Cyber Wellness: Tips to Keep Your Business Safe

February 10, 2023


What is Cyber Wellness? Tips to Keep Your Business Safe.

Host Kevin Szczepanski is an insurance, privacy and data security attorney at Barclay Damon in Buffalo, New York. For episode 29 of Barclay Damon Live: Cyber Sip™ Kevin talks with Bill Haber, co-founder of TEKRiSQ, a cybersecurity company that helps small- and medium-sized businesses minimize technology risks quickly and affordably. Bill’s company approaches its work with a “wellness” philosophy—only recommending solutions after the underlying issues are diagnosed. Bill dispels some common myths, describing how and where his company comes into the mix when businesses are seeking cybersecurity insurance. 
[Kevin Szczepanski]: Hey, everyone, this is a Barclay Damon Live broadcast of the Cyber Sip. Practical talk about cybersecurity. I’m your host, Kevin Szczepanski. Let’s talk.
[Kevin]: Hey everyone, we’re back with another episode of Cyber Sip. And this morning, very excited to have with us Bill Haber, the co-founder of TEKRiSQ. Bill, welcome to Cyber Sip.
[Bill]: Thanks, Kevin. Great to be here.
[Kevin]: Now, I know that TEKRiSQ believes very strongly in identifying a… or an organization’s true technology risk before taking any steps to remediate and reduce that risk. But before we get started, I want to ask you how you got started in the world of cybersecurity and why your experience led you to found TEKRiSQ.
[Bill]: Sure. That’s a great question. And I’ve had a long technology career in software companies, data platforms, cybersecurity solutions, medical devices, and…let’s say lots of areas dealing with sensitive data. And my co-founder, Dean Mechlowitz, with a similar background, he’s been in more engineering and pure cybersecurity types of companies. But our skillsets complement each other. I had an opportunity to work with and help found a wholesale brokerage years ago, focused on technology-oriented risk. And when I looked at the way that data was being collected, let’s… rather than data; the way people are populating applications, the way clients are interacting with the… with insurance carriers and their agents, I saw a lot missing. And I certainly saw an absence of true “diagnosis.” So, you know, root cause—what’s going on in this organization? What’s their cyber maturity? Do they practice, let’s say, “cyber wellness,” you know, their solutions in place, policies, procedures. I just found it very loosey-goosey and realized, you know, this is an extraordinary moment in time when people go to get insured and it’s an opportunity to really evaluate where they’re at and recommend things that will make them more resilient and get a real good look under the hood what’s going on in its own organization. And that’s a missed opportunity; it still is for many reasons. So we sought to find a way to streamline that in fast, affordable ways that can help insurance professionals to get that proper view and, you know, really have a better way to prevent bigger problems down the road.
[Kevin]: It almost sounds like what you’re saying is that you had seen a situation where patients were going into the doctor’s office and the doctor was prescribing the antibiotic or the antiviral without first diagnosing the patient. So what you’re talking about, it seems to me, is, you know, we’ve got to get in there and we’ve got to diagnose the patient first. What are the risks to this organization of technology or data? And then based on those actual risks, we’re going to devise a solution that enables the company to manage the risk, to get insured, and so on. Is that where you’re coming from?
[Bill]: Well said, Kevin. And yes, we deliberately use the “cyber wellness” term and I use that in some organizations that I participate and discussing these topics as well. But it’s very easy for people to understand. You know, driving wellness keeps you out of the doctor’s office. Proactive analysis of what’s going on is what helps you to correct problems before they become bigger.
In fact, cybersecurity companies, when they look to deliver solutions to their clients, they prefer to perform risk assessments to identify where people are at on the maturity continuum. What are they doing right? What are some clear gaps and how do we fill them? And, you know, there’s a lot of companies that make full-time careers out of that. You can really, with focused conversations, using these principles, get to the bottom of that pretty quickly. And that’s really where we’re focused—that checkup has to happen.
[Kevin]: And you’re focused primarily on small- and medium-sized businesses. Why is that? Is there a need you see that isn’t being met? Or is there some other reason?
[Bill]: No. You bet there’s a need. That segment…we consider them underserved. Most of the focus of cybersecurity companies today are on the “haves.” And when we say “haves,” you know there’s a digital divide with the haves, with CISOs and solutions and policies and procedures and well documented and in the “have nots,” who sometimes don’t even know where to get started. And so there’s an opportunity to quickly engage those folks and have cybersecurity experts participate in conversations to analyze what’s going on here. Where do they need help? Are these folks aware, are they driving wellness or are they lost and need help? And provide the recommendations to help them get there.
So, you know, we saw a huge unmet demand and we’re seeing a good cyber risk profile being critical to doing business today, almost as important as a credit report on Dun & Bradstreet. And that’s part of the reason why cyber insurance is exploding. If we can help people to, you know, button up procedures and tighten their security stack, they’re not necessarily that far away from being insurable. They just need a little bit of help.
[Kevin]: All right. So let’s say I’m one of those have nots. I know that data privacy and security is important. I know cyber hygiene is important, but I don’t know how to get there. So I’m talking to you. What’s the first step that you take in order to identify and diagnose my cyber hygiene?
[Bill]: Sure, great question. So we believe the best way to do that is to start objectively with a technology risk assessment, looking at potential vulnerabilities. We have a few different ways that we do that, but we have a basic risk assessment that we deliver to most of our clients that’s not more than 30 minutes. It’s an online conversation that’s fast, easy, and affordable. We strip technology jargon out of it. Then when we talk to people, we seek to understand how are you using technology? What are the things you use? How do you share data? Where does the data live? Who’s accessing it? What methods do you use to secure it? And we used NIST-based principles to kind of dig into that. We also use a little bit of psychology and adult learning theory to arrive at some conclusions and make some recommendations.
[Kevin]: Tell me about that. Got it. I’m sorry to interrupt, but tell me about that. How does that psychology and adult learning theory play into the analysis?
[Bill]: Sure. So sometimes the way people answer questions indicates a bit of uncertainty or there’s a vague response and we find a way to come back to that and ask the question a different way to determine if we see an inconsistency or just evaluate with the confidence level that people have in their responses. That’s really important. We see a lot of small business leaders believe in common myths, and we hear them every day when we talk to clients. Things like, Oh, well, I have everything in the cloud, so I’m good. We use Macs exclusively here, and since Macs can’t be infected with anything, we are ok.
[Kevin]: Can we try it? I’m going to…I’m going to be pretty much who I am. And we’re on a phone call. And you’re working through the questionnaire, if you will, to sort of get a sense of my cyber hygiene and where I sit as an organization. So go ahead.
[Bill]: Sure. So, Kevin, do you have any particular ways that you secure your endpoints in the company?
[Kevin]: I think so, but I’d have to talk to my IT person. I’m not really sure how we do that.