On May 20, CHIPS hosted a live webinar panel with a focus around the increasingly important topic of cybersecurity.
CHIPS’ President and Co-founder, Evan Leonard, sat on a panel alongside special guests Bruce Wilson, Partner of Agency Partners, Jason Schwent of Clark Hill Associates and Russell Safirstein of Red Point Cybersecurity. The purpose of the panel was to educate our local community on the importance of protecting your business from a cyber attack.
If you are interested in taking the next step in protecting your business, reach out to us at firstname.lastname@example.org.
Biographies of our Panelists
Evan Leonard: Evan J. Leonard is the President and Co-Founder of CHIPS Technology Group. For over 25 years, CHIPS has provided managed services with focuses on security, collaboration, and strategy. Evan is also President and Co-Founder of a startup, CrushBank Technology, which leverages artificial intelligence and machine learning to solve complex industry problems, where his team has created “The AI Platform for IT Support.” Evan is on the board of IT Solutions Inc., is a member of the President’s Council for Big Brothers Big Sisters, and is a member of the Executive Council for Cohen Children’s Medical Center. Evan has a BA from Hofstra University.
Bruce Wilson: After graduating from Susquehanna University in 1984, Bruce worked for Chubb for four years as a commercial lines underwriter before joining a family owned agency in 1988. He received agency training as an account manager and marketing specialist before taking responsibility for the integration of a major agency acquisition while building his own book of business. In 1991, Bruce joined Tribus/Wachovia Insurance in Wayne, NJ as the first P&C producer of an exclusive Employee Benefits agency. He was instrumental in the formation of the P&C department in addition to his own sales production responsibilities. Bruce’s expertise in Commercial Property & Casualty insurance and relationships with the leading providers and wholesalers provide an excellent resource for his clients. He earned his Certified Insurance Counselor (CIC) designation in 1995 and remains committed to the educational values that designation exemplifies.
Jason Schwent: Jason M. Schwent is experienced in data privacy, intellectual property and litigation making him a fierce advocate for his clients. His passion for protecting clients’ assets is evident whether negotiating a complicated enterprise software agreement with a Fortune 100 company or counseling a client following a data breach that exposed millions of users’ data.
Russell Safirstein: Mr. Safirstein is President and CEO of Redpoint Cybersecurity, LLC. Redpoint is a subsidiary of Anchin where he is also the Partner in Charge of Anchin Digital Risk Solutions. He is a senior executive and a progressive thinker with over 30 years of experience and has been successful in bringing non-traditional solutions to an ever-changing work environment. Russell has co-founded several organizations that specialize in AI & Machine Learning and holds several patents. Russell is a highly regarded and sought after speaker on cyber security, technology, audit and risk practices. Prior to his current roles, Mr. Safirstein was a Partner for a mid-size accounting firm leading their AI and Machine Learning initiatives, in addition to their cybersecurity and risk advisory practices and President of an AI based consultancy firm where he led the development of its AI platform. He held several Chief Audit Executive roles for several global organizations Mr. Safirstein started his career with KPMG in their Financial Institution practice after graduating from Adelphi University with a BBA in Accounting.
What’s the state of cybersecurity now?
Evan Leonard: There are people out there that are really good at it and they’ve gotten better at it over the years. There’s just more groups out there than there ever were before. They figure it out and it’s profitable for them. A lot of this is now getting paid through Bitcoin and other methods that become problematic when trying to track the money. In last few years it’s also they’re getting more sophisticated on how they are penetrating. Most people think they penetrate using some mythical technology to get through two networks when it’s really social engineering. Right there just finding the weak link, you know it just takes one person in a company. That person now becomes the weak link. They wait for weeks and months figuring out the technology. They are figuring out when to attack, what your weakest points are and how to elevate themselves through the network to be most destructive. That makes them really dangerous and really good and that’s just been our experience, especially over these past nine months that it’s getting more and more frightening out there.
How has Cybersecurity changed over the past three years?
Russell Safirstein: There’s a lot of myths that are out there, relating to cybersecurity so I would like to get rid of the first one here. A lot of companies still think they are too small to be compromised. Looking at the stats today versus what they were three years ago, most small businesses are being compromised today then ever before, probably 60-70% of businesses have had some sort of incident. People understanding that there are organizations are at risk today and they’re not too small, you know it could be, you know the Ford dealership in Missouri could be.
Jason Schwent: One thing that that many companies rely too much on tight on technology. As Evan said it technology is is an important part, you have to have the certain protections in place that technology provides, but this is not a problem that you can throw money at technology and consider yourself covered or protected.
Jason Schwent: The social engineering aspect of, and when we talk about that what we mean is, when individuals send an email to you and get you conversing with them or call you up on the phone.
Jason Schwent: and get you talking to them and get you to provide a password or login credentials that weakness is one that technology is not going to solve that’s always going to be your employees are going to be the weakest link there and that’s something converting you’re.
Jason Schwent: Addressing of cybersecurity from a siloed issue that’s my it departments thing to worry about because once they’re inside your organization, they can move wherever they want and trust me when you have one of these incidents it’s not just going to affect it, it will affect the entire business.
Bruce Wilson : and Joe i’m an insurance guy on the panel here and i’m a safety net, this is when everything that Evan does and everybody else does fails.
Bruce Wilson : A big thing is 15 years ago I think there’s a lot of it people out there who said what to say oh yeah you’re fine you got the fire protection firewall protection of all the technology stuff that is not my thing is their thing.
Bruce Wilson : But there’s always someone smarter out there in the insurances the safety net that it’s the risk transfer it’s taking the money out of your pocket.
Bruce Wilson : You know, having the insurance company pay for the wall, because it’s you know it’s an old cliché but it’s not a matter of if it’s going to happen it’s when it’s going to happen, how bad it’s going to be.
Russell Safirstein: I think you know boots it’s a good point about insurance and thinking about you know we sit on number of insurance panels.
Russell Safirstein: As again after someone has a breach, you know when they call the insurance company if they you know, obviously they’ll give us a ring.
Russell Safirstein: What happens in, that is, I think the insurance companies, look at it, like their risk and the risk transfer for them.
Russell Safirstein: Is the business interruption side of the House, paying i’ll say pay me or paying you know the legal counsel you know that’s a cost.
Russell Safirstein: But the business interruption is the biggest issue that i’m seeing on the insurance side of the House and you have to understand their their understanding of risk is that.
Russell Safirstein: that’s a much bigger number, and we want to understand if you’re going to be out of business for two weeks, three weeks because of a ransomware attack and just think about no access to emails no access to phone if your phone is over voice over IP any of those things you’ve customer databases.
Russell Safirstein: Those critical elements to making sure your business works, you know, day in and day out, and I think that’s not everyone thinks about that along those lines of like well what am I going to do you know how am I going to get this done, and you know many times they’re not prepared for that.
Evan Leonard: yeah so also what I’ve seen is that you know, years ago, there was thousands of dollars, that they were asking for now I haven’t seen anything less than 500,000.
Evan Leonard: Right, so that has changed i’m sure the whole insurance industry is going to change around this too, I think there’s so much to come and we’ve seen so much change already, but I think there is going to be.
Evan Leonard: Tremendous changes in the future as well.
Jason Schwent: I think the other sort of change is with the way that businesses handle their own operations there’s a lot more farming out.
Jason Schwent: different aspects of their business to vendors and other service providers.
Jason Schwent: those individuals who you give your information to, they have to be just as secure as your business, and so, while companies can be cognizant of and can take precautions with their own businesses.
Jason Schwent: It the extension of those protections to their vendors, to the people who do work for them.
Jason Schwent: it’s not always there and it’s always it’s not always possible to make sure that they you know, take the precautions that they need to be you know you can try to force them, but you know if they don’t do it.
Jason Schwent: That expands the universe of possible you know problems that you can have, and I think that has greatly expanded as well.
How can someone in an organization inadvertently let a cyber-attack happen? How does this happen in the modern world, why would you be giving technical information out to anybody on the phone, who was known to you?
Evan Leonard: Sometimes it’s known and the unknown right so i’ll give you one example, I am sure Jason and Russell can give you some great examples as well, so we had one case where my client’svendor was hacked.
Evan Leonard: And then they got into their email right so say Joe Smith, who you get emails from all the time, send you an email send you an attachment.
Evan Leonard: or send you like, I need certain credentials, there is an issue or something, and they do it, because that is actually Joe Smith .
Evan Leonard: So they send that information over and not knowing that it’s just about actor who’s watching.
Evan Leonard: Every transaction go across your company and they’re patient they’re waiting they’re smart and they know what they’re doing.
Evan Leonard: it’s not just always where you know I hear from my mom hey I got some call and they wanted me to give credentials and I hung up the phone on them.
Evan Leonard: I got you know, an email from Evan Leonard, but it was EvanLeonard@gmail and all these crazy things that are pretty easy to identify.
Evan Leonard: So that’s part of the problem here, a lot of times, it can be coming from someone that you actually know but they don’t know they’ve been compromised.
Russell Safirstein: I think any a lot of times what we’ve seen on the business email compromise on the House where they’re.
Russell Safirstein: Actually, inserting themselves in inside the conversation, so those reply all emails are going back and forth.
Russell Safirstein: they’re inserting themselves in the middle of those conversations, so it just appears you know, Joe to your point about how does this happen.
Russell Safirstein: It appears to be a normal part of the regular dialogue and conversation and and ever made a really good point earlier about.
Russell Safirstein: If they’ve been hanging around the network for a long period of time they probably have your network mapped out better than you do.
Russell Safirstein: And you know that that’s just reality and because of that, you know they know exactly what those weaknesses are so it’s not always.
Russell Safirstein: You know the compromised credentials probably happened some point in the past, and they got in but now they’re just evaluating they’re going through a process, you want to make sure.
Russell Safirstein: That when they’re asking for hey I need to change, you know some of my banking information again part of a normal threat of conversation.
Russell Safirstein: It’s normal internal controls pick up the phone make a phone call and call someone.
Russell Safirstein: You know we’re so used to just sending emails and specially now everyone working remotely where no one that you know you don’t have any one’s phone number you don’t have their you know their home or their cell phone number that’s you know that’s a different world today.
Jason Schwent: And I think that that that that remote operation also gives another avenue where you know I’ve seen with clients where.
Jason Schwent: You get a call from what’s purportedly your help desk and you may not know you know if you’re in a large enough organization your help desk or your help, support team. May not be someone who you know they may not be the individual who’s done the office.
Jason Schwent: And so they give you a call and say hey we were looking at your system we noticed some weird things can you I just need your login real quick, can you give that to me.
Jason Schwent: That sort of stuff can seem innocuous and they’ll do it in a way that it’s an emergency, it looks like we’re seeing somebody trying to hack in we need this right away.
Jason Schwent: there’s always are usually a time pressure element of this where they’re trying to get the person who they’re working with to make an action, very quickly, where they don’t have time.
Jason Schwent: To verify the identity of who they’re working with I also think it’s evident and Russell both touched on this that experience and the amount of time that they’re spending in your system.
Jason Schwent: These are individuals who do this for a business, this is not a one off individual in someone’s basement as it’s often characterized these are people, this is their business.
Jason Schwent: And, and they really they treat it like a business and you should to that you’re up against, and so they have very advanced technology they have very advanced education and skills and they apply those because it’s how they make their living.
What type of people participate in cyber-attacks?
Jason Schwent: it’s a lot of these actors are members of organized crime. And so, this is an element of that organized crime functionality, some of those are state sponsored.
Jason Schwent: Some of those are not organized crime, but they are state sponsored so they may be, China or Russia, they have wings of their operations, who are out there, doing this sort of thing.
Jason Schwent: And then there are those who do this because it is a very nice way to make a living there’s not much overhead in terms of deploying ransomware.
Jason Schwent: On a person’s computer and if you can crank that out to 1000 people and you get let’s say 10% of them pay you a million dollar payment you’re doing pretty good for the year and it’s not that difficult to do.
Evan Leonard: And also, you know these are a terrorist spurs to right, so these bad actors, you know Bruce may not be able to pay.
Evan Leonard: On some of this because it’s a terrorist group and our government will say sorry you can’t you know transfer money to them, because they were terrorist organization and then you will be in violation of our laws.
Evan Leonard: And that’s the other scary part of this, that you know just came up in this past year, that you know is very frightening because at that point, if you can’t pay the rent if that’s your you know break the glass let’s call Bruce you know you’re in trouble if you can pay that ransom.
Bruce Wilson : A lot of the insurance companies are playing catch up to what’s happening out there, you know policies just continue to evolve so.
Bruce Wilson : You know ransomware obviously is the hot thing, but a lot of things that Evan was talking about and Russell and Jason is social engineering social engineering is picked up computer fraud.
Bruce Wilson : Funds transfer fraud again they’re just terminology for other ways of an outsider to steal money from you, but again, those are all covered at different degrees, depending on what you buy you know and what you do for a living will dictate you know the limits that you have.
Evan Leonard: And Bruce didn’t accept just announced that they’re not going to pay for ransomware anymore.
Bruce Wilson : I think a lot of carriers are looking to either carve back and put some limits or even co-insurance on ransomware I have not heard that that they were doing that entirely but we’ve we’re starting to see that happen yeah definitely.
Bruce Wilson : really serves me is that you know it hits close to home when insurance companies are getting hacked you know back in March cna a $10 billion insurance company that right.
Bruce Wilson : Guy hacks and again you guys might have a little more insight as to what it costs them, but you know they were really just tripled four weeks.
Bruce Wilson : And whether they were ransoms paid and or not any i’ve heard lots of different stories there, but again area represent have high regard, and.
Russell Safirstein: Anyone who’s at risk, no matter how large or small, that that’s you know we kind of learned that you know, a day in and day out, and I think you know.
Russell Safirstein: You start thinking about you know accident again that I think a common Evan was too.
Russell Safirstein: I think their European on was not going to pay the ransom for right now but i’m sure that you know that’s going to continue out, you know even further.
Russell Safirstein: You know, one of the one of the panels I sit on what the conversation has been on the insurance side and Bruce you’ve probably seen this not only have.
Russell Safirstein: The insurance premium shot up to the roof relating to cyber insurance.
Russell Safirstein: But there’s been a couple of non starter, so if you don’t have multi factor authentication turned on you haven’t had a pen test in the last 12 months number of factors that are basically saying we won’t even right you if you don’t have these at least most basic protections in place.
Evan Leonard: yeah that always amazes me too when you know we go up against our competition and we say look, you know we are a Soc 2 type 2.
Evan Leonard: You know, but audits and we get our pen test every year and we have you know multifactor and.
Evan Leonard: I know some of my competitors don’t do that, and I think that’s enough just about like my company my industry, but I think it’s just that’s the kind of mentality everyone’s going to need to have when vetting out who you’re doing business with.
Evan Leonard: right because that’s going to be very important, and that does have a trickle down or you know you connect the dots that way that’s how they’re connecting all the dots.
Russell Safirstein: Okay, that a lot of way that’s in my mind that’s going to help you kind of rise to the top of the heap.
Russell Safirstein: Again, compared to some of the competitors, we saw a lot of MSP last year, you know, in the springtime being compromised, because ultimately I get into one I get into 100 companies right.
Russell Safirstein: But you know organizations like yours, that are maybe doing a better job than some of the ones down the block, you know you know, maybe you’re a safe haven and some other organizations that are out there.
Jason Schwent: And yeah and I think that that need to address those basic.
Jason Schwent: Basic good practices when it comes to cyber security, I mean it there’s far too many cases where i’m involved with where the clients have not taken.
Jason Schwent: Even what would be considered the most basic of cyber security protections and protocols, they haven’t put them in place.
Jason Schwent: And I do think that insurance is going to find it harder and harder to pay for those particular act for those particular insurance.
Jason Schwent: If they haven’t taken any steps themselves to protect themselves, and I know for a lot of those businesses, you know we talked about the fact that small businesses are a major target.
Jason Schwent: For these ransomware on these other cyber.
Jason Schwent: Security events and one of the reasons they are is because, as a small business you don’t have a lot of money or time to invest in these things and, unfortunately, you may see yourself as not a target.
Jason Schwent: That needs to change, because I think, even if you’re only doing business to business with other companies.
Jason Schwent: You are a vendor who’s going to be handling information that belongs to someone else you’re going to have liability that comes with that.
Jason Schwent: And you need to take protections yourself to protect your environment, and if you don’t at some point, I think, in the future you’re going to find yourself without insurance coverage.
Evan Leonard: yeah in an event like to put together a whole questionnaire just for our vendors to fill out, you know see who were doing business with and everything else, and it, it does get time consuming costly but it’s yours and other people’s businesses and livelihoods.
Jason Schwent: yeah The alternative is terrible I know what’s the statistic that for small businesses who get hit with a cyber security event.
Jason Schwent: 60% of them go bankrupt within six months of that event so it’s the cost, yes, there is a cost involved in it requires spending money, but the alternative is potentially the end of your business.
What are the basic requirements that a small to mid-sized company needs to have in place and what they need to do now?
Russell Safirstein: And I think Joe you know it means that you know cybersecurity journey, you know everyone’s on a different level but uh you know Jason said earlier it’s kind of those essential things you have to do, I would probably say essentially. And in that, essentially, it was again multifactor backups I think you’d expect to see patching etc.
Russell Safirstein: But you have to have those basics, the foundational aspects and it’s not just about having the tools, because we can have one it’s.
Russell Safirstein: at once tools rich, but they know that we’ve seen so many times, where they haven’t set them set them up properly where they haven’t implemented them right.
Russell Safirstein: And those things are critical to making sure that you, you know are protecting yourself from that environment again.
Russell Safirstein: No one’s going to be immune from us, you know just like capital one and these massive companies who had plenty of.
Russell Safirstein: You know it resources, you know they got compromised as well, it just.
Russell Safirstein: let’s kind of move down the block it’s always like that you know adt sign on the front lawn you know I know the big dog let’s move to the House next door same kind of concept here is just.
Russell Safirstein: let’s have those essential things that are put in place, so we can you know help at least protect ourselves from you know the easy pickings.
Evan Leonard: yeah you really need training and procedures right most companies do not have security procedures in place.
Evan Leonard: They do not have disaster recovery business continuity plans in place and the other thing is training right when you hire a new employee they go through a certain training process training on your applications training on your business sexual harassment training right now it’s mandatory.
Evan Leonard: This has to be security awareness has to be mandatory, training and it has to be yearly training or continuous training really.
Evan Leonard: But that is so essential and I, you know it’s hard for to convince you know, businesses, sometimes to do it, but.
Evan Leonard: that’s one a lot, because that is always your weakest link and into everyone’s point here, you know we try to you know you put in a great firewall you put in some great technologies to help prevent or, if you do get hit.
Evan Leonard: You have a fighting chance and backups and everything else, like we’ve had to rethink everything 10 times over just in the last 12 months GEO fencing.
Evan Leonard: and doing all this other stuff to try and protect from it, but every security breach has been through social engineering so training is a huge key to this.
Jason Schwent: yeah I mean, I think that the two big that that I push with clients are one that they need to have an incident response plan.
Jason Schwent: And that plan should not be iits incident response plan, it needs to be an incident response plan across the organization, because when an event happens it’s going to affect all of the organization, not just it.
Jason Schwent: And so you that plan What it does is it speeds your response so even if you’ve got all these other things in place like we said these big players.
Jason Schwent: When they get hit, they will get hit, and so, but it’s the the speed with which you can respond.
Jason Schwent: lowers the damages that are out there, it decreases the amount of impact it has on your business.
Jason Schwent: And ultimately, it leads to lower costs, which I know some insurance companies will you know they they’ve seen decreases in costs that are fairly significant just with having.
Jason Schwent: an incident response plan that everybody is as Evan said trained on it, you have to be trained on that response plan and how to how to use it, which is the second thing that that I like to see.
Jason Schwent: Is tabletop exercises where you get the organization to sit down at a table top and you bring in an attorney like like myself who deals with these breaches all the time or someone like Russell or heaven.
Jason Schwent: On the technical side who sees what these breaches can do to an organization and can sit down with it operations sales marketing.
Jason Schwent: And somebody from the C suite you know somebody up and run through an incident and you take your incident response plan and you test it.
Jason Schwent: With a with an imaginary scenario, you will see vulnerabilities very, very quickly, it always happens, you will see communication breakdowns, you will see spots where wow we didn’t even think of that what what do we do now.
Jason Schwent: You want to test those things in a in a forehand not during an incident where you’re paralyzed because you don’t know what to do.
Bruce Wilson : it’s like a drill.
Bruce Wilson : Yes, or having in disaster recovery plan it’s it’s you know you got to think through your supply chains and everything so it’s really just you know cyber becomes another peril like a fire.
Bruce Wilson : or vandalism or that something a windstorm that takes your business down it just ends up being a different paradigm, which is cyber.
From an insurance perspective, how would you assess a business? How do you address the insurance questions and what kinds of costs should business owners think are necessary to make this to be viable to the insured?
Bruce Wilson : The insurance companies are catching up to a lot of what’s going on out there.
Bruce Wilson : A lot of them are, in theory, ensuring buildings that are already on fire, they don’t know it.
Bruce Wilson : The way policies are written now, it provides prior X coverage, so you can write coverage by coverage for the first time, there could have already be somebody in your system that you don’t know about, but they’re going to pick that up as well.
Bruce Wilson : Couple years ago, people weren’t buying insurance, because the application at were 16 pages long, and the client who I was trying to talk to.
Bruce Wilson : had no idea, most of these questions so they’re handing them to people I, given the complete and it just ends up dying on somebody’s desk and it.
Bruce Wilson : It just doesn’t happen, they streamline that were now there’s so much information out there on a business.
Bruce Wilson : They can pull information down they know a lot more about you than they used to, and they can quote, and I can basically get a quote with sales and address number of employees that’s about it.
Bruce Wilson : And that’s and we can get a quotes in 24 hours for somebody so the process of getting quotes should not be a hindrance anymore.
Bruce Wilson : But all the things that you mentioned are things that again talking with Evan or, again, people who are out there, helping with the training the procedures in place definitely makes you a better risk.
Bruce Wilson : and makes for better pricing.
Evan Leonard: You know those questionnaires really weak in our clients, a lot of times because they asked us to fill it out right three get sent that questionnaire was all the time, it can be about insurance reasons or we have a client, that is.
Evan Leonard: Trying to do work with bj and bj sent them over a stack of papers and said, are you doing the following.
Evan Leonard: And I said, you know how quickly do they want you to do business because we got a lot of work to do here, you know so there’s there’s a lot of that that goes on hmm.
Evan Leonard: And I suspect that that’s going to be more of the norm from either the people you’re trying to do business with already doing business with or the insurance carrier, who is you know going to renew you next year and now it’s a lot more complicated you can’t just take the old.
Evan Leonard: You know questionnaire for last year and just copy and paste it into this year’s because that’s not gonna fly anymore.
What does it cost and at what point do I need to get an incident response team involved?
Evan Leonard: yeah well first Jason Russell are much more expensive than I am so if you have to get to those guys are in a lot of trouble now.
Evan Leonard: You obviously need a multi-pronged approach right so someone said it earlier obviously you need to make sure your insurance policies are where they need to be.
Evan Leonard: someone like Jason in there to make sure you know you have the right policies and procedures and those type of things you know russell’s got just.
Evan Leonard: incredible amount of experience, especially what he deals with on a day to day basis is there’s really just not a number you put on it obviously has to do with size of company.
Evan Leonard: But there are things that you need to do like traditional AV is not you know sufficient anymore right, you need Next-gen AV.
Evan Leonard: Something I can see things that this doesn’t look right I haven’t seen this before there’s been no update for this, but it’s got some Ai built into it.
Evan Leonard: You need stuff that is really going to help you in case there are incidents right there’s the training aspect of it, there is so much to it.
Evan Leonard: That it’s hard to put $1 on and maybe Russell or Jason has some type of a better way of thinking about that, but there’s also the compliance he have a lot of this, so it also depends, are you someone that you know, has compliance issues or not.
Evan Leonard: So for me, you know I go through sock audits every year, you know it’s probably around 11,000, or so I go through penetration tests every year that’s probably another 15,000.
Evan Leonard: You know, have all these other technologies, you know we do subscribe to training, you know, I have another company that does third party training for all my employees those type of things so.
Evan Leonard: You know it, it does add up, and it does become a cost of doing business, but if you don’t do those things a there’s protection and be no one’s going to want to do business with you.
Evan Leonard: So I know Jason & Russell i’ll have a little bit more of a number anything else, or if i’m missing something but that’s kind of like one on one type stuff.
Russell Safirstein: And I think you know if you use, you know I haven’t I said earlier about you know, maybe using it as a differentiator of your business mate what makes you better than the next person that’s doing what you’re doing.
Russell Safirstein: But you know you’re 100% right and that initial assessment is critical, I you know one thing we came out with wasn’t essentially checkup Ray was you know five grand just.
Russell Safirstein: What are you doing and putting the roadmap employees to kind of move that move move that process forward, you know because I think ultimately.
Russell Safirstein: We have to kind of get to the point of like make it practical I said earlier, having practical experience and practical knowledge.
Russell Safirstein: and Joe to your point about what you’re going to course it depends right, you know depends on the size your organization, the complexity, you know as Evan said if you’re in a highly regulated industry.
Russell Safirstein: You, of course, without much greater out, you know it could be hipper it could be pci compliance could be any of those things, but for.
Russell Safirstein: The more traditional businesses that to me like you said, I mean kind of laid out, you know hey listen we.
Russell Safirstein: If we are handling customer data, I have to have a sock review, you know that’s going to be a certain assessment.
Russell Safirstein: You know that the penetration tests hundred percent need that to be done, that that’s like step one in the process.
Russell Safirstein: And you got to be able to stop we know we mentioned is very early on.
Russell Safirstein: they’ve been hanging around new network for a long period of time, if you look at the miter attack framework i’m not going to go into details, but.
Russell Safirstein: column three is persistence right someone’s been hanging around a network for a period of time, we have to break that persistence that foothold on your network.
Russell Safirstein: And that’s where we got to go hunting and hunting for persistence, is a big part of kind of what one of the things that we do for organizations, I think that that’s those are steps you have to take.
Russell Safirstein: it’s an ongoing effort, though it’s not some sort of one and done.
Jason Schwent: And then it’s not the it’s not a finish line yeah. It’s something where it’s also, I think, and Russell made some excellent points there, I mean, I think it is something that the assessment.
Jason Schwent: The assessment is so critical because you need to understand what information you possess with with many organizations, once you get past a certain size.
Jason Schwent: You are going to have departments, who are.
Jason Schwent: Collecting information that is going to be a potential liability they’re dealing with vendors, who are going to be a potential liability and you may not have first hand knowledge of all of that.
Jason Schwent: and your IT department, who is probably going to be largely responsible for handling this sort of compliance area they’re not going to have the grasp.
Jason Schwent: Of what’s going on an operations or marketing or other areas where they’re sharing the information that assessment, I think, is probably the most critical part to understanding what you have.
Jason Schwent: On another unrelated issue that what we’re dealing with today it’s also incredibly important for data privacy.
Jason Schwent: reasons there are so many laws California Virginia and others who are being put out there, where you have to monitor.
Jason Schwent: The information that you’re collecting in your organization that assessment is critical to that too, so if.
Jason Schwent: You are going to be able to go out and get contracts with companies for businesses and for you to do your work.
Jason Schwent: you’re going to have to be cybersecurity compliant which is going to take these steps and you’re going to have to do that assessment for that.
Jason Schwent: you’re also going to have to be data or data privacy compliant with all of these different statutes and so it’s be fast becoming a requirement that all of this stuff be done, regardless of the cost.
Evan Leonard: And also something like a Soc 2 Type 2 made us a better company, so you don’t realize it’s not just a technology questionnaire it’s not technology is certainly part of it.
Evan Leonard: But there’s so much HR there’s so much policy around it, you know your corporate handbook it’s about do you have a sign corporate handbook from every employee there’s so much to it.
Evan Leonard: And if you do go through some of these I guarantee you’ll become a better company coming out of it, the first one will be extremely painful from a time.
Evan Leonard: You know restraint, but you go through that stuff and it’s it’s actually pretty eye opening and it identifies a lot of just holes in your company and then.
Evan Leonard: You come out of it really much stronger your IT’s team building there’s a lot of positive stuff that can come out of some of these things.
What type of companies are at risk of being attacked?
Jason Schwent: Some of my largest number of clients in terms of the frequency with which I see these types of clients or CPA firms and small medical practices, I see them quite often, and to say that they’re a small CPA firm or and the other one is small insurance firms.
Jason Schwent: That they get hit and those organizations have a great deal of information that they hold it’s very valuable information so they are juicy targets.
Jason Schwent: And because they are small, sometimes mom and pop organizations 123 employees, they don’t have robust cyber security protections and the damages and the impact can be catastrophic for those organizations, if something goes wrong.
Jason Schwent: there’s plenty of mid-sized manufacturing sales other organizations out there, but I get a ton of just mom and pop organizations who have hundreds of clients and customers that they work with.
Jason Schwent: And when they get hit, it is a catastrophic event i’ve seen them completely wiped out from one of these events.
Russell Safirstein: hey Jason i’ll just throw it throw on to that and again your law firm just you know add to add to that.
Russell Safirstein: i’m actually a partner and answering as well, so right, so I totally get the you know the accounting side of it.
Russell Safirstein: Yes, yeah we we we did a an engagement actually just happened last year just around the filing deadlines around around 915 again.
Russell Safirstein: Critical you know small you know 10 person CPA firm to the smallest firm compromised and it was going to say was like it was just around the end of August and they literally couldn’t do filings for their for their clients at all.
Russell Safirstein: They literally shut down for very time and.
Russell Safirstein: You know my comments to them, you know after we you know came up with a plan of you know, helping them out, obviously.
Russell Safirstein: But it’s the you know friend phil to pay me now or pay me later, you know a little bit of effort up front.
Russell Safirstein: could have limited, you know there’s damage that you that you have to take care of here, you know, and I think that’s you know a lot of the idea, you talked about it, you know, during our conversation.
Russell Safirstein: Is if you can have an opportunity where you can pay a little bit up front now to kind of get your.
Russell Safirstein: get your house in order and Evan brings up a great point about doing a sock exam you know going through that process, you know.
Russell Safirstein: Getting yourself better off than you were before and is critical and going through the testing as well you know I jokingly tell a funny story we I was chief order for a bank on loan Alan.
Russell Safirstein: A long time ago, we did obsessive every tests and Saturday night were you know before computers, we had a binders works we’re in the main office we go to shut the power down.
Russell Safirstein: We didn’t bring a flashlight you couldn’t read thRussell Safirstein: story, you know 20 people laughing in a room, but like literally you know you have to go through, and actually test, you know test your system to go through that process, so it is, it is really important to go to understand kind of where your weaknesses are.
Bruce Wilson : yeah it’s been saying other industry that is a real target and like they haven’t had a tough enough year already is the restaurant business.
Bruce Wilson : You know the lot of them think that they’re the data that they use it with their processors protects them, but again, a lot of them have indemnification agreements where it really falls back on the business owner.
Bruce Wilson : And again when the margins are so tight, you know why don’t we just say I can’t afford it.
Bruce Wilson : And it’s just not that expensive.
Bruce Wilson : Really, I mean that’s the that’s the misnomer with everything all the doom and gloom we’re talking about there’s still policies and products out there that are very, very good and very, very.
Jason Schwent: Well, and I think one of the main the the types of businesses that we were just talking about who we see this frequently with these really small businesses.
Jason Schwent: The impact of an event like this the reputational harm that they suffer in an event like this if you’re a CPA firm and you’ve had.
Jason Schwent: Your tax returns for all of your customers taken and false returns filed.
Jason Schwent: Your customers are going to think hard and long about whether they’re going to go back to you next year.
Jason Schwent: And you’re going to lose business because of that, if you’re a restaurant where credit cards, have been stolen customers are going to not go there and win the competition is already so tough.
Jason Schwent: that’s a big factor when you feel like i’m not my Informations not going to be safe at that doctor’s office or that CPA firm suddenly that’s where the lasting effect.
Jason Schwent: of an incident like this there’s not just the initial cost in the initial damages and the initial compliance obligations, you have then there’s that lasting tale of people associate you with a bad event where they had their identity stolen.
Jason Schwent: And they’re not going to go back to you after that.
Evan Leonard: yeah and i’ll tell you who else is getting really smart or their private equity firms right like they’re coming in and they’re buying companies and one of the.
Evan Leonard: Things they evaluate is there, it their cyber their security plans, and you know they’ll they’re going to spend a lot of money on that because that really affects their portfolio.
Evan Leonard: So that is something if you’re considering going to private equity if you’re considering you know something of you know acquiring a company being acquired.
Evan Leonard: You got a lot of work, a lot of things to think about there, because that is you know, last year, even just last year, private equity firms like and we’ll deal with that later or something else, so now it is like, for you know it’s like Eva then cyber attacks.
What makes a small to medium size company vulnerable to an attack?
Jason Schwent: You’ve got HR where you’re collecting their social security numbers their payroll information their direct deposit information your employees that didn’t know that’s all subject.
Russell Safirstein: it’s even like school districts, think of you know everyone says Oh, you know what will you think of you know, a child who’s information is there.
Russell Safirstein: they’re not valuable today but they’re valuable in years from now, right, you know and and that’s.
Russell Safirstein: You know, again, think about this and you know, especially you know we talked about you know ransomware gangs and things of that nature.
Russell Safirstein: You know, there are business, there are a fortune 100 business, they have a long term thought process around it’s not just i’m going to make a quick buck today.
Russell Safirstein: Quick buck, you know hundred million dollars, but but, but like you know, make it really kind of focused on what’s the long term game here.
Bruce Wilson : I think, with the smaller businesses to where maybe they don’t have the IT background or backup with someone like Evans company.
Bruce Wilson : or don’t have the insurance they’re thinking hey I can have a hack i’m going to fix it myself.
Bruce Wilson : And I think this happens often and it’s kind of like trying to put a little you know fire out and suddenly the thing you know you know takes over the whole building and now you’re calling Russell and Jason and save it can you fix this.
Bruce Wilson : there’s fines and penalties involved there’s a regulatory as to that you are, you are legally responsible for protecting the data that you have so there’s I mean that’s a piece of this that will turn into a moneymaker at some point, you know for.
Bruce Wilson : You know state governments as well.
Jason Schwent: it’s well it’s already happening with in my dfs in white dfs is has already come out of the gates super aggressive with their finding of organizations, so in my dfs for those who aren’t familiar.
Jason Schwent: New York department of financial services, if you have to register with New York as a financial institution, so that would be insurance agencies securities traders banks that sort of thing if you have an incident, you have to report it to ny dfs within 72 hours.
Jason Schwent: Of suspecting that you have an incident, not knowing that you have an incident not you know verifying that you have an incident within suspecting that you have an incident.
Jason Schwent: And they have taken the fact that you have not reported that to investigate all of your operations to go through all of your it to go through all of your compliance steps.
Jason Schwent: Those investigations can be super invasive and their fines have been in seven digits and with their fines that they’re imposing they are including clauses that say you cannot use insurance coverage to pay the fine.
Jason Schwent: So the compliance aspect of that is catching up now, and they are jumping in there jumping in big California, is going to be right there very soon as well, in terms of their fines that they’ll be loving but New York has come out of the gate and they are signaling to be very aggressive.
Bruce Wilson : In this, and every state has a different notification law, though, you can, if you’re doing business and multi states to which is you know, some are.
Bruce Wilson : Much more real as far as notification might be 22 hours or something versus, you know as far as we.
Jason Schwent: Can to get the key there is not where you’re located it’s where the individual whose information you’re collecting is located.
Jason Schwent: So you could have offices in New York Philadelphia and Dallas but, if your customers are in Montana and Illinois.
Jason Schwent: And Alabama you have to comply with all of their laws, when you provide notice so it’s it gets really complicated very quickly.
Russell Safirstein: They’re finding United States based companies.
In your experience, what’s being done to prevent cyber attackers? What do you predict a future trend will be in cyber security?
Evan Leonard: Our governments state and local federal are going to have to get more involved.
Evan Leonard: Because there’s this probably so let’s they are going to be able to do so, part of its going to come through regulations to some of it’s going to be that they have to.
Evan Leonard: You know heighten up and better protect us and be able to you know counteract and I hate to sound like it’s a bit of a war out there, but.
Evan Leonard: You know if we were you know if someone was sending missiles over here we’d have a certain Defense system we react in a certain way.
Evan Leonard: It’ll be interesting to see what happens with this pipeline, because you know this was an embarrassment to our government it’s an embarrassment to the industry.
Evan Leonard: And you know we can’t just sit here idly and say well it’s Okay, they just paid the fine and people were filling up you know, on the news we’re watching people take.
Evan Leonard: You know milk cartons and things and filling it up, which is another whole thing of I don’t know what they’re going to do with it eventually but it’s really demoralizing right so.
Evan Leonard: We need government response and like I said I know Russell’s got some more experience in you know what that looks like and what’s being done behind the scenes, a bit you know, for us, but it’s coming down with.
Russell Safirstein: You know that our government, has a lot of code deployment, in the space.
Russell Safirstein: But it’s still at the same point, you know we’re not 100% there yet right, you know I know personally bought into signed an executive order relating to cyber security just recently was a week or two ago.
Russell Safirstein: But it’s getting money into the system to to continue to kind of move this forward and there’s a number of.
Russell Safirstein: fairly large contracts that are out there, right now, department Homeland Security and some other ones FBI etc, and I kind of moved in this moving the ball forward to kind of help protect listen our our.
Russell Safirstein: You know our four walls right our our our country and we’re not there yet, Joe and I think that that’s.
Russell Safirstein: You know, we can have the you know again the phone deployments are great and they kind of behind the scenes, you know, so we don’t see the big fire we don’t see the you know the missile going over, but they are occurring it and they’re out there.
Russell Safirstein: I know, specifically on on the colonial pipeline.
Russell Safirstein: Internet you know, there was an immediate response relating to that.
Russell Safirstein: That you know it’s probably a little more classified and I can share on this call, but just ultimately is definitely felt, you know, again, one of those foley deployments of the earth.
Jason Schwent: The reality is that this is most likely going to be what warfare is going to be a component of warfare in the future, I mean the colonial pipeline attack was.
Jason Schwent: And could be considered part of you know, coordinated attack, where you take out the fuel for the eastern seaboard you.
Jason Schwent: Have a couple more of those to take out the power grid in Texas, you know, are a couple other things and as part of.
Jason Schwent: You know what disorganization campaign, and so the militaries are investing heavily in this sort of area.
Jason Schwent: As Russell alluded to, and we’ve got capabilities, there you know, in the United States as well, but I think one thing that has been identified.
Jason Schwent: Is that there is a lack of training and a lack of educated individuals who can participate in this that the US isn’t a bit of a deficiency there when it comes to some of the other countries who are.
Jason Schwent: Putting forth large forces of individuals who can conduct these types of attacks.
Jason Schwent: The US is has not quite caught up to that and I think that’s an area where I think there could be.
Jason Schwent: And that’s more of a ground level and it’s going to take time that’s not an instant sort of you know reversal, but I also think that some of the funding that russell’s talking about the know for programs to educate individuals in that area
Russell Safirstein: there’s negative employment right now and cyber right we all, we all can understand that right now and they’re definitely to need to kind of move that move that process forward.
Russell Safirstein: One of my sons, who was in college and university of Maryland you know studying cyber.
Russell Safirstein: And it’s interesting when you know we talked to him and his his classmates and just about what what’s coming next and and.
Russell Safirstein: There are certain schools Maryland’s one of them that teach cyber in a much different way than other others.
Russell Safirstein: You know colleges do we’re going to need a lot more of that you know kind of don’t fold it much more.
Russell Safirstein: What we kind of, say, proactive, you know we called hunting the hunter that that’s right point thing, but ultimately like, how do we be much more proactive to joe’s point is.
Russell Safirstein: You have to go with that break break persistence, you have to be you know I hate to tell you say take this the sniper approach, but we have to be very targeted and what we’re doing.
Russell Safirstein: Good make sure that did these bad actors on you know again close to home or not, in our networks are not here.
Russell Safirstein: Let me go next door.
Joe Dowd: And I know that West point actually has been at this for several years, they have a cyber Defense program there for many police officers, I know that that’s going on.
Russell Safirstein: Absolutely as Joe I you know I think you know about 80% of my team came from military and military background I just hard my last one I just started an air force guy so I covered all the.
Russell Safirstein: But you know their training and they’re at you know what they get on in the military side far beyond what.
Russell Safirstein: You know, traditional you know commercial you know training is and that’s one of the reasons why we, you know we look in that space, because it is.
Russell Safirstein: It is so critical to success in the cyber world to get that type of training and you’re enjoying each one of those institutions has to do a better job you know.
Evan Leonard: got that one last thing here, and that is the cryptocurrency you know. Cryptocurrency always you know going up on the news, or you know and that’s just the dark side of what we have to look at every day, which makes us so much more difficult.
Evan Leonard: And I think that is you know, when I look at you know crypto and even want to invest it just you know you’re living this on a daily basis, it just makes the.
Evan Leonard: The warfare that much more difficult so going into banks, you know, try to talk show, and I was all these other things they probably do with money in cash and sequencing and stuff is just out the window now.
Evan Leonard: we’re behind the eight ball, a little bit and that’s you know part of what you know we have to deal with in the new world sure.
What message would you give to business owners on Long Island relating to cyber security?
Jason Schwent: Cyber threats are not solely a technical issue, your organization as a whole has to face this problem.
Jason Schwent: legal resources here are critical, this is a huge compliance space and, just as in any other compliance space, you need to consider the legal ramifications so having an attorney involved in that process.
Jason Schwent: is very critical and when you do so, having an attorney who knows what they’re doing and it’s familiar with the space.
Russell Safirstein: I think you know it can be thought about it being practical and making sure that you understand you are risk is to me just kind of step one you know kind of admitting that your risk is the first step.
Russell Safirstein: going through that that journey of cybersecurity journey is making sure you have essential things that need to be done within your organization or being done.
Russell Safirstein: You know, we mentioned, you know early on, about war gaming going through that process testing your network, whether it be on the technical side and all the policy and procedure side.
Russell Safirstein: Those are critical elements to this process and I think that is where organizations will be better off and Evans hit it hit home, a number of times about training.
Russell Safirstein: Making sure your employees know what and what not to click is also you know critically important to that so.
Russell Safirstein: Each one of these things are all kind of the building blocks, do you know kind of what I call practical cyber is making sure we have essential items, but also, you know, we have our bases covered.
Bruce Wilson : You know my third in the business, I was started by insurance a certain insurance company and their orientation book was titled about the history of the company, but it was called if there were no losses.
Bruce Wilson : And it just kind of thought provoking but if there were no losses there’d be no need for insurance, but insurance death and taxes, there will always you know there’s three things you can’t control and.
Bruce Wilson : Cyber is probably the only thing that keeps me up at night because there’s so there’s always so much you can do to protect yourself.
Bruce Wilson : With employment practices liability, you can control what comes out of your mouth, you can control and through training, what employee may say or or what appropriate behavior is.
Bruce Wilson : And there’s a finite number of people out there that can hurt you or hurt your company, I think, with cyber it’s.
Bruce Wilson : it’s almost infinite and, more importantly, uncontrollable all these guys are much smarter than me when it comes to.
Bruce Wilson : The Defense part of this, and again my role is trying to educate the client that the insurance is the safety net when everything else goes wrong, but it’s I just think it’s an essential investment in your insurance portfolio.
Evan Leonard: yeah the Russell mentioned that before and i’m going to say it again, training, training, training, you got to start there.
Evan Leonard: And also, if you have an incident, you need to reach out right away because time is critical and then, when the time is ticking it’s really important that you put a response together.
Evan Leonard: As Jason said you got to get your legal team together, because there is client attorney privileged information there.
Evan Leonard: And there needs to be a response, and you know don’t be afraid to reach out to someone in like if you have an IT person or you know what they would say the it guy and i’ll say it as a company.
Evan Leonard: it’s just not enough, you have to engage with outside resources, you have to have you wouldn’t do your own taxes you’re not doing your own payroll anymore.
Evan Leonard: You can’t do your own IT you can’t do your own security you get your team involved they know this stuff and you know that was where I would start.