Cybersecurity Awareness

Cybersecurity Awareness

Do You Know that October is Cybersecurity Awareness Month??

Of course you know.  Cybersecurity Awareness appears everywhere in October.  But, did you think about how it affects you?  Did you take action?  If not, here are a few reasons you should think about Cybersecurity and take action:

  • 43% of all cyberattacks are aimed at small business (Source: Small Business Trends)
  • 91% of attacks launch with a phishing email (Source: PhishMe Research)
  • 95% of data breaches have caused attributed to human error (Source: Cybint Solutions)
  • Ransomware attacks are growing more than 350% annually (Source: Cysco)
  • IoT (Internet of All Things) attacks were up by 600% in 2017 (Source: Symantec)
  • In most cases, it takes about 6 months to detect a data breach (Source: ZD Net)
  • The cost of a data breach can range anywhere from $120-600 per record (Source: Identity Theft Resource Center) – for a small company with 5,000 past, present, and prospective customers, this could total $600,000-$3,000,000

I know, it won’t happen to you.  Are you sure?

Top 5 Misconceptions:

  1. My data (or the data I have access to) isn’t valuable. Wrong – all data is valuable.
  2. Cybersecurity is a technology issue. Wrong – human error is the number one cause of data breach.  Train your employees and establish clear policies.  Do not discount the importance of physical security.
  3. Cybersecurity requires a huge financial investment. Wrong – many efforts require little or no financial investment – establishing policies, training employees, enabling multi-factor authentication, restricting administrative and access privileges, etc.
  4. Outsourcing to a vendor washes your hands of liability during a cyber incident. Wrong – you have a legal and ethical responsibility to protect sensitive data.  If you received it you are responsible for it.
  5. Cyber breaches are covered by general liability insurance. Wrong – Speak with your agent to understand your coverage and what type of policy would best fit your organization’s needs.

If you are still reading this, you are hopefully wondering if you are doing enough, if anything at all, to protect your data and systems.  Here are the steps as suggested by the National Cybersecurity Alliance (www.staysafeonline.org) to assess your organization:

Identify your vulnerable assets and systems

  • Computers, paper files, laptops, mobile devices

Protect your data and devices – build a culture of cybersecurity in your organization

  • Keep software current – use automatic updates
  • Use strong authentication and strong passphrases (not passwords)
  • Back up data on a regular basis
  • Limit access to data to employees who require it to perform the core duties of their jobs
  • Keep a clean machine – maintain clear guidelines restricting downloads
  • Make the call. If you are not absolutely sure the email, tweet, online ad, message, or attachments are safe, call the sender to verify or delete it.
  • Encourage your employees to report strange occurrences on their computers and devices.

Detect Incidents

  • The faster you know about an incident, the faster you can mitigate the impact and get back to normal operations.
  • Be suspicious.
  • Use cybersecurity products or services like antivirus and antimalware software for example.
  • Watch people including your employees. Pay attention to suspicious behavior.
  • Train employees to know what incidents and attacks look like and that they need to be reported quickly.
  • Talk to others in your industry and reach out to local IT experts. The availability of cybersecurity tools and services is growing.

Finally, consider purchasing Cyber Insurance from a reputable insurance company.  Why?

At the very least, filling out the application will expose your weaknesses.  It serves as a self-assessment.

More importantly, from a prevention perspective, most companies provide guidance and resources such as risk management tools, training, and cyber best practices.  Some companies may provide assistance with developing an incident response plan, information about and assistance with complex regulatory requirements, security and privacy awareness training resources.

Most importantly, cyber liability insurance provides coverage in the event of a data breach or cyber event.  The list of coverages and limits available is extensive creating the ability to tailor a policy to fit your organization’s needs.   Be careful though.  With this flexibility comes a lack of standardization in forms, policy language, and pricing.  Choose to work with an insurance agent who has thoroughly researched the options, understands the coverages, and considers potential overlap with your other policies.

Scenarios

Company Profile:  Construction Company with offices nationwide (Borrowed from www.Travelers.com)

A national construction company used a third-party cloud service provider to store their customers’ personal information. The cloud provider suffered a major data breach, compromising the Personally Identifiable Information belonging to thousands of the construction company’s customers in several states. As the owner of the data, the construction company had a legal obligation to provide adequate and timely notice. The Attorneys General in several states instigated a regulatory investigation against the Company to determine whether they responded appropriately to the breach in accordance with various state laws. As the construction company did not have a document retention procedure and stored far more data than was required, the Company was obligated to notify over 10,000 past and present customers that their company’s data had been compromised. In addition, they had to pay defense costs associated with defending the regulatory investigation.

According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for this event for the construction company could be:  $181,900 Estimated Incident Investigation Costs; $41,775 Estimated Customer Notification/Crisis Management Costs; $639,100 Estimated Defense & Settlement Costs; $862,775 Estimated Total Costs

An average event of this type could drive the average costs up to $1,860,000 for a business.

Risk Management Tips:

  • Know where confidential information is stored, whether internally or with a vendor.
  • Understand vendor’s network security controls and any contract language involving data liability.
  • Have a document retention procedure in place to only store information that is necessary.

*The NetDiligence® Data Breach Cost Calculator and other tools are available to insureds on the Travelers’ eRisk Hub®.

eRisk Hub is a registered trademark of NetDiligence.

RANSOMWARE ATTACK (Borrowed from www.thehartford.com)

Type of insured: Regional accounting firm

What happened: A ransomware attack blocked all access to the firm’s computer system while deleting files. After the firm paid the ransom, it took several days to restore its applications and recover deleted files from its backup.

What followed:

  • The firm was unable to meet tax filing deadlines
  • Brand and reputation damage

What could help: Incident Response Expenses, Cyber Extortion Loss, Network Restoration Expenses, Business Interruption

HR IMPOSTER (Borrowed from www.thehartford.com)

Type of insured: Law firm

What happened: A thief purporting to be the managing partner of the firm sent the HR payroll manager an email, requesting W2 forms of all 150 employees via PDF. Too late, the payroll manager realized the email address was spoofed.

What followed:

The law firm had to notify and provide credit and identity monitoring services to its employees in the wake of the incident.

What could help: Incident Response Expenses

CARPETBAGGERS (Borrowed from www.thehartford.com)

Type of insured: Carpet factory

What happened: Unknowingly, an employee clicked on an email attachment laced with crypto wall malware. This led to a hack that paralyzed the company’s access to data and production files, with a demand for ransom. The company paid the ransom the next day.

What followed:

  • Production was halted and costs racked up
  • An external consultant was unable to clean up the network
  • Without up-to-date backups, the company lost data

What could help: Data Privacy and Network Security Liability, Incident Response Expenses, Cyber Extortion Loss, Network Restoration Expenses, Business Interruption

SIDEBAR:

What is Personally Identifiable Information (PII)?

  • Full name
  • National identification number (i.e. Social Security number)
  • International Protocol (IP) address
  • Vehicle registration plate number
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card numbers
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
UPDATE Tonry Insurance Group’s Response to COVID-19