
Cybersecurity Insurance "Got Ya's" for Small Business Owners

Mike Krass • Thursday, April 4, 2024 • 18 minutes to listen



Mike Krass: Welcome to What's the Problem, the show where we dive deep into some issues facing the world of cyber and data security leaders today. And in each episode, we are joined by expert guests who share their insights, their experiences and their knowledge on the world of cyber and data security. So whether you are a seasoned veteran or a new leader in the field, this podcast provides valuable info and strategies to help get your organization or your department moving up and to the right. So join us as we explore the evolving landscape of security and discover a few takeaways that you can walk away from this episode. But today, we are joined by Theresa Jones. Theresa, say hello to our listeners and our viewers.

Theresa Jones: Hello, everyone. Thank you so much for having me.

Mike Krass: Absolutely. And Theresa, can you let our listeners and viewers know what's your background? Why are you qualified to talk about security?

Theresa Jones: Just aside from being a computer nerd, I'm actually the CEO and proud owner of Evolve IQ. We're a cybersecurity and technology consulting firm headquartered in New Orleans. And I'm a certified cybersecurity trainer as well as what we call a CMMC registered practitioner, which means I specialize in getting small businesses ready to do business with their cybersecurity for the Department of Defense. In addition to that, I'm on the government cyber commission and I specialize in the maritime space due to the maritime clients that I have as port authorities as well as the Louisiana State Supreme Court. So I do a lot with cybersecurity on a high level as well as a low level in terms of small businesses as well.

Mike Krass: Let's start there, talking about small businesses. I know that cybersecurity insurance has come up in the past couple of years as something that a lot of small and medium-sized businesses really need to carry, need to pay attention to: not just carry a policy, but actually pay attention to the contents of that policy. When you're talking to small businesses in particular, and let's define that as businesses with fewer than 50 employees, when you're talking to a business of that size, what are some of the initial pieces of advice or tips that you're giving them about what they should be looking for in a cyber insurance policy?

Theresa Jones: So I call it the big four. You want to make sure there's privacy liability coverage, we want to make sure there's network security coverage, errors and omissions coverage, and media liability coverage. That would be the foundation of a good cybersecurity policy for any small business.

Mike Krass: And can you expand on those, those four, you know, what does each one contain?

Theresa Jones: Certainly. So privacy is going to cover if something happens to a company's data, for their personal identifying information or their PCI compliance in terms of credit card information and such; it will cover things of that nature. Network security is going to cover in case of a network outage. Here in Southeast Louisiana, we have hurricanes. So if your internet goes out, and the power is still on, and it's not on, within 24 hours a day, you can actually cash, you know, your business interruption for network security. And you get paid your annual revenue for the day, on all days that the network security, the network is not happening. So that's huge for us in South Louisiana. The errors and omissions will cover everything from a breach to what I call a bacon egg and cheese, which is a business email compromise. I always tell customers they have to understand there's a difference between a breach and a bacon egg and cheese. So bacon egg and cheese didn't sound that bad, right? That's usually when a small business has an employee that has given away money; they've clicked on something, initiated a situation. Versus a breach is going to be an incident. That could be anything from a tornado throwing a computer out of the facility and you just don't have access to that device and the data. And people don't think about cybersecurity breaches as being that; we think of like when the LMV loses data here Louise's right? But a breach is anytime there's access to a device or data that your company is supposed to have in its possession and you don't. So it can be from natural disasters to actual hacking or people commandeering information from your network in other ways that's not traditional hacking, right? And then your media liability: if you're anything like me, you have to really watch what you say, because I say some crazy stuff sometimes. So it covers when we're saying things online.
If you are heavy in social media to some things, people say it's pretty controversial to say I might want to sue you because of it. That's how we protect the small business, because of the insurance that's in place for them. Not based off of, okay, well, in a court of law, you said it, it's in writing. I'm gonna show you. This is how you protect yourself utilizing insurance.

Mike Krass: Interesting names. And am I to understand, just asking this question for the viewers, media liability: that most just general umbrella, you know, general liability or errors and omissions policies would not cover that cyber comment?

Theresa Jones: No, it won't. Just as well as the errors and omissions won't cover, just general errors and omissions won't cover if your employee gives your money away. So like recently, you see a spike in companies that have employees clicking on things, making transactions. I just was told a story about a young lady who, first of all business of state employees, somebody gave away $200,000. She went to the bank, and the bank said you have to go through the insurance, because technically your employee initiated it and gave the money away. So you're Oh, so the young lady contacts an insurance company, and her insurance agent tells her, well, you opted out of cyber insurance. And your GL and your errors and omissions will not cover this, because it's specifically under cyber. But how many small businesses? No, that's undesirable.

Mike Krass: Yeah, right. So that seems like a big gotcha. Like, what other kinds of gotchas exist, like maybe on the network side of things? Any other gotchas in policies that small business folks should be looking for?

Theresa Jones: Absolutely. So a good example of a good gotcha is what can you do if you have a breach. There is in the fine print what you're allowed to touch and what you're not allowed to touch, in what time, how timely, how fast you contact the insurance company, that you have to report it to law enforcement, which law enforcement. So you really have to read your policy; you can't just, "Oh, I got it." Your IT person, IT company, as well as your incident response plan or business continuity plan in your organization should have those details. Because if you break, if you break any of them, your car, your policy is null and void at that point. So you've paid into a policy that you won't collect on and you still have to fix the breach issue.

Mike Krass: Interesting. So would it be a wise idea to actually keep like paper copies can actually print a copy of the policy because they're going to mail it to you anyways, right? You know, the insurance company's gonna mail you a paper version. This seems like one of those instances where, right, if you were locked down at any systems or had access issues, from an incident that you actually might have to pull it up and look at the paper and read that way.

Theresa Jones: Correct. So I saw all of my customers in your incident response plan, you should always have it printed out as a binder, you should have your insurance policies, all of them printed. My binder goes in a waterproof backpack, because I'm in Southeast Louisiana. So if I got to run from water, nothing will get damaged. I also have Amazon is like always your friend. I have waterproof document that it takes to put insurance policies in not just for like the home for the business. So I have a whole go kit specifically for the business to make sure that I have this information with me at all times, even if I don't have access to a computer.

Mike Krass: So I know we've been talking about a water-based event. I'm thinking just of other natural events. Obviously fires happen, like we see those out west a lot; seems to be a similar idea. It might not be a waterproof container, but having something like a fire-resistant container, and taking that with us as a small business owner. That's kind of like just one last thing that you throw in the car as you drive away.

Theresa Jones: So there, they have twofold document holders. So there's these really cool like $20 ones that are water and fireproof. So I have the documents in that in the backpack. So if the house catches on fire, I still got one item to make sure I have at least insurance and the birth certificate and social security card and the passport is always in there at all times. So definitely you have to worry about tornadoes. Truthfully, if a tornado comes through, you're not gonna find anything. So

Mike Krass: Oh yeah, it's going to tell you to send it wherever.

Theresa Jones: You can stash stuff in a safety deposit box, you can stash things in the cloud outside of your region; you can get real creative with saving copies of documentation.

Mike Krass: How many? Because you just gave a few good thoughts there in terms of points of redundancy. How many places would you store this information, or recommend that small businesses store this information?

Theresa Jones: So I'm a maniac. I have it in three. So I have it electronically on an external hard drive that's in a waterproof case. So I have it printed in a binder at the office, I have it printed in the travel bag. I also have it saved in the cloud in a data center that's at least 500 miles away from the hurricane zone of Louisiana. So I haven't.

Mike Krass: So if you're illiterate or not in South Louisiana, or on the Gulf Coast, it sounds like you know, 500 miles in terms of selecting it strategically a data center least 500 miles on the coast, right? Like think about the northeast, Hurricane Sandy came in and did a lot of damage, New York, New Jersey. So you're really talking about at least 500 miles west, specifically choose that data center for where that information is going to be stored, instead of letting Amazon Web Services or GCP, or whoever, just pick your data center, you specifically say I want this one.

Theresa Jones: Correct, because usually, if there's a natural disaster, whether it was an earthquake, hurricane, tornado flooding, 500 miles, it should have either stopped slow down or something. In a perfect world. So we always say 500 miles outside of your disaster area. So if you know you're in Tornado Alley, what's next to the list? 500 miles to the right. So that's why we come up with the 500 mile radius for that.

Mike Krass: That's a good example, Tornado Alley. Think of like North Texas, Kansas, Oklahoma: you're basically going to split it, send it either, you know, west to Nevada, or Utah, which I'm not trying to remember what's west, right, or we're headed east. Yeah,

Theresa Jones: Exactly. So we sent it to Nebraska, Ohio, somewhere we send it to North Dakota get it further this way? Or is that too close to too much ice and water from the coast? Like it just you want it 500 Somewhere, just not in your backyard.

Mike Krass: Okay, I know we're coming up on time here. But there's been a lot of really fantastic takeaways for business owners, any gotchas that we haven't covered yet.

Theresa Jones: I always tell people read the fine print on everything. A lot of people do not read their end user licenses for software. So for example, Microsoft has on page six of their end user agreement that they do not back up; you're responsible for backing up your Office 365. And people don't know that. And we naturally assume, because you have organizations that are like Microsoft, these huge conglomerates, that if a hurricane comes or whatever, it's safe, it's in the cloud, Microsoft has it. What if it hits too many data centers, or if there's heat there, water here? So I'm a firm believer: read all of your documentation, read the fine print, don't just click Accept. I know that's hard, because it's like 30, 40 pages, but you know what you're responsible for, right? So you need to back up not just pertinent information in terms of like, you know, client information, but back up your Office 365 account. That's huge. Office 365 can actually cripple the small business, if you don't have the files that you've been using for in Excel, Microsoft, we're not necessarily PowerPoint, depending on your business. But I think a lot of people are not paying attention to that. And in some of these cyber insurance policies, you're required to have backups. So a lot of people aren't paying attention to the fine print where it says that you are agreeing to do this. So I think it's very important that we always be considerate of what the fine print says in our insurance policies. In your network infrastructure, whether you have, you know, a local ISP, you need to know what their downtime is potentially going to be. A lot of people don't even know that, but it's in your paperwork. They have an SLA agreement with you that you just click agreed. But in that agreement, it tells you, hey, that you potentially can be up to 10 days without internet in the case of an act of God, but you might want to know that so you can have my size and things like that on hand.
That could be a gotcha when it comes down to your insurance. Because of the insurance, you want to do a claim, but you signed off saying it could be up to 10 days and I knew this. You can void your insurance. So you really kind of want to know very detailed things about your equipment, your network infrastructure, how you actually save and do things, as well as what the insurance will cover and protects you on the back end.

Mike Krass: And I'll ask a leading question here as we finish up, for those who, you know, just struggle with the 30 and 40 pages, this to that the other to read, I'm sure that somebody like Theresa Jones and her group at Evolve IQ could assist with that process. Is that accurate? Is this like something that y'all do for other people?

Theresa Jones: Actually, we do. So all of my clients, when we take them on, we actually do a software and insurance review. We need to know what you got based off of the kind of customers you have. Who are you going after, and you need to make sure that you're managing your risk by having enough of it. So we actually do check that for our clients, so they can be in a happy place. And we won't have incidences like a local municipality that had 3 million in insurance, 10 million in damage, and had to come up with $7 million, because no one took the time to plan and review the insurance. So it's important that you know that information as well as know how much equipment you have, because some policies will even go as far as to give you the money to replace the damaged equipment. But you don't know if you don't know to ask.

Mike Krass: Right, right. Well, Theresa, thank you so much for our guests. Thank you. That is a wrap for this episode of What's the Problem. I hope you've found our conversation with Theresa Jones to be insightful and informative. I've got a pile of takeaways from my own business, I'm sure that you do as well. And remember to tune in next time for more discussions on the latest in security. I also wanted to give a quick shout out to our hosts, MKG Marketing. MKG is focused on helping cybersecurity businesses get found, generate leads and close deals. So if your cyber business is struggling to do any of those things, let us help you learn more you can visit our website at Thank you for listening. Don't forget to subscribe, click that button and leave a rating for this show. Theresa told me she only likes six-star ratings on the five-star scale, so you've only got her to let down if you're not giving us a six star. So leave those ratings when you have a moment and thank you for listening.

Theresa Jones: Have a great one.

Theresa Jones

Theresa Jones is the CEO and owner of Evolve IQ. In today's episode we are going to explore the realm of small businesses and discuss vital advice on selecting the right cyber insurance policy. Discover essential tips for assessing risks, determining coverage, and establishing incident response plans, all geared towards ensuring your business is well-prepared in the digital age.
