Episode 3
How to apply the 80/20 rule to your cyber security strategy
Cyber criminals are getting smarter. Protecting your enterprise is getting expensive.
Where do you start in your cyber security journey?
The co-founders of Assurance IT discuss the top 5 cyber security tools every enterprise should start with.
In this episode, Luigi Tiano, and Ernesto Pellegrino also discuss:
- 13 Cyber Secure Measures
- Incident Response Plans
- Reasons to increase cyber security awareness among executives
- How the workspace changed over the last two years and how it's affecting IT
- #1 cause of cyber attacks
- Feedback from cyber security insurance companies
- Top 5 things you need to protect against ransomware
Resources:
Watch the episode: https://youtu.be/FejMyQmT9hA
CyberSecure Canada: https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
Ernesto Pellegrino’s LinkedIn: https://www.linkedin.com/in/ernestopellegrino/
Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/
Assurance IT Website: http://www.assuranceit.ca/
About 10 Questions to Cyber Resilience:
Twice per month, learn how IT leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up to date with hot topics in cyber security.
About Assurance IT:
Assurance IT (www.assuranceit.ca) has specialized in data protection and data privacy for the mid-market in Canada since 2011. The Montreal-based company's unique approach to helping customers become cyber resilient is called the PPR Methodology, which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.
Transcript
This is 10 Questions to Cyber Resilience, brought to you by Assurance IT. Released twice per month, every episode brings you one step closer to cyber resilience by hearing how IT leaders are practicing cyber security. Resources mentioned in the episode can be found in the show notes. If you are ready to take your cyber resilience to the next level, be sure to subscribe so you can catch every episode.
Today we're gonna be talking about 13 controls based on the CyberSecure Canada framework. Before we jump into it and talk about it, it's important that we introduce ourselves. I'm Luigi Tiano, co-founder here at Assurance IT. A little bit about Assurance IT: we're based in Montreal, we service clients across Canada, and we help businesses stay protected, become cyber resilient, mitigate risk, protect them from attacks and help them recover in the event of a disaster.

Ernesto Pellegrino, also co-founder here with Luigi. My role, my focus, is on the technology aspect of it, helping organizations leverage the technology, really, to meet those, you know, attach them and meet those business objectives and become cyber resilient in doing so. So again, my main focus, my focus, is primarily working with the technology people within the organization to really bridge that gap.

Awesome. Before we get into CyberSecure Canada, a little bit about the Assurance IT model. We developed a model here to help our clients remain safe. We call it the PPR methodology: prepare, protect, and recover. Essentially what it helps companies do is identify any gaps in their cyber security strategy, reduce the chance of human error, reduce the risk associated with running a lot of infrastructure and complex infrastructure. Once we identify those gaps and we're able to prepare the organization, then we can protect. You can only protect what you know you have. Right. Right. And then basically once we know what we're protecting and we're protecting it from all sides, you wanna be able to recover, right? So that's what we call the PPR methodology. But a lot of people ask us where the PPR methodology came from. Right? And this is where I think Ernie's gonna provide a lot of value. We had to base ourselves on something that was robust, was tried and proven, and something that we could hang our hat on when we talked to customers about it. It wasn't just something that we came up with out of thin air. It was something that we were able to base ourselves on. And obviously we came across CyberSecure Canada, that has an amazing set of controls and a framework that of course is stamped by the Canadian government, you know, a pretty substantial body who's done extensive research on how to protect the enterprise. So today, you know, that's why we're here, Ernie. I'm gonna probably pass the ball off to you to talk a little bit more about CyberSecure Canada, what it is, how it fits into our methodology and how it's helping clients. I'll kind of act more as the interviewer, because you can probably talk a little bit more in depth about it.
Well, you did a great job there, Luigi, just defining how we streamlined, you know, how we created a methodology around protecting, right. And the Canadian Centre for Cyber Security and other governments across the world are putting together these frameworks. It's the government's response to cybersecurity. They put together these security controls, advice, guidance, security controls on how organizations can get the most out of their cybersecurity investments, really. And you'll hear us refer to the 13 cybersecurity points. You'll hear us refer to baseline cybersecurity controls. We encourage organizations to implement as many of these cyber security controls as possible. We understand that not every organization can implement all of them. But really it's a matter of going through and understanding which ones matter to you, and definitely I'll help you protect against those ransomware and cyber attacks that we're hearing so much about in the media as of late.

Right. Right, right. And it's well documented online. It's accessible to anyone, frankly. That's kind of how we came across it, and it's mind boggling, and maybe a little bit brutally honest here, how a lot of organizations haven't really got their head around it.
I just shared my screen. You see it earlier? Cuz I... What I wanna do, I do. And the number one: develop an incident response plan. And when we see organizations that don't have an incident response plan, whether it be a cyber attack, human attack, disaster, right, physical disaster, you need to have an incident response plan. And it's number one. So you're gonna be running like a chicken without a head if you don't. You know, what do I do? What systems are critical? So you need to answer all those questions prior. And I guess we'll dive into them a little deeper as we go, but it just hit me. I see incident response plan, and we've talked to customers on a daily basis, and it's scary to know that most of them don't have a robust, or any, incident response plan in place. And we think it's definitely number one in the top 13, in order to really be cyber resilient, is developing an incident response plan.

Well, it actually helps you take inventory of what you have, right? I mean, you could only build a response plan once you know what you have. And I think that's a major, major issue with a lot of organizations. They sometimes forget what they own. They have a lot of infrastructure, some is old, some is outdated. It may have been installed or deployed at some point and kind of forgotten. And then there's security gaps, there's security holes that get created because of that infrastructure that's not being patched. Right. Inventory is key. And I think, you know, knowing what you own, then you can react on it. And I think that's one of the issues where we see things from response fall short, right?

So exactly that. So you need to inventory your environment, understand what you have. What's critical, what's not critical, label them. Right. And put them in different facets where you understand which ones have an SLA of one hour. What can my organization live with for 24 hours without a system being up or an application being up? Right. So that's putting a DR plan in place. And then we talk about incident response. That's the aftermath. If we get hit with a ransomware attack or a physical disaster, who do we call, what do we do? Right. What do we do? Yeah, exactly. Right. In terms of, you know, even your brand recognition, you know, do we have a lawyer to work with us in order to, you know, make those announcements public? Right. So what do we tell the public happened? It's important. So a quick plan to really eliminate the mess that would... It's critical. Yeah. Yeah.

Communication. I mean, cause we're going through this ourselves. We wanna make sure we kind of update our plan on a regular basis, but communication to your internal staff, to your customers, to your clients. And if you obviously have a public company and so on, you wanna make that communication really streamlined to make sure you're, you know, you're saying the right stuff and advising the right people of what happened.
I don't wanna spend too much time on just necessarily the incident response plan, but to a point you made earlier, and maybe we can touch upon it. A customer of ours, or, you know, a customer that we've been working with, you know, asked us for a vulnerability assessment a few weeks ago. And the response that we... we looked at each other and we said, well, there's a good chance that they're already vulnerable. Right. They're vulnerable. So maybe touch a bit about that, right? I mean, every organization is vulnerable. Why is an assessment actually needed?

So we use this framework, or this model, or these security controls to say, okay, I'm aware they're there. I can take a stab at them before I go into a full blown assessment. You know, if you don't patch your operating systems, you don't patch your hypervisors, I'll let you do a vulnerability assessment against my environment. I know I'm vulnerable. So again, it's touching upon these 13 security control points, really, to look at what do I have in place? That's the first step. That's where I would start. I would reference these security points, say, okay, what out of 13? How many do I have in place today? Right. What's my maturity level within these control points? Where am I at?
Yeah, backup plan. We look at one of them: backup and encrypt data. Yeah. I have a backup system. Is that... We dive a little deeper within it. Try to extract some valuable data. Do I do testing? Do I have a DR plan? Have I identified which applications are critical to my business? And what is the SLA against those applications? You know, those are the questions you need to ask yourself before you spend the money, really, to do the investment. So, and at the same time, there are different reasons. You can look at these controls, you can answer these controls, but the awareness within the C level is not there. Right? So maybe some organizations are looking at assessments in order to create that awareness and say, hey, C level here, hey management, this is what we assessed and we need to do something about it and you need budget. Then budget is key.

That's a very good point, if you look at it that way. So I would say that 99% of the organizations we deal with, small, medium, they're vulnerable in some way, shape or form. They're vulnerable. But I think what you just said is important, the actual availability of funds, and not only availability of funds, but the willingness to actually invest in these areas. We've traditionally seen it as being a cost center. The last 20 years, we keep seeing it as a cost center, and we hear some organizations saying that it's the enabler to the business. You know, I think we should hear more of that, but we don't often hear that it is an investment for the next step or the digital transformation in the organization. And I think that vulnerability assessment sometimes is used as leverage to go and find the funding. Absolutely. But I'm gonna be, again, brutally honest. I think a lot of IT executives are still ignoring the fact that they're vulnerable and they only react after the fact and they're kind of flying blind and they're doing the basics to cyber security and not really building a cyber resilient organization. They're, like you said, they're putting in a few different controls, they got their backup, you know, they're securing the perimeter at some level, they got some firewalls, they've got whatever basic security that is allowing them to kind of run, but they're not going that extra step. And let's be honest. I mean, the cyber criminals, they're getting a lot smarter, a lot, you know, quicker, faster, better, faster. Absolutely. The tool sets are more advanced. Absolutely. And they get in. Right.
And to add to that point, Lu, over the last couple of years, we've seen change, massive change. You know, COVID, organizations working from home. In the past, you know, employees would go to work, and the ones that work from home, that 10% of the employees, would VPN in, and, you know, you connect in and you have access, you're in the network and you have access to everything in the perimeter. Right, right. Today with the advent of work from home, where 80% of the employees are working from home and not going into the office, they're connecting in. We can't have the same approach, and they know that there's gonna be more vulnerability. By putting a firewall rule allowing this person in or one IP in, those things are... it's over, the dream's over. You have to be more continuous. The advent of zero trust, not trusting anybody within your organization, has to be put in place because the cyber criminals, they get in, they stay in and they scan and they understand, and they eliminate your backups and they understand how you, you know, your security controls, and they attack. So, you know, organizations need to understand that this is critical and overnight you can lose everything you worked for. So it's key, and at the C level, the awareness needs to be raised, need to put security up front and center and allocate those budgets in order to really implement the baselines. And again, I talk to organizations, I say, where do we start? There's 13. Where do we start? We can successfully implement the 80/20 rule. You can achieve 80% of the benefit from 20% of the effort.
How interesting. MFA, right? You need to have multifactor authentication. You can't just have your users connecting in remotely and accessing their email on their phone, on their mobile device. Doesn't make sense. They need to double authenticate. It's key, and any cyber insurance policy is gonna ask for it. Right? Data protection, data recovery. You know, MDR. The age of installing McAfee or... again, I don't mean to hit on, don't point anybody out, man, we're friends, we work with these companies, man, don't point anybody out. Right? Right. The day of installing that antivirus and, you know, downloading updates and crossing your fingers while it does a scan, it's over. You need to have managed detection and response, and the cyber insurance is gonna ask for it. Without it, the underwriters will not register you. They won't give you the cyber insurance.

So let's, uh, let's not talk about cyber insurance, cuz I really wanna bring that up later, but I'm glad you started talking about that, cuz that's a huge topic. I don't think we have enough time to talk all about it today. But so, 80/20 rule. That's interesting. So you're saying implement a few of these controls and that's gonna cover you for the most part? Well, it'll... Yeah, for sure. It's a good start, right? Achieve 80% of the benefits with 20% of the effort if you focus on those four that I identified, and those are the four critical security controls that the cyber insurance companies are looking for. Right. And that's where they see, that's what they see you being as the most vulnerable: MDR, MFA, data protection and incident response. Those are key. And education.
Again, I'm gonna throw out an interesting fact, Lu. Sorry, I'm doing a lot of the talking here, but I'm gonna throw out an interesting fact: 90% of cyber attacks come from the end user, or through an end user, through some end... Yeah. Phishing, phishing, not the trout fishing. No, not the trout. P-H, that's phishing. That's right. Phishing. They click on the email, they get in. You don't know they're in, and again, they start digging. They start doing more and more digging. They're in the network for weeks, right? They're in your perimeter. They're in your network for weeks. And that's one thing that a lot of what we're starting to hear. When we talk about backups with our clients, right? They want longer retention periods. They want longer archive periods because now they're starting to see even their tertiary backups being vulnerable because they're not backing up enough data. So...
But let me ask you this. This framework that you're talking about, it's easy. It's logical, right? In my opinion, if you look through these, there's nothing in here that's really out of this world, you know, in terms of the line items, right? They're pretty standard, right? If you ask any IT professional, they don't need an interpretation to know what these things are. How many companies are actually using this framework?

That's a good question. That's a good question. How many companies are actually using it? I'd say a lot of companies are able to answer, you know, several of those security controls. How many organizations go in depth? That's the real question, right? And why? Lack of resources. And we're hearing that a lot lately. Organizations, especially SMEs, small mid-size organizations, they're really having a hard time finding resources, retaining resources, and the cost of resources has gone through the roof. So you need to leverage a managed service provider or outsource certain services in order to stay at the top of your... Right. They don't have enough time, not enough time to focus on strategic projects, but they're going from, you know, they're focused on reactive versus proactive. That's the challenge. And you need to overcome those challenges by partnering with some key strategic partners that can guide you and help you along the way.

So in short, not many are using this specific framework, they're just using bits and pieces of it. Well, exactly, bits and pieces. And talking to, you know, like, you know, you and I speak to cyber insurance firms all the time, right? Cyber insurance, we work hand in hand with them, and the message from them is that the cyber insurance underwriters are not renewing the policies. So it's an indicator that... insurance companies are in the business of making money. So if they're not renewing them, it means that they're paying out more than they're receiving. Well, it means it's not worth holding the policy. So if they're not holding the policy, it means the companies are not doing their end of the bargain, which is putting these controls in. Yeah. So that's an interesting point. So maybe let's talk a little bit about cyber insurance right now.
So we've been a little bit, I'd say, avant-garde when it comes to working with corporations, enterprises, on the end user side. So when it comes to cyber insurance, the analogy I use often, and I think now we can deep dive a little bit into these conversations, is just because you have a skillset in IT, it doesn't mean that you deserve a cybersecurity policy. The analogy of driving a car: you can drive a car. I know how to drive a car. You get an insurance policy, but if you go out there and you buy yourself a McLaren and you basically drive it at 300 kilometers an hour or 200 miles an hour, and you get yourself hurt or, you know, severely injured just because you don't know how to drive it properly, maybe you're not worthy of a policy. Right. I think that's what we're seeing more and more from the companies saying, well, show me that you deserve this policy and maybe we'll give you one, and if not, well, it's gonna cost you like, in some cases, two, 300% of what they were paying last year. And we're seeing that, that's what they're telling us. Yeah. Right. Underwriters are going to 300% more than what they did last year. Yeah.

So what are the top controls that cyber insurance policies are recommending? Uh, is it back to your 80/20 rule? 80/20 rule, 80/20 rule, focused on MFA, data protection, end user awareness. And maybe I didn't mention that one before, but end user awareness training is key. The end user needs to understand what an email looks like, what a phishing email looks like. They need to understand what it is to open and not open an email, where to click and not click, which websites not to go to. They need to understand. That's fundamental, right? Fundamental. But again, it's simple. It's people, process, technology. You onboard a new employee, they need to go to awareness training. It's key every year and it has to be multi... Keep reminding them on a regular basis. Ransomware is always evolving. They're trying to find better and faster ways to get in. More innovative ways, really correlating information upon people. Sometimes I get some from American Express saying that, you know, my statement's coming up in the next 15 days. It's really targeting. It really looks like the real thing, so they need to be aware. Okay. So again, MFA, data protection, employee awareness training, education. Yeah. And last but not least, next generation antivirus. Right. Or MDR, managed detection. MDR. Yeah. MDR, key. Right. Key. Yeah.
And those are pretty simple things to do. I mean, a funny story, and again, I'm not gonna point anybody out. A customer emailed me a couple of weeks, well, maybe a couple months ago. And he says, my cyber insurance company's mandating me to do cyber security awareness training. Right. What did they do? And so, well, what they didn't do basically is... so we basically flipped over a quote for some security awareness training. And it was literally a couple thousand dollars, you know what I mean? And that's what it costs a lot of companies, especially, you know, if you're a hundred employees, 200 employees, you're not paying, you know, you're sub 10K. Right. And it's like 50 bucks a year per employee, roughly. And he literally answered me back and says, well, can you just gimme a link to a few YouTube videos that I can show my employees? Yeah. Yeah. I remember this conversation. Yeah. And I'm saying, it's like, again, I mean, if you want someone to drive a car, would you send them to your uncle Bob to learn how to drive a car? Or would you send 'em to an actual school to learn how to drive the car properly? It's just sad to see that sometimes people don't take it seriously, and that's a fundamental control that you can put in place and it's gonna pay itself off, you know, 10X in the event that some kind of ransomware tries to get in. So it's just sad to see.

And we just noticed we have a couple of comments that are coming in. Yeah. You know what? I was looking at the comment board. I'm gonna go ahead. And the last one's interesting, right? Even seasoned security professionals, and like the example that I gave, right, they're getting better and better, make errors on email quick. You need not only to train your users, but also have the technology to deal with the inevitable false positives. Right. It's the truth. Yeah, yeah, yeah, yeah. Yeah.
Speaker:So, so essentially like,
Speaker:People process technology.
Speaker:I think we just need to, we
Speaker:just need to make sure that
Speaker:you've put that in place
Speaker:and you're continuously
Speaker:measure and check in on them.
Speaker:The plan do check act.
Speaker:I know we talk a little bit
Speaker:about that when we're doing our,
Speaker:our, you know, our due diligence
Speaker:internally for certain things, but
Speaker:you have to make sure that people
Speaker:are aware and, and whether they're
Speaker:new employees, older employees,
Speaker:I think everyone could be victim
Speaker:anyone's, you know, vulnerable.
Speaker:So it's becomes responsive and,
Speaker:and ultimately who's responsible.
Speaker:Look, we've been IT professionals
Speaker:for a long time and.
Speaker:You could see it from
Speaker:my wrinkles there.
Speaker:See?
Speaker:Yeah.
Speaker:well, no, but, but let's
Speaker:be, let's be clear.
Speaker:Right.
Speaker:You know, like there's so
Speaker:many things going on, right?
Speaker:Like if you're a traditional
Speaker:IT professional on the system
Speaker:administration side, you've
Speaker:got to deal with a whole
Speaker:bunch of different things.
Speaker:You're securing, you're patching.
Speaker:You're, you're dealing
Speaker:with new deployments.
Speaker:You're, you're tearing down,
Speaker:you're bringing stuff up.
Speaker:There's so much stuff going
Speaker:on in your day that you
Speaker:probably don't have the
Speaker:ability to prioritize security.
Speaker:Then you've got the
Speaker:security folks who are.
Speaker:often, you know, trying to
Speaker:push security down into design
Speaker:of everything they do, right?
Speaker:Yeah.
Speaker:And then, and then you've
Speaker:got the executives who just
Speaker:want you to do more with less
Speaker:deliver, deliver, deliver.
Speaker:Right, right.
Speaker:Do more with less.
Speaker:So, so ultimately I, you know, I,
Speaker:it makes me wonder, like, how do
Speaker:you, how do you kind of segment
Speaker:that and how do you break into
Speaker:the fact that you need the buy-in
Speaker:and you need the, the stakeholders
Speaker:and you need the business to
Speaker:really set aside the budget.
Speaker:It's funny how we, when we
Speaker:talk to compliance people in an
Speaker:organization, all of a sudden,
Speaker:like budget frees up. We talk about
Speaker:compliance privacy data, privacy
Speaker:budget becomes a non-issue.
Speaker:But when we're talking about
Speaker:technology specifically bits and
Speaker:bytes and speeds and feeds, it's
Speaker:like everyone kind of like says,
Speaker:well, we'll deal with what we have.
Speaker:We're good.
Speaker:You know, I don't have time
Speaker:to implement something new.
Speaker:Yeah, so definitely
Speaker:it's, it's challenging.
Speaker:And I think the, the awareness
Speaker:that, you know, what we're
Speaker:seeing today in the media,
Speaker:right, we're seeing these cyber
Speaker:attacks happen, you know, the
Speaker:war with Ukraine and Russia
Speaker:and, and the advent of the cyber
Speaker:attacks are creating awareness.
Speaker:So I think, you know, when
Speaker:awareness comes the ability
Speaker:to take it more seriously, an
Speaker:organization to understand that
Speaker:they can lose what they built.
Speaker:You know what they put in place,
Speaker:sweat equity, we call it that sweat
Speaker:equity that they put in place the
Speaker:small and mid-size organizations
Speaker:can lose that overnight.
Speaker:And they have to understand
Speaker:that this is a serious threat.
Speaker:So I'm gonna leave
Speaker:you off with this.
Speaker:I think we encourage organizations
Speaker:to implement as many of these
Speaker:baseline controls as possible.
Speaker:We know, and we understand
Speaker:that not every kinda
Speaker:organization can implement
Speaker:every control, but we suggest.
Speaker:You just focus on MFA data
Speaker:protection, MDR incident
Speaker:response awareness training.
Speaker:As, as the, the 80 20 rule that
Speaker:I mentioned earlier in the,
Speaker:in the call, visit cyber.gc.ca
Speaker:to reference those 13
Speaker:security points. Assurance IT
Speaker:is there to help you through
Speaker:that journey where we help
Speaker:organizations bridge that gap
Speaker:and become more cyber resilient.
Speaker:You did very good
Speaker:on the blog there.
Speaker:I like the blog.
Speaker:I'm gonna, I'm gonna plug your
Speaker:blog cuz you put a very good blog
Speaker:out on our website, which talks
Speaker:in depth about the
Speaker:13, the 13 controls.
Speaker:I think it's worth a read because
Speaker:you really went into each one and,
Speaker:and anyone who's starting their
Speaker:journey, even if they're, you
Speaker:know, they think they're halfway
Speaker:through their journey or starting
Speaker:their journey, they can read
Speaker:through it and they can kind of
Speaker:get a quick idea of what, what it
Speaker:takes to, to get, to get started.
Speaker:A lot of these points
Speaker:are logical folks.
Speaker:They're not, this is not.
Speaker:This is not rocket science
Speaker:in any way or stretch.
Speaker:It's really something that that's
Speaker:palatable, you know, prioritize
Speaker:what you need to do, speak to
Speaker:your executives about, you know,
Speaker:getting, getting serious about
Speaker:your cyber resilience journey.
Speaker:It's really worth the
Speaker:investment of time.
Speaker:And, and maybe a little
Speaker:bit of money of course,
Speaker:because it takes money to,
Speaker:to pay for these solutions.
Speaker:But yeah, I mean, this is, I, I
Speaker:hope we made our point across.
Speaker:I think with that, we're
Speaker:gonna let you guys go.
Speaker:Awesome.
Speaker:And thanks everyone for,
Speaker:for have a good weekend.
Speaker:All right.
Speaker:Thank you.
Speaker:Thank you.
Speaker:Bye bye.
Speaker:Thank you for listening
Speaker:to 10 Questions to Cyber Resilience,
Speaker:brought to you by
Speaker:Assurance IT. Assurance IT
Speaker:is in the cybersecurity
Speaker:space, specializing in data
Speaker:protection and compliance
Speaker:since 2011, they primarily help
Speaker:mid-sized enterprises in Canada.
Speaker:If you have questions about
Speaker:protecting your data, reach out to
Speaker:us directly at info@assuranceit.ca