Ep. 18: Joseph Brunsman - Cybersecurity


Sep 29 2019 14 mins  

"12 Rules for Cyber You MUST Know" by Joseph Brunsman: https://www.linkedin.com/pulse/my-12-rules-cyber-joseph-brunsman/

CPL Brokers, Inc.: http://cplbrokers.com/

Contact Joseph Brunsman:
LinkedIn: https://www.linkedin.com/in/joseph-brunsman-3a1102101/

FULL EPISODE TRANSCRIPT

Music: (00:00)

Adam: (00:04) Hey everyone. Welcome back to Count Me In. I am your host Adam Larson and with me once again, it's my cohost Mitch Roshong. As we continue to offer insight into all things affecting the accounting and finance world, this episode is going to focus on cybersecurity, as we hear from cybersecurity expert and bestselling author Joseph Brunsman. Mitch, can you give us some background on Joseph and what your conversation was about?

Mitchell: (00:35) Sure. Adam, thank you. Joseph is the vice president and CCO at Chesapeake Professional Liability Brokers in Annapolis, Maryland. He most recently served as a Lieutenant in the United States Navy working as an anti-terrorism and force protection officer. He has a background in systems engineering and cyber law and he is in the process of writing two books on cyber insurance. We focused on the progression of cybersecurity and how to create organizational cybersecurity policies to avoid some of the potentially disastrous costs following a cyber attack. So let's take a listen.

Music: (01:11)

Mitchell: (01:17) So data and technology are two of the most popular topics in accounting and finance. With so much data available to companies today and subsequent information being shared, what kind of emphasis should businesses place on cyber security?

Joseph: (01:32) Sure. So, you know, that's a great question. I'd say that information is like the new oil. So data security is a huge deal and you know, of all the breaches that I've researched, that I've written about, that I've worked on, you really kind of see a common trend and it's that everybody who's been breached suddenly finds a way to spend more money and more time and more resources on cyber security after a breach. So kind of the lesson there is it would have been much easier to prevent that breach beforehand, you know, and that really kind of gets into, you know, starting from the top down where if a company wants to place an emphasis on cyber security and they all should, then, you know, it's really got to start from the top and work its way down. So that's from, you know, the board of directors has to get educated on the topic. Even if it's just, you know, a couple of YouTube videos that generally understand, you know, the basics of cyber security or network security and then from there filter that down through the organization.

Mitchell: (02:38) So with that kind of top-down structure, when it comes to implementing different cybersecurity policies, what are some of the common strengths, weaknesses, opportunities, threats that you've come across when you're trying to help coach these businesses?

Joseph: (02:54) Sure. So you know, kind of some of the common things we see obviously going to be different for each business, right? Because it's going to depend on the industry they're in, various environmental factors of what they're dealing with. But you know, we do see some common trends. The first one's going to be, you know, cyber security policies should not read like War and Peace or some legal primer on contract law right there and we, we see a lot of that and always kind of makes me cringe because the primary purpose of a cyber security policy is really, you're supposed to be guiding the staff into making correct decisions, right? You're trying to tell them, Hey, this is what's acceptable and what's not. But more than that, really the biggest flaw that I see is, and this is, you know, it takes a little more time and effort to do this, but it pays off in the long run is, you know, they need to tell the staff members and employees, you know, Hey, this is the purpose behind the policy that we've implemented. And that really makes adherence to it much simpler, which makes the cybersecurity of that business, you know, exponentially stronger because you can't plan for every possible scenario, but you can really stick to those major threats that you're reasonably foreseeing that could hit the business, you know, you don't need to plan for the apocalypse. So you want the cybersecurity policy to be understandable by the common person. Just complex enough that you're hitting the major wickets there. And that if there's something that you couldn't plan for or there's something missing in that cybersecurity policy, you could reasonably expect the average person, you know, to at least have a general understanding of who to go to to pose the question.

Mitchell: (04:42) So what if you're new to this, what if you have never drafted a cybersecurity policy before and you're not even completely sure of what the potential risks are with all the new data and technology that's out there. What are some best practices for doing your own personal research and developing a process for implementing a new cybersecurity policy?

Joseph: (05:03) Great question. So, you know, first off, Google is your friend, so that is an amazing place to start. There is a ton of great information out there. You know, try to steer clear of, you know, kind of minor organizations that you'd never heard of, but there's a bunch of major players out there. They really kind of have templates for you. You know, best practices, you know, it's going to depend on each organization. But you know, kind of broad stroke here is get all the decision makers inside the room, block off a period of time and you know, that could be the board of directors, the C-suite executives, IT, legal, your HR team, bring them all together, you know, and kind of start hashing through these templates that are available to you. So that way you get all of the different perspectives on what could potentially happen and how you should really respond to that. And that's going to be probably, you know, the best in terms of best practices because if it's, you know, if you have your cyber security policy and you say, hey IT guy do this delivered on Tuesday, and then you just try and, you know, push that out to the entire business, it's going to be a train wreck and there's going to be a million questions and you're going to have to go and redo the entire thing. So get everybody involved from the beginning. It's going to be much easier for everybody.

Mitchell: (06:31) So as you start to implement these processes, right, and we have all these different people working together, all the different functions of the business. What have you seen from, you know, different industries or just different firms in general as far as the progression of cybersecurity and what that means in our economy today?

Joseph: (06:54) Sure, so I think, you know, everybody is saying that they're taking cybersecurity seriously now, and I would really kind of push back against that because, you know, I think most businesses now are saying, hey, we take cyber security seriously. We have this one guy who does it right, who's in charge of it. But cyber security is really a full organization front that has to occur there. So, you know, it's something where the world is just getting more complex. And so, you know, that's on the regulatory si...