By Ryan Gilway and
Glenn Gray
Cybercrime
has jumped off the big screen of Hollywood and onto the small screen of
business computer users from coast to coast. Unlike the Hollywood
blockbusters, in most cases the hero doesn’t arrive in the nick of time to save
the day. Given the international nature of cybercrime, even the FBI is
all but helpless to put a stop to this growing scourge, no matter how big the
headlines produced by data breaches get.
In
recent years, high-profile cyberattacks on companies such as Target, Home
Depot, Sony and Sears have alerted the public to the growing threat of
cybercrime. Criminals are endlessly creative when it comes to monetizing
breaches. They exploit easily guessed or re-used passwords, lost or stolen
laptops and human error. More and more, they trick people into giving them
access to their machines, followed by a demand for money. Hackers sometimes
breach a computer and send fraudulent emails directing others—in the name of
the breached victim—to pay them a ransom. More often, they sell the purloined
financial information to the highest bidder. Who loses? Not the banks but
rather companies with minimal internal controls and weak security protocols.
Many business owners are still operating under a false sense of cyber security.
Businesses
have to ask themselves “what cyber exposures exist for me?” In our
technologically dependent world, cyber risks arise from the most common
business operations like processing credit card transactions and collecting
basic customer information. Every retail and e-tail operation in the U.S. needs
to process payments electronically. The vast majority of firms maintain client
records on their computers that contain some form of private information.
Private information such as a customer’s first initial and last name along with
social security number, driver’s license number, password, account number,
credit card numbers or other financial information is routinely stored on
computers, servers and sometimes the cloud. When you realize that the
exploitation of private information accounts for 45% of all cyber claims,
it is no longer a question of "if" but "when" a business will be hacked.
Sticking
your head in the sand is not going to make this problem go away. If you
run a business that collects customer information of any kind, you should
assume that when a breach occurs, you will be held responsible. State
breach-notification laws (and federal law for regulated sectors) require
companies whose customer records are stolen to notify those affected, and in
practice the cost of investigating, recovering and compensating the victims
falls on the breached company.
When a breach occurs, expenses add up fast. They start with breach-event costs
such as notifying affected individuals, regulators and credit reporting
agencies as required by law. Should identity theft result, you will need to
provide identity restoration services to victims and hire a privacy attorney
to guide you through the complex landscape of laws and lawsuits. You will need
a data forensics team to determine how the breach occurred so that it can be
remedied. You might have to cope with network extortion or reimburse clients
for payments made under duress. You may face business interruption that leads
to lost income and extra expense, and you might need to restore, recreate or
recollect data that has been corrupted, altered or destroyed.
To get an idea of the potential costs associated with a
breach follow this link for a free data breach cost calculator. http://www.hubinternational.com/business-insurance/cyber-risk-solutions/tools/data-breach-cost-calculator/
Following
a breach, you will also face regulatory challenges. Although there are only a
few federal data-privacy laws on the books - the Health Insurance Portability
and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the
Children's Online Privacy Protection Act (COPPA) - you will be dealing with 47
state breach-notification laws as well as the state attorneys general and the
Federal Trade Commission. Since most firms hold workers' compensation data and
have employees enrolled with health insurers, you are also likely to deal with
federal and state healthcare privacy laws such as HIPAA and California's
Confidentiality of Medical Information Act (CMIA) and their regulators,
including the Office for Civil Rights of the U.S. Department of Health and
Human Services.
You also need to bear
in mind that small to mid-sized businesses do not have the resources for a full
data breach response. As a result, they generally need an insurance company to
assign vendors, privacy attorneys, data forensics experts, credit monitoring
and PR firms and to manage the claims process. Below are several steps
you need to take to make sure that you minimize the disruption to your business
resulting from loss of data.
- Make sure that
every sensitive piece of private information is encrypted, on disk and in
backups as well as in transit. Keep backups so that a compromise of your
systems does not mean the loss of vital data. The backup strategy should guard
against both loss and theft, so it should include an off-site (cloud) copy as
well as redundant physical backups on site, with at least one copy kept
offline or otherwise unreachable from the network so that an attacker who
gets in cannot destroy it too. Dropbox is not a backup, nor is a RAID array.
Test the backups by actually restoring from them to make sure the right data
is being backed up.
- Use
preventive measures such as firewalls, intrusion detection systems,
anti-virus software, strong password policies, and procedures for the
handling, storage and destruction of documents containing private information.
- Train employees to
recognize social engineering tactics: spear phishing emails (email fraud),
fake anti-virus software, malware and ransomware, and require identity
verification over the phone whenever finances are involved.
Unsolicited phone calls claiming to be from Microsoft or from your bank must
always be regarded as hostile and ended. Call the bank back on a number you
already know and speak to a known person before giving ANY information.
- One of the most effective ways to determine if an
organization has adequate controls is to complete an application for cyber
insurance coverage. Using the application as a guide, your HUB
International risk broker can help determine if you have adequate internal
controls and protection of individual information.
Prioritizing
cyber risks effectively is a challenge when establishing mitigation
programs, and understanding the fast-paced cyber environment is crucial to
avoiding potential problems. The HUB International team provides information
and delivers education programs to clients that include:
- Cyber liability
- Employee training
- Blogs, bulletins, newsletters
- eBooks
Ransomware, malware that encrypts a victim's data and demands payment for the
key to decrypt it, is very real and a huge threat. Glenn Gray from Compufix, a
Jacksonville based IT company, has seen 6 instances of ransomware in
Jacksonville since January. The ransom demanded varies from a mere $500 to
many tens of thousands of dollars. Unless good backups exist, the data is lost
if the ransom is not paid. The worst case he encountered was a doctor's
practice where HIPAA compliance rules had been breached during the attack. The
resulting collateral damage could have included a very large penalty, as well
as patient lawsuits that would have put the practice out of business. In that
case a $20,000 ransom was paid and the police were not involved or informed.
There is always the risk that even paying the ransom will not end the threat.
Even if the data is decrypted, the whole network must be regarded as
compromised and rebuilt from the ground up, router and hard drives included,
and reinstalled from clean backups. The additional cost of that can be
extremely high.
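As an added example that is not from the original article or from either author, the following script is a backup-and-restore drill of the kind the "test the backups" advice above calls for, and it shows why tested backups are what decide whether a ransomware victim loses data. It builds a small constructed dataset (not real customer records), takes a backup with a SHA-256 manifest, overwrites the live files the way an encrypting virus would, then restores into a clean directory and verifies every file against the manifest. All paths, file names and function names are made up for the demonstration; it needs bash, GNU tar and GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a minimal backup-and-restore
# drill. The sample data is constructed here and is not real customer data.
# Requires: bash, tar, sha256sum, find, sort, xargs, mktemp (GNU coreutils).
set -u

# make_sample_data DIR : create a small constructed dataset to protect.
make_sample_data() {
    mkdir -p "$1/records"
    printf 'id,last_name,account\n1,Doe,ACCT-0001\n' > "$1/records/customers.csv"
    printf 'invoice 42 paid\n' > "$1/records/ledger.txt"
}

# take_backup SRC DEST : archive SRC into DEST/backup.tar and write a SHA-256
# manifest of every file beside it. The manifest is what lets a later restore
# be verified rather than merely assumed to be good.
take_backup() {
    local src="$1" dest="$2"
    mkdir -p "$dest"
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) \
        > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
}

# simulate_ransomware DIR : overwrite every file with random bytes and drop a
# ransom note, mimicking what an encrypting virus does to the live data.
simulate_ransomware() {
    find "$1" -type f -exec sh -c 'head -c 64 /dev/urandom > "$1"' _ {} \;
    printf 'Your files are encrypted. Pay to decrypt.\n' > "$1/README_DECRYPT.txt"
}

# verify_live DIR MANIFEST : check a live tree against a manifest. This fails
# after the simulated attack, which is how tampering is detected.
verify_live() {
    ( cd "$1" && sha256sum --quiet -c "$2" >/dev/null 2>&1 )
}

# restore_backup DEST TARGET : restore the archive into a clean TARGET dir
# (never over the infected tree; TARGET is wiped first) and verify it against
# the manifest. Returns 0 only when every hashed file matches.
restore_backup() {
    local dest="$1" target="$2"
    rm -rf "$target" && mkdir -p "$target"
    tar -C "$target" -xf "$dest/backup.tar"
    ( cd "$target" && sha256sum --quiet -c "$dest/manifest.sha256" )
}

# run_drill : the full cycle in a temporary workspace. Returns 0 only if the
# live copy is detected as corrupted AND the restored copy matches the manifest.
run_drill() {
    local work live bak restored
    work=$(mktemp -d)
    live="$work/live"; bak="$work/backup"; restored="$work/restored"
    make_sample_data "$live"
    take_backup "$live" "$bak"
    simulate_ransomware "$live"
    if verify_live "$live" "$bak/manifest.sha256"; then
        echo "unexpected: live data still matches manifest"; rm -rf "$work"; return 2
    fi
    if restore_backup "$bak" "$restored"; then
        echo "PASS: restored copy matches manifest file for file"; rm -rf "$work"; return 0
    fi
    echo "FAIL: restored copy does not match manifest"; rm -rf "$work"; return 1
}

run_drill
```

Restoring into a separate clean directory rather than over the infected tree matches the advice above to rebuild rather than trust a compromised system. The manifest check is the step most backup routines skip, and it is the only way to know the backup contains the right data before the day you need it; a backup job that "ran without errors" tells you nothing about whether the right files were captured.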
If you own or manage a small business that routinely handles and stores personal or financial data, you need to be proactive in understanding and defending your digital resources before it's too late. Like it or not, the cybercrime clock is ticking.
Ryan Gilway, AAI
Greene Hazel
Insurance Group | HUB International Southeast
Direct: (904)
446-3152
Glenn Gray
Compufix Jacksonville
9048381208
Glenn.gray@compufixjax.com
The foregoing content is informational in nature. It is based on information that is generally available, and neither the author nor Hub International makes any representation or warranty as to its accuracy. Any recommendation, analysis or advice provided therein is not intended to be taken as advice regarding any particular situation and should not be relied upon as such. Any decision regarding the amount, type or terms of coverage shall be the ultimate responsibility of the reader.
If you feel your business could use some help with its marketing, contact us at 904-410-2091. We will provide a free marketing analysis to help you get better results. If you found this article useful, please share
it with friends, family and co-workers. You can find other articles on our blog
by typing in “marketing” or your desired search term in the search box at the
top of this blog. Also, don’t forget
to plus us, on Google+.
For a comprehensive list of articles on this subject, we recommend reading The State of Internet Privacy & Security in America Today. It has a list of 25 related articles spanning a wide variety of perspectives to enhance the reader's understanding of this subject.