Webinar Transcript:

Moderator: Hello everyone. We are delighted that you are joining us this afternoon! We have a fun webinar for you today. Before I introduce our speakers I'd like to go over some house keeping items. This webinar will be recorded and available on our website. If you want to ask any questions during this discussion, please throw them in the chat. We will get to as many questions as time allows, and we will be available for individual follow up. Our speakers today are Jeff Lauria, iCorps VP of technology, whom most of you are familiar with. He'll be focusing on the CIS18 compliance framework and strategies for how to strengthen your organization's overall cybersecurity posture, and how that interfaces with potential cybersecurity policies. Our guests today are John Reith, the Channel Marketing Manager at Datastream Insurance and Andy Anderson, who is the CEO of Datastream Insurance. Datastream is an iCorps partner and a leader in the cybersecurity insurance space. They provide comprehensive coverage for first and third party losses, data analyses of your business' cyber risk, and strategies for interfacing with your inhouse and outsourced IT teams. We hope you enjoy today's discussion and with that I'll turn things over to Jeff. 

Lauria: Thanks Marin. I should touch on the fact that everyone is muted, so if you have questions you can put them in the chat box in the top corner. This would be a great opportunity to talk about the CIS 18 controls, which we as an organization rolled out over the past 6 months. We have also started to roll it out to our clients. 

I also want to take this time to have you all meet the team. We have John Melaugh who is on the infrastructure team and is in charge of day to day operations. We also have Jason Dallas, who is on the cybersecurity team, and is the practice lead who is responsible for cybersecurity, IT governance and compliance, and vulnerability and penetration testing. Lastly we have Christopher Cook who is our data privacy expert. He holds a Master's Degree in Cybersecurity Insurance and is certified in the United States and European Union for Data Privacy. Beyond them we have a whole team who is dedicated to data and cybersecurity. Today we'll be talking about the threat landscape, what CIS 18 is, why it's important to you, why cyber insurance is important and lastly - why Datastream. 

Quick update: all of the information we'll be presenting today will be available after the presentation. According to IBM 63% of small businesses had a cyberattack last year (2021). A cyberattack can be ransomware, phishing, compromised credentials, and really a whole variety of things. Typically small businesses is anywhere from 1,000 and under or 500 and under, but according to the small business seeds it's businesses under 25 users.

37% of businesses had a ransomware attack according to Sophos. Ransomware attacks ae shifting. Historically, ransomware attacks have consisted of data being encrypted and the user having to pay a ransom. Now, a couple of things have changed since then. One being that the average ransom fee was $5k in 2018 where as now it is typically around $20k. That is for the small to medium sized businesses. Large businesses ransomware attacks are ranging anywhere from $20-40M. The average cost according to IBM for a data breach was $2.9M. I'd like you to remember this number throughout this presentation. This number represents everything from restoration, legal fees, compliance to regulatory fees. In Massachusetts and Pennsylvania and New York the fees can cost up to $5K per violation. For example, if you lose a record, depending on your status, you may be fined up to $5K.

Something else that has happened within the last year in the ransomware world is that the organizations who are attacked are not paying the ransom. They have great backup systems and recognize that they will only be down for a couple of hours and then they can get back to work so there is no need to pay the attacker. A lot of the bad actors have realized this, and now they are threatening to expose their data, which is something organizations do not want to happen. The attackers can do this by taking the data from organizations, on-premise, and move it elsewhere. Start looking at these regulations through the company. 

For the companies that were attacked, 37% of them suffered a financial loss. 25% of them ended up filing for bankruptcy and almost 10% go out of business. These statistics are from IBM. The worst of all is that these companies get a loss of credibility, which could lead to customer loss. Ransomware is much more than paying a fine. 

Moving on to the next screen here. So protecting your business. There are a couple of ways for the business to protect itself. It's as easy as ABC:

  1. Adopt a security framework such as CIS 18. At a very high level a security framework is a roadmap that helps you increase your cybersecurity hygiene. There are about a dozen out there. We chose CIS 18 because it's very achievable.
  2. Best practices - technologies and vendor recommendations. Often times people do not follow these best practices and vendor recommendations. Microsoft, Google, and every provider recommended businesses use MFA. So, taking their recommendation is important because they have the tools to secure it, but it's up to us to use the tools to protect ourselves. If any platform you're using doesn't support MFA, I recommend switching to a new platform since if they don't care about that, then there are other things they don't care about.
  3. Cyber insurance. Something people never want to get, but it can truly be a life saver. Do not be a part of the 25% of companies that had to file bankruptcy. 


Jumping to our next slide we're going to talk about adopting a framework, specifically CIS 18. One of the reasons we chose CIS 18 is that it's achievable. It has 18 control points, which are also considered categories. There are 18 categories and within them are sub categories which are also known as sub controls. Each category represents an areas of cyber security and within that area are best practices. The way you are rates is anywhere from 1-3. 1, you are just starting out and 3 you are a very mature program. Sometimes you will get a 1 or 2 in some areas, but you can also get 3's in other areas.

Throughout the county, there are states that are adopting a safe harbor data breach regulation, Connecticut being the most recent one. These safe harbor regulations are specifically saying that you should be following a framework. Following a framework can help you avoid a cybersecurity breach. Making sure your computer systems are protected is important. An insurance company didn't want to pay an organization because they didn't maintain and document along the way. The best practice is to have a program, documents, check on, and keep the system up to date. Company reputation is important. Companies are starting to use third-party services to look at your cybersecurity presence. If you are not taking care of the simple things such as a DNS record, it's clear that you will not take care of other complicated matters. This is an example of how companies won't do businesses with you. 

These are the CIS 18 fundamentals. They are very achievable and scalable despite the size of the business. A lot of frameworks are designed for enterprises. Other frameworks are written by administrative folks, whereas the CIS 18 is written by technical people so they are technical solution based. They cover technology and administrative processes. They're identified in safe harbor regulations and are a universally recognized framework. They're easy to follow and are measurable. Lastly they map to other frameworks. For example, you start following the CIS 18 and then you need to follow HIPPA, these will map to those regulations. So you are not reinventing the wheel.

The CIS controls are over here on the right. The first two are talking about inventory control. Number three is talking about how you protect your data. Number four is talking about how you secure configuration of enterprise assets. Next is account management, followed by access control management. The next item is continuous vulnerability management. This is what you are doing day in and day out so if something happened today, you'll know what went wrong. Something that IBM reported was that people who are attacking you are in your system for around 200 days. That is too long and you want to know as soon as possible. Next is auto log management, followed by email and were browser protection. Malware defenses is number 10.

For many years installing anti-virus software was sufficient. However, now EDR or XDRs are the way to go. These are the software that report to you when something bad happens in your system. EDR is the new trend in anti-virus. Next is data recovery, which is a result if you have backups or not. You also must test your backups. Next is infrastructure management, so if you are managing your firewalls and servers. Number 13 is network monitoring, which is extremely similar. CIS control 14 is security awareness and skills training. If you pull out the CMR 217, it talks about cybersecurity and skill training. Your first line of defense is employees. You need to train your employees. Your exposure level, threat level, industry, and regulation model will determine how often you need to do cybersecurity training. At minimum, annually. The other point of this is to get marketing involved. Let them send out a newsletter that includes cybersecurity tips. Search provider management is the next control, which is organizations like iCorps that protect your data. You should also be checking with all of your service providers. Application software security isn't a huge deal here because more people are using commercial software. Number 17 is incident response and last is penetration testing. I went over these at a basic level and will dig deeper onto email web browser protections. 

There are 7 safeguards, which are the controls. If you have 2/7 of the controls you are in group one, if you do 6/7 you are in group two, and lastly if you complete 7/7 then you are in group three. Group one is just starting up. Group two is if you've been doing it for some time now. Group three is that you have been doing it for awhile and that you have very mature systems. 

Many companies don't use DNS filtering, but they aught to. When you go out to the web in the office, and got o a threat site, and come back - we have some controls. For example, with manage security, that tool is going to block it depending on how your endpoint is configured. What do you do for the people who are on the road? What do you do for the remote worker? What do you do for the person at home? DNS filtering allows you that same level of security, or that secondary layer, to protect your organization. Because at the end of the day, your biggest threat is not your servers, it's your end users. They're the ones who are surfing. 

Guess what - most orgs are doing many of these things. There are a couple you're not doing. Now, let me show you where the pay back is here. I want to talk about the MITRE ATT&CK framework. The ATT&CK framework is the golden framework. There is no better. By leaps and bounds it is the greatest framework on the planet. It is all about mitigating threats. Unlike other frameworks, this is all from an offensive position. It's about repelling, it's about holding back. It's about understanding the autonomy of an attack and how to prevent it from happening. It's a great framework. They say, if you follow the CIS frameworks IG1, you have these probabilities of repelling these cyber threats. If you do everything in IG1, you have a 77% chance of repelling malware, or a 22-23% exposure. If you get all the CIS safeguards, you go to 94%. By the way, there is never 100%. It's never absolute. It's not if, it's when. You need to be prepared and you can reduce your risk by doing other things. But by maturing you can get to where you want to go. What I'd like you to think about - think about the policy you have, how much it is, and that $2.9 million. Now, I'm going to turn it over to Andy and John.

Anderson: Jeff, thanks so much. That was so great, thanks for covering all this. Obviously, for anyone who's on this call and thinking about cyber sec and the challenge here, it is one of the most complex and newest things businesses are dealing with. And it is, just because you're a small business, doesn't mean you're not facing this threat. They may not be hitting the papers the way large businesses are, and the reason for that is because it's happening so often that it's no longer news worthy. It's just frightening. There's so much to think about here and so much complexity.

One of the main things is just to make sure that you have the right professionals and the right team that your putting together. That's why we partnered with iCorps. Taking a comprehensive approach where you're thinking about the technology part and the compliance and cyber risk part, and making sure that all three of those things are playing really well together. We weren't really seeing that within the insurance industry. There wasn't someone here who could speak the language of cyber security in a real way, work with good technology and MSPs, and that's why we created DataStream. It's incredible what we can do when we work together as a team. The high level message is that you should come and work with a team that is collaborating. It's like going to the mayo clinic, where a bunch of doctors are working on your behalf, and collaborating without you necessarily being in the middle of those conversations. Cyber risk is not a diy project which most people and organizations are capable of handling. You want a team of professionals who are collaborating on your behalf, obviously keeping you informed, but there's so much to learn here.   

Reith: I'll dive in, and talk about insurance itself, then pass it back over to Andy and he'll take you through some of the differentiators between DataStream and some other providers on the market right now. So cyber insurance is going to cover your first party liability, but it's also going to cover your third party liability - the companies that you work with. When we're talking about the types of attacks that cyber liability is going to cover, it's going to cover overall data breaches, the breach response and remediation, including all those things that Jeff mentioned that add up to that $2.9 million. Legal fees, customer notification and tracing, IT forensics, all of that stuff is going to be covered. As well as business interruption - so the cost to actually get the business up and running again. Things like bricking cost and loss of earnings, even salaries and things like that. Then when it comes to cyber extortion - ransomware - it's not only going to pay for the ransom itself but any of the legal teams that are needed to be brought in. PR teams, recovery, maybe building a new PR strategy coming out of that attack. 

Lauria: Let me throw one thing in here. If you hire Microsoft to do forensics on an Office 365 data breach, the minimum charge for one week is $120,000. So, that's to bring Microsoft in to look. These forensic teams are vey expensive. So when you look at this, that is something you should be aware of. 

Anderson: I think that's a great point. These are specialists, the amount of work that's involved in these instances is extensive and expensive. You have big teams of experts who are working often around the clock, so you're running overtime etc. so the bills add up pretty quickly. I've seen people with cyber policies that are $50,000 or $100,000, and that will pay for the coffee - maybe the donuts for the team that you're hiring here. But get ready to eat the rest of the cost here. Not only is it the cost associated with it, we shared some of the stats about how potentially damaging this is to businesses - how many are filing for bankruptcy or going out of business. And often these attacks - we're living through the start of an attack with Lock4J - what you're going to see is a wave of attacks roll through the market as attackers figure out how to exploit that.

If you're a good incident response firm, you're going to go work for the people that you know will pay you. And they're the ones that will keep you busy. Even if you can pay as a private company, the first time you're interacting with this IR community they have all kinds of questions about your financial health, are you gong to be able to pay, are you going to baulk at these crazy bills they are going to put in front of you? And they have a line of other business that's coming from insurance companies. So even to get access to the top teams, you need to be with a good insurer - that way they know their bills are going to get covered. We know who's busy, we know who's a specialist in certain types of attacks and recovery. We often know the individual teams, and there's been a lot of movement in the space.

Reith: That brings us right into the ROI, and our recommendation as far as coverage is concerned. A baseline of $1 million based on the costs that we've been talking about. Fortunately right now, it's still pretty inexpensive. The average for $1M is gong to be between $1k and $7k per year. 

Anderson: And those numbers are for smaller orgs. If you're a 50-100 mill rev business it will be multiples of that. It will be on the bottom side of the five figures, based on the industry, your size, and risk, but for the most part, when we deal with clients most of the time they're surprised by how inexpensive it is. And they want to understand if it's good coverage and what's there. 

Reith: We're talking about CIS and how insurance plays a role in an overall cyber risk program, and we really think a solid program breaks down into these three main legs: technology, compliance, and insurance. Just right now, we're not seeing it playing to well with the other legs. And that's why we created DataStream. To come in and align with people like iCorps, who are in charge of the technology and compliance side of this cyber security program and create a truly united front against these threats that we're all starting to see.  

Check Out Some iCorps Client Case Studies: