David Schade:
Welcome to the First Business Bank podcast. I'm David Schade, and I'll be your host for today's episode about cybersecurity and ransomware. To explore this topic further, I have Frank Stephens and Derek Laczniak here with me today. Would each of you please introduce yourself to the listeners?
Frank Stephens:
Hey everyone, Frank Stephens with Computing Technology Solutions. I've been in this field for a little over two decades. In the last eight years, concentrating [inaudible 00:00:47] in cybersecurity. So cybersecurity for business can be overwhelming and it can definitely be confusing. So we work with all of our clients and partners to make sure that as smooth as possible, as well as effective as possible.
Derek Laczniak:
And my name is Derek Laczniak. I'm the director of cyber liability with M3 Insurance. I started that practice group at M3 about nine years ago, and I partner with organizations of all shapes and sizes and industries and makeups to help them understand what kind of insurance products are out there, which are the best options for them, how much insurance to buy, and how to get through the underwriting process in order to apply for cyber insurance.
David Schade:
Thanks for being with us today, Frank and Derek. And as we think about this topic, I feel like it is extremely timely, because on a regular basis our clients are asking us, "Hey, how can we be handling cybersecurity and ransomware today, so our business is not the next headline in the news?" Frank, maybe we could start with you.
Frank Stephens:
Yeah, it's a new world that we live in where the cyber attacks are happening more often than ever. These guys are basically attacking from, whether it be from North Korea or Russia or even within our organization or within our country. So there's a lot of things that we need to be concerned about. From my perspective and what I've seen out in the field is the biggest threat is our employees and our contractors ourselves. And we can build the strongest doors and lock all the hatches and lock everything down, but at the end of the day, if one of our employees is doing something that could be potentially malicious or negligent, that's where 86% of all these cyber attacks happen, where someone accidentally clicks on an email or attachment and then the payload comes down unfortunately.
Derek Laczniak:
From my perspective, the threat has gotten much, much stronger and much more concerning over the last couple of years. And what we've seen really, when we start looking at through the lens of insurance, is that the types of attacks have really started to become centralized with variants of ransomware. And not to go on too much of a tangent, but ransomware even in of itself, while it has become a buzzword, has even evolved and matured. So ransomware used to be just holding information or data or computer systems hostage in exchange for a cryptocurrency payment. Well, as people started working with organizations like Franks', their backups became more sophisticated. And so, the tackers had then evolved again.
They said, "Well, [inaudible 00:03:15] the risk that they might restore from backup and not pay my ransom while I'm there encrypting information, I'm going to steal it. And then in case they have a backup, I'm going to tell them, Well, if you don't pay the ransom, even if you restore from backup, I'm going to dump all of your personal records online." And so, even as the risk management solutions that Frank's company, for example, works with have evolved, the attackers continue to evolve and it's created a big challenge in the insurance marketplace, because we're used to dealing with finite risks in insurance like property insurance, fire, wind, hail, water, tornado. Those haven't changed in really a hundred years. In the cyber landscape, we're trying to design policies and price policies to battle a risk that seems to change every three months. And so, the threat has become more frequent and more severe and it's a moving target, which has been a real challenge in our industry.
David Schade:
Yep. Thank you both for chiming in. That is very insightful and interesting. And I think to kind of dovetail off of some of the comments that you discussed, Derek, what are some of the top threats that businesses are seeing today in addition to what you've already discussed?
Derek Laczniak:
Some of the threats, there's really two or three different vectors that we see most often. And I alluded to the ransomware example, because it's everywhere, but only focusing on ransomware would ignore some of the largest, most expensive claims that I've had in my career have been as simple as inbox compromises. And to Frank's point, when you talk about all the security you can put up there, it still comes down to your end user. And inbox compromise, if you think about everyone who's listening to this, what's in your inbox? Despite being a cybersecurity guy, I would be embarrassed to show people that I probably have attachments in my inbox that have data sets that I don't need or saved elsewhere, but are still loaded into a file within my inbox. And when an inbox is compromised, usually bad actors want to use that inbox to commit fraud.
But you have to assume that as soon as an inbox is compromised, even if the bad actor's not looking at anything, everything is presumed to have been stolen. And so again, it's this presumption of data exfiltration that has become a real threat in today's world. And the last point I'll make is, while I think the general public have become somewhat numb to this idea of privacy, legislation around the country has gone the other way. Well, you might get a notice in the mail about a data breach you were involved in and you don't care and you don't sign up for credit monitoring. The reality is, which only 4% of people do, that might be true, but the state's laws have gotten tighter. There's now federal legislation that's been introduced. So there's a dissection, and because of that, the threat of just data loss, albeit the impact it might have on your business, has become a real threat that's emerged again despite all the talk about ransomware.
David Schade:
Thanks Derek. Anything to add, Frank?
Frank Stephens:
Yeah, I want to just make a comment, and Derek, that was great, but having your inbox compromised, what that means is, someone basically goes into the back end and for the most part, all of us use Microsoft O365 for our email posting. If you don't have the proper measures in place like multifactor authentication where you have to get a multi-digit code in order to log in and stuff like that, what these guys are doing is, they are infiltrating your mailbox, they're popping in there, getting access to it, put in rules in place, so they get to see copies of all of your inbound and outbound messages. And these guys will sit there for months. And what they do is they learn who you talk to, who your customers are, who's the CFO or the controller. That's a huge thing. And what they'll do is then go ahead and create a phony Gmail account that looks like the controller's email address or the CFOs.
And what they'll start doing is start sending out emails to the accounting team, I've actually seen it where they sent an email to the bank saying, "Hey, I'm Tracy, for example, I'm the CFO, can you wire me some money?" And you'd be surprised at how authentic these things look, like Derek was mentioning, these guys are getting smarter and smarter and the stuff looks legit. And so, by the time you realize that you have been compromised and money's been moved, that's when it becomes very serious, because at that time you're like, "Wow, they've been watching and having all of our data for months on end." So scary stuff.
David Schade:
Yeah, it certainly is. We definitely see that occur on the bank side all the time. And that's when from our perspective, a lot of education comes into play to make sure what is a client doing out of band to confirm that request to make sure it's legitimacy. So let's say something does happen, what are the next steps if money does go out the door?
Frank Stephens:
The first thing that if money goes out the door, is typically what all of our clients have is an incident response. And what that means is who do you alert? What is the process of that alert? So in most cases they'll alert ourselves. So my organization would quarterback the whole thing, where we would get law enforcement involved. We would help preserve the data where we would bring in a forensic [inaudible 00:08:13] depending upon how serious the thing is. And then obviously provide any kind of information or data and anything that we found essentially to both law enforcement as well as the insurance company, so they can start processing that stuff pretty quickly. Because at the end, time is essential and preserving that stuff is essential as well.
David Schade:
Absolutely, Derek?
Derek Laczniak:
I would totally agree with Frank. Time is of the essence. And David, you would even know this on the banking side, when you have one of those unauthorized or social engineered transactions, like any security breach, it's all about time. The quicker that you notify your financial institution, the better chance you have of recouping those funds. Because, think about it, money goes to where it shouldn't have gone. That bad actor still has to take a withdrawal of those funds. And so, you have some windows to chase them around before it bounces through nine different bank accounts and ultimately get withdrawals. So one of the biggest things when you have any security incident, whether it's a bad transaction or an inbox compromise or even ransomware, you'll hear this I think throughout our discussion today, it's all about how ready are you and how quick can you respond? And that doesn't mean you can fix it, but that just means that you have a plan and that's really the biggest thing.
David Schade:
Yeah, thank you both for your feedback there. We've seen that all too often as you had mentioned Derek. And the quicker they contact us, obviously the better. Something that we hear from business owners a lot is, "Well, we might not need additional parameters because we check our bank accounts every day." But then all of a sudden that fraudulent check sneaks through or their email is compromised as we discussed and money leaves the door. And so, having that plan of attack is definitely vital. What about on the ransomware side. What are kind of the immediate steps that should be taken?
Frank Stephens:
So if you get hit with ransomware on the computer level or the server, the first thing to do is isolate the patient zeros, what we call that. So in those cases, any machine that you clearly see a message or a screen, you should immediately turn off that machine and disconnect it from the network. So at least you're stopping the spread of any kind of infection from other systems. In that case, we also do a snapshot is what's called basically where we take an immediate snapshot of the server prior to that, so that we preserve what's on the server. And then we of course with all of our backup disaster recovery solutions, we want to make sure that there's an air gap.
So any kind of backup solution that you have out there, they are are both air gap and non-air gap. What that means is, if the machine or the server's compromised, is the backup solution transparent to the hacker and in most cases it should be, because this way if they have access to the backups themselves, then they can delete that data as well. But regardless of whatever direction you go, the feedback and the guidelines from the FBI is you should never pay ransomware. All you're doing is perpetuating this. And when they get their millions of Dollars across thousands of companies, they're just going to continuously increase their [inaudible 00:11:07]. I've read articles that if you've been hit once, the likelihood of you getting hit again and you're being a target is multiple factors. So that's, the time in which you need to really lock things down as well.
Derek Laczniak:
Yeah, I would echo a lot of what Frank says. In my role, I am funding the cleanup of these kinds of incidences. Frank has got a front seat to watching these things transpire. And from my perspective, it's about knowing the tools that are available to you. And knowing that cyber breaches have a very predictable pattern regardless of what kind of attack it is. And the people that you need to get in touch with are also very predictable. 99% of the breaches I've been involved with have included a breach coach, which is an attorney and a firm like Frank's, forensics analysis firm that not only can figure out how it happened, when it happened, is it still happening?
But also find you and give you the best solutions to do any kind of recovery that you can. And that attorney and these are highly specialized people, they're there to protect privilege along the way, because what you can't account for is if data is leaked and you have to make notice, you're opened up to civil and potentially regulatory litigation down the line and you don't really want every conversation that was had in the heat of the moment being subject to discovery. And so, it's about knowing what to do first and knowing who you're going to call first and turning something that could be a 48 hour delay into 4 hours. That's how the people who get out of these things the best are able to do so, is because they act quickly.
David Schade:
Yeah, very insightful Derek. And I think our listeners might be interested just in the whole cybersecurity policy, what should they be looking for? How does it work? What does it cover? What should it be included? Can you provide some comments on that?
Derek Laczniak:
Cybersecurity insurance has really evolved. Not to get too drawn out in the history, but when cybersecurity really became mainstream about 10 years ago, it was really profitable. And what happens when you have profitable insurance products? Coverage gets really broad, because carriers are competing against each other. Price goes down, because that's the other tool they have to compete against each other. And so, it was really a buyer's market. It was the fastest growing product from 2015 to 2020 in terms of new policies being written. It's turned into a $5 billion insurance market that some say could be as large as the property insurance market. But a good policy still has the same things today that it did before. And that's saying something, because rates have risen 50 to a 100% over the last three years. Underwriting has become very, very, very detailed.
But coverage has still, for the most part remained broad. But with the losses that we've seen in the market, we have seen carriers start to retract coverage. So all of a sudden you get this deal and it's like, "This is an amazing deal. This is way better than what you told me." And it's like, well, the devil's in the details because the one coverage that you wanted has not been cut. But at its most basic function, a cyber liability insurance policy does two things. The first, is it covers your expenses associated with remediation of the incident. That's going to pay for Frank's team. It's going to pay for your attorney, it's going to pay for any loss of income that you might have as a result of a security breach. It's going to pay the ransom, if you decide to pay ransom. It's going to pay all of those first party costs that you incur.
Those are immediate. That clock starts ticking almost immediately when you're attacked. The second piece that it does, is it also pays for any liability that might be assumed because of a data security incident. That could be you notified a 100,000 people and now they're suing you. That could be a regulator from the state of California or Illinois that's launched an investigation. It could be the OCR for a HIPAA violation. It could be any SCC if you're a publicly traded company.
So it does two things. It provides you a bucket of funds to clean up the incident and on the back end it provides you defense and potential any fines, penalties or settlements that you might incur because of the damage that the incident did. So they're very robust policies. And the last thing I'll say for the listeners out there is, there's no standardization in the cyber market. One might say, that's why I have a job, is because every policy is different. They might cover the same thing, but the carriers like to mess with you and they all use different language. And so, you really need to work with and read the details and understand that what you're getting is what you want, because they're all set up a little bit differently.
David Schade:
Thank you for that. Frank, what about on the consulting side? How does your industry work? What should a business owner be looking for when they're talking more on the forensic side?
Frank Stephens:
On the forensic side, it gets dicey [inaudible 00:15:45] for me, business owner, you don't know the details of the back end. And from our perspective, what you need to be focusing on is the logs of all the systems. So the logs from the servers, the firewalls, if you have an endpoint detection response system, all those logs will be needed to be provided both to the insurance company, legal, state or federal officials or whoever they may be. So it's preserving the logs and the integrity of the data at the time of attack. And at that point, that's what you need to be concentrating on when that happens.
Derek Laczniak:
I'll just add a quick comment to Frank. I went through an attack six months ago and there was a shortage of, for whatever reason, and this was in Wisconsin, in Milwaukee area, there was a short of external terabyte drives that were... He went to Best Buy and they just weren't on the shelf for whatever reason, supply chain, and Frank mentioned this earlier, a lot of times you're making an image copy of servers that are infected and you need an external storage device to do it. And so, a good example is if you don't have those sitting around handy and Frank's pile's been depleted because he's had 20 attacks this week, that's like a little thing that you can proactively have on hand, the smallest supply chain disruption of external hard drives can be the difference in responding to an attack. So it's these little things, these subtle things that you get from working with a team like Frank's or mine that will have you just checking all the bases. It's disaster recovery, it's like your bug-out bag. Do you have everything you need in it?
David Schade:
Very good to know. Is any industry immune to cyber threats or is one particularly targeted? What about size of company?
Frank Stephens:
From my perspective, there are some verticals that are absolutely targeted. My industry is IT consulting, because we have the keys to the kingdom of the back ends of all everyone's servers. Other ones that I see significantly hit is our financial services and our accounting firms. If you are able to infiltrate an accounting firm and it's payday, I mean you've got [inaudible 00:17:44] security numbers, you've got tax returns, you've got full addresses, children names. I mean you have everything.
From a size perspective, from what I've seen, they're targeting any organization between 10 employees and typically about 150 employees. And those are the cases where they may not have a huge budget for cybersecurity or security or IT in general. So in those cases, they're the biggest target. They're an easy target, they're less likely to have the tools in place, awareness, training, all that stuff. So unfortunately those are the guys where when they do get hit, I mean it shuts down their business. And it's sad to see that these people can go out of business because of something like this unfortunately.
Derek Laczniak:
I totally agree with Frank. The size specifically, it's like a Nat Geo. Which elk does the cheetah go after? The weak one. So they're not targeting Fortune 500 companies. Sure there's a fair share of people who are, but they know that they can't maybe ask for as much of a ransom, but they have a higher probability of executing the payload. And so that's, kind of how they're hunting. The only thing I would add to what Frank said is that there's been some industries that thought, "I would never have an attack." I would say the construction industry has largely believed, because they're not super techy or sophisticated, if you go to a job site of a high rise being built, you'll notice that all the foreman's have iPads. They don't know when the products coming in, they don't know where it is. Our world has become technology advanced and when you take that away after using it for a couple years, you'd be surprised how much inefficiency takes place.
The other area that we've seen a spike, is manufacturing. We're in Wisconsin, a lot of manufacturing. When you look at a manufacturing, when you look at CNC machines, those things are being told what to do. They're tying directly back to an ERP system that an accountant's looking at. That machine is making what it's being told to make through a computer software system. So when you are successful in taking down a manufacturing operation as a bad actor and a manufacturing operation dials into the minute how much money they're making when a machine is running and you take that offline for three weeks, manufacturers pay ransoms, because they don't have the sophistication as Frank said, because they haven't invested in IT even though everything on their floor has gotten technology advanced. And so, we've seen an uptake in the last year of manufacturers getting hit pretty hard with things like ransomware.
David Schade:
Thanks for that feedback. I know a lot of what I was hearing in your comments just now was like when an event happens or you're a victim of cyber crime. So maybe just wrap things up, as businesses look to put together their incident response checklists, kind of what are those fast 1, 2, 3 steps that they should be taking in the event they do become a victim of cyber crime?
Frank Stephens:
So I'm going to answer that about being proactive, not necessarily what happens in that situation. I mean, when you have the appropriate documentation of the incident response, literally you follow the checklist and when you do that, you're going to have the least minimal attack. But when you think about being proactive and before that actually hits, what you want to do, is want to look at a full security stack is what we call that. And what that means, is basically protecting everything from server to the internet all the way down to the end user. And there's six things that I say that every small or mid-size business should have from a solution perspective. And the first one is called an endpoint detection response. What that is, is it's basically, I call it virus protection steroids. So everyone's pretty familiar with virus protection from McAfee or Norton, Symantec, Microsoft, whoever it is.
All that virus protection is basically, it's software that comes down on a regular basis and it basically has a definition file. What that definition file says is what's bad and what's good. So if something hits your machine or a server, it says, "Whoa, that's bad." What endpoint protection does is it takes it to the next level. And this has been the most successful that I've seen out there that prohibits and stops a ransomware attack. In fact, if you look at insurance policy questionnaires, it actually specifically says, "What EDR are you using and what brand?" And what this does is you put an EDR in place on the end user's machines and it learns your behavior. It learns what David or Sally does on a daily basis, what websites they use, whatever they do. So in the event that something's outside of their behavior or their profile, it says, "Whoa, I'm not sure if this is a virus or not."
Because in most cases, if it is a ransom attack virus will not necessarily see that. What EDR does is say, "Hey, something doesn't smell right. Shut that process down and alert the appropriate people, so that we can take a different deeper dive." So to me that has been a game changer for us. I'll go quick on the other ones. One, is of course a backup disaster recovery solution. What that means is, you're backing up your data, but in the case of ransom or the building blows up or natural disaster, are you appropriately copying that data to the cloud in a secure manner, to make sure that that data is secure. The other one thing that we touched base on earlier, is multifactor authentication. For those who use banking software for the last 10 years, or you try to log into some kind of secure site, you typically get a pin or a code that will be emailed to you.
If you do not have MFA in place, multifactor authentication with anything that is external like your email or anything like that, you're a sitting duck. And in most cases it's free to implement. You just have to do it. The other item is, even though Microsoft and they say [inaudible 00:23:06], "We're not the best at spam." A lot of stuff comes through spam. And so, to have a front layer of phishing and spam protection in front of your O365, something like that, and it literally costs a couple Dollars a month and it's well worth it. The fifth item that I always tell people, is the employee awareness training. And this is something I mentioned earlier. So 86% of all successful hackings is because an employer or subcontractor did something they should have done. And this is basically sending them either fake phishing attempts or fake spam, but it also, it educates them.
So it tells them typically about 10, 15 minute video on a yearly basis to remind people this is what you should be looking at. This is how you determine if something's real or fake and this is what not to do. And again, this is a pretty inexpensive solution and it does wonders. And then the last thing and it's something that from an IT perspective, we've been preaching for decades and that's patch management on your servers and computers. It's something that's so basic and simple that we kind of forgot about, but when there is truly an attack, that's what they're going to be using to spread those kind of things. So between Microsoft, Adobe, or even if you have a Mac, I know people don't believe that Mac's can [inaudible 00:24:16] from a malicious attack. That's not true, they do and I've seen it. So that's, the kind of stuff that we work with on our clients. So if you implement those six items, the likelihood of a ransomware or any kind of attack is slim to none, which is awesome.
David Schade:
That's great, Frank, thanks so much.
Derek Laczniak:
And I'll be really brief, David as we're coming up on time here, but I want to say something that is not a coincidence. Frank's an expert in security on the IT technical side. Everything he just said, those six items, they have gone from nice to haves to table stakes in order to apply for cyber insurance. That's not a coincidence that the things that Frank is telling you that you need to have, have become the minimum requirements in order to apply for cyber insurance. Eight years ago they gave cyber insurance away. If I knew your name, your revenue and your website, I could get you five quotes. Today, I don't really care about those first three things. I care about the answers to those six things that Frank said, because you won't even apply, let alone the cost for cyber insurance. And then when it comes to incident response, I've been hitting on it all day for my world, it's a lot of people buy cyber insurance policies today.
So just buying it from your guy and then putting it on the shelf is not enough for cyber insurance. You need to know who am I allowed to use? Can I get Frank's firm approved so that I can call them? How much limit do I have? What do I have to submit to the insurance carrier and at what point do I have to submit it to them in order for them to pay my expenses? So having a document that says, these are the people that are going to be on my SWAT team internally, this is what my insurance company requires, these are the attorney and the forensics firm or Frank's firm that I'm going to use. And I know that they're approved, so I don't necessarily need pre-approval.
Just having those first five things done to get you into the loving, caring, tender arms of a person like Frank and an attorney. Because, from there you're going to be told what to do by people who do this for a living. So it's all about from discovery to getting that group in front of you, how do I shrink that time as much as possible? It's about speed and it's about just doing a little bit of homework on the front end can go quite a long way in terms of limiting the impact of those attacks.
David Schade:
Very insightful. So thanks fellas for joining us today and in participating in this important discussion. Also, want to thank our audience members for listening in as well. Be sure to visit us at firstbusiness.bank to check out our other resources we offer business owners and leaders. We invite you to experience the advantage with First Business Bank. If there's a way we can help, please reach out to us and we look forward to hearing from you.