A Closer Look at Cybersecurity: Prevention with MJ Insurance & Trava
Adam Adler: Good afternoon and welcome, everyone. Happy Tuesday. Thank you for joining us today for our first installment of our four-part Inspire You Cybersecurity Risk Management Series. Today's topic is A Closer Look at Cybersecurity Prevention. Joined by our friends at Trava, today's session we'll cover how you can protect your organization and mitigate exposure prior to a cyber event. Before we dive in and I introduce you to today's group of panelists, a few housekeeping items to go over. All attendees have been placed on listen-only mode. There will be a brief question and answer session at the end of the webinar. Finally, we ask that you submit any questions you may have through the questions or chat box. We'll monitor and answer as many as we can at the end of the webinar and individually follow up as needed after the webinar, so let's get started. My name is Adam Adler. I am a Client Executive here at MJ Insurance in Indianapolis. I'll be facilitating today's discussion. I oversee strategic implementation and execution of property casualty insurance and risk management solutions for many of our valued clients. In addition, I help lead our MJ Cyber Insurance Coverage Team. With all that has happened and continues to evolve with cyber threats, cybersecurity, and cyber insurance, there is so much to continue to do and MJ remains dedicated to providing proactive risk management guidance to our clients. Now, let's meet today's panelists. We are graciously joined by our friends Jim Goldman and Ryan Dunn from Trava. Through the convenient cyber risk management platform, Trava enables growth-oriented companies to operate secure, productive businesses without fear of interruption or loss caused by cyber incidents. Our first panelist is Jim Goldman, who is the CEO and co-founder of Trava. Prior to founding Trava, Jim was a University Faculty Scholar at Purdue University where he served as a Professor and Associate Department Head. 
He started a research lab serving the FBI and trust organizations for cloud computing companies that included Salesforce. While at Salesforce, he was responsible for enterprise-wide security governance, risk management and compliance, and built the company's first security GRC organization. Boiler up, Jim, thanks for joining us.
Jim Goldman: Thank you, Adam.
Adam Adler: Also joining us-
Jim Goldman: I'm very happy to be here.
Adam Adler: Also joining us today is Ryan Dunn, who is the Director of Insurance for Trava. Ryan is an experienced insurance agent who has served technology, life science, VC, PE risks, and has a high specialty in tech E&O and cyber liability. He has built, managed, and led within a variety of financial service companies, including insurance, workers comp, retirement programs and warranty programs. Thanks, Ryan, for joining us as well.
Ryan Dunn: Yeah. Thank you, Adam.
Adam Adler: All right, so let's dive into our discussion on cybersecurity prevention. Everywhere we go, and it's hard to ignore the reality of our interconnected world. Our organizations and businesses are no different. No matter what your organization does, that interconnection and the data that is collected, transmitted, and stored, is vital to what you do and how you do it. Unfortunately, we also live in a world that involves so many threats and bad actors. These individuals and organizations, many of which are very professional in their time and effort, want to take advantage of the vulnerabilities that may be present in that interconnected system. The bad actors seek to take advantage of these weaknesses for their own gain, often with monetary impact. My first question to you, Jim, is five minutes or less, please do your best to describe the current state of cybersecurity.
Jim Goldman: I sure will, Adam. Thank you, and you actually kind of gave me a good segue in your intro when you said cyber crime continues to grow and cybersecurity continues to evolve. I think that's the first thing you need to understand. In preparing for today, I read a recent report. It's from the World Economic Forum, just came out in the last couple of months or so. It was called The Global Cyber Outlook for 2023, and I thought this one statistic was rather startling, but then I found myself shaking my head in agreement. The statistic is this: 86% of business leaders and 93% of cyber leaders believe that global geopolitical instability is likely to lead to a catastrophic cyber event in the next two years. What we've seen lately is almost, and you alluded to this as well, almost like a merging or a melding of cyber crime and nation state cyber warfare, that type of thing. It's no longer this separate thing over there. It's very much one of the weapons in any entity's arsenal to wreak havoc on another company or entity. That's the first thing is cyber crime has taken on this geopolitical significance, which is not good news for anybody. The other thing is that in some ways, it sounds ironic to say this, but in some ways ransomware, which you mentioned down here, is a good thing because the reason I say that is ransomware, in my opinion, finally brought the topic of cybersecurity sort of out into the open. It became a business problem. I think up until now, it'd been largely seen as an IT problem, and even business executives just said, "Well, my IT department worries about that. I don't have to worry about it." I think the notion of ransomware just shutting a business completely down has now enlightened board members, boards of directors and executives that maybe before didn't think that much about it or they didn't take it all that seriously. 
You know, the other thing is that we're in a state of constant technical innovation, new technology always being introduced. We're always buying new technology, and in some ways the criminal activity of breaking into that new technology always lags behind. You know what I mean? New technologies get introduced. We don't really know the ins and outs of them, and then somebody finds a back door. It's like the more innovation we have, the more kill chains or attack vectors that we're putting out there, so it's becoming more and more complex. Again, on the good news, as I said before, more and more corporate boards are now paying attention and on many corporate boards, now it's required that there be a designated kind of cyber person on the corporate board. Because of the ransomware thing, something called cyber resilience is now a big deal. In other words, companies are realizing they don't really have a paper system to fall back on. They have to be able to access their computers, access their information. Then, I think the other trend that I would talk about is because more and more companies are moving to cloud-based solutions, whether they are their own or somebody else's, in other words, more and more companies are getting away from the days of having their own data center with their own IT employees taking care of the servers and the data center. We're actually becoming more dependent on service providers, cloud service providers, et cetera. That means the boundary of your area of concern or the boundary of your system now crosses over into other businesses, and so there's a need for just a new level of vendor management, third-party risk management, service provider management that a few years ago was almost an afterthought. Those are my high-level trends that I would call out.
Adam Adler: Well, yeah, I appreciate that, Jim. Given all that is ongoing with cybersecurity, question for you, Ryan, then. What does the environment look like for cyber insurance in 2023? How does cybersecurity prevention and insurance intertwine?
Ryan Dunn: Yeah, absolutely, Adam. It's interesting, Jim was mentioning cloud environments and how there's new... Technology is constantly coming out where companies are integrating them into their tech stack. Vulnerabilities aren't being found until later on. As we start integrating more of our business processes into our businesses via a digital infrastructure, what we're seeing in the insurance world and what the insurance world is mostly worried about is a systematic breach attack. We're seeing a lot of attention being focused on, how do they either identify that or how do they prevent that from happening? That's where a lot of the concern is, and we have seen that being represented in a lot of increased pricing. I'm sure everybody on this call has seen somewhat of a market reaction to that, and we're seeing reduction of coverages. We're seeing a lot of tightening up on the war exclusion. You'll start to see exclusions not just saying that it's a state actor, but even non-state actors being implemented in there because of that concern of how integrated we are from a digital infrastructure, so seeing that. Now, as from an underwriting standpoint, you will start to see things such as... I'm sure everybody on here has seen that MFA question, yes or no, but we're going to start to see underwriters wanting to validate that info. They're going to want to start taking a deeper dive into your cybersecurity infrastructure, and so we might see something deeper than just a brief external scan and a questionnaire. We might start to see agents starting to collect information that comes from a cloud scan, a web app scan, those more internal scans. You'll start to see underwriters requesting that type of information as well.
Adam Adler: Thanks, Ryan, appreciate that. Let's move on. Take a step back. There is so much confusion and misuse over simple terminology when it comes to cybersecurity. It's easy to confuse or unintentionally misuse so much when it comes to cyber risk, so let's take a moment to dissect some key cybersecurity risk terms. I'm going to ask Jim, could you please provide a simple overview of each of the following: threats, vulnerabilities, cyber risks and controls?
Jim Goldman: You bet, and you're absolutely right. These terms are often used interchangeably and, therefore, incorrectly because the terms actually have a distinct meaning. Let's start with a threat. A threat is a potential attack that could happen, like something negative that could happen. It is a manner in which someone could launch an attack, that type of thing, so a threat would, in the real world, if we want to look at it, a threat would be a person walking into a jewelry store and finding an unlocked case and helping themselves to some jewelry. That's the threat. That's what might happen. Now, that threat doesn't happen unless there's a vulnerability, well, almost like a matched key vulnerability. If the threat is someone's going to walk in and, as I said, find an unlocked jewelry case and help themselves, the unlocked jewelry case is the vulnerability. That is a situation in your system that is an opening. I like the analogy of unlocked doors. Every information system has unlocked doors, and it's the unlocked door that is the vulnerability. Now, if no one's willing to jiggle that handle and find out that it's unlocked, we don't have a problem because at the moment, for whatever reason, there is no threat. Vulnerability can exist without a threat. The vulnerability is the negative situation, the less than ideal situation, not fully protected situation. That's the vulnerability. Now, a risk almost molds those two together and say, "Well, what's the probability that that act would happen, that that threat would hit a hundred percent, would actually be activated? If it were, what's the impact to the business?" Usually measured in dollars, not like an exact dollar amount, although it could be, but usually in terms of one dollar sign, two dollar signs, three dollar signs. Just kind of an order of magnitude. Likelihood times impact is the risk. In other words, all right, let's go to the same example. The threat is someone looking to steal some jewelry. 
The vulnerability is an unlocked case, and the risk is it's usually termed in terms like low, medium, high. Even though there's a... Let's say there's an unlocked case, that's a vulnerability and we have a threat. The risk could still be low because of what are called mitigating controls. Every piece of jewelry has a safety tag on that the alarm goes off as you're exiting or something like that. Just understand that they're almost like three independent variables. You can have a threat, you can have a vulnerability, but there may be mitigating controls in place that don't have the risk that high. On the other hand, sometimes you have something that seems like not a big deal, but if you look at the... It may even be low likelihood, but if you look at the impact that the impact is catastrophic, it can still end up at a high risk, if that makes sense. Then, as I've been mentioning, controls of what you can do in terms of policy process, training, people, technology, that just address a specific risk and mitigate that risk down to a tolerable level. Another term that gets thrown around here is something called risk threshold. Every company, this is where the board comes in, every company's different. They say, "Well, we're willing to accept that risk, or we know we need to put in more mitigating controls, or we think we're okay." That's where you decide what is your risk tolerance or risk threshold. Then, you just really go to town. Once you've identified your threats, your vulnerabilities, your risk, what you have for mitigating controls, and it's like, "Okay, here's where we are today. What do we need to put in in the coming year?"
Adam Adler: Perfect. Thank you very much, Jim. Let's move on. Given the current landscape, this might seem overwhelming with no clear path forward for the average business and organization. That said, there really is no reason to bury your head in the sand. It's more crucial now than ever before that you take a three-pronged approach to cyber risk management. My next question is for Ryan. Could you provide a brief overview of the cyber risk management process from beginning to end? Then further, how does Trava assist organizations?
Ryan Dunn: Yeah, absolutely, so at first, the first thing to note is that most of us or most businesses have either an internal or external IT staff that may deploy some of these security controls for you. I would like to point out that it's extremely important that you are getting an additional layer of assessment going on. When you look at this, obviously the graph explains it pretty plain and simple, but you need some independent third party assessing your risk, identifying anything that your internal or external IT staff could be missing. With that, once you've had that assessment, having a security professional outline the mitigation steps and what mitigation factors you should implement. Lastly, once you have those mitigation steps in place, there is some risk that is unavoidable. That's obviously where the insurance piece comes in. Now, when it comes to like, "All right, who should be this independent third party that does this?" Frankly, right now, MJ Insurance would be the perfect partner for that because they're already advising you on your insurance. However, they've partnered with Trava to be able to check on your cybersecurity infrastructure through that assessment range. They've partnered with us as well from a mitigation standpoint as well going over what has been identified. Where is your cyber risk? Where's the exposure? What are you doing about it currently? What can you add additionally to improve that? Then lastly, where can that risk be transferred over?
Adam Adler: Perfect. Yeah, thanks there, Ryan. That integrated risk manager approach that Ryan just talked about is a simple fundamental element in their incident response process. Jim, could you walk us through the basis of this underlying process and can you provide a practical example of each of the steps listed on the screen?
Jim Goldman: You bet, and the truth is, it's not always these six. In other words, there are incident response processes that range from having four steps to seven steps, but all of these elements are in all of the different processes. It usually starts with a prevention or sometimes it's called preparation stage, and it's like that old adage, an ounce of prevention is worth a pound of cure. Much better to prevent incidents than having to learn the hard way how the kind of damage and disruption they can do to a business. The first thing is prevention, and that really ties right into what Ryan was just talking about. You identify your risks, you prioritize your risks, and then you put together very specific mitigation plans to implement mitigating controls for each of the risks that you identified. That's the preparation or prevention. The next thing to do, and this sometimes escapes people, is you have to have really good detection out there. In other words, once you identify where your risks are, you need to think about... I always use the analogy of wet concrete. Where can we put wet concrete so that when the criminal walks through that vulnerability, that attack vector that we know about, how can we trap their fingerprints or their footprints without them knowing it? That detection stuff, so there are technical solutions, there's network detection devices, there's endpoint detection devices, but basically you want to be looking for what we call anomalous behavior. I mean, malware prevention, anything malware software falls into this, and the way anti-malware software has evolved over the years is kind of a good indicator of the sophistication of the criminals. What I mean by that is back in the old days we called it antivirus software. There really weren't that many new viruses getting introduced every day, and so we would do what's called signature-based detection because we knew what the signature of a given virus was. That was okay for many, many years. 
Then, what happened is we started getting more viruses, more malware more quickly than we could publish the libraries of known viruses, and so a new type of incident detection called heuristic or behavior-based detection came about. What it's doing is saying that... Not that it's looking for a signature of a virus, a certain executable, it's just saying, "That behavior is not normal. Here's my normal behavior. This behavior is not normal. I think something's going on." The software's even gotten more sophisticated, so it can like eliminate that one device from the network. It can isolate it, it can quarantine it so the virus doesn't spread. There really is a lot of good medical analogy that you can use in risk management that really makes it more understandable. The other thing that people overlook on the detect one before I leave that is a lot of people don't pay enough attention to log management and how important logs are. Any action that any user on your system is taking, I know it takes up a lot of disk space or whatever, but you really do need to keep logs for a given amount of time for different systems. Logs are absolutely your first level of defense because when you first suspect that something's wrong, you're going to go to the logs and say, "Well, who did what, when?" That kind of thing. Unfortunately, this is what a lot of companies learn the hard way on their first incident is they weren't paying attention to their log management and they don't really have the logs that would show when the intrusion first happened, that type of thing. Imagine that feeling if you don't know how long the bad guys have been in your system taking data out. Once you've detected it and you've identified it, now we can respond. Again, with the medical analogy, we may be sick, but until somebody does a thorough diagnosis and the testing and finds out exactly what's wrong, we really don't want to be treated with a response. The same thing is true here. 
We have to identify the exact situation and then respond. Now, sometimes here in response or a subcategory is containment. They'll say, "Well, the first thing you need to do once you've identified it is containment. Put up a perimeter, isolate it, that type of thing. Take it off the network, whatever you have to do so that the attack doesn't spread any further than it already has." Then, the other part of response after you've contained it, then you need to eradicate it, get rid of it, remove it. Then, the next step is recover, so very often those are grouped together, containment, eradication, and recovery kind of go together. Recover, this is where you hopefully have done like a business continuity and disaster recovery exercise so you know you've got good backups. Ironically, backup and recovery is one of those kind of required questions with the big increase in ransomware. Now, cyber insurance companies want to know that you could restore your systems and actually have tested and then successfully restored them like you've actually done it and you know you can do it. Very, very important. Then, finally, there are usually two stages of retrospective. One's called a hot wash. That's where you immediately when you say, "Okay, the incident's been contained," you do an immediate hot wash or review of the process and look for process improvements. Then, usually about a week later after everybody's gotten some sleep, you come back and you do, again, another lessons learned thing. "Okay, what could we have done differently? What did we miss? What went well? What didn't go well?" That's really it.
Adam Adler: Perfect. Thanks, Jim. All right, so where does an organization begin? Well, if the leadership team has made the commitment that cybersecurity prevention is a critical risk that needs to be addressed, what is the most practical first step that a business should take today to help mitigate cyber risk? This question's going to be for both Jim and Ryan. Can you both share your insights on where an organization should start?
Ryan Dunn: Yeah, yeah. This is a great slide. I know Jim had some good input on where they should start exactly. I can't stress more from the assessment level how important it is to start assessing your internal security controls. Our modern cybersecurity infrastructure has moved to the cloud, and so making sure... What we hear from a lot of businesses, and I'm sure MJ hears it a lot is, "My data's in the cloud. We're okay. We're partnering-
Jim Goldman: Yep.
Ryan Dunn: ..."with AWS, we're partnering with Azure. We're okay." It couldn't be farther from the truth, frankly. Everybody would not believe how many times when we scan a cloud infrastructure there's data publicly available, so in my opinion, I would say getting a good idea of your internal security controls and assessing your internal environment would be absolutely paramount.
Jim Goldman: Yeah, and I would just dovetail on that. I go back. Sometimes it's easier to think about analogies or applications in other fields. If you were sick and you went to a doctor or a quick clinic or something like that, you probably wouldn't want them to start treating you and fixing things without having first done some kind of testing, all right?
Adam Adler: Yeah.
Jim Goldman: Well, it's the same thing here. You know, the other analogy I use is if your check engine light goes on, you don't pull into the nearest auto parts store, grab a shopping cart, and start taking random parts off the shelf. You want to get the test results interpreted, and so it's the same thing with cyber risk. You have to be tested. You have to have a thorough cyber risk assessment. Otherwise, what happens is you're allowing the influence of cybersecurity technology salespeople to basically dictate your strategy for you because you don't have a strategy. You're just saying, "Yeah, I guess we could use one of those." Well, maybe that one of those is like the ninth most critical risk you have and you ignored the other eight that you should really be mitigating sooner. You have to have an assessment and a plan and then just start working your plan to whatever budget and time commitment and manpower level you have.
Ryan Dunn: Yeah, and additionally, kind of on that note of having a plan, it's important to have this external support. You have your managed service provider, your external IT or internal IT staff that is constantly helping you out. You have your insurance broker or carrier providing resources as well, and then you have the cybersecurity partners attached as well. What this does is it eliminates that single point of failure from your strategy standpoint, so you're not going to just be relying on your one guy that's been working on your IT for the past 20 years. You're having multiple parties looking at your cybersecurity infrastructure and saying, "Hey, we've found these vulnerabilities, we found this vulnerability. By the way, this cybersecurity control is a little bit low compared to your exposure. We should take a look at that." Having a tiered multi-pronged approach is going to be a great plan for success.
Adam Adler: Yeah, great point with the stressed advisors, that's critical to make heads and tails of what you find out in that assessment, right?
Ryan Dunn: Yep.
Adam Adler: To all our viewers, you do have the ability to download a cyber assessment checklist that we've made available. It is in the handout section of this presentation. We will make it available after this, but it's an easy, simple guide that you can check off simple steps in this process. Again, it's available to download now, but we will send it out after this as well. All right, so ultimately, let's spend some greater time diving into some of those critical controls that an organization can do to mitigate cyber threats and risks. Jim and Ryan, let's take some time and walk through all the information that's presented, the controls that are presented on this screen. Can you explain why some of these are important? Then, for someone who's not in an IT or cybersecurity position, what do these controls mean in layman's terms?
Jim Goldman: Mm-hmm. Do you want me to start, Ryan?
Ryan Dunn: Yeah, yeah, and I'll dig in-
Jim Goldman: Yeah-
Ryan Dunn: ...on something.
Jim Goldman: ...so these are the solutions to mitigating the risks that most IT organizations would face. The good news is that there are industry standards that say, "Okay, in today's cloud-based world, all right, every single company doesn't have to come up with their own plan, solve their own problem." There are really smart people that have gotten together and set these standards. For example, there's the National Institute of Standards and Technology in the United States, NIST. There's an international organization called The Center for Internet Security. Those are both really good security control frameworks. If it boils down, these are the buckets that those controls say, "Yeah, you got to do something here, here, here, and here." If you were to do all of these things, like had a decent control and it was implemented maturely. What I mean by that is it's documented, it's repeatable, it's well-managed, it's done the same way consistently. If at any time it doesn't get done, you got either a management or a monitoring layer above it setting off an alarm. For each one of these things, you want to put in a mature system to make sure it's being done properly, that you're gathering evidence for it if you want an audit or something like that. Some of these we already talked about I can go through real quickly. Antivirus is just what it says. Sometimes people separate malware defenses against that. Antivirus is just one type of malware. Another thing that just it's sort of a head-scratcher why it gets ignored so much, but it does, is just keeping your patches updated. Now, if you're not familiar with that term, what happens is every piece of software gets written, and as I alluded to before, eventually people find ways to break into that software. It's sort of an inevitable cycle, all right? What happens is, as those vulnerabilities come to light, the company that wrote the software sends out another little piece of software that's called a patch. 
Just think of it as plugging the hole that had been there, but then it isn't. Really, there's a lot of automated patching now, letting you know if your laptop operating system is out of date, your browser, your Chrome needs to be updated. You really should just implement kind of a corporate culture that embraces updates and patches and does them on a regular basis, so that's a big prevention right there. Probably the most common one that people are talking about these days as a result of all the ransomware and what cyber insurance companies and carriers are saying is multi-factor authentication. It is probably the single most effective, least expensive way to thwart a ransomware attack is to have multi-factor authentication. It sounds fancier than it is. It just means you also get a number sent to your phone or, you know, you use a third-party authenticator app like Google. That, again, gives... It just generates a code that's time-synced with the application. If someone was to say, "Boy, if I could only do one thing this year, what's the one thing?" I would say multi-factor authentication. Endpoint detection/response protection software, so this is a little bit different than antivirus, although there is some crossover because what this is saying is this is more on the emphasis on the response side. It's like what I was talking about before with automatically removing a device from a network, quarantining it, et cetera, et cetera. You have to have someone, it doesn't have to be an employee, but someone has to be kind of watching your network, watching your information systems for anomalous behavior, random logins from countries that don't usually log in, that kind of thing. That 24/7 is usually done by a security operation center or a SOC. Large multi-billion-dollar companies are going to have their own SOC. Smaller companies are going to hire a third party to do that. Backup and recovery we already talked about. That's absolutely critical. 
Employee training, it's not an exaggeration to say that the weakest link in any company's cybersecurity program is the people and they continue to prove that to be true. I think the important thing here is good training, training that is engaging, that's not boring, that's well-produced, that gets the point across, but can be fun. We happen to use one, and some people say, "Well, once a year you're going to sit there for an hour, an hour and a half and look at these 40 slides or something like that." What we chose to do is we do 15 minutes a month, so every month we do 15 minutes of training. It's like animated. It's choose your own adventure, et cetera, et cetera. It's really, really quite engaging.
Adam Adler: Yeah-
Jim Goldman: Our-
Adam Adler: ...yeah.
Jim Goldman: ...password management process, again, this is sort of one of the older controls that got implemented. It's hard to believe, but when computers first came out, we didn't have passwords. We had user ID. We didn't have passwords. There were no passwords, but yeah, passwords have to be... All the typical requirements have to be changed every 30 days, have to be 12 characters long, have a mix of Roman numerals, et cetera, et cetera. Can't be looked up in a dictionary. Privacy controls have gotten real big. This has to do more with data classification, data handling, data deletion, et cetera. The GDPR is the European Union Privacy Standard. In the United States, California CCPA is kind of the forerunner there. This is very serious stuff. You don't want to get on the wrong side of this. If you have sufficient revenue derived from enough, there are exclusion clauses. If you have enough data on enough EU citizens, you have to be GDPR compliant. You don't have a choice. If you have an incident and they find out that you weren't meeting all your obligations in a GDPR, they can take up to 25% of your annual revenue. That's quite a fine. Just protecting your data with encryption, that's straightforward. We talked about an incident response plan. Scans and penetration testing, that's what Trava does besides just evaluating your risk, as Ryan talked about. They have extensive scans. It's amazing how many people are in the cloud, but don't bother to scan their cloud environment because they're so used to the mentality of, "Well, we need to scan my computer or this server under my desk." They forget that they've got a whole cloud out there that isn't well-protected. Then, finally, just what we talked about with the interdependency. There's increased emphasis on third-party risk management, vendor security, service provider management, whatever you want to call it.
Ryan Dunn: Yeah, and I would just add, Jim, I feel like that was a great encompassing description of each category. A few things to add, employee training. It's wild that almost none of these would necessarily matter if employee training isn't there. Us humans are the biggest risk to our organizations, and so making sure that we're up to date and just have a general understanding of what's going on out there, how to identify a spam email, or how to respond if you are to receive that. I think that's something that needs to really be ingrained in companies is, "Okay, my employee has identified something worrisome. What is their three-step process that they need to do that?" Making that super clear and obvious for the whole organization is super important. I couldn't stress harder on the employee training standpoint. You can solve a lot of cybersecurity threats just through that one category. Then, as this pertains to insurance, these are the categories that insurance carriers are paying attention to every single one of them. You will see a question on your cyber application that's pertinent to every single one of these categories, and if you are paying attention to these categories and making sure that you are top-notch in them, your insurance renewal and insurance process, the process to getting cyber insurance has become very cumbersome, it will be super seamless. If you're going to be focusing on areas, it's this, and yeah, I just wanted to put that point in about the insurance piece.
Jim Goldman: Yeah, something-
Adam Adler: Yeah.
Jim Goldman: ...you said about employee training really caught my ear. The objective of employee training is to develop a sensitivity in your employees when something doesn't seem right. In other words, we're not trying to make them cybersecurity experts. We're trying to give them enough sensitivity to the kinds of things cyber criminals do so that they recall it and it just slows them down and they think for one extra second because that's what happens is we're all so busy trying to get through our email, it looks legit. We click something, and so we just need that extra second or that extra half a second to pause and think before we click. That's really the main outcome of employee-
Ryan Dunn: Yeah-
Jim Goldman: ...training.
Ryan Dunn: ...I mean, just speaking from my standpoint, I received an email, it was just last week. It kind of goes towards that vendor security. Companies are using so many vendors for so many various things, sometimes the rollout of that vendor isn't specifically stated or it kind of just comes to you via email and you're like, "Oh, I guess we're starting to use this vendor now for billing or something." Because of this employee training, I was able to take a step back and go, "Wait, I have not received any type of notification [inaudible]."
Jim Goldman: Yeah.
Ryan Dunn: You know, just took a step back and verified it with whoever sent it. That's all because of employee training. I probably would've clicked on it if it wasn't for that, but don't tell our security team that.
Jim Goldman: No, that's good.
Adam Adler: Right. I appreciate the insurance insights because you're right, the cyber application process is a cumbersome, tedious process. No application is the same, but they ultimately try to get towards the same outcomes. And all these topics are essentially being asked, if multi-factor authentication was the item for the last year or two, is there one or two of these that you see going forward to really put that focus on towards the future?
Ryan Dunn: I mean, to me it's more they're going to be validating how deep are these controls rather than, "Do you have this?" The MFA was, like I stated earlier, MFA was yes or no, EDR, yes or no, but now it's going to get, "Okay, yeah, MFA, but to what extent?" How many employees have MFA on their emails? Right? Do you have MFA on all of your third-party apps? If your remote access employees, do they have MFA? Being able to express that is going to be on every single application, and then EDR, same thing. Great, you have EDR, but you have endpoint detection and response on 50% of your systems. Is it 80%? To what extent? I think to what extent is going to be the next thing that we start to see. I think it's important for businesses to be aware of that, but also for insurance agents to be aware that that's coming down the pipe as well.
Adam Adler: Great point. Thanks, Ryan.
Ryan Dunn: Yep.
Adam Adler: Well, that question towards the future kind of leads us right into the next slide, which is in regards to the future of cybersecurity. So much of the change over the past so many years, it's fair to assume the future will continue to emerge with new vulnerabilities, new threats, and new controls. Jim, I'm going to start with you. From your perspective, what does the future hold?
Jim Goldman: Sure. Well, believe it or not, I think it's not all terrible news and doom and gloom, even though I kind of started out my talk that way. When we first founded Trava, it was the notion of getting cybersecurity or cyber risk professionals to speak the same language as cyber insurance people was pretty farfetched or preposterous because the two really didn't speak a common language. What I have seen in the two and a half years or so that we've been around and had a lot of conversations with agencies such as MJ, various carriers, et cetera, it's like we're starting to talk the same language again and we're moving towards some kind of shared understanding. I like to think of that shared understanding as a concept of cyber resilience. In other words, we have that screen that had all the, whatever it was, 10 or 12 different technologies. Well, it's 10 or 12 different scores. I think what's going to happen is we're going to weight those 10 or 12 factors, and we're going to come up with a cyber resilience score. It's that that's going to be the common language for cyber insurance people and cyber risk people and just the people that are in charge of the cybersecurity of their businesses or organizations, that type of thing. I think we're all going to talk cyber resilience. It'll be a standard measure, and I'll be like, "Okay, you got a 700, you got an 800." You know what I mean? That kind of thing, I think it'll make everybody's lives easier when we get to that in some kind of validated state, I think, and we've already seen this. I think at least in the United States, the government, the federal government is going to take more and more of a role in encouraging and supporting businesses to be more cyber secure.
They realize because of the nation state implications of this, as I often say, two out of every three new jobs in the United States comes from small and medium-sized businesses. It's like 66% of the U.S. economy is terribly at risk because of a lack of effort, money, et cetera, to properly secure our small and medium-sized businesses, huge gaps. I don't think that's going to remain unaddressed by the federal government, and I think it's going to be not just thou shalt, not just more regulations. I think there's going to be programs developed to actually see that this gets done because it's too scary not to. We as a nation can't afford to remain as vulnerable as we are.
Ryan Dunn: Yeah, yeah, I [inaudible]-
Jim Goldman: I think the last thing I had was cyber insurance companies are going to continue to raise their requirements because they're losing their shirts. They're going to continue to restrict coverage and continue to increase rates.
Ryan Dunn: Yeah. Jim, just a note on that, government intervention. Right now, they're doing an analysis of what that would look like. What would that cost? How would they implement something like that? We all know if government is going to be putting money behind this, that's going to be coming at a cost. That cost is going to be stricter controls, more control framework, stricter balance between businesses and following some type of control framework and using some type of structure to make that accountable most likely using insurance as the catalyst to make sure that's implemented. I would definitely completely agree that if government does get involved, create some type of backstop, then there will be stricter controls and carriers will be held more accountable on that.
Jim Goldman: Yeah, there'll be requirements, and one thing we probably... I mean, it was an early slide, but it would be good to go back to, there's only three steps to the risk management process. You assess the risk, you mitigate the risk to the extent you can, and then you always have risk left over, and that needs to be risk transferred to insurance. There's always going to be unmitigated risks. There's always going to be residual risk. There's always going to be a need for cyber insurance to be the risk transfer mechanism for that residual risk.
Ryan Dunn: Mm-hmm. Absolutely.
Adam Adler: Great point, guys. All right. Anything else, I guess, towards the future before I move on and we jump into questions and answers?
Ryan Dunn: Nope.
Adam Adler: Okay. All right. We have received a few questions and I'm going to try to get these out to each one of you. This is probably a question for Ryan, but Jim, feel free to chime in. Are insurance carriers making terms so restrictive and premium, so costly that businesses may start canceling their cyber insurance policy? Thoughts or comments on that?
Ryan Dunn: I just want to make sure I'm understanding the question completely. Am I reading this or hearing this as they're like purposefully trying to do that so people cancel their coverage?
Adam Adler: Yeah, I think essentially going too, yeah, too extreme to the point where hey, companies would be better off to self-insure at risk.
Ryan Dunn: No, I think they're expecting businesses to still acquire insurance. The reasoning behind that is a lot of people are, if you look at the purchasing behavior as to why people buy insurance, a lot of it is contract requested. I think in some fashion, businesses have their hands tied when it comes to that. I don't think it's in their modeling that they're saying, "Okay, let's make this super expensive and people will cancel and go self-insured." I think they're still expecting people to purchase. Unfortunately, it's coming at a pretty steep cost now. I mean, Adam, I'm sure you've seen it, but I just saw somebody's premium go up 400%-
Adam Adler: Yep.
Ryan Dunn: ...and they're an MSP. I mean that's pretty aggressive, so I think they are still expecting people to purchase.
Adam Adler: Yep [inaudible].
Jim Goldman: You know, and there again, you don't know what's going to happen. The government may have to step in. I mean, maybe it'll vary state by state, but it's like in most states you can't drive a car without automobile insurance. Well, I'm sure there was a time when that wasn't a rule and then it became a rule. Something prompted it to become a rule. I don't know that this is all that different. You look at the amount of loss right here in real dollars and when does the government say, "Well, as part of this backstop program, you're going to do this, this, and this, but we're going to create a shared insurance pool and everybody's going to have cyber, and everybody, whatever, over 50 employees has to have cyber insurance?"
Ryan Dunn: Yeah, I think there needs to be a give and take on both sides. I think there needs to be... Businesses need to be more involved about what they're doing about their cybersecurity, but at the same time, there needs to be some assistance there from a financial perspective. Businesses can't be floating the cyber insurance world on their own. That's just unreasonable and just it won't work. It would crash the models. If it really got expensive people, people would stop buying it, and if people stop buying it, that's when things get really shifty. I think to summarize, I think it's going to have to be a give and take on both sides, right? A little-
Jim Goldman: Mm-hmm.
Ryan Dunn: ...bit more involvement from businesses and a little bit of financial support from the backend, which would be government.
Jim Goldman: Well, the other motivation for businesses doing this that we didn't talk about that should be obvious is when your customers and potential customers say, "Thou shall be certified," or "Fill out this security questionnaire," or, "Love your product, but if you're not, don't have this certification. I'm sorry, we can't buy from you." In other words, it's that interdependency, and if I'm running my business and I spend time and money to properly protect it, but I need your SaaS application or whatever, well, that's like leaving the back door unlocked if I'm not holding you accountable for the same level of security I'm holding myself accountable.
Ryan Dunn: Yeah.
Adam Adler: Yeah, that vendor and client kind of checking out process is probably going to be very important towards the future.
Jim Goldman: Exactly, exactly.
Adam Adler: We have one question that came in, and maybe this is a question for Jim, and I always think that hey, it's not a matter of if someone, a business, an organization is attacked, it's more when. The question is, is there a way to actually stop even that threat, that intrusion that's out there?
Jim Goldman: I would give a qualified yes, in other words, it's a matter of how much do you want to spend on technology and people? The other kind of joke that we always say is you can't overspend in one area and underspend in another area of security. The analogy we use is it's like putting a steel door on a grass hut. You know what I mean? As long as they're trying to break in the steel door, you're in good shape, but once they realize it's just a grass hut, they can walk in the back door, you just wasted your money on a steel door. It's the same thing in security. You can't like overspend in one area and because you bought the absolute best solution, most expensive solution out there for that one area, that doesn't make you secure.
Adam Adler: Makes sense. One last question I think we have time for here. Question is really about utilization of clouds, internal networks, internal systems not connected to the internet using PCs as terminals. Is there any of those steps that are kind of beyond the controls and say, "Hey, we hear this so often, 'Hey, I use the cloud, my data is backed up in the cloud.'" Is there anything to that that even says that that helps, that's better than otherwise?
Jim Goldman: Well, the thing about the cloud, and I think Ryan alluded to this, is all of the cloud services are secure in and of themselves. The problem comes is when you buy a cloud service, and they're all the same in this regard, their motivation is for you to get your application or your use of their cloud resources up and running quickly and easily. They do that by having default settings that are not fully secure and people don't realize that. If you just quickly set up a default area in name whatever cloud provider you want and start storing data there, chances are that data is publicly accessible to everyone unless you explicitly go in and change the security parameters. This is what Ryan was alluding to. We find some of our customers when we scan them the first time and scan their cloud environment, they literally have thousands of vulnerabilities because for every instance of a given vulnerability on a given server, that counts as one vulnerability. That's how they end up with thousands of vulnerabilities in that cloud environment and they're shocked because they say, "Well, I thought name-the-cloud environment was secure." It is, but it's not securely configured by default.
Ryan Dunn: Yeah, that applies not only just to cloud, but also Internet of Things, so whether if that's an on-prem like thermostat or even your Wi-Fi network, change the default password-
Jim Goldman: Yeah.
Ryan Dunn: ...because those default settings will not be in your favor.
Jim Goldman: Yeah, it's the default password thing, just like Ryan said. Your cable modem from your TV company, I mean, there was that great story about a casino being broken into by I think it was the default password on an aquarium thermometer.
Ryan Dunn: Yep.
Adam Adler: All right guys, I think we're out of time here, so before we move on, though, for our attendees, we want to invite you to join us for our next MJ Inspire You event, The Business Case for Mental Health: What C-suite Leaders Can Do to Recruit and Retain Top Talent. This will be taking place on Tuesday, April 18th, at 3:00 PM Eastern time. For those of you out there, please feel free to scan the QR code to learn more, so if you have those cameras up, I'll give about five seconds here for that, but we'll send this out, too, so join that. I know it's a totally different topic, but love for anybody to join us for that. Then, finally, thank you, everyone, for joining this candid conversation on cybersecurity prevention. We hope you found insightful risk management prevention steps and controls that your organization should consider now in planning into the future. Thank you both, Jim and Ryan, for your insights and your expertise. For the audience, please be on the lookout for information for our other upcoming cybersecurity Inspire You events to come later this year. Those topics will include reduction, risk transfer, and compliance. More to come on that soon. Thank you, everyone, and have a wonderful day.
Jim Goldman: Thank you, Adam.
Ryan Dunn: Thank you, Adam.
DESCRIPTION
In 2022, the average cost of a data breach hit 9.44 million in the U.S. with that number expected to rise 23% per year, globally reaching $23.84 trillion by 2027. The numbers are staggering, and one thing is certain—no industry is immune.
As cybercrime and its associated cost continue to increase steadily, organizations must proactively prepare by instituting various cyber prevention strategies and tactics.
Learn from our team of risk management and cybersecurity experts as they share tactics on how to protect your organization and mitigate exposure prior to a cyber event.