Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

CMMC Cybersecurity and Compliance - November 2020 - In this episode, Craig Petronella of Petronella Cybersecurity and Digital Forensics and Sam Brown of Rancho Mesa Insurance Services answer questions about Cybersecurity CMMC, NIST, DFARS and how these standards may influence Cybersecurity Requirements.

November 11, 2020 Craig Petronella

Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Announcer:

You're listening to cybersecurity and compliance with Craig Petronella. Visit us online at Petronellatech.com.

Craig Petronella:

Hey, Sam, how are you today?

Sam Brown:

Hey, Craig. I'm doing well, yourself?

Craig Petronella:

Good. Welcome.

Sam Brown:

Thanks for having me.

Craig Petronella:

Absolutely.

Sam Brown:

How's your day going?

Craig Petronella:

Good, it's pretty busy. It's DFARS Interim Rules. It's pretty busy and causing a lot of people to need help.

Sam Brown:

Ever cheat; your world is ever-changing. Mine changes once a year. Yours is changing once a week.

Craig Petronella:

Yeah, last week, I was on a webinar from Katie Arrington around the DoD DFARS Interim Rule and how it affects over 300,000 federal contractors. And there's a lot of questions around that. Some folks thought they did not need to upload their self-assessment to the SPRS database by November 30. And she said that pretty much everyone needs to upload it. Unless you're what's called COTS, or commercial off-the-shelf products. There's a lot of questions around it. And I think that even if folks don't fall into the controlled unclassified information bucket, they should still do the self-assessment process. It's freely available to everyone. And it's only going to help everyone. It's only going to help improve the cybersecurity of their company. You're going to say fiddle through it. But if they get stuck, just reach out to a cybersecurity specialist and get help. It's only going to help strengthen their organization and increase their cyber maturity level. And I think it's a good thing all around.

Sam Brown:

Yeah, I wish everyone was self-motivated in this realm, but it's usually the threat of either severe cuts to revenue or even fines. When I say cuts to revenue, I mean a suspension of operations, or the threat of it. That's what motivates folks, other than applying or complying with federal guidelines for HIPAA or anything else. I guess people just have to see more of it. I don't know.

Craig Petronella:

Yeah, I think that's a good point. When I went through the CMMC training, they talked about the False Claims Act, and they talked about why the CMMC came about, about the self-assessment and self-assessment process just not working well for folks. And that's where I saw that it only really affects a lot of different industries or will. For example, PCI or Payment Card Industry compliance. For folks that take credit cards. Almost every small business takes a credit card. So they're supposed to do the self-attestation of PCI compliance. So if they're using Square or some vendor, Authorize.Net, to take credit cards, they're supposed to do that self-assessment process. And they're supposed to do that once a year. And it's usually like 50 or 60 questions. But a lot of people just click, click, click and click next, and submit, and they don't realize what they're clicking on. It's going to a new website and accepting the terms of use. If you don't accept the terms of use, you need to leave. But most people were like, No, I want to buy whatever I want to see, whatever they got. So they just say yes. And they just move on. Right?

Sam Brown:

Oh, or an insurance application? Yeah.

Craig Petronella:

I guess my point is, I think the CMMC is a good thing. It's the third-party involvement, the third-party looking over your shoulder and making sure that you're doing all stuff the right way. And you have to have two forms of supporting evidence for each of the 110 plus controls, and they're coming on-site to your office and making sure this is done. I think that's a game-changer. I think that's going to affect your industry greatly. And by all means, introduce yourself, Sam. I appreciate you coming on board. I'm happy to have you and help answer any kind of cybersecurity insurance questions for us.

Sam Brown:

My name is Sam Brown. I'm the Vice President of the human services group here at Rancho Mesa Insurance Services. We're a commercial property-casualty and health benefits agency focusing on certainly cyber liability and workers compensation, directors and officers liability, general liability, property and auto as well. We have two main verticals, which would be the Health and Human Services. That's nonprofits, healthcare, education, and then construction. Many of the insurance lines that we sell will apply to many different industries across many different states, such as workers comp, directors and officers' liability, and cyber liability, which is why we're talking today. I am so happy to talk about what I know or what I have learned since March in how employers need to be ever more diligent in communicating and training their virtual employees on what they ought to be doing.

Craig Petronella:

Thank you.

Sam Brown:

We're on the risk management side.

Craig Petronella:

Thanks, I appreciate you coming on. So, if you don't mind, talk a little bit about what a small business should be looking for in a cybersecurity policy. What are some of the gotchas I know you'd mentioned before about cybercrime coverage? And maybe you could just kind of talk a little bit about that for a minute.

Sam Brown:

Yeah. Cyber liability insurance goes by a couple of different names. It might be data compromise insurance as well. It does several different things. They become very broad in various triggers for coverage. So, for example, your information or your system, as an employer, as a company, has been breached, and very sensitive information, whether it's health information, social security numbers, just any information, has been out there. In this case, you could become subject to a lawsuit. If another company were to sue you, you would have coverage for the defense costs for the attorneys who will defend you against those allegations, and then any settlement or judgment that does come to pass, you'd have coverage for that as well. But aside from that, you have a lot of different coverage, which will come into play. So you could have coverage for administrative penalties, such as HIPAA fines. If your system were to get hacked, and you have ransomware, where it says, Hey, Craig, my name is Sergey, and I have locked your system up, you need to pay me 10,000 Bitcoin. And if you do, I'll free up your system. If you don't, best of luck. The insurance carrier is going to do their best to send in a forensics team, after carefully monitoring how much that would cost the insurance company, of course, and try to free you up. And if that doesn't work, or if they feel like it's cheaper to send in the ransom to free you up, they'll do that as well. But then, hopefully, that forensics team will be able to patch up those holes quickly. So it doesn't happen again. There's also going to be the cost to notify everybody whose information may have been compromised. So you may remember a couple of years ago, Target and a lot of other large retailers may have been hacked. And they have to, by law, as we all do, send notification via US Postal to everybody and say, Hey, if you shopped here between December and January, your information may have been compromised. We've enrolled you in free credit monitoring. So it's going to respond to that as well. And then cyber policies are also going to have, as you mentioned, the cybercrime component. So that cyber typically means stolen data, but the cybercrime will reference stolen money and security. So that's going to be Computer Fraud, and Funds Transfer fraud, are the two big ones in that category.

Craig Petronella:

Like business email compromise, where you are tricked with a phishing email into wiring funds or sending gift cards?

Sam Brown:

Oh, that's the next one. That's commonly referred to as social engineering or voluntary parting. So let's say that I'm the president of a company and I'm going to Minnesota on business for a conference. The bad guys, as you know, Craig, will sit on my email if they breached us, and they'll know what's happening. They know my travel plans. They're watching my email going back and forth with everybody at the company. At the right time, they're going to email somebody with control of funds at my company and say, Hey, this is Sam. I'm in Minneapolis. I just got in a terrible accident, and I don't have my health insurance coverage. I need you to wire me $25,000. And this works. But, fortunately, a lot of the time, it doesn't. If it were to work, that is also coverage found on a cyber liability insurance policy. So several different triggers for coverage. That's a pretty good overview.

Craig Petronella:

A few weeks ago, I was reading a LinkedIn post from an attorney saying that they passed a law or something around, no longer being able to pay the cybercriminals. In the example that you gave about Bitcoin, they lock you up with ransomware. They trick your employee or yourself into clicking on a fictitious link or a spoofed link that looks like it came from a trusted source. They lock your systems up. They encrypt it with 2048-bit encryption or so. And then they demand in 24 or 48 hours, three Bitcoin payments somewhere. I was watching a thread from a data privacy attorney. And he was saying that if the criminals are on, I forget the list. But it's basically like the blacklist for our country. If they're in a sanctioned area of Russia or China, for example, they're on that list or a terrorist list, and you're found to send them the ransom payment, the three Bitcoin, you can get prosecuted for money laundering. Have you heard about that?

Sam Brown:

I haven't heard about the money. But I have heard that they're watching this closely because they're trying to stop all payments, all sources of support for any sort of illegal activity, right?

Craig Petronella:

Yes.

Sam Brown:

So insurance companies have deep pockets. That's why people get sued. So yeah, if insurance companies are in the habit of making these ransom payments, one quick way to end that would be to put in some legislation that would disallow it. It might create a little bit of a headache for employers or the policyholders. But as long as there's an understanding that there's no coverage when you're purchasing the policy, then you're in the habit of implementing best practices. So ever the more reason to help employees get trained up, you can test the employee workforce to say, Hey, we're going to randomly test a few employees and see if they click on the link they're not supposed to.

Craig Petronella:

That's right.

Sam Brown:

All those measures are just going to be so much more important.

Craig Petronella:

Absolutely. And those drills are essential, too. So it's not only important to have the policies and procedures and security controls, but do the drills and test your employees each month to make sure that they're not clicking on things they shouldn't be. And then, if they are, send them back to boot camp and get them trained up. Because if you've got employees that are not trained, and they're clicking on stuff that they shouldn't be, that's going to lock you up and get you in a real bad spot real fast with this ransomware. I saw another headline. I wrote a blog post about how ransomware is targeting hospitals at the moment. And there's a huge uptick from the FBI. There was an announcement. But it all boils down to the same stuff I've been preaching for years, but nobody wants to listen to the proactive stuff. They don't want to do anything until it happens to them, right, or till it affects them. So, yeah, that was very interesting, what I was reading about the money laundering thing. And it was also ironic to read that many of the counties in the state-level areas that were hacked with ransomware, that I know, they tried hard not to pay, but some of them did pay. Some of them had to because they'd had no backup systems to restore from. And that's the hackers. They do recon to figure that out and see how bad a shape you would be in if you lost all your backups. And then if they got your backups and got your systems, they know they got you. And they know that there's a high chance for them to get paid. It is a business to them, and it works.

Sam Brown:

And it's repeatable, right? I don't know all the blackhat cybercriminals out there, what they're capable of, but I got to think that they're not just working on one big hospital at a time, right?

Craig Petronella:

Oh, they're sending out squads, and they're scripting. I've always said this. They're smart, and they're lazy. So they write scripts, they don't do all the heavy lifting themselves. I just read a thing this morning. They're buying ads on Facebook now to attract you, and they get the ad approved. And then, they switch the link to an infected web server with ransomware. So they're casting their nets wider and wider to trick people. As you mentioned, not just with email phishing, scams, and social engineering, but now they're going steps farther there on social media. They're going where you hang out. And they're looking to trick you there, too. I've even had some. I don't know if I told you this, but I've had a law firm tell me that they would not want to do all the stuff that I recommended based on this and all the preparedness that they're supposed to be doing and that they would just buy cybersecurity insurance and just do a payout.

Sam Brown:

That is called a moral hazard. It's like, I'll park my car underneath that volcano. I have insurance. Right? But I think I learned that when I went through my licensing, as a moral hazard.

Craig Petronella:

I've had folks tell me that. I've also had folks where I went to their premises and had a meeting with them. And I said, Okay, let's look at your server room, and they show me their server room, and it's in the men's room. Yeah. And it's right next to the water sprinkler systems on the roof. And I'm like, If you guys don't hire my company, just get a professional to move this stuff out of here. That is not a spot for electronics.

Sam Brown:

And I think that all the pre-emptive measures you can take, all the best practices are becoming so important now. The pandemic forced many of America's workforce into a virtual mode. Whatever controls were there, they need revamping, or they need to be explicitly communicated and trained in the form of a work from home policy. So questions that I've been asking, or when looking at the cyber insurance renewal or policies we have in place, is okay, is coverage going to get triggered if something happens off-site? My chief admin officer is working from the living room helping his kids with math, and he clicks on the wrong link. Is that going to qualify for coverage? Or if there's a breach into a personal machine, a personal piece of equipment. So it's my laptop at home, it's not company issued? Maybe I'm missing some security patches. And again, maybe through no fault of my own, my computer gets hacked? Or I jump onto some public Wi-Fi at an eatery. Is coverage going to apply there? And then, of course, does it include social engineering? But yeah, the virtual component or the workforce's virtual aspects are just making it more important to ask those questions before, as you're sifting through the quotes.

Craig Petronella:

You're right. And if you think about it, before COVID hit, and people were in the corporate environment, they go to work. They're typically working off of a corporate-controlled endpoint laptop, desktop, the corporation has installed security controls software, monitoring tools, backup systems, advanced firewalls, intrusion detection system, all the IT infrastructure, right? If you're a small company, maybe you have pieces of those things. But the point here is, they did. If they did some type of self-assessment or attestation, they did it off of that model that diagram, right? I'm in the building, I've got physical controls, maybe I have a key card or all these different things. Now COVID hit. So now everybody's working from home, most businesses did not issue an endpoint with their security controls. They're allowing people to work from home. So that's where your BYOD or Bring Your Own Device Policy comes in. Right?

Sam Brown:

Right.

Craig Petronella:

And if you don't have one of those, you don't have any clear direction for the employee to follow what's allowed and not. So what happens is, you've got a lot of folks that are working from home. Their home computer is not going to be very up to date, often. Most of the time, it's going to be out of date. It's going to be an older operating system. They're not religious about patching and checking patches and then patching, rebooting, patching again. They may not be technical. Maybe, they never even do that. But my point is that now you've got all these open doors, these unpatched endpoints, and a lot of employees working from home are working with sensitive data. And that could be healthcare, patient health information, or some type of personal identifiable information. So we know most of these people working from home, not only are their endpoints insecure, but they're usually working off the Internet Service Provider's modem, where the password is like eight characters. Super easy to hack the password. It's sticky noted right on the firewall appliance.

Sam Brown:

Or it's the employee's home address.

Craig Petronella:

Yeah, or something dumb, like the last four digits of their phone number. All it would take is a wardriver or some malicious person within range of them sitting in their car. And this does happen, by the way. They sit in their car. They find an access point, use some freely available open-source tools, break into your network, sniff your traffic. Let's see what's interesting, maybe steal something, break into your system, exfiltrate data from you. You might not even know, and often you won't know because you don't have the technology to detect this stuff.

Sam Brown:

Yeah. I read a stat that said that, before the pandemic, the FBI would field about 1,000 reports a day of some sort of data breach. Since March, that's up to 3,000 to 4,000 a day. And I got to think it's higher than that now.

Craig Petronella:

I'm sure it's higher than that.

Sam Brown:

Those are just the ones that we know about.

Craig Petronella:

That's right.

Sam Brown:

To your point. How many don't we know about? Then, circling back to something you had said, I had read that 85% of employees working on their own devices at home are circumventing their employers' policies and protocols, downloading games or going on Facebook. That's a scary point you made if I'm going on Facebook on my lunch break, but I click on a link that I think is leading me to an article about the election, and they got me.

Craig Petronella:

Yeah, and it's so easy. I don't know if you know about keyloggers or keylogger malware. Keylogger malware goes on the black market for about 100 bucks. It's a piece of software that a malicious actor, a bad actor, can trick you via social engineering, phishing, all the above, into you clicking on this email attachment. Maybe it's disguised as an invoice or some PDF attack, whatever. It doesn't matter that they dropped the payload on your system. Often, nothing happens to alert you that anything happened. It may show an invoice. It might show what you thought it showed, but maybe for you, it's just an error. You think nothing of it. What happens is, once that payload's dropped, your antivirus won't detect it because it's called a zero-day keylogger. Well, what is it doing? It's capturing every single keystroke without your knowledge and exfiltrating it right to the hackers. So this is what happened with Target, Michaels, Home Depot, Sony. They all got hacked with the keylogger. Super easy software you can get into any company, and just skirt right through all the security, and you can't detect it. You can get the latest firewalls they make. You can get the best antivirus that you think you can find from any maker, model, vendor. It's not going to stop a zero-day keylogger. So the big tip that I recommend to folks is to use a password manager with a complex passphrase greater than 22 characters. I know that's super hard for a human, but then pair it with something like this. Have you ever seen one of those?

Sam Brown:

No, what is that?

Craig Petronella:

That's a hardware token. This one, in particular, is called a YubiKey. What that does is it uses a password manager. We're all human, right? I've got a bazillion passwords to all different things. Every day I log into something, it's like, Oh, you need to change your password. I don't even know what my passwords are because I rely on a password manager. But I don't just rely on the password manager. I also use and link it to what's called a hardware token. So I used to connect it. So if I got a keylogger on my system, somehow, they could capture my long 22 character password, but they won't get in because they need my hardware key too. They need both forms. So it's kind of like multi-factor authentication, which I highly recommend enabling for any Box, Dropbox, Facebook; whatever you use, you should enable two-factor. But this takes it a step further because now you're encrypting and using all your passwords, but you're using a hardware token as well.

Sam Brown:

What password manager is the most effective, you think?

Craig Petronella:

There are several on the market. RoboForm is a good one, but I'm not sure if RoboForm has updated their system to support hardware tokens. I know LastPass does. You can get a cheap LastPass license. It's less than $200 a year. But the token itself, you can go on Amazon, it's like $50 for the token, but this greatly enhances your cybersecurity if you go to all your websites. You make sure you have 22 plus character complex passwords, you change them all, and you protect it with that hardware key. The big passphrase that's significantly improving your cybersecurity is just doing those two little things. It's not the silver bullet. I'm not saying you don't have to do policies, procedures, and all the other stuff. That's an example, two security control layers out of 110 and this, you know. But my point is that anything that we can do, all of us, it doesn't matter what business we're in, anything we can do, little steps forward, will help. And I believe in a layered approach. So the more little layers that we could do, the better.

Sam Brown:

I'm with you. I think I had listened to a webinar a couple of weeks ago. And I think we've mentioned most of the tips that they had forwarded on in that webinar. They're always making adjustments and security patches to address any known threats. Beef up your password practices of 22 key characters you sense is never the same. I'm not a cyber professional. So I was taking that to heart and saying, Okay, here's some Joe Schmoe tips that I can use, and then I thought the two-factor authentication was really good. And we know that, as you said, it's not perfect. But it's a weapon to use in the battle, right?

Craig Petronella:

Many business email compromises, where you get an email to a C level or somebody important in the organization with binding authority. Sometimes they'll get tricked by a hacker. Maybe, they use Microsoft Office 365, for example. And, perhaps, the phishing email that comes in looks like the login to Microsoft Office 365 on purpose by the bad actors. And it says, Hey, log in with your Microsoft credentials. They do that to capture your credentials to hack you to try to get into your email and spy on your communications to do wire fraud or something like that. But had you had two-factor authentication enabled in your Microsoft Office 365 or Google ecosystem, it's going to stop that dead in its tracks. You would have given them your password if you fell for that, which is terrible. You should train so that you don't fall for that. But if you did, or one of your employees did, had you had two-factor authentication enabled, that one security control layer, had you had that in place for everyone in the organization, that would have stopped them in their tracks. It's not perfect. There are ways to circumvent and get around that if you're subject to a very sophisticated hacker that can, you know, social engineer their way around that. My point is, though, you've now elevated your cybersecurity level to the point that most hackers are smart and lazy. If they find that you've got that, they're going to move on to an easier target.

Sam Brown:

You're right. The analogy is The Club. Simply, how many potential car thefts did The Club prevent?

Craig Petronella:

That's right. It's just like the alarm system. If you get a sticker or sign from an alarm company, stick it out in your yard. The sign alone is statistically proven to deter criminal activity, smarter criminals. I call those layers. The sticker is a layer. The sign is another layer. Maybe, you get a camera; that's another layer. A dog is another layer. The more stuff you do, the better. You don't just protect your front door; you protect all your entry points, your windows, and everything else. You want all-inclusive cybersecurity, or in this case, physical security protection level. But my point is that by blending all these layers, you're making yourself as close to being unhackable as you can, right? So the closer we can get to make ourselves less of a mark, the better. And some of this stuff does not have to be expensive, either. Multifactor is free for most offers. The little hardware token that I said is cheap, 50 bucks. The latest statistics on the cost of breaches are over $150 to $100,000. It'll bury a small business, but I still talk nowadays to business owners. They say I'm not going to do all this stuff. It's too expensive. I've been in business for 20 plus years. I've never had this happen before. I've never had any problems. But times are different now.

Sam Brown:

They know that if you go after the large department stores, they are better protected than the small Mom and Pop pawn shop down the street, which has plenty of information, or any small employer. So it's no less important for a small employer to have these procedures in place. And then an insurance policy. I mean, I hope folks are doing one or the other, either. And truth be told, your insurance application is essentially a best practices checklist, or yes or no. And sometimes, you see some very basic questions answered no. Like do you have a firewall? Is private health information encrypted? And the answer is no. And many times, if I see those on an application, I'll double-check with my clients if they are sure because this probably won't be accordant. We will be honest here. We want to hear a no from the insurance company now, rather than after a claim. So let's be honest, are you sure? Yeah, we're sure. I say, Okay, well, send it in anyway. And a lot of times they won't offer.

Craig Petronella:

And this is where I think the CMMC is a good thing. So the CMMC is the newest, latest and greatest. It's the cybersecurity ISO for the United States of America. Okay?

Sam Brown:

Right.

Craig Petronella:

So it's the most recent release of five different levels of how we secure, in this case, the supply chain of the Department of Defense. However, these best practices can be used for any company. And there are tools out there that are freely available that can significantly enhance your cybersecurity maturity level. And I think the best part about all of it is you can't fake it anymore. You have to get a third-party to look over the IT guy or the company's systems. They have to go there. They can't self attest; they have to prove with two pieces of supporting evidence that each of these things is being done. And you can't do this stuff overnight and fake it. I think it's going to be overall painful for many folks, sadly, because it's going to be a wake-up call. But, maybe, one day, it'll be a third-party requirement to get cyber insurance. I think that could happen because it will be better to protect the cybersecurity insurance providers like you guys from payouts. You're going to have more secure folks that you're insuring.

Sam Brown:

Yeah. And what we see is that in many areas, the Department of Defense has been sort of a trailblazer. I mean, they talk about so many things, so much technology that was first in a weapon.

Craig Petronella:

Right.

Sam Brown:

GPS, for example. Now, as you know, it's on your watch. It's in your car, everywhere. So if the DoD is leading the charge on the CMMC requirements, it could be adopted more universally.

Craig Petronella:

I think that's true.

Sam Brown:

Trust me. I'd love it if no one needs cyber insurance because it's one of those things that's not perfect. And I'll say that about any line of insurance. And you know, should you have a breach? It's very stressful.

Craig Petronella:

Oh, absolutely.

Sam Brown:

You're down. You mentioned the hospitals. So it was six California and Oregon hospitals that were breached and attacked on the same day. And you and I talked about it, but many of these hospital administrators were saying they're on paper right now.

Craig Petronella:

Well, back to the Stone Age.

Sam Brown:

Yeah, that is how far we've fallen. Until we get back up, we are on paper. And I can't imagine potential lawsuits that could arise from this event if a hospital impacted somebody's health because of their level of care and the manner.

Craig Petronella:

Oh, absolutely. And that's happened before in past attacks with ransomware on medical. People have died because they couldn't get the health support that they needed because the systems weren't available there. There was an incident. I think it was in Germany, a lot of people died. It was really sad.

Sam Brown:

Yeah, I sent that email to many of my clients and prospective clients just saying, Hey, just be on the lookout. Just be very aware. Right?

Craig Petronella:

Yeah.

Sam Brown:

Ensure all your employees, team members, and head information officer make sure they know about all this up, and they probably knew it before that. Still, in case they were wondering if it had any insurance implications. It does. Because also, on that insurance application, it will ask you, Have you had any recent attacks? Have you been a victim of any recent attacks?

Craig Petronella:

Right.

Sam Brown:

They know what you know, which is that those bad guys may come back.

Craig Petronella:

But the scary part is that many folks may not have the technology to know if there could be somebody lurking on the network. And I'm not saying that to scare people. I'm saying it as a truth from forensics that we've done. We found that actors were in networks three to six months, spying on communications, before they pounced. The folks that we were helping had no clue. They had no technology to detect that the hackers covered up their logs and their trail and things like that. And free software doesn't have the security and compliance control layers to be able to track back.

That's another good point, too. Since it's typically a long time before an individual or a company learns that they've been breached, often their backup window doesn't go far enough back. Their log data doesn't go far enough back. Like in healthcare, for HIPAA compliance, you're supposed to be saving all the logs, the firewall logs; you're supposed to have all that supporting evidence if you have a breach. Most of the folks that are in healthcare don't have that stuff. And that's an example of a control layer. So that's what I'm saying. I think the CMMC will be a good thing overall, because you have to show evidence of that. You have to show your logs and a trail of all that stuff.

And just last week, the CISO of the DoD, Katie Arrington, was talking about what's called the DFARS Interim Rule. She said how this affects over 300,000 federal contractors that do business with the DoD, and many people asked questions. Universities were asking, Do we have to do it too? And she said, Yes. There are only two areas that don't have to do it: commercial off-the-shelf, COTS, and another one for anything less than $10,000, a small amount; those are called micro-purchases. There are only two that don't have to do this. And even if you don't fall into that bucket, you should still use the free tools anyway. Do that, get the help now, take action now to do it. It's going to save you so much money and aggravation in the future by avoiding something like a breach. It could very well save your company.

Sam Brown:

Yeah, and many insurance companies are getting smarter about offering resources to their policyholders to make sure that they are adopting best practices. Sometimes, even with the quote, they can do a cursory scan of the dark web and say, Hey, the following email addresses were found on the dark web. And a lot of times, I'll just pass this along to my client with the quote. Honestly, they don't have the cyber, so I'm not trying to resell. I'm just saying: you are exposed. I'm glad you have the insurance. However, please make sure that you're staying up to date on all the new regulatory requirements and the latest and greatest defense tools. Make sure you're doing it.

Craig Petronella:

Absolutely. Hopefully, they do. I like to use the analogy of your health. If you go to the doctor, you get a checkup. You're supposed to do that every year, every few years, or whatever. The earlier you detect something bad, the more likely you are to survive and mitigate the risk. So if you find something early enough, you can take smaller action steps that are often less expensive to remediate the issue and, longer-term, help you. Right? So, same thing. I think it's a big deal. And I think that in the next three to five years it's going to be huge for many different companies and getting them to take action.

Sam Brown:

Yeah, and we'll see how long it takes for the true fallout of everyone moving to virtual, and what that's going to cost the economy. What will it cost employers if they're not helping train their virtual employees to follow the protocols? Another insurance piece that might be good for your audience to know is that if you have employees working remotely, they don't have to be at their cubicle. Say they've decided to move away from the office, deciding they'd like to be a virtual employee, and the employer is okay with that, and they decide to move out of state. The employer should check with the workers' compensation insurance company. So workers' comp is on-the-job injuries, but they need to make sure that the workers' comp policies they currently have in place would cover an injury to an employee working out of state.

Craig Petronella:

Oh, that's a good point.

Sam Brown:

If they would, then great. Just add that person's working address, whether it's their home address or wherever they might be working, to the policy. However, suppose the insurance carrier can't cover an employee living out of state. In that case, the employer will have to purchase a second or third, fourth, fifth insurance policy to cover those workplace injuries in that extra state. So, we'll have clients that will have a California policy. They may have a Colorado policy. And then there are some states where you can only purchase it from their quasi state government, kind of like buying it from the DMV. You have to go there to buy it. So those are just good questions to ask. It's come up several times where an employer has a worthwhile, loyal employee that wants to move out of state; those are good considerations to watch out for.

Craig Petronella:

Those are great tips. Thank you.

Sam Brown:

Yeah.

Craig Petronella:

What if you had an organization and had a bad actor inside your organization, like an employee who was upset that they didn't get the salary increase they wanted and did something harmful to the company, such as data exfiltration? Does a typical cyber insurance policy cover something like that? Or is that a separate thing to consider?

Sam Brown:

So, if the bad actor who's an employee were to steal money, that would most likely be triggered on a separate policy, which would be the crime policy. There would be several coverages there, but the number one is called employee dishonesty or employee theft. And typically, the definition of employee is going to include an intern, a volunteer employee, and many times a former employee. Suppose there's a volunteer board. Even if they're not volunteering, it'd be those directors and officers as well. I'll give you an example. Eight years ago, we had a client. They had terminated two individuals. For whatever reason, the office manager kept those two employees on the books but changed their payroll to her bank account. So over ten months, she stole tens of thousands of dollars from the company. And that's why it's important to have payroll audits. Ensure something like that doesn't occur, and make sure that the payroll records match the census. If an employee is going to steal money, whether it's by computer means or otherwise, the crime policy will pick it up. And I would certainly recommend making sure that those limits are reviewed every year. I can't tell you what the limit should be. I wish I always knew the answer to that question. But it's something that should be reviewed with your insurance broker on an annual basis, and make sure everybody's comfortable.

Craig Petronella:

Okay. That's excellent information. What about the situation if there's bribery? I'm assuming that would be covered, like if somebody was sending sensitive data to Russia or a sanctioned area and they were going to get paid, but a crime hasn't technically been committed yet. Maybe an investigation has to happen. And I'm sure attorneys and counsel have to get involved in that, but I'm assuming that would fall under it.

That's a good tip, and it segues into breach notification laws, which almost all 50 states have. So you have to notify; there are certain laws around who to notify, when, and how much time you have once you figure out what happened, and all that fun stuff. But that brings me to the segue: it's important, if you do suffer a breach, and actually it's better, to proactively hire a data privacy attorney to protect you and your company from the very beginning, especially when you're supposed to be doing the annual security risk assessments and the annual penetration test. You want to make sure that you hire a data privacy attorney that then hires the cybersecurity and compliance firm under their umbrella, to get the attorney-client privilege. That's very important to get those protections; otherwise, if you hire the cybersecurity and compliance firm directly and you don't have the attorney-client privilege, all the findings can be subpoenaed. And that could negatively impact your company, severely. I think that's a really good tip that I like to provide to folks. If you had to give folks one or two tips, Sam, should they be checking their cyber every year? Or what are a couple of tips that you can give folks?

Sam Brown:

Reviewing your cyber application every year very closely is the best-practices step you can take. A lot of times, it's just really easy for anybody to look at that and see 20 different questions answered yes or no, and assume nothing has changed. But make sure either you fill it out yourself, or give it to your IT professional, whether it's in-house or contracted, and have them complete it every year, so that you know it's accurate, because you'd hate to see a claim get declined or denied because the application wasn't accurate. I would then recommend a robust work-from-home policy right now, including training on all the cybersecurity measures. That's probably good for everybody to do annually, but now that we've got a remote virtual workforce, it's even more important.

Craig Petronella:

Absolutely.

Sam Brown:

So to try and make it simple, I would say those are the two things. Just make sure that your insurance application is up to date and accurate. And then make sure you double down on training your workforce.

Craig Petronella:

Awesome, great tips. And we do have training like that available to folks that reach out to our website. You can sign up for various levels of training for organizations of all sizes.

Sam Brown:

Yeah, I hope your clients are using it.

Craig Petronella:

They asked about it, and sometimes they'll sign up for it. We recommend it highly, of course. And then we find that some people don't even realize that they have it, and then we have to remind them to take the test. So I got a bag over the head.

Sam Brown:

You can lead a horse to water.

Craig Petronella:

That's right.

Sam Brown:

But if they listen to this podcast, they'll do it.

Craig Petronella:

That's right. I hope so. Anyway, fingers crossed. Thank you, Sam. What's the best way for folks to reach you? And you mentioned that annual review. Is that something that you do for folks? Or is that something that is a service, or how does that work?

Sam Brown:

Yeah. You can reach me at area code 619-937-0175. Again, 619-937-0175. You can also email me at S Brown, spelled just like the color, at Ranchomesa.com. We will make sure that we go through the applications with our clients. If they have questions on whether they're answering honestly or in an educated fashion, make sure they know what they're answering. And then we'll go out to the market and find the coverage that's going to respond to the new threats evolving all the time. And then, most importantly, sit down and make sure the client knows what they're buying. And if they're deciding not to buy something, make sure they understand what they can do to make sure that they don't regret that decision.

Craig Petronella:

Awesome advice. Thank you so much. I appreciate all your help and your insights. It has been fantastic.

Sam Brown:

Yeah. Thanks, Craig. I've enjoyed the conversation. Thanks for having me.

Craig Petronella:

Absolutely.

Announcer:

Thanks for listening to yet another episode of cybersecurity and compliance with Craig Petronella. Listen to all of our podcasts on Apple, Google, and Spotify. Visit us online at Petronellatech.com to book a meeting with Craig about your business.