Adam Puharic, President of Puharic and Associates, Inc., and John Kalli, co-founder of Trinity Worldwide Technologies, LLC, discussed five steps to protect your business from cyber attacks and, more importantly, steps to protect your company and every person from cyber attacks so we all have a chance to win the war!
Five Practical Moves to Keep Hackers Out of Your Firm—Lessons from the 5 May 2022 CPES “Hot Topic”
When cyber insurers begin refusing renewals for perfectly loss-free clients, it is a flashing red light for every business owner. That was the message from Adam Puharic, president of Puharic & Associates, Inc., and John Kalli, co-founder of Trinity Worldwide Technologies, LLC, during CPES’s 5 May 2022 Hot Topic webinar.
Puharic and Kalli made the case that cyber risk is no longer limited to large utilities, hospitals or global retailers. With ransomware kits selling on the dark web for a few hundred dollars, any organization—down to a two-person consultancy—can be targeted. Worse, insurers now demand detailed evidence of security controls before they will quote, rendering the old “roll-on” cyber endorsement obsolete.
Below are the five action areas they said every firm should tackle now.
1. Recognise That You Are a Technology Company
Whether you design bridges, drill monitoring wells or sell professional services, your core operations run on email, cloud drives, smartphones and VPNs. Treat those systems as critical infrastructure, not office accessories.
2. Break the Silos Between IT and Insurance
Cybersecurity is a business-risk function, not purely a technical one. Puharic urged owners to convene their insurance broker and IT provider at least twice a year so each side understands the other’s requirements and limitations.
3. Train (and Test) Your People
Humans still click the links that launch most breaches. Trinity Worldwide uses monthly phishing simulations and targeted micro-training so that staff learn to spot bogus invoices, spoofed executive requests and malicious attachments.
4. Implement the “Vital Six”
| Control | Why It Matters |
|---|---|
| Multi-Factor Authentication (MFA) | Stops attackers who harvest passwords from the dark web. |
| Verified Back-ups (3-2-1 rule) | Three copies, on two media, with one off-site/cloud so you can restore after ransomware. |
| Least-Privilege Access | Users get only the data they need, limiting damage if an account is hijacked. |
| Endpoint Detection & Response (EDR) | Goes beyond antivirus by isolating or killing suspicious processes automatically. |
| Phishing Simulation & Awareness | Reinforces secure behaviour and documents compliance for insurers. |
| Full-Disk & Mobile Encryption | Protects laptops, phones and USB drives that leave the building. |
5. Embrace Zero-Trust Architecture
Zero trust assumes every device and user is untrusted until proven otherwise. After a short learning period, approved applications are whitelisted; anything else is blocked automatically. Kalli predicted that insurers will soon make zero trust a prerequisite for affordable cyber cover.
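To make the learn-then-enforce idea concrete, here is an added example (not code from the webinar, Trinity Worldwide or any product they mentioned) modelling an application allowlist that records what runs during a learning window and then denies everything else; the file paths and executable contents are constructed, and fingerprinting by file hash rather than path is the assumption that lets it catch a tampered binary at a familiar location.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AllowlistPolicy:
    """Zero-trust style allowlist: nothing runs unless it was observed
    during the learning window. Entries are keyed by file hash, not path."""
    enforcing: bool = False
    allowed: dict = field(default_factory=dict)   # sha256 -> first-seen path
    denials: list = field(default_factory=list)   # (path, sha256) audit log

    @staticmethod
    def fingerprint(image: bytes) -> str:
        # Hash the executable's contents so a tampered file sitting at a
        # familiar path is not mistaken for the original.
        return hashlib.sha256(image).hexdigest()

    def end_learning(self) -> int:
        """Close the learning window; returns the allowlist size."""
        self.enforcing = True
        return len(self.allowed)

    def evaluate(self, path: str, image: bytes) -> str:
        digest = self.fingerprint(image)
        if not self.enforcing:
            self.allowed.setdefault(digest, path)   # learning: record and allow
            return "allow"
        if digest in self.allowed:
            return "allow"
        self.denials.append((path, digest))        # enforcing: default deny
        return "block"


def run_demo() -> dict:
    """Constructed scenario: two business apps seen while learning, then
    three execution attempts after enforcement starts."""
    policy = AllowlistPolicy()
    policy.evaluate("C:/Program Files/Office/word.exe", b"word-v1-bytes")
    policy.evaluate("C:/Program Files/CAD/cad.exe", b"cad-v1-bytes")
    learned = policy.end_learning()
    return {
        "learned": learned,
        # known binary, unchanged contents -> allowed
        "word": policy.evaluate("C:/Program Files/Office/word.exe", b"word-v1-bytes"),
        # same path, altered contents (a trojanized update) -> blocked
        "word_tampered": policy.evaluate("C:/Program Files/Office/word.exe", b"word-v1-trojan"),
        # never-seen executable from a phishing attachment -> blocked
        "dropper": policy.evaluate("C:/Users/jane/Downloads/invoice.exe", b"dropper-bytes"),
        "denials": len(policy.denials),
    }
```

The denial log is what an administrator would review to decide whether a blocked item is a legitimate new application to approve or an incident to investigate.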
What Changed? Three Market Signals
- CNA’s Own Breach (2020): The global cyber insurer needed more than 30 days to restore its policy-management system after ransomware encrypted its network.
- SolarWinds Supply-Chain Attack: By compromising a single IT-management vendor, attackers gained reach into thousands of client networks.
- Insurer Appetite Shrinkage: Carriers such as Hiscox and Beazley non-renewed up to 25 percent of cyber accounts in 2022 unless firms could prove robust controls.
Passwords: Think Pass-Phrase, Not Pass-Word
Eight-character “complex” passwords fall in seconds to modern cracking tools. Kalli recommends a unique 16-character phrase for every account—secured in a professional password manager—and MFA wherever offered.
Next Steps
- Audit your defences against the Vital Six.
- Schedule a joint session with your IT partner and insurance adviser—make cyber a standing agenda item.
- Test and train staff quarterly; phishing campaigns cost little and pay huge dividends.
- Review your policy—does it cover first-party restoration, ransomware business interruption and third-party liability?
Stay Ahead of Emerging Risks with CPES
CPES Hot Topics deliver practical, one-hour briefings that translate fast-moving regulatory and technical issues into clear action items for New Jersey’s environmental and engineering community.