Cyber Insurance with Greg Markell | E008
Protecting your business form hackers.
Summary:
In the 8th episode of Financial Planning for Canadian Business Owners, Jason Pereira, award-winning financial planner, university lecturer, writer, and host of the podcast Fintech Impact, welcomes Greg Markell of Ridge Canada, a cyber security insurance firm. They discuss the origins of cyber insurance, how to protect yourself and your business from breaches, and more.
Episode Highlights:
● 01:06: – Ridge Canada is a wholesale underwriting shop that focuses on cyber and privacy liability insurance.
● 01:36: – Cyber security is quite new, but it can cover measures to avoid liability for breaches or to solve the problem, and can cover the liability itself in the event that you’re sued.
● 06:04: – One of the biggest issues right now is understanding cyber connectivity across the country.
● 06:47: – We’re about halfway up the learning curve for brokers being able to communicate to end clients what their policies can do and how to use it.
● 08:02: – A Canadian census by Stats Canada of small businesses in the country actually asked for the purchasing rates of cyber insurance and it was only 7% as of 2017.
● 10:58: – Canada is the first country to have federal notification legislation mandating that companies notify their customers when there’s been a privacy breach.
● 15:26: – 40-50% of the applicants they see are indicating some form of loss, mostly from ransomware.
● 18:42: – You don’t need to be an obvious target to be hit with ransomware.
● 22:20: – Awareness is key to avoiding cybersecurity threats, including employee training.
● 26:45: – Two-factor authentication and password strength are crucial, and you can use technology like LastPass and other password managers to make it easy.
● 28:46: – There are multiple versions of two-factor authentication, including built-in authentication in Office365.
● 30:03: – Authentication where you are texted a code is the weakest form; even Jack Dorsey’s Twitter account was hacked by duping his phone’s SIM card.
● 34:30: – The strongest option is a physical USB key.
● 44:32: – Greg’s number one tip is to have a disaster recovery plan that includes getting hit by ransomware.
3 Key Points
1. Every business that has ever collected payment information from customers is at risk of
a cyber security and privacy breach.
2. Ransomware or malware are as big a threat as standard data breaches.
3. Never think you’re immune or not at risk of being hit with ransomware or a breach.
Tweetable Quotes:
● “The bottom line is if you take any form of client data and that data ever touches anything but a piece of paper, and that piece of paper isn’t shredded, you’re at some form of cybersecurity risk.” –Jason Pereira
● “I think there’s a lot of strength to the cloud, it’s how you manage things within the cloud. Always always always, if you’re using cloud-based technology, two-factor authentication, it’s a must.” –Greg Markell
● “Make sure you have that instant response plan in a robust manner and so you’ve identified the lawyer that you're going to call who’s an expert in these types of scenarios because your general lawyer is not going to know how to get Bitcoin.” –Greg Markell
Resources Mentioned:
● Website – Jason Pereira’s Website
● Facebook – Jason Pereira’s Facebook
● LinkedIn – Jason Pereira’s LinkedIn
● Jason’s article about RCAs
● Ridge Canada website – https://www.ridgecanada.insure/
● Email Greg: gmarkell@ridgecanada.com
● Call Greg: 416-646-6239
Full Transcript:
Speaker 1: Welcome to the Financial Planning for Canadian Business Owners Podcast. You will hear about industry insights with award-winning financial planner and entrepreneur, Jason Pereira. Through the interviews with different experts, with their stories and advice, you will learn how you can navigate the challenges of being an entrepreneur, plan for success and make the most of your business and life. And now your host, Jason Pereira.
Jason Pereira: Hello and welcome to Financial Planning for Canadian Business Owners. I'm your host Jason Pereira. Before we get started, just a reminder to sign up for my newsletter at jasonpereira.ca. Onto today's show. Today's guest is Greg Markell, president and CEO of Ridge Canada. Ridge Canada is an insurance company that specifically specializes in cyber insurance and I brought him in to talk about the need for cyber insurance and where the threats are coming from these days. So here's my conversation with Greg.
Jason Pereira: Morning, Greg.
Greg Markell: Morning.
Jason Pereira: Thanks for taking the time to come in.
Greg Markell: No thanks for having me.
Jason Pereira: So Greg Markell, president, CEO of Ridge Canada Cyber Solutions. Tell us about what it is that you do.
Greg Markell: So we are a pretty niche player within the insurance market. We are a wholesale insurance underwriting shop that focuses exclusively on cyber and privacy liability.
Jason Pereira: Okay. So technology, something that scares a lot of people but not something that is near and dear to my heart and something that we all need to take more seriously if we're going to advance our businesses. So let's talk about what is cyber insurance and why would an entrepreneur need to get in place? Because this is a fairly new market quite honestly.
Greg Markell: Yeah. Yeah. It really started coming out of year 2000 and then the evolution of it has been quite steep, especially over the last five to 10 years specifically.
Jason Pereira: So that makes sense. I mean we're looking at kind of talan.com bubble. So people are moving more and more of their businesses into the internet. The cloud has become a term or is starting to become or it's going to become a term very shortly. So timing makes sense. Okay. So cyber insurance, what is it? What does it do?
Greg Markell: So cyber insurance is standard insurance policy, except it's a little bit more complex. There's two parts to a cyber insurance policy. There is what I call the expense coverages, which are affectionately known in the insurance industry as first party costs and then there's your standard liability coverages as well that come at the backend. Really the best way to think about it is the expense coverages are in place to help companies prevent getting into liability situations. So your expense coverages cover things for when a breach happens and the costs that a business would incur.
Greg Markell: So hiring a lawyer to be your breach coach or the quarterback of the situation, the forensics folks to get you out of the pickle that you're in. PR and crisis communications, data restoration experts, call center people in case you're going to experience a flood of calls if your business has to do with credit card information. Lots of patients, if you're in retail, if you're in anything like that and it would overwhelm you from the current standpoint.
Jason Pereira: If you're a certain credit rating agency of the US?
Greg Markell: Correct and Canada which has a class [inaudible 00:03:00] and certified against it at this point.
Jason Pereira: Good. We can get into that funny story later.
Greg Markell: Exactly.
Jason Pereira: Okay. So that's the first half is the, okay, something's gone wrong. I've got to face all this extra cost now just to stick handle the situation. What is the second half?
Greg Markell: The second half is the liability. So let's say all of those costs and expenses cannot prevent your business from being sued. So people feel slighted, they feel exposed, they feel anything else and they sue your business in order to recover costs that they might've incurred. So recovering from some of these attacks can take time and if you are heavily involved in supply chain or your supply chain is exposed, then you could face third party suits coming from vendors, suppliers, everything else. The liability portion of the policy is meant to pick up those types of things. So losses that third parties experience and sue you to recoup for it as a result of your cyber incident.
Jason Pereira: So a lot of good businesses, especially bricks and mortar types might be thinking this is something I don't need. Right? But let's face it, everybody's got some digital exposure. Can you give me examples of the type of things that are [inaudible 00:04:05] on the average business?
Greg Markell: Yeah. For sure. And you bring up a great point and something that I didn't even completely realize until we were going through the movement into the new decade, which is 2020. We're in 2020 now, but one of the things and I was reading up on a few things leading into the new year, but when cyber policies first started at the Y2K issue and everything coming out of it-
Jason Pereira: So the insurance companies jumped on Y2K saying, "Hey, we can insure you from this problem." Which really may not exist, but maybe it does.
Greg Markell: Yeah. As soon as they got over being scared of the world ending, I mean everything, they realized that they could make some money on it. But what was interesting leading up is that was really the first time that the Canadian government and everyone else started mapping what their exposure to their networks was, how interconnected things were. And this is is back as the '90s. We haven't undertaken an exercise like that since then. So we're going out 23 years now on the last time that we actually engaged to figure out what our total cyber exposure was as a country. You look at Canada as a Canadian population, we spend more time online per capita than any country in the world.
Greg Markell: We have the highest telecommunications costs because of our vast geography. But we also have, we are a G7 country and we are highly technologically advanced. You look at some of the actual government grants and things that are coming in with the superclusters and everything in the form of robotic security. You've got artificial intelligence. We're a have nation, especially when it comes down to intellectual capacity and advancement of technology.
Jason Pereira: Hey, we're right down the street from where sidewalk labs is being setup.
Greg Markell: So that's right. And that's like its own can of worms.
Jason Pereira: Let's avoid that. Maybe I [crosstalk 00:05:44] show at some point. So yeah, so this is a little bit frightening to think that it has been that long since we've had that kind of threat assessment. But let's continue.
Greg Markell: And if we look at small businesses the biggest thing that we always experienced because we only sell and we only underwrite risks that are brought to us directly from retail, insurance brokers. One of the biggest issues that we've had over the last little while is just the... And it's getting much better is that understanding of on the connectivity. And cyber can be very complex and especially if you look at the policy itself I broke it down into two simple sides, the expenses and the liabilities.
Greg Markell: But the reality is it has the average cyber policy. It has 11 to 12 insuring agreements and by comparison directors and officers insurance, which is naturally a specialty lines product governance focused and regarded as quite complex. It has three. So we're dealing with-
Jason Pereira: So a factor of three here you're increasing the complexity. Okay.
Greg Markell: So I think the learning curve is, we're still probably about halfway up the learning curve relative to markets and brokers being able to effectively communicate to end clients, not just what their exposures are, but what the actual policy can do and how to use it. And I think that that's a really important piece because as we're seeing exponential growth in the market itself, we're seeing exponential growth on very small numbers in terms of the market size in Canada. If we looked at the United States-
Jason Pereira: Starting from one and the two is 100% growth rates.
Greg Markell: It's fantastic.
Jason Pereira: It's the two.
Greg Markell: That's it. And if we look at it, and I mean there is a little bit of insight now that information is somewhat dated. So we have to extrapolate based on what we know from an industry and what the actual purchase rates are on buy businesses. But when the census, and around the same time as the census was being conducted, Stats Canada actually launched a survey. And so what they did was they surveyed 12,597 Canadian businesses and they got an 86% response rate, which is-
Jason Pereira: Huge.
Greg Markell: ... Pretty high. And so they released all of these findings in October 2017 so that's why I'm saying that the information is a little bit dated. But what's very interesting about it is you look at some of the things that they asked were actual purchasing rates by Canadian companies of cyber insurance. And they broke it down into the actual penetration rates based on market size. And the government does it on head count. StatCan did it a little bit differently. There's a little bit of things not lining up. So if you look at some of the actual census numbers small business accounts for 97.9% of Canadian businesses, it's just over 1.13 or 1.16 million total businesses at that time. So 97.9% of those were deemed to be small.
Greg Markell: However, there's a bit of an overlap because in some of the studies there's small and micro is deemed zero to 49 and others at zero to 99 so there is a bit of a gap. But regardless, I mean the small business numbers in terms of cyber insurance purchasing rates, 7% in 2017 that number was the highest.
Jason Pereira: That's pretty frightening. So I mean let's take a step back and talk about, like I said bricks and mortar company may not think that they need it. So perfect example is, let's just say that someone has a flower shop, right? Doesn't even have a website. Maybe the website doesn't take orders, right? And they may say, "Well, why do I need this?" Well, at the end of the day, if you have a computer or a phone or any kind of email account where you've ever taken payment information, let alone delivery information, right? Because you have information on who people are or where they live and potentially their credit card. And this is really, I mean this comes down to this all comes down to the theft of two things. Money either directly, right? Being able to get into the company's bank accounts and do whatever they have to do or get money out.
Jason Pereira: Or basically information that enables them to steal identities. Unless there's a third one I'm missing. But that's it. So the bottom line is, if you take any form of client data and that data ever touches anything on a piece of paper and that paper isn't shredded, you bear some form of cyber insurance risk.
Greg Markell: Correct. And so nail on the head, I mean, there's on the liability side of things and granted Canada doesn't, isn't that evolved in terms of the litigiousness that we see coming out of it, which is a good thing.
Jason Pereira: Out of the US?
Greg Markell: Yeah.
Jason Pereira: Wow. Really?
Greg Markell: Yeah. I'm not complaining about that relative to our own portfolio loss ratio. However, we're starting to see people get a little bit more, their backs up a little bit when their information is exposed. So it's interesting. You're absolutely right. There's a couple of things. There's your actual network security that comes into play and then there's also your privacy or the client privacy. And so making the distinction between the two of those. Now the insurance policy, the evolution of the policy over the last five years, this was one of the things that's been at breakneck speed. So originally there was a distinction between data and dollars and now what you're seeing is you'll look at articles that the economist is putting out.
Greg Markell: You look at all of these thought leaders within the industry and everybody's heard the adage that data is the new oil, just access to that information can now easily be monetized.
Jason Pereira: Is valuable itself. Yeah.
Greg Markell: Exactly. And Canada, one of the things that has come into effect as of November one 2018 was we're the first country in the world with federal notification legislation. And so in 2015 I believe June of 2015 the Digital Privacy Act gained royal assent and it took a few that was under the Harper government and then you move forward into the liberal government now and it still moved through. So we now-
Jason Pereira: That's because it made a lot of sense and it was a global trend I mean, so we're talking about you have to notify your customers when there's a privacy breach within a certain amount of time, which also GDPR in Europe has the exact same criteria
Greg Markell: State by state, they have different legislations, so that becomes a whole quagmire of different things.
Jason Pereira: One week versus three months [inaudible 00:11:35].
Greg Markell: Exactly, but going back to your flower shop example, so as a result of this Digital Privacy Act coming into effect November one 2018 from a privacy standpoint, there's a few implications. So let's say they use paper files for 50% of their work orders or their vendor management or anything like that. Someone breaks in and steals the information. Traditionally you would look at it and say, okay, that's a burglary related risk. But if they're stealing client data, which could have credit card information that they took over the phone, they break everything open. That's a privacy related issue as well. There's not just the cost of replacing the windows and getting everything back up and running. There's now what you have-
Jason Pereira: There's data breach.
Greg Markell: Exactly. What you have to know think about is does this pass be the test that the government has put in place and what they deemed the RROSH test? And that's an acronym for the Real Risk of Significant Harm. So is that data that was stolen, would it potentially cause harm to the affected individuals? And so there's still a little bit of gray on that, but typically the rule states is if there's financial information, if there's sin numbers, if there's anything that can be used to recreate a person's identity, borrow on their name, cause them financial harm, or if there's kids involved. And then if you look at healthcare, it's completely different. It's under the Personal Health Information Protection Act. So the PHIPA as opposed to the Personal Information Protection, Electronic Documents Act, which are mouthfuls in their own right. So there is a bit of distinction between healthcare and the general public. However, that flower shop still has that exposure even if they're not running computers.
Jason Pereira: Yeah, and this is an important point because oftentimes I'll get people say like, "Well, I'm worried about security in the cloud. So that's why I don't put my client files on there." And to which I'll say, "Okay great, where do you keep them all?" "I keep them in this room and still got a lock on it." I'm like, "Yeah and it's got a drop ceiling." Right. Like so push a tile and climb, it's pretty straight forward to get into that thing, unlock it from either side. And really all they've done is they limited the geographic region and the speed at which the data can be stolen. They haven't really limited the ability to steal said data. Whereas I would argue the proper precaution is doing things online can actually be more secure, vastly more secure than any kind of file room.
Greg Markell: You should tell that to StatCan.
Jason Pereira: Well, I mean, let's not getting me started on the number of institutions that won't take digital signatures at this point where it's like really, because I can tell which device, location and everything else that they took. And you're telling me that this is somehow ink on a page is more secure than all that metadata being attached to that signature.
Greg Markell: Yup.
Jason Pereira: Anyway, that's besides the point. So let's talk about the scale of this problem. So the scale of this problem is huge. What kind of statistics do you have about number of breaches or size of breaches and what's going on in the marketplace today?
Greg Markell: Sure. Well, just anecdotally, I can tell you that when we're taking on an evaluating risk, one of the things we ask an application, it's a self-assessment questionnaire for us, it's about a dozen questions. Pretty pedestrian. We tried to focus on governance as opposed to the technicalities behind things. Because what we found was it's typically the purchasers of this and small businesses, it's people wearing multiple hats within a business. So it's your CFO, it's someone management level that is in charge of the general oversight of the business. And they could be head of HR and the CFO at the same time. So we're looking at some of these things-
Jason Pereira: The guy who's in charge of the computers will also [crosstalk 00:14:55].
Greg Markell: Exactly. Yeah. So what we found was if management and everybody else has to outsource the application, if they don't know it, one they should know it because now this is a real risk that presents itself to all businesses. If you're just like you said, if you are connected to the internet or you are using computers in some way, shape or form, you have this exposure.
Jason Pereira: Absolutely.
Greg Markell: So how do we make it easy so they're not having to send it out to a third party like MSP or any anybody else in order to get the information back? So we focused a bit more on governance, but what we found, and again this is the anecdote that I was going to share, is probably about 40 to 50% of the applicants that we see and we see a lot of applicants. We're getting three a day right now more. And that number is continuing to grow as we continue to grow our portfolio and our business and our distribution networks. And 40 to 50% of them are indicating some form of loss. Most of that is ransomware based.
Jason Pereira: Oh boy.
Greg Markell: And so it's a ransomware, you want to-
Jason Pereira: So let's talk about that because that's different than what we've talked about before. We were talking about before is data theft. Ransomware is a completely different [crosstalk 00:15:58]. There's been some very high-profile cases, especially with sadly tragically hospitals being targeted for this sort of thing. So what is ransomware and what does it look like?
Greg Markell: So ransomware is a form of malware. Typically, it is as simple to deploy for the threat actors as embedding it within a link or an attachment that they duped someone in within the company into opening as soon as it's opened, it proliferates through. Some of it can lay dormant and then it can actually just execute itself later on. However, most of the time it's smash and grab. So it's a piece of malware that essentially what it does is it goes in and it encrypts your files so it locks down your business and it just keeps going.
Jason Pereira: So you're running a data server, all the files are there. And then while in the background, it's very sneakily encrypting everything in a format that you can't gain access to. So it's still there.
Greg Markell: It's still there.
Jason Pereira: But you don't have the keys.
Greg Markell: Correct. And what they do is they extort you typically in cryptocurrency, 99% of the time it is in Bitcoin because that is the easiest [crosstalk 00:16:57].
Jason Pereira: There's other ones that are harder to trace than Bitcoin.
Greg Markell: Exactly. Some of the privacy coins like a Monero come to mind, but that's typically happens after the fact in terms of how they wash the money afterwards and how they anonymize it. But what we're seeing is the actual ubiquity of ransomware because one of the biggest push backs that our broker partners actually get is my business isn't a target. Flower shop in St. Thomas, Ontario [crosstalk 00:17:24] on them. Exactly.
Jason Pereira: It's like when my wife doesn't want to put in a difficult password into her email address, she's like, "Oh, I don't care if they find like, what are they going to steal from me?" I'm like, "Well all these like years' worth of years worth of emails, which probably through all of them put together the perfect picture to steal your identity and you telling me that at no point at any point whatsoever, you never put in another password, another login or a credit card number into a single email? That you are the exception to the rule." Because you say this, but it's amazing how one little password difference would basically prevent that from happening.
Greg Markell: Exactly. And the ransomware piece is-
Jason Pereira: My wife is not going to listen to that episode, right?
Greg Markell: [inaudible 00:18:04].
Jason Pereira: Keeping away from her.
Greg Markell: I'm in the same boat. I mean it's on the public record now, but post LifeLabs one in two Canadians was affected on that. And the biggest thing that I keep-
Jason Pereira: Like myself.
Greg Markell: I got questions immediately afterwards. "Greg, what do I do?" Well, first things first, change your password and change any passwords that you used if you use the same password as your LifeLabs [crosstalk 00:18:25].
Jason Pereira: Strike one, do not use the same password. We'll get to tips later.
Greg Markell: Exactly.
Jason Pereira: I mean some of them can be caused, some of these breaches can be comical, like the Ashley Madison one, comical as long as you weren't a client, some of them less so like the LifeLabs one or Equifax.
Greg Markell: But the ransomware piece, what's interesting is you don't need to be a target. What's happening right now is these campaigns, typically if you're a target, you're typically a target of some form of nation state or you have something that you know that you have it, you've got crown jewels that someone has access to and they're trying to exploit that. Or if you're a target from a ransomware perspective, what we're seeing is activist groups get a little bit more vocal, so disruption types of attacks. And those are the targets. So if you're in mining, energy, oil and gas, anything that's environmental-
Jason Pereira: [inaudible 00:19:16] are basically coming in [inaudible 00:19:17].
Greg Markell: Exactly.
Jason Pereira: So for anyone who saw season of Mr. robot and if you didn't, you should. This was the climax was a massive ransomware attack on the world's largest bank and it was like, well now good luck, that money is never getting no, because they weren't going to divulge the keys. Right?
Greg Markell: Exactly. But for everybody else, again, probably not being targeted by specific by groups focused on espionage or nation states or anything like that, but what's really, really ramping out there is the organized crime and I'll put this in perspective. To run your own or to have someone run a ransomware campaign on your behalf, which you can get through tour on the dark web. You can pay someone to do this for you, who will split the profits of said campaign with you-
Jason Pereira: You can find anything on dark web.
Greg Markell: Cost you two grand, two grand US.
Jason Pereira: Really?
Greg Markell: That's it. For different strains of ransomware if you're going to run it on your own and then put your own derivatives coding onto it, it can go as low as 200 bucks US even less. We've heard of-
Jason Pereira: I hope we didn't create a market for ransomware, but continue.
Greg Markell: Well there's already a market-
Jason Pereira: There's already a market [inaudible 00:20:22], wow.
Greg Markell: Yeah. And if you look at some of the major strains that have gone out, it's to make something zero day is just adding additional code onto the end of it. So if you look at, if you think you're safe, we get this all the time, "Greg, I have antivirus and Greg, I have a managed service provider. Greg, I have X." We'll get to the tips, I know at the end, but the issue is is if AV or if antivirus or if any of the actual detection software doesn't recognize it and they don't and they aren't able to sandbox it. And what I mean is it's either known good, known bad or unknown. If they can't bucket in the unknown or in the unknown bad, then it automatically runs through its white list and then it goes through and you're not going to pick it up.
Greg Markell: So unless you have the expertise to diagnose and to prevent in house, which most small businesses do not.
Jason Pereira: Let's face it, the real problem when it comes to all of this is not the technology 90% of the time it's the people.
Greg Markell: Nop. It's people.
Jason Pereira: It's people who basically simple passwords, open anything or run anything, download anything, click anything. There was a phishing attempt that unfortunately about three people in my life suckered into this one, it will look like a iCloud password reset or something like that.
Greg Markell: Yup. Saw that one.
Jason Pereira: [crosstalk 00:21:38]. And you go through the first one looks like the standard Apple like reset this. And the second page started going all this personal information including asking for your sin number. I had people asking like, "Why does Apple need my sin number?" I'm like, "Oh my God, Apple does not need your sin number. Look at the bloody URL." It was like something, it was whatever Apple dots, something else recovery.com I'm like, no, those two words should be interchanged. It doesn't make sense. So yes, humans are always the weakest link of the chain. So let's-
Greg Markell: And a chain is only as strong as its weakest link.
Jason Pereira: Exactly. So let's talk about how we can prevent these sorts of things from happening. What are your top tips when it comes to preventing yourself from becoming a victim of cyber crime as a business?
Greg Markell: I think awareness right now is key. If I look back at the last seven, eight years of just what I've seen within the market and we're staying ahead of what we do of threat information, we try and get as much Intel as we can globally. We liaise with friends in the UK, in the US, in Canada, so we're 60% of the way through the five I's at this point. But just in terms of what's developing, what people are seeing, what that thread Intel is telling us and trying to stay plugged in within the security community as well. Because what we can do is we can sort of relay information on an anonymous basis back to security folks based on the losses that we're seeing. So it's a very interesting ecosystem, but what people can do, I think 2020 is going to be the year of training of employee training. I think that that awareness has finally started hit that nexus. There's no longer the same sort of apathy that there was within the general Canadian populace.
Jason Pereira: You think so? I don't know.
Greg Markell: We're getting better. I like to focus on the positive.
Jason Pereira: I'm sure those guys who were on Ashley Madison they don't have apathy anymore but-
Greg Markell: [inaudible 00:23:26] the list goes on.
Jason Pereira: Yeah. We can go on. Or the people who used to run the back office at Equifax and for people who don't know why that's such a laughable issue. There was one internet, public facing portal that basically had the username and password admin and admin. So I don't know who the admin was but my God, I hope they got fired and fined and penalized.
Greg Markell: Their CSO got fired.
Jason Pereira: Well that's not good enough. Let's not even get into it. But then the CSO like have chief complaint house, chief security officer, didn't they have like a background in [crosstalk 00:24:02] or something? Music. Wow. There is a demonstration of the Peter Principle I've ever heard of one. Okay. So let's go back to tips. Tips. How do business owners prevent themselves from becoming victims here?
Greg Markell: I think first-
Jason Pereira: Awareness as you said.
Greg Markell: Awareness is a great start. Training and employee training doesn't have to be expensive.
Jason Pereira: No. Some of the stuff is available on YouTube for free now.
Greg Markell: Exactly. We've got relationships with some training folks that for reach Canada clients, they're discounted by 80% because it's like software once you've developed it once [crosstalk 00:24:32]. Exactly. So I mean training is one, there is some free training out there. I would say any training for your employees or anyone within your networks is better than no training. Whether it's free or costs you money. I think that awareness and communicating within your staff about what to look for. Just like you mentioned on the Apple iCloud piece. So don't be afraid to hover over an email address to see what the source is. That is a major, major one. And if something doesn't pass the sniff test then flag it. Don't open.
Greg Markell: I think some other tips, some major, major tips, and we've been sort of preaching this for a while, but strength the backups, if right now what we're seeing out there in the market is the number one exposure to Canadian businesses is ransomware. So how do you prevent that? There's no silver bullet if you're going to get hit, what it comes down to is how well do you recover and how resilient is your organization?
Jason Pereira: And I mean, that's not an overly expensive venture. I mean, there's all kinds of online backup solutions that do multiple iterations. So if you've got a server Carbonite's one that comes to mind and God, there's a couple other ones [crosstalk 00:25:40].
Greg Markell: Datto.
Jason Pereira: Yeah. Datto. They will scan your-
Greg Markell: 365 can even do it. Microsoft 365 can do it.
Jason Pereira: Actually, I think Google does it now. [crosstalk 00:25:49].
Greg Markell: I think Google does as well.
Jason Pereira: So literally they will basically, every time you change a file on your computer, they will upload it there and they'll create multiple versions of the same files and you'd be able to go backwards. And even if you're someone who basically puts everything on the cloud like me, who's crazy, who's not crazy. But who's just done with servers. Basically there's even services that will run multiple backups on all your cloud stuff as well. So I'm cloud squared if not, if not cloud cubed on this one. And these are not expensive. We're talking a couple of bucks per computer, like in many cases.
Greg Markell: The cost of storage and the actual compression technology over the last decade has just, it's been advancing at breakneck speed. So it's fantastic. I agree. I think there's a lot of strength to the cloud. I think it's how you manage things within the cloud. I think from the-
Jason Pereira: [crosstalk 00:26:34] security when you access that point.
Greg Markell: Exactly. So always, always, always if you're using cloud-based technologies, if you're using any base technologies, two factor authentication. It's a must.
Jason Pereira: So that's the second, that's the next step. So two factor authentication. So two factor authentication is where you have to put in some sort of second code or second answer after you put in the password. So let me go back a step.
Greg Markell: Sure.
Jason Pereira: I'm going to say before you even get their password strength, right?
Greg Markell: Yep.
Jason Pereira: So we've all heard this advice. It says do not use the same password twice, make them complicated random things. And of course no one's going to do that.
Greg Markell: Change them.
Jason Pereira: The thing is the technology exists to do it for you. So LastPass, 1Password, Dashlane, all great service providers that sit on your browser and will generate random passwords for you-
Greg Markell: Or your mobile.
Jason Pereira: Or your mobile, generate random passwords for you, different every time, store them for you. When you update it, they'll update it for you and they'll even populate and fill in and open the website for you. Like literally it is replaces any bookmarks you ever had.
Greg Markell: And you can link it to biometric on your phone or face recognition technology on your phone. And yeah, so I use LastPass premium-
Jason Pereira: So do I, at the enterprise.
Greg Markell: ... And it's 40 bucks a year.
Jason Pereira: Yeah. It's the easiest money to spend on my business every year. And it's like, you know what, it also restricts my... I've got to turn up. So like my staff tries to use the same password twice. No. It tells them you're not getting away with this. They try to put something in simple, no, sorry, this is a word. You're getting rid of that. Right. And sometimes the staff complaints about this stuff, I'm just like, too bad-
Greg Markell: This is the reality of that.
Jason Pereira: [crosstalk 00:27:58] fire you when something goes wrong. What do you want me to say?
Greg Markell: Yeah.
Jason Pereira: Right. So with cause. So-
Greg Markell: There's that apathy. It's still, it's there.
Jason Pereira: It is there again. Right? But they've gotten used to living with me now. So the point is is that this is and even basic devices. I mean, Apple is embedded in every stuff every device.
Greg Markell: Absolutely. Microsoft, Google, all of them.
Jason Pereira: Yeah, they've all done it, right? But having a third party independent one that was cross platform was much, much better in those instances, right? And all you got to do and that then all you have to do is remember one complicated password. Just one.
Greg Markell: Change it every three months.
Jason Pereira: Change it every three months. Or there's that. Or simply never, ever, ever divulge it. I think I probably changed it once a year, but it's like what's your password? You're not getting that. Never, ever. So basically that's the first. And let's go back to two factors. So two factor. There's multiple forms of two factor. Let's talk about what those look like.
Greg Markell: So I mean for us it's as simple if you're running Office 365 which 90% of Canadian businesses are, I will say.
Jason Pereira: That sounds painful to me, I'm a Google guy.
Greg Markell: Yeah. But most people are running Outlook or some form of Office.
Jason Pereira: Unless you're a startup, in which case then you're running Google.
Greg Markell: Exactly.
Jason Pereira: If your founder is under, 35 you're running Google.
Greg Markell: Non-starter, you should have to factor in and Microsoft has an authenticator. This is free. And any admin, any Microsoft admin can turn this on simply by clicking a button. It is that simple. So it's the authenticator. Yes. So the authenticator is an app that sits on your phone. So if you're trying to log in anywhere, you should have your phone on you, but you can set it up to be as simple as putting your thumb. If you're running anything less than iPhone 10 you can put your thumb on the biometric panel and that would be enough to trigger to two factor as long as you're somewhere but that's WiFi enabled or has a cell signal, it can then log you in because it passes all the credentials through to your Office 365. So if you're logging in on a machine that it does not have a recognized IP address, it would automatically prompt you to check your phone, sign off, "Hey, is this a computer that you're normally going to use?" And then it'll log in.
Jason Pereira: So there's multiple types of this. You've got the one of the stronger ones. I mean the weakest one is this entire, we're going to text you this color, right? That is not something any of us should be using if you can get away with it and simply because your SIM card can be spoofed and if you think it's not doable. It happened to Jack Dorsey, the CEO of Twitter, and someone got into his Twitter account. Okay. So the reality is is that, that is by far the weakest form and unfortunately the only form of the bank support at this point as far as I know.
Greg Markell: Well and what's crazy as well is this has been getting far more prevalent in Canada recently. If you look at all the major news outlets have run a story on this happening-
Jason Pereira: Oh, I know, it seems spoofing is not hard.
Greg Markell: ... Over the last three months.
Jason Pereira: You got to fool the person at the support line to basically give you, so you lost the phone or was stolen, give you a new SIM card and they're off to the races.
Greg Markell: Yup. And if you call from that SIM card and if you call from that number then banks, let's put it into a banking perspective to make it a little bit scary for people.
Jason Pereira: There's a first authentication piece. Right?
Greg Markell: So most of the time, yeah, exactly. That's your first authentication piece is does the number match the number that they have on file? And if it doesn't, okay. There might be some additional questions in order to qualify you. But once that happens, and if you think that spoofing, like getting Rogers tell us anybody else, I'm not just picking on the telcos, but the reality is is these people-
Jason Pereira: They're the gate keepers on them.
Greg Markell: Yeah, they're the gatekeepers and people are being socially engineered and tracked just via social media to figure out what's your middle name? Who is your first pet? What's your mother's maiden name? All of this stuff. People post this stuff via Facebook, Instagram, Twitter, all the way back. So you've created this digital identity for yourself that is accessible to basically anyone. And so answering, think about how you answer those locked out questions that they ask. They're always standard questions.
Jason Pereira: Oh God.
Greg Markell: It's the same 20 questions every time. So for example, I called the bank the other day and came from my number. If they have your SIM card spoofed, then there's only two questions that you get asked. Can you validate your address for me?
Jason Pereira: Oh God.
Greg Markell: And can you give me your date of birth?
Jason Pereira: Yeah, [crosstalk 00:32:03].
Greg Markell: And once you're through with those two things-
Jason Pereira: The next level of is mother's maiden name. And it's like, come on, you can get that just from conversations or Facebook so yeah, that is weak. And so you bring up a couple interesting points. So first off, one of the things that drives me nuts is the ones where they have higher security, but then the secondary ones, "Oh you don't have that. I'll just ping your phone." We should all be avoiding the phone like the plague, the second in fact, Google's gone to the point where they're actually, I think deactivating that functionality.
Greg Markell: Yeah, Google authenticator is fantastic.
Jason Pereira: We'll get to the authenticator in a second. The second piece is those challenge questions. So I will even go further that I've gotten to the point of basically challenge questions. I don't answer them anymore. I actually, what I do is in the last passing, I put a note in that password and I can put in random words that will basically say that. So, if it's asked me like, what was the color of my first car I'll put in like Mexico, right? And then that's the challenge, good luck figuring that out. Good luck challenging me on that. So it does mean it's a little bit harder to get in for me too, but security is worth it. And at the end of the day you need it.
Greg Markell: Especially if it's your bank.
Jason Pereira: Oh my God. Yeah. So then the second piece is the two factor authentication you mentioned, which is the authenticator app. So there's a couple of them. Microsoft's got one, Google's the big one, there's a good one called, [inaudible 00:33:10], Salesforce. I see these things popping up all the time. And what they do is they generate a random number sequence for 30 seconds, six numbers typically. And then basically you type in that six numbers enter the password and you're in, right? Or some of them have, as you said earlier, proximity based ones. So, oh, you're logging in from the IP and you have that phone which has got this push this button to say yes. Right. And those are far more secure. And it was funny when I ruled that out here, the first question my staff said was, "Well, what happens if I forget my phone at home?" I'm like, when is the last time you forgot your phone at home before you went? Let's be honest, you forget your phone, you're turning around, you're going home.
Greg Markell: Exactly.
Jason Pereira: And now you're definitely going home because you can't get into your own computer. So frankly it is a pain. But you know what the reality is no one goes without these things anymore.
Greg Markell: I mean if we look at any financial services-based firms over the last 10 years, I mean there's been a major push for lifestyle changes. Everything else. So you look at the capabilities that people have asked for and the advancements of technology with work from home technology. So if you wanted to do that previously, there were validators in order to get yourself onto someone's network, you have the RSA keys.
Jason Pereira: That's what's the [crosstalk 00:34:16].
Greg Markell: This is essentially an RSA key that you can carry with you anywhere and you will be carrying with you anywhere. So it's no different than the technology that you had a decade ago. It's just in a different format.
Jason Pereira: I think the most, the strongest form of probably the least use form, but one I'm actually going be experimenting with shortly is the actual heartbreak keys. So these are little tiny keys that are USB keys typically or whatever form of USBAC, whatever you're using. Some of them have a NFC so you can tap for them. But what they do is they plug into your computer and only if that is plugged into the computer, will you be able to open that site. And that began, it's even more secure than just that number because theoretically there are ways to get around that two-factor number. It's just, it's a lot harder, but it's super hard to get that specific physical key that you had to have. Right?
Greg Markell: Keep it on your key chain. You're not leaving home without those either.
Jason Pereira: Exactly. So Google started making those, but YubiKey is the big owner of that. So I encourage everybody to look at all these resources and you know what? They sound intimidating. They sound hard. You can watch videos on this, you can [crosstalk 00:35:14].
Greg Markell: It's super easy.
Jason Pereira: It's super easy. And frankly I couldn't imagine my life without LastPass. I was on one password before and then I had to move it for enterprise before they had an enterprise for LastPass for 1Password. But I'll tell you like I don't know what any website is. I just type in what resource I'm looking for and then click on it and it opens up the site, puts in the information and logs me in. And then, I get up off the phone and do the two factor authentication. But it's all worth it.
Greg Markell: I think one other tip that I would give as well, and this is more what we're seeing to protect your organization against potential regulatory issues down the road. So you look at the issue that LifeLab's just went through and having to notify 15 million people that their stuff was potentially compromised. Right. That becomes very expensive. That forms, if I go back to the first thing that we talked about, that hits that expense portion of coverages pretty hard on an insurance policy so that limit could be completely gone. Especially when you're dealing with 15 million records notifying each individual. How do you do that? Is that registered mail? Is that an email is, that number's on file? Either way, there's more costs that come as a result of that. One of the things that could be avoided because now that you have to report any breaches into the Office of the Privacy Commissioner and then they make a decision as to whether or not you have to notify the affected individuals.
Greg Markell: So if it passes that RROSH test again, what we're learning from all of these things is originally when this legislation came out, it wasn't thought of that ransomware would actually be the cause for the reason to notify affected individuals. Because typically ransomware would go in and lock it up, extort you-
Jason Pereira: Then steal the information that's just sitting on touchable.
Greg Markell: And you'd either have to run the cost benefit analysis of restoring and recreating the data and any last out of that you had or paying the ransom and trying to figure it out.
Jason Pereira: Crossing your fingers and hoping to God they actually give it you.
Greg Markell: Exactly, exactly. So what we found is coming out of this is that the Office of the Privacy Commissioner has come out and said too that, "Hey, if you didn't encrypt that data that was on your servers or data at rest within the cloud, then there is the possibility. Even if a forensics go in post loss, try and figure and figure everything out and say, "Hey, no data has been exfiltrated." So that's your network liability component. That's the network security function. However, like we said before, there's still that privacy element and that's what the Office of the Privacy Commissioner has focused on LifeLabs as well in that in terms of having to notify is because the threat actor that got in and locked everything up, they could have looked at those files to prove it.
Jason Pereira: Yeah. Because you can't get them to prove it.
Greg Markell: Exactly. So if your data and if your lists, if your client lists, if anything that you deem sensitive is not encrypted while it's at rest, you are exposed.
Jason Pereira: And this is important to note. So let's just say use an Office 365 or Google or G Suite, whatever it might be to hold all your files, right? Ransomware is not really possible is it? [crosstalk 00:38:03].
Greg Markell: Some of the-
Jason Pereira: Well, go ahead.
Greg Markell: This is where it gets a little bit scary and this is way, way further ahead, but you saw some of the issues coming out of 2018, 2019 where the ransomware and there's a whole bunch of stuff, but you look back at some of the issues and you've got WikiLeaks that happen. You've got Snowden and exposing some of those.
Jason Pereira: No, [crosstalk 00:38:24].
Greg Markell: So some strains of ransomware, the big ones that have globally affected organizations. We look at Maersk, we look at FedEx, we look at some of the others that have been affected. Those have worm based signatures in them too, so they can proliferate through anything that they're actually getting in contact with.
Jason Pereira: So they can be exposed. But let's also look at this scenario we're dealing with, we're dealing with AWS, we're dealing with Google-
Greg Markell: They're co-located, it's pretty [crosstalk 00:38:50].
Jason Pereira: They're co-located. Yeah. They're duplicating data. They're fragmenting it across multiple resources, multiple data centers. So even if one data center gets it in there and they can detect it and they shut it down, shut down, wipe over. No, no issue. Right. So it's the probability of it happening with one of the larger providers versus your computer. I think to myself, what of my staff members? Like we're not even running a full network anymore. Putting individual knows because frankly we don't use a server anymore. And I think it's actually more, it's actually I've increased the attack surface this way, making it harder to get to everybody.
Greg Markell: But if you secure every end point.
Jason Pereira: Yeah. This is the thing. Every end is secured, but every end point doesn't affect the other end point anymore. Right?
Greg Markell: Exactly.
Jason Pereira: So I've increased the attack surface, but I've limited what you can get. And I think to myself, if my staff member got ransomwared, everything's in the cloud, I'm just going to wipe that thing down again and start it again.
Greg Markell: As long as it's encrypted. Yeah.
Jason Pereira: It's encrypted. That's the other thing. And I'll say is that, the other thing is we're running marks, which are far less targeted in general, but still targeted because the software, there's more PCs out there to run it and there's less security around those unfortunately. And there's also the problem of people running very old operating systems and we're talking about some day that Window 7 is about to be a retired essentially.
Greg Markell: Today.
Jason Pereira: Today.
Greg Markell: Today.
Jason Pereira: So no more security patches on Windows 7. And actually XP has been like that for a while. But there was an emergency when they did because the hole was that big a couple of like a year ago. Yeah. So, and apparently they were still selling Windows 7 PCs in 2015 like, oh my God. So if you're not running the most up to date operating system or at least the security patches for that operating system, you are seriously exposing yourself.
Greg Markell: Absolutely. And I mean one of the things that we see too is another just little tip. I had a loss that we paid, we had to pay the ransom because it was deemed to be, we ended up-
Jason Pereira: It was your only option.
Greg Markell: It was our only option. They were doing some monitoring for school boards and for emergency response. And so if they didn't get the call on one of these things to deploy emergency responders, then the liability on that is far greater than paying a smaller ransom. So we analyzed, so we got the call at 8:30 in the morning from the broker. They say client has has had their systems locked up, we go in, we deploy, we get the lawyer involved so that everything in the event that something goes awry is privileged. And so it gives the client control of the situation itself within 45 minutes of doing the triage, we have forensics in place and we'll start going through things. So what we find out within 45 minutes of that happening is basically that they were running 42 servers and their two backup servers, but their two backup servers weren't segregated from their actual networks. So the ransomware-
Jason Pereira: So the back up server was basically-
Greg Markell: It was the same thing. They might as well have been-
Jason Pereira: picked up, they may as well been linked in.
Greg Markell: Yeah, they might as well have been running 44 just servers and they were backing up on two servers that were not segregated. So at that point, the recovery portion is off the table. So that client cannot recover because they don't have the decryption keys to get access to their backups. So what do we do? So we go back, we have the forensics and the lawyers actually negotiate with threat actors. We see whether or not they're willing to come down in their extortion demand. At the time, this was back in 2017 Bitcoin was running about 13 KUS it's back up now. So we look at what's going on globally and it seems to be a bit of a hedge. Gold's gone up, Bitcoin goes up anytime there's tumultuousness, the crypto tends to rise and anyway I'm in the financial services office [crosstalk 00:42:19].
Jason Pereira: I've had many Bitcoin conversations on my other podcasts.
Greg Markell: And I'm not getting into it right now. The whole thing is, is that it's used to extort people at best. I mean there's so many AML issues that go on and do.
Jason Pereira: That it's because it's designed to avoid AML.
Greg Markell: But anyway, so we get in and we talked to the client and we say, "Look how long do you think you can be down? How long can you afford to be down? How long would it take you to recreate all of this?" And they're like, "We'd be out of business." And so-
Jason Pereira: So you have no choice but to try and negotiate.
Greg Markell: So we get an assessment from the forensics folks to say, "Hey, what's the likelihood that these folks that they're going to have honor amongst thieves and that they're going to give you back the decryption keys to decrypt your data?" Luckily it came back fairly positive. The actual known source that it was coming from was recognized. It was organized crime and so unfortunately, while we weren't positive that was organized crime, but based on the signature of the malware, there was-
Jason Pereira: High probability.
Greg Markell: ... A higher probability than not of getting the data back. So we looked at it and they came in and by 4:00 PM that day we had an actual coverage opinion from the lawyers to say, "Yeah, you know what, this is deemed if they miss a call because the school is on fire and they can't get firetrucks out to it, then we have a bigger issue on our hands than we do otherwise."
Jason Pereira: On so many levels.
Greg Markell: And so, but again, it's things that you wouldn't even think about. So is that your issue as a business? It doesn't matter what data you have, it's what you cannot perform in those cases too.
Jason Pereira: Yeah. Exactly.
Greg Markell: So there's privacy issues, there's data issues, there's and I guess-
Jason Pereira: General liability-
Greg Markell: There's general liability issues that come from your activities as well. So it's fascinating about how deep this goes.
Jason Pereira: No doubt. Any last one tip before we wrap up and we cover all the basics. I mean it seems like we did a pretty good job when we're talking about the weakest point link in the chain. So we're talking about specifically training your people, creating password security initiatives and using some softwares to leverage that two factor authentication wherever possible. Backups to basically protect yourself in that case and limiting I think, and then basically being up to date on all your security softwares. I mean those are pretty much like that's five points there. And I think those are pretty much the big ones. Anything else they've had?
Greg Markell: The biggest one, plan for it.
Jason Pereira: Yeah. Disaster recovery scenario, what are you going to do?
Greg Markell: Exactly. An organization that is ready is an organization that is resilient and if you're planning for this, we have things in place, most organizations have business continuity plans, disaster recovery plans. So if your building gets hit by lightning, how are you going to continue operating? Chances of getting hit by lightning are way less than getting hit by ransomware.
Jason Pereira: That's true, unfortunately.
Greg Markell: How do you respond to that? So I think it comes down to having a robust plan, looking and involving all elements of the organization. This is not an IT issue anymore. It never was-
Jason Pereira: If anyone who touches anything with any form of authentication. This is an issue.
Greg Markell: Exactly and IT managers and folks are being tasked with an impossible job like one, there in Canada, what we've found is their own razor thin budgets.
Jason Pereira: Oh God.
Greg Markell: Making any decisions and effecting change is not easy in especially amongst legacy systems. Again, we see end of life Windows 7 being deployed on 30, 40% of actual business.
Jason Pereira: For the record. When I left a major bank institution in the broker side, of course in 2002 the back office had just gone off Mainframe Computers and gotten Windows 95.
Greg Markell: Yeah, exactly.
Jason Pereira: I'm pretty sure those Windows 95 machines are probably still somewhere in their serving some sort of purpose and function.
Greg Markell: I wouldn't doubt it.
Jason Pereira: Because those institutions don't throw things away.
Greg Markell: As long as they are air-gapped, please, please, please be air-gapped, not connected.
Jason Pereira: Well, [crosstalk 00:46:06].
Greg Markell: But yeah, identifying who's going to handle the situation and we're obviously in the insurance industry, we think insurance forms part of a plan, but it is not the plan. The whole thing is crucial-
Jason Pereira: It's what happens when everything else goes wrong. This is not a moral hazard thing where, "Oh, yeah, I'm totally protecting this. I can take that risk."
Greg Markell: Exactly. It's the enterprise risk management model. It's assess, figure out what you have, how you protect, control, protect it, and then transfer out whatever you don't think you can handle. And so that means if you're not looking at insurance, that's fine too. But make sure that you have-
Jason Pereira: You better have yourself protected.
Greg Markell: Make sure you have that incident response plan in a robust manner. And so you've identified the lawyer that you're going to call who's an expert in these types of scenarios because your general lawyer is not going to know how to get Bitcoin, whether or not that's going to cross off-
Jason Pereira: And you're down the street and do everything a lawyer's got to know even know where to start.
Greg Markell: Exactly. And what we're finding too is we do a lot of law firms work. They're catching up. They're catching up in terms of what the exposures are and what they're having to deal with.
Jason Pereira: They're the first ones getting those calls. So now let's be clear, you're a wholesaler that's, so essentially, if people were interested in this, they should be talking to their individual brokers altogether.
Greg Markell: Correct.
Jason Pereira: Your retail insurance broker.
Greg Markell: Exactly.
Jason Pereira: But if people want to find you and learn more about this, where can they find you?
Greg Markell: They can email me. Our website is ridgecanada.insure I-N-S-U-R-E. Our contact info is on there. You can give our office a call. You can call me individually. My numbers actually up, it's-
Jason Pereira: It'll be up. No worries.
Greg Markell: It'll be up.
Jason Pereira: [crosstalk 00:47:37].
Greg Markell: And then finally we're in the process of launching completely nationwide where right now we're licensed all the way through to the Pacific. So the bulk of our clients are in Ontario, Alberta, DC with [inaudible 00:47:50] and Manitoba. We're growing pretty quickly in Manitoba, but insurance brokers across the country know who we are, which is great. And yeah, you can get me on LinkedIn too. So we try and post some things on LinkedIn. Greg Markell and at Ridge Canada Cyber Solutions.
Jason Pereira: Excellent. So I highly encourage everybody to take a look at this because this is a ever growing problem and will become commonplace and there will be a time where we can't imagine that we wouldn't have cyber insurance. Greg, thank you very much for taking the time to come in.
Greg Markell: Thank you, Jason.
Jason Pereira: So I hope you enjoyed the conversation with Greg. I hope it'll inform you as to why cyber insurance is not just some new fad. It's something that's very necessary for most of our businesses. Please look into this and make sure you protect yourself and your business. As always I'm Jason Pereira. If you enjoyed this podcast, please review in iTunes, Stitcher, or wherever you get your podcasts. Take care.
Speaker 1: This podcast was brought to you by Woodgate Financial. An award-winning financial planning firm catering to high net worth individuals, business owners, and their families. To learn more, go to woodgate.com. You can subscribe to this podcast on Apple podcast, Stitcher, Google play, Spotify, and SoundCloud. For more episodes, go to jasonpereira.ca. You can even ask Siri, Alexa, or Google Home to subscribe for you.