Have you or your business been a victim of a cyber attack? If you haven’t, count yourself as fortunate. For the past 15 years, cybersecurity attacks have increased in frequency and severity. In 2017, almost 58% of businesses experienced some form of a cyber-attack1. Even with the seemingly endless amount of products, tools, and related “best practices” material available, it is frightening to see the continued rise of these successful cyber attacks. Target, Sony, and Delta are just a few of the large corporations aren’t exempt from this headache. The criminals are winning and winning at an ever-increasing rate.
In one of the more common cases we have seen at Shea Barclay Group, a business discovered that their servers were hacked by an unauthorized entity using a prior employee’s identification. In one particular case, this information indicated that there was a potential breach of the database which stored the personally identifiable information (PII) for approximately 2,500 clients. The information the attacker accessed also included bank account information and, in a few of the accounts, social security numbers.
What do you do from here?
If this happens to your business, you’ll need to retain counsel to oversee the forensic investigation and draft notification letters to all the compromised parties. A notification vendor will be set up as well to issue letters, set up a call center, and provide credit monitoring services. With a cybersecurity insurance policy, breach counsel, forensics, and notification/credit monitoring services are typically all covered. The total monetary cost for this breach was over $100,000, not counting the time it takes to repair reputation and regain customer trust.
No single cure-all
Unfortunately, due to the increasing sophistication of these attacks, there’s not a single cure-all when it comes to insurance coverage. The broad nature of these attacks means that the best solution usually includes multiple types of policies. Give us a call and we would be happy to walk you through our risk determination process to determine what is needed. We have many clients that have cyber coverages thrown in or added to other lines of insurance for free. Unfortunately for your business, if you’re getting coverage for free, you generally get what you pay for.
In addition to protecting yourself with the appropriate insurance coverages, we’ve also found firms need to be proactive in their defense. According to Verizon’s 2018 data breach investigations report, 70% of breaches against professional firms were opportunistic attacks2. These opportunistic attacks are financially motivated, and typically access is granted through an employee inadvertently clicking on a phishing email or through stolen credentials online. The below list was put together by the Kamala D. Harris, Attorney General, California Department of Justice3 and should be viewed, along with appropriate insurance, as a ‘best practices’ as it relates to cybersecurity.
- Assume you’re a target – Being a firm that is small in size that operates in relative anonymity no longer ensures that you will be left alone. Any company, whether big or small, can be the victim of cybercrime. Just as it has become second nature for most of us to lock our front doors when we leave the house, assume you are a potential target and take basic precautions to protect yourself and your company.
- Leaders must lead by example – Successful cybersecurity measures require the leadership and dedication of business owners. Cybersecurity is not simply the domain of the “IT person”; executive management has to get involved. Small business owners are uniquely positioned to ensure that they and their employees are following good cybersecurity practices. They are also in the best position to understand their company’s network and all the devices that connect to it.
- Manage your business’s data – To effectively protect your data, you first need to know the types of data you have and the location of that data. Comprehensively review the data you have stored on your IT systems, both on-site and off, and with third parties (include backup storage and cloud computing solutions in your data mapping project). Once you know what data you have and where it is, take a hard look and get rid of what you don’t really need.
- Encrypt Your Data – Encrypt the data you need to keep. Encryption is an important step you can take to protect the data you have on your systems.
- Bank securely – It is essential that small business owners put security first when they engage in online banking. This means that online banking should only be performed using a secure browser connection. Bank at home or on your phone – but not over the public wireless at your local coffee shop. Online banking sessions should be conducted in the private mode of your web browser or in the financial institution’s app. Also, we recommend setting limits on wire transfers. Sophisticated transnational criminal organizations are now routinely hacking businesses’ computers and wiring large sums overseas where they cannot be recovered.
- Defend yourself – In choosing security solutions, guard against single points of failure in any specific technology or protection method. This should include the deployment of regularly updated firewalls, antivirus, and other internet security solutions that span all digital devices, from desktop computers to smartphones, to tablets. Devices connected to your network should be secured by multiple layers of defensive technologies that include, but are not limited to, antivirus technology.
- Educate your employees – Raise employees’ awareness about the risks of cyber threats, mechanisms for mitigating the risk, and the value of your businesses’ intellectual property and data. Your employees are the first line of defense, and good security training and procedures can reduce the risk of accidental data loss and other insider risks
- Be password wise – Change any default username or passwords for computers, printers, routers, smartphones, or other devices. Anything is better than the default. Specifically, you should use strong passwords (more than 8 characters, using a mix of letters, numbers and symbols) and don’t let your Internet browser remember your passwords.
- Operate securely – Keep your systems secure by using layered security defenses and keeping all operating systems and software up to date. Don’t install software you did not specifically seek out and don’t download software from untrusted or unknown sources. Also, remember to remove or uninstall software you are no longer using.
- Plan for the worst – Every small business should put together a disaster recovery plan so that when a Cyber incident happens, your resources are used wisely and efficiently. Create an incident response team and assign a leader. Make sure the team includes a member of executive management. Define roles and responsibilities so that everyone is clear as to who is responsible for what should an incident arise. Communicate to everyone at your company who to contact if they suspect a Cyber incident has occurred (or is occurring). Gather and distribute after-hours contact information for your incident response team. Next, outline the basic steps of your incident response plan by establishing checklists and clear action items.
While none of this is foolproof, following these guidelines will reduce some of the risks of a cyber attack.
If you have questions or would like to review the Cyber coverage your firm has, please contact the Shea Barclay team at 813-251-2580.
About the author:
About Tim Nolen: Tim is a Tampa native and a graduate of Jesuit High School and the University of Central Florida. Tim, and his father, Phil Nolen worked very closely together until June 2017, when Shea Barclay Group acquired Nolen Insurance Services. Tim has played a pivotal role in the day to day operations and excels at providing constructive feedback for his clients on their onerous contracts. He is a board member of the Florida Board of Architecture and Interior Design as well as a Licensed Continuing Education provider for Architects, Engineers, and Landscape Architects.
- Nationwide Small Business Survey May 16 – 24 2017 < https://blog.nationwide.com/ news/ten-tips-to-prepare-for-cyberattacks/ > (as of April 18, 2018)
- Verizon 2018 Data Breach Investigations Report < https://www.verizonenterprise.com/ DBIR2018> (as of April 18, 2018)
- Kamala D. Harris, 2014 Cybersecurity in the Golden State < https://oag.ca.gov/sites/ all/files/agweb/pdfs/cybersecurity/2014_cybersecurity_gude.pdf > (as of April 18, 2018)