As the number of people who use the Internet and connected technology every day increases, so does their exposure to cyber attacks.
According to the Department of Homeland Security, 31 percent of all attacks targeted small businesses, and nearly 59 percent of small and medium-sized U.S. businesses do not have a contingency plan for responding to or reporting a breach.
Take the example of a company with locations across four states and approximately 300 employees that experienced cyber-extortion, in this case ransomware delivered through social engineering. The type and amount of data stored was in line with other companies of its size and included engineering diagrams, payroll and account data, and general business documents. The network was small, and standard firewall protection was in place.
The company owner was working remotely on the day of the breach and was not connected to the company network. He received an email from what he took to be a familiar address, but upon opening the email, the computer screen went blank. Within a few seconds he received a message stating that if he wanted access to his computer again, he needed to purchase $500 in Bitcoin following the instructions below. For those unfamiliar with Bitcoin, it is a decentralized, software-based online payment system with its own unit of value. Its transactions are recorded on a public ledger but are tied to pseudonymous addresses rather than to verified identities, and the system is largely unregulated, which makes it attractive for illegal activity such as cyber extortion.
The company tried the usual fixes such as rebooting, but the screen remained the same, and within a few minutes the demand began to increase, to $1,000 in Bitcoin, then to $1,500 and so on. After the IT group examined the computer, it determined that the operating system's core files had been corrupted by the malware and that, without a recent backup, the data on the computer could not be recovered.
Unfortunately, this computer contained valuable information, and its loss caused some production delays. However, because he was not connected to the network at the time, the network systems remained undamaged. Had he been connected, the company's entire business data could have become inaccessible unless a ransom was paid, and at the time the company did not have any insurance covering such an event. Stopping operations for even a few days can be devastating to a company and can even put it out of business. Since this event, the owner has significantly upgraded the company's network security and backup systems and improved its data storage protocols and contingency plans.
Looking to avoid a scenario like that? When it comes to the company’s data, it is important to know the types of information collected, where that information is stored and who has access to it. Risk managers should ask themselves these five questions:
- How is company leadership informed about the business impact of cyber risk?
- What is the current level and business impact of cyber risk and what is our plan to address the identified risk?
- How does the cyber security program apply industry standards and best practices?
- How many and what type of cyber incidents are detected in a normal week and what is the company’s threshold for notifying the leadership team?
- How comprehensive is the cyber incident response plan and how often is it tested?
While a cyber incident response plan is highly recommended, not all companies have the resources to create and implement one. There are, however, many simple, cost-effective steps any construction company can take to help prevent a data breach.
- Ensure employees never give out sensitive information such as Social Security or credit card numbers over the phone unless they can independently verify the identity of the person on the other end of the line (for example, by calling back on a number already on file).
- Have a system for properly shredding sensitive data before disposal.
- Educate employees about phishing and pharming scams. Remind them not to click on links or attachments that look suspicious or seem too good to be true, and to report such messages to IT rather than simply deleting them.
- Hire an outside company to set up the proper security measures for your computer network, if there is no internal IT department.
- Monitor credit reports and other financial data for the company. If someone sees things that don’t belong, then investigate them.
- Do not allow employees to write down passwords in the office; provide a password manager instead.
- Encrypt sensitive data, particularly on laptops and portable media, and keep backups that are stored offline and tested regularly so that a ransomware infection cannot reach them.
More companies are looking toward the insurance industry to assist in managing this risk. Cyber liability policies can cover a variety of costs associated with a breach, including credit monitoring, expenses to defend claims, fines and penalties, notification costs and any loss resulting from identity theft. There are a select but growing number of insurance carriers offering cyber and privacy liability coverage.
Until recently, many companies relied on their commercial general liability (CGL) policies to cover the costs of data breach claims. However, insurance carriers are increasingly denying coverage for cyber claims filed under CGL policies, and traditional business liability policies generally do not protect against most cyber exposures.
The cyber insurance market is highly competitive, with many insurers currently focused on building market share, so one insurer may be willing to extend coverage or terms that another will not. One of the most important issues in negotiating cyber insurance is determining the appropriate limits of liability. Cyber insurance is not particularly expensive, so choose limits in line with the total potential liability in the event of a breach. The insurance broker should help ensure proper coverage.
Remember, it doesn’t matter the size or type of business; every company has data that cyber criminals want. And they will always focus their efforts on easy targets, so putting up a good defense along with appropriate response measures will reduce a company’s exposure and lower its cost.