As Cyber Attacks Rise, Is Your Business Protected?


Cyber attacks on companies’ information systems and data have reached unprecedented proportions, and are growing with each passing year.

The biggest threat to an organization is a breach of the personally identifiable data or credit card information that it stores. A breach results in a number of costs, including notification costs, the cost of providing credit monitoring to those whose data was compromised, potential fines, legal costs if sued – and even reputational costs. If data is stolen, there are also restoration costs.

The threat is largest for smaller organizations. Because larger companies can afford to hire teams of technicians to thwart attacks, cyber criminals are increasingly targeting small and mid-sized organizations as they may not have the same resources to defend their data. The “2019 Internet Security Threat Report” by Symantec found that:

  • 48% of cyber attacks target small businesses.
  • Just 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
  • 60% of small companies go out of business within six months of a cyber attack.

Ransomware

According to the Symantec report, in 2018, enterprises accounted for 81% of all ransomware infections. While overall ransomware infections were down, enterprise infections were up by 12% from the 2017 level.

With ransomware, hackers gain access to your IT system, lock it down and demand a ransom to release it. The ransom usually has to be paid in bitcoin or other cryptocurrency so that the criminals can avoid detection.

Phishing and malware

One of the most common ways for criminals to compromise an organization’s data is through phishing, in which employees are sent e-mails containing links that, if clicked, give the hackers entry into the company’s computer systems. Malware is usually the code that is inserted into the computer system to either slow systems down or to access the information.

What you can do

  • Install anti-malware software – This can weed out the latest malware before it does damage.
  • Keep your software up to date – Using up-to-date versions of operating systems, applications, firmware and browser plug-ins helps protect against the latest threats by patching security vulnerabilities.
  • Use strong passwords – Use a password manager tool to generate unique passwords and securely store your log-ins.
  • Lock down your devices – If your staff uses company-owned devices, or you allow them to use their own, require that the devices are locked with a password, fingerprint or other method.
  • Think twice before downloading – Remind staff to be cautious about downloading new software or browser plug-ins.
  • Click carefully – Teach your staff to look for telltale signs of phishing e-mails that prompt them to click on malicious links.

The ultimate protection

Cyber-liability insurance covers losses that result from data breaches and other cyber events.

While cyber-liability policies vary among insurers, there are some common threads:

Loss or damage to data – Many policies cover the costs to restore or recover lost, stolen or corrupted data, and may also cover the cost of outside experts or consultants you hire to preserve or reconstruct your data.

Loss of income or extra expenses – Many policies cover income you lose and extra expenses you incur to avoid or minimize a shutdown of your business after your computer system fails due to a covered peril. The perils covered may be the same as those covered under damage to electronic data.

Cyber-extortion losses – Cyber-extortion coverage applies when a hacker or a cyber thief breaks into your computer system and demands a ransom to unlock it, or to not damage the data. Extortion coverage typically applies to expenses you incur (with the insurer’s consent) to respond to an extortion demand, as well as the money you pay the extortionist.

Notification costs – Policies may cover the cost of notifying parties affected by the data breach, as required by government statutes or regulations. They may also include the cost of hiring an attorney to assess your firm’s obligations under applicable laws and regulations.

Network security liability – This covers lawsuits that individuals or companies file against your organization alleging negligence on your part for failing to adequately protect data belonging to customers, clients, employees or other parties.

Protecting Your Important Data When Employees Leave

When is a business most susceptible to losing data, intellectual property and important records? No, not during a cyber attack or a break-in, but during lay-offs.

Employees may feel disgruntled after being let go, and it’s common for some of them to pocket important company data – usually client lists, old e-mails, vendor contacts and even intellectual property that is essential to the company’s competitive advantage.

During lay-offs or termination, you need to take steps to protect your data and intellectual property, but there are legal implications as well for how far you can go. Consider the following:

Non-solicitation agreements – These protect against a departing employee taking proprietary, confidential information like client and vendor lists with them. A non-solicitation agreement bars an ex-employee from going to a competitor and contacting your clients for business.

These are not legal in all states, so check your state laws and consult with your attorneys. In California, for example, non-solicitation agreements are not enforceable.

Non-disclosure agreements – These are different than the above and no states bar them. They focus instead on company data that a competitor can use to harm the business.
These agreements spell out the employee’s fiduciary obligations under the law by identifying protected company proprietary and confidential information. The agreement requires that the employee keep such information secret for a certain period of time.

Before huddling with your lawyer, your management team should identify all of the company data that you feel is worth protecting.

Return and inventory all company property – Before your employee leaves the premises, make sure they have returned all of your property that may contain company information. That would include:

  • Originals and copies of company documents the employee has made.
  • Data on the worker’s personal phone or home computing devices (this may be difficult to enforce, but you should make them aware that they are required to delete it).

Passwords and access – On their last day, remember to delete their user names, passwords and access codes from your database and systems. This could include:

  • E-mail passwords
  • Voicemail passwords
  • Teleconference and intranet passwords
  • VPN access and passwords
  • Building or office coded lock-access codes.

Make sure to also collect any company ID cards. If you have concerns they may try to contact your current customers or vendors for any reason that could be detrimental to your firm, you can consider notifying them that the employee is no longer with you.

Conduct an exit interview – During this interview, you should go over boilerplate information like why they were let go and the importance of not taking with them any physical or intellectual property.
Ask questions to determine what, if any, company data they may have been privy to or had access to. Also, if you have non-disclosure or non-compete agreements in place, use this time to reiterate the consequences for violating those agreements.

What to look for

It’s more difficult to avoid data misappropriation by an employee who is planning on quitting, as they can make preparatory moves unbeknownst to you.

When employees are planning to take corporate data or are in the process of doing so, there are often one or more signs, which can be monitored with the right systems in place:

  • A spike in an employee copying information to the cloud, USB drives, personal devices, e-mail accounts, and more. An increase in such activity could mean that an employee is planning to leave or has gotten wind of an impending dismissal and wants to copy useful information before they go.
  • A surge in documents being deleted from an employee’s laptop or desktop computer. Files may also be deleted from corporate file shares.
  • Sudden spikes or drops in e-mail activity.
  • An employee accessing your customer relationship management system or financial accounts during late nights or very early mornings. This could mean they are scraping your files.
  • The employee is sending and/or receiving e-mails from a competitor.
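
Three of the signs above (copy spikes, deletion surges and off-hours CRM access) can be checked mechanically against activity logs. The sketch below is an added example, not part of the original article: the log layout, action names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs. Columns (assumed layout):
# ISO timestamp, user, action, number of files touched.
SAMPLE = """\
2024-03-04T10:15 alice copy_usb 3
2024-03-05T11:02 alice copy_cloud 2
2024-03-06T09:40 alice delete 4
2024-03-07T14:20 alice copy_usb 4
2024-03-08T23:41 alice crm_access 1
2024-03-08T23:55 alice copy_usb 180
2024-03-08T23:58 alice delete 95
2024-03-04T09:05 bob copy_cloud 5
2024-03-06T13:30 bob crm_access 1
2024-03-08T10:10 bob copy_cloud 6
"""

COPY = {"copy_usb", "copy_cloud", "copy_email"}  # hypothetical action names

def parse(text):
    for line in text.splitlines():
        ts, user, action, n = line.split()
        yield datetime.fromisoformat(ts), user, action, int(n)

def find_signals(text, factor=5, floor=20, night=(22, 6)):
    """Return sorted (user, day, signal) tuples for the signs listed above."""
    daily = defaultdict(lambda: defaultdict(int))  # (user, kind) -> day -> files
    alerts = set()
    for ts, user, action, n in parse(text):
        day = ts.date().isoformat()
        if action in COPY:
            daily[user, "copy_spike"][day] += n
        elif action == "delete":
            daily[user, "delete_surge"][day] += n
        elif action == "crm_access" and (ts.hour >= night[0] or ts.hour < night[1]):
            alerts.add((user, day, "off_hours_crm"))
    for (user, kind), days in daily.items():
        for day, total in days.items():
            # Baseline: the user's own average over their other active days.
            # With no history the baseline is 0, so any volume >= floor alerts.
            others = [v for d, v in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0
            if total >= floor and total > factor * baseline:
                alerts.add((user, day, kind))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_signals(SAMPLE):
        print(alert)
```

Comparing each user against their own history, with a minimum volume floor, keeps routine low-volume copying from raising alerts.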