Have a pressing compliance or digital security question or topic you’d like for us to discuss? Write to our editor at [email protected].
Understanding the impact of cyber-attacks on your business.
by SCOTT GARCIA
Congratulations! Your data has been held hostage. A criminal has hacked into your computer and taken control of all of your critical files. On your screen is a message, “For $10,000, you can have your computer back.”
Sound like a movie? Unfortunately, this happens every day to unsuspecting business owners and remarkably, this type of criminal act is one of the least costly hacks that can happen to your network compared to other more sophisticated and less detectable cyber-attacks.
In the scenario above, you will often hear, including from some law-enforcement sources, that paying is cheaper than trying to break the encryption, and with properly implemented modern encryption that is true: there is no code to crack. This is exactly what the attacker is counting on. They figure the majority of businesses will pay the ransom rather than hire a forensics firm to attempt recovery. More often than not, the attacker leaves with the money, and paying does not guarantee that the decryption key you receive actually works. So how can you ensure that your computer is protected?
The truth is that you can’t. We have reached a point where business cannot be conducted without the internet, and criminals are often one step ahead of the latest security measures. Assuming your organization would not be a target is a false sense of security: criminals are looking for all types of information, and there is a good chance your network holds something they are interested in. Hackers use various methods to steal private information such as personally identifiable information, client records, financial information, proprietary data, health records and more.
Malware may also be planted on your devices so that it can spread across your entire network and into the networks of the partners and clients you connect to. Regrettably, criminals have become very skilled at turning stolen information into financial gain, and the effects of a breach can be so crippling that a single event can bankrupt an organization overnight.
To put this into context, a 2015 report from the Ponemon Institute found that, on average, a breached record costs a U.S. organization $217. A small organization with 10,000 records would be on the hook for over $2,000,000 to recover from a single breach. With damages like these, it is not surprising that an AERIS Secure report found that approximately 60 percent of small businesses close within six months of a data breach. Larger organizations may be able to weather the fallout, but their losses are often much more severe, and the damage extends beyond the financial, hurting the organization’s reputation and its clients’ trust.
Having a solid understanding of the life cycle of data within an organization, and of where it is vulnerable along the way, is a critical step toward understanding and mitigating your exposure to a cyber-attack. Employees are a significant exposure that most organizations do not think of as a cyber risk. Human error or malice accounts for approximately 19 percent of an organization’s cyber exposure, and while it sometimes takes the form of a rogue employee deleting or manipulating data, it is more often the accidental release of information by an unsuspecting employee who opened an attachment they shouldn’t have or clicked on a malicious link.
So what is the best way to protect your organization from a devastating cyber-attack? The first step is to work with a specialist to do the following:
- Review contracts with all vendors
- Review your organization’s data information security policy
- Review your incident response plan and determine the response team
- Review your organization’s social media policy
- Enforce strict computer usage policies
- Review document retention policies
- Audit the physical security of the organization’s devices
- Conduct training on all security policies
- Require confidentiality agreements of employees, vendors and visitors
The next step is reviewing the remaining risk and choosing a proper cyber insurance policy to protect your organization. Choosing an appropriate cyber policy is critical. However, cyber insurance policies vary dramatically from carrier to carrier, so be sure to work with a cyber insurance specialist to obtain a policy whose coverage matches your organization’s exposure.
Cyber breaches are only going to become more common, and while it may be impossible to stop every criminal, it is possible to limit the damage of an attack. Computers are the lifeblood of most organizations, and business owners need to be proactive in protecting their company against cybercrime.
The question is no longer if your organization will be breached, but when. ■
Scott Garcia is a professional services risk advisor and leads the Lawyers Professional Liability team for Smith Brothers Insurance. His goal is to help firms and organizations manage and mitigate risk. Garcia provides clients with experienced underwriting, program management, risk management and insurance placement. He can be reached at [email protected].
Are you prepared for a breach?
Here are six simple questions an organization should be able to answer if they have prepared for a breach.
- How many records are you responsible for, and whose are they?
- Do you understand your state’s privacy notification laws, penalties and fines?
- Have you performed penetration testing on your network?
- Do you have an incident response plan in place in the event of a breach?
- Do you have an information security policy in place for the way your organization handles confidential information?
- Do you have an ongoing strategy in place to continually identify and assess cyber related risks?