EPISODE 71
Learning from Latest in Cyber Insurance Claims


About this episode

January 19, 2021

A new cyber insurance claims study of smaller businesses shows the top types of cyber-attacks, as well as their causes, for the first half of 2020. Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group.


Episode Transcript

Kip Boyle: Hi, I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly Cyber Risk Management journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: So we start by transcribing the four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text. They put clickable links in for all the resources and they create the best look and feel for each episode.

Jake Bernstein: And finally we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: So download the current edition now. All you have to do is go to b.link/crmj. That's the letter B dot L-I-N-K forward slash C-R-M-J.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now, on with the show.

Speaker 3: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey Jake. Well, I thought it would be a good idea if we took a look at this report. It just came out, publicly released a little while ago. It's a cyber insurance claims study and it shows the top types of cyber attacks as well as their causes for the first half of 2020.

Jake Bernstein: Very interesting. So who published this report?

Kip Boyle: This is a new source to my eyes. It's by a company called Coalition, and Coalition is a new type of cyber insurance company, but they've got a familiar story, right? They're a Silicon Valley startup. Their valuation is over a billion dollars now. So it's a unicorn. Yep, yep. They currently insure about 25,000 small and medium sized businesses, right? So this data set that they used for this report is coming from their customer base, right? So if you're a giant enterprise and you're listening to this, okay, there's probably some relevancy here, but you're not in this data set, so. So that's okay though, because even though it's limited information, I still think it's useful, right? And there's some other biases in here.

One of the things about Coalition that I find really fascinating is that they not only provide you with insurance, they also provide a limited information security team functionality for their policy holders. So, if you were a giant enterprise and you had an information security team in house, they would conduct security incident investigations for you. They would monitor your computers to make sure that malicious code was detected, that sort of thing. And that's kind of what Coalition is doing. They're starting to actually deliver cybersecurity or information security services as part of the coverage that they sell, which I think is very innovative. So I just wanted to take a moment and just describe how Coalition is different than the NetDiligence cyber claim study, which we've talked about before. We'll talk about it again, because it's really good, but this is a new one and it's a little different.

Jake Bernstein: Interesting. So one thing real fast is that the Coalition is not a sponsor of this episode or the podcast-

Kip Boyle: Correct.

Jake Bernstein: We just found this. So this has nothing to do with Coalition.

Kip Boyle: I've never even spoken to anybody at Coalition.

Jake Bernstein: I've never heard of them until right now. What I find really interesting is that they're kind of a hybrid company really is what you're saying. I mean, because when you think about cyber insurance, there's actually a lot of different players in the insurance industry. You've got the underwriters, you've got the brokers, you've got the... All the different entities that are involved. And it can be very, very complex as to what legal entity has what liability for when. And so it's interesting that this Coalition company is... They seem very focused on cyber insurance. Yeah, to my knowledge, they don't provide any other insurance products.

Kip Boyle: Well, they do provide errors and omissions insurance dominantly for tech companies, right? And that kind of makes sense.

Jake Bernstein: That makes sense.

Kip Boyle: That's sort of their pedigree, right? Is kind of tech company, but their customer base actually includes a lot more than just tech companies. So that's one of the reasons why I thought this was going to be useful to explore with our audience is because the data set, while limited, and there's some bias in there, I still think it's insightful.

Jake Bernstein: Yeah, so let's move into it. What was the number one claim that they found? I'm going to guess it's not shocking.

Kip Boyle: It is not the least bit shocking to my ears. It's ransomware, and 41% of all the cyber claims in the period that they examined, right? Which was the first half of the calendar year 2020. 41% of all their cyber claims were ransomware. And it's really interesting because again, the fact that Coalition has data, not just what was reported by the claimant, but they actually have systems data, right? Is what I see when I look at this report. So they actually have more data about their claims than I think a typical insurance company would because they have direct access to the data.

Jake Bernstein: Yeah, sounds like it.

Kip Boyle: So what they're saying- Yeah. So what they're saying is that the most popular attack vector was phishing. And in fact, just to kind of back up for a moment and look at the entire data set, 54% of all the cyber attacks in their data set started with an email.

Jake Bernstein: And when you say that, does that imply phishing or does it just mean that somehow email was involved?

Kip Boyle: Well, they don't... Okay, in the report, I didn't read an answer to your question, which is a good one, but it's implied I think that these are phishing attacks of different types, whether it was a broad based phishing attack, or a spear phishing attack, or a whaling attack. I mean, take your flavor, but I believe that what they are saying is it all started with a phishing attack.

Jake Bernstein: Got it. Okay. Yeah, so they helpfully used the nomenclature email slash phishing, so we'll just assume it was the same thing. So, okay. Very interesting. And I like how they... I mean, I think you're right about this, how they have the... Having the percentage broken down, or having the claims broken down by attack technique is really quite interesting. It's frightening to me- crosstalk.

Kip Boyle: And you know what?

Jake Bernstein: Access is 29%.

Kip Boyle: Yeah. So this is really... This is one of the reasons why I thought our audience would really appreciate this because cause and effect, right? Insurance companies that are selling cyber policies have a big problem in front of them right now and have been for years, which is this, okay, if I'm going to sell an insurance policy, it is in my best interest as the insurer to decrease the risk of a claim, right? That's the way all insurance really works or most all insurance works. Like fire insurance, right? Okay, if I'm going to sell you a fire insurance policy, I need to know that you have sprinklers built into your building. I need to know that there's a fire department within a reasonable distance. I need to know that there's a fire hydrant within a reasonable- All that stuff, right? And so you get a preferred rate. Well, insurance for cyber is still trying to sort that out. And I think this is really interesting because Coalition's going to have actual data about the claim separate from what the claimant's report, right? So, they're going to see it more clearly.

Jake Bernstein: Yeah. That's a really good point. And I think there's a lot of places that you're just not going to get fire insurance without a certain minimum level of protection. And I wonder if that's going to be... My guess is that we'll move there with cyber insurance as well.

Kip Boyle: Yes, absolutely.

Jake Bernstein: As we've talked about in the past.

Kip Boyle: Yep. That's absolutely going to be the case.

Jake Bernstein: So if ransomware was 41% of all cyber claims, what was the set- What was the number two claim and what was the percentage of that?

Kip Boyle: Okay. So no one will be shocked by this either, right? There's really no shocking information. Well, I could think there's one thing in here I think people will find surprising, but we'll get to that later. But the number two claim was funds transfer fraud and it was 27% of all the claims that they received.

Jake Bernstein: So is funds transfer fraud the same thing as a business email compromise? Or is that crosstalk different?

Kip Boyle: No, I think so. Because a funds transfer fraud that didn't involve technology, like if it was an insider embezzlement or something like that, I think that would be categorized differently.

Jake Bernstein: Got it. Interesting.

Kip Boyle: Yeah. So, okay. So that's the number one and the number two claim, right? There's others, go get the report, take a look. There's others. That's what we have time to look at right now. But again, because they have additional information, they also published about root cause. And so what- Again, there's no surprises here, right? But what are some of the root causes? Well, remote access was the root cause of a lot of the ransomware incidents, right? In other words, because everybody went to remote work fast as a direct result of the COVID-19 pandemic and the quarantines, there's a lot more remote access surface area to attack. And a lot of it's not configured very well because it was put in quickly. So that's one root cause. And then another root cause of the funds transfer incidents was all kinds of email shenanigans. So intrusion into an email system, invoice manipulation, domain spoofing, right? So, all of this is really under the umbrella of phishing, I think because these are just specific techniques.

Jake Bernstein: Interesting. Yeah. No, I think that's really important. So how about the deal- What is the deal with email here and does it matter which provider you use? Is there anything that people should look out for?

Kip Boyle: Now here's the thing that I thought was insightful, I had suspected this, but I'd never seen any actual data on it. And according to this study, organizations that used Microsoft Office 365 for their email were more than three times as likely to experience a business email compromise as compared to organizations that used Gmail.

Jake Bernstein: So do they have any reason for that? Is it-

Kip Boyle: They didn't say.

Jake Bernstein: Because to my knowledge, Microsoft Office 365 is, it remains far more popular amongst businesses, but I wonder if it has something to do with the Exchange server, the built-in, maybe just the default levels of security could be different. That's a really interesting question and I'd really love to know more.

Kip Boyle: So I can share a little bit of information with you that was not in the report, but that I went off and found out for myself. So, what I found out... One thing I found out that I thought was really interesting is, Google's installed base for Gmail is way bigger than Office 365, like 10 to one, something like that. It's a huge, huge number, Gmail, right? Much, much bigger than Office 365. And they've been doing it longer-

Jake Bernstein: That's taking into account consumer free Gmail accounts?

Kip Boyle: It does, but that's relevant here because if you are trying to put anti-phishing controls on the customers of your email system, the more data you have about what those attacks are actually like, and the more years you have doing that work, it's likely you're going to be better at it. You're going to be better at detecting it, you're going to be better at getting rid of it, better at preventing it. And so I think what's going on here... One thing that's going on is, Google just knows how to do it better right now. And that's not to say that Microsoft won't catch up as their installed base grows. They probably will, but that's kind of the state of the art right now is very uneven between them. And I think that's why.

And another thing that I think on too is- And again, it goes back to your point about how Gmail has a lot of non-business users, right? Just college kids and just people who just need a personal email address and that is targeting. So if I'm going to spear phish you or I'm going to whale you, okay, well, I presume that the whales are in O365. So I just choose that one, right? It's the same reason why Windows as an operating system is more targeted than Linux or Mac OS or whatever. It's because that's where the fish are, so to speak.

Jake Bernstein: Yeah, no, it's very true. I mean, I think you're going to go where the biggest players are, and that is the case, plus I'm not sure how easy it is to... I mean, Gmail is a proprietary system that has not, I mean, in some ways it's younger than Exchange is, but-

Kip Boyle: Oh, it is. Yeah.

Jake Bernstein: Anyway, we're speculating-

Kip Boyle: But Exchange has a history of being an on-premises solution that had limited scalability, right? So you might scale it to the size of a Boeing or a large enterprise, right? But O365 is scaled way beyond that. Way beyond that, right? Whereas Gmail has been operated at scale from the beginning, so that's a little difference in their history.

Jake Bernstein: For sure. So, okay, what are the... Do they have industry data? Because you had mentioned that they have about 25,000 insureds and I'm really curious to know if they have data broken down by industries.

Kip Boyle: Yeah, they did. Now this report wasn't as bristling with data as the Verizon data breach-

Jake Bernstein: Of course not. Nothing crosstalk Nothing is as data heavy as the good old DBIR.

Kip Boyle: The DBIR, but I couldn't help myself as I read this report, I was like, "Come on. More, more, more, more, right? Give me more data, give me more data." Well, so they had some information, and my big takeaway from what they did offer was that, when it comes to ransomware, their data set showed that retailers, professional services, and healthcare were most often the victims of ransomware. Which I thought was interesting because if you just looked at the headlines in the news, you would think healthcare would be number one and maybe they are across the board. And so maybe Coalition just doesn't insure very many healthcare organizations, I don't know, but they were number three in this data set.

Jake Bernstein: Very interesting. Very interesting indeed.

Kip Boyle: And the business email compromise, right? Or the phishing... Well, the number one and the number two industries there are professional services and financial services. So what I thought was pretty interesting about this, right? Is that professional services is number one, attacked for business email compromise and number two attacked for ransomware. And so then I looked in the mirror and I said, "thank God I have cyber insurance." Because that's a big part of what I do, right? So.

Jake Bernstein: Yeah, absolutely. It's very... And I wonder too, if... I mean, one of the limitations of this data set is that it is small and medium size business. So, I think it might be difficult to draw too many conclusions about... I wouldn't necessarily use this to draw conclusions about enterprise.

Kip Boyle: No, not necessarily. And I think there's some real limits even in terms of the small, medium business profile, right? I mean their data set does not include... Probably if I went to a statistician and I said, does their data set include a representative sample of all SMB? And-

Jake Bernstein: They'd say, no.

Kip Boyle: Yeah, they'd probably say no. I'm not sure, right? Because I haven't seen the data set, but there are some disclaimers in the report that make me believe that's probably what would happen if a statistician took a look at this. And so, is there 90 degree or I'm sorry, 90% confidence in these results? I'm not even sure that they've reached that level, but I just think this is a very interesting thing because I believe in the future, right? They're probably going to grow and other people are going to copy their business model. And I think future claims studies will look more like this. And really, let's face it right now as a cyber risk manager, you need all the data you can get to figure out what works because that's ultimately where-

Jake Bernstein: Absolutely.

Kip Boyle: Yeah, that's ultimately where I want to take this episode today.

Jake Bernstein: And one of the things that's great actually about this is I'm seeing here that in their sample, a large organization is revenue of a hundred to 250 million. Which the reason that's great is that, we often talk about our client demographic and this company appears to be squarely in that zone, which is really helpful because so much of the time, it's actually hard to get information on stuff that's not enterprise. So I want to just clarify that it's not a negative that enterprise isn't included here. In fact, it's quite a big positive. So, let's move on to... This is super interesting information as a young company. What else do they offer in here and what should our listeners do with this information?

Kip Boyle: Yeah, so thank you. Thank you. Nice segue. That's where I want to go. I think there's four conclusions in the report that we should take a look at here. And again, I don't think any of this is strikingly new or I don't think there's any really deep insight here that I've never seen before. It really reinforces my experience anecdotally and also some of the other things that I've seen published elsewhere. So, but there's four things that this report talks about. The first is that in their data set, they're seeing that the losses are increasing both in number and in severity, and they attribute a good chunk of that to the broad adoption of remote access- Well, just technology in general, but remote access solutions in particular.

Jake Bernstein: Which has become, I would say, non-optional during the COVID-19 pandemic.

Kip Boyle: That's right. And since this data set only covers the first half of 2020, I can't wait to see the second half of 2020, because I think that's when most of the shenanigans have probably occurred.

Jake Bernstein: Yeah, that's quite correct. And I think what's interesting here too, is that even though they say that the number of cyber attacks is not actually increasing dramatically, much more concerning is that the rate of success has been boosted.

Kip Boyle: That's right. Yeah, that's right.

Jake Bernstein: And I think it might be that the number of cyber attacks can't meaningfully increase, because the fact is, is that most everyone's being attacked most of the time. And we only define a cyber attack when it actually does something. And what we're seeing is, more effective cyber attacks. That's bad news.

Kip Boyle: That is bad news, yeah. It just means that the attacker's success rate is increasing, right? Their virulence. I love using the health metaphor here. And I think it also backs up the basic assertion of my book, which is that cyber criminals innovate all the time. And so, think about it. They're not attacking that much more. Maybe 10% more attacks, but their success rate is much higher than 10% more. And so that just means that they're just getting better at what they do, unfortunately.

Jake Bernstein: Wonderful. So-

Kip Boyle: Yeah, crosstalk.

Jake Bernstein: I think the next point though is actually helpful, which is that cyber insurance works. And the reason it works is that it can pay for loss and play a critical role in helping an insured entity recover operationally. And that's something that I want to talk a little bit about primarily because I'm experiencing it right now with the lack of sleep and everything. Which is that I think people often don't realize the sheer amount of work it takes to rebuild a compromised IT infrastructure and the costs associated with a cyber attack. I think people unwittingly focus on kind of the headline drawing data breaches, where there's... Even those have, quote, hidden costs, for example. If you have to send out a hundred million letters, physical letters, even postage is expensive, right?

But what about situations where you don't have any consumer data and data breach isn't really a major issue? What happens then? And I think people just plain forget that, for example, if you're hit by ransomware, even if you have a good backup, let's just say that you do, it's going to take you days to weeks to fully clean your network or rebuild it from scratch. And during that time, not only are you making no money, but you are probably spending money on help to get that network back up and running. And I think that because of that, cyber insurance, this is one of the most important areas that it comes in. And I think even if you assume I'm never going to pay the ransom, which I think is easier to say in theory than in practice, there's a lot of cost associated with these events. And so I think that having that ability to stand on the insurance policy is huge.

Kip Boyle: And that's what our friends in the insurance industry would call first party costs, right? Direct costs to you, the person who's experiencing the loss. And the third party costs, right? Those are the other people who get harmed. So in the case of a massive data breach, that's the money that you pay to send those letters and to make other people whole. And so that's what people are used to, but you and I have both seen cases where an organization that's actually not very tech savvy, that's operating some kind of a manufacturing-esque business, right? Where there's some kind of production line and they've got proprietary data that they need in order to either assemble products or package raw materials in a way that their customers want. And if you don't have that data, then you really can't run your production line.

You can't make things, you can't pack things, or you're going to have to make them and pack them very differently. And that might actually result in a crisis of confidence with your customers. So, yeah. But back to the point, right? Cyber insurance, it's working, right? It plays a very important role in your first party costs. And then getting you back into business because every hour that you're not doing business is an hour of lost revenue plus all the expenses. And yeah, I mean, I just tell all my customers, you need cyber insurance and not one of these little dinky add-ons to your main liability policy. That's rarely sufficient. I've seen some- I saw one customer that effectively had $10,000 of cyber coverage, but that only came into play after they absorbed $10,000 of losses. And then every dollar above $21,000 was uninsured. And it's like-

Jake Bernstein: Uninsured, yeah, that doesn't help.

Kip Boyle: You might as well have no coverage, because you can't even call Jake for $10,000. I kid. But it's just, you look at the claims, right? I think this report said like two million dollars, right? Was a typical claim amount kind of on the high end. Two million dollars, right? And if you're an SMB, that's a lot of money, so. Okay, so that's point number two-

Jake Bernstein: A lot of money.

Kip Boyle: Yep. So point number three is-

Jake Bernstein: What's point three?

Kip Boyle: So nothing and no one is a hundred percent secure. Again, that's nothing truly revelatory, but I thought... This is what they said behind that. They said, claims were made by small businesses, large businesses, for profits, and nonprofits across every industry and despite investments in cybersecurity. In other words, these people were not- Were a huge variety of shapes, and sizes, and types of organizations. And they were not uniformly asleep at the switch, right? They were all doing something to be cyber secure, but no matter what they were doing, these folks ended up filing a claim. So, and I don't think- Now point number four is going to sort of address something that our listeners are probably thinking right now, which is, if I'm going to spend money on cybersecurity and I'm out of a claim anyway, then what's the point? Just buy insurance and don't do anything. But point number four is going to refute that.

Plus in the future, you won't really be able to do that because I think insurance companies in the future won't even sell you a policy unless you are meeting a minimum standard, right? Kind of at a minimum, I would think, right? And if you did more, you'd probably get a preferred rate. But I think the takeaway from point number three is, if you don't think you are at risk, you're probably wrong.

Jake Bernstein: Exactly. And we should point out too, that- I mean, and to the point that's coming up, just because it seems impossible to avoid the attack or just because you think, "Oh okay, I can just get insurance and it's fine." Keep in mind that the level of controls that you've built in, and the level of preparedness you have, are still going to play a key role in determining how you come out the other side of an incident. And I think that it would be a huge mistake to assume, "I don't have to do anything because I can just buy insurance." I mean, again, as you said, even if you could get insurance by doing nothing, which I don't think you could, the issue is recovery is much, much, much harder without being prepared. And so I think the final point here that we want to make is that, look, the root causes of security failures are pretty much known and predictable.

And the Coalition report echoes that. They say, and this is a quote, "The implementation of basic cybersecurity controls could have avoided a majority of the claims and losses. No cost and low cost controls would've eliminated a majority of losses experienced." And this is such a critical point. And I think if you listen to what the controls are that they're talking about, multifactor authentication is essentially free for most businesses on most systems. I mean, you don't have to pay for it at this point. Routine backups, but routine offsite backups. And offsite doesn't necessarily mean a totally different physical location, although that is advisable. But we do need people to remember that as convenient as network connected backup solutions are, the bad guys know about them. And they're not going to ask you for money until they've encrypted both your actual data and your backups. So this is-

Kip Boyle: But in the reverse order, they're going to find your backups, they're going to encrypt them first-

Jake Bernstein: Yes.

Kip Boyle: And then they're going to come at you.

Jake Bernstein: Yeah, they'll do it stealthy. They'll either delete your backups or they'll encrypt them. And because again, it's... Well, I guess all I can say is fire doesn't innovate, hackers do, and-

Kip Boyle: Yeah, early versions of ransomware didn't do this, crosstalk.

Jake Bernstein: A really good example. Yeah, I mean the early version was, oh, we'll just encrypt your live files, and we'll hope that you'd rather pay us, at the time, relatively small ransoms, rather than go through the pain and suffering of a backup restore procedure.

Kip Boyle: Yeah.

Jake Bernstein: Well-

Kip Boyle: I remember five years ago, ransomware was just something that a consumer would get on their computer. It would tie up all their family photos and they'd have to pay $300 to get it unlocked. And that's kind of where it was. And now we see-

Jake Bernstein: Now however, you have-

Kip Boyle: Hundreds of thousands of dollars-

Jake Bernstein: Highly sophisticated-

Kip Boyle: Millions of dollars of ransom and yeah, super sophisticated attacks and-

Jake Bernstein: And something else that- Sorry, something else that this doesn't even take into account yet, is that in the last six months, it is basically... You can basically assume that if you've been hit by ransomware, they probably took data first.

Kip Boyle: Yes.

Jake Bernstein: Which means that- And the reason for that is that they want to- Again, they're looking for ways to force you to pay. So now it's, if you do have, and again, this is a perfect example of bad guys innovating, because the routine offsite backup system is not that difficult to pull off, what it means is that by exfiltrating your data and stealing it, they have a secondary source of blackmail. Which is, okay if you do have your offsite backup, you can just restore. Then we're going to threaten to release this as a data breach if you don't pay. And so, again, it's just another example of ways that these criminals are making it harder on you.

Kip Boyle: Yep. Yeah, there's even a new, the newest wrinkle that I'm aware of is when they're taking all your data before you know they're in your system, one of the things that they're also starting to do is they're vetting your finances. They're actually looking at your cash balances. They're looking at short-term investments, they're looking at anything you can liquidate to raise cash. And they're basing the ransomware demands on your actual ability to pay as reflected in your financial statements and your records. So, don't even try to negotiate with that, right? Because they can see your hand, they see every card that you're holding, and every card you're going to get dealt. It's horrible.

Jake Bernstein: Yep. Well, and it makes sense if they're in there for a few weeks in order to do all their recon before they actually hit the encrypt button, of course they know that stuff.

Kip Boyle: Yep, yep.

Jake Bernstein: So-

Kip Boyle: And they're going to use it.

Jake Bernstein: What are the other techniques that this report talks about? I see password management, email security, wire transfer verification. Wire transfer verification is one of my favorite examples. I mean, talk about a no cost control. Literally. You just need to verify a wire transfer with a phone call or something. Just one other way. I mean, it's not even... This is 100% a processes and procedures control. There are no technical- There's no software you need to buy. There's no configuration of anything. This is a totally simple, we can literally just decide that we're not going to do a wire transfer without a phone call verification. That's it.

Kip Boyle: Right, right. Well, now there's some subtleties there, which I help my customers with, right? Which includes things like, when you do the phone call verification, don't use the phone number in the email that you just received.

Jake Bernstein: Definitely not.

Kip Boyle: Right?

Jake Bernstein: Yeah.

Kip Boyle: And-

Jake Bernstein: There's some operational security things that you do need to be aware of, but they're not that hard.

Kip Boyle: They're not, but this really underscores another really important point, which is, cybersecurity is a team sport and it takes people, process, technology, and management all working together, kind of like a four cylinder engine, right? Every cylinder's got to be firing. And this procedural aspect is a great example of something that you can do. And so, yeah, so there's five things. Let me just recap, right? There's multifactor authentication. And I would start with banking accounts first. Routine backups that are not attached to your network. And synchronizing to the Cloud doesn't count. Better technical defenses against phishing. And that might mean email providers. This dual control for funds transfer is the fourth one. And then the fifth one is using an attack resistant password manager to its fullest capabilities. Now, it turns out that those five things are very, very well aligned with something that we've talked about in a recent episode, which is the Essential Eight by the Australian Signals Directorate.

And so if you want to future-proof your business, and if you are a large enterprise, you should be exploring the Essential Eight and you should be making plans right now to implement all eight of those controls in the prioritized order, and according to the maturity model that they have published. It's free, super practical stuff. I don't make a penny by telling you this, but I do tell my customers that you really need to do Essential Eight, because again, what percentage of all of the cyber attacks in the claims started with an email? It was 54%. Which tells you that the cyber battles today are not at your firewall. They are not on your network. They are at wherever you're processing email. That's where you've got to pivot. That's where you need to fight your battles, and that's where the Essential Eight will really come into play.

Jake Bernstein: Absolutely, could not agree more. I think this is a... I think these examples here are just even more helpful that we just kind of have to be aware that this is the world we live in, and it does not take a ton of money to protect yourself, but it makes a big difference.

Kip Boyle: It does make a big difference, but it is kind of like resolving that you're going to eat more healthily this year.

Jake Bernstein: Very much so.

Kip Boyle: Right? It's a different way of living. It's a different way of living. It's not quite as fast and loose as what you may be used to. And so you need to use a little bit more discipline. But really, I mean, this stuff is not... These are not fad diets and I think this stuff is totally achievable. Okay, anything else before we wrap up Jake?

Jake Bernstein: No, I think that's it.

Kip Boyle: All right. Well, thanks everybody for being here. And that's a wrap on this episode of the Cyber Risk Management Podcast. Today, we looked at a cyber insurance claims study that showed the top types of cyber attacks as well as their causes or ways of preventing them for the first half of 2020. Thanks for being here, and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.