Business Concerns Regarding Cyber Threats – Techstrong TV

This year’s Travelers Cyber Risk Index found that cyber threats are the top business concern. Of the 1,200 business leaders who participated in the national survey, the majority said they worry some or a great deal about cyber. The video and a transcript of the conversation are below. 

 

Charlene O’Hanlon:            Hey everybody. Welcome back to Techstrong TV. I’m Charlene O’Hanlon. And I am here with Tim Francis, who is the enterprise leader of cyber insurance over at Travelers. Tim, welcome back to Techstrong TV. I know it’s been about a year or so since we talked, but it’s great to see you.

 

Tim Francis:            Likewise, great to see you and thanks for having us back.

 

O’Hanlon:            You bet. You bet. So as with the last time you were here, we’re going to be talking about the Travelers Cyber Risk Index. And for those of you who maybe didn’t see the first interview that you and I had together, tell us a little bit about the Travelers Cyber Risk Index.

 

Francis:            Well, it’s funny. Not that many years ago, this was a general business risk index to talk about a variety of subjects and what our customers and just businesses in general, whether they’re our customer or not, were interested in and what were their concerns and kind of I’ll say the things that were keeping them up at night. And cyber years ago is kind of creeping up. And in the last couple of years, we’ve really focused the risks just on cyber. We still ask a broad range of issues, but much more of the questions are geared towards cyber. And cyber once again, unfortunately, is the top concern and by a bigger margin than it’s ever been.

 

O’Hanlon:            Well, I’ll tell you if there’s one thing that the pandemic has really done it is heightened awareness for cybersecurity. So I will say that it doesn’t really surprise me that it is still a top concern and maybe even more so this year. We’ll dive into the results in a minute, but you know, I wonder if just because of the fact that we are just dominated or inundated, I should say by headlines day in and day out about ransomware attacks and cyber threats and what nation states are up to these days. It just seems like the cybersecurity news cycle is relentless and endless. So do you think that that’s contributing to that kind of overall you know, increase in cyber threat or, you know, pain points around or paranoia if you will?

 

Francis:            Yeah, I do think so. Right. And it’s the headlines that we all see and they are relentless and endless, never ending. I think, deeper down, right, it’s also evidence that not even at everything that makes the headlines. Companies are being affected by this more so than just make the headlines. And that was apparent in our survey. And if it hasn’t happened to you, it’s likely happened to someone that you know in a business that looks and feels a lot like yours. And so I think people are very much right to be concerned about it and thinking about ways that they can help not have it happen to.

 

O’Hanlon:            Yeah. So let’s talk a little bit about some of the highlights of the report. What were some of the things that you know, really kind of stood out for you guys in terms of both negative and positive? I mean, what did you find most terrifying?

 

Francis:            I mean, I still think, you know, we’re still in, you know, wherever we are in terms of dealing with the pandemic. So, you know, it still is remarkable that cyber is the number one concern by an increasing margin. And also that it’s the number one concern of small, medium and large companies, right. Everybody’s concerned about it. I think there’s some good news, if you will, in that companies are more aware of it. So it does make sense that it’s at the top. That’s in a way a good thing. People are aware enough to know they should be concerned. That’s a positive. The problem is that despite being aware of it, we ask some pretty pointed questions about what are you doing to prevent things, and how secure are you, or how secure you feel you are. And our survey results showed it’s the number one concern, 25% of the companies said they had had an event happen to them in the last 12 months. And yet less than half are really taking proactive steps to really do anything about it, less than half even buy some cyber insurance on top of putting the right controls in place to help at least reduce the chances. So those two things don’t really seem to go together. And that’s probably the thing that’s the most worrisome.

 

O’Hanlon:            Yeah. And I wonder if that has something to do with the fact that cybersecurity is such a big animal to wrangle, and I would imagine that there are certain organizations, especially small and medium organizations that don’t really know where to start when it comes to the most effective you know, cyber security position. You know, it’s, you know, that do, do you lock down your devices? Do you lock down your network? Do you know, just install applications on everybody’s machine and devices to, you know, to make sure that you know, they’re continually scanning for threats. I mean, there are so many ways that you can approach cybersecurity these days, that I wonder if it’s almost like drinking out of the fire hoses.

 

Francis:            You know, I think there is something to that. And I think particularly on some of the smaller mid-size companies where they don’t have the people power, right. They don’t maybe even have the financial resources, but if they’ve got an IT department that’s, you know, an IT department who thinks about keeping the business running and the computers up and that they may be less focused on the security aspect. And so on one hand, I get that. On the other hand, some of the preventative measures, at least in my opinion, are relatively low hanging fruit. And I think within the grasp of most computer professionals and things like multifactor authentication. Things like maybe an EDR solution, endpoint detection and response, as opposed to antivirus. Those are not, there might be some cost, but they’re not in, you know, relatively expensive considering the benefit that you get for having done those things. And on the MFA front, you know, depending on for, you know, what email you’re running, you may actually just be able to essentially flip a switch and turn on MFA.

 

So I think that there’s a lot of stuff that’s within the grasp, if you just like any other big problem, right. Don’t try to be overwhelmed by it, do some concrete steps that you can do. And if you do nothing else, at least you’ve done something. And I think from an insurance standpoint, that’s one of the things I think people don’t realize that insurance companies do as well as we do. Right? Which is to say, we provide our customers access to risk management services and best practices and have partners that they can contact before they have an event. Right. We’re there when you have a claim, but we’re there before you have a claim and we want to work with you to make sure that you put in place the measures to help, you know, reduce the chances that you’re going to be a victim.

 

O’Hanlon:            Oh, that’s awesome. And it kind of boggles my mind that if it’s not an issue whereby the organization doesn’t really know how to approach cybersecurity effectively you know, I don’t know if it’s just because they just kind of feel like they are in, you know, bulletproof, if you will that it’s never going to happen to them, or it’s never going to happen to them again, because it’s happened once, or if they’re just kind of lazy about it. But I, you know, I think awareness is always a very, you know, good first step. But how many organizations actually act on it beyond that? I think is very telling about our state cybersecurity and how they you know,- I don’t know, it’s almost like a lot of other things are, you always think that it doesn’t ha it’s not going to happen to you until it does. And that’s when you realize I should have gotten insurance or I should have done this, or I should have done that. You know, do you think it’s going to take some major event, like, you know, cybersecurity issues become personal to the company or to the individual before, you know, we start to see real change happen?

 

Francis:            You know, I maybe, maybe I’m biased, right. This is what I do every day. So I would say these events, is it going to take a major event? Geez. It seems like we have a major event that ought to move the envelope every other day it seems like right. Or, at least at least frequently. And yet it doesn’t quite get us over that hump, I think in terms of institutional awareness, I guess. But you know, to your point, though, right, when we have a customer that has an event, they get religion pretty quick in terms of making, you know, saying, not wanting that to happen to them again. Right. And those are customers that have an event and we’re there to guide them through it, right. Not just financially, but we’re there with our experts and partners to make that situation go as well as it could go.

 

And despite doing that, and despite it going, as well as it could go, it’s never fun. It’s always filled with the anxiety. It can be detrimental to your business. And particularly in ransomware, right? You may have insurance and you may, you may even pay the ransom and get your system back online, but that takes potentially days or weeks where you’re offline. Right. And you’re a small, medium sized business. You don’t have days or weeks to be offline. And so the consequences are extreme.

 

I think slowly but surely, as I said before, if it’s not happening to you it’s happened to somebody you know, right. Somebody in your neighborhood, somebody in your business sector. And I think that’s driving a lot of people to realize I need not only the security in place, but just in case something still happens, I need insurance, but it’s still creeping up. Whereas the cyber threat is running at us very quickly.

 

O’Hanlon:            Well, I certainly hope that awareness is going to spur people to move faster with their cybersecurity controls and making sure that they do have the right technologies and tools in place to be able to effectively fight off cyber-attacks. So you know, kind of circling back to the report, were there any things that, any single thing, or, or maybe multiple things that changed this year that really kind of took you by surprise in, you know, in comparison to years past?

 

Francis:            The thing that did strike me is I thought it was the, in years past where we’ve had, when we asked the question, have you had these events, it was single or low double digits. To jump all the way to 25% identifying that they’ve had an event of some consequence, right. That, ranges from really bad to maybe not so bad, that’s striking. And then I can’t help, but, you know, go back to the that’s happening. That’s real, that’s not headlines, right. That’s just real, every day businesses having these events take place. And yet still somewhat saying, yeah, but I haven’t done everything I know I could do. And maybe I don’t even know everything I can do. And yeah, we’ll get there, but I think people still don’t fully appreciate when these events get really bad, how bad they can get. It’s not uncommon for, you know, these to be multi-million dollar events for companies that may make, you know, I’ll say as an example, we’ve had situations where our customers have had ransom demands in excess of their total gross annual revenue. That that’s not a situation that you can really afford to deal with on your own. You just can’t. And so that’s if nothing else, the value and the importance of having insurance is the backup.

 

O’Hanlon:            Yeah. Yeah. Okay. So looking ahead then based on, since you guys have been doing this index for quite a while now, I imagine you guys have seen some trends kind of play out over the few years. And especially with respect for cybersecurity, what are you guys kind of thinking is on the horizon for next year, based on what you’ve been seeing over the last couple of years? And you know, do you think that overall things are going to get you know, better in the next year, maybe as we see even greater awareness from organizations?

 

Francis:            I think year over year, things have gotten better. It’s not all doom and gloom. I certainly think that things should be that there should be, they should be getting faster than they are, but there is a slow and steady march towards better practices. And that’s true. And I think that’s a very positive thing. I just would say, I wish it weren’t slow and steady because as we said, claims that we’ve seen have increased in frequency and increased in severity in terms of total cost at an even faster pace. And so I think while we’re making steady progress, I’m not sure it’s keeping a pace of the threat. And I think you’re going to see from insurers like us you know, really make sure that our customers are doing the right things. And so things like multifactor authentication as an example, right, no longer having that as a best practice, having that as something that’s mandatory.

 

And if we have customers that say, and we do, we have customers that are small, medium and large, and some of our customers, you know, sole proprietorships, two or three employees doing, you know, working every day to pay their employees and service their customers often don’t even know what a multifactor authentication is, right. And let alone how to put on your system. We have the resources to help them. We can partner them with companies that will do things like that at a relatively nominal cost. Again, some of this is not even at any cost, so we’re there to partner with our customers. But things that maybe were nice to have, or should have, are going to become more and more mandatory. And so whether you’re a buyer of insurance or not, be aware and pay attention to those trends, because they’re real and they’re not there by accident.

 

O’Hanlon:            Yeah. Good points, good points. And I do believe that a lot of the requirements that the insurance industry is going to implement, I think that is actually going to have a positive impact on the cybersecurity footprint of organizations at large. Not just those who are looking to get cyber insurance, because it’s also kind of a, you know, a supply chain thing. Right. So if you’ve got a customer who works with another customer, and then, you know, that customer works with another, you know, all these different vendors, they all have to be somewhat secure. Well, not somewhat, but secure along the lines to make sure that you know, that your customer is secure. So it almost seems like almost like a butterfly effect, if you will. So, you know, hopefully that will have a major positive impact on cybersecurity.

 

Francis:            Yeah, and I think that’s right. And I think it’s a good point. And I, and I would just add to that. We as an industry and certainly Travelers as a company are working very closely with government and whether it be through CSA or with folks at NIST to make sure that our standards where appropriate line up with their standards and vice versa. And we’re in conversation with those organizations to think about what are the right standards based on, you know, what we’re seeing in our claims environment, helping inform those standards for everyone, whether you buy insurance or not, and making sure that we have some uniformity and some consistency and ensuring of information where that’s appropriate to try to get towards the true, real, best practices that can do the best to prevent these things from taking place. So I think we’re going to see even more out of that public private partnership in terms of creating standards and having those standards actually implemented as opposed to just being out there as some best practices that maybe a look at a website once in a while. That won’t be the case, you know, for long anyway.

 

O’Hanlon:            Yeah. Yeah. Good, good point. Good point. Well, good stuff all the way around. If folks want to take a look at the index, is it available on the Travelers site?

 

Francis:            I believe that we can make a highlights of it available and we’ll make sure that your folks get a link to where they can see that.

 

O’Hanlon:            All right. Awesome. Awesome. Well, Tim, thanks so much for having the conversation with me. As always a pleasure talking to you.

 

Francis:            Very much. Thank you so much for having me back and look forward to it anytime.

 

O’Hanlon:            All right. Great. All right, everybody, please stick around. We’ve got lots more Techstrong TV coming up. So stay tuned.

 

[End of Audio]


Charlene O’Hanlon

Charlene O’Hanlon is Chief Operating Officer at Techstrong Group and Editor at Large at Techstrong Media. She is an award-winning journalist serving the technology sector for 20 years as content director, executive editor and managing editor for numerous technology-focused sites including DevOps.com, CRN, The VAR Guy, ACM Queue and Channel Partners. She is also a frequent speaker at industry events and conferences.
