The Cybercrime Clock is Ticking

By Ryan Gilway and Glenn Gray

Image by commons.wikipedia.org
Cybercrime has jumped off the big screen of Hollywood and onto the small screen of business computer users from coast to coast.  Unlike the Hollywood blockbusters, in most cases the hero doesn’t arrive in the nick of time to save the day.  Given the international nature of cybercrime, even the FBI is all but helpless to put a stop to this growing scourge, no matter how big the headlines produced by data breaches get.
In recent years, high-profile cyberattacks on companies such as Target, Home Depot, Sony and Sears have alerted the public to the growing threat of cybercrime. Criminals are endlessly creative when it comes to monetizing breaches. They exploit easily guessed or re-used passwords, lost or stolen laptops and human error. More and more, they trick people into giving them access to their machines, followed by a demand for money. Hackers sometimes breach a computer and send fraudulent emails directing others—in the name of the breached victim—to pay them a ransom.  More often, they sell the purloined financial information to the highest bidder.  Who loses? Not the banks but rather companies with minimal internal controls and weak security protocols. Many business owners are still operating under a false sense of cyber security.
Businesses have to ask themselves “what cyber exposures exist for me?” In our technologically dependent world, cyber risks arise from the most common business operations like processing credit card transactions and collecting basic customer information. Every retail and e-tail operation in the U.S. needs to process payments electronically. The vast majority of firms maintain client records on their computers that contain some form of private information. Private information such as a customer’s first initial and last name along with social security number, driver’s license number, password, account number, credit card numbers or other financial information is routinely stored on computers, servers and sometimes the cloud. When you come to realize the exploitation of private information makes up 45% of all cyber security claims, it is no longer a question of “If” but “When” a business will be hacked. 
Image courtesy of commons.wikimedia.org
What many business owners believe is that they are too small of a fish to entice cybercriminals to hack their systems.  Or they take the attitude that, “If Sony can’t stop cyber criminals, what am I supposed to do about it?”  What indeed?  While major retailers and multinational corporations get all the press, make no mistake about it, small businesses are targeted every day by hackers.  And why not, when you consider that these are soft targets that are relatively easy to breach.  Most small businesses do not report these attacks as to do so would be extremely bad publicity, so they are never made public.  This can lull other businesses into thinking it can't happen to them.  It does.  

Sticking your head in the sand is not going to make this problem go away.  If you run a business that collects customer information of any kind, you should be aware that when a breach occurs, you are going to be held liable.  Federal and state laws require companies who have had customer records stolen to shoulder the burden of notifying, investigating, recovering and compensating those affected by the theft.  

When a breach occurs, expenses add up fast, including breach-event expenses like notification required by law enforcement and credit reporting agencies. Should identity theft result, you will need to provide identity restoration services to victims and hire a privacy attorney to guide you through the complex legal landscape of laws and lawsuits. You will need to hire a data forensics team to identify where the breach occurred so that it can be remedied. You might need to cope with network extortion or reimburse clients for payments made under duress. You may even face network business interruptions that lead to a loss of income and extra expense. You might need to restore, recreate or recollect data that has been corrupted, altered or destroyed.

To get an idea of the potential costs associated with a breach follow this link for a free data breach cost calculator. http://www.hubinternational.com/business-insurance/cyber-risk-solutions/tools/data-breach-cost-calculator/

Image courtesy of en.wikipedia.org
Following a breach, you will also face regulatory challenges. Although there are only a few federal laws on the books for data privacy— Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and Children’s Online Privacy Protection Act (COPAA) - you will be dealing with 47 state laws as well as with their attorney generals and the Federal Trade Commission. Since most firms have workers’ compensation data and employees enrolled with health insurers, you are also likely to deal with federal and state healthcare laws such as HIPPA, Cash Management Improvement Act (CMIA) and their regulators: the U.S. Office of Civil Rights and Health and Human Services
You also need to bear in mind that small to mid-sized businesses do not have the resources for a full data breach response. As a result, they generally need an insurance company to assign vendors, privacy attorneys, data forensics experts, credit monitoring and PR firms and to manage the claims process.  Below are several steps you need to take to make sure that you minimize the disruption to your business resulting from loss of data.

  1. Make sure that every sensitive piece of private information is encrypted.  Use a backup data system to ensure that if your system is compromised that you do not lose vital data. The backup strategy should guard against data loss and theft so should include cloud based backup as well as redundant physical backup on site.  Dropbox is not a backup , nor is a RAID file system. Test the backups to make sure the right data is being backed up.
  2. Utilize preventative measures such as firewalls, intrusion detection systems, anti-virus software, strong password policies and procedures for document handling, storage and destruction of private information.
  3. Train employees to recognize social engineering tactics: spear phishing emails (email fraud), fake anti-virus software, malware, ransomware and ensure identity verification over the phone when dealing with finances.    Phone calls from Microsoft and banks must always be regarded as hostile and terminated.  Always call the bank back and speak to a known person before giving ANY information.
  4. One of the most effective ways to determine if an organization has adequate controls is to complete an application for cyber insurance coverage. Using the application as a guide, your HUB International risk broker can help determine if you have adequate internal controls and protection of individual information.

Effectively prioritizing cyber risks can become a challenge in establishing mitigation programs. Understanding the fast paced cyber environment can be crucial in avoiding potential problems. The HUB International team provides information and delivers education programs to clients that include:
-          Cyber liability
-          Employee training
-          Blogs, bulletins, newsletters
-          eBooks
Image courtesy flickr.com
Ransomware, in which data is encrypted by an encryption virus, is very real and a huge threat.  Glenn Gray from Compufix, a Jacksonville based IT Company, has seen 6 instances of ransomware in Jacksonville since January.  A ransom is demanded to decrypt the data, which varies from a mere $500 to many tens of thousands of dollars.  In most cases the data is lost unless the ransom is paid, except in cases where decent backups have been made.  The worst case he encountered was a doctor's practice where HIPPA compliance rules had been breached during the attack.  The resulting collateral damage could have included a very large penalty, as well as patient lawsuits that would have put the practice out of business.  In that case a $20,000 ransom was paid and the police were not involved or informed.  There is always the risk that even paying the ransom will not end the treat.  Even if the data is decrypted, the whole network must be regarded as suspect and completely replaced down to the router and the hard drives, and reinstalled from secure backups.  The additional cost of that can be extremely high.
If you own or manage a small business that routinely handles and stores personal or financial data, you need to be proactive in understanding and defending your digital resources before it's too late.  Like it or not, the cybercrime clock is ticking.

Ryan Gilway, AAI
Account Director
Greene Hazel Insurance Group | HUB International Southeast
Direct: (904) 446-3152


Glenn Gray
Compufix Jacksonville
9048381208
Glenn.gray@compufixjax.com

The foregoing content is informational in nature.  It is based on information that is generally available, and neither the author nor Hub International makes any representation or warranty as to its accuracy.  Any recommendation, analysis or advice provided therein is not intended to be taken as advice regarding any particular situation and should not be relied upon as such.  Any decision regarding the amount, type or terms of coverage shall be the ultimate responsibility of the reader.

Get your FREE copy.
This article discussed how Cybrcrime has become an everyday occurrence in America today. It provides many examples of these crimes and ideas on how to protect your business from these cybercrimes and hackers. It also discusses cyber liability insurance, a new way to help mitigate circumstances if your hacked.

If you feel your business could use some help with its marketing, contact us at 904-410-2091. We will provide a free marketing analysis to help you get better results. If you found this article useful, please share it with friends, family and co-workers. You can find other articles on our blog by typing in “marketing” or your desired search term in the search box at the top of this blog. Also, don’t forget to plus us, on Google+.


For a comprehensive list of articles on this subject, we recommend reading The State of Internet Privacy & Security in America Today. It has a list of 25 related articles spanning a wide variety of perspective to enhance the readers understanding of this subject.

No comments:

Post a Comment