Think you know cyber?. . . Think again.
Cybersecurity and cyber threats are evolving and growing more complicated every day. Cybersecurity is a business risk that everyone must take into consideration; it is no longer only an IT problem.
Small and Mid-Size Businesses are Rising Targets
You hear about data breaches almost on a daily basis. In the media, we usually hear about the big names, like Target or Equifax, but in reality, it’s the small- to medium-size businesses that cyber criminals prefer to target. The good news is that these high profile stories have raised cyber awareness, but the bad news is that most small businesses don’t think a cyber incident will happen to them. This false sense of security needs to disappear. The majority of small businesses lack formal cyber policies, procedures and training. Most, only have surface-level prevention measures in place. Plus, sometimes the biggest threats are lurking inside your office: your employees. Many smaller companies have a family-type atmosphere and allow for a lot of leniency, which can expose cyber vulnerabilities. It’s time to get familiar with the lingo, risks, options, prevention, and solutions regarding cybersecurity.
What’s at risk?
+ Banking information and financial losses
+ Business operations
+ Sensitive data
+ Proprietary information
+ Trade secrets
+ Equipment losses
THE FBI DOES NOT SUPPORT PAYING RANSOM because doing so does not guarantee that you or your company will have the data returned to you. Paying ransoms can also encourage the attacker to go after additional victims.
- The average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. (National Security Institute, 2021)
- In a recent survey by Advisen and Zurich, 83% of respondents had cyber insurance – the highest percentage in the 11 years of the survey.
- The cyber insurance market in the U.S. grew to roughly $4.1 billion in direct written premiums in 2020, an increase of 29.1% from the prior year, reports the National Association of Insurance Commissioners (NAIC).
- Malicious emails are up 600% due to COVID-19. (ABC News, 2021)
- In 2021, the largest ransomware payout was made by an insurance company at $40 million, setting a world record. (Business Insider, 2021)
- According to a 2020 Verizon report, 86% of global data breaches are financially motivated.
What are the top cyber threats?
- Ransomware – A threat that has grown in recent years, in attacks, costs and impact. Cybercriminals lock down your system and hold your information hostage until the ransom is paid. A new trend in ransomware is “double extortion” where the victim’s data is potentially posted online or sold if the ransom is not paid.
- Malware – This is a large category that includes a number of intrusive software options, including worms, viruses, spyware, ransomware, and adware. Malware installs software that can deny access to users, install destructive software, access databases, and steal data – just to name a few things. Preventing malware requires continual scanning of your network. Early detection is key.
- Zero-Day Attacks – Involves targeting a known vulnerability before a solution or patch has been implemented. Organizations that fail to act quickly may find themselves the target of this type of attack.
- BYOD (Bring Your Own Device) Attacks – Remote work and a gig economy have increased the number of employees using their own equipment. Cybercriminals are increasingly targeting these devices since many do not have the same security as a company device.
- Phishing – Not a new threat, but one that always catches many victims. Hackers try to fool people into doing something that seems fairly harmless or normal. Phishing scams can be delivered through a seemingly legitimate download, link, or message. People quickly scan the info or trust the supposed source and data is compromised typically in the form of passwords, credit, or account information.
- Password Guessing Attack – Also know as a Brute Force Attack. Hackers exhaustively guess usernames and passwords to get access to systems. Many times, hackers will use known credentials from past data breach events. The best defense to avoid this attack is to use strong, unique passwords and 2FA.
- DDoS (Distributed Denial of Service) Attack – The hacker floods a network or system with a ton of activity (such as messages, requests, or web traffic) in order to paralyze it. The goal of the attack is to knock the victim offline.
Good cybersecurity requires work and commitment from multiple parties. There are tasks that need to be carried out at a company level and tasks that need the cooperation of individuals. An effective blend of people, process, and technology practices provide your best prevention odds. Here are some of the tips we recommend integrating into your company’s cybersecurity plan:
+ Follow password guidelines – Create strong passwords per company guidelines as well as update as required.
+ Stick to the Clear Screen Policy – Make sure your computer screens are protected from prying eyes. Consider screen shades when using and screen savers that automatically lock your display.
+ Embrace a cyber-secure culture – Take part in trainings and employ the prevention tactics you learn at work, on the road, and at home.
+ Implement SSO (Single-Sign On) – Helps employees deal with password fatigue and makes the login process much easier. The fewer passwords, the lower chance of 20 post-its with passwords on a desk.
+ Use 2FA/MFA (Two-factor/Multi-factor Authentication) – While complex passwords can help discourage cyber criminals, they can still be hacked. 2FA adds a layer of security by requiring users to provide extra information, e.g. a text code to access company systems.
+ Install anti-virus/anti-malware software – keep it current. This is not a one and done install.
+ Install patches and updates on a regular basis – Download and install software updates for your operating systems and applications as they become available. Many cybercriminals exploit systems that have not implemented bug fixes.
+ Backup data plan – Ensure you have a system in place, most likely cloud or off-site storage, that will provide a secure option.
+ Establish a cybersecurity culture – Make cybersecurity a priority and a regular part of discussions and meetings. Treat it as a normal, yet integral, part of business operations.
+ Conduct a regular cyber risk assessment – Consider an annual (at least) review of your cyber risk. This includes updating policies as needed, evaluating software, reviewing risks, and more.
+ Institute workplace policies – Build a structured set of rules for employees to follow. Include the cyber policies and procedures as part of orientation and inform employees of updates on a regular basis. Make sure employees know what is expected of them when it comes to cybersecurity.
+ Create strong password policies and requirements – Ongoing password management can help prevent unauthorized attackers from compromising your company’s protected information.
+ Secure appropriate cyber insurance coverage – Based on the assessment of your company’s risk, determine what type of cyber policy is right for you.
+ Provide security training – Offer (and mandate if at all possible) cyber training that will educate employees on cyber threats and how to stay safe. Employees are your first line of protection.
+ Create an incident response plan – In case of emergency, know what will be done in case of a data breach or other cyber incident. Create a clear set of responsibilities and who needs to carry them out.
COVID-19 CYBER IMPACT – CYBER CRIMINALS CAPITALIZE ON PANDEMIC:
Criminals prey on unfortunate circumstances, seeking to capitalize on victims during
times of panic and disruption. Enter COVID-19. Cyberattackers have seized the
opportunity and have been targeting all industries, with healthcare, municipalities
and education being hit the hardest. Additionally, more threats and attacks have
resulted due to remote work and employees working on personal devices.
Know What’s Coming
Cyber threats and trends are constantly evolving. It’s vital for organizations to reassess their cyber prevention practices on a regular basis. Here are a few cyber trends on the horizon:
- More sophisticated attacks – especially regarding ransomware.
- The spread to mobile devices – Hackers have been taking advantage of mobile device features such as emergency alerts and relaxed permissions to spread malware. The majority of mobile ransomware variants have the ability to cover every browser window or app with a ransom note, rendering the mobile device unusable.
- AI-powered cyberattacks – using artificial intelligence to create programs that impersonate human behavior, potentially tricking individuals to share sensitive data.
- Vehicle cyberattacks – could include accessing vehicles to steal personal data, track an individual’s location, obtain driving histories, or disable safety functions.
Know the Solutions
Even with diligent cybersecurity prevention policies, procedures, tactics, and initiatives, there are times you may need more support. Wells insurance is available to provide guidance and resources for you and your company. Here are a few cyber tools and options that can help:
Conventional commercial general liability and property insurance policies typically don’t include cyber risks in their coverage. This has led to an emergence of cybersecurity insurance as an independent line of coverage. That coverage provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs from data theft, ransom demands, business interruption, hacking, DDoS attacks, crisis management activity related to data breaches, and legal claims. Cyber liability insurance policies should be tailored to meet your company’s specific needs. We have tools to help quantify cyber risk that allows businesses to understand what areas are vulnerable to attack, what the impact could be on their organization, and helps us provide guidance on the appropriate amount of insurance to purchase through limit adequacy analyses, as well as traditional benchmarking analyses that give insights on peer purchasing behavior.
It’s extremely difficult to keep up with the fast-changing world of cyber. No matter the size of your business, one challenge every business faces is risk originating from their employees. Poorly trained employees are less likely to be safe and productive on the job, which can open you up to risk from cyber threats.
At Wells, we not only provide insurance solutions, we also offer an education and training platform, providing resources and training tools on cyber security that can help you stay safe and run your business more effectively. Get in touch with us to find out more.