Ep. 18: Joseph Brunsman - Cybersecurity
Joseph Brunsman, VP and CCO of CPL Brokers, Inc., loves cyber law and is a public speaker and best-selling author determined to help business stay out of trouble. When it comes to data, cybersecurity policies are a must to ensure the safety and protection of that data. Joseph talks with IMA and Count Me In to explain risks of cybersecurity breaches and best practices for creating and implementing cybersecurity policies. Joseph obtained a degree in Systems Engineering with a focus on robotics system interoperability, has extensive knowledge and experience with database management and network security, and has 2 books coming out to talk about cybersecurity, policies, and insurance. Listen to this episode to protect yourself and your business!
"12 Rules for Cyber You MUST Know" by Joseph Brunsman: https://www.linkedin.com/pulse/my-12-rules-cyber-joseph-brunsman/
CPL Brokers, Inc.: http://cplbrokers.com/
Contact Joseph Brunsman:
LinkedIn: https://www.linkedin.com/in/joseph-brunsman-3a1102101/
CPL Brokers, Inc.: http://cplbrokers.com/
Contact Joseph Brunsman:
LinkedIn: https://www.linkedin.com/in/joseph-brunsman-3a1102101/
FULL EPISODE TRANSCRIPT
Music: (00:00)
Adam: (00:04) Hey everyone. Welcome back to count me in. I am your host Adam Larson and with me once again with me once again, it's my cohost Mitch Roshong. As we continue to offer insight into all things affecting the accounting and finance world, this episode is going to focus on cybersecurity, as we hear from cybersecurity expert and bestselling author Joseph Brunson. Mitch, can you give us some background on Joseph and what your conversation was about?
Mitchell: (00:35) Sure. Adam, thank you. Joseph is the vice president and CCO at Chesapeake professional liability brokers in Annapolis, Maryland. He most recently served as a Lieutenant in the United States Navy working as an anti terrorism and force protection officer. He has a background in systems engineering and cyber law and he is in the process of writing two books on cyber insurance. We focused on the progression of cybersecurity and how to create organizational cybersecurity policies to avoid some of the potentially disastrous costs following a cyber attack. So let's take a listen.
Music: (01:11)
Mitchell: (01:17) So data and technology are two of the most popular topics in accounting and finance. With so much data available to companies today and subsequent information being shared, what kind of emphasis should businesses place on cyber security?
Joseph: (01:32) Sure. So, you know, that's a great question, I'd say that information is like the new oil. So data security is a huge deal and you know, of all the breaches that I've researched that I've written about, that I've worked on, you're really kind of see a common trend and it's that everybody who's been breached suddenly finds a way to spend more money and more time and more resources on cyber security after a breach. So kind of the lesson there is it would have been much easier to prevent that breach beforehand, you know, and that really kind of gets into, you know, starting from the top down where if a company wants to place an emphasis on cyber security and they all should, then, you know, it's really got to start from the top and work its way down. So that's from, you know, the board of directors has to get educated on the topic. Even if it's just, you know, a couple of YouTube videos that generally understand, you know, the basics of cyber security or network security and then from there filter that down through the organization.
Mitchell: (02:38) So with that kind of top down structure, when it comes to implementing a different cybersecurity policies, what are some of the common strengths, weaknesses, opportunities, threats that you've come across when you're trying to help coach these businesses?
Joseph: (02:54) Sure. So you know, kind of some of the common things we see obviously going to be different for each business, right? Because it's going to depend on the industry. They're in various environmental factors of what they're dealing with. But you know, we do see some common trends. The first one's going to be, you know, cyber security policies should not read like war and peace or some legal primer on contract law right there and we, we see a lot of that and always kind of makes me cringe because the primary purpose of a cyber security policy is really, you're supposed to be guiding the staff into making correct decisions, right? You're trying to tell them, Hey, this is what's acceptable and what's not. But more than that, really the biggest flaw that I see is, and this is, you know, it takes a little more time and effort to do this, but it pays off in the long run is, you know, they need to tell the staff members and employees, you know, Hey, this is the purpose behind the policy that we've implemented. And that really makes adherence to it much simpler, which makes the cybersecurity of that business, you know, exponentially stronger because, you can't plan for every possible scenario, but you can really stick to those major threats that you're reasonably foreseeing that could hit the business, you know, you don't need to plan for the apocalypse. So you want the cybersecurity policy to be understandable by the common person. Just complex enough that you're hitting the major wickets there. And that if there's something that you couldn't plan for or there's something missing in that cybersecurity policy, you could reasonably expect the average person, you know, to at least have a general understanding of who to go to to pose the question.
Mitchell: (04:42) So what if you're new to this, what if you have never drafted a cybersecurity policy before and you're not even completely sure of what the potential risks are with all the new data and technology that's out there. What are some best practices for doing your own personal research and developing a process for implementing a new cybersecurity policy?
Joseph: (05:03) Great question. So, you know, first off, Google is your friend, so that is an amazing place to start. There is a ton of great information out there. You know, try to steer clear of, you know, kind of minor organizations that you'd never heard of, but there's a bunch of major players out there. They're really kind of have templates for you. You know, best practices, you know, it's going to depend on each organization. But you know, kind of broad stroke here is get all the decision makers inside the room, block off a period of time and you know, that could be the board of directors, the C suite executives, it legal, your HR team, bring them all together, you know, and kind of start hashing through these templates that are available to you. So that way you get all of the different perspectives on what could potentially happen and how you should really respond to that. And that's going to be probably, you know, the best in terms of best practices because if it's, you know, if you have your cyber security policy and you say, hey IT guy do this delivered on Tuesday, and then you just try and, you know, push that out to the entire business, it's going to be a train wreck and there's going to be a million questions and you're going to have to go and redo the entire thing. So get everybody involved from the beginning. It's going to be much easier for everybody.
Mitchell: (06:31) So as you start to, implement these processes, right, and we have all these different people working together, all the different functions of the business. What have you seen from, you know, different industries or just different firms in general as far as the progression of cybersecurity and what that means in our economy today?
Joseph: (06:54) Sure so I think, you know, everybody is saying that they're taking cybersecurity seriously now, and I would really kind of push back against that because, you know, I think most businesses now are saying, hey, we take cyber security seriously. we have this one guy who does it right, who's in charge of it. But cyber security is really a full organization front that has to occur there. So, you know, it's something where the world is just getting more complex. And so, you know, that's on the regulatory side, it's on the cyber security side with the different types of controls or you know, software solutions or hardware solutions you could buy. So, you know, it's really, really getting complex. So, once again, if the people at the top aren't you know, taking this seriously and really getting involved, that's when really bad things happen.As far as, you know, specific industries that are definitely high risk, obviously financial services just due to the amount of PII that they have: personally identifiable information, the medical industry, they're getting hit constantly because of the personal health information in there. And then retail as well just because of the credit cards. So it's, you know, it's really kind of well across the board. Every industry I can think of really has to tart start taking this seriously, unless they just don't use computers, you know, in which case they probably won't be a business for long.
Mitchell: (08:32) This is kind of off script here, but I'm just curious, you mentioned a lot of different, industries right there. In your opinion, are the experiences that you've had, what is like the main target of, you know, cybersecurity breaches? Are people looking for financial gains? Are they looking just for the personal information? Like what's the point?
Joseph: (08:52) Sure. So it really, once, it depends, but I'll, I'll qualify that statement for you. So, you know, hackers really want information that doesn't change. So that's why I say like, you know, financial services industries are so specifically targeted because your date of birth doesn't change. For all intents and purposes, your social security nber probably doesn't change and I think even if you get a new one, that number is still attached to the old one. So, you know, they're really looking for things that will never change. You know, in terms of the medical industry you know, they're looking for that protected health information. So they want to see, you know, that obviously it's got your social, it's got a bunch of insurance information in there. Once again, a bunch of things that don't change. So those are like the highest cost items on the dark web or things that never change, then you get into retail where we're dealing more with credit card information or financial account information. That stuff can change very rapidly. You know, you could cancel your credit card and get a new one sent to you tonight, so that tends to be lower value, but it goes, for sale much faster on the internet.
Mitchell: (10:08) Hmm. That's interesting. So you're saying a lot of the hackers, they're taking this information and they're not even the ones that are using it. It's really, it's then just out there on the black market for somebody's highest bitter and they do what, what they want.
Joseph: (10:24) Oh, absolutely. So, you know, if you, if you hop on tour and you started going to some questionable websites, you can actually see where they're selling, bundles of information. And interestingly, they actually have a better guarantees than most of what we'll find in the cybersecurity world. So, you know, your antivirus providers probably not going to say, hey, if you get breached or give you $1 million, but you know, the guys writing the software that could breach your computer system. You know, they've actually, they've got holiday sales, they've got 1-800-NBERS. If you need assistance with implementing the code to try and hack somebody, you know, they've gotten minim return guarantees on, you know, how much money you'll get with the ransom, how many organizations that you can penetrate with with their software. So it's really an unfortunately a very fascinating, you know, economic system, but it's 100% geared against legitimate businesses.
Mitchell: (11:24) Right. Yeah. Now that is fascinating and I'm sure this is really difficult to ballpark, but, the different cases where organizations have been attacked, what are some of the costs that you have seen as far as, you know, end results from, from being hacked or from being breached? What's the cost to these organizations?
Joseph: (11:45) Sure. That's, you know, that's a great question. So, you know, I'd say the primary cost, for the people you know, really involve the day to day players, that organization is embarrassment. That's something not a lot of people talk about. But a lot of firms, you know, they're just really embarrassed that they got breached because so much in the business world, you know, as complex as the world is now. A lot of what we do, we just operate on trust, right? Like you just trust that your accounting firm does your taxes correctly. You're going to trust that target is keeping your payment card information secure. So that's really kind of the, the incalculable cost is removing that trust, with your clients or your customers. And then from there, you know, it's really all over the board in terms of cost, but it can get very, very expensive. So, you know, probably the biggest costs you're going to see is going to be the forensics costs. So that's going to help you determine the scope and nature of the breach. Those guys last, you know, best metrics I saw, they're charging 800 to $1,200 an hour. Wow. And a lot of them are charging in 40 hour blocks. So if you do want hours, they charge you for 80. You know, the, the attorneys generally if you have, you know, council, you're going to need it to assist you with this because it's a very complex endeavor to navigate through. You know, they're charging, you know, partner level is probably about 450 bucks an hour, you know, then you've got credit monitoring which could be up to $7 a person and then you've got just the notification costs. You know, if you're going to notify 100,000 people and you're mailing them a notice and you're paying, what does the stamp cost, those costs start adding up very, very quickly. And then, you know, kind of beyond all of that stuff you're legally obligated to do anyways. It's just the business interruption time. So, you know, we saw that with CCH right when they got breached a major provider of a tax software information, you know, just the downtime there, how much money that's going to cost them. You know, even next year after they're back up and running and everything's fine. You know, are accounting firms going to take their business to say Thomson Reuters because they just don't trust CCH anymore. I mean, you know, we just, we don't know, but it's, it's going to be interesting.
Announcer: (14:20) This has been, count me in IMA's podcast, providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at https://www.imanet.org.
Adam: (00:04) Hey everyone. Welcome back to count me in. I am your host Adam Larson and with me once again with me once again, it's my cohost Mitch Roshong. As we continue to offer insight into all things affecting the accounting and finance world, this episode is going to focus on cybersecurity, as we hear from cybersecurity expert and bestselling author Joseph Brunson. Mitch, can you give us some background on Joseph and what your conversation was about?
Mitchell: (00:35) Sure. Adam, thank you. Joseph is the vice president and CCO at Chesapeake professional liability brokers in Annapolis, Maryland. He most recently served as a Lieutenant in the United States Navy working as an anti terrorism and force protection officer. He has a background in systems engineering and cyber law and he is in the process of writing two books on cyber insurance. We focused on the progression of cybersecurity and how to create organizational cybersecurity policies to avoid some of the potentially disastrous costs following a cyber attack. So let's take a listen.
Music: (01:11)
Mitchell: (01:17) So data and technology are two of the most popular topics in accounting and finance. With so much data available to companies today and subsequent information being shared, what kind of emphasis should businesses place on cyber security?
Joseph: (01:32) Sure. So, you know, that's a great question, I'd say that information is like the new oil. So data security is a huge deal and you know, of all the breaches that I've researched that I've written about, that I've worked on, you're really kind of see a common trend and it's that everybody who's been breached suddenly finds a way to spend more money and more time and more resources on cyber security after a breach. So kind of the lesson there is it would have been much easier to prevent that breach beforehand, you know, and that really kind of gets into, you know, starting from the top down where if a company wants to place an emphasis on cyber security and they all should, then, you know, it's really got to start from the top and work its way down. So that's from, you know, the board of directors has to get educated on the topic. Even if it's just, you know, a couple of YouTube videos that generally understand, you know, the basics of cyber security or network security and then from there filter that down through the organization.
Mitchell: (02:38) So with that kind of top down structure, when it comes to implementing a different cybersecurity policies, what are some of the common strengths, weaknesses, opportunities, threats that you've come across when you're trying to help coach these businesses?
Joseph: (02:54) Sure. So you know, kind of some of the common things we see obviously going to be different for each business, right? Because it's going to depend on the industry. They're in various environmental factors of what they're dealing with. But you know, we do see some common trends. The first one's going to be, you know, cyber security policies should not read like war and peace or some legal primer on contract law right there and we, we see a lot of that and always kind of makes me cringe because the primary purpose of a cyber security policy is really, you're supposed to be guiding the staff into making correct decisions, right? You're trying to tell them, Hey, this is what's acceptable and what's not. But more than that, really the biggest flaw that I see is, and this is, you know, it takes a little more time and effort to do this, but it pays off in the long run is, you know, they need to tell the staff members and employees, you know, Hey, this is the purpose behind the policy that we've implemented. And that really makes adherence to it much simpler, which makes the cybersecurity of that business, you know, exponentially stronger because, you can't plan for every possible scenario, but you can really stick to those major threats that you're reasonably foreseeing that could hit the business, you know, you don't need to plan for the apocalypse. So you want the cybersecurity policy to be understandable by the common person. Just complex enough that you're hitting the major wickets there. And that if there's something that you couldn't plan for or there's something missing in that cybersecurity policy, you could reasonably expect the average person, you know, to at least have a general understanding of who to go to to pose the question.
Mitchell: (04:42) So what if you're new to this, what if you have never drafted a cybersecurity policy before and you're not even completely sure of what the potential risks are with all the new data and technology that's out there. What are some best practices for doing your own personal research and developing a process for implementing a new cybersecurity policy?
Joseph: (05:03) Great question. So, you know, first off, Google is your friend, so that is an amazing place to start. There is a ton of great information out there. You know, try to steer clear of, you know, kind of minor organizations that you'd never heard of, but there's a bunch of major players out there. They're really kind of have templates for you. You know, best practices, you know, it's going to depend on each organization. But you know, kind of broad stroke here is get all the decision makers inside the room, block off a period of time and you know, that could be the board of directors, the C suite executives, it legal, your HR team, bring them all together, you know, and kind of start hashing through these templates that are available to you. So that way you get all of the different perspectives on what could potentially happen and how you should really respond to that. And that's going to be probably, you know, the best in terms of best practices because if it's, you know, if you have your cyber security policy and you say, hey IT guy do this delivered on Tuesday, and then you just try and, you know, push that out to the entire business, it's going to be a train wreck and there's going to be a million questions and you're going to have to go and redo the entire thing. So get everybody involved from the beginning. It's going to be much easier for everybody.
Mitchell: (06:31) So as you start to, implement these processes, right, and we have all these different people working together, all the different functions of the business. What have you seen from, you know, different industries or just different firms in general as far as the progression of cybersecurity and what that means in our economy today?
Joseph: (06:54) Sure so I think, you know, everybody is saying that they're taking cybersecurity seriously now, and I would really kind of push back against that because, you know, I think most businesses now are saying, hey, we take cyber security seriously. we have this one guy who does it right, who's in charge of it. But cyber security is really a full organization front that has to occur there. So, you know, it's something where the world is just getting more complex. And so, you know, that's on the regulatory side, it's on the cyber security side with the different types of controls or you know, software solutions or hardware solutions you could buy. So, you know, it's really, really getting complex. So, once again, if the people at the top aren't you know, taking this seriously and really getting involved, that's when really bad things happen.As far as, you know, specific industries that are definitely high risk, obviously financial services just due to the amount of PII that they have: personally identifiable information, the medical industry, they're getting hit constantly because of the personal health information in there. And then retail as well just because of the credit cards. So it's, you know, it's really kind of well across the board. Every industry I can think of really has to tart start taking this seriously, unless they just don't use computers, you know, in which case they probably won't be a business for long.
Mitchell: (08:32) This is kind of off script here, but I'm just curious, you mentioned a lot of different, industries right there. In your opinion, are the experiences that you've had, what is like the main target of, you know, cybersecurity breaches? Are people looking for financial gains? Are they looking just for the personal information? Like what's the point?
Joseph: (08:52) Sure. So it really, once, it depends, but I'll, I'll qualify that statement for you. So, you know, hackers really want information that doesn't change. So that's why I say like, you know, financial services industries are so specifically targeted because your date of birth doesn't change. For all intents and purposes, your social security nber probably doesn't change and I think even if you get a new one, that number is still attached to the old one. So, you know, they're really looking for things that will never change. You know, in terms of the medical industry you know, they're looking for that protected health information. So they want to see, you know, that obviously it's got your social, it's got a bunch of insurance information in there. Once again, a bunch of things that don't change. So those are like the highest cost items on the dark web or things that never change, then you get into retail where we're dealing more with credit card information or financial account information. That stuff can change very rapidly. You know, you could cancel your credit card and get a new one sent to you tonight, so that tends to be lower value, but it goes, for sale much faster on the internet.
Mitchell: (10:08) Hmm. That's interesting. So you're saying a lot of the hackers, they're taking this information and they're not even the ones that are using it. It's really, it's then just out there on the black market for somebody's highest bitter and they do what, what they want.
Joseph: (10:24) Oh, absolutely. So, you know, if you, if you hop on tour and you started going to some questionable websites, you can actually see where they're selling, bundles of information. And interestingly, they actually have a better guarantees than most of what we'll find in the cybersecurity world. So, you know, your antivirus providers probably not going to say, hey, if you get breached or give you $1 million, but you know, the guys writing the software that could breach your computer system. You know, they've actually, they've got holiday sales, they've got 1-800-NBERS. If you need assistance with implementing the code to try and hack somebody, you know, they've gotten minim return guarantees on, you know, how much money you'll get with the ransom, how many organizations that you can penetrate with with their software. So it's really an unfortunately a very fascinating, you know, economic system, but it's 100% geared against legitimate businesses.
Mitchell: (11:24) Right. Yeah. Now that is fascinating and I'm sure this is really difficult to ballpark, but, the different cases where organizations have been attacked, what are some of the costs that you have seen as far as, you know, end results from, from being hacked or from being breached? What's the cost to these organizations?
Joseph: (11:45) Sure. That's, you know, that's a great question. So, you know, I'd say the primary cost, for the people you know, really involve the day to day players, that organization is embarrassment. That's something not a lot of people talk about. But a lot of firms, you know, they're just really embarrassed that they got breached because so much in the business world, you know, as complex as the world is now. A lot of what we do, we just operate on trust, right? Like you just trust that your accounting firm does your taxes correctly. You're going to trust that target is keeping your payment card information secure. So that's really kind of the, the incalculable cost is removing that trust, with your clients or your customers. And then from there, you know, it's really all over the board in terms of cost, but it can get very, very expensive. So, you know, probably the biggest costs you're going to see is going to be the forensics costs. So that's going to help you determine the scope and nature of the breach. Those guys last, you know, best metrics I saw, they're charging 800 to $1,200 an hour. Wow. And a lot of them are charging in 40 hour blocks. So if you do want hours, they charge you for 80. You know, the, the attorneys generally if you have, you know, council, you're going to need it to assist you with this because it's a very complex endeavor to navigate through. You know, they're charging, you know, partner level is probably about 450 bucks an hour, you know, then you've got credit monitoring which could be up to $7 a person and then you've got just the notification costs. You know, if you're going to notify 100,000 people and you're mailing them a notice and you're paying, what does the stamp cost, those costs start adding up very, very quickly. And then, you know, kind of beyond all of that stuff you're legally obligated to do anyways. It's just the business interruption time. So, you know, we saw that with CCH right when they got breached a major provider of a tax software information, you know, just the downtime there, how much money that's going to cost them. You know, even next year after they're back up and running and everything's fine. You know, are accounting firms going to take their business to say Thomson Reuters because they just don't trust CCH anymore. I mean, you know, we just, we don't know, but it's, it's going to be interesting.
Announcer: (14:20) This has been, count me in IMA's podcast, providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at https://www.imanet.org.
