EPISODE 84
Minimum Viable Planning for a Cyber Business Disruption



About this episode

July 20, 2021

Do you have a minimum viable plan for a major business disruption in the age of ransomware and other intense cyber risks? Learn how to make one with our guest Dan Weedin. We’re your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Kip: Jake, hi. What are we going to talk about today?

Jake: Hey, Kip, today we have a guest Dan Weedin, and he's going to walk us through how to plan for a major business disruption in the age of ransomware and other intense cyber risks.

Kip: Oh, that's great. We need that. Dan Weedin, welcome to the podcast.

Dan Weedin: Hey, thanks for having me. I appreciate, looking forward to it.

Kip: Well, it's kind of on us that we haven't had you on the podcast yet. We've known you for quite some time now, we've done business together, but this is your first visit to the Cyber Risk Management Podcast and I'm glad we finally took care of that. So can we... [crosstalk]

Dan Weedin: And I've been wondering about that. I was a little bit nervous, I thought maybe I had done something wrong, so I'm thrilled to be here.

Kip: Yeah. Well, you did something wrong. You fixed it, you didn't even know that and then we're like, okay, we'll let them on now. No, you're clean as a whistle and you're here, so it's fantastic. Let's start by, please introduce yourself and tell our listeners a little bit about your background.

Dan Weedin: Well, thanks again for having me. It's hard for me to believe, I've been in the insurance and risk management industry for now going on about 34 years. And that was before cyber was even a word, I think. I don't know that cyber or anything related to that was even invented. In fact, I was thinking about this, when I first became an insurance agent, I still had to use a book, I had no laptop, I had no cell phone. None of that was around. I had to actually do things off of a book and write from a book.

Kip: That's your book of business.

Dan Weedin: Yeah, exactly. And by the way, my math skills have never been good. So the reality is the change was good for me. But I started in the insurance industry in the late '80s. And I've spent the majority of my career working with small and medium size businesses. After 16 years of being an insurance agent, I started my consulting practice in 2005. And the focus of that became more around risk management and what I call business continuity, crisis response, safety, everything like that helps a small and medium size business to stay in business regardless of what happens.

I was able to bring back my insurance brokerage in 2017 to make that part of my overall consulting practice, and as we're going to talk about today among other things, cyber and technology, and all of the fun things that come out of that Pandora's box have become a major part of insurance and in business continuity planning. So my work is really to help these small and medium size businesses that don't have the same resources as a fortune 500 companies.

Kip: But all the risks.

Dan Weedin: Yeah. They have whole departments of it. Right? And in my view, and I think you'd probably agree because of that small and medium size businesses are more at risk, more susceptible to having one of these attacks be fatal to their business. And so that's why-

Kip: They don't even realize they're a target.

Dan Weedin: -I love working. Pardon me?

Kip: They don't even realize they're a target in many cases.

Dan Weedin: They don't realize they're a target. And that's probably part of what we'll be talking about today. But that's a little bit about my background, 30 plus years in insurance and risk management and it's ever changing.

Jake: Thank you, Dan. That's great. So, having been around, as you said for 30 plus years, have you ever seen a situation where businesses have been more vulnerable to major disruption simply because they use the internet to serve their customers?

Dan Weedin: No. Jake, the quick answer is no. And the reality around that is that, when probably all of us started in business, at some point, if we lost power, we could still talk on the phone, right? The phones even still ring. Today, even a simple loss of power. And I know people are working virtually more now than ever, but even a simple loss of power can stop business in its tracks. When you add to it that technology and the ability to access just about every piece of information, any business, I don't care if you're a manufacturer, if you are a retailer, if you are an office, in services, the ability to get that information when you need it, if that's gone, it's crippling. And I even think, like I said, back 30 years ago, it took something more drastic to be crippling to the operation. So, yeah, no, you're exactly right, Jake.

Kip: Yeah. Like Hurricane Andrew, right, which would scrub the buildings down to their foundations, would mess with people. That was like 1992, across the state of Florida. And that was the kind of catastrophe. And I remember when I had one of my first jobs in the 1980s, which was fast food, and we had these computerized cash registers. And when they failed, which back then they failed a lot, it wasn't a big deal because they would just give us order pads and stubby pencils, and we would just keep going.

Jake: Huh. So Dan, it really feels like these days, and I think you just did a really good job of summarizing the change, but an owner or a senior decision maker can go to bed knowing that their business has never been better, but then wake up in the morning and have zero ability to serve the customers at all. And when that happens, of course, the number one priority has got to be continuity of the business. Given that, and given what you just said, how many businesses do you think are ready to deal with this kind of major disruption right now?

Dan Weedin: Yeah. Well, I'll use the pandemic as just a quick foundation for this, because I think it'll help in that. So I tell people that in 2020, every single small and medium size business activated their business continuity plan. Unfortunately only 14% of them actually had a written plan. So that means 86% flew by the seat of their pants. The same can really be said, it's the same concept with any type of a cyber attack. While everybody knew that cyber attacks happened to somebody else, having a written plan in place for a business... Let's just say a business of 25 people, which is still a significant business. You're talking two, 2 million, maybe dollar company, 25 people, something like that. All of a sudden, you wake up in the morning and you've had some sort of a ransomware attack. All of a sudden, you don't know what to do next, because it wasn't written down. There was nothing done before the chaos to say, oh, step one, call Kip or Jake. Step two, call the insurance, whatever it is.

Jake: It can be simple.

Dan Weedin: And here's the names, here's the numbers, here's what you do. And that's...

Kip: It's hard to fake your way through a digital crisis like that.

Jake: And Dan, one thing I want to do, because I think this comes up a lot, particularly in my practice is I really want to focus in on the importance of the written plan. Because I think sometimes, for better or for worse businesses will see a compliance requirement, like a written business continuity plan or written information security policy, and basically just think, oh, that's busy work. Or it's a waste of time.

Kip: It's window dressing.

Jake: Window dressing.

Kip: It's a way I keep the auditors away.

Jake: It's not real. And certainly we've all heard of situations where companies are quote compliant and they've got their policies and procedures in a big three ring binder on a shelf. But can you maybe explain in your experience, why does having a written plan matter?

Dan Weedin: And I love to answer that. I'm going to actually redefine, written and communicated, I think, because you just said something.

Jake: Yes, that's good point.

Dan Weedin: A lot of things can be written and gather the proverbial dust, whether it's on a bookshelf or, in the bookshelf inside of the cloud. Communicated is as important. So the written part of it does not have to be complicated. And I realize that's one of the obstacles that business owners have is, oh, it's complicated. It doesn't have to be. A written business plan for a small business can be as simple as writing down all the contact information of who's responsible, internally and externally, for something that is likely to happen to a business. Every business is different. A manufacturing company has different concerns than a retail or a technology company does.

Right? Everybody has different concerns around shutdown, period. As we talk about cyber, everybody has that similar concern. It's different scales. Just simply by having at the very top who is responsible in our organization to contact when this bad thing happens, who is our first call out. I try to tell people let's have that contact list right up front. Right up front so we don't have to search for it and then have a plan in place that says... it can be like a... I don't want to say it's a 30,000 foot, but it's at least a process that says, we're going to gather together. This is who's going to lead it. We're going to have a conversation about how bad it is. And then we're going to make the best decisions that were made prior to chaos happening, prior to the calamity.

Because what happens is if you don't write it down, after having done the work, short range decision making is made and the consequences are three months later, you might say, well, that was a terrible... Why did we do that? Well, it's because you looked at it through the lens of, we got to take care of the next five minutes. And so that's why it's so important to have it written and communicated because I'll tell you this. If I were to ask you, if you were my clients and you ran a company, and I said, who are first responders? You might say law enforcement, fire, medical, these are all first responders. No, it might be your receptionist as a first responder to any crisis that you have in your organization. It could be your human resource person or your director of sales, or whoever's in the building. However that looks has to respond first. And if they don't know where the game plan is and it's not spelled out now they're forced to make decisions for the company. But if they're given the confidence to say, Hey, somebody already thought about this, we've had this attack. Somebody's already thought about it. Here's who's in charge internally. Here's the external numbers we call and here's what we do next. That's the power of the written and the communicated.

Jake: That's great. Dan, and I think too, I mean, would you agree then that part of the benefit of putting a plan in writing is that it forces you to actually just think through these issues. And readiness and capability. Those are both semi military terms. I mean, that's where they tend to come from. And one of the things I often marvel about is what's the difference between the army and a mob? Well it's organization, it's command control, it's standard operating procedures. In other words, it's the thinking and the writing that has gone into organizing the situation. That's the difference, right?

Dan Weedin: Well, and Jake, you bring up something that's really important. You mentioned the military. Consider the term fog of war. Even in the fog of war in military, things happen because there's that fog. And so by having as much written as possible in a business circumstance, regardless of the type of... You're always going to have a certain amount of fog of war, but can you imagine how foggy that is if you have nothing in place?

Jake: It would feel like, it'd be pea soup and you have absolutely no clue where to go. I mean, and the other thing too, is that the confidence of having something written down helps to cut through some of that panic and chaos. I think we've all seen businesses freeze, and that just adds the recovery time. So that's great. That's a really helpful conversation. And I think we could probably do an entire podcast on the benefits of writing stuff down. But Kip, why don't you go ahead and ask about, another risk management process that we talk about before quite a bit.

Kip: Yeah. Cyber insurance. I find that I'm recommending cyber insurance to all my customers. I've heard Jake do it too. We think cyber insurance is a great deal. It's just a fabulous deal. It doesn't cost all that much for what you get when you need it. And so we really think it's the right thing to do. But you're in the insurance business. So how often is cyber insurance actually used?

Dan Weedin: Well, I haven't seen real recent statistics, but the ones that I've seen in the last years or so is that 50% of small business owners still don't purchase it. And I still note today as an insurance broker that I have to, and I hate to use the word talk into, but I have to really influence people to take a hard look at this. Because so many small business owners think about cyber insurance in the wrong way. They say, oh, I don't have anything that anybody wants. Right. Why would I be vulnerable to that? I'm a chiropractic office, or I'm a title insurance that's a bad one. But I mean, you're because they know, but they're saying, why do I need that? And so the importance is-

Kip: Dentists. I know of lots of dentists that have lost dentist businesses because of this.

Dan Weedin: Yeah. So, I mean, the reality is that there's so much out there on insurance that is required. You're required to have fire insurance, required to have liability insurance. To date nobody requires cyber insurance, although you're starting to see that more from a supply chain, where you've got either vendors or clients who are saying, you must have cyber insurance. I'm starting to see that more. But cyber insurance is probably the insurance policy of the 21st century, because you're more likely to have a cyber attack, a cyber claim, than any other event, including professional liability for those who need errors and omissions. You're more likely to have a cyber event. And I would say this, you probably are aware of many nonprofits out there that have boards of directors. The quickest way to be sued as a board of directors is to have eschewed cyber insurance. And now all of a sudden you have a tremendous financial consequence because of it.

Kip: Yeah. It's crazy how this has burst onto the scene so fast and without very many people really paying attention to this. I was thinking about this the other day, I was thinking about this in terms of, when you have your financial statements audited, one of the things that you do is you think about what are the material risks to my organization, and do I have sufficient funds to weather those kinds of things? And I know this is far more common in bigger organizations, but it seems to me that certified public accountants should be bringing this up as an issue with the companies that they do financial audits on, because they certainly would bring up other risks and would ask if they have reserves and that sort of thing. I mean, I'm not an expert at this, right. But it just seems to me like this is a material risk and it's financial. And I just don't know if those conversations are happening.

Dan Weedin: Well, I don't either. And I guess I'd even ask, especially if they're talking about accountants, CPAs that maybe are in smaller firms or on... they may not be purchasing their own cyber insurance. But if one thing-

Kip: Right.

Dan Weedin: -if one thing I can say on this podcast today is if you are a small or medium sized business, because most large businesses today, I mean really large businesses, it's part and parcel of what they do. But if you're a small business owner and you do not currently have cyber insurance, you're vulnerable to it. And I have seen a situation where I've got a small business client had five locations to their, to their practice or in the health field. They had five locations. They had a ransomware attack that cost $15,000 by the time it was done.

They didn't pay the ransom, but the cost of everything was $15,000. They had not purchased at the time. They have it today, but they didn't have it at the time the cyber insurance. Had they had the cyber insurance. When you took out the deductible and the premium cost, it would've saved them $11,000. Well, not everybody puts $11,000 in their budget to pay some year under the title ransomware attack. And so this is just plain old, a good old fashioned risk financing. And again, I would just reiterate, this is the biggest risk to any business. I don't care if you're a three person operation or a 300 person operation. This is a number one risk, because as I've heard Kip wax poetic about the cyber criminals, don't care about your size. They care about what information they can get, what type of money they can steal. There's a ton of ways that they can cause chaos and it doesn't matter.

Jake: It's very true. So obviously, Dan, we've been talking about ransomware. It's been in the news a lot recently, but cyber insurance can help with more than just ransomware response situations. What else can you tell our audience that it is good for? What else can it help with?

Dan Weedin: Well, how about this? And this is a recent example of a client cyber insurance situation. I have a client that was phished, and I think I'm using the terms correctly and had had fraud perpetrated on them to the tune of $124,000.

Jake: Sounds like a business-

Dan Weedin: So what had happened-

Jake: Business email compromise?

Dan Weedin: Yeah. So what had happened was they got an invoice and it was correct. And it was for 124,000. It got approved. And lo and behold, an imposter who was, I say, hiding behind the proverbial rock, someone came out and they put out another email and said, oh, we've changed bank accounts. You know where this is going. If change bank accounts, please change. This was a longtime vendor. The call was not made to the vendor to confirm. That all got done. And before you know it, money, 124,000, went out. Couple weeks later, the vendor is saying, boy, are we ever going to get paid? And we paid you. Well, we haven't changed our bank account. So that went through, now the payment was made. It was actually half through cyber, half through a crime policy, but that crime policy was specifically programmed to include that. A lot of people don't have crime policies either.

So if that particular business had not had crime and cyber to cover that electronic fraud, they would pay nothing. They were only out their $5,000 deductible. If they only had crime, there was an internal limit. They would've been out 55,000 or about $60,000 because they would've lacked the cyber. So the importance of not only, as you mentioned Jake, ransomware, but electronic fraud. Penalties if all of a sudden it's been found that it was because of you that people's personal identifiable information has been compromised. That there's been identity theft. That you have to pay for monitoring for all of your employees, for all of your customers for the coming year. How about if you lost income because of this, there's business interruption. There's a lot more than ransomware. Ransomware is certainly the most common that we've seen.

And I think I've seen both of you talk about the ransomware being, I think 35% or something of the cyber gate. But that leaves 65% of other stuff, including the consequences of fines and penalties. So cyber insurance, and by the way, one other thing that I want to bring up if it's okay. If I have a couple seconds to do this. In our virtual world, things have changed with cyber insurance. And it's really important because cyber insurance, not like homeowners insurance, they don't all look the same. Every cyber policy is different and it needs to be examined. In the virtual world, let's say I was an employee of yours. And because of COVID, I had to go work from home and I'm just going to stay, it's all worked well. I'm going to continue to work from home.

I'm working from my personal computer. Now, the bad guy comes in and accesses my personal computer to be able to get into the business. And we know can all happen there. Well, a cyber policy without a coverage called bring your own device. Used to be bring your own drink, but now it's bring your own device, right? If you don't have that, an insurance company could say, well Kip and Jake, that was Dan's purse that wasn't yours. That I know what happened, but it's his fault, you got to go after his cyber insurance. Well all that may not even exist. So it's really important to read the policies, to understand that this is not a one size fits all. And that in today's virtual workplace, which is forever changed, I believe due to the pandemic. BYOD bring your own device is extremely important to have on every single policy, because it includes your employees who might be working mobile from their mobile devices or virtually from home.

Jake: It's a really good point. And it's also an important point just to remember that insurance companies are for-profit businesses. And even if you have an adjuster or your agent, or your broker really wants to pay, if the contract, if you fall under an exclusion, they're not going to pay. They can't.

Dan Weedin: Correct.

Jake: Right? They can't do that and stay in business. So it's incumbent on the policy purchaser to really understand what it is that they're getting and not getting. And I think that's absolutely correct, and really important.

Dan Weedin: Jake and Kip, can I give one real quick, other thing, tip for your listeners on understanding besides BYOD do I have like a minute to do that?

Jake: You do.

Kip: Please.

Dan Weedin: Okay. So there's two things to really look at, and this is probably right up Jake's alley when I start talking about first party and third party. But you want to look at your insurance policy for both first and third party. First party is the bad stuff that happens to you. That's a technical term, the bad stuff that happens to your computers, to your hardware, to your software, to the loss of your own money, business interruption, to fines, to penalties, anything that harms you. You're the first party. The third party are other people that have been harmed because of it. If the loss of personal identifiable information, somebody else has had an identity theft. Medical records, you mentioned dentists and people that, those are of concern, but somebody else has been damaged because of you, that's third party. So it's really important when you look at a proposal or you look at an insurance policy for cyber that you have both first and third party covered to a place that makes sense for your business. I know that sounds complicated, and that's why you really want to have a good advisor when it comes to cyber insurance, because it's a different animal from the rest of your insurances.

Kip: And for those folks who could benefit from a quick story about first versus third party coverages, PF Chang's had a credit card data breach a few years ago. They had paid six figures for an insurance policy for this. And it turns out they only had first party coverage, because what happened was a bank had to reissue a whole bunch of the credit cards that were compromised. And the bank sent PF Chang's a bill for like a million bucks or a million and a half dollars to cover the cost of reissuing all the credit cards. And so Chang's paid that, submitted the invoice to their insurance carrier, who immediately denied it because they didn't have third party coverage. So, ouch.

Jake: It does hurt.

Kip: That's a hard way to learn the lesson that Dan just shared with us and PF Chang's they're not a small operator. And they made that mistake, right? So they're a sophisticated organization, sophisticated risk management practices, and they didn't even catch that. So I think what you've shared Dan is like super insightful and is going to help us avoid those kinds of mistakes. But you were talking a moment ago about BYOD and how the pandemic and the quarantines caused a lot of customers or caused a lot of companies to rely on BYOD as a business continuity strategy. And I think that makes a couple of points that I want to really emphasize. One is people made it up as they went along and I saw them do it. And it resulted in a lot of long term suboptimal situations. So no two factor authentication on the remote access system, which opened the door to all kinds of ransomware attack vectors.

Jake and I worked a ransomware case earlier this year where we didn't have the direct evidence, but it was strongly indicating that somebody had compromised a remote access server in order to deliver that ransomware. And when we certainly see that's the case elsewhere, and then things like, if I have people working in my facility and I've got network security devices deployed, well now they're BYOD. They're going to the internet straight through their home office router. They don't benefit from any of those sizeable investments that were made for people working on the local area network in the physical buildings.

And so now you got all these people out there on the internet, not protected. Anyway I think that really highlights a point that you made coming into the podcast today, which is if you don't have a business continuity plan and you make it up as you go along, you're going to make decisions that are designed to get you through the next five minutes, but they're going to be suboptimal for where you're going to end up in the long term. And so I just think that was a really great point that you made. And I really wanted to emphasize that. Are there any other lessons from the pandemic and the quarantines that we need to share with the audience?

Dan Weedin: Yes, and it really comes from the bigger picture of the business continuity plan. I mean, we obviously were talking a lot about cyber today, and we're talking about the effects of that. There are other perils and calamities out there that are part and who thought of a pandemic? I got to tell you, people say, oh, you probably brought that. Never, I never brought it up. Pandemic hadn't crossed my mind. So nothing's off the table. What the pandemic taught us is nothing's too crazy anymore. When you looked at the shutdown that happened across the globe in March of 2020, nothing's off the table.

Kip: I would even say the collapse- [crosstalk] The collapse of that condominium in Florida, while it's a-

Dan Weedin: Yes.

Kip: -that was a residential structure. Right? But we're going to learn an awful lot about what caused that. And some people are wondering, is global warming with respect to oceans rising.

Dan Weedin: Right.

Kip: Right. Is that what's going on?

Dan Weedin: Exactly. We're going to have 112 degree temperature day in Seattle in June, right?

Kip: Yeah. That's unprecedented.

Dan Weedin: But that in and of itself, I mean, think about there's businesses out there today. I was watching the news this morning, Dick's, which is a famous drive-in, shutting down today. They're not going to be open. There's businesses that have to shut down because of the extreme heat. There's going to be businesses that shut down because of snow. Every business has concerns about its continued operation. And I think we all know this logically, but if you don't have a plan in place in advance, everything that you've worked so hard to accomplish can be gone. And your plan does not have to... I hear people all the time about, well, we can't think of everything. No, you can't. However, you can think about the process. This is about a process. I don't have to list every single bad thing that can happen.

However, if we have a process that says, here's who's in charge, here's our crisis officer. Here's our crisis team. Here's phone numbers. Everything has a process. And if you could at least get the process written down, communicated, it doesn't matter what the peril is that happens. You are going to be so much farther on to be able to respond to and recover from. And, oh, by the way, you guys know this, the cheapest way to deal is to prevent something.

Kip: Oh yeah prevention.

Dan Weedin: A big proponent that if you put together a written plan, you are going to improve prevention as well, because you might through that planning, put something in place that prevents something from happening to begin with. So preventing, responding to, and recovering from, that's the biggest thing of putting a written business continuity plan into place.

Kip: And Dan you're reminding me of a quote that I know I've shared in the podcast in a previous episode, I'm going to share it again. Dwight D. Eisenhower, right? Supreme commander of allied forces in World War II. What did he say about plans? He said, plans are useless, but planning is indispensable.

Jake: So very true. It's a great quote. I think it's... It really is.

Kip: That's it. That's what it comes down to. Yeah. Okay. Cool. Well, Dan, thank you so much for being our guest today. I really appreciate everything that you shared. And as we wrap up the episode, would you tell everybody how to find you on the internet if they want to know more about you and your work?

Dan Weedin: Well, thank you. Yeah, the quickest and best way is through my website at danweedin.com, d-a-n w-e-e-d-i-n dot com. I have lots of free resources and information that anybody can use to help them with that. You can also reach me at dan@danweedin.com. I'm happy to talk to you about business continuity, planning, cyber insurance, all of that. And you can find me, I'm ubiquitous on social media, if you put in Dan Weedin.

Kip: You're on LinkedIn, right?

Dan Weedin: I am. And oh, by the, if I could say really quickly, I have three courses on LinkedIn learning. Now, LinkedIn learning owns that content. So it's not free unless you have the advanced premium set up for LinkedIn, but they're also available for like $25. I have three courses on business continuity, 21st century risk management planning, all of that. So if you are a member of LinkedIn, you can find those courses there.

Kip: Yeah. Oh, perfect. I'm so glad you mentioned that. That's a great way for people to just kind of ease into this topic if they've never done anything like this before. Well, guys that wraps up this episode of the Cyber Risk Management Podcast today, we talked about the need to protect the continuity of your business. That's an actual asset that you have, but that continuity is threatened like never before. And Dan Weedin helped us understand that and helped us know what we could do about it. Thanks for being here. And we'll see you next time.

Jake: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.