As Cyber Threat Mounts, More Companies Take Measures


As attacks on businesses’ networks continue increasing at unprecedented levels, cyber risks have become the top concern among organizations of all sizes for the first time, according to a new survey.

The “Travelers Risk Index” found that 55% of executives surveyed said they worry “some” or “a great deal” about cyber risks. That’s more than they worry about medical cost inflation (54%), employee benefit costs (53%), the ability to attract and retain talent (46%) and legal liability (44%).

The most common types of attacks, and the ones that pose the biggest security threat to businesses, are phishing and fake e-mails. They are the hardest to combat because of the human factor involved, according to another survey, the “2019 Cyber Security Breaches Survey” published by the U.K. government.

In phishing e-mails, cyber criminals pose as colleagues or vendors to dupe an unsuspecting employee into handing over a password or clicking on a malicious link that gives them access to the company’s network.

In addition, ransomware has brought many businesses and government agencies to a standstill. The same technique is used to freeze an entire network and render it unusable until the company pays a ransom for a key to unlock it.

As concerns about cyber threats have grown, more businesses say they are taking proactive measures to safeguard against cyber risks – even though a large percentage have not implemented preventive best practices.

The steps that companies are taking, according to the Travelers survey, are:

  • Purchasing a cyber insurance policy (51% of survey participants, up from 39% in the 2018 survey the insurer conducted).
  • Creating a business continuity plan in the event of a cyber attack (47%, up from 38%).
  • Taking a cyber-risk assessment for themselves (49%, up from 45%).
  • Taking a cyber-risk assessment for their vendors (41%, up from 37%).
  • Updating computer passwords (74%, up from 71%).

The fact is that a single cyber attack can put a company out of business. Taking the threat seriously and implementing a risk management program that addresses possible exposures can help a business not only avoid an attack, but also recover from one as quickly as possible.

How to lower the chances of an attack

The insurance company Chubb recommends the following steps to reduce the chances of a cyber attack on your organization:

Identify your sensitive data – Credit card and personally identifiable information is often the target of cyber attacks.

Educate your staff – Instruct your employees about cyber attacks and how to protect the network. The most important thing for them to remember is not to open attachments from people they don’t know or in e-mails they don’t expect.
You should also post procedures for encrypting personal or sensitive information, and require them to change their passwords regularly.

Have security in place – You should have a web application firewall in place to protect your website, in addition to a firewall for your company’s network. If you accept credit card payments, you should use an e-commerce platform that is compliant with the Payment Card Industry Data Security Standard (PCI DSS) at Level 1.

Secure your hardware – Data breaches can also be caused by physical property being stolen. If your servers, laptops, cell phones or other electronics are not secured and are easy to steal, you are taking a big risk. Physically locking down computers and servers is a good idea.

Cyber insurance

As the cyber threat becomes more sophisticated and changes, cyber-insurance policies have evolved to meet businesses’ needs. There are many types of policies in the marketplace that are tailored for specific types of businesses. The key is getting a policy that best fits your organization and covers any eventualities that you may encounter.

Some coverages you may want to consider for inclusion in your cyber insurance are:

  • Business interruption – Covers the loss of business income due to a cyber attack.
  • Computer fraud – Covers theft of money, securities and other forms of tangible property through computer fraud and social engineering schemes.
  • Data breach – Covers claims of failure to protect personally identifiable information and protected health information of clients.
  • Property damage – Covers replacement cost of computers damaged by a cyber attack.
  • Identity theft expenses – These are related to the business owner or their employees after identity theft.
  • Advertising and personal injury – Covers damage caused by defamation on website or social media.
  • Transmission of virus or malicious content – Covers failure to stop the transmission of a computer virus or malicious content.
  • Errors and omissions – Covers loss caused by failure to provide proper network security.

Some policies are stand-alone products, while others are endorsements to existing policies like a business owner’s policy.

As Cyber Attacks Rise, Is Your Business Protected?


Cyber attacks on companies’ information systems and data have reached unprecedented proportions, and are growing with each passing year.

The biggest threat to an organization is a breach of the personally identifiable data or credit card information that it stores. That results in a number of costs, including notification costs, credit monitoring for those whose data was compromised, potential fines, legal costs if sued – and even reputational costs. If data is stolen, there are also restoration costs.

The threat is largest for smaller organizations. Because larger companies can afford to hire teams of technicians to thwart attacks, cyber criminals are increasingly targeting small and mid-sized organizations as they may not have the same resources to defend their data. The “2019 Internet Security Threat Report” by Symantec found that:

  • 48% of cyber attacks target small business.
  • Just 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
  • 60% of small companies go out of business within six months of a cyber attack.

Ransomware

According to the Symantec report, in 2018, enterprises accounted for 81% of all ransomware infections. While overall ransomware infections were down, enterprise infections were up by 12% from the 2017 level.

With ransomware, hackers gain access to your IT system, lock it down and demand a ransom to release it. The ransom usually has to be paid in bitcoin or other cryptocurrency so that the criminals can avoid detection.

Phishing and malware

One of the most common ways for criminals to compromise an organization’s data is through phishing: employees are sent e-mails with links which, if clicked, give the hackers entry into the company’s computer systems. Malware is usually the code that is inserted into the computer system either to slow systems down or to access the information.

What you can do

  • Install anti-malware software – This can weed out the latest malware before it does damage.
  • Keep your software up to date – Using up-to-date versions of operating systems, applications, firmware and browser plug-ins helps protect against the latest threats by patching security vulnerabilities.
  • Use strong passwords – Use a password manager tool to generate unique passwords and securely store your log-ins.
  • Lock down your devices – If your staff uses company-owned devices, or you allow them to use their own, require that the devices are locked with a password, fingerprint or other method.
  • Think twice before downloading – Remind staff to be cautious about downloading new software or browser plug-ins.
  • Click carefully – Teach your staff to look for telltale signs of phishing e-mails that prompt them to click on malicious links.

The ultimate protection

Cyber-liability insurance covers losses that result from data breaches and other cyber events.

While cyber-liability policies vary among insurers, there are some common threads:

Loss or damage to data – Many policies cover the costs to restore or recover lost, stolen or corrupted data, and may also cover the cost of outside experts or consultants you hire to preserve or reconstruct your data.

Loss of income or extra expenses – Many policies cover income you lose and extra expenses you incur to avoid or minimize a shutdown of your business after your computer system fails due to a covered peril. The perils covered may be the same as those covered under damage to electronic data.

Cyber-extortion losses – Cyber-extortion coverage applies when a hacker or a cyber thief breaks into your computer system and demands a ransom to unlock it, or to not damage the data. Extortion coverage typically applies to expenses you incur (with the insurer’s consent) to respond to an extortion demand, as well as the money you pay the extortionist.

Notification costs – Policies may cover the cost of notifying parties affected by the data breach by government statutes or regulations. They may also include the cost of hiring an attorney to assess your firm’s obligations under applicable laws and regulations.

Network security liability – This covers lawsuits that individuals or companies file against your organization alleging negligence on your part for failing to adequately protect data belonging to customers, clients, employees or other parties.

Protecting Your Important Data When Employees Leave

When is a business most susceptible to losing data, intellectual property and important records? No, not during a cyber attack or a break-in, but during lay-offs.

With employees maybe feeling disgruntled after being let go, it’s common for some of them to pocket important company data – usually client lists, old e-mails, vendor contacts and even intellectual property that is essential to the company’s competitive advantage.

During lay-offs or termination, you need to take steps to protect your data and intellectual property, but there are legal implications as well for how far you can go. Consider the following:

Non-solicitation agreements – These protect against a departing employee taking with them proprietary, confidential information like client and vendor lists. A non-solicitation agreement bars an ex-employee from going to a competitor and contacting your clients for business.

These are not legal in all states, so check your state laws and consult with your attorneys. In California, for example, non-solicitation agreements are not enforceable.

Non-disclosure agreements – These are different from the above, and no states bar them. They focus instead on company data that a competitor could use to harm the business.
These agreements spell out the employee’s fiduciary obligations under the law by identifying protected company proprietary and confidential information. The agreement requires that the employee keep such information secret for a certain period of time.

Before huddling with your lawyer, your management team should identify all of your company’s protected data that you feel is worth protecting.

Return and inventory all company property – Before your employee leaves the premises, make sure they have returned all of your property that may contain company information. That would include:

  • Originals and copies of company documents the employee has made.
  • Data on the worker’s personal phone or home computing devices (this may be difficult to enforce, but you should make them aware that they are required to delete it).


Passwords and access – On their last day, remember to delete their user names, passwords and access codes from your databases and systems. This could include:

  • E-mail passwords
  • Voicemail passwords
  • Teleconference and intranet passwords
  • VPN access and passwords
  • Building or office door-lock access codes.


Make sure to also collect any company ID cards. If you have concerns they may try to contact your current customers or vendors for any reason that could be detrimental to your firm, you can consider notifying them that the employee is no longer with you.

Conduct an exit interview – During this interview, you should go over boilerplate information like why they were let go and the importance of not taking with them any physical or intellectual property.
Ask questions to determine what, if any, company data they may have been privy to or had access to. Also, if you have non-disclosure or non-compete agreements in place, use this time to reiterate the consequences for violating those agreements.


What to look for

It’s more difficult to avoid data misappropriation by an employee who is planning on quitting, as they can make preparatory moves unbeknownst to you.

When employees are planning to take corporate data or are in the process of doing so, there are often one or more signs, which can be monitored with the right systems in place:

  • A spike in an employee copying information to the cloud, USB drives, personal devices, e-mail accounts, and more. An increase in such activity could mean that an employee is planning to leave or has gotten wind of an impending dismissal and wants to copy useful information before they go.
  • A surge in documents being deleted from an employee’s laptop or desktop computer. Files may also be deleted from corporate file shares.
  • Sudden spikes or drops in e-mail activity.
  • An employee accessing your customer relationship management system or financial accounts during late nights or very early mornings. This could mean they are scraping your files.
  • The employee is sending and/or receiving e-mails from a competitor.
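The indicators listed above can be turned into simple checks against an export of activity logs. The following is an added example, not part of the original article or of any vendor’s product: it compares each user’s recent activity against their own earlier baseline to flag a copy spike, a deletion surge, off-hours CRM access and mail exchanged with a watch-listed competitor domain. The event schema, the sample events, the user names, the business-hours window and the competitor domain are all constructed assumptions; a real DLP, EDR or mail-gateway export would be mapped into the same shape.

```python
"""Insider data-exfiltration indicator checks over constructed event logs.

Added example (not from the original article). Event schema, sample events,
user names, business hours and the competitor watch list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: (user, ISO timestamp, event type, detail).
# 'detail' is bytes for copy/upload events, a filename for deletions,
# an operation name for CRM access, and the external domain for e-mail.
EVENTS = [
    # alice: a steady, low-volume baseline and similar recent activity
    ("alice", "2019-06-03T10:15:00", "usb_copy", 2_000_000),
    ("alice", "2019-06-10T11:02:00", "usb_copy", 1_500_000),
    ("alice", "2019-06-24T09:40:00", "crm_access", "ticket-review"),
    ("alice", "2019-06-25T14:10:00", "email_sent", "customer.example"),
    ("alice", "2019-06-26T10:20:00", "usb_copy", 1_800_000),
    # bob: small baseline copies, then bulk copying, night-time CRM exports,
    # a run of deletions and mail to a watch-listed domain
    ("bob", "2019-06-04T10:00:00", "cloud_upload", 3_000_000),
    ("bob", "2019-06-11T10:00:00", "cloud_upload", 2_500_000),
    ("bob", "2019-06-25T23:30:00", "cloud_upload", 900_000_000),
    ("bob", "2019-06-26T00:05:00", "usb_copy", 600_000_000),
    ("bob", "2019-06-26T00:20:00", "crm_access", "export-all-accounts"),
    ("bob", "2019-06-26T01:10:00", "crm_access", "export-pipeline"),
    ("bob", "2019-06-26T08:30:00", "file_delete", "clients-2019.xlsx"),
    ("bob", "2019-06-26T08:31:00", "file_delete", "vendors.xlsx"),
    ("bob", "2019-06-26T08:32:00", "file_delete", "pricing-q2.docx"),
    ("bob", "2019-06-26T08:33:00", "file_delete", "roadmap.pptx"),
    ("bob", "2019-06-26T08:34:00", "file_delete", "contacts.csv"),
    ("bob", "2019-06-26T08:35:00", "file_delete", "archive.pst"),
    ("bob", "2019-06-26T09:00:00", "email_sent", "rival-corp.example"),
]

COMPETITOR_DOMAINS = {"rival-corp.example"}   # constructed watch list
BUSINESS_HOURS = (time(7, 0), time(20, 0))    # assumed 07:00-20:00 local time
COPY_TYPES = {"usb_copy", "cloud_upload"}


def split_window(events, window_start):
    """Split one user's events into baseline (before the window) and recent."""
    start = datetime.fromisoformat(window_start)
    baseline, recent = [], []
    for ev in events:
        (recent if datetime.fromisoformat(ev[1]) >= start else baseline).append(ev)
    return baseline, recent


def copy_volume(events):
    """Total bytes copied to USB or uploaded to cloud storage."""
    return sum(ev[3] for ev in events if ev[2] in COPY_TYPES)


def check_user(events, window_start, spike_factor=5, min_deletes=5):
    """Return the indicator names that fire for one user's events."""
    baseline, recent = split_window(events, window_start)
    findings = []

    # 1. Copy spike: recent volume measured against the user's own baseline.
    #    max(..., 1) keeps a user with no baseline from dividing by zero.
    if copy_volume(recent) > spike_factor * max(copy_volume(baseline), 1):
        findings.append("copy_spike")

    # 2. Deletion surge: an absolute floor stops one stray delete from firing.
    base_del = sum(1 for ev in baseline if ev[2] == "file_delete")
    recent_del = sum(1 for ev in recent if ev[2] == "file_delete")
    if recent_del >= min_deletes and recent_del > spike_factor * base_del:
        findings.append("deletion_surge")

    # 3. CRM access outside business hours.
    lo, hi = BUSINESS_HOURS
    if any(ev[2] == "crm_access"
           and not lo <= datetime.fromisoformat(ev[1]).time() < hi
           for ev in recent):
        findings.append("off_hours_crm")

    # 4. Mail sent to or received from a watch-listed competitor domain.
    if any(ev[2] in ("email_sent", "email_received") and ev[3] in COMPETITOR_DOMAINS
           for ev in recent):
        findings.append("competitor_mail")
    return findings


def analyse(events, window_start):
    """Group events by user; return {user: [indicators]} for users with findings."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[0]].append(ev)
    return {user: hits for user, evs in sorted(per_user.items())
            if (hits := check_user(evs, window_start))}


if __name__ == "__main__":
    for user, hits in analyse(EVENTS, "2019-06-25T00:00:00").items():
        print(f"{user}: {', '.join(hits)}")
```

The per-user baseline matters more than the fixed thresholds: a sales engineer who copies large files every week should not trip the same rule as an accountant who suddenly does, so the spike factor is applied to each person’s own history rather than to a company-wide constant.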