As recently as 10 years ago, cybersecurity was merely a passing thought for most businesses and consumers.
Today, the threat is front and center, with thousands of headlines reporting the damage of cyber incidents like the worldwide WannaCry attack in May and the more recent Equifax data breach. Protection is now a priority for all companies, and it starts with business owners knowing the top threats, empowering employees and choosing the right insurance.
Small businesses, in particular, carry a higher risk of experiencing cyber threats.
In a study by NetDiligence, which looked at empirical data from actual breaches, organizations generating less than $50 million in revenue were the most impacted group in comparison to their larger counterparts. With the rate, speed and anonymity of attacks, it’s easy for business leaders to feel helpless in addressing cyber threats. However, taking the correct proactive steps regarding protection and insurance will lay a solid foundation for security, and ensure businesses can continue when this security is breached. Below are recommendations for businesses that can help mitigate these exposures:
Know the Top Threats
Business leaders need to be educated about the many faces of cyber threats. Below are some of the most common cyber threats today:
Malware (short for “malicious software”) — software intended to damage or disable computers or computer systems. A few signs that malware may be infecting your computer or network are slow speeds, pop-ups, suspicious activity, disabled security programs and high bandwidth usage.
Phishing — the practice of sending falsified emails, seemingly from reputable companies, to entice people to provide personal information, such as credit card numbers and passwords. Common characteristics of phishing emails include poor grammar or misspelled words, requests for personal information, URLs that don’t align with the business and requests for money.
Ransomware — software that blocks access to a computer system until an amount of money, or ransom, is paid. If you’re a victim of ransomware, you’ll likely see a screen blocking you from using your computer, files that won’t open, file extensions (.exe) replaced with .crypted or instructions on how to pay the ransom.
Choose the Right Insurance
Finding a trusted insurance partner to help navigate options and plans is an important first step. Having a trusted partner will ensure you’ll get the right coverage and your plan will be tailored to your business.
Understand what your general liability insurance does and does not cover.
Is cyber liability part of your coverage? Does that cyber liability coverage include business interruption? In 2013, Amazon lost $66,000 per minute when its website was down for 13 minutes. For Amazon, $858,000 was a hiccup, but for a small business owner, the loss of revenue due to a cyberattack could be devastating.
Make sure your coverage is enough.
Even if your business has cyber liability with business interruption coverage, it may not be enough. In fact, 40 percent of policy holders with business income insurance had a limit of insurance that was deemed to be 45 percent lower than needed. It’s important to accurately quantify your potential losses before deciding on coverage.
Get a combination of first- and third-party coverage.
A ransomware attack would typically be considered a first-party claim (one that covers the policyholder), while a phishing scam that impacts your customers and results in litigation would be considered a third-party claim. Most cyber insurance policies are customizable, which allows you to adjust your policy based on your risks.
Know your master services plan with your technology providers.
Most technology companies have master service agreements with their clients that outline the services they provide and associated fees. Understanding these agreements will help you create a cyber insurance policy that is customized to your business and the vendors with whom you work.
Educate and Empower Employees
A business’ best defense against cyber threats is its employees.
Business leaders can be well-informed on cyber threats and have the right insurance, but the reality is that they are not the only ones dealing with confidential information and the business’ technology and servers. All employees should be equipped with the information and training needed to maintain security.
Educate employees on common phishing and ransomware schemes.
Not only should you and your leadership be educated on the top threats, your employees should be, too. Keep them informed on the latest cyber threats so they can easily and quickly spot an issue.
Educate employees on security measures that should be in place and practices that should be followed.
Create clear policies regarding sensitive information sharing, computer and network access, password management, physical property and visitors. Make sure these policies are updated and reviewed regularly with employees and enforced when violated.
Empower employees to speak up when something looks amiss.
It is important that employees are comfortable with alerting their manager or IT of anything suspicious so they can effectively investigate and mitigate the incident. Encouraging a culture of security will ensure all team members are engaged in upholding the proper safeguards to mitigate these risks.
The need for business leaders to consider and implement cybersecurity is one that will impact the success and future of their organizations.
The question is no longer if your business will be hit by a cyber attack, but rather how prepared your business will be and how you will respond to these attacks. Knowing the threats, having a plan and engaging the whole company are effective ways to address the inevitable.
Jake Omann is a management liability consultant with Associated Benefits and Risk Consulting: 952.947.9747; firstname.lastname@example.org; www.associatedbrc.com.