Exploring the world of new and emerging cyber risks

Past event date: October 22, 2024. Available on-demand. 30 minutes.

This month we focus on new and emerging cyber risks. Ransomware continues to evolve and how bad actors are using it is changing. We will also look at policy coverage for personal cyber risks, as well as work-from-home cyber issues in a hybrid environment.

Transcription

*Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.

Patti Harman (00:08):
Good afternoon and welcome to our Transformation Forum, exploring the world of new and emerging cyber risks. I'm Patti Harman, editor-in-chief of Digital Insurance, and I'll be your host today. A recent report from Allianz Commercial found that the frequency of large cyber claims is up 14% for the first six months of 2024, while severity had increased by 17%. Data breaches are the top cyber exposure that companies fear the most. And there were several high-profile cyber attacks, if you remember the MGM, T-Mobile and Change Healthcare ones, and all of these attacks resulted in the theft of records involving millions of people, and they highlighted the vulnerabilities associated with protecting customer data. Cyber coverage is changing, especially with new and emerging risks, and one area where this is particularly true involves personal cyber risks as more of us are working from home or in a hybrid environment. Joining me today to discuss how risks are evolving and more is Michelle Drolet, the CEO of Towerwall. Thank you so much for joining us today, Michelle.

Michelle Drolet (01:26):
So happy to be here. Thank you, Patti.

Patti Harman (01:29):
So we have a lot to cover in the next half hour or so, but I wanted to know, is the number of attacks still going up year over year, or are you seeing it kind of leveling off a little bit?

Michelle Drolet (01:43):
Not at all. I like your statistic, that 14% increase year over year. I have 15% from a different study. It's crazy. The bad actors are getting better. 70% of SMBs will be attacked, and the statistics say that it's going to be a $10.5 trillion industry, I'd say by 2025, which is just next year.

Patti Harman (02:17):
Right? Yeah. What are the types of claims involving threat actors? Are they changing or are you still seeing primarily ransomware attacks at this point?

Michelle Drolet (02:28):
It is everything. So ransomware, but what we're seeing, so we recently had a, they weren't a customer until they had an issue, but they had a man-in-the-middle attack, which meant that their CFO's account was taken over and the QuickBooks account, and all their customers got sent an email that basically said, here's my new ACH number. Thank goodness that the clients and the customers were smart enough to say, well, this doesn't quite smell right. So they reached back out, so they didn't lose any money. The phishing attacks, you click on something, all they want to do is get inside. So they get inside and they go and they try to find out. They'll stay in an organization for up to 280-plus days before they actually do anything. How does the CEO communicate with the CFO? How does the CFO communicate with his accounting team? How do we exfiltrate the dollars? It's crazy. So denial of service, all of them. It's not just ransomware.

Patti Harman (03:39):
And that kind of leads into my next question, which is are there new risks that businesses should be watching and trying to mitigate at this point in time?

Michelle Drolet (03:48):
Are there new risks? I think the risks, I don't know if I would call them new risks. I think that the risks that have been there are still there. So not patching, no user awareness, so the employees don't know that they're part of your cybersecurity team and they click on that free pizza, right? And so having people be aware, and actually I made up a word a long time ago called programmatize, so we're not shooting from the hip and we're actually making things repeatable and measurable and then everybody inside the organization can lock the windows and lock the doors a little bit tighter and better.

Patti Harman (04:40):
It really, and the importance of having your work environment protected and the training for your employees just is so important. And I think sometimes that companies forget the importance of that role. And that kind of leads into my next question, which is that hybrid work environment, it's no longer what we would call new, but there are still many risks that kind of exist with that. Are you seeing companies and their employees becoming maybe a little bit savvier about protecting their equipment and their data from cyber attacks in this type of work environment now?

Michelle Drolet (05:21):
So we know that this is a computer, right? And it goes with us everywhere. We are working from home, we're working in the office, and the bad actors are trying to figure out where we are. So those phishing attacks, those types of things, looking at even, I'm working from home today. We have a clean desk policy, whether you're at the office or here. We have an acceptable use policy that says that's a corporate asset, and your children are not supposed to be playing on it or doing their schoolwork. And so making sure that, again, whether they're at the office or at Starbucks or here at your home office, that everybody again understands what the number one rules of engagement are, but also what the threats are. Because when we're doing penetration tests now, before we would just look at the cloud environment or the actual external piece of the network, but now we actually look and we'll do penetration testing on the C-suite's homes to make sure that somebody can't traverse through and get back into the network. Somehow it's changed.

Patti Harman (06:48):
Yeah, because what I was going to ask, if there are there threats that focus more on that hybrid environment, because everybody works from home remotely somewhere, and you're right, you mentioned being at Starbucks or some other place where there's public wifi that just opens up a whole new area of risk I would think.

Michelle Drolet (07:07):
It really does, and I would challenge everybody to go get, it looks like a little USB, and I'm going to say this and it sounds really funny, but it's a USB condom, that's what it's called. And basically when you're going into a Starbucks, you put that in before you connect to anything, whether it's wireless or whatever, because they're stealing data like no tomorrow. And so being able to protect your information, but also your company's information.

Patti Harman (07:43):
So you held up your phone before and said that it was a computer, and there's a lot that we do on our phones these days. Is that creating more cyber risk for individuals? And if so, how can those be mitigated? It's a little bit scary when you think about all of the data you have on your phone. When I have to switch from one phone to a new one, I'm watching what they're doing with it, and I'm worried about what they'll do with the data even in the phone store, type of thing. But I'm wondering, are there other risks that we should be watching for, and can we protect against them?

Michelle Drolet (08:21):
Well, I mean, having mobile device management on the phone. Whether it's your phone, we pay for people's devices, but it's their device. But with that being said, we actually install mobile device management and containerize where the Towerwall information is. So email, if they lost their phone, we can suck it out. And so again, it's that protection and it's the layers of protection. And then that two-factor authentication too. So if it goes away, can somebody actually get into it? And how often are you changing, not necessarily the passwords, but the login time?

Patti Harman (09:10):
Yeah, changing passwords is kind of like the bane of my existence, and it's always somewhere where it's late at night or you're traveling and it's like, I need to come up with something really fast, and it's always like the worst possible time. But you're right, the importance of doing that on a regular basis just really can't be underestimated.

Michelle Drolet (09:30):
So it's interesting, Patti. So I was just reading, and I've been in the cyberspace for almost 30 years, and I still learn something new almost every day. It's so cool. But what I was reading is that if you create a passphrase, our password policy is a minimum of 15 characters, but if you actually create some type of passphrase with numbers, it doesn't even need to have special characters. From what I was reading, if you can be up to 17 to 19 characters, even with the generative AI cracking passwords like crazy,

Patti Harman (10:09):
You're good.

Michelle Drolet (10:09):
And then you don't have to change your password all the time because you have that multifactor and you have that password. It's a one two punch. So maybe that's your solution.

Patti Harman (10:22):
I'll have to keep that in mind. I did use a phrase once and I had to give it to someone like my accountant or something like that. I was having trouble getting in, and when I told him he was laughing at me, I was like, well, but no one's going to be able to think up this phrase type of thing. I love it.

Michelle Drolet (10:40):
I love it. And that's so true, so true.

Patti Harman (10:43):
So are bad actors getting smarter and adapting more quickly as companies improve their defenses, as we use a 15-character password or whatever?

Michelle Drolet (10:56):
So we create and we develop our defenses. We build our programs, we have our strategies, we have our incident response plans, we have our disaster recovery plans, we have our technology stacks, all of that type of stuff. We do our user awareness. We have AI in the technology now to help better thwart from a threat response perspective, all of that type of stuff. But the bad actors are doing the same exact thing. And I'm sure everybody's heard of the dark web, and that dark web, well, it's not always been there, but it's been there a long, long time. It's a lot smarter than it used to be. And so not only, I mean, ransomware-as-a-service has been around for quite a few years. So now you can rent your ransomware for a week for less than $300 now, because of all the hacks and all the different stuff.

(12:02):
You can say, I want to target insurance organizations. So now they can actually buy a list and say, I want a hundred thousand insurance brokers or whatever it is, because that's who I'm going to send my ransomware to. And even beyond that, I'm not real technical, so now I'm going to actually rent a person to actually run the test for me. So then now I'm just collecting the money because I've paid for all these different things, and now all I need is a couple of people to click on it and, you know what, I've paid for myself tenfold, at least.

Patti Harman (12:38):
It's like it's its own business model actually, and it's interesting.

Michelle Drolet (12:43):
Help desks for that. And then they have help desks for people to help them pay the ransom.

Patti Harman (12:49):
Okay. I wrote a story a couple of years ago about what you could purchase on the dark web, and I was astounded then to learn that they have a customer service department. And if you say, I wanted to buy names of young professionals that live in the Wall Street district of New York City between the ages of 25 and 40 or whatever, but that wasn't the list that I got when I purchased it, apparently I could go to their customer service department and say, hey, these names and addresses or whatever aren't working, or these social security numbers or whatever. And it just blew me away that they were that sophisticated and had all of those different aspects established already.

Michelle Drolet (13:39):
$10.5 trillion.

Patti Harman (13:41):
Yep, yep. So are there common mistakes that businesses are making or areas where they leave their data or their companies kind of vulnerable to attacks still?

Michelle Drolet (13:54):
So I have to say, it hurts my heart to have to say this, but we're still talking about patching. Microsoft has Patch Tuesday,

(14:07):
Patching of Acrobat, Adobe, third-party applications. SaaS applications have made it easier to not have to have that, whether it's your endpoint or whatever it is. So you're not patching the servers that it's sitting on, your MDR solution or whatever. But again, it's that programmatize. There's organizations that, I actually was talking to somebody a couple of years ago and got off the phone and I was like, oh, because he had every shiny object that you could possibly imagine. He had two different kinds of endpoint security. He had two different kinds of scanning tools. He had firewalls. I mean, he had everything, intrusion detection, prevention, everything. And it's like, you have that and you don't have it set up. It all fights. So you think that you have it and you are protected, but that endpoint security isn't working at 75 to 80%, it's working at 10, maybe 15, because it's fighting against the other stuff. So having a strategy, having an understanding of what you want to protect, because it's all risk-based, right? What are the crown jewels? Because we can't protect everything.

Michelle Drolet (15:39):
What are the specific things that we want? And then we can build a fortress around it, and then we can build our policies and programs and procedures, and then we can build our user awareness program so that everybody understands what we're supposed to do. If something bad happens, who are we supposed to call? Right?

Patti Harman (15:59):
Very practical approach, for sure. So everybody talks about AI. That's been the new shiny toy for the last maybe 18 to 24 months. Does the increased use and adoption of AI put companies at a greater risk for a cyber event then?

Michelle Drolet (16:20):
So if you think about phishing, the phishing emails of three, four years ago with the typos and hello My name is...

(16:36):
Well now with AI, they're beautiful. In fact, we had a client that had something happen, and they actually had it so it looked like it was two Ls, and I'll just use Michelle. So Michelle, it was actually an L and an I, but you couldn't tell if you looked at it with an eye, it looked like that email address. And that was just a specific font. So having them use AI, again, for the bad actors makes it a lot more sophisticated. And that user awareness, so that the employees need to really pay attention to what they're looking for so that they're not clicking. And you think about your HR application, and what they'll do is they'll send out, here's a payroll change, and it's from Paychex and it's from blah, blah, blah, blah. And it could be PAY C3, and you're looking at it and there's a change and you're going to get a bonus. So again, yes, AI has made it easier for them to gotcha.

Patti Harman (18:06):
Well, and on the flip side of that, does the use and adoption of AI give them a better opportunity maybe to identify and preempt some of these attacks then?

Michelle Drolet (18:18):
Yeah, no. As it's being used for, the bad is being used for the good. So the firewall technologies, the threat response, the intrusion detection, all of those different things. What's an anomaly? Where does Michelle go? How many files does Michelle look at? Now all of a sudden, Michelle's downloading 10,000 files. It's like, whoa, that's a red flag. Or Sally from HR is now trying to get into the finance folder. So just understanding patterns of behavior or Michelle's here in Natick, Massachusetts, but wow, I'm logging in from Yugoslavia or something. I don't think that's a country anymore, but you know what I mean. And so again, AI can be used definitely for the good.

Patti Harman (19:13):
Okay. Are you seeing an improvement within companies in terms of their cyber hygiene, like being more consistent with their patching or better training for their people or better controls like dual factor authentication as these companies become more cyber savvy?

Michelle Drolet (19:34):
So it's interesting. So there's two things, and again, I've been doing this a long time. So pushing a boulder up the mountain, trying to explain why you need antivirus and firewalls, but with the adoption of vendor risk management and organizations getting these vendor questionnaires, and they're not going to get a client unless they can fill these things out properly so that they need to have an information security program. They need to have an incident response plan. They need to have an acceptable use policy. They need to have the different controls in place so that they're going to get that client on the other side of it. So you have that vendor side, you have the cyber insurance side, so cyber insurance with physical people, insurance, there's actuaries and we know blonde hair, blue eyes, X of X age, whatever from where. Maybe she's going to live to 85, I don't know.

(20:50):
But in cyber, and it's getting better now, but there were no actuaries, and the ransoms were not $500 anymore. And so the insurance companies, and I know there's a lot of insurance companies here, have requirements to say, you have to have multifactor authentication or we're not going to give you cyber insurance. You have to have endpoint protection. You have to have updated firewalls, EDR, endpoint detection and response, managed detection and response. And then if you do that and you get those different pieces and parts, it's going to keep your premium down. That doesn't mean that they're going to keep all the bad actors out, but it's going to, again, I use that analogy a lot, the door lock and the window. So those two things have made a big difference in people really getting on board on doing the right thing.

Patti Harman (21:56):
That's good. And it is really important. And sometimes it's the smallest things that can have the greatest impact I think as well. Is there anything that really concerns you at this point in the cyberspace, whether it's the maybe increased attacks on infrastructure, that's one of the things our team has been kind of paying attention to or bad actors becoming bolder and their attacks or more state sponsored attacks. There are just so many different places my mind could go in this space, but is there anything that really concerns you at this point?

Michelle Drolet (22:32):
I think as I was saying, the bad actors are getting better and the stakes are higher, especially infrastructure. And we do OT assessments, and it is terrifying. We will do walkthroughs, we do penetration testing, we do risk assessments to review all the policies or programs and things like that. And you would think that things would be really locked down, and they're not. And so that concerns me. What also concerns me is these software-as-a-service applications, because organizations are building these technologies without security in mind. And so people are thinking that this large company is doing the right thing, and they don't have a secure development lifecycle program that their developers are following. They don't have testing to make sure that the code is good. And then they're not even doing testing after it's done to make sure that user A can't get to user B, or can't escalate to become a manager and now change somebody's, I don't know, vacation or pay scale on an HR application. That terrifies me. We do a lot of that stuff and we break things all the time.

Patti Harman (23:59):
Right. Yeah. Wow. I'm wondering, do you have any recommendations then for companies to help them improve their cyber resilience?

Michelle Drolet (24:12):
So again, think about your cyber strategy. It needs to align with the business strategy.

(24:24):
And then you as an organization need to look and say, okay, what's my risk tolerance? What are my regulatory requirements? What do I have to adhere to in the insurance? If you're doing business in the state of New York, you have to do a New York DFS risk assessment annually. So if you don't do that, you could lose your license there. Penetration testing. So again, what are the crown jewels that need to be protected? And then what are the different pieces that you look at? And you look at it from an awareness perspective, you look at it from a technology stack perspective. You look at it from a vendor, who are your vendors that you're working with both upstream and downstream,

(25:17):
And look at who are your top 10 or top 10% and then make sure that they're protecting you, just like you're protecting your customers because that could be your weakest link. And so looking at that, I think I said user awareness component, that cyber insurance, make sure that your cyber insurance is actually covering you and that you are adhering to everything it asks for. Because if something bad happens and you're not, they're going to pay your ransom. They're not going to pay whatever it is that you need. Have a forensics retainer sitting there. So in case something happened, you have somebody to call because the last thing you want is on a Friday at six o'clock at night when somebody clicks something and you have a ransomware attack, it's like, okay, now what am I going to do? Right.

Patti Harman (26:14):
Or

Michelle Drolet (26:14):
Even know your insurance broker's number.

(26:19):
There's just a lot of different pieces and parts, but it's all programmatic and it's repeatable. I say to our clients all the time, it's a journey, it's not a destination, because something new's happening every day. And so you can't just sit back and rest on your laurels. That's so true. I love this story. So we work with a lot of higher ed organizations, and it's a smaller private school here in Massachusetts. And the president and I met, and the CIO, and they brought us in to do a risk assessment. And we did that. And then they brought us in because they didn't have any programs or anything, and we built out the program for them. It was called an information security management program, and we gave it to 'em in actually a binder. And Paula basically said, she introduced me one time and she said, I don't have any paper in my office at all except for her book, and it scares me to death. I'm like, good. But you know what? It's programmatic. And they are so far ahead of a lot of other schools because they have used that approach, not shooting from the hip. You never want to do that.

Patti Harman (27:45):
Well, and to the paper piece. So I have worked in communications for several decades, and I had an emergency binder on my shelf that if certain things happened, it was all there. And if you think about it, today with technology and cyberspace, if your system gets locked up, you're not going to be able to access anything. So having all of the phone numbers, who to call, what to do, the steps to follow, having that printed out somewhere, even though it seems old school, could be really the difference between mitigating the damage immediately versus trying to figure out what to do next when something happens.

Michelle Drolet (28:28):
I love that you had the forethought to do that, because we say that because we build incident response plans and playbooks, and they're like, well, it's electronic. And it's like, well, that's lovely, but if the systems were not available, what would you do? So I would suggest you print it out and maybe print out a couple copies so the different leaders in the organization have a piece of it, and then maybe test it, do a tabletop exercise so you have some muscle memory on what that looks like, because you don't want to practice when something bad's happening.

Patti Harman (29:03):
So true. You only need to go through one crisis to realize the importance of taking some of these steps well in advance.

Michelle Drolet (29:12):
That makes me really sad.

Patti Harman (29:15):
Yes. Are there any risks you're watching or things that companies should be monitoring for the next six to 12 months? I used to ask for the next three to five years, but things are changing so rapidly now. So anything that you're just keeping an eye on maybe for the next year or so?

Michelle Drolet (29:32):
I think from a risk perspective, I think regulatory and compliance. So really paying attention, with the Feds having kind of sat back in certain things like the Gramm-Leach-Bliley Act or just different regulations that have been there, but now they have really kind of ratcheted them up and there's some serious teeth, like hundreds of thousands of dollars of fines, and they're coming in and doing audits. So just be aware of where you stand with different things, like New York DFS for example. They could be knocking on your door. So being proactive from a regulatory perspective. The ransoms, if a small business gets hit, and the statistic is awful, but 60% of small businesses that get hit with a ransomware attack, and again, they're not 500, they're not a thousand, they're not $5,000 anymore, they're 250-plus thousand dollars for small businesses, they'll be out of business within nine to 12 months.

Patti Harman (30:40):
Right. So true. Which is

Michelle Drolet (30:43):
Terrifying.

Patti Harman (30:44):
So we've covered a lot over the last few minutes. Is there anything that I haven't asked you that you think is really important for our audience to know about cyber risks or cybersecurity?

Michelle Drolet (30:57):
I just think just understanding what you're trying to protect. Building a program to protect it, educating your people, making sure that you're working with really good partners, and then have good cyber insurance. Put the right technology in place. Educate, educate,

Patti Harman (31:21):
Educate. Very true. I completely agree. So thank you so much, Michelle, for joining us and for sharing your insights on cybersecurity and how to mitigate some of the risks. I also want to thank our audience for joining us today. Please join us for our next Transformation Forum in November, when we talk about mining social media for data. I'm Patti Harman for Digital Insurance, and please enjoy the rest of your afternoon.

Michelle Drolet (31:48):
Thank you, Patti.

Speakers
  • Patti Harman
    Editor-in-Chief
    Digital Insurance
    (Moderator)
  • Michelle Drolet
    CEO
    Towerwall
    (Guest)