Participants in the discussion were Sara Anstey with Novacoast, Jacub Bruning with Digital Office Systems, Kevin Colborn with High Touch Technologies, John Dobbin with Pileus Technologies and Brian Schnese with Hub International.
Who in an organization is responsible for cybersecurity?
Jacub Bruning: Chief Information Security Officers (CISO), Cyber Team Leads, Chief Information Officers (CIO), and leadership teams are the common answer. However, an organization that has a cyber-focused environment will give responsibilities to everyone to ensure the strongest cyber security stance possible. You can spend your entire budget on cyber security measures just to see an incident still occur, because of one complacent individual. Everyone needs to be responsible for cyber security. What may be an obviously fake email to one individual may be the downfall of another. Having the appropriate reporting channels, procedures, and policies in place, topped with documented training, will allow for risks to be identified by those in the trenches and provide greater visibility for your cyber teams and experts.
Kevin Colborn: Within an organization, everyone has a role to play when it comes to cybersecurity. After all, an overwhelming majority of cyberattacks start with human interaction. Hackers don’t necessarily care if the device they’re attacking belongs to a salesperson, manager, or executive, as long as they can weasel their way into the system. Once they break into an entry point, hackers can snake through systems and hunt for valuable information.
Starting with leadership, organizations should provide their employees with tools and training to become gatekeepers to their data. In larger organizations, an entire team may be dedicated to security, managing all aspects from strategy to monitoring, threat detection, and response. On the other end of the spectrum, individual employees should be mindful of safe internet best practices when using company equipment.
John Dobbin: It takes the complete team from the beginning. Everyone shares the responsibility starting with management down to the entry level positions. Cyber security is more than technology deployment and configuration. People are our biggest asset, and largest risk. Engaging everyone in the process is critical to the success of a cyber security program in business.
Brian Schnese: Cybersecurity is no longer just an IT issue; it requires resources and buy-in from the entire enterprise. The magnitude and severity of the impacts organizations face in the wake of data security incidents should drive the level at which this domain of risk is managed. The analysis is clear – cyber incidents routinely negatively affect enterprise-level strategic initiatives and often pose an existential threat.
Who in an organization is responsible for maintaining cyber security policies and procedures to ensure that they are current?
Jacub Bruning: Everyone should be responsible for cyber security; however, cyber experts should oversee your policies and procedures. You want to ensure you have someone with their fingers on the pulse of the cyber world, to ensure the newest threats (which are daily) are being analyzed and mitigated as best as possible. Those mitigations will come in the form of training, and network or operational policy and procedure updates. You want someone more than just your I.T. head, your CIO, or your Operations Officer. Those individuals are busy ensuring daily operations in their departments. You need someone who is trained and has the time to continually evaluate the risks in the cyber world, and how they affect your organization.
Kevin Colborn: One of the easiest ways to ensure your cybersecurity policies and procedures are current is by working with a cybersecurity or managed cybersecurity partner that can provide CIO-level guidance and strategic road mapping. Cybersecurity is an expertise that changes rapidly, and staying current with new threats and technologies requires dedicated knowledge and resources.
For larger organizations, the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) should provide overall guidance for cybersecurity policies and procedures. Senior leadership can help establish the support required to establish buy-in from the rest of the organization.
John Dobbin: Maintaining policies and procedures starts with management. When initiating or maintaining a cyber security program, management, considering business risk, must have review processes that shape how policy is written and implemented. Consultation with legal, regulatory, insurance, and technical controls that identify and quantify risk must be regularly reviewed and policy adjusted if necessary. This is a fluid process that requires maintenance to integrate into daily business processes.
In what level of meetings in an organization should a cyber representative participate?
John Dobbin: The most effective cyber security programs start with engagement of the management team. Without full management onboarding, controls, whether technical or administrative, are impossible to enforce. Working with management, risks can be addressed, and the team can then work with operational entities to assure the best outcome at all levels.
Is a cybersecurity program limited to the IT department/service provider?
Kevin Colborn: Threat actors strike at all levels of an organization, so everyone must have the tools and training to defend the business from cyber threats. Having a single point of failure regarding organizational security is not advisable.
Other departments outside of IT/cybersecurity should also be included from an administrative standpoint—for example, involving human resources to ensure that all employees of an organization have been through security awareness training and that their training has been documented for compliance.
John Dobbin: Simply, no. The responsibility of managing company risk is a team sport. Meaning that each part of the equation has responsibilities in executing the policies that define the program and its success. Ultimately the IT department/service provider is a tool to use to manage those responsibilities and risks. For completeness, cyber security programs must be considered a business process, not a technical configuration.
How often should a cyber program be reviewed and who needs to participate in that review?
Kevin Colborn: There should be at least a quarterly review of a cybersecurity program to ensure it’s on track with the latest cybersecurity trends and regulations. New threats and vulnerabilities are discovered daily, and it’s vital to review controls and incorporate novel, sound strategies as needed. You should include the CIO/CISO, managed services provider (MSP) senior leadership, and human resources in the quarterly review and record all meeting minutes for reference.
John Dobbin: At minimum, a cyber security program should be reviewed annually. As a company rises in security maturity, needs may arise that will trigger review more frequently.
What is the importance of getting management buy-in on a cybersecurity program?
Jacub Bruning: Leadership teams must buy in on the organization’s cyber security program. Company culture starts at the highest level. If cyber security is not important or practiced by an organization’s leadership teams, that mentality will travel down to the lowest levels. Your leadership’s priorities will become your users’ priorities. Make sure cyber security is a priority. Also, security almost always comes at an operational efficiency cost. If your leadership team does not buy into the changes, they will quickly be disregarded to improve operations.
Kevin Colborn: Senior leadership buy-in is essential to enact change within any organization, and cybersecurity isn’t any different — it’s not just some switch you can flip and turn on. Technological security solutions, security controls, and organizational policies are all involved in an effective cybersecurity strategy. Management/leadership sets the example for employee buy-in. Additionally, leadership has the authority to make policy compliance enforceable.
John Dobbin: Management buy-in is critical to the success of a cybersecurity program. Policies must be enforced and processes and procedures in place to assure compliance. My favorite example is that a company must be prepared to sanction an employee for non-compliance. Without that buy-in, the program will ultimately fail.
Sara Anstey: The systems and networks that support modern business grow in complexity year after year. This leads to increased, sophisticated cyberattacks, and as a result, cybersecurity solutions grow in complexity as well. There are some tools and processes that will impact the way some users and systems interact. When management buys into security then the security and IT teams have a much smoother path to ensuring the security of the organization.
What is the best approach or philosophy to building an ideal cybersecurity solution?
Jacub Bruning: When considering or building a cyber security solution, you want to remember the phrase “Defense-in-depth”. This is a multiple-layer mindset. To simplify it, think of your house. Back in the day, only having locks on your doors and windows was considered safe and secure. Then the need for audio alarms arose. That then turned into security cameras layered on top. The final solution was a monitored system that allowed someone else to call emergency personnel to your dwelling on your behalf. The multiple security measures used to secure your house are Defense-in-depth. You want to ensure you are securing everything: email, web access, network perimeter, physical security, user training, etc. There are a lot of vulnerabilities, and the best approach is a layered defense-in-depth.
Kevin Colborn: There’s no such thing as a 100% perfect cybersecurity solution, but with more layers of protection, you can ensure your business is as secure as possible. Think of the individual layers of cybersecurity like slices of Swiss cheese — each one has a few large holes where a threat could pass through, but when you stack slices on top of each other, you cover up those holes, so the only way to get through the stack becomes narrower and narrower.
In building an ideal cybersecurity solution, you need the technology in place to help keep your business safe, the people/processes to ensure the company stays safe, and the education to ensure everyone in the organization knows how to recognize and report cyber threats.
While building your security structure, security awareness training (SAT) for your users is paramount. Social engineering accounts for around 90% of cyberattacks; it’s, by far, the easiest way for a threat actor to breach an organization. Providing SAT and phishing tests creates a collaborative culture within your organization. Users help report suspicious activity rather than being too afraid to report a potential incident. Fostering a good internal security culture can be incredibly helpful in preparing for possible targeted attacks.
John Dobbin: When building a cybersecurity solution, we must start at the ground and work up. In this sense, we start with people. Everyone plays a part, and the most effective beginning is with the investment in people. From there, assess business requirements, compliance mandates, and risks. Notice that I haven’t said anything about IT. While technical controls are a part of building a solution, they are only one tool in the chest. A complete solution will provide support for assessing the risks and informing what tools will be most successful at addressing those risks. A technical stack will address the risks where those controls can be effective but is not a complete solution.
What aspects of cybersecurity have become critical for organizations that have adopted a work-from-anywhere employment model?
Jacub Bruning: Two main aspects of cyber security have become critical as organizations move to a work-from-anywhere model: Mobile Security and User Training. The majority of organizations had implemented some sort of cyber protocols or solutions before the employment model shift. The problem is those solutions were designed for on-site workforces. As users move away from a secured network being protected and monitored 24/7, they have moved to residential-grade equipment that may or may not have the basic admin password changed. Users are working on public free networks at their favorite coffee shops before returning to their home office. These situations are the kind that keep cyber experts up at night. Security measures must be able to travel with the user. The second is user training. As users move away from secure networks, it is up to them to utilize good security practices. Users who know why they must perform an extra step before working, like logging into a VPN before focusing on the day’s tasks, are more likely to do it. An organization’s users can be one of your best cyber security tools if they are trained.
Kevin Colborn: Work-from-anywhere made everything more challenging for organizations to protect equipment, networks, and data—on-site cybersecurity resources no longer protect company equipment. Instead, endpoints are out in the wild and vulnerable.
Organizations must include some sort of multifactor authentication (MFA), especially with cloud SaaS resources. The beauty of MFA is that it adds verification to the login process, so even if usernames or passwords are compromised, the threat actor can’t easily gain access.
Additionally, endpoint management tools are all essential to secure data and track risk. Cybersecurity solutions like endpoint detection and response (EDR) work by monitoring networks and endpoints (computers, mobile devices, printers, tablets, etc.) in real-time to detect malicious behavior. When the system detects malicious behavior, it quarantines devices until threats can be investigated. Not only does EDR protect endpoints, but it helps prevent endpoints from carrying threats back to on-site networks when employees return equipment from outside the office.
John Dobbin: Work from anywhere has provided challenges, but this isn’t a new paradigm. Current challenges have persisted for years in how we assure a remote endpoint is compliant, and in how a remote worker can access company resources and data. This has brought remote management tools, collaboration platforms, zero-trust access products, and configurations that allow remote work to be productive and flexible, as well as new levels of BYOD configurations to allow productive remote work from unmanaged endpoints in a secure manner.
If your organization doesn’t have a huge technology budget, what are two tools you definitely need in your stack?
Jacub Bruning: The top two tools any organization needs and should have in its security stack are user training and Multifactor Authentication (MFA). So many issues can be stopped by just knowing the risks. Society is putting devices in schools at pre-school and will have them through college, yet there will be little to no training on the risks associated with using those devices. Most of the time users have no idea that what they are doing is a risk to your organization. Knowledge is power. Users can and should be your greatest cyber security asset, not your greatest concern. Utilize those individuals you trust to keep your organization successful by trusting them to keep your organization safe as well. MFA is an easy and, most of the time, free solution built into most applications or networks. If you have a third-party application, software, or website you utilize and do not have MFA on it, call your support team today. If the third-party vendor can do MFA, then activate it; if they do not, then request it and evaluate your risks of staying with that solution.
Kevin Colborn: Building a cybersecurity stack requires strong leadership buy-in and a long-term implementation plan. To get started, security awareness training (SAT) and multifactor authentication (MFA) are the most essential and accessible tools you should incorporate into your organization’s cybersecurity plan. Establishing controls based on ISO 27001:2013 or CMMC is a low-cost strategy that you should also employ.
John Dobbin: I would argue there are three. Robust backups, quality endpoint protection, and user training. I will argue that the latter is the most bang for the buck in cyber security. The better trained our “human firewalls” can be, the most common attack surface can be reduced.
Sara Anstey: I think having a tool that does vulnerability management and patching in a single tool is pivotal for any organization, especially one with a small budget. If you can keep your operating systems and applications on the latest (or nearly the latest) versions, you should be secure. A hacker will have a difficult time attempting to hack into a fully patched system. The second tool would be having a method of multi-factor authentication (MFA) that is widely deployed in the organization. If you can have all privileged accounts and as much of every other type of account utilizing MFA, it would go a long way to securing your organization against lost and stolen credentials. This is an inexpensive tool and has a good bang for the buck in terms of ROI.
What are the three key things you should be looking for in a managed cybersecurity partner?
Jacub Bruning: Three things organizations need to consider when evaluating a managed cybersecurity partner are credentials, monitoring level, and trust in them. First, it is very important to look at their credentials and understand what is important to your organization. If you have CMMC, ITAR, or HIPAA requirements, but their stack does not provide that, then you have an issue. Also, what are their technical certifications? There are many certifications out there, and it is important to know what value is added to your organization and the industry you operate in. Second is monitoring levels. Are you getting great tools and alerts, but you are left to figure out what to do with them, or are they taking care of those alerts for you? Are they monitoring endpoints only or including SIEM, network, email, etc.? Or did you buy the tools, and you are providing the setup, monitoring, and maintenance? Third, the most important thing is: do you trust them? They can have all the best sales pitches and demonstrations, but if you are uncomfortable, or not getting the transparency you would like, what is the point? This partnership is supposed to help you and your team sleep well at night. Is this provider going to meet those requirements?
Kevin Colborn: First, a managed cybersecurity partner should employ similar tools, practices, and procedures that they’re recommending for your organization. A partner with an industry-known certification like ISO 27001, AICPA SOC, or MSPAlliance MSPVerify is a great start — these certifications show that the organization has proved that they employ secure practices. Keep in mind that there should be proof that the audit was completed across the board and not in one specific area of the organization. Many MSPs don’t certify the entire organization yet still tout their compliance.
Secondly, they should be well-versed in creating a cybersecurity roadmap for their clients. Many clients will not have the budget to incorporate expensive security solutions, and it’s crucial to demonstrate the initial steps as a low-cost risk mitigation strategy to build a secure environment and relationship with trust.
Lastly, they should be knowledgeable in assisting the client in navigating compliance pertaining to their vertical in a cost-effective manner.
John Dobbin: One – look for a partner that can compare offerings you are evaluating to make sure you are getting an apples-to-apples comparison.
Two – your partner should be able to support your industry vertical and understand your business risks.
Three – a partner should be a resource of knowledge to guide you through developing your cybersecurity program.
Sara Anstey: One area I would look into is how the group handles conflict. There is no such thing as a service that will deliver 100% of the time, every time. So, you will want to know what the conflict handling process is and ensure you have a short escalation path to upper management and direct contact information for those individuals. A second area is the training program for their employees. I see many customers struggle with recruiting and retaining security professionals. Outsourcing a service to a third party doesn’t mean they don’t experience the same issues. So, how do they ensure their employees do not burn out and have a path for growth in their career path? People in general need the ability to grow in their career to reach their full potential. If a partner has a progression path, it ensures that their employees are consistently trying to learn and improve, which will be a direct benefit to the quality of your service. I would also look into how they recruit and train new employees as the ones they have advance; how do they fill in the gap left behind with new talent? The third area I would say would be the experience. I would be less interested in whether a partner has done work with companies similar in size and business as my own and more interested in how long and how frequently they have been working with the technology in question. This will help when encountering new tools as the space evolves and understand what changes in the evolution of the technology have occurred and ensure sound methodologies when implementing it for you.
How does an organization determine if a risk is acceptable and that the mitigation efforts are enough?
Jacub Bruning: This can be a tough question for any organization and even for cyber experts as well. The hardest part is what is acceptable for one organization or even for one situation within the organization may not be acceptable for others. In cyber security, we use risk assessments. These assessments most of the time cannot be templated as each situation and risk is unique. Also, each leadership team and individuals have different risk acceptance levels. The best thing to do is to have a risk board that consists of different levels and departments within your organization and not just your cyber team. This board will decide what metrics are to be inputted on how to best mitigate any risk.
John Dobbin: Determining the balance between risk and mitigation is a balance of cost/value of the mitigation control versus the asset being protected. If mitigating the risk costs more than the loss of an asset, the risk is likely acceptable and in-place mitigations are enough.
Sara Anstey: Every company has their own tolerance for risk; it is impossible to completely limit risk, so it is important to understand how much you are willing to take on as an organization and what to invest in in order to get below that point. Adopting a quantitative model for assessing risk is the best way for an organization to understand how much risk they are taking on and how to lower it. By using quantitative models, an organization can simulate different scenarios to determine how often events take place and what the impact of them is when they occur. This allows us to understand what mitigating controls have the highest ROI and reduce key risks by comparing your historical data with other industry data to help predict future loss.
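A worked illustration of the quantitative approach described in the two answers above (simulating how often an event occurs and what it costs, comparing the result against a risk tolerance, and weighing a control's cost against the loss it avoids). This is an added example, not code or data from any panelist; the scenario rate, loss range, control costs and effect factors are constructed sample values.

```python
"""Monte Carlo quantitative risk model: simulated annual loss, risk-tolerance
check, and ROI of a mitigating control. Constructed sample values throughout."""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected incident frequency (Poisson rate)
    impact_low: float       # per-event loss, triangular distribution (min)
    impact_mode: float      # most likely per-event loss
    impact_high: float      # worst credible per-event loss


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_factor: float = 1.0  # 0.3 => incidents happen 70% less often
    impact_factor: float = 1.0     # 0.4 => each incident costs 60% less


def poisson(rate, rng):
    """Knuth's method for sampling a Poisson count; fine for small annual rates."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def apply_control(scenario, control):
    """Residual scenario after a control scales frequency and/or impact."""
    f, i = control.frequency_factor, control.impact_factor
    return replace(scenario,
                   events_per_year=scenario.events_per_year * f,
                   impact_low=scenario.impact_low * i,
                   impact_mode=scenario.impact_mode * i,
                   impact_high=scenario.impact_high * i)


def simulate_annual_losses(scenario, years, seed=1):
    """One simulated year = number of incidents drawn from Poisson, each with a
    loss drawn from the triangular impact range; returns total loss per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(scenario.events_per_year, rng)
        losses.append(sum(rng.triangular(scenario.impact_low, scenario.impact_high,
                                         scenario.impact_mode) for _ in range(n)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile (q in 0..1), e.g. the 95th-percentile 'bad year'."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses, tolerance):
    """ALE (mean annual loss), a bad-year figure, and how often tolerance is exceeded."""
    return {"ale": mean(losses),
            "p95": percentile(losses, 0.95),
            "p_exceed": sum(1 for l in losses if l > tolerance) / len(losses)}


def is_acceptable(summary, max_p_exceed):
    """Risk appetite expressed as: tolerance may be exceeded in at most this share of years."""
    return summary["p_exceed"] <= max_p_exceed


def evaluate_control(scenario, control, years, tolerance, max_p_exceed, seed=1):
    """Compare ALE with and without the control; ROI uses the saving net of the
    control's cost, so a control that costs more than it avoids has ROI < 0."""
    before = summarize(simulate_annual_losses(scenario, years, seed), tolerance)
    after = summarize(simulate_annual_losses(apply_control(scenario, control), years, seed),
                      tolerance)
    saving = before["ale"] - after["ale"]
    return {"control": control.name,
            "ale_before": before["ale"], "ale_after": after["ale"],
            "expected_saving": saving,
            "roi": (saving - control.annual_cost) / control.annual_cost,
            "acceptable_before": is_acceptable(before, max_p_exceed),
            "acceptable_after": is_acceptable(after, max_p_exceed)}


# Constructed sample scenario and controls (illustrative numbers only).
RANSOMWARE = Scenario("phishing-led ransomware", 0.5, 50_000, 300_000, 2_000_000)
MFA = Control("MFA on remote and privileged access", 20_000, frequency_factor=0.3)
BACKUPS = Control("immutable off-site backups", 40_000, impact_factor=0.4)
TOLERANCE, MAX_P_EXCEED, YEARS = 500_000, 0.10, 20_000

if __name__ == "__main__":
    for ctl in (MFA, BACKUPS):
        r = evaluate_control(RANSOMWARE, ctl, YEARS, TOLERANCE, MAX_P_EXCEED)
        print(f"{r['control']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"saving {r['expected_saving']:,.0f}/yr, ROI {r['roi']:.1f}x, "
              f"within appetite after: {r['acceptable_after']}")
```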
Is penetration testing necessary to assess risks?
Kevin Colborn: Penetration testing is vital for internet-exposed assets; however, it’s also costly. Active penetration testing can cost upwards of $10,000 per asset. Persistent, highly visible services provided by an organization should have yearly, active penetration tests. Additionally, the tests should be performed when there’s any significant change to an asset.
Alternatively, passive vulnerability scans are much cheaper and can be completed with cloud tools such as Tenable or Qualys. They can help organizations identify external vulnerabilities at a lower cost and provide insight into what threat actors see when searching for targets.
John Dobbin: For most environments, penetration testing can provide great value in assessing risks that may not be adequately mitigated. Assessing the controls in place to test the expected response to an incident is critical to assuring the effectiveness of those controls.
Sara Anstey: I wouldn’t say it’s necessary, but a quality penetration testing group would directly show where the weaknesses are in your network. There are a growing set of tools that can do quantitative risk assessments to a wider set of businesses. This is helped by the many freely accessible reports of security data published annually by numerous global security vendors and research firms. The information available in these reports can be utilized to help companies predict the probability of the risks occurring and the potential costs and impacts to the organization. More traditional GRC platforms are also widely available and can help mid-to-large size companies get a handle on risk.
Brian Schnese: Hiring a professional to conduct penetration testing on various domains of your infrastructure is a core part of assessing your cyber risk. An exercise like this will give you deep insights into areas of potential vulnerability. Because this type of assessment provides a snapshot-in-time of your risk, it’s also advisable to make it a recurring part of your program. Insurance carriers typically expect to see penetration testing conducted at least annually, and implementing the practice will typically lead to more favorable insurance terms.
What do Wichita business owners need to know about the evolving Ransomware pandemic?
Kevin Colborn: When it comes to ransomware, education is critical. Having the cybersecurity tools in place to detect and defend against ransomware attacks is also essential.
Threat actors can target any business with ransomware, regardless of size or industry — business owners need to understand the risks, know how to recognize ransomware, and have a plan/cybersecurity expert who can assist if a ransomware attack occurs. Recently, threat actors have also begun using extortion tactics with ransomware, like threatening to release confidential or personal information unless you meet specific protocols. Furthermore, upon meeting the ransomware actor’s demands, they continue to double down on the threat until you pay more ransom.
It’s also vital for business owners to educate their employees on ransomware and how endpoints get infected. Security awareness training is an integral part of that strategy. It’s also crucial for business owners to engage with a security partner that can build up their security practices at a pace their business can support financially.
John Dobbin: Everyone is a potential target. No company is too small or niche to ignore the risk. Businesses that have not had an incident have been fortunate.
Brian Schnese: The deeply nefarious availability of ransomware-as-a-service products has weaponized a new cohort of less sophisticated threat actors and continues to drive average ransom demands skyward. Insurance claim studies place the average total cost of a data breach today between $200K and $9M.
What protections do you put in place for ransomware?
Jacub Bruning: Implementing an advanced endpoint protection software suite that utilizes artificial intelligence (A.I.) technology and is monitored 24/7 by a Security Operations Center (SOC). This sounds like an expensive solution, but as the need for this solution has grown, so has the availability and affordable pricing. This is the best way. Backups, while a good protection plan for ransomware, are not perfect. They are a reaction. The outages are already happening, and your organization’s reputation and revenue streams have already been affected. You need a real-time monitoring system that can implement fixes and quarantine the payloads as fast as the automated tools being used by adversaries.
Kevin Colborn: Our primary strategy is a “defense-in-depth” or multilayered approach to cybersecurity. This strategy can include educating clients on threat vectors, implementing multifactor authentication, employing immutable backups, enabling signature and behavioral endpoint protection, event log and information management, SaaS protection and auditing, intrusion detection, vulnerability scanning, and monitoring via a 24/7/365 security operations center that can correlate all of that information as an extended detection and response solution.
John Dobbin: We utilize a multi-layered approach to ransomware. Protection at the network edge including SSL/TLS inspection. Endpoint protections including extended detection and response including threat hunting. Ransomware specific detection outside of endpoint protection. Verified backups with air-gapped cloud repositories that can be spun up quickly while onsite assets are being remediated. An incident response team with experience in remediation to return an environment back to production efficiently.
How do you create an incident response plan?
Kevin Colborn: We recommend developing a separate incident response plan for every function within an organization. Each function should have defined stakeholders; identified assets; assigned risk designation; a process of identifying, protecting, detecting, responding, and recovering from the incident; and a possible breach notification plan, depending on the asset.
John Dobbin: Start with a template to begin creating your incident response plan. This will provide guidance learned and prevent having to reinvent the wheel. Keep things simple. Identify your response team and document how and when they should be engaged in an incident response. Include management, technical, legal, insurance, and public relations resources in this list. Include the steps to document the response process to identify the incident, contain it, and remediate it. Once the incident has been remediated, document the steps to recover. Include a post-event meeting to gain lessons learned and review the response plan for improvement.
How can cyber insurance help Wichita business owners transfer some of this risk? What does cyber insurance cover today?
Kevin Colborn: Cyber insurance can establish a good primer for an organization to begin its own journey to security best practices. While collecting cyber insurance quotes, your organization will likely uncover vulnerabilities you didn’t initially recognize.
Broadly, cyber insurance covers liabilities caused by the breach. This facet protects the organization from privacy-related fines if personally identifiable information or personal health information is released due to the breach.
John Dobbin: Having the right agent/broker is really the key here. We have one that we have partnered with that only deals in cyber insurance policies and that can communicate the different options to the customer. That is a value add that we bring to the table, as we know the tech side and allow them to communicate the differences in the policy.
Brian Schnese: Ultimately, we all retain and must manage cyber risk, but using insurance to transfer some of that risk is useful. Increasingly, carrying insurance is also helping organizations win new business and assuage prospective client concerns about the risk of doing business together. A comprehensive cyber insurance policy will be tailored to include multiple components specific to the needs of the organization. A one-size-fits-all policy is rarely the best fit for most organizations and what you need or want should be driven by your unique exposures, industry, and risk appetite. Most cyber policies contain some combination of coverage for breach response services (like computer forensics and a breach coach / privacy attorney), extortion payments, loss of business income, and third-party claims (like lawsuits and regulatory actions or penalties).
How does cyber insurance affect service delivery?
Jacub Bruning: Cyber insurance drastically affects cyber-service delivery. You must ensure your organization is meeting your insurance company’s required cyber security measures to ensure you are covered. Insurance companies were paying out a lot of money to claims throughout the COVID pandemic. They have been adapting and changing. Forms for insurance went from one page to small booklets to fill out. They require having basic cyber hygiene practices in place, and failure to do that could lead to a claim not being covered. You must know what your insurance plan covers, and what they require from your organization to ensure you stay covered.
Kevin Colborn: Cyber insurance has affected how service providers access client assets. It’s essential that the service provider can guarantee protection of privileged accounts. Multifactor authentication (MFA) requirements call for documentation systems to employ a TOTP software token within the solution to access the client.
Service providers also must consider the downtime caused by incident response investigations. They should create a method to efficiently offload data snapshots to the insurance company to quickly restore client operations.
John Dobbin: We know the controls that need to be in place; sometimes getting the customer to buy in to those controls can be a challenge. Though with a customer today that is either getting cyber insurance for the first time or renewing their policy, we are being validated that those recommended controls are indeed necessary for their protection.
What impact are the tremendous losses related to data breaches having on the cyber insurance market?
Kevin Colborn: From what we’ve observed, insurance providers are reducing the amount of coverage depending on the type of controls in place and the type of threat actor that caused the breach. Insurance providers are requesting proof of properly implemented controls for coverage. Also, some providers will not cover a breach if they have determined that it was an attack by a state actor.
John Dobbin: Insurance costs are definitely increasing. The insurance companies have been paying out huge sums because they were allowing customers to self-attest to their level of compliance. The insurance companies are now realizing that there need to be more stringent guidelines to get coverage.
Brian Schnese: The frequency and severity of claims in the last several years have had a devastating effect on cyber insurance carriers. Though it is developing toward maturity, this is still an emerging risk domain where risk quantification and assessment remains difficult. Some insurers have quit the market, while some are no longer writing new business. Prospective and renewing insureds should expect anywhere between 30% – 400% premium increases and elevated retentions as well. In terms of capacity, insurers are currently reluctant to offer more than $5M limits and are also leveraging coverage terms like ransomware restrictions, sub-limits, and targeted exclusions. In response to this rapidly evolving threat, underwriters now also want to see that their insureds have strong preventative controls in place and a proactive approach to managing cyber risk.
In light of the difficult cyber insurance market, what are some strategies that Wichita business owners can employ to ensure placement and favorable terms?
Kevin Colborn: Multifactor authentication (MFA) on cloud resources such as Microsoft 365 is imperative to achieve a reasonable cyber insurance rate. In fact, some insurance companies require it for approval. Endpoint detection and response (EDR) and tested backups are also critical for ensuring a reasonable rate.
John Dobbin: Make sure that your business and management team is having regular discussions about, and thinking about, what an attack may look like if that were to happen. Also, if you don’t have someone on staff who is currently responsible for cyber, there are a number of IT service providers that can help lead you down the right path.
Brian Schnese: There will be long application forms and supplemental questionnaires to complete, and shopping the insurance market can take time. Start the process 3 to 6 months prior to renewal or placement. By understanding what cyber controls carriers are looking for, you’ll also be positioned to put your best foot forward and win the most favorable terms. Among a long list of controls, multi-factor authentication should be enabled on company email and critical business applications. Systems should be protected with endpoint detection and response (EDR) capabilities. And of course, carriers want to see that you have sound data management and back-up strategies in place. None of this is typically cheap or easy, which is why it is also imperative that you budget accordingly and set realistic expectations with your management and board. Navigating this process is easier when you leverage the placement expertise and in-house cyber risk management resources of your insurance broker and carrier.
What are some of the trending breach response and insurance claim issues that should inform Wichita business owners’ approach to managing their cyber risk?
Jacub Bruning: Knowledge is power. Business owners need to know what is covered, and what they must do to ensure they meet the terms and conditions of that coverage. An email breach claim can go uncovered if the insurance company requires MFA on all email accounts and your organization failed to implement it. A good insurance provider will have their own response requirements and team to help assist if needed; however, that is often too late for a business owner.
Kevin Colborn: Business owners should consider cyber insurance like a safety cushion if their cybersecurity solution is compromised—one thing you need to consider is the downtime caused by incident response investigations.
Cyber insurance incident investigators will want to analyze the status of an asset that has been compromised, and this investigation can create days of downtime for an organization. The dollars add up quickly and painfully when your employees can’t do business.
In the same vein, as part of their cybersecurity strategy, businesses should create a method to offload data snapshots to the insurance company quickly so that client operations can be restored promptly.
John Dobbin: Employees can help by being aware of company policies, engaging in the training programs, and engaging with management if an improvement can be made. Think of the effect on security when making changes and engage the team to address any issues discovered. Encourage co-workers to engage in cyber security as part of company culture.
Brian Schnese: Most ransomware incidents will feature a double extortion. With respect to encrypted files, perhaps your back-up strategy is good enough to help you sidestep the demand for payment, but if sensitive client or customer data was exfiltrated, that will be used as a second leverage point. In the wake of a compromise like that, many face lawsuits and litigation. During these proceedings, communication that is made during your breach response without the legal protection of attorney-client privilege can sometimes create liability. It is advisable to consider invoking legal privilege. Additionally, most insurance carriers require timely notification of an incident, the use of approved response vendors, and a stake in the decision of whether to pay a ransom demand. All these factors should inform and be included in your cyber incident response plan.
What can employees do to help an organization’s cybersecurity program?
Kevin Colborn: An excellent security awareness training program can foster a company culture of teamwork to protect an organization. Creating a trusted flow of information from employees is important to help find threat vectors.
Creating a fear-based culture built on repercussions related to breaches and threat events will only delay your response time and hurt your overall security plan. Conversely, choosing a security awareness training provider should give your employees memorable training and foster a team-based cybersecurity mentality.
Sara Anstey, Data Analytics Manager, Novacoast. Sara Anstey is a Data Analytics Manager at Novacoast who is passionate about empowering businesses to use everyday data to make strategic business decisions. She believes that the intentional adoption of a data-driven culture can be a key differentiator to companies in today’s security climate. Sara has experience in custom web development, artificial intelligence, data analytics, business intelligence, and applied statistics.
Jacub Bruning, I.T. and Cyber Security Operations Manager, Digital Office Systems. Jacub Bruning is a 10-year cyber security expert who is currently the I.T. Operations Manager at Digital Office Systems, which provides managed I.T. services to SMBs in the Wichita area. In this role Jacub works every day to ensure the privacy and security of DOS’ clients, and works hard to improve their existing security footprint.
Jacub Bruning is currently finishing his MBA with an emphasis in I.S. Management from Emporia State University. He has a B.S. in technology from Pittsburg State University. He was originally trained in cyber security as an officer in the United States Army. He went on to lead multiple cyber teams focused on improving cyber security standards and monitoring for threats to their systems. Jacub helped write the standard for security practices utilized in the Army’s first electronic flight bag program for the Aviation Corp. He has been recognized by FORSCOM and CYBERCOM for his work in establishing a cyber focused culture and achieving high remarks on a NETCOM cyber audit.
Kevin Colborn, Senior Vice President of Network Operations and CIO, High Touch Technologies. As Senior Vice President of Network Operations and Chief Information Officer (CIO) at High Touch Technologies, Kevin facilitates operational successes for both clients and the enterprise through proactive technology solutions. Overseeing High Touch’s network operations center, cybersecurity practice partnerships, virtual CIO consulting, business applications team, and internal IT, Kevin’s strategic leadership and vision form the foundation of our comprehensive solutions experience.
With over 30 years of experience working in the technology industry, Kevin’s expertise has grown alongside the company, helping champion major initiatives to expand High Touch’s presence as a comprehensive technology solutions provider. He has served as a key member of High Touch’s acquisitions team, where he developed the company’s acquisition strategy, found and secured acquisitions, and oversaw integration efforts.
John Dobbin, Engineer/Cyber-Security Consultant, Pileus Technologies, LLC. I’ve been in the IT field since the late 1990s, starting with building computers out of my house. Becoming a Microsoft Certified Professional (MCP) in those days started my path in corporate IT administration, web hosting, and now managed services. Each environment I have worked in has provided unique challenges that I have learned from and bring to bear when approaching customer solutions. I have a degree in Information Systems Security and CompTIA Security+ certification. While cybersecurity has always been a part of my experiences to date, I have spent the last ten years focused on cybersecurity concepts and building knowledge. I am driven to provide the highest quality service in customer satisfaction and in cybersecurity. I am passionate about helping businesses not only protect themselves, but the families that rely on that business for their livelihood. I believe people are our greatest asset and risk and look to be a leader in addressing those risks.
Brian Schnese, Assistant Vice President | Senior Risk Consultant, Organizational Resilience | Risk Services, Hub International. Brian is a Certified Fraud Examiner and has over 15 years of professional experience in regulatory compliance and managing risk in state and federal government agencies, and in private industry operations including brick and mortar and online retail, supply chain, transportation, healthcare, and the financial industry.
Brian is a former Fulbright Scholar, former FBI Special Agent, and was most recently a Senior Manager in the National Investigations Center of a Fortune 50 corporation.
As a member of HUB’s Organizational Resilience Team, Brian specializes in developing and delivering Cybersecurity Risk Management focused solutions in addition to Enterprise Security Risk Management, Business Continuity Management, Fraud Risk Management, and Critical Incident Response Management solutions.