Jessica Kearney With Travelers Insurance

Intro: Broadcasting live from the Business RadioX Studios in Atlanta, Georgia. It’s time for Atlanta Business Radio. Brought to you by on pay. Atlanta’s New standard in payroll. Now, here’s your host.

Lee Kantor: Lee Kantor here another episode of Atlanta Business Radio, and this is going to be a good one. But before we get started, it’s important to recognize our sponsor, Onpay. Without them, we couldn’t be sharing these important stories. Today on Atlanta Business Radio, we have Jessica Kearney. She’s the executive director of the Travelers Institute. Welcome, Jessica.

Jessica Kearney: Thank you. Thank you for having me.

Lee Kantor: I’m so excited to learn what you’re up to. Tell us about the Travelers Institute. How are you serving folks?

Jessica Kearney: Yeah, so the Travelers Institute is the public policy division and really the educational arm of the larger Travelers Insurance Company. And we take on all different public policy topics that intersect with the insurance industry and public policy. Think things like auto safety and distracted driving, autonomous vehicles, cybersecurity, disaster preparedness. And we try and bring insights and education to these topics and really be a convener to advance important conversations on these issues.

Lee Kantor: Now, you were here in Atlanta last week. Can you talk about the reason you came here?

Jessica Kearney: Yeah, absolutely. So the Travelers Institute just recently kicked off our Fall 2023 cybersecurity education tour. This is part of our larger national series, Cyber Prepare, Prevent, mitigate, Restore. It’s our educational initiative, which really aims to help businesses tackle evolving cyber threats. And and I think we all know this. These are evolving every day, every week. And so our first stop on this national education tour was actually in Atlanta, as you just mentioned. So we convened folks from across the business community, insurance agents and brokers, small and medium sized business owners for an informational session to really arm them with knowledge around cybersecurity. And we hosted it at the Georgia Tech Research Institute. So we convened experts and partners from across the federal government. So we had folks from the US Small Business Administration talking about cybersecurity for small businesses. We had the US Department of Homeland Security. They’ve got an arm called the Cybersecurity and Infrastructure Security Agency or Cisa. This is really the lead cyber agency for the federal government, as well as folks from Travelers and data privacy law firm Mullen Coughlin, really to help leaders understand the threats facing them today and importantly, learn what we can do about it. That’s the most important piece. We started this series back in 2016, so we’ve been at this for for many, many years, but really focusing on those small and mid-sized business owners, arming them with the knowledge that they need to protect themselves from cyber threats.

Jessica Kearney: And since that time, we’re really proud that we’ve hosted nearly 60 in-person events. We’ve hosted a number of national webinars that are free and open to the public, bringing folks together with risk experts, government experts to discuss best practices and access resources. In the last two years alone, we’ve visited 15 cities and we’ve really prioritized collaboration across the federal government, as I mentioned. So bringing in multiple perspectives to help business owners hear about this issue from every angle. We were just in San Ramon, California last week and October. Looking ahead is National Cybersecurity Awareness Month. So this is a aptly timed conversation. There’s going to be lots of conversations taking place across the US in October around cybersecurity awareness and education will be in Worcester, Massachusetts, and Kansas City, Missouri, coming up in October. And then in November, we’re going to head out to Washington State, to Bellevue, Washington, and we’ll wrap up the series this fall in Dallas, Texas. So lots going on in the month of October. And your listeners can join us at Travelers Institute.org for our virtual or in-person programs.

Lee Kantor: Now, you mentioned small to midsize businesses, and this issue may not be top of mind for those folks. Can you explain how important maybe cyber hygiene is for that small to mid-sized business because they might think, look, you know, you know, the old saying, the people rob banks because that’s where the money is. And these small businesses may not feel that they’re at risk where some of these mega firms or these large health care financial services companies, you know, have, you know, teams of cyber experts deployed to protect them. But a small business, they don’t feel the threat or they don’t understand that the threat is to them as well. Can you explain how important it is for small to sized businesses to really invest in cyber hygiene?

Jessica Kearney: Absolutely. So we know that all companies are vulnerable to cyber attacks regardless of size. And that’s why it’s really, really important to understand the risks and to foster a culture of security across your business. And so I think that’s the that’s the point of our educational initiative, as I just mentioned, and I’ll give you some stats to kind of back that up. So for the last ten years, we’ve been surveying this traveler’s risk. Index that we publish every year. Cyber risks have remained among the top overall business concerns among business leaders of all sizes. You know, despite everything else right. That’s going on in the broader business community. So we’ve got workplace and workforce risk challenges, the economy, energy costs. You think about supply chain risks, all of these things that we know, the business owners and leaders of all sizes need to be concerned about. And cyber has continued to be among the top for the seventh consecutive year. Our more survey respondents said that their company had suffered a data breach or a cyber incident. So 26% of companies said that they had been a cyber victim in 2022, with nearly half of those reporting that the event has happened within the past 12 months.

Jessica Kearney: So, so fairly recent time horizon, in addition of those who had said that their company had suffered a data breach, 71% and this is this is alarming, said they’ve been a victim more than once. Right. So this is this is really happening. This is out there. And I think we see a disconnect. So when we talk about, you know, small to mid-sized businesses, we’re seeing that many in the survey are very confident that they’ve implemented best practices that they need to prevent or even mitigate a cyber event. Yet we’re also finding that most businesses have actually not implemented some of those basic prevention measures. And so I think this is where, you know, we can’t underscore it enough education, education, education. And that’s why we’ve undertaken this tour. There is so much that you can do. Some of it is, you know, low cost, no cost to help arm your business, to be ready and to be able to bounce back. There are really you know, there are really significant steps that you can take. And that’s those are all part of our tour and why we’re out there having these conversations.

Lee Kantor: So what are some of the the attacks like? What are some of the things that are happening to the small to mid-sized businesses, the breaches? What exactly is going on so that the person could maybe they’re these things are happening and they’re just saying, oh this is just things that happen like they’re not taking it as seriously as maybe they should. So what are some of the common breaches or attacks that are occurring?

Jessica Kearney: So we found in talking to our experts that criminal cyber criminals often go for the low hanging fruit. Right? So you think about those little pop up alerts that come on your screen that say, you know, your phone or your software system. It’s time for that update, Right. One of the most common cyber intrusions is actually just exploiting those very well known vulnerabilities. So one of the things that we really like to emphasize when it comes to taking issues and taking matters into your own hands and really being proactive on these issues is simply updating your systems, right? So so that’s one really easy thing that people can do the most. Again, the most common way attacker gets into the system is by exploiting, exploiting a known vulnerability. So automating those patches whenever possible and making sure that you keep your systems up to date. It’s sometimes it’s the really simple stuff. I think cybersecurity can seem like and many times is, you know, this big, complicated topic. But more often than not, when you do the simple things, it can really arm you against and protect your organization.

Lee Kantor: So I know for myself, I’ve gotten to this level of paranoia when it comes to like emails or any type of communication on the Internet. If somebody asks me to do something, my instinct isn’t to click on the thing. It’s to go to the website of the entity and then check to see if this really is a thing. Is that just me being paranoid or is that just kind of the due diligence you have to do nowadays?

Jessica Kearney: You know, I think it’s part of that due diligence. I think you’re right. I think that all of us as individuals collectively are getting a little bit smarter when it comes to clicking on links and, you know, being being pulled in. But also the sophistication of some of these attacks are getting better and better. Right? So it’s this balance between trying to stay ahead of the latest, the latest attack and the latest scam. And I think, you know, organizations can and should be testing their employees and sending these, you know, educational awareness campaigns in a safe environment. So if an employee does click on a link that is suspicious, you can use that as an opportunity to start a conversation and and provide that educational training. So that is definitely one of the recommendations is for employers and organizations to have these training cybersecurity trainings within their companies for their employees and have that conversation and really build it into the culture. Right? And that’s not an easy thing to build a culture, but it’s a really important one. And to bring all employees on board is really important. I think you just hit that on the head.

Lee Kantor: So now what are some of the other kind of low hanging fruit? You mentioned low cost, no cost things that organizations can be doing to protect themselves.

Jessica Kearney: Yeah. So I’d say one of the big ones is multi-factor authentication. So you think about when you potentially log into your personal banking, for example, I think that’s an example that could be familiar to folks. You often are asked to set up two factor authentication where you might get texted a code, so you’d have to sign in with a username and password, but then you have to have this other layer, this second factor, where you verify your identity and verify who you are. So according to Microsoft, simply doing that, that alone can can really stop an attack in its tracks. So if you have those types of verification systems on your most important logins, your most important systems, that’s shown to be 99.9% effective at stopping intrusions. And I mean, I can’t underscore that enough. That’s just an incredibly powerful number. Multi-factor authentication is usually an expensive it’s often easy and it’s very, very effective. You know, sometimes people can say the reasons they haven’t done it, it might be inconvenient or they don’t know what systems to to begin with. But that’s one where we are really encouraging everyone to lean in and learn more about it and implement it across their systems. It’s very, very effective.

Lee Kantor: Now when you’re you’re an organization and you start kind of understanding the threat level, it’s important to understand the bad guys, too. How? Who are the bad guys? And is this it’s no longer kind of this lone wolf, Right. These are kind of organized entities that this is their job. You know, they’re going into an office and whiteboarding and coming up with strategies like it’s not just somebody, you know, in the basement eating Cheetos, trying to, you know, hack into a system for for laughs.

Jessica Kearney: Yes, it’s increasingly sophisticated and increasingly, to your point, operating as a business model. Right. But cyber attackers can really come from anywhere. So they include anything from hackers. You think state sponsored cyber attacks that might target infrastructure like banks or utilities or even hacktivists, which means they could break in for political reasons. But I think you’re right. And I think bottom line is, no matter where they’re coming from, those same cyber hygiene, same cyber preparedness, best practices still apply to help an organization protect themselves from from any of those. All of the above.

Lee Kantor: Now, is it kind of like whack a mole? Like, you know, you start figuring out how to defend yourself and then they’re coming up with ways to then exploit something and then it’s just a never ending thing. Like, is this something that we’re ever going to have an answer where it’s like, Oh, this problem is behind us now.

Jessica Kearney: You know, I think I think you’re right in that I don’t think cybersecurity is something that you can set it and forget it. Right. I think this is an evolving threat. It’s something that business owners and boards of directors are need to be concerned with and need to be prepared for. That said, I think the good news is we know there are things that work. We know there are steps and proactive measures. And I think prioritizing being proactive versus reactive is one really just across the board way for your folks and your organization to to get on board with this issue and really make it a priority across your business.

Lee Kantor: Now, you mentioned that Travelers has been evangelizing and educating for a while now. What percentage of folks out there are listening and behaving in the manner you would like them to behave? Is this something that we’re making progress or is there still a ways to go to get the, you know, people on board to be doing even the the kind of the low hanging fruit level of cyber hygiene?

Jessica Kearney: Yeah, I think we’re absolutely making progress. Absolutely. You know, that said, there’s always room to improve. We actually did a survey of Atlanta area businesses ahead of going to Atlanta for our for our program recently. And, you know, and that yielded some interesting results. So you know, for example, um, we we talked about employee training and testing their knowledge from our Atlanta business survey. Less than half of those surveyed train and test their employees regularly. Right? So so that that is an opportunity. That’s one of those low hanging fruit opportunities for that education and training to really come in and help businesses and organizations. 62% in Atlanta said that their company or organization could handle the cost and logistics of a cyber event were to were to occur. So that’s a really great sign. So there are there are good there are good signs, there are positive signs. But there is always more that we should do. And I think as with any evolving area of business, it’s something that we need to stay vigilant on and stay on top of. And I guess one other thing I’ll I’ll add to that when we’re talking about vigilance. So one of the other recommendations that we would make, one of these things that we would consider a must do in terms of cybersecurity preparedness, cybersecurity hygiene is having an incident response plan, right? So once that alarm sounds, you found out through some channel that you’ve been hacked or you’ve had a data breach, how is your organization going to respond? So this is not something that anyone wants to come up with on the fly, right? So this is something that we really encourage folks to have a plan, a well thought out living, breathing document.

Jessica Kearney: Who’s going to do what, When are they going to do it? Like the exact concrete steps for, you know, the moment of crisis. Right. So you wouldn’t want to be standing there figuring it out when it’s actually happening. And it’s funny, one of the one of the one of the elements after you’ve figured out your plan is that you should have copies, both electronic and physical copies that are easily accessed at a moment’s notice. So if your computer’s organizations do go down, you have that plan. It’s in a paper copy somewhere. So you don’t need to go into your computers to access it. You don’t want to have to rely on employee memory during that moment of crisis. So it’s little things like that that you can do beforehand. I think being prepared that preparedness angle is is critically, critically important.

Lee Kantor: So if somebody wants to learn more, maybe take advantage of some of the education or attend some of the events that you’re doing throughout the country, is there a website they can go to? Can you share that again?

Jessica Kearney: Absolutely. So you can visit Travelers Institute.org to look at all of our upcoming cybersecurity education programs. And I will just say we have one coming up during October National Cybersecurity Awareness Month on October 11th at 1 p.m. Eastern, free and open to the public. We’re going to be chatting with Mullen. Collins uh, Carolyn Purwin Ryan and our own Enterprise Cyber Lead, Tim Francis here at Travelers about these five key cybersecurity practices, many of which I’ve just mentioned here. But they’re going to dig into it and kind of all the details around that. And so we’ll have a series of articles that are launching that day as well. But we welcome everyone to join us on October 11th.

Lee Kantor: Well, Jessica, thank you so much for sharing your story today. You’re doing important work and we appreciate you.

Jessica Kearney: Thank you for having me.

Lee Kantor: All right. This is Lee Kantor. We’ll see you all next time on Atlanta Business Radio.