From Large to Small Businesses, a Focus on Cyber Security Risk Management is No Longer an Option
May 29, 2020
You protect your property, assets, image and employees with a solid insurance plan. These are critical to your continued success. But in these modern times, there are new dangers and risks that must be addressed. Data, it can be (but does not have to be) argued, is the most important asset to the modern business organization. It has value. It gives advantage. It is also making business extremely vulnerable to attack.
Our data driven and tech-based society has been a boon for both individuals and businesses alike. However, this double-edged sword can cut deep into the unsuspecting and under-prepared. We are not safe…unless we are aware of the dangers out there and active in ensuring our own safety. No one is looking out for us.
Businesses must protect their data and information systems. Every system, every device, every person in your organization is a means to a hacker’s end. Perhaps you will be lucky and just experience a minor, inconvenient incident and not a devastating denial of service or ransomware attack. Luck is not how successful business leaders plan their fate though, is it?
Coupled with a solid cyber risk management program, cyber and data breach insurance coverage will help to ensure that you are not only aware of the myriad of evolving cyber risks out there, waiting, but that you are prepared to fight for the health and safety of your hard-earned success.
From large to small businesses, a focus on solid cyber security risk management and insurance protection is no longer an option, it is a requirement for survival.
What is Cyber Risk and Data Breach?
Cyber-Attack – A cyber-attack is an assault on computers, devices, and networks with the intent to cause disruption or gain access to the systems and data they contain. A cyber-attack may disable computers, steal data, or use a breached computer as an entry point for the initiation of other attacks.
Data Breach – A data breach is a security incident in which data/information is accessed by unauthorized individuals. Data breaches incur costly expenses to remediate. Data breaches can damage lives, finances, and reputations and take a long time to repair.
How, What, Why
How do they get into my systems? What do they do once inside? WHY are they doing this? The below lists are not exhaustive, but will offer some insights for your further research.
The Internet, Your website, Email, Handhelds/Connected Devices, Apps, Cloud, Your employees and leaders, Internal IT Network – Lan/Servers, WIFI, POS Systems, USB Stick, External connected partners.
Methods/Type of Attack
Malware, Phishing, MTM (Man in the middle) attacks, DoS or DDoS (Denial of service), SQL Injection (database infiltration), Zero-day exploits, DNS tunneling.
Note: These are broad terms and cover a wide range of other types of attack. e.g., ransomware is a form of malware.
The Criminal’s Goal
Ransom, Blackmail/extortion, Spying, Identity Theft, Data Theft – customer information or theft of proprietary business information, Fraud in your name, Theft of money, Terrorism.
Risk Management Considerations
An Information Security Program is a formal set of rules and policies created by an organization to that guide the management of IT systems and structures within the organization to ensure the security of organizational data and assets.
A robust information security program will address the specific needs of the organization and as such will be different depending on your industry, organizational structure and size. A good ISP may include, but is not limited to:
Risk assessment of the entire organization – Where are the vulnerabilities, what is the exposure, how to address or mitigate each risk, which risks will be prioritized?
Contingency plans in case of disaster or emergency – What happens if your systems are attacked and your business cannot operate?
Systems Access – Who has access to systems, which people or groups have restricted access, remote usage, etc.
Password management – how are passwords generated, handling of compromised passwords, storage of password information.
Change management – Structure and communication around changes in the IT environment within the organization.
Clean Desk Policy – Documents with sensitive information (or all documents/papers) locked away, general guidelines for acceptable workspace standards, “locked” computers when away from desk.
Acceptable Usage – Defines proper use of internet, email, and all systems and devices
Antivirus/Firewall – proper use and updates performed regularly
Data backup and security – Securing data, backups off-site, data recovery procedures.
Employee Education – Education of staff to ensure they are aware of and comprehend the corporate position and focus on cyber security initiatives, ongoing training, communication of current threat assessments.
A Focused Approach
A focused approach to implementing and maintaining an practical and efficient information security risk management program for your organization will ease the path to your success.
Some things to consider:
Your risk management efforts are not just about your company. You should also consider the impact of your competitors, supply-chain partners, and other external entities on your efforts.
Leadership must foment a culture of cyber risk management focus and compliance with company cyber security policies.
Information on potential cyber risks should be discussed with everyone within the organization, tailored to role. Focus on what can be achieved given the available resources. Focus on high-impact projects first. Plan for ways to continue critical projects and missions should a cyber event occur.
Incident response and recovery planning, along with rehearsing your planned response, is critical to a quick recovery when a cyber event occurs.
Are you practicing safe cyber? Identify, prioritize, plan, implement, test, educate, monitor, audit and repeat. Your program is a work in progress, not a one and done document and by no means is it fail-safe. The more you nurture and fine-tune your processes, the better protected you will be in the event of a cyber incident.
An important tool to have in your overall information security program is the proper insurance coverage for your needs. These coverages/policies will respond to cyber and breach incidents by providing a broad range of coverage on a first party and/or third-party basis. Individual insurers will vary in their offerings regarding limits, coverages, exclusions, and restrictions. Depending on the specifics of your business, options to obtain coverage can range from a simple endorsement on your BOP or package policy to a full stand alone Cyber and/or Data Breach Policy. Premiums will vary with your specific needs, so speak with your insurance agent to explore the right coverage option for you.
Here is a general summary of coverages that are available. This is not a list of coverages from any one specific insurer, and is not intended to be an exhaustive list.
First Party Defense Includes
Legal Services, Computer Forensics, Notification Expenses, ID Monitoring and Protection, Relations and Crisis Communications, Extortion Payments, Data Restoration, Business Interruption, Dependent Business Interruption, Cyber Fraud/Transfer
Third Party Defense and Indemnity
Privacy and Security related litigation, Regulatory Fines, Payment Card Loss, Internet Media
Insurance is only one tool in your toolbox
As with any insurance product, you must read the policy language and engage with your insurance agent to help you understand the options available to you and the final coverage you select. A cyber/data breach insurance policy is NOT a final solution for all your cyber security concerns; it is a tool that works in conjunction with a strong risk-management program to help with covering expenses in the event of a cyber incident impacting your business. Speak with your Risk Manager and Insurance Agent soon, before you regret that you didn’t.