To keep our clients informed about the risks of a data breach or cyber-attack, we periodically send reminders to clients who do not have cyber insurance about the need to have it. We also make our clients aware of cyber security webinars when they occur. Unfortunately, many clients ignore both the webinars and the need for cyber data breach insurance coverage. Telling our clients that a cyber-attack will happen to them is close to a certainty. It is like predicting the weather in Dallas, Texas in the summer: a pretty sure bet that the high will be between 95 and 105 degrees from June through most of September.
This is a recent e-mail that we received from one of our clients:
“Subject: Hacked 4:06 on Nov 7th
Our IT person was able to back up to the 1 pm server backup.
Lost very little.
But two computers needed replacing due to virus.
Still not completely up and running.
How ironic I received on Nov 9th Cyber Insurance Essential Coverage email.”
So what is a small firm supposed to do on a limited budget? Generally you do not have a full-time IT department keeping your systems safe and your employees aware. The following are common-sense steps to building security walls for your firm.
1. Train your employees--Staff cause almost 50% of data breaches in small and mid-size firms. Most breaches start with an innocent mistake by staff who lack basic awareness of data security and of how hackers work. Staff education is the first essential wall to keeping a cybercriminal out.
A growing threat for firms is hackers posing as a trusted source in need of confidential data, for example "the boss" asking for a complete list of all payroll data including birthdates and social security numbers. Through phishing, employees are invited to click on a link, unknowingly installing viruses or ransomware on their computer and putting holes in your wall.
To avoid these traps:
- Confirm the legitimacy of the source before giving out confidential information
- Never open attachments from people you don’t know
- Avoid suspicious links in emails, websites and online ads
2. Secure sensitive information--Cybercriminals covet sensitive data as a valued commodity for profit. This includes personally identifiable information for staff, clients and vendors as well as client business trade secrets, financial data and other firm-confidential information. In the wrong hands, this information can damage your firm's and your clients' reputations, opening the firm up to sanctions and fines. Build a wall around this data by limiting access to online files on a need-to-know basis. And put a good old-fashioned wall around paper files and removable storage devices containing sensitive information: keep them in a locked drawer, cabinet, safe or other secure container when not in use.
3. Properly dispose of sensitive data--When disposing of sensitive data, shred documents containing confidential information prior to recycling. Remove all data from electronic devices, whether computers, tablets, smartphones or storage hardware, before disposing of them. Dumpster diving is not out of style for criminals, and your right to privacy generally ends at the curb.
4. Use strong password protection--Password-protect your business computers, laptops, smartphones, network access, and accounts. Require employees to change default passwords and set a strong, complex password with a variety of characters that must be changed at least quarterly. Make sure to not use the same password for different applications. Imagine a cybercriminal discovering that the same password is used for accessing all systems and data.
5. Protect against malware--Malware can be installed by unsuspecting staff plugging in a malware-laden USB device such as a thumb drive, smart phone or an unsecured laptop, in addition to clicking on an infected link in an email or on a website. To prevent a malware attack, install and use antivirus and anti-spyware software on all company devices and be sure your employees are on the lookout for suspicious links. If possible, have a policy that no external devices are to be connected to your data systems. This will prevent another possible breach of your wall.
6. Control physical access to your business computers--Create user accounts for all staff needing access and prevent unauthorized users from gaining access to your business computers. Make sure that the outside public does not have physical access to your computers. Laptops are easily stolen, so make sure they are password protected. Limit the firm's data that is stored on a remote device. Install software on remote devices that allows all data on the hard drive to be wiped if the device is stolen. Limit network access on computers located in or around public spaces, such as the reception area. All your security does you no good if the data can be accessed outside the wall.
7. Encrypt data--Encrypt sensitive data stored on devices, in the cloud or being transmitted over the Internet. Make sure that only the staff member with the proper key can decode it. Encrypt data on laptops, mobile devices, USB drives, backup drives and email. Anything that cannot be nailed down should be encrypted.
8. Keep your software and operating systems up to date--Not updating your systems allows bigger and bigger holes in your walls; think Equifax. Malware continuously evolves, and software vendors continuously update or "patch" their programs in order to address new security vulnerabilities.
9. Secure access to your network--To prevent cybercriminals from accessing private network information, enable your operating system's firewall and/or purchase reputable firewall software. Configure a Virtual Private Network (VPN) to provide staff with a secure means of accessing your network while working remotely. If you have a Wi-Fi network for your workplace, make sure it is secure and encrypted, and require a password to gain access. If you want to offer 'guest' Wi-Fi, set up a separate 'guest' login with no access to firm data or systems. Nothing like having great security only to allow cyber criminals easy access via Wi-Fi in your parking lot.
10. Verify the security controls of third parties--Firms rely on third-party vendors for parts of their operation, such as payroll, credit card processing or managing their security functions. Many firms are tightly integrated with their clients. But there are security risks in doing so. If a vendor or client breach occurs, your data can be compromised. Or if your systems are breached, you could also expose a client's data systems. In either case you can be held liable.
11. Obtain Cyber/Data Breach Insurance--Even with the best security in place, a breach can happen. Security walls are only good for defense. Cyber criminals are constantly looking for ways to breach your security, and even the best defense eventually gets scored on. A good Cyber Liability/Data Breach Insurance policy provides both first-party and third-party coverage in case the worst happens.
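The password rules in step 4 above (length and a variety of characters, no reuse of the same password across applications, a change at least quarterly) can be enforced rather than just asked for. The following is an added Python illustration, not code from the original post; the 12-character minimum, the 90-day rotation window, the PBKDF2 settings and the sample accounts are all assumptions. Passwords are never stored in plaintext, so the reuse check re-derives the candidate with each stored record's salt.

```python
"""Password policy, cross-application reuse and rotation checks (standard library only).

Added illustration for step 4; the constants, record layout and sample data are assumptions.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ROTATION_DAYS = 90        # "at least quarterly" taken as 90 days (assumption)
MIN_LENGTH = 12           # assumed minimum length
PBKDF2_ROUNDS = 200_000   # assumed work factor for the stored hash


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: datetime


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password: str) -> list[str]:
    """Return the rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "a variety of characters": require lower, upper, digit and symbol classes
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    return problems


class AccountStore:
    """Per-user, per-application password records; plaintext is never kept."""

    def __init__(self):
        self._records: dict[tuple[str, str], StoredPassword] = {}

    def reused_in(self, user: str, app: str, candidate: str) -> list[str]:
        """Other applications of this user whose current password equals the candidate.
        Each record has its own salt, so the candidate is re-derived per record."""
        hits = []
        for (u, a), rec in self._records.items():
            if u == user and a != app and _derive(candidate, rec.salt) == rec.digest:
                hits.append(a)
        return sorted(hits)

    def set_password(self, user: str, app: str, candidate: str, now: datetime) -> list[str]:
        """Apply the policy and the reuse check; store only if both pass.
        Returns the reasons for rejection (empty when accepted)."""
        reasons = policy_violations(candidate)
        reasons += [f"already used for {a}" for a in self.reused_in(user, app, candidate)]
        if reasons:
            return reasons
        salt = os.urandom(16)
        self._records[(user, app)] = StoredPassword(salt, _derive(candidate, salt), now)
        return []

    def due_for_rotation(self, now: datetime) -> list[tuple[str, str]]:
        """(user, app) pairs whose password is older than the rotation window."""
        cutoff = now - timedelta(days=ROTATION_DAYS)
        return sorted(k for k, rec in self._records.items() if rec.set_at < cutoff)


def demo() -> dict:
    """Walk the checks over constructed sample accounts."""
    store = AccountStore()
    jan = datetime(2024, 1, 15)
    results = {
        "weak": store.set_password("alice", "email", "summer2024", jan),
        "accepted": store.set_password("alice", "email", "Mv9#lantern-Quartz", jan),
        "reused": store.set_password("alice", "payroll", "Mv9#lantern-Quartz", jan),
        "distinct": store.set_password("alice", "payroll", "Rk4!harbor_Violet7", jan),
    }
    results["stale_in_may"] = store.due_for_rotation(datetime(2024, 5, 1))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Running the script shows the weak password rejected with the rules it breaks, the same password refused for payroll because it is already in use for email, and both accounts flagged for rotation once 90 days have passed. The per-record salt means the reuse check only works at the moment a user sets a new password, which is the right place to enforce it.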