Cyber Insurance and Staying Protected

Unsecurity Podcast

We are joined by David Kruse to discuss cyber insurance, the Fitbit/Google news, and (of course) the first year of the UNSECURITY podcast. Give it a listen and let us know what you think at

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hey Unsecurity Podcast Listeners, this is episode 52. The date is November 4th 2019 and I’m your host, Evan Francen. My guy is with me Brad Nigh tell the folks something Brad, Good morning.

[00:00:42] Brad Nigh: words, words, words, etcetera, etcetera.

[00:00:46] Evan Francen: You actually, you are following the show notes, like verbatim. All right, well, we’ve got a great show plan today. I’ve been learning some things about doing podcasts and one of the things that I’ve learned is you’re supposed to do a hook at the beginning of the podcast to tell people like, hey, keep listening because this podcast is going to get long. So unless you have a long car ride with nothing to do, I should give you a hook. Okay. All right, I’m gonna do that. So what we’re going to talk about today, we’ll talk about this is the one year anniversary. This is episode 52. That’s crazy. I know we’re gonna talk about that. We’re gonna talk about the things that we learned over the course of the last year.

[00:01:21] Brad Nigh: Some would argue. We haven’t learned a lot.

[00:01:23] Evan Francen: No, no, no. We totally have, man. We’re going to go down that path. Uh, and then we’re going to welcome our, our guest, uh mister David Cruz Dave. We can call him. He’s an awesome dude who’s got a cool career story. I think I like his career story because it parallels I think so many of our careers. Uh but he also knows a ton about cyber insurance. So we’re gonna nail him with some tough questions on cyber insurance.

[00:01:49] David Kruse: Can’t wait. So

[00:01:52] Evan Francen: hi, David say, hi,

[00:01:54] David Kruse: good morning. How are you?

[00:01:55] Evan Francen: I’m doing well, I’m doing well. It’s good to good to talk to you. Last time we talked, you were here in person. You were at the hacks and hops. I think,

[00:02:04] David Kruse: You know, last time we talked, we’re about two ft away from that glazed bacon table. Um, so I can’t say that was preferable, but that was a great day.

[00:02:13] Evan Francen: I just had a moment. Sorry, did you say glazed bacon? I remember that. That was super good. Yes, I think I had like way too many portions uh

[00:02:25] Brad Nigh: glazed bacon on a stick. You just eat off. So good.

[00:02:28] Evan Francen: Right. And I think there’s certain times when it’s okay to be selfish. And I think that was one of those times.

[00:02:33] David Kruse: You know, the the only, the only way you stop eating glazed bacon on a stick is when you run out of glazed bacon on a stick,

[00:02:40] Brad Nigh: that’s what happened

[00:02:41] Evan Francen: to it was very disappointed.

[00:02:42] Brad Nigh: I went back for more and it was gone.

[00:02:44] David Kruse: I

[00:02:45] Evan Francen: believe I was looking for somebody to blame. Uh All right. And then after that we’ll wrap this whole thing up with some interesting news stories, including I think the one that sort of troubles me a little bit is the google. Excuse me, google buying Fitbit. Uh,

[00:03:02] Brad Nigh: have you? Yeah, we’ll talk about that. All right.

[00:03:06] Evan Francen: So let’s dig in. Uh, David. We already introduced you. So, again, welcome. Let’s talk about our one year anniversary. It’s crazy man. It is. Remember we first the very first podcast we did. Yeah,

[00:03:19] Brad Nigh: zoom from our homes on a sunday evening.

[00:03:23] Evan Francen: Yeah, I think the first, maybe what five were done that way.

[00:03:26] Brad Nigh: Uh, more than that. It was like 10. We didn’t start doing it in person until January.

[00:03:32] Evan Francen: That was when I think either your wife or my wife or both bows. We’re

[00:03:36] Brad Nigh: getting both were like, okay enough. Yeah, they

[00:03:40] Evan Francen: wanted their sunday nights

[00:03:41] Brad Nigh: backs. My wife was getting a little frustrated trying to keep the kids quiet for an hour were recorded.

[00:03:47] Evan Francen: Did you ever listen to any of those?

[00:03:49] Brad Nigh: I, my wife did. And she played a couple back where you could totally hear the kids in the background. Oh my God, yeah, slightly different.

[00:03:58] Evan Francen: Dave. Did you ever listen to me any of the first few podcasts,

[00:04:02] David Kruse: You know, I started listening, you had Ryan Claudia on for an episode I think was 17 or 18 maybe. Um, so that was the first one I listened because he’s a buddy of mine from up in the cities there and I went back probably half a dozen episodes prior to that and started listening. So I don’t think I’ve got the early ones, but I’ve got a reason to go back and listen now. I

[00:04:21] Evan Francen: know you can skip them if you want.

[00:04:24] Brad Nigh: It was it was definitely uh there’s some awkward pauses because you couldn’t, we didn’t have a, like a flow down, you couldn’t see the other person really.

[00:04:33] David Kruse: So yeah,

[00:04:35] Evan Francen: it was it was weird because I’d wanted to do podcasts for a long time and you know, I I finally just said, screw it, we’ll just brad you wanna do a podcast and breads like sure. So we just started recording on zoom and I never listened to him. I’ve never listened to one of our podcasts.

[00:04:56] Brad Nigh: The only ones I listened to are the ones I’m not on. So that’s weird.

[00:05:01] Evan Francen: I’m with you. So that we started recording here, right? We we started recording in the boardroom with Yeti Mike. Uh somewhere in there was my trip to Cancun, which was

[00:05:14] Brad Nigh: weird. That was when that might have been. No, that wasn’t,

[00:05:20] Evan Francen: it was january. So it’s been like 2.5 months in. Yeah. And then uh I guess the biggest miracle for me is that we did all these podcasts and we didn’t miss a week, you know? And then nuts. It is, we’ve been a day late, I think maybe twice, Maybe three times

[00:05:35] Brad Nigh: most of time. It’s some sort of a technical glitch. And we had to, you know rerecord or something. Yeah.

[00:05:43] Evan Francen: All right. So next week we’re going to um have Brandon. He’s the, what would you call him?

[00:05:49] Brad Nigh: He’s our marketing guy. Marketing guy. He slaps marketing on things.

[00:05:53] Evan Francen: Yeah, just kind of spits marketing. Yeah, something like that. Yeah. So he’ll be uh we’re gonna we’ll have to see what he says. But I would love to see him put together some clips and maybe have him do the voiceover so people can, you know, get introduced to Brandon, he can sit in here for a little while. It would be funny. It would be funny. Do you have a best, do you have a favorite episode that when you look back over the 52 51?

[00:06:19] Brad Nigh: I mean there’s been a lot, but I think that the best one that was kind of the riskiest for us was our wives. All right. Because that could have gone really, really not well for us, but I think it was it was good and we got a lot of really good feedback on that one.

[00:06:35] Evan Francen: We did, we should invite them back. They make us look better. So, I had the wives. I thought a couple of episodes with Ben were pretty cool. Um because he’s always got some interesting things, he just came back from my second where he gave his presentation in Chicago on on his uh you’re welsh Ortner research he’s been doing. And I guess he got like mobbed at the end. Yeah, it is really, really good. What else? We had christophe Phoolan on the episode a couple times. I really like him

[00:07:08] Brad Nigh: as bummed. It didn’t work out when I was in D. C. To meet up. It just didn’t work out

[00:07:14] Evan Francen: well he did. Um So christoph has his own podcast and it’s really dedicated to helping people get into this information security industry. You know, he’s, you must be younger than us

[00:07:28] Brad Nigh: two. I’m finding that happens a lot more now. It’s weird. I don’t like it.

[00:07:33] Evan Francen: Yeah, man, we’re getting, do you see my beard going long? Is there a lot of gray hairs in here? It’s getting squirrely. I gotta go get, yeah, I need to get cut down. All right, so christophe, that’s a, that was a good one. And then like uh buying

[00:07:47] Brad Nigh: a couple of times.

[00:07:48] Evan Francen: Yeah. Now Dave,

[00:07:49] David Kruse: how do you know Ryan? So I know Ryan through, are you familiar with the group’s Source well up in Minnesota. Yeah. So, so I’m connected with sort of the main source will office up in staples Minnesota through a gentleman named Ryan Donovan. Um back in my former employer. Houseman johnson Insurances are independent insurance brokerage based out of Madison. Um, We partnered up with source well to offer a cyber insurance program for municipalities and school districts and non profits and other governmental organizations um that we sort of crafted help make sure that they’ve got the best product that they can get. Um and so I was handling the insurance side and then Ryan obviously worked with source file technology. So we initially met uh we initially met up in Minnesota for the first time in person about a year ago, we had talked on the phone a couple of times prior to that. But Ryan, Ryan came into that meeting with a laundry list of things that he wanted to vet Source wells insurance provider here and hopefully I can say I won him over over the past year. But that’s, that’s how I know, Mr resourceful that way. That’s cool.

[00:08:57] Evan Francen: One thing, the one thing I like about Ryan, uh, I like a lot of things about Ryan, but the one thing that sticks out is just this passion. I mean, he genuinely loves people and it’s so cool. It’s contagious.

[00:09:09] David Kruse: He’s just the perfect example of a mission driven professional and it’s an attractive personality to be around. He’s a powerhouse when you get him going, don’t get in his way.

[00:09:20] Evan Francen: Right. We should uh, I would like to work with him more,

[00:09:26] Brad Nigh: you know, he’s working, he’s helping on the, That’s two teams stuff, right?

[00:09:31] Evan Francen: Yeah. S two teen and I know he’s uh you know, also working with schools because he’s very well connected to, you know, opens a lot of doors. Uh but both of the episodes with brian, we had, we had him on twice one time, I was in Anaheim California and so like my audio was just

[00:09:50] Brad Nigh: they turned into the brad and Ryan show.

[00:09:53] Evan Francen: Yeah. And the same thing happened on his second time. I was in

[00:09:56] David Kruse: Brooklyn.

[00:09:57] Evan Francen: Yeah, that’s

[00:10:00] Brad Nigh: fine. He’s a he’s a great guest to have in studio because yeah, he he’s just so full of energy even. It’s not like the boom and am

[00:10:09] Evan Francen: like knock the audio boom down or anything, you know what I mean? Because he’s kind of animated to like Mhm. Yeah. All right. So those were good episodes. Uh

[00:10:20] David Kruse: I’m excited ransomware episodes. Those were those were fire and brimstone episodes from the audience perspective. I love those. Okay.

[00:10:28] Evan Francen: And we should revisit those. Yeah, we should we should revisit those. I have had somebody take a look, somebody that I I think I trust and all that. Take a look at uh ransom or readiness assessment, the free one that we give away online just to get his feedback. And I got I got some good feedback general, I mean, and overall he really liked it. Uh But I think there’s some things we can do to make it even better. I

[00:10:53] Brad Nigh: Mean we like giving stuff away version one. There’s always it’s never finished.

[00:10:59] Evan Francen: That is true, That is true. All right. So real quick brad. What have you been up to? Uh We haven’t talked. What have been what’d you do last week

[00:11:08] Brad Nigh: stuff good. No, mostly keep doing more business stuff.

[00:11:13] Evan Francen: Business. See things

[00:11:14] Brad Nigh: businesses stuff numbers and such. Yeah, that’s fun. It’s

[00:11:18] Evan Francen: different colors were black. I mean the color the colors of the numbers are truly they were read

[00:11:23] Brad Nigh: write mostly black. Good.

[00:11:26] Evan Francen: Let’s keep it that way. But

[00:11:27] Brad Nigh: if you find right, you got to figure out how to fix it. Right. True.

[00:11:31] Evan Francen: It’s true. Uh Well last week I was in uh, so I gave a talk the cybersecurity summit something about a talent shortage problem. I made those those slides available online and then, which is awesome. I ran into peter Martinson there. Uh he was, he was my room guy. You know what I mean? When you give a talk they flash those things saying hey you got five minutes left and stuff and then the Minnesota counties computer consortium, something like that. M. N. C. C. C. They erin call the sea. So for the state of Minnesota was supposed to speak and he backed out, john was already scheduled to speak there. So they reached out to me and said, hey can you speak tomorrow? I’m like okay sure about what like I don’t know you get to pick, I’m like, well I’m like what was Ryan going to or Aaron call, going to speak about? I said uh security and uX design like crap, I want to talk about that so I can’t tie that into anything I’m working on. So I made a side back. Excuse me. It made a side deck. Um how to secure America,

[00:12:46] Brad Nigh: did you see it? I heard about it. Have you had a flag on every slide? Yeah, well mary come

[00:12:52] Evan Francen: in, you know, I started it, I said uh you know, it was all a bunch of counties, There was probably 100 20 years maybe people there. I said uh show of hands for everybody who likes America and then anybody who didn’t raise their hands, I said, you can leave. Right. There you go. They all stayed. Because who’s going to leave when, when you say something like that,

[00:13:12] Brad Nigh: That’s the security guy talking about.

[00:13:14] Evan Francen: Right? So that was, that was that talk. And then we were down in Dallas and I met a bunch of really, really, really cool people in Dallas. But anyway,

[00:13:22] Brad Nigh: it’s john’s post on that, that the format I guess was really good or he liked how they, how they did that, how

[00:13:28] Evan Francen: it’s structured. It’s the weirdest uh, conference e event thing I’ve ever seen. They had the vendors uh and we were, we were a vendor, right? We weren’t selling anything right? I mean everybody else was selling things. And it was really interesting because a couple of people came up and told us, you are the only people that actually asked about me. I was like, well, I don’t know, maybe you should go tell the people that didn’t, that they should, their sales would probably be more effective. Um but there were 10 vendors, this thing, this event and they sat, we each sat at a table and then all the business consumers, people came in and they were assigned to certain tables And then you did these rounds round one was uh speed dating. So you have six minutes to tell them about your thing, what you’re doing and everything like that. And then after the six minutes they’d ring a bell and then they rotate interesting. Yeah, and so you know, you go through all that and then they vote on the business business consumers, people, they vote on who they want to see a demo from. Uh so we were john and I were like, that would really suck if like nobody voted for somebody, you know what I mean? We had uh we had, we had people had plenty of people, you know, so there was no, I didn’t really feel a fear like no, we would come and want to come all our stuff because then I just go get an energy drink or something, you know? But uh yeah, it was just weird. That’s interesting, very cool. I met, we met a lot of really neat

[00:15:09] Brad Nigh: people. That’s kind of a cool concept because that way it basically forces all the attendees to meet with all the vendors and and it doesn’t allow somebody to like completely dominate the time for someone

[00:15:22] Evan Francen: and it forces you to get to the point too, I like, you know, give me six interesting rather than, you know, and it’s got this feature and that thing and this, you know, but there are there were two people, two companies there that we’re selling a I and I walked went to one and like, tell me about your Ai Yeah, it wasn’t a I

[00:15:41] Brad Nigh: it was, was it Omega gin? Oh,

[00:15:45] Evan Francen: yeah, yeah.

[00:15:45] Brad Nigh: I responded. We’ll make a gym with ai and blinky lights.

[00:15:49] Evan Francen: That’s right. Yeah. We’re going to have the gen to end all jen’s, right, You have, Next gen, we’re going to go all the way to the end and do omega jen, and we’re gonna make a killing. We’re going to be so rich,

[00:16:01] Brad Nigh: you’ll have an easy button and blinky lights for us. Do you need well, ai and Blockchain? Yeah, Okay. There you go. Put that in there too. I forgot Blockchain.

[00:16:09] Evan Francen: All right enough of that. So, uh introducing Mr David Cruz. So, David or Dave, I’m gonna see you haven’t in all my show notes to call you David, but I’m gonna call you Dave, because I feel like we’re like closer than that.

[00:16:23] David Kruse: I think so, yeah. So, whatever comes out your mouth is, I think

[00:16:28] Evan Francen: one of the most fascinating things. So, when we were kind of prepping for the show a little bit, you had, you were kind enough to kind of share your background, you know, how you got here. Uh, I think today, you’re starting a new job

[00:16:43] David Kruse: in two hours and 40 minutes. So

[00:16:46] Evan Francen: We’re like the this is cool, so two hours and 40 minutes you start a job and where are you going?

[00:16:52] David Kruse: So I’m gonna be going to a firm here in Madison called Gil wear. Um They do a couple of things, but primarily they do digital forensics and then proactive risk control as well. Um and they also they also have a data recovery side of the business too.

[00:17:05] Evan Francen: Cool. And how big is gil

[00:17:07] David Kruse: wear? So gil wear, there’s probably about 40 45 employees operating underneath the name Gil wear. I’m probably 20 to 30 of those are operating on the data recovery business. And then the remaining pieces operating under the forensics and risk control side. Okay,

[00:17:24] Evan Francen: And I assume you you live out that way. Are you close to Madison?

[00:17:29] David Kruse: Yep, I’m in Sun Prairie, about five miles east of Madison.

[00:17:31] Evan Francen: Okay, so that’s a nice commute and everything. What’s the competition? What’s the competition like in Madison? In terms of security

[00:17:39] David Kruse: people? In terms of security, there’s, I mean, you’ve got nobody, there’s not really many firms whose whose secure that have security at the heart of what they do. I mean, you’ll have plenty of firms that do sort of general managed services and they also offer security in the form of a firewall and, you know, email filters. Um but there’s there’s not really many that are focused exclusively on security? I can think of one in Brookfield, which is just west of Milwaukee and there’s another one up in stevens point, both of those are quality firms that do a good job as well. Um but in Madison that I can think of off the top of my head, not not really many. Okay,

[00:18:18] Evan Francen: interesting. Is fr secure the consulting company here? Uh We do some work, I think we have partners in medicine, but I don’t think we do much work there. Um and we like, and hopefully, you know, hopefully you’re the same way, but we like collaboration, you know, uh more than competition because I think there’s so much untapped market

[00:18:44] David Kruse: everywhere, uh couldn’t couldn’t agree more, you know, it’s it’s were nowhere as near saturation in terms of businesses that should be utilizing security services like ours. So at this point we all we all we should be doing is helping each other really. I agree with that couldn’t agree more

[00:19:04] Evan Francen: so in your, in your path, which I thought was just really kind of fascinating how you got here. And it reminds me too of, you know, there is no one path to get to a security career.

[00:19:17] Brad Nigh: No, and I think the more varied the path, you know, typically you’re more well rounded, you understand, you know, the different businesses and definitely people

[00:19:26] Evan Francen: work definitely better looking,

[00:19:28] Brad Nigh: right?

[00:19:30] Evan Francen: I mean, proof in the pudding right here. Yeah. Uh huh. So well, like Susan Maldon remember Susan Maldon, right? She was the sea, so for Equifax and she was getting all sorts of grief from some people I think people who don’t know better that she had a degree in music.

[00:19:49] Brad Nigh: Yeah but

[00:19:52] Evan Francen: if you look at her experience she was at Suntrust Bank for a good amount of time. I mean she she came up through the ranks so she was pretty qualified I think to be the Cso at Equifax at the

[00:20:02] David Kruse: time.

[00:20:04] Evan Francen: Uh Regardless of how much grief she caught for being a music major.

[00:20:08] Brad Nigh: But I think you’re yeah that’s I don’t agree with that

[00:20:14] Evan Francen: one. Well you shouldn’t I think it’s wrong and you’re

[00:20:17] Brad Nigh: seeing more people like that don’t have degrees. I’ve said it I don’t have a degree of college experience but I didn’t graduate because I couldn’t figure out what I wanted to do. And then I started getting into computers and just was like oh this is it. Well

[00:20:31] Evan Francen: I’ve done sort of at the time and by the time you got out of prison you had to get a job. You know it

[00:20:36] Brad Nigh: was tough you can’t pick. But uh but yeah I think there’s you know some of the more I guess progressive companies that are that are not as uh locked into the old ways are starting to see that. Um And where was that post on? I’ve seen a couple of posts on linkedin where it’s you can’t you know you want an entry level security person with the C. I. S. S. P. Or you know five years experience and it’s like that’s not you can’t do that

[00:21:09] Evan Francen: when I. And so you don’t have a degree. I have a degree in geology. Rocks

[00:21:14] Brad Nigh: chad.

[00:21:16] Evan Francen: Yeah well that’s smarter than me. He remembers more I think I did more drinking in college so I kind of forgot most of the rock stuff. Uh Dave would and you studied uh what

[00:21:27] David Kruse: I studied Theology and philosophy. Um So where most information security people start? I’ve found um

[00:21:36] Evan Francen: what what is philosophy? I mean it’s just arguing with people.

[00:21:41] David Kruse: I mean if we want to get all high and mighty right out of the gate degree comes from the greek form of the love of wisdom. Um So we can go with that. But it really it’s just a lot of really gents reading that’s all it is. I’m

[00:21:56] Evan Francen: a big fan of wisdom.

[00:21:58] David Kruse: Oh yeah. Absolutely. Absolutely. So yeah I did that and then uh study philosophy and there was an ethics concentration built in there as well. So I’d like to think I can tap into that from time to time.

[00:22:11] Evan Francen: I thought the funny thing in your background you said the most technical thing I’ve done or even whatever ever done is run disk defrag on parents old compaq. That’s

[00:22:23] David Kruse: pretty funny. You know my uncle said it would make Duke Nukem run faster and he wasn’t wrong,

[00:22:28] Evan Francen: Duke Duke. Um Oh my gosh wow blast from the past. That’s awesome. And then some VB in high school? So VB in high school. So now you’re starting to date yourself a little bit. I was basic in high school Apple to

[00:22:45] Brad Nigh: trying to think what, I don’t even know if they had a computer. Really. Did you

[00:22:50] Evan Francen: play Oregon trail?

[00:22:51] Brad Nigh: Oh yeah, we had, we had that. Oh yeah, we’re working trail. But no, uh, no computer classes

[00:22:59] Evan Francen: was Oregon trail. It must have been some kind of a government grant because everybody had organ trail

[00:23:03] Brad Nigh: because it was a game that was quote unquote educational,

[00:23:07] David Kruse: right? That was fun. You shot £5,000 of Buffalo. You can carry 200 back to the wagon.

[00:23:13] Evan Francen: Yeah,

[00:23:14] Brad Nigh: that’s true. Died of dysentery,

[00:23:17] Evan Francen: dang it again. So then your path. Uh, Dave, which I think it’s just cool. So you graduated college, unemployed painter, unemployed high school theology teacher. Which is like, who does high school theater? I didn’t know that was a class in high school.

[00:23:34] David Kruse: Uh, yeah, that was, it was an all girls school in downtown Milwaukee that I taught. Um, so the interesting thing about that one is the state of Wisconsin probably according to my fuzzy memory from earlier this decade. Um, they stopped offering license jurors or certificates. Um, for anybody that wanted to be a high school religion teacher because they said, well we can quantify what makes a good math teacher, We can quantify what makes a good english teacher. But how do you quantify what makes a good religion teacher? You know because you’ve got an Islamic, a jewish in the catholic high school. How do you say? Okay. How do you put a governmental rubber stamp on that and say, yep, you’re approved? So the state of Wisconsin stopped offering license jurors for that so that you can still go ahead and do it, but we’re not going to rubber stamp. Yah. And what that really meant and practices that I didn’t need to get a degree in education in order to get that job. I just needed a degree in the subject matter. But what I found out maybe, I don’t know, 10 minutes into teaching was the subject matter is maybe at most 5% of what you do as a teacher. That’s really secondary. The rest of it is all classroom management and behavioral issues and individual education plans and lesson planning and all this other stuff. All these hard skills that I had none of. Um That was a that was a short lived tenure at ST joan into the high school. But a valuable one of that interesting,

[00:24:58] Evan Francen: wow, that’s cool. And then unemployed again. The nanny bank teller, personal banker, insurance, customer service rep insurance broker focusing on life science tech business and then leader of the agency’s cyber practice. So here’s where cyber starts to come in. Uh And then you’ve been there for. How long were you there? 56 years?

[00:25:19] David Kruse: Yeah, I was at houseman johnson about 5.5 years. Okay.

[00:25:23] Evan Francen: And then now you’re all right gil wear

[00:25:25] David Kruse: Well soon a couple hours that’s 2.5 hours.

[00:25:29] Evan Francen: So my I tell people because my when I was young I was an only child so I was kind of a rebel And I liked that that at that time, you know, I like to drink. So I’ve been sober now for 18 years Uh because jail just didn’t just enough of that. Right? So uh but I when I was in college I passed my series seven and 63 and became a stockbroker for yeah for uh uh what was the brokerage? It was called hain miller and farming. It was a little regional broker in downtown Minneapolis. And what that really meant was you’re gonna do all the studying and work really super hard to do nothing but cold calls for the brokers that have a book of business, the ones you know the and so the job was 100 cold calls a day, right? Every day working on straight commission and and I was like 19, right? So if you’ve got money and you pick up and I happen to get through some, you know, call block and finally get to you are you going to give a 19 year old money, you know, to invest in penny stocks. The two penny stocks I had with ce software which is a macintosh computer uh software manufacturing Iowa in a company called Apogee robotics which made robots for um prisons, right? I don’t know if either one of those companies still alive. The only client I ended up having that actually paid me was my mother. So I did that. But you know what it gave me, it gave me such a huge appreciation for people in sales. Mhm. You know if you’re a hunter, my god, is that hard work?

[00:27:15] Brad Nigh: Yeah I don’t want I’m not a salesperson. Right?

[00:27:18] Evan Francen: Uh And then what did I do that? And then I was mortgage broker, a bill collector, a bartender. Um What else I do, warehouse worker, a warehouse manager. And then work then then I got my first job at IBM cleaning boot sector viruses off the windows through one machines All before the age of 22. Oh that crazy. Yeah

[00:27:46] David Kruse: wow. Yeah I had no idea.

[00:27:49] Evan Francen: Well that’s why when I read your, when I read years I’m like man I can relate. I think I just did it all in like a three year span and I think you probably took a little more time getting through it

[00:28:01] David Kruse: little bit, little bit. But yeah people find their way here and all all sorts of ways. It sounds like

[00:28:08] Evan Francen: when it and it’s so cool because everybody that I’ve seen, you know come from different perspectives. Has such a good refreshing perspective on things. Um You know it’s so easy to get stuck in your ways. You know now that I’ve been in information security I’ve done this for 27 years, I still learn you know I’m not talking with people uh and if you just take the time to listen they have a different perspective and it’s valuable. Yeah

[00:28:38] David Kruse: but I look at that that path of mine and I think that you know one of the things that in my interactions with the information security industry now being in that industry, I think one of the biggest assets that I’ve got is the fact that I have like seriously disk defragmenter is as good as I get. Um So I think the fact that I don’t necessarily have I understand the risk and the problems that can the real problems that can cause for a business, even if I don’t necessarily understand the technical reasons that that problem makes itself manifest. And I think that when I’m having a conversation with somebody in the information security space ill mentally make a tally of the terms that they’re using that your average normal person would never understand. And even if it’s stuff that is really entry level thing for an information security person we’re still way past where normal people are at. But even just a term like host like nobody knows what that means outside of information security and nobody that means nothing to anybody. So we got to start you got to meet people at a much lower level. I think that are much more fundamental level than you sometimes necessarily think

[00:29:46] Brad Nigh: what no hostess who’s having the party.

[00:29:48] Evan Francen: Exactly my place. Yeah. Okay. And I got it man security humor, you know it’s funny too because when I give so many talks I can’t figure out why people don’t laugh at my jokes sometimes when I remember the punch line. But the uh it’s I think it’s, I think it’s kind of what dave saying. I don’t think they get what I just said and it’s not because it’s not and it’s not a level of intelligence. It’s just

[00:30:16] Brad Nigh: a different language

[00:30:18] David Kruse: level of exposure,

[00:30:20] Evan Francen: right? If I sat in a room and talked in with a bunch of accountants and they were having a discussion, I’m guessing

[00:30:29] Brad Nigh: half of what

[00:30:30] Evan Francen: they’re saying, I have no idea what they’re saying. Yeah,

[00:30:32] Brad Nigh: I got a, I got a little taste of that. Um my sister’s having some medical stuff and my wife center. So they were talking medical and I was just like I don’t what I checked, I was like okay, I get it, this is what it’s

[00:30:46] David Kruse: like

[00:30:49] Evan Francen: that’s cool. So then when you were at uh the insurance agency um you founded their cyber practice.

[00:30:58] David Kruse: Yeah, I was, I was part of a team that founded in originally and then as time went on I essentially took over leadership of it. But really the reason that we got that practice together in the first place was When, when you’re within the insurance business, people generally assume that any time a new risk is evolving, so to speak. And the cyber risk had certainly been around prior to 2014, when I started there. But it wasn’t necessarily the behemoth that it’s become now, at least from the insurance industry’s perspective. Um, so people generally assume that if I have a loss, I have a general liability policy that’s going to cover that loss. And insurance carriers don’t necessarily think that way because when they underwrite that policy, their underwriting that through a pretty well defined set of risks that that policy is meant to cover. And all of a sudden they’re getting claims on their policies for things like ransomware attacks and losses of private information. And from their perspective, they never intended to underwrite that or cover that because it’s outside of, they didn’t even know what that risk was. So what carriers will do is they’ll start up putting exclusions on general liability policies saying this policy is not meant to cover X, y and Z. Um, and what happens then is the industry will then sort of raise up a whole new category of insurance policies to offer affirmative coverage for it. And that’s what we are seeing Around 2014 and 2015. Um, and we have seen this trend before back in the eighties and nineties, people always assume that, okay, if there’s a harassment issue at work or a wrongful termination issue at work, why the general liability policy that covers that and no it doesn’t. So a whole new category of insurance rose up called employment practices liability that covers those HR type issues. Um and that exact same thing was happening in the cyber and in the general liability in cyber insurance world in 2015. So we said we need this isn’t something where we can just dip our toe in and just see what the waters like. We need to either jump in headfirst or not be a part of this at all and not being part of it wasn’t an option. So, so we founded our team at that point too, really get a sense as to what what is, what what all these new terms mean um what are carriers doing to respond to these risks and which carriers are doing that in the best way? And that’s that’s really been our focus for quite some time.

[00:33:17] Evan Francen: That’s cool. And you mentioned you know, in in kind of the brief that you gave me uh that you’ve read many many uh you know, insurance policies, cyber insurance policies, uh and then you develop this 100 plus point test to identify weaknesses within them. Is that a proprietary test or is that something that you can share?

[00:33:38] David Kruse: Yeah, great question. So that’s something that the basis of it is something that’s available um that test was originally formed by a group called er me the insurance and Risk Management Institute. They put out a test that was maybe At 20 points or so, and I use that as my basis to develop that into something that’s a little bit more robust. Um So now it’s now it’s about 100 points, that’s something that since the, since that was done under the guise of the former employer, that is a very intellectual property at this point. Um and I wasn’t allowed to take that with me when I left, so, um so I can certainly share the basic ideas, I think. Absolutely, and I would love to love to talk about one of the things you should be looking for on a policy like that. Um Yeah, but most of it’s all up in my head now at this point anyway, so say if anybody wants to talk and have you take a look, you know, right right now, I know more about cyber insurance right now than I probably ever will again. So. Well, I think it

[00:34:35] Evan Francen: would be great, you know, to have that opportunity to collaborate with you, David, just to uh because we get that all the time and you’ll find it too when you’re well, and you already know this anyway. But there’s a lot of confusion about cyber insurance policies and what’s the right policy, what’s, you know,

[00:34:50] Brad Nigh: what is actually covered, what writers do I

[00:34:53] Evan Francen: need to and often they’ll ask, you know, security people and we’re like, I’m not, I’m not an insurance person. I don’t know.

[00:35:01] David Kruse: Yeah. But how many times are you asked to fill out the insurance application that happens all the time for somebody nights or somebody’s Social Security for doing that? Yeah,

[00:35:11] Evan Francen: they wouldn’t have, they probably wouldn’t have us do it because well, but the truth on there, but

[00:35:17] Brad Nigh: we get, we get we get questions from clients on how should I answer this or we’re filling this out and it’s like 15 questions or 20 questions for millions of dollars of coverage or whatever. It’s like, I don’t know how you could underwrite.

[00:35:32] David Kruse: Right. Well, and that’s that’s what you’re, what you’re hitting on. Right. There is probably the biggest disconnect between the technical side of information security and the financial side. So insurance in an organization is usually controlled by a controller or a CFO or like a VP of operations. It’s usually one of those three titles that ends up handling this coverage. Maybe somebody in accounting sometimes. Um but they, the trend in terms of how you underwrite insurance, the application is always the basis for issuing a policy and over the past couple of decades really the trend has been, how do we, how do I identify what the most critical points of information are that we need to capture in order to underwrite this properly and how do we make this application as short as possible so that people actually completed and actually return it and actually buy a policy and get protected. So that sort of trend has been following on the cyber insurance side and the people on the operations of the finance side love it. But the people on the technical side absolutely loathe these short applications because of what you just said brad. How how can you possibly trust the carrier to cover you properly if you’re only asking me Less than 10 questions? How do you how do you have any confidence in the person who’s issuing coverage? And I understand I understand that. I appreciate that really

[00:36:51] Brad Nigh: is interesting. I talked I can’t remember who it was. It was an insurance person but they’re they’re saying basically something along the lines of were writing out these monthly million dollar policies on you know a couple of pages there’s no way I would go and ensure a building for that much without doing a physical walk through without seeing what’s going on. But we’re basically just taking companies words like on this, flip two pages of questions. Right.

[00:37:19] David Kruse: Yeah. Well what what’s really incredible is there’s one carrier that I know you can get a policy usually probably max about $5 million in coverage and you can get that policy with your name, your address, your annual revenue and then a simple, have you had an incident in the past if you give them those four pieces of information they’ll give you $5 million of coverage and it’s actually my favorite cyber insurance policy. That’s the thing. It’s just right now the markets at a, at a state where this is still a nascent market, there’s not many, not nearly enough businesses are carrying this kind of coverage. So right now, even if the carrier’s aren’t doing really tremendously good underwriting and it’s not bad underwriting, but it’s not as deep and as in depth as we might like, they can outpace whatever losses that they’re facing by just writing mountains in new business. Eventually that’s going to catch up with the market. But right now that’s a bit of the tech that’s going on. And to, to add a little bit too that about three years ago I took about seven or eight carriers applications and lined them all up side by side because when I was curious of was, what are the, what are the common, what are the commonalities between these applications? What is that? You know, what are the things that every carrier asks no matter what. Um And when I, when I land all those apps up side by side, there are only about four items that every carrier asked about. Everybody asked about an instant response plan. Everybody asked about, do you have antivirus and anti malware and firewall things like that. But what was interesting is the carrier that had the longest application, they had about 65 or 70 different lost risk control questions they had when we look across what the marketplace looks like, they probably have the smallest market share because their applications. So onerous that they never actually write a day policy because they never get an application back. So the ones that are doing the most in depth underwriting, I don’t necessarily believe that that’s because they’ve got a better understanding the risk either I think they just open up a miss framework or the C. I. S 20 and say, okay, well each one of those is gonna be a question of throat on the app and just hope they’re gathering the right information.

[00:39:27] Evan Francen: Yeah, that’s interesting. Well that’s that that that was my sort of assumption too, though, it’s it’s in line with what you’re saying, it’s, you know, writing policies get, get them on the street collect uh because you will outpace the losses. And I think did we see a change because you would know better than I did, But did we see a change in like the jumbo policies? Because it seemed like those policies now, you know, like a target policy or a policy for like General Mills are 3M those are much more in depth because of the dollars that are at stake. Is that is that true?

[00:40:02] David Kruse: Absolutely. Where you see a big, big sort of shift in how much underwriting gets done is once you get above about a billion in revenue, that’s when you really are going to get more in depth underwriting. And unfortunately I didn’t have the opportunity to work with many organizations with that kind of revenue. Most of most of the businesses that I worked with that I had probably a, a handful that we’re approaching that and but the vast majority probably were in the, you know, 500,000 revenue up to about half of like 500 million. That’s where the majority and that’s where the majority of businesses are these days. Um That those, those are the majority that I work with. But for some of those bigger ones, yeah, you’re going to get a more in depth underwriting process because if you, if you’re going to have an incident at a, at an organization like that, even if it’s a minor incident for that business, it’s still going to be a high dollar amount response. So, so they’re going to want to understand what it is they’re getting into. Um, so some of those, some of the better underwriting practices are starting to trickle down to your everyday carriers and the policies that the businesses that we work with every day currently hold, but it’s, it’s getting there. It’s not there yet. Um, but things like doing a basic external vulnerability scan carriers are starting to do that kind of thing is part of the underwriting process and that’s not sufficient, but it’s getting closer to that point.

[00:41:22] Evan Francen: Well, yeah, and I think there’s because one of the things we do get also is, well, you know, we’ve got cyber insurance. So we don’t need to have, excuse me, we don’t need to have a risk assessment or we don’t need to, you know, do all the other security things that you should be doing. Uh That’s a Yeah, I know right. That’s a dangerous dangerous mentality to

[00:41:43] David Kruse: yeah, might as well get rid of the smoke detectors in your house and the sprinklers in your warehouse

[00:41:47] Evan Francen: fire insurance. That’s a really good analogy. It is. I like that.

[00:41:51] David Kruse: Uh huh. Yeah, that’s well, there’s a couple of reasons for that. One is on the application that you’ve completed, you’ve probably made some warranty statement saying that you’re that you’ve got certain risk control practices in place so you’ve signed and that that application is part of the policy and payment is contingent on your true answers to that application. So at the very minimum you need to be doing what you said you were doing when you applied for the coverage. But somebody mentioned this the other day and i it might even been you it acts and perhaps even if I’m if I’m remembering right, but the person who said this basically said if you if you’re if you’re dealing with a nasty ransomware incident, that’s likely going to be one of the five worst days of your career. So yeah, you can have an insurance policy that might pay a ransom or cover your business interruption losses, but that doesn’t that doesn’t shake the feeling that you have, that you, that you’ve lost control. That doesn’t shake the feeling that your customers have or that your business partners have that. Maybe this isn’t quite the sturdy foundation that we thought they were no policy you can pay for that kind of stuff. So yeah, you want to avoid the loss Of course.

[00:42:57] Evan Francen: Yeah, that makes perfect sense because yeah, I, I assume there’s no real cyber risk insurance for reputational risk.

[00:43:06] Brad Nigh: I don’t know how you quantify that,

[00:43:08] Evan Francen: how you suffered in the marketplace, potentially

[00:43:10] David Kruse: with great difficulty. So, so cyber insurance. So when we say cyber insurance, there’s sort of two things we’re talking about here. The first is the bolton writers and endorsements that you might have on a property or liability policy. Those aren’t great. We won’t go into all the details why. But usually it’s low coverage limits and high costs for limits. So there’s a lot of reasons not to do that. So if you have a cyber policy, that’s its own policy there, that will typically include business interruption coverage, which is your loss of income while you’re recovered from the incident. The other piece that they would that some of the better policies offer is a reputational harm peace. That once the incident has been remediated. What is your loss of income over the next 12 or 18 months that you would have expected to incur, but are not incurring because you can trace that back to the incident that you had um you’re right. Right, that’s difficult to quantify that. Um but some cyber cyber insurance markets are offering a supplement of maybe $50,000 for the services of a forensic accountant to help you quantify that loss. Um so there’s, the industry is starting to deal with that particular case, but that’s that coverage isn’t very widespread at this point, but that’s something that’s growing.

[00:44:25] Evan Francen: That’s interesting. And so um I had another question, I was thinking, oh, have you seen in your time, you know, underwriting cyber, you know, writing policies or whatever. Um Have you seen uh claims be denied?

[00:44:44] David Kruse: You know, we we’ve seen we’ve seen seen claims get denied. What really is happening when clean gets denied, It’s usually due to improper expectations of the client of what the policy would cover and and that doesn’t fall on the client that falls on the broker, whoever their broker is to explain what the policy doesn’t does not cover. Um It’s it’s really rare. I don’t know that I’ve seen a claim get denied because you didn’t have the right firewall in place or something like that um Really where claims are most often getting denied is not understanding what’s actually covered or not and not adding certain coverages that you should have at the very beginning, so I’ll give you two examples there um just two weeks ago, we had a client that called up and wanted to file a claim for about about $15,000 was their loss. And what they were trying to do was they were sending some workers to do a job down in Virginia, so they were going to go on craigslist and rent a house for them to stay at while they were down there for a media month or two. Um So it was a typical craigslist scam where they sent the money off and then when they said, okay, well how do we get into the house? The person goes to them and the money was gone and the house doesn’t actually exist. Um So they tried to file that claim on their cyber insurance policy, but that type of craigslist scam really no cyber insurance market has ever intended to cover that because how do you underwrite for that kind of a risk? They can’t, the underwriter can’t review all of craigslist and identify the ratio of scams to not scams. So the insurance industry is really good at covering risks that understands and does not want to touch risks that doesn’t understand. Um So, so that was a situation where claim was denied because the client didn’t, the clients thought there’d be coverage for something, the policy was never intended for the other piece that we see far more often. Um Not necessarily at our, at our, at our, my old brokerage, but it sort of industry wide is people getting coverage for things like computer fraud or wire transfer fraud but not adding in coverage for social engineering fraud. Um You know, the the insurance entry will define those a little bit differently. Social engineering is exactly what you know it to be. But the computer fraud is where somebody hacks into your network and then communicates directly through your online banking portal and sends a wire transferred to Latvia and your money is gone and you’re never going to see it again. Whereas the other one you actually get tricked out of sending your money. So that’s that’s an issue where we’ve seen customers um think coverage is going to be there. But either, you know, we offered the coverage and they declined it or another agent offered the coverage and they declined it or something like that. That’s where we see most of the claims denials, but it’s usually not for you didn’t have the you didn’t have your patch management patch management procedure running properly. And a lot of the reason for that is most carriers on the underwriting side don’t have the technical aptitude to even understand that you weren’t patching properly. So they don’t have the they don’t have affirmative ground to deny the claim because they don’t understand the technical side well enough,

[00:47:44] Evan Francen: interesting. Yeah, I would definitely get the social engineering

[00:47:48] Brad Nigh: coverage.

[00:47:50] Evan Francen: I mean 95% of your breeches are coming that way. So if you if you decline that, not a naughty.

[00:47:56] Brad Nigh: Yeah, we’ve had a couple of incidents where the company reached out to us and then went and filed the claim and the insurance company had their own IR firm come in to review our work or I guess question what was going on? That’s always an interesting uh discussion where you know, because we’ve had conversations with insurance and they’re kind of like let us know what they did wrong. So the fear of working on behalf of the insurance to to stop or not do that payment versus what’s right for the customer.

[00:48:36] David Kruse: Yeah, absolutely. And that’s I think that sentiment is especially people on the technical side that sentiment is absolutely echoed. Um I would push back on that just a little bit and say that I I’ve met with people that handle the claims on the insurance side of things and often they’re very good people, you know, they’re not necessarily in this too, you know, pay as little as possible. What really, what motivates a lot of these people is how it’s really the basis of what insurance is and it’s indemnification making somebody whole again, so what drives a lot of the people on the claim side of an insurance company is how do we make this person whole again as quickly as possible. Um And two and according to the, you know, the values that this company has something like that. Um So the carriers definitely will keep their own panel of incident response providers but the reason they mainly do that is because they recognize that these are very time sensitive incidences and the moment you have somebody in your system, you need somebody working on getting them out of your system yesterday. So they keep people on retainer just so that you can fire somebody up and say, all right, go take care of that. Um, so it can lead to some sticky situations if a client has gone out, gotten their own i our team and then the insurance company says, well you should be using ours and that gets a little murky. It certainly does.

[00:49:56] Evan Francen: Sure that makes sense now. It seems like the one we have to move on here in a little bit. But It seems like the one thing that insurance companies fear the most I just want to ask because it just popped into my head is one event that affects a wide number are large number of uh, you know clients because that’s very, you know, being that we are in such a connected world and you know, you have things like wanna cry which turned out to, I didn’t cry but uh, but there’s a possibility that one catastrophic event that affects, you know, half the United States. That’s going to be very bad for the insurance industry, right?

[00:50:37] David Kruse: Yeah, that would be tremendously bad. Yeah, absolutely. I don’t know what else to say. Yeah, that would be terrible. So you’re, you’re right. The, the cyber insurance conferences that I’ve been out in the white papers that I’ve read, They will use the term aggregation to deal with that type, that topic. But that is that is a big concern for a lot of folks. Um and and it’s not not really hard to understand why because you know, if you have, you know 500 policyholders all making $1 million dollars claim all at once instead of one major claim every six months. That’s the insurance company has a finite amount of money to pay claims with. So you might reach that finite amount at some point. Um So carries do build in some backstops into the policy to prevent that type of thing from happening. And one example is um it actually, you know one of the, one of the news stories that you put in the notes here Evan about the was at the Utah power company that was taken down by an attack. So better cyber insurance carriers will offer what’s called contingent business interruption. So if if a business you rely on um is the victim of a cyber attack and you lose business income as a result of that will pay that business income loss. So they typically mean something like in a. W. S. Or you know some sort of cloud hosting company um where they will not have not seen any carrier offer coverage is for utilities if you have a power if your power utility falls victim to cyber attack and you lose business income as a result of that cyber attack and you no longer get power. No, I don’t know of any carrier that’s willing to offer coverage for that because you think about that, just like you said, you could have 1000 policyholders get hit at the drop of a hat and that would, that would be awful. So, um, so they usually don’t stick their necks out for something like that.

[00:52:33] Evan Francen: Yeah, that’s interesting. It will be cool to see how this market sort of, uh, all kinds of pictures. Yeah. Uh the one thing though, and for our, for the benefit of our listeners and because I agree with it completely is you said business must repeat, must work with a broker that knows what they’re doing uh, with cyber insurance, not somebody who’s just dabbling in it or just kind of playing around. Uh, So when you’re shopping for your own business, cyber insurance policy, make sure you’re going with somebody who has done this for a while. Right?

[00:53:10] David Kruse: Oh, absolutely. And that’s, I mean, the reason that property and liability policies, those have been around for 400 years and the property insurance form, as we know, it hasn’t really changed in probably 80 years. I mean every carrier puts their own little spin on it, but the form is basically the form, there’s not really any sort of standardization in this market, yet it’s trending that way. but it’s not there. So having a carrier that we’re having a broker that really has some sort of a practice for some sort of person whose job it is to understand the current state of the market is going to be critical. Um one example of this I found is there’s, I was working with the hospital in Minnesota last early this year and they mean their hospital for Pete’s sake, you’re talking about a target rich environment that you know, is going to be high risk. Um we, I went to talk with them and they had, they had a policy with a $1 million limit, which seems shockingly low to me, if you look at the ocr s list of hipaa fins, that’s already that’s already too low. And then if you actually read the policy forum and get into the conditions, they had what they called it a due diligence and a vendor due diligence condition, meaning that you basically said you need to be conducting yourself with the best possible information security policies and you’re also promising that all of your vendors are going to be doing that as well. How in the hell of the hospital supposed to do that? I mean, tell me that’s not a back door that the carrier could get out of paying whatever claim they wanted to and I don’t that’s not necessary. I don’t blame the carrier for writing that policy because they don’t necessarily understand, they don’t understand what they’re offering coverage for and, and that’s a reasonable thing to offer. Say on the property side. Yeah. You should make sure you’ve got working fire extinguishers and sprinkler systems or whatever. But that’s to me that was unacceptable. And the person that they were writing their coverage with was phenomenal on all the other lines of insurance. But I said we really need to move the cyber because this is a really bad condition you have built in and the better insurance cyber markets out there are going to have those kind of conditions.

[00:55:13] Evan Francen: Yeah, exactly. Well, that’s good man, this is really good discussion. Dave, we’re going to have you on again, I’m sure because hopefully, uh, you know, people that are listening are have questions about cyber insurance, uh,

[00:55:27] Brad Nigh: guarantee you want to ask questions. Right.

[00:55:29] Evan Francen: Well, you want to make the right call here, right? You don’t, you wanna because how many times do we do incident response is brad where we here? I thought we were covered for that, not for insurance necessarily, but you know, for, they went out and bought a new blinky light thing and they didn’t

[00:55:43] Brad Nigh: spend a lot of money and yeah,

[00:55:46] Evan Francen: you know, so they don’t

[00:55:47] Brad Nigh: have asset management in place. So yeah. Hey, you’re, you’re blinky light only covers a third of your entire yes. Yeah.

[00:55:55] Evan Francen: All right. So let’s move on to some news, uh, and then we’ll close this thing out. So one of the news stories that caught my eye and it was actually Brandon. I think he was sent to me while I was ruined our

[00:56:05] Brad Nigh: weekend.

[00:56:06] Evan Francen: Well yeah, you know, is this Google buying Fitbit for $2.1 billion? How long before we start talking trillion someday? But this isn’t a really interesting story. So I’m just going to choose the one from the New York Times. That’s the one I referenced in the in the notes. Uh, but here Google, the title is Google to buy Fitbit for $2.1 billion. The deal represents an aggressive attempt by Google to bolster its lineup of hardware products. Yeah, I think you remember when google was a search engine

[00:56:41] Brad Nigh: do no evil. I know, right? Um Yeah, yeah, this concerns me. They’re claiming they’re not going to use any health data for advertising. And I believe it when I see that you’ve seen,

[00:56:55] Evan Francen: you’ve seen google’s response to other things. You’ve seen their responses to breaches. I mean, they’re so aloof about this crap. They could give two craps about your data. Right? I mean, seriously get serious.

[00:57:08] Brad Nigh: And the problem is, you know, what are your options now? Right. What are other alternatives for that? But one of the things I saw that did make sense is you know that that that wearable health analytics market is really gonna explode from a medical standpoint, not just, you know, your personal health, but you know from diabetics and all these other things. So that’s where google is trying to get in now because they want to diversify. So it’s not just their ads

[00:57:39] Evan Francen: they have such a vast amount of wealth though you know to get into this market.

[00:57:44] Brad Nigh: I’m not scared defending them.

[00:57:46] Evan Francen: But yeah I agree. I mean it’s already I mean as a consumer your were essentially powerless, right? You Yeah I know Google has the G. D. P. are compliant things where you can go and see all the data that they have collected about you. But that’s BS two. I don’t believe it.

[00:58:02] Brad Nigh: Well. And what are the what’s the penalty if they do have a breach and your personal health information is leaked and

[00:58:10] Evan Francen: right. What is your

[00:58:11] Brad Nigh: recourse as a consumer against google?

[00:58:14] Evan Francen: Mhm. Yeah so this just makes me feel very uneasy. David, what do you think

[00:58:19] David Kruse: it’s nothing that I’m terribly comfortable with? You know I think we talked about aggregation from the uh from the insurance side just a bit ago. I mean I think that’s a concern for the data, the data holders that we will work with nowadays too. You know I I don’t necessarily like the idea of one company having all that much. I don’t know that there’s much we can do about that as everyday people but you know that’s yeah that’s a concern.

[00:58:52] Evan Francen: Yeah I don’t know I’m more I don’t wear a Fitbit and I’m not going to and I don’t have google home but even then google, you know, according to the article Uh controls or is involved in 90% of every Internet search. I mean my God, the data they have is crazy. And even if they’re not, there’s nothing nefarious here, you know, google is such a wholesome company. That’s just way too much power to wield in one place. Right? I mean uh man, we’re sinful for crying out loud.

[00:59:30] Brad Nigh: Yeah. Uh Alright, it’s interesting girl,

[00:59:34] Evan Francen: I don’t want to talk forever about that. So I’m just gonna get depressed and it’s monday. Let’s not do that.

[00:59:39] David Kruse: Got started to hide out here.

[00:59:41] Evan Francen: Yeah. So the next one to uh just make us even happier. Uh this one comes from threat post the next two news articles come from threat post the first one is global crime ring bilked us military members vets out of millions. Uh what do you think about this one grab?

[01:00:00] Brad Nigh: I mean, unfortunately, it’s something we see all the time. This was just very, very targeted towards military. But yeah, I think this is probably wider spread than people realize, but because it was a the, you know vets where it’s a kind of a targeted group, it gets a little bit more publication. Um but yeah, unfortunately this is pretty common for for those types of uh online fraud.

[01:00:35] Evan Francen: Right. Well, and this is us citizens involved to write in this fraud. This Frederick Brown pled guilty um as a and and then he had a co conspirator named what’s his name, robert wayne Bolling JR they, none of them have been sentenced yet. But what would be the appropriate penalty for somebody like this?

[01:00:59] Brad Nigh: Uh, you know, I don’t know.

[01:01:03] Evan Francen: I saw another article this week on Iran, I don’t know Fox news. I was watching, I was reading Fox news, uh, and they were talking about the punishment in Iran. You know, they’re talking about how inhumane it is. I wonder what happened to these people. Yeah, country like that.

[01:01:20] David Kruse: I’m not sure you’ll be hearing from them again.

[01:01:22] Brad Nigh: Yeah, they would disappear.

[01:01:26] Evan Francen: Yeah, that’s crazy. So bullying Crawford Kerr and Seaq. So these are others, uh, are charged with multiple counts of conspiracy, wire fraud and aggravated identity theft. Crawford remains in federal custody and bowling currency occur in custody and Philippines awaiting extradition. Mm hmm. They should uh, yeah, I wonder what the vets would like to do.

[01:01:49] Brad Nigh: Yeah. Well, I’m going to guess they’re not going to have a good time in jail because I think they said and they’re like, each conspiracy is like 20 years in prison right up to I guess. But with multiple counts, I’m going to guess they’re probably gonna be real popular.

[01:02:03] Evan Francen: Face your accuser. That’s what they should do. Just face your accuser, all the victims, the military guys and gals probably another one from three post solar wind power utility disrupted in rare cyber attack. This is uh, us energy grid. This is s power a Utah based wind and solar provider series of lost connections in its main control center in remote power generation sites. It’s a it’s a DDOS attack. Yeah dos attack.

[01:02:38] Brad Nigh: I mean Yeah. Well I want to say that that’s surprising that they were able to be disrupted by that. But I mean it’s sadly not.

[01:02:51] Evan Francen: Well the fact that the matter is the entire power grid is so fragile. It doesn’t it doesn’t really take much,

[01:03:00] Brad Nigh: It’s running on stuff that’s 20 years old because it works right.

[01:03:05] Evan Francen: Like I was going to work with a Power Company A Large one and Yeah we were talking about their control systems and we’re talking about these Windows XP machines. I think they were maybe they might even been there might have been before that might have been 98 or something. I can’t remember XP their XP uh we they were vulnerable. Like completely vulnerable and like, you know, we need to figure out a way to patch these when they said well we can’t, I’m like why can’t you? And they said well because if we patch that system to and and reboot it, everybody loses power like so you didn’t build redundancy into this. No, you know and there’s so many single points of failure in our power grid just due to common sense, poor planning.

[01:03:50] Brad Nigh: Yeah. Yeah. I know we’ve talked with companies power companies and stuff that still running like Windows 2000 some 2003 stuff like that for that exact reason. Well we can’t replace it because they’ll take everything down.

[01:04:06] Evan Francen: They have no redundancy. No

[01:04:07] David Kruse: I was talking with the C cell of the hospital system in michigan probably a year and a half ago and we were talking about you know updating your systems and you know stuff like that. And the issue that she had is they had were running they were way far behind on either updating to a newer version of Windows are just patching the existing version for their MRI software. And what she was worried about that because obviously there’s lots of sensitive health images and information that you can access in the hospital. And she said she approached her her medical team and said okay well we need to update this this software and the doctor said no we don’t want to do that because the moment we update the newer version of the software doesn’t give us as good as an image as the old version does. So in a situation like that, how in a hospital setting done is patch management ever going to trump patient outcome. So you have to find a way to build around that. But in a case like that, maybe there’s a legitimate reason not to do it but that doesn’t mean you necessarily just sit and sit and stew with that risk. You still have to find a way to isolate that somehow.

[01:05:15] Evan Francen: Well you hit the nail on the head. Right. You have to get creative, you have to figure out other ways to mitigate the risk because there’s, there’s usually multiple ways to do it. And so one of the strategies in hospitals that you know works well is to, is micro segmentation, you know, in isolation of those systems. So if there is a malware outbreak or something happens on that network, it’s very limited. And that network is so hardened that if somebody is pivoting within the network, you know, trying to find it, uh, they’ll be restricted in that too. It’s almost like treating them like little cardholder data environments in a peaceful environment. Yeah.

[01:05:51] Brad Nigh: The problem is, is that you don’t see that investment being put in. They don’t have any

[01:05:56] Evan Francen: money. Yeah. I mean, most of the hospitals in the United States are losing money. I mean, even big ones here in the, in Minneapolis in the Minneapolis area, big health systems are only Operating at like a one or 2% margin. Right? They don’t have the money to, it’s just crazy. Anyway. Well, that, that’s some good, you know, some uplifting news for a monday.

[01:06:22] Brad Nigh: Good way to end

[01:06:23] Evan Francen: it. Right. Well, David. Uh, seriously, thank you for joining us. I do. Thank you for having me. I hope we, uh, we get to do this again. There’s so, you know, as I’m sitting here thinking, I’m thinking of more insurance questions. I’d love to ask

[01:06:36] David Kruse: next time we’ll do I was a cyber insurance broker for five years. Ask me anything.

[01:06:41] Evan Francen: That would be great. We should a live show. We haven’t done that

[01:06:45] David Kruse: before. There you go. I drive up to the cities for that.

[01:06:48] Evan Francen: Yes, you’re too I’m gonna make the year two of the best year ever Right to it. So episode 52 is a wrap. Thank you to our listeners as well. Keep the questions and feedback coming. We do read it, we do enjoy it. It’s uh I don’t know, keep it clean if you can. Yeah. Mostly

[01:07:07] David Kruse: cannot make it funny.

[01:07:08] Evan Francen: Yeah. Yeah. There you go. Give me a picture that I can tweet that people will give me like some laugh about it.

[01:07:15] David Kruse: Yeah. There you go.

[01:07:17] Evan Francen: Send those things to us by email at Uh If you’re the social type socialize with us on twitter, I’m @EvanFrancen and brad is @BradNigh David. Do you have, do you have a twitter account anyway? You want people to follow you?

[01:07:32] David Kruse: Um You know Lincoln is probably the best way to go. Um If you if the Lincoln link is something like linkedin slash David. Our crews. Last name is K. R. U. S. E. That’s probably the best way to get a hold of me

[01:07:44] Evan Francen: perfect. That’s how you find him. Also follow security studio. It’s at studio security and fr secure is at fr secure. He said that wrong. What I mean? He said at studio secure. That’s how it is. What? That’s how it is. Yeah, That’s the other one was taken by somebody.

[01:08:01] Brad Nigh: Oh, uh yeah, I thought it was That did not even realize that. Well, I’m gonna take that back then. Brandon edit that out.

[01:08:10] Evan Francen: All right. That’s it. Have a great week.

[01:08:13] David Kruse: Thank you for talking to you guys.

[01:08:16] cyber insurance: Thank you for listening to this episode of the Unsecurity podcast. We value our listeners and would love to hear from you. Give us your feedback by emailing us at Be sure to tune in next week to hear the latest insights from brad and oven