And then availability. That’s like ransomware, right? So the system’s not available to us while it’s under attack. We have to think about those. But I bring those up because those are three things we can think about proactively with the information systems we use and the data we interact with.

00;31;39;10 – 00;31;57;00
Ryan Smith
We can think about how those three things could affect us. You know, our email system, our payroll system, our IT, our agency management system might be one of the things we’re thinking about. All of these different systems we use for different business functions will have different levels of impact, different ways that they affect us. So we have to think about that.

00;31;57;03 – 00;32;13;09
Ryan Smith
And that’s something that insurance really doesn’t give us back. It’s... yeah, I’m a huge advocate for cyber liability insurance. I don’t mean to say that it’s not effective. What I’m saying is, if you have something in your system, even if you pay the ransom, even if you recover from that attack, if they got access to information, it’s not private anymore.

00;32;13;09 – 00;32;30;26
Ryan Smith
It’s now no longer confidential. If you have somebody in your environment, even while insurance is maybe helping you get resources to get them out, you might not be able to trust the information that’s in there while they’re there. And then the availability piece, too. Certainly insurance will probably give you resources to help get things back online, but you’re going to have downtime.

00;32;31;01 – 00;32;49;13
Ryan Smith
You have to think about how these things affect you, even with insurance. There’s additional cost, of course: loss of business, cost of investigations, possibly fines and fees, other financial impacts. That’s where insurance is going to help more, maybe not on the fines if you’re not compliant with the law. But some of these other things, insurance is really going to be important for that.

00;32;49;13 – 00;32;52;12
Ryan Smith
There’s a lot of things people miss totally.

00;32;52;12 – 00;33;17;00
Chip Arenchild
I’ve really enjoyed hearing some of these things, and I find them very helpful to think through and have better discussions with insurers and with our peers about how to handle it. I’m encouraged to know that you believe improving security is going to help to minimize it if everyone gets behind it, but I assume it’s like everything else, where you make a rule and someone figures out how to break it. So absolutely.

00;33;17;03 – 00;33;38;16
Chip Arenchild
But your point is well-taken. I think about the impacts of these things, because there’s so many indirect losses if you do have an event that will impact the business that it’s even hard to predict, you know. And I’ve often found, because it’s been so easy to purchase up until this go-around by answering five questions, no one’s really put the time into trying to shift their business model.

00;33;38;16 – 00;33;52;12
Chip Arenchild
And from a risk management standpoint, I imagine CFOs are starting to pay a little more attention to it, and I think they’ll be more asked of brokers to bring a more comprehensive solution to this particular exposure than we’ve had to deal with in the past.

00;33;52;14 – 00;34;18;20
Ryan Smith
I think so. I think the broker’s going to provide much more access to additional resources and knowledge that these individuals won’t have. We do a lot to help educate producers about these concepts, because for one, it helps them paint a better picture of what risks are actually there and helps them recommend the right coverage for the client, but then also helps them know a little bit more about some of these defenses and ways to avoid a claim altogether and reduce that risk exposure.

00;34;18;22 – 00;34;38;01
Ryan Smith
Something that I see happen a lot, though, a big misconception people have, is that we can have a really efficient system where, you know, there’s a lot of risk and it’s really easy to get into things, or we can have a really secure system that is going to harm our level of efficiency, but there’s still going to be some aspect of risk in that there’s things we don’t know.

00;34;38;08 – 00;34;56;03
Ryan Smith
Like you said before, threat actors might be looking for new techniques, new ways to get in. If we make it harder for them to launch ransomware attacks, we’re cutting off a major funding stream for them. So they’re going to try to find something different. So it’s always going to be escalating. But that’s why you have, you know, cybersecurity researchers out there trying to stay a couple steps ahead of them.

00;34;56;03 – 00;35;03;23
Ryan Smith
Yeah, that’s how we know what vulnerabilities to look for, because somebody is out there collecting that information and publishing it for us to refer to.

00;35;03;27 – 00;35;30;08
Chip Arenchild
Well, it really sounds like brokers need to have a cybersecurity specialist on their team that they can bring along with them to talk to somebody. I would imagine with the explosion of claims, all of a sudden we’re going to see an explosion of cybersecurity specialists now. And if I’m going to go out and find a cybersecurity specialist to put on our team that we’d want to take to a client, what are some of the things that we should be asking of that firm when we talk to them?

00;35;30;08 – 00;35;33;29
Chip Arenchild
Are there some? What would you recommend?

00;35;34;01 – 00;35;54;21
Ryan Smith
So if I can plug this, we’re actually releasing a guide for October. So it’s in final production with marketing right now. We’ll have it sometime mid-October. So it’s our take on what you should be looking for. So there were ten key areas. I’ll see if I can remember off the top of my head. But first you need to think about their approach.

00;35;54;21 – 00;36;11;06
Ryan Smith
Does it align with what you’re trying to do? Is it somebody that you can kind of build and grow with? Do they understand what you’re trying to accomplish there? So there’s a little bit of the general overarching theory that they’re talking about. A lot of what I’ve been describing today is risk-based cybersecurity. So that concept is our approach.

00;36;11;13 – 00;36;29;20
Ryan Smith
Other people might not maybe know what their approach is, or maybe have a little bit different way that they talk about it. So you really want to know, you know, how are they guided on these things? How are they approaching it? Qualifications is going to be next. You want to look at what kind of certifications they have. You know, where is that background coming from? Next...

00;36;29;23 – 00;36;33;00
Ryan Smith
I’m not probably gonna remember all ten of these off the top, you know.

00;36;33;02 – 00;36;54;02
Chip Arenchild
And maybe that’s a document that we might be able to put on our website and share. Right. I don’t know how you guys are going to distribute that, but if it’s a public document, because I do think the brokers will need to be able to have a partner going forward. It’s, you know, right now, most of it is purchased in the wholesale marketplace and you’re relying on what you get there.

00;36;54;02 – 00;36;58;10
Chip Arenchild
And I think in a lot of cases we just don’t know. Right. So yeah.

00;36;58;12 – 00;37;16;24
Ryan Smith
One of the other things to watch for too, that’s probably really important if I’m going to highlight a couple would be communication, making sure that there’s somebody that’s going to be able to help you take this information internally and talk to your C-level team. If you’re an IT person talking with cybersecurity professionals, that’s probably going to be an easy conversation for you.

00;37;16;26 – 00;37;32;16
Ryan Smith
But if you’re somebody that then has to take that conversation up to a CEO or CFO or somebody that does not speak this technical language around cyber risks, you need something that can translate that. So you need to make sure that, you know, the findings that they have are things that you’re going to be able to understand.

00;37;32;24 – 00;37;52;22
Ryan Smith
I don’t see any good in paying somebody to go do this extensive report and then not help you understand what any of that means or how to run with that information. So really the follow-through of whatever analysis they’re doing, or audit they’re doing, or assessment they’re doing is something that you’re going to be able to pass that information along with and understand each other through that process.

00;37;52;24 – 00;38;10;17
Chip Arenchild
Yeah, that makes perfect sense. Well, it’s kind of the Wild West right now, I feel like, you know. I think it’s going to continue, so we’ve got to do our part, too. Beyond that, is there anything else that you feel like our listeners should be aware of that we haven’t talked about today?

00;38;10;19 – 00;38;32;12
Ryan Smith
I think the biggest thing for people to know, where I see mistakes made, is that a lot of people don’t understand where to begin, because they haven’t taken time to understand the risks. I see many people have more of a fear-based approach to cybersecurity because they’ve read stuff in the news, or they just have something in the back of their head that’s concerning them.

00;38;32;14 – 00;38;54;25
Ryan Smith
That might not be your greatest area of risk, though. I’m sure you’re being smart about how you prioritize your time, energy, your budget. You really need to understand and be able to identify those reasons, those factors that are making it a high area of risk. Again, you’re not going to get rid of risk all the way. So you have to be really smart about being impactful there and kind of have a path for yourself.

00;38;54;25 – 00;39;20;02
Ryan Smith
So when people don’t understand, we see them missing risks. There’s unrealized risks in their environment. They might not know where their highest risks are. They might not then know what best practices are going to be most appropriate. And I also see that kind of cascade down into missing some of the behaviors behind everything. They probably aren’t as likely to document them, or be able to demonstrate their due diligence and due care in how they’re protecting their environment.

00;39;20;09 – 00;39;38;17
Ryan Smith
They probably aren’t in compliance in a lot of those cases, too, then, but then they’re also not really aware of how an attack might impact them. That CIA, confidentiality, integrity and availability, I was talking about before. If you don’t understand some of these things and how an incident would affect you, then you might not know exactly how to respond.

00;39;38;23 – 00;39;54;11
Ryan Smith
You’re probably not going to be prepared for what you need to do with those breach notification laws. So there’s a lot of things that really kind of stem from first understanding that area of risk. And I think that’s common with any risk management, since you have insurers listening. Yeah, I think that identification is going to be the first phase for...

00;39;54;11 – 00;40;12;26
Chip Arenchild
Any of this. Yeah, I do too. And it’s so interesting to see how, when the product was first created, it was kind of an afterthought of who would buy this. Right. And now to see what it’s turned into, obviously parallel with the growth of technology, to what it is today and really the impact.

00;40;12;26 – 00;40;22;20
Chip Arenchild
Right? It’s a significant impact for virtually every business. So I think it’s so important. And that’s why I’m so glad you took the time today, Ryan. I’ve enjoyed this conversation immensely.

00;40;22;22 – 00;40;37;17
Ryan Smith
Yeah, I hope I was able to help expand a little bit on some of these concepts from our perspective. And I’ve also enjoyed the conversation, Chip. So anytime you want to revisit some of these, or if you have more questions after you’ve talked to more people, I’m happy to come back in and help you out with some of that.

00;40;37;23 – 00;40;55;19
Chip Arenchild
There’s a good chance we’ll have you back on, Ryan. So now you got to hear a little bit from a cybersecurity specialist and an expert on things you can do that make a difference. And I think if you were to take a summary of what you put together, Ryan, you could build a nice little checklist in a marching order on what you can do.

00;40;55;19 – 00;41;02;03
Chip Arenchild
If you’re not sure right now to start getting yourself in a good spot. So thank you for all your time today and your knowledge.

00;41;02;05 – 00;41;03;19
Ryan Smith
Absolutely. My pleasure.

00;41;03;21 – 00;41;28;06
Chip Arenchild
Okay, remember: enable 2FA. We’ll see you later, Ryan. We hope you enjoyed this episode of Know Your Risk and Insurance Coverage with Risk Pro Net. For more information about Risk Pro Net, please visit our website. You can follow us on Facebook and Twitter for insurance insights. From everyone at Risk Pro Net, we want to say thank you for tuning in and see you next time.
