High-profile hacks, or cyber security breaches, continue to make headlines and fuel consumer concern about the safety of their personal information, including credit card data and social security numbers. Malware that wreaks havoc on corporate networks remains a major concern for businesses. But attacks aren't aimed only at huge international companies: any organization, regardless of size or industry, can be victimized, and being prepared for such an event can make a world of difference to your bottom line.
Businesses and non-profits can tackle cyber liability head-on by deploying risk-based security strategies and by purchasing cyber liability insurance. Both are essential: security controls minimize your exposure, and insurance protects you financially when a breach occurs despite them. As part of your preparation you should implement a cyber liability risk management program that incorporates both components, along with an educational and preparedness process made up of these four steps:
- Performing a risk assessment to educate your management team about potential cyber liabilities and best practices to mitigate risk.
- Designing an information technology security policy.
- Sourcing and securing the appropriate insurance and risk management program.
- Creating a data breach incident response workbook so you can be prepared and know what course of action to take in the event of a breach.
In this blog, I pose some of the key questions to help you start your risk assessment as the first step of instituting a comprehensive cyber security risk management program.
What kind of cyber-breach could occur at your business?
One of the biggest threats you face is a malicious intrusion into your systems (through a weakness in your network perimeter, a phishing email, or stolen credentials) that exposes your information to a third party intending to use it for its own gain. If you conduct business over the Internet or other networks, or store data electronically, you are at risk.
A "first party" breach occurs when your own information is compromised, while a "third party" breach, which often has the worst consequences, occurs when customer or partner information your organization has promised to keep safe is compromised.
Are you aware of the costs and your responsibilities associated with a breach?
How vulnerable is your business, and what would a breach do to your organization? Consider the following statistics from a study by Trend Micro and the Ponemon Institute:
- 77 percent of employees leave their computers unattended.
- 65 percent of small businesses say their sensitive information is not encrypted.
- 56 percent of employees frequently store sensitive data on their laptop or mobile device.
- The average cyber liability claims payout in 2013 was $954,253.
- The average cost for crisis services in 2013 was $209,625.
In the event of a security breach of a data system containing personal information of your clients and prospects, the Maryland Personal Information Protection Act (PIPA) requires you to notify every individual whose personal information has been compromised so they can take steps to protect themselves. The law describes the permitted forms of notice: a letter, a phone call, or email, with substitute notice (posting on your website and notifying statewide media) allowed only in the circumstances the statute specifies. Check the statute itself for the current timing requirements and for the notice you must also give to the Maryland Attorney General's office.
Do you have a set of best practices to protect your company?
Implementing the proper protection takes planning and varies by organization. In addition to a comprehensive risk management program, here are some best practices you can follow:
Employees:
- Train your employees to have a security mentality, and keep them informed of the latest threats. Hold meetings on how to prevent the most common vulnerabilities.
- Be alert. Don't open unexpected attachments, and treat email from senders you don't recognize, or unusual requests from senders you do, with great caution; an attacker can spoof or compromise a known contact's address.
- NEVER click on a suspicious link or open a suspicious attachment in an email. If in doubt, don't use the link at all: reach the organization's site by typing the address you already know or by using an existing bookmark, and verify the request there. Retyping the link from the email into your browser takes you to the same destination as clicking it.
- Don't plug in USB sticks from outside the company; they may carry malware.
- Remember that antivirus software catches many, but not all, viruses. Don’t assume that you’re protected just because antivirus software is in place.
Managers/Information Technology:
- Prepare internal network security and privacy teams. Make sure they are educated on a diverse set of best-practice and baseline safeguards, and that they understand the privacy laws and standards that apply to your organization.
- Administer background checks on employees in sensitive positions.
- Install baseline network security controls that meet accepted industry standards for firewalls, anti-virus, access controls, and encryption, and keep systems patched and backups tested.
If you are interested in conducting a complete risk analysis to learn more about your specific exposures and implementing a comprehensive risk management program including designing a cyber security policy, sourcing appropriate insurance or receiving an incident response workbook, feel free to contact me at jeffw@psafinancial.com.