Four Reasons You Should Have Cybersecurity Insurance

Do you have insurance on your house? Of course you do. So, the question is why wouldn’t you protect your business – your source of income – the same way you protect your home? Cybersecurity insurance won’t stop a breach. It will, however, help raise awareness and cover damages, should you be attacked.

Small or medium-sized business owners should check out these four reasons to have cybersecurity insurance.

GENERAL LIABILITY INSURANCE DOES NOT TYPICALLY COVER CYBERSECURITY ISSUES

Data breaches and other cybersecurity issues such as ransom are not typically covered in general liability insurance policies. It’s essential to understand what is, and what is not, covered in your policy.

COST OF A BREACH IS MORE THAN YOU THINK

The damage caused by a data breach will exceed the cost required to overhaul security procedures or replace lost or stolen laptops. Many business owners and managers fail to consider the costs over and above replacing tangible assets.

For example, the financial impact on corporate reputation could be devastating. Reputation costs vary: they could be a few thousand dollars to build new processes and policies to reassure customers it won’t happen again. On a larger scale, a breach can result in stock prices dropping significantly. In worst-case scenarios, approximately 60% of small businesses will cease operations within six months of a breach, according to the U.S. National Cybersecurity Alliance.

A final cost consideration is the penalties rendered as a result of a data breach. Canada, like most jurisdictions, continues to modify its privacy regulations. It is anticipated that sometime this year, regulations requiring notifications of data breaches will be implemented in Canada. Fines of up to $100,000.00 could be issued.

YOU ARE STILL RESPONSIBLE FOR DATA PROTECTION EVEN IF YOU OUTSOURCE YOUR IT HOSTING OR USE THE CLOUD

Business owners and managers often fail to understand this important nuance. Outsourcing IT, having another party host your data or using the cloud does not remove your responsibility to protect personal data. You have collected the data; therefore, by law, you hold the responsibility to protect it.

YOU PROBABLY DON’T HAVE A RISK MANAGEMENT TEAM

Risk management teams are reserved for larger organizations. They have bigger budgets and access to more resources for their overall operations. They look for, and assess, all types of risks, not just cybersecurity or data risks.

Smaller businesses have neither the budget nor the ability to have full-time risk management teams. Insurance providers typically have checklists or a minimum set of standards to follow for coverage. This is very similar to home insurance. If your insurance company recommends a new roof for example, and you don’t comply, don’t expect coverage if you have a major leak.

Cyber insurance is continuing to evolve as cybersecurity issues emerge. One thing is for sure, however: cybersecurity insurance can help protect your operation, your employees’ source of income and your clients’ data.

Want to learn more about cybersecurity communications? Contact us at TaylorMade Solutions.

This blog post was previously posted on the CyberNB blog.

cybersecurity, cyber security, Heather-Anne MacLean

What Your Business Doesn’t Know About Cybercrime Will Hurt You

Cybercrime isn’t going away. In fact, it continues to grow. Cybersecurity Ventures predicts that cybercrime will cost the world in excess of $6 trillion annually by 2021. If that number doesn’t alarm you, the fact that 43% of attacks are focused on small business, and that 60% of small businesses attacked go out of business within six months, should.

In April, the Canadian Chamber of Commerce issued a report entitled: Cyber Security in Canada: Practical Solutions to a Growing Problem. This extensive report provides insight on the current cyber landscape, including business costs and business losses due to cybercrime. It also provides information on the growing role of cybersecurity insurance in protecting businesses. It also offers results from their important and timely research detailing significant gaps in five key areas. (Recommendations from the report are below):

  1. Technology;
  2. Public Relations;
  3. General Awareness;
  4. Legislative Requirements; and
  5. Insurance

This report is particularly interesting for small and medium enterprises (SMEs) because of the statistics above. “All companies are targets for cyberattack, and specific solutions change daily. Yet in many companies, there is a lack of ability to recognize these breaches. Today’s attacks are about the data, not the company or person, and they are designed to be invisible.”

SMEs continue to believe risk does not apply to them because they believe criminals are targeting large enterprises. While this was certainly the case for a number of years, a shift emerged beginning in 2013. Especially relevant, as noted by Symantec in 2015, 43% of small businesses were the focus of spear-phishing attacks versus 35% of large businesses.

One of the most significant and famous breaches, the Target attack, occurred as a result of a small business. It was an HVAC company working with the retail giant, and it had weak security. A part of Target’s supply chain, they were ultimately breached and most probably unaware. This meant that criminals were able to breach Target. Three years later, reports in the media detail how Target has agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia. This is over and above the total cost of the data breach, which was $202 million. And what happened to the HVAC company? It went out of business.

Consequently, as the Canadian Chamber of Commerce acknowledges in its report, SMEs know they have to do more. With 98 percent of Canada’s economy comprised of SMEs, taking steps to obtain cybersecurity certification, cybersecurity insurance, and more is not something that can be postponed any longer. “For most companies, data is now their most valuable asset. Our goal is to point business in the direction of finding a common sense approach to risk management to protect those assets,” notes Scott Smith, Director, Intellectual Property & Innovation Policy, Canadian Chamber of Commerce.

Recommendations

The Canadian Chamber of Commerce provides nine specific recommendations in this report that merit review and understanding to help mitigate cybercrime.

  1. Government cannot protect everything, but it does have pivotal responsibilities
  2. We need an outcome-based, systemic/cohesive approach and common model of understanding
  3. Develop a “Secure Canada” Approach
  4. Develop a National Cyber Policy Framework
  5. Adopt an Enterprise Risk Management Approach and Collaborate
  6. Increase Canadians’ Cyber Savviness
  7. Government endorsement and support for the deployment of Industry Certification
  8. Incentivize Security Innovations
  9. Both government and industry need to take a proactive approach to the inevitability of Quantum and develop a Quantum-ready Strategy.

For more information download Cyber Security in Canada: Practical Solutions to a Growing Problem.

This post previously appeared on the CyberNB Blog.

3 #Cybersecurity Must Reads for This Week

Cybersecurity is top of mind for a lot of people, and for good reason. Cyber risks and attacks are not only impacting individuals with identity theft, but they are also impacting hospitals and businesses.

So, I thought I would compile my fav articles on this very subject that I discovered this week. Let’s take a look:

1. Want Safer Passwords? Don’t Change Them So Often, by Brian Barrett

I say ‘hooray’ to this one. I can’t tell you how often I have forgotten passwords. Everything needs its own password and, for the love of God, I can’t remember them all!

2. A typo partially stopped hackers from stealing $1 billion from a Bangladesh bank, by Loren Grush

Maybe we should intentionally use typos as a protection tool?

3. Pay up or else: Ransomware is the hot hacking trend of 2016, by 

I think this one speaks for itself. Definitely a serious issue that is not going away.

Well, these were my top picks for the week. What would you add?

Information Security: What Small Businesses Don’t Know Will Hurt

Personally and professionally, we were not prepared for the growth of the Internet and the resulting information security needs.  For the vast majority of us, we still aren’t.  We’re human beings using advanced digital communication systems, and as users of these systems, we are defined by behaviours.  This is the single reason why organizations are failing; from small shops with two systems that make up their IT department through to enormous enterprises.  

Adam Mosher

Our behaviours towards information security remain stagnant.

We are all familiar with the big stories of the day:

  • Privacy breaches;
  • Systems compromised; and
  • Inadequate security controls within organizations whose core business revolves around collecting and storing our personal data.   

As we’ve been thrown into this unknown world, we’re already behind in understanding the significance of how these threats affect us all. It’s far more than just the inconvenience of having our email addresses leaked or our usernames and passwords exposed. It’s what’s occurring behind the scenes with this information. This is where and why malicious individuals are always ahead. They know what our systems and data are worth, and they profit off of our behaviours towards our systems and data.

These behaviours have left us ignoring fundamental concepts.

Fundamental concepts are easy.  Let’s look at a simple example; you lock the doors to your house because you want to protect your persons and belongings.  This simple concept translates into the business world, where belongings are classified as assets.  You lock the front door to your office because you want to protect your assets. 

These assets include:

  • Intellectual property;
  • Confidential company data; and
  • Clients’ personal financial and health information.

We move these concepts into the digital era. Firewalls have become our doors and anti-malware solutions have become our alarm systems. The list is enormous, with vendors offering hardware and software solutions for just about any issue one could think of.

While some of these solutions serve a valid purpose, the one constant throughout the growth of the Internet is us and our behaviours.

Let’s look at some of the current threats: Drupal’s SQL issue, the SSL v3 vulnerability and the highly publicized Heartbleed. It’s certain that our behaviour created these: rushing through the software development lifecycle, where security has a very high chance of being neglected until the last minute, if at all; not patching systems; and not properly responding to threat notifications.

Vulnerabilities and risks throughout the systems do not happen by themselves, nor do malicious individuals accidentally retrieve our personal information.    

We have to stop looking at our failures as a way to shift blame onto someone. This is another behaviour: we don’t blame something, such as a firewall or a software application, we blame someone. With brand names in jeopardy, and as the finger-pointing rises up the corporate ladder, now is the time to look at these failures as a great opportunity for improving our behaviours towards information security. It’s not to say all bad things that happen are intentional. However, negligence and ‘I didn’t know’ are inadequate responses for cyber breaches. Ownership and responsibility fall on the business.

There’s a current theme for professionals working in the information security realm: you pay for security now or you pay for it later. When you’re a multi-billion dollar a year enterprise, you can absorb cyber breaches. Still, when you’re financially responsible for paying out hundreds of millions in costs because of a breach, is this not enough to change our behaviour towards information security?

So how do we change our behaviour towards information security?  How about we start with setting expectations?  We reward personnel for meeting sales targets and praise them for client satisfaction.  How about we reward them for not clicking on a phishing email by reporting it to the IT person in charge?  Or we reward them for not spending a copious amount of hours on social media sites in the workplace, although our acceptable use policy states ‘reasonable amount of time’?

It’s about bringing security to the forefront in your workplace.  Discuss it, reward it and it will become a workplace behaviour.  This is a behaviour worth expecting.    

Want to learn more about how this impacts your marketing efforts? Click here to connect with TaylorMade Solutions.