The executive order released Feb. 12, 2013, by the White House on improving critical infrastructure in many ways confirms cyberattacks have become a serious threat to national security.
While the order’s focus is on protecting critical infrastructure, such as power grids and hospitals, private sector companies also should take cyberattacks seriously.
“Business owners will lock their cars and protect their homes in sophisticated ways but won’t protect the most critical area, which is where their data sits,” says Pervez Delawalla, president and CEO of Net2EZ. “Because it’s not happening in front of us, but in the cyberworld, many tend to not pay attention.”
Smart Business spoke with Delawalla about cybersecurity, the threats that exist and how companies can protect themselves.
What are the threats?
The biggest threat facing our digital information is foreign governments trying to penetrate our systems for intelligence from which economic value can be gained. A great deal of proprietary information, such as designs and ideas for new products, is being stored on company servers. If that information were extracted, it could offer a competitive advantage.
The common thought used to be that a cyberattack would result in a company’s website going down. A hacker looking to make a name for him or herself would attack a site by bombarding it with bogus traffic, and it would cease to function. Now, hackers are looking to stay behind the scenes because the data they gain can be a lot more valuable than shutting down a site.
What could be the extent of the damage?
In extreme cases, a data breach could trigger the complete downfall of a company. Depending on the nature of the attack, a breach could cause customers to lose trust in the company and its brands. That’s in extreme cases. In other instances, valuable intellectual property could be lost and the associated R&D investment would be hard to recoup.
How can a company recognize its exposure to cyberthreats?
Many times exposures come from within the company, so it’s important to understand what employees are working on and who has access to what data.
Also, consider the risk when an executive travels overseas. When using his or her smartphone, it’s possible software can be downloaded on the phone without his or her knowledge. When that person comes back and connects to his or her office network, the software that was downloaded could penetrate into his or her network.
What are some critical components of good cybersecurity?
It’s important to establish layers of protection. For example, set criteria for employees to access certain company information on its servers. Similarly, companies should employ hardware in layers in order to protect critical data. There are hardware devices designed specifically to stop distributed denial-of-service attacks.
Intrusion protection systems can detect when someone penetrates a company’s network and identify who, where and how. Firewalls also are useful to block unwanted traffic, but have them periodically audited to ensure their effectiveness.
It’s important to have all of these systems audited. Too often companies set up these systems and forget about them until something bad happens.
Regarding mobile security, executives traveling overseas should take a conventional cellphone. Another option would be to back up the data on your smartphone before the trip, use the phone overseas, and then wipe the entire phone before connecting to any of your home networks again.
Who can help put a solid cybersecurity plan in place?
There are professionals who have expertise specifically in cybersecurity. Companies in some cases are adding chief security officers to work alongside chief technology officers. However, if a company is not large enough to appoint someone to such a position, then the best option is to work with a consultant who is focused on the security side or a company that provides cybersecurity services on an ongoing basis.
Pervez Delawalla is president and CEO at Net2EZ. Reach him at (310) 426-6700 or email@example.com.
Insights Technology is brought to you by Net2EZ
The Division of Corporation Finance, a part of the Securities and Exchange Commission, issued guidance on disclosure obligations related to cybersecurity risks and incidents a few years ago. Public companies aren’t yet required to disclose this information to shareholders, but they could be at some point, says Brittany Teare, IT advisory manager at Weaver.
“Right now, this is guidance that is in the best interest for your shareholders, but that will likely change. It could become a requirement sooner rather than later,” she says.
Smart Business spoke with Teare about the guidance and how businesses can measure and guard against cyberrisks.
What are the SEC reporting requirements for cybersecurity under this guidance?
The guidance expands upon the existing requirements that public companies follow, but there’s no mandatory piece yet that results in a direct impact if a company doesn’t disclose information.
Basically, the guidance states that if cybersecurity risks and cyber incidents have a material effect on your shareholders — if it could affect how financial information is reported — you have to report them.
How do you know when cybersecurity risks materially impact your company?
The guidance addresses some possible risks and whether they should be voluntarily reported to shareholders. If you don’t have cybersecurity controls around your key financial systems, for example, then the way you record or report your data can be easily manipulated or altered. Even if a cyber breach has not yet occurred, it is very likely.
Cybersecurity is a gray area. Employers typically know that network and perimeter security, access and change controls should be in place, but executives may not consider disclosing vulnerabilities. CEOs and CFOs typically look at balance sheets and see line items for hardware and other things they can touch, but it can be challenging to consider the ways a breach can happen.
How would you advise CEOs to quantify data and see vulnerabilities?
First, designate a person or group of people to be responsible for cybersecurity. They should not only understand SEC requirements and where they are potentially heading, but also must identify specific risks.
There is a central entry point in any network, so key people need to know where the sensitive data is because if an attacker gets there, it could add up to a huge loss. If the company does not store much sensitive information, an attack could impact its reputation, which is more difficult to value.
Another challenge is improving communication from the CIO or IT manager. Often, IT will say, ‘We need X dollars for new equipment, applications and hardware that are going to help make our organization more secure.’ When management hears this number, which can be millions in larger organizations, they want to know the ROI. However, IT personnel typically struggle to quantify that.
A CIO needs to be able to tell other executives, ‘If this firewall, application or system is not installed, a breach would cost us X dollars, or the company could lose X dollars per day,’ for example. Not everything can be quantified, but this gives CIOs a starting point.
What will protect your data and reputation?
Some key, high-level steps to consider are:
• Take inventory of the data systems and gain an understanding of where critical data is located. Then, work to ensure that there is an appropriate amount of security in those areas.
• Use complex, strong passwords to protect the network, systems and data, and regularly change them. Have the system lock out users after a certain number of failed attempts and log all such activity.
• Heavily monitor networks and systems. Check who is logging in and from where, who is successfully entering and who is failing. Then, set a baseline to understand any abnormalities.
• Use the principle of least privilege, especially for critical accounts and functions. This ensures that no single employee has all access; rather, access is tailored to the job function.
There is more companies can do. But by implementing key, basic controls, if a breach occurs, the business can more easily identify what happened and how.
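The lockout-after-failures and login-baseline checks described in the two bullets above, as an added example (not code from the article or from Weaver); the log format, the thresholds and the baseline of usual source addresses are all assumptions constructed for the example:

```python
"""Constructed example: find accounts that should be locked out after a burst
of failed logins, and successful logins from a source the account has never
used before. Log format, thresholds and baseline are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (one event per line).
SAMPLE_LOG = """\
2013-03-04T08:01:10 user=alice src=10.0.1.15 result=success
2013-03-04T08:02:30 user=bob src=10.0.1.22 result=success
2013-03-04T08:05:01 user=alice src=198.51.100.7 result=failure
2013-03-04T08:05:04 user=alice src=198.51.100.7 result=failure
2013-03-04T08:05:07 user=alice src=198.51.100.7 result=failure
2013-03-04T08:05:09 user=alice src=198.51.100.7 result=failure
2013-03-04T08:05:12 user=alice src=198.51.100.7 result=failure
2013-03-04T08:05:40 user=alice src=198.51.100.7 result=success
2013-03-04T09:10:00 user=carol src=10.0.1.40 result=failure
2013-03-04T09:30:00 user=carol src=10.0.1.40 result=success
"""

# Baseline: the sources each account normally logs in from, learned from
# earlier clean history (constructed here).
BASELINE = {"alice": {"10.0.1.15"}, "bob": {"10.0.1.22"}, "carol": {"10.0.1.40"}}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    success: bool


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts), kv["user"],
                            kv["src"], kv["result"] == "success"))
    return events


def lockouts(events, max_failures=5, window=timedelta(minutes=10)):
    """Return (user, time) for each account that reaches max_failures inside
    a sliding window. A success clears the counter; so does a lockout."""
    recent = defaultdict(list)
    locked = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:
            recent[ev.user].clear()
            continue
        fails = [t for t in recent[ev.user] if ev.ts - t <= window]
        fails.append(ev.ts)
        recent[ev.user] = fails
        if len(fails) >= max_failures:
            locked.append((ev.user, ev.ts))
            recent[ev.user].clear()
    return locked


def new_sources(events, baseline):
    """Successful logins from a source absent from the account's baseline.
    A success right after a lockout burst, as in the sample, is exactly the
    kind of abnormality the baseline is meant to surface."""
    return [(e.user, e.src) for e in events
            if e.success and e.src not in baseline.get(e.user, set())]


def report(text=SAMPLE_LOG, baseline=BASELINE):
    events = parse_log(text)
    return {"lockouts": lockouts(events), "new_sources": new_sources(events, baseline)}


if __name__ == "__main__":
    for kind, items in report().items():
        print(kind, items)
```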
Brittany Teare is IT advisory manager at Weaver. Reach her at (972) 448-9299 or firstname.lastname@example.org.
Insights Accounting is brought to you by Weaver
In this day and age, only a small number of businesses can function without a network of computers. Unfortunately, there are inherent risks to computer usage — hackers, viruses, worms, spyware, malware, unethical use of stolen passwords and credentials, unauthorized data removal by employees with USB flash drives, or servers crashing and bringing productivity to a halt. Owners of small to midsize businesses have to be cautious of cyberattackers, and depending on your industry, your business may be an easier target than larger businesses.
With cyberattacks on the rise, Smart Business spoke with Jalal Nazeri, a certified information systems auditor at Sensiba San Filippo LLP to discuss what business owners can do to protect themselves.
What is the first step toward protection?
The first task in creating a secure network is to draft a security policy, which, if carefully managed, can lower the risk of these threats.
When drafting a policy, consider every perceived threat, no matter how unlikely it may seem. Communicating and monitoring these policies regularly will lay the groundwork for compliance in defense of your network.
There are a number of core ideas to consider in implementing a policy. First, you will need to do a risk assessment to identify risks and determine the best methods to prepare for them. Then you will need to classify data by sensitivity level and develop access restrictions. Consider what the security requirements are of an authorized user and assess the possible risk, both logical and physical. In addition, create a plan to back up each user’s data. Finally, ongoing monitoring and maintenance of your risk assessment and the underlying policies and procedures is a must.
How do you manage employees’ usage of company computers?
An acceptable use policy is a common element to include in your security policy. The acceptable use policy restricts users by giving them guidelines on what they can and cannot do on your company’s network. Adding these restrictions can place an inconvenience on the end user, but it’s imperative to have them in place for the protection of your organization. The end user can be an organization’s weakest point.
Once a user reviews the policy and accepts the restrictions in place, it’s important that he or she sign the policy. Users should be made to re-sign the policy whenever it changes, and at regular intervals even when unchanged. Some companies set a six-month timeline, others vary. The value of the policy depends on the communication and monitoring of compliance. Without enforcement, its value is greatly reduced.
What are other tools businesses can use?
A few other key items a business can use are firewalls, content filters, encryption, virus protection, and accounts and passwords. Business owners need to maintain these tools, not just put them in place and forget about them.
Firewalls act as a barrier to the internal network, blocking unwanted traffic, while content filters restrict material delivered on the network and control what content is available to users on the Internet. Encryption is becoming more vital for transferring and storing data, whether it is for regulatory compliance or customer protection from theft.
Anti-virus software is a must on all your servers and workstations. A scheduled virus scan should never be missed, and always have automatic updates turned on.
Never use generic passwords or account names, and restrict users to using only their own login. Passwords should follow a complexity requirement, like the use of a mix of letters, punctuation, symbols and numbers, and should also have a limited lifetime and a rotation.
What is the value of taking these steps?
With small to midsize businesses, budget is always a major consideration in what is plausible in obtaining the most secured environment. With a good policy in place, identification of priority spending can be determined and can reduce the need for excess software and hardware.
Cyberattackers look to gain access to networks that have the least amount of resistance. A good security policy protects data against potential threats. Without one, the company may incur significant remediation costs, lose productivity and even lose clients.
Jalal Nazeri is a certified information systems auditor at Sensiba San Filippo LLP. Reach him at (925) 271-8700 or email@example.com.
Insights Accounting is brought to you by Sensiba San Filippo LLP
On Feb. 12, President Barack Obama signed the executive order, Improving Critical Infrastructure Cybersecurity, which will set cybersecurity standards for certain private companies.
However, remarks by Lisa J. Sotto, chair of the U.S. Department of Homeland Security (DHS), Data Privacy and Integrity Advisory Committee, raised red flags. She said: “I would suggest that these standards will become the standards by which companies will be judged, so that if there is a cybersecurity event there may be negligence claims that follow if the standards are not complied with. Also, there could be shareholder suits, if a company suffers damage as the result of a cybersecurity event where they’re not complying with the cybersecurity framework.”
“If the government says, ‘We’re officially setting the bar and if you’re not above it you’re going to be found negligent,’ then companies will need an insurance policy that will defend them,” says Karl Henley, vice president at SeibertKeck Insurance Agency.
Smart Business spoke with Henley about possible implications of this executive order.
What is the executive order’s goal?
After failing to pass the Cyber Intelligence Sharing and Protection Act of 2012, the Obama administration wanted to protect what it felt was critical infrastructure — private companies. This executive order establishes the foundation for a ‘framework’ between the private sector and government, seeking to set standards for certain industries. The goal is to improve communication and awareness so the private sector can take steps to protect itself.
Currently, only some private industry sectors have set cybersecurity standards, such as the credit card processing industry. This is the government’s first attempt to set a wider standard for all private companies.
Do you think many are aware of this?
Large corporations should be aware, but this could have been missed by many middle-market and owner-managed businesses that may not have an in-house compliance group to stay on top of developing regulations.
What will be impacted?
The areas that will be impacted are defined as critical to our country and economic infrastructure, such as financial services, and electrical, water, water treatment and fuel suppliers. Before July 12, the secretary of the DHS will identify where a cyberattack could cause catastrophic problems, regionally or nationally, for public health or safety, economic security or national security.
Executive orders cannot make mandates, so this will be voluntary for most. However, courts may choose to use these as the standard for negligence. Government contractors will be incentivized to comply as a criterion for contract selection.
What are the cybersecurity implications?
One positive is the improved flow of information from government to the private sector about cyberthreats. CIOs and IT staff will have improved access to timely information about potential hazards.
However, Sotto’s remarks are troubling. Anytime someone in government uses the words ‘negligence,’ ‘judged’ and ‘claims,’ it’s generally not good for businesses. It will be critical that companies minimize potential weaknesses in cybersecurity infrastructure.
What does this mean for insureds?
A general liability policy excludes most cyber-related losses, so insureds will need to fill coverage gaps with a cyber liability policy.
It also will be important to keep informed as insurance policy language changes to incorporate the standards within your policy. Good dialogue around your business model, Internet presence, and interaction with customers with an informed adviser or the right consultants will be essential to helping companies adapt and protect themselves from negligence claims. Directors and officers executive liability policies, often overlooked by non-publicly traded companies, generally cover the defense of shareholder suits.
What are some next steps?
The private sector, in conjunction with the National Institute of Standards and Technology, is being asked to help design the standards and develop a fluid framework, as cyberattackers frequently change tactics. The proposed framework will be published Oct. 10, with the final due Feb. 12, 2014.
Karl Henley is vice president of SeibertKeck Insurance Agency. Reach him at (330) 294-1358 or firstname.lastname@example.org.
Insights Business Insurance is brought to you by SeibertKeck
On Feb. 12, President Barack Obama signed the executive order, Improving Critical Infrastructure Cybersecurity, which will set cybersecurity standards for certain private companies.
“If the government says, ‘We’re officially setting the bar and if you’re not above it you’re going to be found negligent,’ then companies will need an insurance policy that will defend them,” says Cliff Baseler, vice president at Best Hoovler Insurance Services Inc., a SeibertKeck company.
Smart Business spoke with Baseler about possible implications of this executive order.
What will be impacted?
Executive orders cannot make mandates. However, courts may choose to use these as the standard for negligence. Government contractors will be incentivized to comply as a criterion for contract selection.
Cliff Baseler is vice president of Best Hoovler Insurance Services Inc., a SeibertKeck company. Reach him at (614) 246-7475 or email@example.com.
Insights Business Insurance is brought to you by SeibertKeck
Many businesses neglect cyber and privacy issues because they simply don’t believe they are at risk or they do not fully understand the exposure.
“The majority of them think they’re safe because they have a secured firewall in place and virus protection. This is the biggest misconception out there. In reality, data thieves are simply looking for the path of least resistance. Owners of small to midsize businesses who become complacent or think they have adequate protection against cyber and privacy attacks can actually be a bigger target than large companies,” says Derek M. Hoch, president of Leverity Insurance Group.
Attacks can be harder for small and midsize businesses to recover from. Many businesses close permanently within six months after being victimized by cybercriminals.
“That’s why it is vital to have adequate controls and the proper insurance in place,” says Hoch.
Smart Business spoke with Hoch about cyberattacks and how business owners can protect themselves.
What are the cyber and privacy issues for business owners?
Cyber and privacy liability is best described as any third party or first party hacking into your database for personally identifiable information (PII). This includes access to names, dates of birth, Social Security numbers, credit card information, emails and passwords. Ultimately, this can potentially lead to identity theft and/or cyberextortion.
In addition, businesses that operate with paper files or ‘non-electronic’ information have the same potential to be compromised by both third parties and employees.
However, the most overlooked exposure to business owners is the actual cost of a data breach when your records have been compromised. On average, a data breach can cost a company more than $200 per record when considering loss of business, ongoing forensic expenses, notification costs and credit monitoring.
What types of businesses need cyber and privacy liability coverage?
Every business owner has exposure on some level if they have third-party and/or employee information stored on a computer or in paper files.
Cyber and privacy liability is relatively new, so most business owners don’t even know that the coverage exists or is available in today’s insurance market. It is a significant exposure and should be included in your overall risk management program.
How can businesses protect themselves?
It starts with the culture of the business owner and includes training employees to use proper cyber and privacy security policies and procedures. This list of procedures should include the following at a minimum:
• Use passwords on all computers, laptops, tablets and smartphones.
• Regularly change passwords every 30 to 40 days.
• Limit employee access to data.
• Restrict authority to install software unless approved by management.
• Provide ongoing training for employees who gather, use, transmit and dispose of confidential data.
• Install and update anti-virus and anti-spyware programs on every computer. Smartphones and tablets are often overlooked, yet most salespeople out in the field are using them.
• Back up your data off-site in a secure location, not in the same facility of your day-to-day operations. If the system is hacked or temporarily shut down, you can still retrieve the information and continue to operate your business.
Isn’t cyber and privacy liability part of standard business insurance?
No, most insurance policies exclude this coverage or may offer a small amount of ancillary coverage to recover or reconstruct any lost data. Cyber and privacy exposures are not covered under any property, general liability, crime, directors and officers liability, or umbrella policies. Business owners need to purchase a true cyber and privacy liability policy including security and privacy liability, notification and forensic expenses, business interruption, and cyberextortion to complete the proper risk management of their business.
Derek M. Hoch is president of Leverity Insurance Group. Reach him at (216) 861-2727 or firstname.lastname@example.org.
Insights Business Insurance is brought to you by Leverity Insurance Group
Data breaches are becoming more commonplace, causing millions of dollars in damages for companies that have personally identifiable information (PII) hacked by cybercriminals.
“Think about all of the losses you can incur. Not only do you have to hire a security expert to find what happened, you may be assessed fines or penalties by the merchant’s acquiring bank or payment card brand. In addition, you could be responsible for credit card charges made by the criminals and lose business because no one trusts you anymore,” says William M. Goddard, CPCU, principal, Insurance Advisory Services at Brown Smith Wallace.
Smart Business spoke with Goddard and Lawrence J. Newell, CISA, CISM, QSA, CBRM, security and privacy manager, about protecting companies from cybercrime.
How do cybercriminals access networks?
One typical method is spear phishing. Unlike traditional phishing attempts, which are fraudulent emails sent at random claiming to be from a reputable organization like a bank or eBay, spear phishing emails are sent to targeted employees or customers of a company.
The email appears to be coming from the company and requests that the recipient click on a link, which then goes to a fraudulent website. They may ask for personal information or they may launch a virus they’ll use to get into your network.
If you click on the link, it launches a program in the background that goes onto your workstation and canvasses the network for other vulnerabilities. The program collects data, whether that’s credit card information or other PII, and uploads it to the cybercriminal.
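The spear-phishing pattern described above (a message that appears to come from the company and carries a link to a fraudulent site) can be screened for on the receiving side. The following is an added example, not code from the article or from Brown Smith Wallace; the company domain, the message and the last-two-labels domain heuristic are assumptions constructed for it:

```python
"""Constructed example: flag a message whose sender address and links only
look like the company's own. The company domain, the sample message and the
registered-domain heuristic are assumptions for this example."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAINS = {"example-corp.com"}  # assumption: the company's real domain

# Constructed message: lookalike sender host, link text that shows the real
# portal while the href points elsewhere.
RAW_MESSAGE = """\
From: "Example Corp IT Support" <helpdesk@example-corp.com.login-verify.example.net>
To: staff@example-corp.com
Subject: Action required: confirm your account
Content-Type: text/html

<html><body>
<p>Please confirm your account at
<a href="http://example-corp-login.example.net/verify">https://portal.example-corp.com</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (heuristic; a public-suffix list is
    the proper tool, omitted here to stay dependency-free)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw, company_domains=COMPANY_DOMAINS):
    """Return a list of (finding, detail) tuples; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, addr = email.utils.parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2]
    if registered_domain(sender_host) not in company_domains:
        findings.append(("sender_not_company", sender_host))
        # The company's name embedded in a foreign host is the lookalike trick.
        if any(d.split(".")[0] in sender_host for d in company_domains):
            findings.append(("sender_lookalike", sender_host))
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = LinkExtractor()
        parser.feed(html_part.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            text_host = (urlparse(text).hostname
                         if text.startswith(("http://", "https://")) else None)
            if registered_domain(href_host) not in company_domains:
                findings.append(("link_not_company", href))
            # Visible URL and real destination disagree: classic bait.
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                findings.append(("link_text_mismatch", href))
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print(*finding)
```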
How can you reduce cyberattack risk?
The first thing to do is develop an information security policy, document it and disseminate it throughout the organization.
Other protective measures are:
- Conduct an inventory of authorized devices on your network. Guests can come into your place of business with a laptop and leave a device on your network that goes undetected. That device could have Trojan horses or viruses that, when executed, plant a program on your network.
- List an inventory of software allowed to run on workstations or servers. That helps when looking for rogue programs or software installations.
- Install an anti-virus program to detect malware. Anti-virus protection also needs to be maintained and updated for the latest definitions.
- Run vulnerability and penetration tests on servers and networking equipment to make sure you don’t have unnecessary services running that could lead to a vulnerability and potential unauthorized access.
- Prevent data loss by running programs to detect outbound calls or connectivity to remote sites that are not authorized to receive data output.
- Create security awareness within your company to ensure that people who have access to information are not sharing anything that is confidential or private.
- Develop an incident response plan to react to a breach and quarantine activity before it spreads throughout the network.
Companies think they’re protected because they are compliant with some standard such as PCI, but that’s no guarantee their systems will not be compromised. Your security program needs to go beyond PCI and focus on more than credit card information. Cybercriminals go after the easiest target along with whatever PII is available that has value. For instance, not-for-profit organizations may have names, addresses and checks with banking information; all of that information is valuable to somebody. For similar reasons, credit cards are often targeted because they’re so widespread and it’s the easiest information to sell.
What can companies do to protect against losses if they are hacked?
A variety of insurance policies cover things like the cost of fines, notification that PII has been compromised, liability and business interruption. All cyber policies are slightly different, and you have to be careful to buy the right coverage.
Businesses are smart enough to buy fire insurance in case a building burns down. Cyberattacks can be just as damaging, depending upon what happens and what information has been compromised.
William M. Goddard, CPCU, is principal, Insurance Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1253 or email@example.com.
Lawrence J. Newell, CISA, CISM, QSA, CBRM, is manager, Risk Advisory Services, at Brown Smith Wallace. Reach him at (314) 983-1218 or firstname.lastname@example.org.
Insights Accounting is brought to you by Brown Smith Wallace