Protect Your Organization: Cyber Risk
By: Rebecca Gomez
“A company’s cyber security is only as strong as its weakest link.” (Nicole Hung, Dow Jones News Service, 2015)
According to a recent article in Rough Notes (March 2014), cyber-attacks against smaller businesses (those with fewer than 250 employees) have increased significantly over the past two years. Criminals have learned that small businesses hold valuable data that is relatively easy to get, because small business owners often skimp on security measures. A company that holds confidential information (Social Security numbers, driver’s license numbers, bank account numbers of employees or clients, etc.) carries a significant cyber risk exposure when it relies on a computer network, allows laptops or remote access to its network, and/or provides online access to sensitive data.
A more recent report by the Dow Jones News Service indicates that employee error is one of the most common causes of data breaches at companies. For example, an employee can make a mistake by accidentally sending an email containing sensitive information to someone outside the company. According to the article, thirty percent of breaches have occurred as a result of employee error. Another cause of data breaches is third parties sending spam emails designed to trick employees into giving up their personal information.
There are many misconceptions when it comes to cyber security. Below are just a few examples:
- “I’m a small organization, so I am not a target for hackers.”
  Statistics show that breaches affect organizations of all sizes. In fact, organizations with under 100 employees accounted for thirty-one percent of the breaches in 2013, according to the Verizon Data Breach Investigations Report.
- “I outsource my data to a third-party vendor (data center/cloud provider).”
  Most data centers/cloud providers do NOT accept liability in their service agreements. Check your contracts.
- “My IT security is top notch.”
  Even the most sophisticated IT security systems cannot protect against human error or intentional acts by employees. This is not just an IT issue, but an issue for other stakeholders within an organization (HR, Finance, Operations, and the Board of Directors).
- “My funding sources do not require that I purchase cyber coverage, so it must be covered under one of my other policies.”
  Most commercial General Liability and Property policies will not cover data loss suffered by a non-profit, because electronic data is excluded from most policies. Some insurance companies are now adding limited coverage to their policies.
The following are a few basic tips for businesses to protect themselves against cyber criminals:
- Continually train employees in security principles
- Protect information, computers, and networks from viruses, spyware, and other malicious code
- Provide firewall security for your internet connection
- Make backup copies of important business data and information
- Secure your Wi-Fi networks (make sure they are secure and hidden)
- Regularly change passwords and make sure employees use strong passwords that cannot be guessed easily (not “1234” or “password”)
What security measures does your organization have in place to protect your data from a breach?
Do you have a Crisis Management plan?
Who is going to deal with the regulatory requirements?
Review/Update H.R. Policies:
- Document Retention
  Have a document retention policy and procedures in place to properly discard and destroy files containing Personally Identifiable Information (PII).
- Equipment Usage
  Develop an effective E-mail and Internet Use Policy. Employers should monitor use of systems and devices to maintain the policy’s integrity. Employers should consider requiring employees to acknowledge in writing that they have received and reviewed these policies and procedures.
- Bring Your Own Device (B.Y.O.D.)
  There are risk management concerns when employees bring their own devices (smart phones, laptops, tablets) for business use. Employers can fail to protect organizational data when an employee:
  - Loses a device that contains sensitive data (employee error)
  - Exposes the business’ network to malware located on the employee’s device
  - Retaliates against the organization by destroying essential data (employee intentional act)
  Develop a B.Y.O.D. policy that outlines which devices and operating systems the organization will support, and require all devices to be adequately password protected. Determine which functions employees can access from their personal devices (email, Word documents, etc.). Note that some Cyber Liability Insurance policies exclude B.Y.O.D. claims.
Cyber Insurance
Cyber Insurance is a special form of commercial insurance created to protect businesses against cyber (Internet) risks, such as hackers and other breaches of computer system security. However, there is no standard policy form for Cyber Insurance, so look for a policy that provides broad and comprehensive coverage and includes Crisis Management Services.
Cyber Insurance should be considered part of your overall risk management plan.
If you have any questions regarding Cyber Insurance please do not hesitate to ask.