Data breaches are becoming more commonplace, causing millions of dollars in damages for companies that have personally identifiable information (PII) hacked by cybercriminals.
“Think about all of the losses you can incur. Not only do you have to hire a security expert to find what happened, you may be assessed fines or penalties by the merchant’s acquiring bank or payment card brand. In addition, you could be responsible for credit card charges made by the criminals and lose business because no one trusts you anymore,” says William M. Goddard, CPCU, principal, Insurance Advisory Services at Brown Smith Wallace.
Smart Business spoke with Goddard and Lawrence J. Newell, CISA, CISM, QSA, CBRM, security and privacy manager, about protecting companies from cybercrime.
How do cybercriminals access networks?
One typical method is spear phishing. Unlike traditional phishing attempts, which are fraudulent emails sent at random claiming to be from a reputable organization like a bank or eBay, spear phishing emails are sent to targeted employees or customers of a company.
The email appears to be coming from the company and requests that the recipient click on a link, which then goes to a fraudulent website. They may ask for personal information or they may launch a virus they’ll use to get into your network.
If you click on the link, it launches a program in the background that goes onto your workstation and canvasses the network for other vulnerabilities. The program collects data, whether that’s credit card information or other PII, and uploads it to the cybercriminal.
How can you reduce cyberattack risk?
The first thing to do is develop an information security policy, document it and disseminate it throughout the organization.
Other protective measures are:
- Conduct an inventory of authorized devices on your network. Guests can come into your place of business with a laptop and leave a device on your network that goes undetected. That device could have Trojan horses or viruses that, when executed, plant a program on your network.
- List an inventory of software allowed to run on workstations or servers. That helps when looking for rogue programs or software installations.
- Install an anti-virus program to detect malware. Anti-virus protection also needs to be maintained and updated for the latest definitions.
- Run vulnerability and penetration tests on servers and networking equipment to make sure you don’t have unnecessary services running that could lead to a vulnerability and potential unauthorized access.
- Prevent data loss by running programs to detect outbound calls or connectivity to remote sites that are not authorized to receive data output.
- Create security awareness within your company to ensure that people who have access to information are not sharing anything that is confidential or private.
- Develop an incident response plan to react to a breach and quarantine activity before it spreads throughout the network.
Companies think they’re protected because they are compliant with some standard such as PCI, but that’s no guarantee their systems will not be compromised. Your security program needs to go beyond PCI and focus on more than credit card information. Cybercriminals go after the easiest target along with whatever PII is available that has value. For instance, not-for-profit organizations may have names, addresses and checks with banking information; all of that information is valuable to somebody. For similar reasons, credit cards are often targeted because they’re so widespread and it’s the easiest information to sell.
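The list above recommends running programs that detect outbound connectivity to remote sites not authorized to receive data. The following script is an added example of that control and is not code from the article or from Brown Smith Wallace: it reads firewall-style connection records, skips internal and allow-listed destinations, and raises an alert for everything else, with a higher severity for large transfers. The log lines, host names, address ranges and byte threshold are all constructed for the example.

```python
"""Flag outbound connections to destinations that are not authorized to
receive data. Minimal illustration of the outbound-monitoring control
described in the article; every address, host and log line below is
constructed for this example, not real infrastructure."""
import ipaddress
from dataclasses import dataclass

# Constructed internal address space (RFC 1918). Traffic staying inside it is
# not "outbound" for the purposes of this check.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed allow-list: the only external destinations this company's
# systems are permitted to send data to (hypothetical payment processor
# range and a hypothetical offsite backup host).
AUTHORIZED_DESTINATIONS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]

# Outbound transfers at or above this many bytes to an unauthorized
# destination are rated "high"; smaller ones are "medium". Assumed value.
LARGE_TRANSFER_BYTES = 1_000_000

# Constructed log: timestamp src_host dst_ip dst_port bytes_out
SAMPLE_LOG = """\
2024-03-01T09:12:03 ws-finance-07 203.0.113.25 443 18234
2024-03-01T09:15:41 ws-finance-07 192.0.2.77 443 4210567
2024-03-01T09:16:10 srv-db-01 198.51.100.10 22 98000000
2024-03-01T09:20:55 ws-reception-02 192.0.2.150 8080 5120
2024-03-01T09:21:02 ws-reception-02 10.0.5.12 445 2048
"""


@dataclass
class Alert:
    timestamp: str
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    severity: str


def is_internal(dst_ip: str) -> bool:
    """True when the destination lies inside the company's own address space."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_authorized(dst_ip: str) -> bool:
    """True when the destination is on the allow-list of approved external sites."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in AUTHORIZED_DESTINATIONS)


def parse_line(line: str):
    """Split one whitespace-separated record into typed fields."""
    ts, host, dst, port, nbytes = line.split()
    return ts, host, dst, int(port), int(nbytes)


def find_unauthorized_outbound(log_text: str) -> list:
    """Return an Alert for every connection to a destination that is neither
    internal nor on the allow-list, rated by the volume of data sent."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = parse_line(line)
        if is_internal(dst) or is_authorized(dst):
            continue
        severity = "high" if nbytes >= LARGE_TRANSFER_BYTES else "medium"
        alerts.append(Alert(ts, host, dst, port, nbytes, severity))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_outbound(SAMPLE_LOG):
        print(f"{a.severity.upper():6} {a.timestamp} {a.src_host} -> "
              f"{a.dst_ip}:{a.dst_port} ({a.bytes_out} bytes)")
```

On the constructed log this flags two of the five records: the 4 MB transfer from the finance workstation to an unlisted address (high) and the small connection from the reception workstation to another unlisted address (medium); the payment-processor, backup-host and internal connections pass. In practice the allow-list would be generated from the device and software inventories the article also calls for, and alerts would feed the incident response plan rather than a printout.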
What can companies do to protect against losses if they are hacked?
A variety of insurance policies cover things like the cost of fines, notification that PII has been compromised, liability and business interruption. All cyber policies are slightly different, and you have to be careful to buy the right coverage.
Businesses are smart enough to buy fire insurance in case a building burns down. Cyberattacks can be just as damaging, depending upon what happens and what information has been compromised.
William M. Goddard, CPCU, is principal, Insurance Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1253 or firstname.lastname@example.org.
Lawrence J. Newell, CISA, CISM, QSA, CBRM, is manager, Risk Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1218 or email@example.com.
Insights Accounting is brought to you by Brown Smith Wallace
Eighty-five percent of small business owners feel that their cyber security is adequate, according to a recent survey. However, that sense of security may be a false one, as two out of three businesses have been victimized by a data breach or cyber security incident, according to a national preparedness report recently released by the Federal Emergency Management Agency.
“There’s a false sense of security out there by business owners,” says Jason Corrado, commercial insurance advisor for First Commonwealth Bank. “They believe that it will never happen to them or that they are properly protected, but things are changing so quickly that more times than not, that is not the case.”
Smart Business spoke with Corrado about the cyber threats facing businesses and how to prepare for them and protect your business.
Why is cyber security so important to businesses, especially mid-sized ones?
Look at where technology has gone. Think about where we were 10 years ago, where we were five years ago and where we are today as far as the transfer of electronic data, customer information, etc. And it’s only advancing faster and faster. It’s an important subject, especially now, because many businesses have been slow to realize the severity of the risk they face, and 40 percent of businesses don’t even back up their data.
As larger companies — such as Sony and Zappos.com, that have had data breaches — take this more seriously, they are investing time, energy and money into protecting their clients’ information. As a result, hackers will pursue the low-hanging fruit — the smaller and mid-sized businesses that haven’t invested the time and energy into security because they don’t think they have the resources.
What are some of the risks that employers face?
There are the obvious ones, such as hackers who find weaknesses in software and electronic systems to gain access, sometimes with the aid of malicious codes such as viruses, worms and Trojan horses. Cyber extortion, in which someone will hijack your website and hold it hostage until you give them X, Y and Z, is also increasing.
However, there are other risks you might not think about. If a company allows its employees to take laptops with them on the road or home, and one of those is stolen, what happens to the data on there, especially if it includes sensitive customer information?
Another risk is your Wi-Fi network. Have you taken steps to make sure it is secure? It sounds simple and you may assume that most people do so, but as many as 50 percent of businesses have open Wi-Fi networks that can be picked up by a smartphone, making them easier to hack.
What steps can a business take to combat exposure?
The first step is risk assessment. If you have a website, if you do business online, you need to figure out what your exposures are, and if you don’t know, then enlist the help of someone who does. What kind of data are you capturing from clients? Where are you storing it and how are you backing it up? If you don’t understand your risks, you can’t eliminate them.
Risk management is the second part. Put together an IT risk management plan, which is a formal written document that addresses the scope of the plan, the roles employees in your company play, the responsibilities of individuals and departments, compliance criteria, how you’ll tell customers if there is a breach, etc.
The plan outlines what you can do to prevent cyber attacks. You can train employees on cyber security; install and update anti-virus, anti-spy software on computer systems; check your Internet firewalls; make sure software and systems are up to date; back up and make copies of critical data; and control physical access to computers by ensuring employees use the proper passwords and don’t leave terminals or laptops open.
You can also take smart business steps such as evaluating your Internet service provider. All service providers are not created equal, so beyond getting you on the Internet, what does it offer to reduce exposure with security and privacy?
Once the IT risk management plan is in place, you need to hold all employees – including yourself — accountable. Sometimes owners and officers are the biggest offenders for not following proper procedures where data is concerned. You also need to review your plan annually, or when you make significant changes to the systems that you are operating.
Aside from an IT risk management plan, are there other ways to manage your risk?
You can identify all the exposures that are out there and get a plan in place, but risk financing can also act as a backstop if your prevention measures fail to protect your company.
With cyber liability insurance, you pay a premium to an insurance company to help you in case something does happen. If your systems are hacked and you’re down for a couple of days or you lose data, the insurance will protect your company’s assets and help you recoup costs. Cyber liability insurance also will protect you if one of your employees sends an email with a virus and a third party’s system gets infected. In addition, you can use business interruption insurance to fill the gaps of lost revenue if a cyber attack stops you from conducting business.
By using risk assessment, risk management, risk prevention and risk financing together, even mid-sized businesses can hedge against cyber attacks.
Jason Corrado is a commercial insurance advisor for First Commonwealth Bank. Reach him at (724) 934-4569 or Jason.Corrado@fcfins.com.
Insights Wealth Management is brought to you by First Commonwealth Bank