That’s why it’s essential to understand basic cyber attack patterns, develop a cybersecurity plan and purchase cyber liability & data breach insurance to cover first- and third-party expenses.
Your sales process and related data are crucial to your business’ success. So imagine what would happen if a hacker placed malware on your computer that disabled your sales application and locked you out of your pipeline data. Without access to your prospects and customers—and to the status of each pending case—your sales effort would grind to a halt. How long would your business survive without new revenue?
Preparing for such an attack is essential today, and if you wait until after an attack to devise a plan, it will be too late. Yet, according to a Ponemon Institute/Keeper Security study, many companies fail to prepare at all. The report found that only 28% of firms rated their cybersecurity as “highly effective,” and almost half of respondents (47%) said they didn’t know how to mount a cyber-defense.
Also essential is having cyber liability & data breach insurance to cover your first- and third-party cyber costs, a topic we’ll cover later in this article.
Consider Your Cyber Risks
The first step in developing a cyber-defense is to understand your current risks. Although the external climate is the same for all businesses, your specific risks will depend on:
- The nature of your firm.
- The computer hardware, software and networks you use.
- How you specifically access the Internet.
According to Verizon’s 2020 Data Breach Investigations Report, cyber attacks follow certain basic patterns. One involves who launches the assault. Verizon’s analysis of 157,525 incidents revealed that external actors were responsible 70% of the time, with 30% involving internal actors. Of cases with external actors, organized crime groups were responsible 55% of the time.
How do cyber attacks happen? The most common attack method was hacking (45% of the cases), followed by capitalizing on internal errors such as misconfiguration and misdelivery (22%), social engineering such as phishing and pretexting (22%) and malware (17%). Authorized-staff misuse was responsible for 8% of the breaches, Verizon reported. (The figures add up to more than 100% because a single breach often involves several actions.)
Whom do cyber criminals target? Large businesses accounted for 72% of the incidents, but 28% of the cases involved small businesses, so no company is too small to be a victim. Verizon also found that 58% of the victims had personal data compromised. Other cyber-attack patterns you should know about include:
- 43% of the incidents involved web applications
- 37% of cyber criminals stole or used company credentials
- 27% of malware incidents involved ransomware
- 22% of data breaches involved phishing
According to the Gallagher Cyber Liability Practice, a division of Arthur J. Gallagher & Co., it’s essential to understand the core motivations of cyber criminals. There are six main drivers, Gallagher said in its report, Cyber Risk Insurance Advisory & Risk Management Capabilities:
- Seeking financial reward by accessing personal identifiable information (PII) and then selling it on the Internet or leveraging it for identity theft (cybercrime).
- Trying to gain a competitive advantage by stealing trade secrets, formulas, product designs, business processes and methods (corporate spying).
- Uncovering secret business information to help a hostile foreign power (cyber espionage).
- Seeking to promote a social agenda or to expose a perceived injustice (“hacktivism”).
- Pursuing social, ideological, religious or political objectives (cyber terrorism).
- Being entertained or thrilled by perpetrating a successful hack (thrill seekers).
Develop a Cybersecurity Plan
Once you know what you’re dealing with in terms of cyber risk, how should you prepare for an attack? Here are some key steps to follow in mounting your cyber defense:
- Conduct a cybersecurity audit. The goal of a cybersecurity audit is to determine where your vulnerabilities lie. It should identify the impacts you most need to avoid (loss of computer functionality, damage to or theft of data, theft of intellectual property or customer information, etc.), the assets whose loss would cause them, and the entities that pose the biggest threats.
- Conduct a compliance review. Identify all data security regulatory frameworks affecting your business (federal, state and foreign). Specifics will depend on your industry. Once you know your compliance obligations, obtain copies of relevant regulations and determine the degree to which you are (or aren’t) in compliance. If there are gaps, schedule an ongoing remediation process to bring your company into compliance.
- Assess data security. It’s important to know where all your valuable data resides and who holds privileges to it. Also identify your most sensitive data and the people who have permission to use it. Determine whether essential data is too easy to access. Also make sure you have the ability to track who uses specific data, when and how. Having a process for granting and then periodically reevaluating data access is essential, as well.
- Evaluate password policy. Determine the effectiveness of your password policy. If you lack one, develop one. It should mandate long, unique passwords and prohibit reusing the same password for multiple applications. Many older policies also force periodic password changes; current guidance (NIST SP 800-63B) advises against routine forced rotation, which pushes users toward predictable variations, and instead calls for changing a password when there is evidence it has been compromised and for screening new passwords against lists of known-breached passwords. Consider installing a password manager and requiring multi-factor authentication (MFA), at minimum for email, remote access and any application holding customer data.
- Assess user account security. Evaluate your system for restricting user access to sensitive data unless it’s needed to perform the user’s job. Have a system for reviewing and changing access when someone switches assignments or leaves your company, so that former employees’ accounts are disabled promptly and people who change roles do not accumulate privileges from old ones. Give extra scrutiny to users who routinely use high-value data.
- Evaluate device security. If you use Internet of Things (IoT) devices, make sure all firmware is current and put all IoT devices on a dedicated network. If you allow employees to use their personal devices at work, review your bring-your-own-device (BYOD) policy. If you lack such a policy, create one. Also make sure it applies to wearable devices, which must be updated prior to being used on your business network.
- Review your endpoint security. This entails securing all remote connections made to the network by laptops and other wireless or mobile devices. Endpoint security typically pairs a centrally managed server or gateway console with client software installed on each endpoint (or device). The client software includes antivirus and anti-spyware protection, a host firewall and host intrusion prevention. Make sure all endpoint security software, and the operating systems beneath it, are kept current.
- Security policies. Cybersecurity hinges on enlisting the assistance of all employees to safeguard your computer systems and data. The starting point is to provide sufficient cybersecurity training to ensure secure use of devices, networks and data. In addition, have a system in place for detecting insider threats and a disciplinary mechanism for dealing with employees who violate policy.
- Update your disaster response plan. In the event you suffer a cyber attack, you must have a plan for assessing and mitigating the damage and getting your business up and running as soon as possible. Full data backups and access to cloud functionality should be plan elements; keep at least one backup copy offline or otherwise isolated from your network so that ransomware cannot encrypt it along with your live data, and test the backups by actually restoring from them. Once you have a written disaster-response document, also known as a contingency or incident response plan, be sure to train your employees on how to execute it. Also hold periodic refresher training on how to deploy the plan (a “tabletop exercise”).
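The data-access and user-account steps above (knowing who holds which privileges, disabling leavers, re-scoping movers, and re-certifying access to high-value data) are easiest to keep honest with a script that reconciles an HR roster against an access export. The following is an added example, not code from the original article; the roles, data classes, roster and account list are constructed for illustration, and a real deployment would read them from the HR system and the application’s permission export.

```python
"""Access-review reconciliation: flag accounts that should be disabled,
re-scoped or re-certified. All roster, role and account data below is
constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta

# Which data classes each job role legitimately needs (assumed entitlement model).
ROLE_ENTITLEMENTS = {
    "sales_rep": {"crm_pipeline"},
    "sales_manager": {"crm_pipeline", "crm_reports"},
    "finance": {"billing_pii", "crm_reports"},
    "contractor": set(),
}
# High-value data: access requires MFA and a manager re-approval every RECERT_DAYS.
SENSITIVE = {"billing_pii"}
RECERT_DAYS = 90


@dataclass
class Employee:
    user: str
    role: str
    active: bool  # False once HR has processed the departure


@dataclass
class Account:
    user: str
    grants: set[str]      # data classes the account can read
    mfa: bool             # multi-factor authentication enrolled
    last_certified: date  # when a manager last re-approved these grants


def review_access(roster, accounts, today):
    """Return sorted (user, finding, detail) tuples for every account that
    fails the leaver, mover, MFA or recertification checks."""
    people = {e.user: e for e in roster}
    findings = []
    for acct in accounts:
        emp = people.get(acct.user)
        # Leaver (or unknown account): nobody active in HR owns this login.
        if emp is None or not emp.active:
            findings.append((acct.user, "orphaned", "no active employee; disable account"))
            continue
        # Mover: grants left over from a previous role exceed the current role.
        excess = acct.grants - ROLE_ENTITLEMENTS[emp.role]
        if excess:
            findings.append((acct.user, "excess_privilege",
                             f"remove {sorted(excess)} (role {emp.role})"))
        # Extra scrutiny for anyone who can reach high-value data.
        if acct.grants & SENSITIVE:
            if not acct.mfa:
                findings.append((acct.user, "mfa_missing", "sensitive data access without MFA"))
            if today - acct.last_certified > timedelta(days=RECERT_DAYS):
                findings.append((acct.user, "recert_overdue",
                                 f"last certified {acct.last_certified}"))
    return sorted(findings)


# Constructed sample data: one clean rep, a finance user with lapsed controls,
# a manager who moved from finance and kept a grant, a leaver, and a stray account.
TODAY = date(2024, 6, 1)
SAMPLE_ROSTER = [
    Employee("alice", "sales_rep", True),
    Employee("bob", "finance", True),
    Employee("carol", "sales_manager", True),
    Employee("dave", "sales_rep", False),
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"crm_pipeline"}, True, TODAY - timedelta(days=30)),
    Account("bob", {"billing_pii", "crm_reports"}, False, TODAY - timedelta(days=120)),
    Account("carol", {"crm_pipeline", "crm_reports", "billing_pii"}, True, TODAY - timedelta(days=10)),
    Account("dave", {"crm_pipeline"}, True, TODAY - timedelta(days=200)),
    Account("erin", {"crm_reports"}, True, TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for user, finding, detail in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} {finding:17} {detail}")
```

Run on the sample data, the script reports bob (no MFA and overdue recertification on billing data), carol (a billing grant left over from her finance role), and the dave and erin accounts with no active owner; alice produces no finding. Scheduling a run like this before each access review turns the “process for granting and reevaluating access” from a good intention into a checklist with names on it.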
Importance of Cyber Liability & Data Breach Insurance
Once you have formulated a cybersecurity plan, it’s time to consider transferring the costs of a cyber attack to a third party. You can do this by purchasing cyber liability and data breach insurance. Cyber liability & data breach insurance provides two types of protection: first party and third party.
First-party protection means the policy helps to mitigate a breach’s negative impact on your business. Here are some of the items a cyber insurance policy covers:
- Investigation: hiring a forensics IT expert to determine how the breach happened and to fix the security hole.
- Ransoms: meeting a cybercriminal’s payment demand to unlock your computers, especially if you lack a current system backup. Bear in mind that paying does not guarantee you will receive a working decryption key or that stolen data will not be leaked, and insurers typically require you to involve them before any payment is made.
- Regulatory fines: providing funds to cover penalties or fines that result from the incident.
- Public relations: hiring a PR or crisis management firm to help stem customer defections after a data breach.
- Consumer credit monitoring: providing credit monitoring to all individuals whose data was involved in the incident.
- Notification expenses: letting your customers know their personal data was released in a data breach and in some states, providing them with free credit monitoring.
- Legal advice: retaining an attorney to counsel you on the legal impact of the attack.
- Business interruption support: providing cash to replace lost income after an incident.
Third-party protection involves covering your legal expenses in the event you’re sued after a cyber attack. If a judge or jury finds that your negligence helped to precipitate the attack, then your insurance will provide funds to pay for attorney fees, legal settlements and judgments to plaintiffs and costs relating to state, federal or foreign regulatory investigations, among other third-party costs.
Together, first-party and third-party insurance coverage offer a safety net for the major cyber-related risks your company faces. This will reduce the stress, worry and financial burden of a cyber incident.