The Cyber Insurance Wake-Up Call [GF-5AE6E3]

Field Transcript

Ring! Ring!

Me: GreyFalcon MSP. This is Daniel. How can I help you today?

Caller: Hi Dan. It’s Terry at Acme. I have a problem I need your help with, please.

Me: Good morning, Terry. Tell me what’s going on.

Terry: My business insurance is going up. A LOT.

Me: That is … unfortunate. But you have had a couple of issues, the last two years.

Terry: Yeah, I know. And I spoke to my agent about the situation. He says if I can prove to them that I have corrected everything, he might be able to get my rates back down to what they should be.

Me: So … you are ready to sign up for managed services? That will allow me to get you compliant and maintain that compliance with your insurance policy.

Terry: Oh, uhm, well …

Me: I see. You want to APPEAR compliant to lower your premiums. But without spending the money you should be to actually be compliant?

Terry: When you say it like that, you make it sound like fraud.

Me: Well, Terry, if it quacks like a duck …

Terry: You aren’t going to help me with this, are you?

Me: I will be happy to get you compliant, Terry. And I will be happy to help prove it to your insurer, AFTER that compliance is in place. But I’m not going to put my name on it, unless I’m being paid for it and the maintenance of it, too. Proving you were compliant for one day of a year is not enough. They want to see you are maintaining that compliance. You filled out that insurance questionnaire. Then you signed the contract stating you had and would maintain that level of security.

Terry: But it’s all bull****, Dan. You have told me, many times, that computer threats are always changing.

Me: Yes. They are. Because every time the security community reacts to a threat, the bad actors just change their attack methods. Finding new loopholes. New methods of getting internal people to open doors for them.

Terry: Like I said, “It’s all bull****!” How can we stay in business if we are constantly having to fight off these threats?

Me: How do you continue to drive, every day? Every day, there are more drivers on the road. Now that summer is starting, kids are out of school, even more of them are driving, all day long. With the attention span of a high school gnat. Your car insurance is going up, every year, because the risks go up.

Terry: That is not the same, Dan. I’m a VERY careful driver. And I do not hire people to deliver my products who are not equally careful.

Me: But you don’t carry that caution into your cyber security. The threats go up, but you want to buy a single-use tool that locks everything down. A single, minimal payment to meet your insurance commitment. Such does not exist.

Terry: So what am I supposed to do, Dan? Just keep writing checks forever?

Me: Terry, you already do.

Terry: What?

Me: You pay your electric bill every month, right?

Terry: Of course.

Me: Why? Didn't you pay it last month? Shouldn't the lights just stay on forever?

Terry: That's ridiculous.

Me: Exactly. You pay it every month because you are consuming a service every month. Cybersecurity is not a product sitting on a shelf. It is an ongoing process.

Terry: But I bought antivirus software.

Me: And I bought a fire extinguisher. That does not mean I canceled my insurance, removed my smoke detectors, stopped checking wiring, and started storing gasoline next to the furnace.

Terry: Fair point.

Me: The insurance company is not asking if you bought a security product, Terry. They are asking if you operate your business securely.

Terry: What exactly does that mean?

Me: It means your systems are patched. Your backups are working and tested. Your employees use proper authentication. Your computers are monitored. Your risks are reviewed. Problems are corrected before they become disasters.

Terry: And you document all that?

Me: Yes. Because when something happens, the worst possible time to start collecting proof is after the insurance company asks for it.

Terry: Like trying to buy car insurance after the accident.

Me: Exactly.

Terry: I hate when your examples make sense.

Me: I know. It ruins a perfectly good argument.

Terry: So what happens if I just tell them what they want to hear?

Me: Then you are gambling.

Terry: With what?

Me: Your claim. Your business. Possibly your reputation. The application you signed was not a wish list, Terry. It was you telling the insurance company what protections you already had in place.

Terry: So if I said I had something and didn't…

Me: Then after an incident, they may ask you to prove it. And "I meant to eventually" is not usually accepted as evidence.

Terry: You're killing me, Dan.

Me: No, Terry. I'm trying to keep your business alive. The attackers are the ones trying to kill it.

Terry: Send me the paperwork.

Me: For the insurance review?

Terry: No. For the managed services agreement. Apparently, I need someone making sure this stuff actually happens.

Me: I will get it sent over.

Terry: One more thing.

Me: What's that?

Terry: Do not put this conversation in one of your Ring! Ring! stories.

Me:

Terry: Dan?

Me:

Terry: You're already typing, aren't you?

Me: Have a good day, Terry.
