Using yesterday’s cybersecurity lessons to prepare for tomorrow.
With so many employees working remotely and all of the operational changes the COVID-19 pandemic caused, every business was – and will continue to be – exposed to a new layer of cyber threat as part of our “new normal”. Now is the time to revisit your cybersecurity program and protection plans so you’re prepared for any challenges the future may bring.
On December 8, 2020, Ryan Shinkle, Head of Sales at Insgroup, and Michael Trpkosh, Director of Cybersecurity at Pathway Forensics, discussed essential cybersecurity topics, including:
- What is cybersecurity?
- The difference between having a general cyber insurance plan and a tailored plan
- A few major cyber threats organizations have faced
- The proper steps to take to ensure your company’s best protection
- How you should react if you experience a cyber attack
- Business email compromise (BEC) and email account compromise (EAC), including CEO fraud
- Pathway Forensics uses a risk-based approach, but you can do everything right and attackers can still get into your network. You must allocate resources to defending against these bad actors and also have a well-practiced, well-executed incident response or data breach response plan. A partner like Insgroup provides that back-end piece through an insurance program built on an inventory of your assets, their value, and what it takes to get up and running again if an incident occurs. Pathway prepares you at the front end, and Insgroup helps you on the back end.
- Information security covers all of your data, including paper records, devices, and more. Cybersecurity focuses specifically on electronic assets: digital data and digital systems. Pathway’s risk-based approach identifies the risks to your digital assets, costs them out, and helps you determine how much to spend protecting those assets.
- Cybersecurity is not just limited to Fortune 100 companies. Every company – of every size – needs cybersecurity protection. It is crucial to understand your company’s digital data when determining your cybersecurity approach because it’s not a one-size-fits-all solution.
- Cyber liability insurance can cover non-malicious actions taken by an employee: cases where nobody is intentionally leaking information, but it happens nonetheless. For example, if an employee accidentally sends a client list to the wrong email address, this is a non-malicious, unintentional breach, and if the data is sensitive it can still create a duty to the people whose information was exposed.
- There is a time element to cyber insurance policies. According to Insgroup, if everyone at the management level is listed in the policy as a responsible reporting party and one of those managers becomes aware of an incident but doesn’t act on it, doesn’t pass it up to a more senior person, or doesn’t report it in time, there may be issues when it comes time to settle the claim. Late reporting can cost you full coverage, leave you with limited coverage, or void coverage entirely, because it impaired the insurer’s ability to act and potentially stem losses. Know who is responsible for reporting claims and what the time limits are once an incident becomes known.
- Threats such as ransomware, phishing and social engineering, and CEO fraud are escalating. Employees working remotely are comfortable at home and let their guard down when opening email; the attacks that exploit this are known as business email compromise (BEC) or email account compromise (EAC). If an employee at home opens a phishing email on a personal account, the resulting infection compromises the home network, and the trusted connection from that network back to the office gives the attacker a path to pivot into the company.
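As an added example (not from the webinar, and not code from Pathway Forensics or Insgroup), the script below turns the two BEC red flags described on this page into checks that can run over inbound mail: a lookalike sender domain where, as the transcript puts it, “the L is actually a one”, and an urgent payment request whose replies are routed somewhere else. The organization domain example.com, the confusable-character table, the payment keyword list and the three sample messages are all constructed for illustration.

```python
"""BEC triage checks: lookalike sender domain, Reply-To mismatch, and
urgent payment language from outside the organization.
Added example; ORG_DOMAIN, CONFUSABLE_PAIRS, PAYMENT_WORDS and the sample
messages are assumptions constructed for this illustration."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Substitutions attackers use to build lookalike domains. The first pair is
# the webinar's "the L is actually a one" case.
CONFUSABLE_PAIRS = [("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w"), ("5", "s")]

# Assumed wording that should raise suspicion when the sender is external.
PAYMENT_WORDS = re.compile(r"\b(wire|invoice|payment|pay|urgent|before lunch)\b", re.I)


def skeleton(domain: str) -> str:
    """Canonical spelling in which visually confusable domains collide."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for src, dst in CONFUSABLE_PAIRS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Domain part of an address header, or '' if absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True when domain is not org but is visually or typographically close to it."""
    if not domain or domain == org:
        return False
    return skeleton(domain) == skeleton(org) or edit_distance(domain, org) <= 1


def triage(raw_message: str, org: str = ORG_DOMAIN) -> list:
    """Return the list of BEC red flags found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []
    if is_lookalike(from_dom, org):
        findings.append(f"lookalike sender domain {from_dom} (expected {org})")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    if from_dom != org and PAYMENT_WORDS.search(text):
        findings.append("payment or urgency language from a sender outside the organization")
    return findings


# Constructed sample messages (not real mail).
SUSPECT_MESSAGE = """\
From: "Pat Lee, CEO" <pat.lee@examp1e.com>
Reply-To: <pat.lee.ceo@mail.example>
To: accounts@example.com
Subject: Urgent vendor payment

I'm at a conference without access to email. Please pay this vendor
before lunch today; we're behind on their invoice.
"""

LEGIT_MESSAGE = """\
From: "Pat Lee" <pat.lee@example.com>
To: accounts@example.com
Subject: Q4 summary

Attached is the Q4 summary for your review; no action needed.
"""

VENDOR_MESSAGE = """\
From: "Vendor Billing" <billing@vendor-invoices.net>
To: accounts@example.com
Subject: Invoice 4471

Please find attached invoice 4471, due in 30 days.
"""

if __name__ == "__main__":
    for label, raw in [("ceo-fraud", SUSPECT_MESSAGE), ("internal", LEGIT_MESSAGE), ("vendor", VENDOR_MESSAGE)]:
        print(label, triage(raw) or ["no red flags"])
```

The CEO-fraud sample trips all three checks; the internal message trips none; the genuine external invoice trips only the payment-language check, which is the right outcome, since an invoice from outside still warrants out-of-band verification before anything is paid.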
Transcript
[Jackson Phipps, Insgroup] Everyone, thank you all for joining. My name is Jackson Phipps. I’m a business development rep for Insgroup. We’re a premier insurance brokerage firm and one of the largest independently held firms here in Texas. We’re beyond excited to be partnering with Pathway Forensics on cybersecurity best practices and trends today. Before we get started, if you have any questions, please put them in the chat and we’ll make sure to discuss them at the end during the Q&A. With that being said, Ryan, Mike, the floor is yours.
[Ryan Shinkle, Insgroup] What a good deal. Thank you, Jackson. Mike, thanks for joining us. Mike and I have had the opportunity to connect on a couple of different occasions and talk about the work that they do at Pathway Forensics and how it complements the work that we do here at Insgroup. As Jackson mentioned, Insgroup is a commercial insurance brokerage and advisory firm. Pathway is a subsidiary of Briggs & Veselka. Briggs is very impressive, one of the largest, if not the largest, privately held accounting firms in the state of Texas: a multi-location, full-service accounting and tax advisory firm, and one of the services in which they are a leader in their industry is cybersecurity and cybersecurity assessments.
Of course, I’ll yield to Mike to talk about that. But the reason the partnership makes so much sense is, I think it’s safe to say, that Mike and his team are focused on breaches not occurring, cyber events not occurring, and education and awareness for their clients. We are here to put in the appropriate products to support clients if and when those things do happen, and to provide tools and resources both before and after a breach. Our services and the advice that we give are very complementary, wouldn’t you agree, Mike?
[Michael Trpkosh, Pathway Forensics] I totally agree. I think you hit the nail on the head. With the services that we offer, we do our best to try to assess your cyber posture, and then we make recommendations to help you define and defend the perimeter of your organization. That’s getting much harder to do; it’s not a brick and mortar building anymore, especially now with COVID. So we’ve had to kind of think outside the box in how we approach that, and we use a risk-based approach. But then where our partnership with Insgroup really makes sense is that you can do everything right and the attackers are still going to get in. So not only do you allocate resources to defending, but you also then have to have a very well executed and very well practiced incident response or data breach response plan. What that includes is having a partner like Insgroup that can provide that security through the insurance: you’ve identified your assets, you’ve valued your assets, and now we know what it’s going to take to get you back up and running. We prepare at the front end, but we’re also prepared at the back end.
[Ryan Shinkle] Very well put. The first question that Jackson has put up in front of us here is pretty high level, Mike, and I’d love for you to run with it. What is cybersecurity? The answer may sound obvious, but I think for many of our attendees a more in-depth explanation of your holistic approach to cybersecurity would make a lot of sense.
[Mike Trpkosh] Yeah, so back in the day cybersecurity wasn’t even a thing; nobody knew what that was. We had information security, and before that we had your IT organizations. They were a function of finance, generally, and your chief information security officer was generally a technical subject matter expert within IT.
Then as we started to identify the need for information security, whether it’s from regulatory or risk, that person kind of became more separate from the IT group and owned their own space. Now today the CISO and the cyber group have pretty much stepped out of the shadow of IT and become an overarching umbrella over the entire organization, because every facet of the organization, through digital transformation, is now part of the cybersecurity equation. When we say information security, we’re talking about everything, all of your data, and that includes paper, devices and such. But cyber focuses specifically on electronic, and what that is, is digital data and digital assets. That’s the big difference between the two. And the approach that we take, we utilize a risk-based approach, meaning that we identify what is a risk to our digital assets, and then we cost those out and we determine how much we’re going to spend to protect those assets.
[Ryan Shinkle] That’s very well put. From the insurance side it reminds me very much of the concept of enterprise risk management, where everybody within the organization has ownership over managing risk. That’s certainly true in the cyber world. You talk about CISOs and very large IT departments. Is cybersecurity something that is only really applicable to the Fortune 1000 or the large upper middle market, or is cybersecurity also a focus for a much smaller organization, say, you know, 50 employees to 100 employees?
[Mike Trpkosh] That’s a great question, because I hear that a lot. That’s one of the most common questions that we get: do I really need a cyber program? What I always tell them is, if you have any type of digital data, you need a cyber program of some sort. It doesn’t have to be massive, but you have to understand what are my digital assets; again, we go back to the risk-based approach. We have to understand how valuable that data is to us. If you’re looking at supply chain and you’re looking at a big database that just has inventory identification numbers and it doesn’t have racks and rows, that isn’t near as valuable as a medical office that has patient data. Digital data has different values to different organizations. It’s up to each organization to define what the value of their data is. Kind of a long-winded answer, but yes, every organization could use a cyber program. Now, organizations need a cyber team or a chief information security officer; those services we provide. We can come in and do that kind of thing for you and just do check-ins with you. Some of you listening might have heard the term virtual CSO, and that’s an individual that has oversight: they can come into the program, look at it, make recommendations, and they execute. Then he just drops by every three or six months, looks at their progress, course-corrects if necessary, and then gives them the next assignments for maintaining their posture.
[Ryan Shinkle] It sounds like it’s a very highly customized approach to identifying what your area of exposure is. That’s really the first step. I mean, if you look at the risk management process, and I keep bringing in the insurance nerd side of me, the first thing is to identify what the risk is. You can go out and you can purchase cyber insurance, and it is becoming incredibly commonplace. The vast majority of insureds are now asking for cyber insurance or a cyber insurance quote when they’re going through the renewal process. It’s getting to be one of the things that everybody is carrying, and the product has a great deal of variance in it, from a very inexpensive product for a company with very little exposure to a very complex product. Cyber is one that is kind of in the suite of financial lines products or management liabilities, where they need to be very customized to be appropriate. The off-the-shelf cyber product can be very limiting, and it’s in really getting to understand what the exposures are, through a process like the one you’re talking about, that you get the appropriate forms, endorsements, and coverage limits to give the correct coverage for the company. People are sometimes concerned about that process as well: is that premium going to be more, am I going to pay more? But there’s nothing more expensive than cheap insurance in the long run. So when you look at these questions, when you first engage with a new client, are these some of the questions that you’re faced with, and if not, what others are very commonplace that you run into?
[Mike Trpkosh] Sure. So, does my company have cyber insurance? That’s the question that I ask them: do you have cyber insurance? Then they’ll ask me, well, is this appropriate to our risk, and that’s where I’ll say it’s an answer you probably don’t want to hear, but it depends. Then we start the conversation, like you’re talking about the enterprise risk model; that’s where most of your cyber philosophies and theories come from, an enterprise risk model, because we have to have a way to value our assets, and we consider data as an asset. So, does your company have it, and is the risk appropriate? The first thing I ask clients or potential clients is: when was the last time that you had done a risk assessment? I’m not talking about the enterprise risk assessment; I’m talking about just a risk assessment that is around your digital assets. Or what I’ll ask them is, do you have a risk register? Because a risk register is the risk that you’re addressing with regularity; that’s what we’re working on right now. Now, items can be plugged into or taken out of your risk register, and those go back into the risk repository. So, we identify all of the risks to our assets, but we’re only really working on the high-priority ones, because there’s a need there. That’s how I try to break it out to people: let’s identify all of your risks that we can, through a threat assessment or whatever risk assessment. Now let’s prioritize, and take a look: companies don’t have unlimited funding and they don’t have unlimited resources. Let’s go ahead and figure out what makes sense to address right now. So what is the potential cost if I don’t have it? Again, I hate to say it, but it depends, only because not everybody’s the same. I’ll use the supply chain: they’re not near the target that a medical practice is. If you have regulatory requirements like HIPAA, that’s going to cost you in the form of a breach. If you have brand degradation.
If you have the PR nightmare that comes with the risk of a breach. There are a lot of intangibles that play a part in how much a breach is going to cost you. A lot of it is not known immediately; you kind of uncover it as you’re sifting through the rubble, and that’s where the insurance comes in.
[Ryan Shinkle] A lot of the expense in that, when you talk about rubble, is putting that rubble back together again, which is one of the real features of the coverage: the ability to rebuild your systems, to bring in data forensics teams to rebuild your data systems and put your pieces back together. Because unfortunately, when you face some sort of a hacking incident where they have ransomware and don’t let you get back in your system until you’ve paid them the appropriate amount of however much bitcoin they’re demanding, they don’t put everything back where they found it. They may give you your system back, but they don’t put everything back where they found it. Unfortunately, they don’t leave behind a customer service number for you to call, 1-800-CYBER-TERRORIST, please put my system back together because I paid you the money. They tend to just disappear. One of the things that I have found interesting as I visit with clients on cyber insurance is that it actually has something of a misnomer. There’s a misconception around the name cyber, and you deal with a number of clients, maybe in the manufacturing or construction space, who say, look, we don’t sell anything on the internet, we don’t process any credit cards, we don’t have cyber exposure.
What I have found, and I’d be interested to hear if you’ve heard the same, is when you start talking more about privacy and privacy remediation and protecting the non-public personal information of your employees and your clients, that’s when this conversation starts to resonate with many companies, especially if they’re one that doesn’t have the full suite of internal security forces or cybersecurity as you’ve discussed. When you talk about privacy, it’s a very tangible thing to say, if someone gets into your system, and this is a very real claim that I’m aware of: someone hacked in through a Dropbox account tied to an associate general counsel, got into the system, and got all of the employees’ personal information, and of course we’re going to sell it on the black market unless they paid, in a ransom situation. Just the fact that that happened, even if they don’t sell it on the black market, even if that information never goes anywhere, the fact there’s been a breach that you know about, you now have certain regulatory requirements, and they vary state to state. So if you’re a multi-state organization it gets very important that you have an insurance carrier that you believe in and who has the right resources to support you with the notification requirements, the credit monitoring requirements, and these things can really add up to serious dollars if left uncovered. Or, if you have the appropriate coverage, it’s a call to an underwriter who activates kind of a SWAT team, and that frees you as a business owner or executive from figuring out, well, what do we do now. Nobody wants to be in the position of having to google “I’ve had a cyber breach, what do I do now, who am I supposed to call.” So you have that support on the back end to help you put the systems together, do the appropriate notification, and set up a 1-800 number for your employees or clients or customers to be able to call in and get support.
You actually can take what can be a very bad, very damaging event to your business and turn it into something of a, I won’t say positive, but I think you can stop the bleeding and at least give your employees and clients the peace of mind that we’re prepared; it’s unfortunate that it happened. But as you said, Mike, even the best prepared cannot prevent every type of event that can occur. Even the best security system on your car is not necessarily going to stop it from getting stolen; if someone wants to get into your system, they’re going to get in. The ways to get in, this does not have to be some state-sponsored attack, it can be very simple: a phishing attack, email spoofing, where an email comes to me that looks like it’s from Michael, but if I look real close, the L is actually a one, but I’ve already responded with wiring information or I’ve already sent my credit card, and, you know, the cat’s out of the bag at that point. So we’re kind of dovetailing into the effects of a cyber attack, and we hit them.
I mean, time is number one. You want to be running your business, not grinding to a halt while you’re figuring out how to manage this event. Obviously lost capital, if it’s an uncovered loss because you either don’t have coverage or the coverage is inappropriate for the exposure. Then your business is going to be out of, perhaps, lost revenues: if you can’t get into your systems, if you can’t put out proposals or bid work, then you’re going to lose revenue. Lost confidence of your customers and, perhaps even more importantly, of your employees in your ability to keep them safe. It can be very damaging to the brand, and then of course the regulatory penalties and fines if you don’t take the appropriate action. The fines can be quite steep toward the business owners, the directors, and officers of a company for not having put the appropriate coverage in place. Are there other effects, Mike, that are worth getting into?
[Mike Trpkosh] No, I mean, you hit the nail on the head, straight on. The whole point of your insurance and your data breach response plan is the ability to reduce chaos. When I do exercises, desktop exercises, with organizations, the best compliment I can get is: they all come walking in with their cup of coffee at eight o’clock in the morning, it’s like, all right, let’s sit down, let’s get going, and I just love it when somebody comes up and says, my hands were sweaty, I had a knot in my stomach. Because we make these exercises, and that’s the point. The point is to tell you it isn’t going to be the Treasury or Secret Service coming up to you and saying, hey, we got your data on the dark web and here it all is and here’s what it means. You’re going to get snippets of that, and you better be prepared. And you had mentioned regulatory; a lot of that is communications. Your notification process starts, and it’s timed.
Most of your states have disclosure windows that you have to meet. Once you call a breach and say we’ve been breached, the clock starts, and you’re going to get fined based on how well prepared you are to deal with that, how well prepared you are to communicate to people. Having that ability to say, we’ve gone through exercises, people, we call this team, we bring in our breach response team, we have our insurance agent, we have our cyber team that comes in. What that’s doing for you, it doesn’t lessen the trauma of the breach. What it does is it buys you time, to use that time somewhere else as part of your rebuild. So that’s what I tell people all the time: having the right partners in place reduces the chaos; you’re not standing there googling or looking like a deer in the headlights. You come out and you say, we’ve exercised this, we’ve practiced this, it’s real this time. Now you go do this, you go do this, and so the time you save is time that can be applied toward something else.
[Ryan Shinkle] That’s well put. An interesting change I’ve seen over the last five to maybe seven years is, it used to be, when I would advise a client on cyber coverage and privacy remediation, I would get a lot of pushback from their IT team internally, as if it was some sort of an indictment: we’ve got firewalls, we’ve got protections, as if it was some sort of an indictment of their capability or their preparation. I have found over the past few years it’s actually shifted, to where the best IT professionals in the business are recognizing that this is a tool that makes them better prepared for their job. They’re more welcoming of people like you and me to come in and poke around and look for vulnerabilities, and then solutions for the vulnerabilities. But not that long ago, I can remember, you know, very experienced and very well educated IT professionals were put off by the concept of guys like you and me coming in and looking to see what was going on and offering solutions to issues that may exist. Have you had a similar experience?
[Mike Trpkosh] Yeah, the how-dare-you-challenge-me mentality. What we’ve done as an industry is tried to educate and tell people we’re all in this together, we’re all in one boat, and it’s that single torpedo that can take us all down. So why don’t we band together and put these defenses in place? I don’t know if any of the listeners have heard this term, but it’s defense in depth, and what that means is that I’ve got a perimeter defense, and if that attacker gets through it, or when he gets through it, all he’s facing is another line of defense. Then he has to go through another one; we look at it as an onion. So you’re peeling back the layers, and that’s what we want. Now the internal IT people are at the core of that, and they’re welcoming those layers because the attacks have become so complicated and so sophisticated. They’re phased attacks, and a lot of your big attacks start with noise somewhere else, like somebody’s trying to brute force a password. It’s very noisy, and all of your resources are focused on that, and then they’re sneaking in another back door over here. The IT teams understand that now, and they’re like, whatever help you can give me, I will take it.
[Ryan Shinkle] Yeah, I mean, we’re here to make you look better and be better prepared, so that when it goes wrong you can say, I knew it could happen and that’s why I got the advice from Pathway and recommended the coverage that we have. Makes perfect sense. So when we talk about coverage, one of the questions that I get is, okay, so what do we look for, what are the key components of a cyber policy, what should be there and what shouldn’t be? Well, at the risk of copying you, it’s, well, it depends: what keeps you up at night, what business are you in, and what are you concerned about? But the key questions, I think, that are on the screen pretty much hold: with the insurance company, are there multiple policies available, are there levels of policies that are available from any given insurance company? The answer of course is yes. You have kind of your basic unendorsed policy, and you can bolt on better coverage, broader coverage, higher limits, lower deductibles. What’s interesting about that is a lot of times it doesn’t necessarily carry a lot of extra cost, with cyber being a little bit different than a lot of other insurance products as far as getting broader coverage or more enhanced coverage. A lot of times it has to do more with the underwriter’s understanding of your business and your operations, more so than, well, we’ll give you X amount more limit for X amount more premium. That’s where I think having an assessment on the front end like Pathway has, or something similar to our risk management system that we use called Insight Plus, helps the underwriter get a better feel. The more comfortable an underwriter is with your business, and this is almost any kind of insurance, the less expensive it’s going to be, and that’s why it makes sense to poke around. Most of them have maybe more than one type of insurance policy, and these policies can and should be highly tailored to the needs of what your business does.
As you might imagine, an IT firm or someone in the healthcare space, as Mike mentioned, is going to have very different exposures than a construction company or a trucking company would have. They all have exposure; it’s just different. Deductibles vary widely; it’s kind of hard to do on this forum. There are typically some coverages that carry dollar-amount deductibles and some coverages that have a time-element deductible, especially as relates to business income. If the cyber attack shuts down your business and you can’t operate, there may be a certain number of hours or days until the insurance will kick in and start paying you for the lost income. The coverage is applicable to both first and third parties. It’s called cyber liability, and a liability is typically for a third party: the damage that can be done to you, to others, because your system has been hacked. Think of an instance where you have client data on your servers and your servers are hacked, and now sensitive client data may have gotten out into the wrong hands. People think of hacking; it can be as simple as, you know, someone left an unprotected device on a park bench and someone got access to it, and your email is linked to it, and there are attachments in that email that may be sensitive and may be damaging if they got out, to your company or potentially to your customers. That would be both a first- and third-party example. Someone getting in and breaking your stuff: first party. Someone getting in or getting access to your information and damaging a third party would be something for which you may be liable. Very often contractually liable, where you are obligated to reimburse another party, indemnify them, for damages done due to you doing business together. Those contracts may require cyber liability insurance.
The events the policy covers are so varied and very unique, but broadly speaking it’s an unauthorized breach of your systems, dissemination of information beyond your control, the misplacement or erroneous sending of intellectual property or capital. It can be incredibly broad coverage if written the correct way, but what’s key is that the agent that you’re working with, the carrier that you’re working with, truly understands what your exposures are and where loss may occur. What I’ve found many times with cyber is it’s not one of those things that’s keeping you up at night; it takes some conversation and some exploration to get to where the exposure really lies, which I think is applicable both for what Pathway does and for what we do as an insurance advisor.
Does the policy cover? The appropriate answer would be, it can. Yes, the policy can cover non-malicious actions taken by an employee. This is the accidental phishing stuff; this is an employee of yours who is not out to hurt you or out to damage you and accidentally sends a client list to the wrong email address. Something as simple as that, if it is sensitive data, can be considered a breach, and you owe some duty to the people whose information was accidentally sent to a third party. There may be someone in your email database, I think most of us have done this, you’ve gone to type in to send an email to Michael and it goes to the Michael who autofills instead of the one that you intended, and the next thing you know you’ve sent sensitive data through email and you’ve had a breach, and it was non-malicious, non-intentional.
Is there a time element to the policy language? Something that can be important with many policies, not just cyber, is that it’s important to really understand the detail in the policy of when you have to report something that has happened and who the individuals within the organization are that are described as responsible individuals for reporting that incident to the insurance company. This actually can be a very important detail, because if someone at a management level, or maybe everybody at the management level, is listed in the policy as being a responsible reporting party, and one of those managers becomes aware of an incident and takes no action, or doesn’t pass it up to a director level, doesn’t report it in, and then finally, later in time, the claim is reported, and in settling the claim they discover, well, this manager had knowledge of it three weeks ago. You may run into an area where you don’t have full coverage, or maybe limited coverage, or maybe no coverage at all, because that party who was aware of it didn’t report it in time for the insurance company to take action and potentially stem losses. So it is important to know the definitions of who the people are that are responsible for reporting claims and what sort of time limitations there might be around them reporting those claims from when an occurrence became known.
[Mike Trpkosh] They also might, if you don’t have it defined who the communications person is, what you also see is, when I had mentioned notifications start a clock, if somebody that isn’t authorized to say something does, they’ve started that clock, and it might be starting way earlier than the organization wants, because they don’t have everything in place. That also imposes a bunch of risk on an organization by not having defined roles on that breach response team.
[Ryan Shinkle] That’s very well put, and it’s one of the benefits of not just buying the insurance and sticking it on a shelf and saying, okay, we’re covered for cyber, but taking the extra step: working with an advisor, working with someone like Mike’s team, to identify what is our crisis response, who are the people that should know, what should you say and what should you not say. Having that response team in place ahead of time is critical. Well put, Mike.
[Mike Trpkosh] I did a webinar last year on data breach response, and I asked a poll question: how many of you out there have a separate breach response plan, use your incident response plan, or have no response? 46 percent said that they would use their incident response plan. It’s a totally different animal: you start out with an incident, and then you deviate from that path to the special considerations necessary for a data breach, like what we’ve been talking about today. The fact that so many organizations would want to use that, they’re the ones that are going to be googling what do I do when I’m breached.
[Ryan Shinkle] That’s right, and at a minimum you’ve gotten some coverage, and that first call is to your agent or to the insurance company to pull in resources that may be available. Most of these insurance companies offer, on top of what to look for on the coverage side, tools and resources that are available to me before, during and after an incident. Cyber is one where many of the top insurance companies offer a nice suite of preparedness tools to help you do some planning and preparation, because, as you might imagine, the best claim for them is one that never happens. They have tools and resources that you can use in combination with a firm like Pathway and say, well, here’s what we have available to us from our insurance company; how do we incorporate that into our planning, or how do we incorporate that into our response?
I would encourage any of our current attendees, or anybody who may see this, to reach out to your current agent or broker and have a conversation about what’s available to you through your insurance policy. How can you take advantage of those resources before you’ve even had a claim, in an effort to prevent an incident or a claim from occurring? We’ve talked some about incidents and claims. Mike, from your perspective I’m interested: what are the top threats that you’re seeing? Now we know that the world has changed with COVID, where many of us are working from home on what may be less secure servers. We talked about this at the very outset of our call, how that has kind of changed the game. With the current environment, what are the biggest threats that you’re seeing right now?
[Mike Trpkosh] Yeah, great question, because normally what we would see is that the types of threats are not changing. They’re not changing because they still work. What we’re seeing is an escalation of those threats. The top threats that I see right now are what we call BEC or EAC, that’s business email compromise or email account compromise. Then CEO fraud. Then the next one is ransomware. Both of those are under the umbrella of phishing and social engineering. The ransomware and the fraud are a result of the phishing and social engineering. We’re seeing a massive amount of phishing and social engineering attempts because of the remote workforce, because people are a little bit more comfortable working at their home. So they’re more likely to click on things or emails. They’ll have both their personal email and their company email pulled up because they’re at home. When a personal email comes in they’ll click on that, and once that is infected your home network becomes compromised and you’ve established a trusted relationship back to your office. Therefore, we pivot right back into the company.
The BEC and EAC, what I was telling you earlier, is the reason that these are so scary right now for any organization. Over the past few years we’ve all been conditioned not to click on attachments or not to click on links, you know, or to try to interrogate emails a little bit. What’s happening is the BEC and the CEO fraud attack psychology. You don’t click anything; it’s the attacker getting you to do something without your spidey sense or your ability to determine that something about this doesn’t seem right. What they’ll do with the CEO fraud is you’ll get an email and it says, hey, this is the executive vice president or CEO, I’m at a conference without access to email and I need you to pay this vendor. They reached out to me directly and we’re behind on an invoice. I want this taken care of before lunchtime today, please handle this. Everybody wants to please their boss. He’s not available and it’s a rush, so now all of the defenses that you would normally use to break that apart, the attacker’s taking those away. So the average person is like, oh, I need to do this for the boss, he asked me specifically to take care of this. In your desire to please your boss you’ve just wiped out the ability for your company to defend itself against anything like this. That’s a big one. The other one is if you do click on links, or it says go to this website for the latest cure for COVID, how to protect yourself, or your state’s health department says this is the best thing to do to prevent COVID. Well, you’re going there and what that is, the address might be one letter off, and instead of going to the state health department you’re going to an attacker’s website and they’re downloading a payload of ransomware and now you’re compromised. Those are the big threats right now, and unfortunately security awareness training only goes so far. We just have to keep that mentality front and center and let people know: every time you click, think twice and click once, kind of the old carpenter’s adage.
But you just have to do it. We’re getting to the point where these guys are so smart. The fact that they’re going psychological on us is really scary to me, and I’ve been around forever.
[Ryan Shinkle] In preparing for our meeting today I saw an interesting statistic, and statistics can be, you know, one thing one year and completely different the next. But this one stood out to me and made me think I should be very careful: 85 percent of people posting puppy photos are trying to scam you. Now I don’t know where that came from, but I think nothing brings your guard down like a puppy photo. So click here to donate, or whatever the case might be. All the other statistics were very dry; that one really jumped off the page at me. Look at this cute little puppy, boom, and you’re compromised. I think the next logical question, and then we’ll look to wrap up here: we’ve talked about the biggest threats here, the CEO fraud and the email spoofing and the social engineering type things. What kind of basic, I think common sense, steps do you advise people to take as far as educating their employees on what to be on the lookout for? What kind of measures, as far as, look, if someone asks you to do anything with money, have a third party, accounting or something like that, verify? What kind of steps do you have people put in place for them to share with their employees and also just to use in their own lives, both professionally and personally?
[Mike Trpkosh] I’ll give you a good example. I received an email this morning. I have a rental commercial property, and it looked like the company that I lease from had sent me an email, but there was no signature, nothing, just “click on this, we need you to sign these documents.” I sent them back an email and said, hey, this looks suspicious. They quickly sent it back and said, hey, we’re sorry, we wanted to get this out in a hurry, but it is legitimate. It only took five minutes. You’re right: set up procedures within your organization so that if it’s urgent, if there seem to be limiting circumstances for you to do your due diligence, if you feel like that, chances are there’s something wrong. I would even go so far as to develop almost a “check it with somebody else” or call them directly. These attackers, if they get into your email and they’re watching who your vendors are, they’re going to pick a vendor that you do business with regularly. Call them anyway, just spot check them, say, hey, I just wanted to double check on this one. Or set a dollar amount, or say that we’re not going to pay anything if your banking or wiring instructions change. That’s a red flag, an immediate red flag.
[Ryan Shinkle] Especially if it’s offshore.
[Mike Trpkosh] Exactly, and look at the English. A lot of times these emails are from countries that don’t have a good command of the English language. Look for grammatical errors. If it says it’s from Microsoft and there are two periods at the end of a sentence, massive red flag. They’re not going to let that stuff get out.
[Ryan Shinkle] Can’t you also click in the email? Like, it may appear it’s from you, but if I click on it then I see it’s actually just a string of letters and numbers, and then you know it’s something suspicious.
[Mike Trpkosh] We call that spoofing. What I can do is say that I’m Jackson in the “from,” but if you hover over it you’re going to see the actual email address it’s coming from. That’s what I tell people, there are five steps: look at the English, look at the grammar, hover over the “to” and just take a look at it, and if it doesn’t sound right it’s probably not. Nobody is going to beat you up over being too careful, not in today’s world, and if you do get beat up, that’s not right.
[Ryan Shinkle] No, I agree with you. Really good tips. I think that’s most of the ground that we had to cover for today. I don’t see any questions in the chat box, but maybe we just give it a minute. If there are any questions for Michael or for myself, we’ll give a minute for any questions to populate.
[Mike Trpkosh] Two things that I’ll follow up on. When we talked about “it depends” as an answer, don’t be offended by that. What that means is that who you’re talking to is probably knowledgeable enough to know that they can’t give you a one-size-fits-all answer, and if they do give you one size, that’s the one to be wary of, not the guy that says, it depends, let me ask you a few questions first before I respond. The other thing too is we’re seeing these massive data breaches recently because back in the day all of those were paper files; you’d need a tractor trailer to carry off a million records. Now I can carry a million records off on a thumb drive. It’s an economy of scale, and these attackers know it.
[Ryan Shinkle] Well, hey guys, we have a few questions from our audience members. One of them is: how often should we test our cyber risk plan?
[Mike Trpkosh] I’m a big proponent of reviewing that plan with my teams. When I was a CSO, we would always do that in February. We’d have our annual objectives, and then the first thing that we did every year was go over the former cyber risk assessment. We would take a look and say, is that still a risk, and if it is, what do we need to do, what progress did we make. If it’s not, then we would move it to the risk register and move something else in its place. We would have a half-day event where we did a threat assessment, and the threat assessments are fun because no answer is out of bounds: meteor strike. What I do is give everybody a yellow pad of stickies and a pen, and we would say okay, stick these on the wall, then we would categorize them by how likely they were to happen, and that’s how we came up with this. So it was a fun exercise, but long-winded answer, I apologize. It should be at least once a year, and twice a year if you can manage that.
[Ryan Shinkle] That’s a good question.
[Jackson Phipps] That kind of answers the follow-up question. What does the protocol look like for making sure everything is up to date as cyber crime evolves?
[Ryan Shinkle] I think the question is, what’s the protocol to build the plan and stay on top of the evolving cyber environment?
[Mike Trpkosh] Okay, I get it. Yes, and as cyber crime evolves, again, the threat assessment is what we do to take that into account. What is the current, what we call the threat landscape, what does it look like now, because you’re right, it changes sometimes more frequently than every year. You want to make sure that you’re addressing the crime. This year we would look at social engineering, and we’re all responding to that, and unfortunately that’s a lagging indicator; we’re responding to something that is already happening. They have the advantage of thinking up new ways to trick us. If that doesn’t answer your question, feel free to reach out to Jackson and I’ll answer it better.
[Jackson Phipps] I think that’s all the questions we have from our audience members. I wanted to thank you, Mike, as well as Ryan, for taking the time to give us a good, informative back and forth with this. I know it’s probably helped a lot of our viewers.
[Mike Trpkosh] I was just saying I enjoyed spending the hour with you, and I think it was a great conversation. I really enjoyed it.
[Ryan Shinkle] Likewise, I did as well. I think that we’re going to make this available through some other channels where people may see it after the fact, and if that’s the case, if you’re watching this in the future and you’ve got questions that you would like answered and addressed by either Michael or me, or both of us, please send a note to Jackson at firstname.lastname@example.org and he’ll be sure to facilitate that. We would be more than happy to engage with any of our attendees today, or those in the future, on helping to make you more prepared and more cyber secure. Mike, thank you so much for your time and for joining us. Jackson, thanks for facilitating, and I hope everyone has a wonderful, secure day.