Episode 338


Time sheets. Taxes. Annual reviews. There are some things we don’t love as agency owners and leaders. Cybersecurity and compliance are absolutely on that list. But much like taxes, it’s a necessary evil today. The risks are too great, and the reality is – our clients are going to demand it. We’re far better off to get out ahead of it before we’re asked.

Even my guest, Nathan Maxwell, refers to cybersecurity and compliance as “necessary evils.” But, as the CEO of CCITeam, Nathan also knows better than anyone that in a world filled with data breaches, security risks, and unpredictable online attacks, avoidance simply isn’t an option.

Nathan isn’t one to sugarcoat the daunting realities of implementing solid defenses, navigating cyber insurance options, or tending to the growing list of compliance concerns we’re all getting from our clients. But during our conversation, he reminds us that those processes, while painstaking at times, are never insurmountable. In fact, when we take the time to do these things the right way, our efforts won’t just make our companies safer — they’ll make them better.

Founded in 1995, CCITeam (formerly Communication Concepts, Inc.) is a full-service cybersecurity, compliance, and IT firm headquartered in the US heartland. President and CEO Nathan Maxwell saw an important unmet need for a quality IT and cybersecurity provider that treated its clients more like family than like a ‘number’. With over twenty years of experience in enterprise-level corporations, Nathan founded CCITeam on four core principles: care, ownership, sharing knowledge, and loyalty. These principles are what make CCI one of the most trusted managed IT and security providers in the region.

A big thank you to our podcast’s presenting sponsor, White Label IQ. They’re an amazing resource for agencies who want to outsource their design, dev, or PPC work at wholesale prices. Check out their special offer (10 free hours!) for podcast listeners here.


What You Will Learn in This Episode:

  • What effective cybersecurity looks like for agency operations — and why you should care
  • The risks every business should be aware of (yes, small agencies too)
  • How cybersecurity and compliance are the same, and also very different
  • Why your policies need to match your practices and how to make sure they do
  • How your employees can either strengthen your cyber defense…or be its greatest weakness
  • What to do to protect your business from big risks — including the ones lurking in your inbox
  • When to start shopping for cyber insurance and how to know how much you need
  • The ROI for agencies who “do all of this right”

Quotes from the episode (@CCI_team):

“Cybersecurity is kind of a necessary evil right now.”

“These conversations are good, helpful conversations — even just in helping businesses mature and do things the right way.”

“In all likelihood, a breach is caused when a policy is violated.”

“Write something down, make it readable, and be done with it. A policy is better than no policy.”

“Ultimately, this process makes you a better company.”


Speaker 1:

If you’re going to take the risk of running an agency, shouldn’t you get the benefits too? Welcome to Agency Management Institute’s Build a Better Agency podcast, presented by White Label IQ.

Tune in every week for insights on how small to mid-size agencies are surviving and thriving in today’s market. We’ll show you how to make more money and keep more of what you make. We want to help you build an agency that is sustainable, scalable, and, if you want, down the road, sellable.

With 25-plus years of experience as both an agency owner and agency consultant, please welcome your host, Drew McLellan.

Drew McLellan:

Hey, everybody, Drew McLellan here with another epic episode of Build a Better Agency.

You know, we’re going to cover a topic today that I think is super important, but I can’t decide if you’re going to love me or hate me by the end of the episode. So I’m a little leery, the guest is going to be awesome and I’ll tell you a little more about him in a minute, but the topic is a tough one. And so it’s tough because we don’t want to do it. And it’s tough because we kind of need to do it because it puts us at real risk.

I guess that’s enough teasing at that topic. So let me just tell you this. Nathan Maxwell is my guest’s name and he is an expert. He’s a consultant and he works with lots of agencies on helping them get cyber compliant. So a lot of times when you are pitching a big brand or you’re filing for cyber insurance, you get this checklist of things that you need to do.

And a lot of agency owners look at that list and go, “I don’t even know what half of this is and I don’t know how to do it. And I don’t know how expensive it’s going to be.” And it can really be a deer-in-the-headlights moment for a lot of agency owners and leaders.

And so I asked Nathan to come on the show and just kind of give us some 101 basics of what it is that we need to be thinking about and doing and all of that. I will also tell you that Nathan is going to be at the Build a Better Agency Summit in May, he’s going to be one of our breakout speakers. So if this is a topic that is important to you and you think after you listen to the episode, A. That guy knows what he’s talking about, which he does and B. He actually spoke in regular English for the most part, which he does. And C. I’d like to learn more from him, which I think you will, the summit may be the place to do that.

So it’s easy to get to in terms of where you buy tickets: just go to the AMI website, agencymanagementinstitute.com, and up in the upper left corner is a BABA Summit navigation for Build a Better Agency Summit. Just click on that and you can register and you can learn more from Nathan, because I think after this episode you’re going to be a little freaked out. You’re going to be a little scared, but you’re also going to realize that this is not optional for us anymore.

I think a lot of us think it’s optional still and I think that that’s probably not the case. So if you want to learn more from Nathan beyond the episode, the Summit would be a great place to do that.

All right. I have so many questions for him. I know I could talk to him for three hours, so I want to get right to the show. No more chit chat from me. Let’s just get to it.

Nathan, welcome to the podcast. Thank you so much for coming on the show. I feel like this is a topic we have a lot to talk about.

Nathan Maxwell:

Drew, it’s a pleasure to be here. Thank you so much for having me.

Drew McLellan:

So give everybody a little bit of background on how you come to know all this stuff that I’m about to ask you and how you got into the position that you’re in. That would be great.

Nathan Maxwell:

Yeah, absolutely. So Nathan Maxwell, 20 years in the managed service provider cybersecurity compliance space, all that to say it is, I have spent a long time, many years helping businesses function from a technology standpoint, stay safe. And now with the pressure that compliance is putting on many of us and then just assisting with those pain points.

I have run CCITeam for those 20 years and located here in the Midwest, the Kansas City market.

Drew McLellan:

So let’s talk a little bit about how or why should agencies care about this? Like I have a lot of agency owners who, you and I were talking before we hit the record button. It’s not like everybody’s like, “You know what? I really want to get ahead of this. I want to invest a bunch of time and money and get my cyber house in order.” So what happens that makes someone call you?

Nathan Maxwell:

Absolutely. Yeah, so that can be a nice long answer here. So from a history standpoint, everybody remembers the target breach from however many years ago and that was a watershed event.

Drew McLellan:

Yep.

Nathan Maxwell:

And big business went, “You know we have some very significant risk. We have gaps. We have this black box of unknowns as a result of our subcontractors, our vendors, those that we are hiring and bringing into our environment.” And that just started this ball rolling. And the snowball just built and built and built. And that’s why Drew, you and I are having a conversation right now.

Because those of us, as I’ll just paint with a broad brush and say small business, small agency owners, are now getting hit with, hey, I have a client. I provide good work for them. I’m doing a really good job servicing them and they turn around and they send me this questionnaire with all of this technical, policy-based cybersecurity stuff that I’m supposed to fill out. And I can’t even hardly read it, let alone know how to answer it.

And so that’s really the impetus for this conversation. And sadly, like you said, right, it’d be really nice if all of us are forward leaning, forward thinking and like, “Hey, let’s get ahead of this.” But generally speaking we’re so busy running day to day ops and taking care of customers and all that. It’s just one of those things we don’t get the time for until it’s dropped into our inbox and somebody starts a clock and goes, “Hey, can I get this back from you in a week or two?” It’s not a fun thing.

So who’s likely to ask us that question, “Hey, I’m going to give you a checklist and I’d like to get your answers back or proof points that you’ve got all these things covered back in a week or two.” That’s a growing list right now we’re seeing larger businesses are doing this because they have a risk management department that is responsible for, you guessed it, managing risk.

Drew McLellan:

Right.

Nathan Maxwell:

And so they are taking a look at suppliers, vendors, subcontractors, and they’re saying, “Hey, we’re doing all of this stuff. You’re doing it too. Right?” And you know, a lot of us are like, well, right or maybe we’re doing it, but unofficially, like we can’t prove it.

Drew McLellan:

Right.

Nathan Maxwell:

Right. Maybe we’re following these best practices because some of them are just straight up logic and we can’t prove it. We don’t have the policies to match our practices. Like there’s all of that. So certainly it’s coming upstream from a client standpoint, the other area that’s really moving the needle is cyber insurance. And honestly Drew, five years ago, I would talk to a potential client, I would start talking about cyber security and risks and risk assessments and all this. And they would go, “Eh, no, hang on. We’ll just add a $50 rider to our policy and we’ll bolt cybersecurity on there.”

And we don’t really care because if something happens, they’ll just pay us. And that doesn’t work anymore because the insurance companies are really tired and we’re seeing denied claims as a result of negligence because it’s like, you’re not doing this and this. And maybe you told them you were, maybe you didn’t, like who knows? That’s off in the weeds, but cyber insurance is moving that as well because they’re really tired of just paying and paying and paying. And they’re starting to ask for their clients to follow some best practices in this realm.

Drew McLellan:

So when we start talking about checklists and best practices, what are they asking us for?

Nathan Maxwell:

All kinds of stuff. And this is the silver lining. Okay. And I am biased because this is the business I’m in. And this is a service that we provide. But cybersecurity is kind of a necessary evil right now.

Drew McLellan:

Right.

Nathan Maxwell:

You know, and again, that’s certainly tongue in cheek because ultimately cybersecurity done right is not a bad thing. And I’m lumping cybersecurity in with compliance and I’m using those two synonymously because they really are. So somebody gets this, let’s say me as the example. I get this email from a client of mine and they say, “CCI Team, you’re doing all of blah, blah, blah, blah, blah.” And it could be anywhere from 50 to 250 of these different questions that they’re saying, “You’re doing this and you have a policy that covers this and you’re doing that.” And again, page after page after page.

There’s a… I won’t say the name of the company, but there’s a large company that, tongue in cheek, affectionately called their cybersecurity department, “The department of revenue prevention,” because it was seen as the department of No. And this whole compliance conversation has really morphed into what I see, again, admittedly biased, as being a good thing for companies to address.

You know a really great example is do you have a policy that says, “We terminate accounts for employees within four business hours of the time they leave the company,” that’s the policy. Then yes, you assess against it and all that. But how many times have we been in some system six months later and been like, “Hey, what’s this account still doing here? That person left eight months ago.”

Drew McLellan:

Right.

Nathan Maxwell:

So these conversations are good, helpful conversations for businesses just in helping them mature and doing things right because that like, “Oh wow, somebody had access to the system for six months after they left,” is really not a good thing to discover.

Drew McLellan:

Yeah. Right. So on both the compliance and the cybersecurity side, the cyber side, what are the two or three top things we can just bang out? Like here are some basic things you can do on each side of the ledger that just put you in a better position, safety wise, security wise. If somebody ever hands you the checklist, at least you got a little bit of a start.

Nathan Maxwell:

Yeah, so absolutely. There are different checklists that different businesses use, but there’s common ground on all of them, because it’s talking about best practice in running your business and your operations, your cybersecurity, your policies and things like that.

So to jump right in multifactor authentication is mandatory no matter what framework we’re talking and a framework is really a set of policies, of questions, of documents. And there’re tons of different frameworks, absolutely tons of them, but across all of them, low hanging fruit, multifactor authentication. And it’s something we’re all familiar with.

I’m going to log into this system so that’s a password and then I’m going to provide something else to authenticate myself. Authentication is proving who I am.

Drew McLellan:

Right.

Nathan Maxwell:

And there’s three ways that we authenticate. What we know, which is going to be like a password or something. Now I’m getting off in the weeds on there, but we can provide-

Drew McLellan:

No, no, no. Finish the other two. What we know-

Nathan Maxwell:

Okay. What we know, what we have and what we are. So what we are would be like, iris scan, fingerprint scan. I mean, it gets all into like voice and like there’s all kinds of ways to do it.

What we have, what we possess would be a phone. It would be like a-

Drew McLellan:

Email address?

Nathan Maxwell:

Yeah. That goes over so that’s a little bit different, but we can get tokens that plug into our computer via USB, different things like that. Like only something that we possess and that would help with that authentication. So multifactor everything, your email, all of your accounts, everything needs to be multi-factored. There’s management challenges with that, there’s all kinds of things. But every framework out there from PCI to HIPAA, to NIST, CSF, like on and on and on, multifactor is a given on all of them.

Drew McLellan:

I can hear the agency owners now some of the challenges of that are now you’ve got it tied to people’s personal cell phones, and you’ve got the accountant trying to log into the credit card, but the credit card’s tied to the agency owner, la, la, la.

So what’s the fix to that because I think a lot of reasons why people don’t do this because they go, “Oh no, no, I don’t want to do that.”

Nathan Maxwell:

Yes. And nothing is pain free. Right. I absolutely get, or your examples were good, let’s continue that extreme. Right? How about the union employees where the contract specifically says the company has no access to the phone. Nothing happens on this phone and it is a contract, right. It’s not just like, “Oh, so and so’s uncomfortable with this.” Like it is a flat out contract-

Drew McLellan:

Right.

Nathan Maxwell:

There are absolutely ways to work through all of that. Absolutely ways. You can issue that key fob to the staff, that key fob that generates the codes that gets plugged in there’s different ways to do it. You can issue those if the cell phones are out of our scope for an engagement, there’s lots of ways. Password vaults, okay.

Password management is another thing that’s really, really critical, you know do we have good, solid randomized passwords across the board? None of us are smart enough to correctly practice good password hygiene. So we’re going to be having a password vault, right. It’s something that you need to provide to your employees. You need to audit to make sure they’re using. And to be specific, we’re talking like a LastPass or 1Password or something like that.

Drew McLellan:

Right.

Nathan Maxwell:

These tools have multifactor functionality then built into them. So without getting too technical, we multifactor into our password vault. Right? So that authenticates against me and then the password vault can even have some shared credentials that have multifactor tied to them in the vault.

Drew McLellan:

Okay.

Nathan Maxwell:

And it’s like, well, wait a minute, Nathan, you know are we defeating multifactor? Well, no, because I’m, multi-factored into my app. So there’s my two pieces for authentication. And then we have whatever the service account or use the example of a credit card processor with the count in and stuff like that.

Drew McLellan:

Right.

Nathan Maxwell:

There’s ways to do it. We don’t throw out the multifactor just because it’s a pain point.

Drew McLellan:

Yeah. So one of the other things I think agency owners think is, you know what, we don’t have client credit cards. We don’t have HIPAA-level health data. We have their login to their Facebook account or we have the blah, blah, blah, blah, blah. Do I really need to do this? Like, do I have sensitive enough information that I’m at great risk?

Nathan Maxwell:

The answer is yes, because you still get that email, that special email still comes down and there will be screening questions in there. Do you have this? Do you have… It depends on the vendor and how detailed that screening is. But in general, you’re still going to get the email and yeah you know, there may be less questions if you’re like we’re not processing payroll for you, so this doesn’t matter.

Drew McLellan:

Right.

Nathan Maxwell:

But they still want to know that you are… you know the due diligence is in place in order to take care of their data. And here’s the challenge. I, and it may just be, you know what I see, visibility standpoint, because I’ve not seen, like… let’s say what Google’s parent company is Alphabet. I’ve not seen, hypothetical situation, the risk assessment and the audit that they do against their payroll processor where it is deliberate and large and specific.

Drew McLellan:

Right.

Nathan Maxwell:

But the questionnaires that I see that come down to those of us that are smaller businesses, I look at it and I go, “What? Like really all of this for my type of an engagement with you.” And it seems like an overkill. So it’s a tough thing. There’s no easy outs on this.

Drew McLellan:

So when a client presents you with, sorry, sorry. I have so many questions. So on the compliance side, we’ve got the multi verification. What’s another easy one that we can do that just checks it off the list.

Nathan Maxwell:

Just some real basic policies. There are a number of frameworks, I mean, we’re talking like government that audits against it and stuff like that, where they will hit you harder for a policy violation than they will for a breach. And in all likelihood a breach was caused by a policy violation.

Drew McLellan:

Got it.

Nathan Maxwell:

But the goal is follow your policies and so usually my engagement with a client in this realm is also helping them draft policies. And so a policy is better than no policy. Right. And we can like, well let’s have this reviewed by attorneys and let’s have it cover every scenario and situation. It’s like, no, write something, make it readable and be done with it. Right? A policy is better than no policy.

And so going back to the employee termination. A paragraph, two sentences that says, “All employee accounts are terminated within four hours of the employee’s departure.” That’s a policy and then yeah, you need to be able to prove that you’re doing it and prove that you’re following it.

Drew McLellan:

Right.

Nathan Maxwell:

But that’s really pretty easy, all right. I’m a simple, short sentence kind of person. So let’s create something because in an engagement when you’re having this cyber insurance questionnaire, when you’re having one of your customers or clients push this down on you, they’re going to ask for these policies, right. Like, put them up, send them up and if they don’t like them, let them push them back to you. And we’ll rework them. We’ll tweak them. We’ll enhance them based on the gaps. But that happens very, very rarely.

Drew McLellan:

Yeah. They just want to see that you have something.

Nathan Maxwell:

Absolutely. Right. Something is better than nothing. And then the question is, are you following those? Are they sitting in a binder collecting dust or is it a living document that you’re actually following.

Drew McLellan:

So in an agency, let’s say of 25 people, who owns this responsibility? You don’t have a CTO, right? So typically you have somebody in the office who’s sort of computer savvy. And they’re the one that gets called when somebody’s computer fries, or they have to set up a new computer for an employee, or maybe they’re even the HR person, but most agencies don’t have someone that has a sophisticated level of knowledge. So typically in a small business, who do you see owning this?

Nathan Maxwell:

Great question. These questionnaires, first page, they’re going to ask you to identify a compliance officer. We’re small business people, we know how that works. What do we do? We just point at somebody and we add a hat on top of the stack.

Drew McLellan:

Right.

Nathan Maxwell:

And usually it’s an operations person. You know, usually it is that person that has to order the computers, or that when the internet connection goes down is the first person to walk to the back of house to figure out what’s going on. Most of us don’t have a Chief Compliance Officer.

We have that operations person, we have that office manager, we have somebody that’s kind of detail oriented and can kind of help move the needle on this.

Drew McLellan:

Yeah. Okay. And how would they even know where to start? If you’re not sent the checklist, if somebody’s actually listening and going, I’d kind of like to get ahead of this, where do I go to even know what that means?

Nathan Maxwell:

Absolutely and that is a really good thing, because the first time you work through this, it’s the heavy lift.

Drew McLellan:

Yeah. Right.

Nathan Maxwell:

Okay. Every time after that, you know I would love for my industry to be so mature that we’re like, “You know we’re assessing against CIS, but you’ve gone through this over here. And really there’s a lot of crossover.” I will just happily accept everything from over here and it doesn’t work like that.

Drew McLellan:

Right.

Nathan Maxwell:

You still fill out all the checklists, you still make sure that your policies line up and are titled correctly. You’re like, “No, it’s still a challenge,” but it’s so much easier if you are that agency owner and you are like, “Okay, it’s a matter of time.” Then you start working. You know, we talked about the low hanging fruit, start doing… like that’s the sort of thing, I would love to have that conversation.

If the person is wanting to be independent, work on their own, then you know, start plugging into some cybersecurity circles, start going, okay you know, I’m going to educate myself on cybersecurity best practices. Google’s your friend on that, take a look and go, “Oh, here’s the checklist of 20 things that we should be looking at.”

And so you’re going to work down through them. 15 of them are going to resonate, go like, “Yeah, my business came up with this.” The one that says make sure the dock doors are locked every night, you’re like, “Yeah, no.”

Drew McLellan:

Right.

Nathan Maxwell:

So you work through it. There’s tons and tons of stuff online. One real easy, goofy thing, it is actually a cybersecurity thing, right? Taking a low hanging fruit, a fringe thing, to have battery backups on your computers.

Drew McLellan:

Huh.

Nathan Maxwell:

That’s probably not on some of the checklists that you’re going to get from your large clients, but that is something that a lot of these cybersecurity policies and frameworks and stuff like that say is best practice. Right. So funny, goofy thing but there’s stuff in there that’s really obvious. There’s stuff you haven’t thought of. There’s so much online to kind of start that conversation.

Drew McLellan:

Where do you think we’re at the greatest risk? Like if I look at a checklist and I go, “This is overwhelming.” So I want it, low hanging fruit or not, I want to put out the fire that I think is the most likely to take my house down. For an agency, what would that be, do you think?

Nathan Maxwell:

Email absolutely, email. We talked about multifactor authentication, right?

Drew McLellan:

Yeah.

Nathan Maxwell:

That is I log in with my password, what I know, and then I’m going to authenticate with some other thing. Absolutely huge. Email, BEC, business email compromise is something that happens and we don’t know it. Where we have somebody lingering in our mailbox, monitoring our mail flow and then we’ll reach out and strike at exactly the right time. And so we don’t have any indicators that they’re in there.

So lock your mailbox down, make sure that your email is secure. There’s monitoring tools to tell you, like geolocated IP addresses, what’s connecting into your mailbox. Where are you seeing these things? There’s some monitoring tools that are helpful in that respect. It’s just, it’s huge. An example of that: a friend of mine, her parents were buying a house, retired, they just lived in rentals and leased houses forever. They got the email Sunday morning, “Wire your down payment to this.”

And they did it and that like $150,000 was gone like that. They’ve never recovered it. Why? Because the right brokerage emails were compromised and they struck at just the right time and that money was wired and it was gone.

Drew McLellan:

Yeah, that’s been a big thing happening inside agencies too, that agency owner gets an email, sorry, CFO or accountant gets an email from the agency owner. Sounds just like him saying, “Hey, sorry to make you do this, but I need you to send this wire today, blah, blah, blah, blah, blah.” And I’ve had two or three clients that have anywhere from 40 to $85,000, boom, right out the door.

Nathan Maxwell:

I have story after story of that. And you can scale down. I’ve gotten calls from people standing in Target holding gift cards.

Drew McLellan:

Yeah.

Nathan Maxwell:

They’re like-

Drew McLellan:

Oh, yep. Right, I’ve had that one too.

Nathan Maxwell:

Yeah. And they’re going, “I’m so confused right now.” And I’m like, “You’re that company owner, fill in the blank who, did not ask you for those gift cards.”

Drew McLellan:

Right.

Nathan Maxwell:

But I’ve been texting with the person I’m like, “How do they get your cell number?” “Oh, oh, well, that was part of the email chain.” And it’s like, don’t do that.

Drew McLellan:

Right.

Nathan Maxwell:

So even at the small scale, the gift cards, this yes, spoofed email, all of that. Email is the greatest risk. So phish testing, training your employees to be wary, phish testing with a “ph.” So because your employees are… right, greatest asset, greatest weakness.

Drew McLellan:

Yeah.

Nathan Maxwell:

Are you encouraging them to keep their guard up? Will they fall for that free pizza? I don’t know. Will they fall for the email that says, “Hey, your Amazon package was delivered to an alternate address, click here.” Like what? Why is my Amazon going? No, don’t click on that.

Drew McLellan:

Right.

Nathan Maxwell:

So it is increasing that guard.

Drew McLellan:

Okay. So A. It’s talking to the employees and testing them and coaching them. And then B. What do I actually have to do to my email server provider? You know, probably most of the agencies I know are using Google Workspace or something like that to power their email.

Nathan Maxwell:

Absolutely. Again, multifactor everything. Devices that are not, or accounts that are not multifactor capable, can use something called an app password. And I, again, not trying to get off in the weeds technically, but I mention that from a risk standpoint, in that those should be analyzed very carefully because the tracking capabilities are very minimal.

So make note of and know what service you’re using and then Drew, I’m going to say this, but like reality you know it’s a pain point. Most people aren’t going to do this, but it’s really nice to keep an eye on the logs and what’s connected into your accounts.

Drew McLellan:

Right, right.

Nathan Maxwell:

You know what IPs are connecting, and I do that for my clients. And I have a map that just puts a dot for all of them that shows where they’re connected from. And when I see something that’s like overseas, I’m like, whoa, A. Is someone traveling or B. Do we have a problem?

Tools like that are worth investing in because, you know, Google, Gmail lists down at the bottom, I think, right. You get house blind to it. I think it’s still there. Like IP addresses that have recently connected. But nobody pays attention to that. Nobody goes, “Oh, right, our IPs change. Oh wait, why is that address now?” We just don’t do that.

Drew McLellan:

Yeah. All right. I have so many more questions, but we need to take a quick break and then we’ll come back and I want to ask you about cyber insurance and how we shop for it and know what we need and all of that. So we’ll hit that when we get back.

Hey there, you know I am incredibly grateful that you listen every week and I want to make sure you get all of the support and tips and tricks and hacks that we have to offer. In every issue of our newsletter I tell you what’s on my mind, based on the conversations I’ve had with agency owners that week.

We also point you to additional resources and remind you of anything we’ve got coming up that you might benefit from.

If you are not subscribed to our newsletter now we can fix that in a flash. Head over to agencymanagementinstitute.com/newsletter and complete the simple form and we’ll take it from there. All right. Let’s get back to the show.

All right. I am back with Nathan and I don’t know about you guys, but this is scary stuff. But we’re just going to hang in there and we’re going to keep talking about it.

So before the break I had said, I wanted to ask you a little bit about cyber insurance. So tell everybody what is it, what kinds are there? Again, how do you know if you need it? How do you know how much you need? Give us a little cyber insurance 101.

Nathan Maxwell:

Absolutely. So let’s see with your questions. Do you need it? The answer is yes, that part’s easy. Generally speaking it is the most affordable if you look to your current carriers that you’re using for E&O or whatever your different policies are, and you’re looking at adding it to that.

If you’re just shopping the open market for cyber insurance, you can do that, but you’re generally going to be paying more for that. You’re going to talk to your broker, your agent, whoever that person is.

Drew McLellan:

Yeah.

Nathan Maxwell:

And they’re going to start asking you questions about what you do. They’re assessing risk, that’s what it is. The cyber insurance funds do not flow as quickly and as easily as they used to. And so they’re going to do their own little mini risk assessment. And I see sometimes that’s like a four question thing. Like, do you have a firewall? Do you use antivirus? Okay, yes, yes or no, yes. Like, right, whatever. However you’re going to answer that and done.

And other times it’s much longer. Their best screening process and so you do need it. There are variations in the policies and I can’t, just from a knowledge standpoint, I can’t get too deep into that, but they want to know what kind of data you store, what kind of data you have access to, are you involved in broadcasting or disseminating information.

The risk with that is like, okay, we are not just sending out a virus to a couple of computers. Hey, we have this distribution network that has the ability to infect 5,000 other computers. That’s a much bigger deal. So they’re asking things like that as they build that policy for you.

Drew McLellan:

Okay. And so if you have again, 25 employees, so you’re doing $3 million or whatever, what are we looking at price wise? I mean, I think a lot of people have no idea.

Nathan Maxwell:

Off the top of my head I’m not even entirely sure to give you the best answer on that because I see policy questions, but I honestly don’t see a whole ton of pricing. So I don’t really know exactly how to answer that for you. Generally speaking, I line up my liability and my coverages along the lines with my errors and omissions, I figure they’re very, very similar. And so I line those dollar amounts up.

And then again, just from an honest answer, I’m not exactly sure what that does for a lot of organizations from a price standpoint.

Drew McLellan:

Okay, you’re doing this every day. What do you see down the road? I mean, again most agencies haven’t even tackled this most simple of checklists, but what’s coming next? What do we have to be… I know we should be worrying about the things that are now that we’re ignoring, but what’s coming next that has to be on our radar screen?

Nathan Maxwell:

My theory, as far as what’s coming down the pipe, is less trust. Right now you’re providing that static spreadsheet, checklist, website, as far as data going back upstream, here’s what we’re doing. I think that we will continue to see less and less trust. You know, at what point is the insurance vendor providing your antivirus for you?

At what point are they mandating the type of firewall that you put in your environment? And then real time monitoring that. I do vulnerability scanning on devices that’s part of the service stack. At what point is the insurance company doing vulnerability scanning inside the organization where they are looking across the IP space in your network and saying, “Oh, I see a problem here and I see a problem here.” I think the trust level is going to go down.

Drew McLellan:

So do you think it’s mostly going to be our insurance companies that are intervening to verify that we are doing the things we say we’re doing? Or do you see clients asking to have access to some of that? Or where do you think that’s going to come from?

Nathan Maxwell:

Yeah, I think it’s going to come from the insurance side first, just because they have better teeth-

Drew McLellan:

And they have risk.

Nathan Maxwell:

Right, absolutely. But look, it’s business. Everybody can do anything they want at this point. And so we’re having increased government regulation too. And so I think there’s going to be a piece of that as well, but yeah, absolutely. You know, a big business that has a well built out risk management department and a really impressive security and compliance stack. There’s no reason that they can’t be like, “Hey subcontractor, hey vendor, see this program. I want you to put this on this location here.” “Well, what does it do?” “Well, it just gives us some information about you guys and your network and stuff like that.”

It’s not that far down the pike in my opinion. So I think we’ll see that. And then Drew, the other thing from a change standpoint is costs are going to keep going up. You know we have unstable world affairs at this point, but from a cyber conflict standpoint, every single IP address on the internet is in scope for an attack from any other IP address.

And just to clarify that terminology when we connect to the internet, we have an IP address that represents us on that internet. That is the basis of all internet communication. And so just like with email, anybody with an email address can send an email to pretty much any other email address in the world. We have that same visibility from an IP standpoint. And so I’m hearing some just incredible things as far as what normalized cybersecurity costs are. Like we’re talking on par with what a company would be spending on an HR standpoint, when it comes to cybersecurity for their organization. So the costs are just going to keep going up out of necessity.

Drew McLellan:

Yeah. None of that sounds awesome.

Nathan Maxwell:

It doesn’t, right? And that comes back to the standpoint of yes, there’s pain in this, but ultimately this process makes you a better company as far as you’re doing things better, you’re being more thoughtful. You are covering the cybersecurity low hanging fruit. There are benefits to it, but yeah, absolutely, like there’s pain, not going to try to spin that.

Drew McLellan:

So other than you mitigate the risk, because I’m sure that on occasion you like to give your clients good news, as opposed to like, here’s this onerous list that we have to crunch through. Is there an ROI or is there value to being able to say, “Hey, you know what, we got this nailed.” And here’s like proactively saying, “Here’s what we do. Here’s how we behave.”

Are you seeing amongst your clients that that’s attracting more clients or allows them to work with bigger comp… what’s in it for us other than covering our rear ends?

Nathan Maxwell:

Right. So, yes. Right, CYA is a tangible part of that. Staying engaged with your current customers is a part of that, right? Because that customer that comes to you and says, “Here, congratulations, fill this out for me.” Then you are working on a continued engagement with them and there’s value there. Again, the first time that you go through a process like this is the heavy lift, the next time it comes up, you don’t have that same sense of panic.

You don’t have that same, like, “Oh no,” because you’ve already done 60, 70% of the work.

Drew McLellan:

Right.

Nathan Maxwell:

And now we’re just going to be massaging it a little bit to make it presentable, going to be answering the questions on this other form or spreadsheet or whatever the case may be. But the pain point is not as tangible there. And so the win for a client in this respect is that degree of preparation, right? The fact that they are protecting themselves, they’re lowering their risk of being hacked or just making some rather tragic business mistakes.

And the next time that hits the inbox there’s some confidence in being able to go back to that contracting office or go back to that point of contact and like, “Oh yeah, absolutely, here.” Again, confidence, it just comes through in this, like, “Yeah, absolutely. Let me get you this information, let’s see, it’s Monday, let me get it you by Friday. Okay?” Totally, totally different and there’s a real win there.

Drew McLellan:

All right. Last question, because I know I need to let you go, but I still have so many questions, but if I have a compliance officer, how much time should I allow on their plate to do all of this? And I’m sure there’s a heavy lift on the front end of getting all the things done.

So, A, what does the heavy lift look like, and then B, what does maintenance look like?

Nathan Maxwell:

You nailed it, heavy lift is on the front end because that is… and from my standpoint, when I engage with the customer, there is a lot of back and forth on drafting these policies. Because even though I’m saying, let’s keep it short and simple, we still got to make sure that it matches the business.

Drew McLellan:

Right.

Nathan Maxwell:

That it’s not like we’re dropping a policy and it is just this massive ripple effect through your organization and changing the way things are done. Let’s draft a policy that meets best practice, but that meshes with your organization, and then 25, 30, 35%, whatever, of these different guidelines or these policies should be assessed on a yearly basis.

So I come in, I go, “Okay, let’s look at this, this, this, and this.” Going back to that consistent, because it’s something that resonates with all of us. All right. What are the last four employees that you’ve offboarded in the last six months, in the last three months, the last month, pick your number. Let’s look at that. Show me that you’re following this policy.

The last six employees that you’ve onboarded. Show me the multifactor on that. Show me where this is, prove to me that it’s set up. We’ll stay consistent with our examples. And so the timeliness on the front is tangible. But then after that, we need to make sure that that document is being kept updated. Sometimes-

Drew McLellan:

And the policies are being followed, right?

Nathan Maxwell:

Exactly. The policies are being updated and that they are being followed. Sometimes you’re upstream. Customers want copies of updated policies. There’s sometimes that they go, “Every time this updates, you send it back to us.” I’m not convinced anybody actually looks at it but they want it.

Drew McLellan:

Right.

Nathan Maxwell:

So are you following them? So absolutely heavy lift is on the beginning and then after that, the time commitment is 15 to 20% of what it was in the beginning, spread out over time. So it’s much, much easier.

Drew McLellan:

Okay. So for most companies, this is not a full-time job.

Nathan Maxwell:

Absolutely not.

Drew McLellan:

Okay.

Nathan Maxwell:

Like at scale, at size absolutely. But no, this is something that to get started with you need a person that engages, and that helps write this and helps build this and set it up correctly. And then the care and feeding of it after that is much less time intensive.

Drew McLellan:

Yeah. This has been fascinating. I feel like we’ve just scratched the surface, but at least we have started the conversation.

Nathan Maxwell:

Absolutely.

Drew McLellan:

I am grateful for your time. Thank you for sharing your expertise.

Nathan Maxwell:

It has been a pleasure, thank you.

Drew McLellan:

So if folks want to learn more about your work, if they want to reach out to you or contact you, or I’m sure that you’re putting out content that would be helpful to them. Where do they go?

Nathan Maxwell:

That’s a super question. Calling me right from an engagement and a conversation standpoint is great. Email is great. Email address is [email protected]. Phone number is (913) 355-1308. And then yeah, it’s funny because as I’ve been catching up with your podcast Drew, it’s like, oh yeah, I need to be pushing this channel on that channel.

My website has content, has information and I am in the category of everyone else that should be putting more out on LinkedIn and things like that.

Drew McLellan:

Right.

Nathan Maxwell:

Yeah. You know I’m on LinkedIn and other places, but I will tell you that my content game is not where it should be.

Drew McLellan:

Okay. So we’ll include all of that in the show notes too, folks. So if you’re driving around or on the treadmill, don’t break your neck trying to get it written down. We’ve got it for you.

So Nathan, this has been great, thank you for sharing your expertise. As you and I were talking about before the record button, this is just not something agency owners want to think about. It scares them. They feel lost. And so I feel like we’ve at least shed a little light on the topic and given them some places to start. So I appreciate you keeping it simple for us and keeping it at the basics so we can get started, because it feels like that’s kind of where we’re all at.

Nathan Maxwell:

Hopefully it kind of reduces the panic that comes when that first compliance email comes in. Because yeah, that could be pretty rough.

Drew McLellan:

Yeah. Yeah. None of this sounds awesome.

Nathan Maxwell:

But we need to know, right? It’s just the nature of the beast at this point and this date and time.

Drew McLellan:

Yep. So thank you again.

Nathan Maxwell:

Happy to, thanks for having me.

Drew McLellan:

You bet. All right guys, if there was ever an episode of the show that has you both cursing my name, but hopefully going, okay, I got to do this. This is probably it. So I know for many of you, this is a topic that you have carefully avoided and justified why you don’t have to do it because you don’t have this, you don’t have that. And I think what Nathan is saying to us kind of loud and clear is it’s not a matter of if it’s just a matter of when this comes up and nips at you a little bit.

And it might nip at you in that you have a problem and now the client’s unhappy and you don’t have insurance to cover it. And it’s going to nip you in the wallet. It also could nip you in that you lose out on an opportunity with a prospect because you’re not really up to snuff. And so they’re not willing to take the risk. So either way it has the potential to cost us money and put our business at risk. So we have to begin to understand this. We have to begin to, as Nathan was saying, take care of some of the low hanging fruit that we could do ourselves and then figure out if we need some help to do some of the more complicated things.

But this is not an episode just to listen to and then calmly wait for the next episode. This is an episode where hopefully you were taking some notes or you were thinking about it, or you got that really uncomfortable feeling in your chest of, “Oh shoot, that’s us.” Let’s fix it, get started on it, do one or two things. And it just gets you a little further down the path. And then I suspect what happens is as you get going, then you’re like, “Oh, okay, well, we got that done. So let’s take on the next thing.”

So this is also not something you have to do all in one fell swoop. I suspect this is an ongoing effort and lots of tweaking. So listen clearly, take some action, mitigate your risk. That’s, I guess, my message for you today, from what Nathan taught us. So hopefully you will do that.

A huge shout out to our friends at White Label IQ, as you know they’re the presenting sponsor and they provide White Label PPC dev and design for lots of agencies in my world. So you can go to whitelabeliq.com/ami, and they’ve got some specials. I think you get some free hours on your first project. So check them out.

If nothing else, send them a thank you note, send them a note and just say, “Hey, I listen to the podcast. I don’t think Drew sucks and thanks for sponsoring it, making it possible.” So I want them to know that we appreciate what they do for us and that you appreciate the show. So even if you don’t want to hire them a thank you note or a thank you email would be really lovely actually and that would make me happy.

So if you’re enjoying the show and you wonder, because I know you probably think about this all the time, what can I do for Drew McLellan? What can I do to make his day brighter? Because I suspect that’s probably a nagging worry that you have, here’s something I’m giving you.

Just send the folks at White Label an email and tell them, “Thank you.” That would be really lovely. And in the meantime, you know that I’m around. So through agencymanagementinstitute.com, I’ll be back next week with another guest.

In the meantime, please know that I am super grateful that you keep hanging out with me every week. This is fun for me and I hope it’s useful for you. And I know how busy you are so I appreciate that you carved the time out. All right, I’ll see you next week and start doing some of the stuff Nathan said, okay, I’ll see you next week.

Speaker 4:

That’s all for this episode of AMI’s Build a Better Agency podcast. Be sure to visit agencymanagementinstitute.com to learn more about our workshops, online courses and other ways we serve small to mid-size agencies.

Don’t forget to subscribe today so you don’t miss an episode.