Mitigating Cyber Liability Risks for Small Business Owners
HSB, part of reinsurer Munich Re, and Trail of Bits, a cyber security firm in New York, held a “Hacker Lab” event where small business owners got an inside view of how cyber criminals work. “White hat” hackers used a simulated small business system to demonstrate how hackers choose their targets, how they enter the system and what they do once they have infiltrated it.
What did we learn from this event?
- Small businesses are both a cybercriminal’s target and a conduit to attack clients.
- Companies should identify their assets and what data is valuable to others.
- Most cyber attacks come through a company’s email and browser.
“No business is ‘too small’ for a hacker. All businesses are vulnerable,” said Eric Cernak, vice president, strategic products, HSB. “In a study HSB conducted with the Ponemon Institute, we found that more than half of all small- and mid-sized businesses experienced a data breach and nearly three-quarters can’t restore all their data. The problem is big and growing. The good news is that businesses can take steps to protect themselves from destructive criminal intrusions.”
Along with insights on how hackers can infiltrate a small business network, the Hacker Lab also provided these risk management tips to help prevent data breaches, which you can share with your insureds. These tips include:
- Outsource payment processing. Don’t handle card data on your own. Reputable vendors, whether it’s for point-of-sale or web payments, have dedicated security staff that can protect that data better than you can.
- Separate social media from financial activity. Use a dedicated device for online banking. Use a different device for email and social media. Otherwise, just visiting one infected social site could compromise your banking machine and your savings account.
- Go beyond passwords. Never reuse them and don’t trust any website to store them securely. You can never tell when a website has already been hacked and your password has been exposed. Set up two-factor authentication; this sends a secret code to your phone to verify your identity.
- Educate and train employees. Establish a written policy about data security, and communicate it to all employees. Educate employees about what types of information are sensitive or confidential and what their responsibilities are to protect that data. Also, most scams and malicious attacks arrive through email, so be sure your team is prepared and alerts others when such messages are received.
- Stay informed. Evaluate the entire chain of events in a potential attack. From assessing your email infrastructure to your users’ responsiveness to your browser’s vulnerability, identify where your organization is most at risk. Then, question the security posture of your business lines, vendors, suppliers or partners.
- Stop transmission of unencrypted data. Mandate encryption of all data. This includes data at “rest” and “in motion”. Also consider encrypting email within your company if personal information is transmitted. Avoid using Wi-Fi networks; they may permit interception of data.
- Secure your browser. With the growing popularity of watering holes – malicious code installed on trusted websites – how do you know which websites you can trust? Forget individual patches. Focus on keeping up to date with the latest version of your browser. Then, test your browser’s configuration for weaknesses.
- Secure your operating system. It’s far easier to break into older operating systems like Windows XP or OS X 10.6. Take advantage of major security improvements baked into newer operating systems.
- Secure your router. It connects your computer to the Internet. Make sure someone can’t intercept all the data sent through it. It’s important to set a strong admin password on your router and a WPA2 password on your Wi-Fi.
- Secure your data. Whether you lose data to an accident or an attack, you’ll always be glad to have a backup. Ideally, your backups should be encrypted and off-site in case there’s a fire or burglary.
Even with robust practices in place, be sure your insureds understand the financial consequences of a breach and the need to have proper Cyber Liability insurance in order to respond effectively in the event of an attack. Unfortunately, small business owners don’t think they are at risk. This is partly because of the barrage of headline news featuring big corporations such as Target, Home Depot and others that have been hit by cyber attacks. But the fact remains that smaller businesses get hacked more often than their larger counterparts – and these attacks are more commonplace than owners may believe. In fact, according to security software developer Symantec’s Internet Security Threat Report 2013, companies with fewer than 250 employees were the focus of 31% of all cyber attacks in 2012; that’s a jump of 58% from 18% in 2011.
At Caitlin Morgan, we can help you make the case for cyber liability insurance. We offer a cyber liability insurance policy for many industry sectors, and can provide a competitively priced policy for your insureds. Give us a call at 877.226.1027 to find out more about our cyber products.
Source: Wall Street Journal