Even though I’m a techie neophyte, I began writing this article by jotting down a few general ideas and, in no time flat, I had a list nearly a page long. The subject of risk management and computer security, breaches and hackings is that extensive.
So, let’s start with the basics. Cyber threats (“exposures,” in risk management lingo), are internal and external, intentional and unintentional.
You’re familiar with skimming at the pumps, so I won’t discuss that. And your company’s liability arising out of not having POS EMV equipment…who’s going to pay for that?
With a click of a button, your employee can accidentally and unknowingly:
- Email all your Form 941s to an outsider (it happened);
- Release malware into your company’s computer system by opening an attachment received from someone they think they know; or
- Wire funds to “you,” except it’s not you: an outsider sent the email from an address that differs from yours by a single character. This exposure is known as “social engineering.”
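The “different by one character” trick in the last item (and the look-alike websites in the phishing item later in this article) can be checked for mechanically. The script below is an added example, not part of the original article or anything published by the author: it compares every inbound sender’s domain against the company’s own domain and flags near-misses, including the “rn” for “m” and “1” for “l” substitutions that fool the eye. The company domain, the sample message headers, and the edit-distance threshold of 2 are all constructed assumptions for illustration.

```python
# Added example (not from the original article): flag inbound sender addresses
# whose domain is a near-miss of the company's own domain, the "different by
# one character" trick described in the article. Every domain and message
# below is constructed for illustration.
import re

# Hypothetical company domain; replace with your own.
COMPANY_DOMAIN = "example-fuel.com"

# Constructed sample headers (sender address, subject) as a mail filter sees them.
SAMPLE_HEADERS = [
    ("ceo@example-fuel.com", "Q3 numbers"),
    ("ceo@examp1e-fuel.com", "Urgent wire needed today"),   # digit 1 for letter l
    ("ceo@example-fuel.co", "Wire instructions attached"),   # dropped final letter
    ("ceo@exarnple-fuel.com", "Please handle quietly"),      # "rn" for "m"
    ("vendor@unrelated-supplier.net", "Invoice 1042"),       # ordinary outside mail
]

# Substitutions attackers rely on because they look alike in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits (insert/delete/replace) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # replace (free if equal)
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Extract the domain part of an email address; empty string if malformed."""
    m = re.search(r"@([^@\s>]+)$", address.strip())
    return m.group(1).lower() if m else ""


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike', or 'external' for a sender address."""
    domain = sender_domain(address)
    if domain == company_domain:
        return "internal"
    if normalize(domain) == normalize(company_domain):
        return "lookalike"
    # Threshold of 2 is a chosen heuristic: catches one-character typos and
    # a dropped TLD letter without flagging every unrelated domain.
    if levenshtein(domain, company_domain) <= 2:
        return "lookalike"
    return "external"


def scan_headers(headers):
    """Return (address, subject, verdict) for every message that is not plainly internal."""
    results = []
    for addr, subj in headers:
        verdict = classify_sender(addr)
        if verdict != "internal":
            results.append((addr, subj, verdict))
    return results


if __name__ == "__main__":
    for addr, subj, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:10s} {addr:32s} {subj}")
```

A check like this belongs in front of the people who move money, not just in the mail gateway: a “lookalike” verdict on a message asking for a wire is exactly the moment to pick up the phone and confirm with the supposed sender. It complements, and does not replace, the sender-authentication controls (SPF, DKIM, DMARC) your email provider can enforce for your real domain.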
Hackers: they are everywhere, but you never see them, only the results of their work. Think your IT/computer system is secure? How do you know?
Be resigned to this reality: It’s not a matter of if you or a colleague’s company will be hacked or PII is released, it’s when. And the financial impact of these disruptions can be tremendous, with both direct and indirect costs, the latter usually being several times greater than the former.
DO NOT presume your standard property and general liability insurance coverages will respond to losses and claims arising out of a breached network or unauthorized release of personal data.
So what’s a company to do? Again, start with the basics. Look into the twelve items below, which begin with quick and inexpensive band-aids (not the end-all, be-all solutions), then consider efforts over which you have less control or are more expensive. By the way, this list is definitely NOT all inclusive.
- Ask your insurance agent if your company’s:
  - Crime insurance policy provides Funds Transfer Fraud or Computer Crime coverage. If not, get a quote; $50,000 in coverage can ease a breach headache.
  - General liability policy can be, or is, endorsed to provide at least some coverage for response notification expenses, assistance, and third-party claims arising out of the release of PII. If not, get a quote.
- Do you have antivirus software on your computers and devices? Good. Update it regularly.
- Loss and misuse of stolen data can be thwarted by keeping it ENCRYPTED, even at rest. Don’t forget about mobile devices, too.
- BACK UP your company’s data, store it offsite, and periodically retrieve it to confirm you can access your info when you need to! Why? Ransomware can infiltrate your IT system, lock it up and not release it unless you pay the ransom…sometimes in bitcoin.
- Passwords should be changed regularly – no less than once per quarter. I understand this is not easy and maybe a pain, but it’s nothing like the pain a hack can inflict.
- How do your employees dispose of your employees’ and customers’ PII? If anything’s on paper, don’t just throw it out, SHRED it!
- Tell all your employees to only open email attachments they are expecting. Attachments can contain programs and viruses that sit quietly in your IT system (the waiting period is called “dwell time”) until they receive instructions from HQ, i.e., the person who sent the email and attachment.
- Sign up to receive and skim through the daily NACS emails, which often contain articles on cyber-related risk management issues. For example, the December 9, 2015 edition offered, “NACS Releases Skimming and Payments Security Resource,” complete with Best Practices suggestions.
- Disable the locator apps on your mobile devices. This doesn’t mean you can’t access Wi-Fi or use the Maps app, it just means companies (FB, Amazon, etc.) can’t track your location. A client of mine travelled from Wisconsin to Miami, back to Wisconsin and on to China. During his time away from the office, his controller and corporate secretary (two different people) received two separate emails asking for funds to be wired to him. Either his smart phone or iPad had been hacked because the hacker knew he was out of the office. We suggested he wipe the devices clean or get new ones.
- Phishing – not ice, fresh or salt water. Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Make sure your employees are alerted to the possibility that a website they open up is not the real one.
- Hire a hacker (Penetration Testing/Pentest). If you think your system is pretty secure, hire a firm to attempt to hack into your system. They may find nothing…or vulnerabilities that can be easily fixed.
- Get a proposal for cyber insurance. I didn’t say buy it; I’m saying get a quote, so you have a sense of its cost. Most cyber insurance policies provide superior guidance and services to help respond to a breach, such as how to notify people of the breach (required by state law), what to say, figuring out how the breach occurred, etc. Some say those services are more valuable than the cyber liability protection.
Cyber exposures exist in every kind and size of business. It’s overwhelming, but you’ve got to start somewhere. Questions? Call Joy Gänder at Gänder Consulting Group, 608-286-0286, or email your questions to her at firstname.lastname@example.org.
By Joy M. Gänder, CPCU, ARM
Copyright © 2015 Gänder Consulting Group, LLC
Phone: (608) 286-0286 │Fax: (608) 442-6811