Keslar Insurance Agency

114 Main Street
Newmarket, NH 03857


Small or Midsized Businesses Are Most Prone to Cyberattack – How You Can Protect Your Company

[Image: internet screen security protection. Photo by Pixabay on Pexels.com]

Considering that cyberattacks occur every day and cost the global economy a staggering $350 billion plus worldwide*, you would think that strategizing to avoid such assaults would be a top priority of all businesses. Incredibly, it is not. In fact, according to a recent survey of 1,377 small and midsize company CEOs**, 62% said their firms don’t have an up-to-date or active cybersecurity strategy, or any strategy at all.

That’s a significant problem, given the crippling damage that can occur – the National Cyber Security Alliance recently reported that 60% of small and midsized businesses that get hacked are out of business within six months.

If you’re running a small or midsize business (SMB) you are, plain and simple, at high risk. In fact, the majority of all cyberattacks happen to SMBs. Why? Because SMBs tend to:

  • Lack sufficient security measures and trained personnel
  • Hold data that’s valuable to hackers (e.g., credit card numbers, protected health information)
  • Neglect to use an offsite source or third-party service to back up their files or data, making them vulnerable to ransomware
  • Connect to the supply chain of a larger company, and can be leveraged to break in

In 2013, hackers were able to breach Target via a link in their supply chain: a small HVAC company based in Sharpsburg, Pennsylvania. This single event is in large part why so many SMBs are beginning to receive Information Security Questionnaires from their clients today. This is an effort by your clients to ascertain the strength of your information security program and mitigate risk.

SMBs also are prime targets for ransomware, which encrypts company data until a ransom is paid. Why? Unlike many large companies, SMBs often neglect to use an offsite source or third-party service to back up their files or data. In the event of an attack, they almost always need to pay the ransom to decrypt their files.

In addition, the use of social engineering to spread malware is a persistent issue. The success rate and frequency of these attacks continue to grow. Social engineering and impostor detection should be included in any comprehensive user awareness training package. It is also important to realize that, as valuable as security awareness training is, it can’t be used in isolation. Even with the best training in the world, your organization will succumb to social engineering tactics if you don’t stem the flow of incoming attacks.

Sensible security measures include controls such as a sophisticated spam filter, which should prevent the majority of simple phishing emails from finding their way into your users’ inboxes. Other measures might include email and attachment scanning, segmented network architecture, and an endpoint security system.

Consider the following steps to start building a cybersecurity strategy that keeps hackers out of your business.

1. Select an information security standard

Before a fortress can be built, the structure must be laid out in blueprints by an architect. You need a detailed plan to properly build your security program. ISO 27001 is an ideal choice due to its flexible, pragmatic approach and global recognition and acceptance.

2. Inventory your assets, determine their value and prioritize those most critical

Identify the key assets in your company, whether those are databases, customer data, employee records, or intellectual property, and determine their value and who is responsible for them.

3. Determine your company’s current cybersecurity risk surface

Perform a comprehensive risk assessment of the assets to understand the threats, vulnerabilities, likelihood of occurrence and impact if the threats were realized. Work to reduce the risk to a level the organization is comfortable with.

Here are some other best-practice considerations:

  • Remain vigilant; keep up to date on the evolving nature of threats and join a threat-sharing organization (like InfraGard)
  • Patch your systems: many recent attacks took advantage of vulnerabilities for which a CVE had already been published
  • Reduce your attack surface: harden the infrastructure, remove unneeded services and programs, close unused or risky ports
  • Employ strong antivirus, email and web filtering
  • Limit administrative rights
  • Segment the network to limit propagation
  • Educate and train your employees; regularly test their awareness

The best defense is a good offense. Make it a priority to protect your data for the benefit of your employees, your customers and the long-term health of your business.

*According to the National Center for the Middle Market (NCMM) at The Ohio State University Fisher College of Business.

**Cisco and the National Center for the Middle Market.

Blog graciously provided by our partner:

Darrin Maggy, CISSP |vCISO, Managing Director| Ezentria, Inc | +1 (603) 339-4553 | dmaggy@ezentria.com


Cyber-attacks are a real threat to most small businesses.

Many businesses think, “I don’t keep my customers’ personal data, so I’m not at risk of a cyber attack.” That isn’t completely true. If you collect any personal information for any reason, including employee data or prospect information, you may be at risk. Many assume that because they are using a third-party software product they aren’t responsible. This also isn’t true. Any time you collect any type of personal information, you could be putting yourself at risk.

Cyber attacks aren’t always done by someone in a foreign country looking for information from big stores. More than 50% of attacks are on small businesses.

This happens in a wide variety of ways. For instance, did you know email is the most popular method of getting data? Attackers often use legitimate login information. One common ploy is for someone to pretend to be your “support” personnel and ask unsuspecting employees for their login information. Another common problem is laptops that are lost or hacked. Another common situation is an employee working remotely over public wifi. Furthermore, the “bad guys” are still finding success with phishing schemes. Some claims have come from instances where a disgruntled rogue employee steals names, addresses, social security numbers and other personal information from customer files.

Some other real world examples include:

A manufacturer nearly transferred $315,000 to China based solely on an email request to pay for raw materials that appeared to be legitimate.

A man sent an email to his ex-girlfriend hoping to monitor what she did on her computer. She opened the email on her work computer, and over the course of two weeks, the spyware emailed the man more than 1,000 screenshots of confidential data on 150 customers.

If any of these things happen to you, finding and remedying the issue can be very costly and slow. There are very specific steps you likely have to take. For instance, at least 47 states require notification of a breach to customers. This has to happen in a prescribed way and at an expense to your organization. Furthermore, if you have a breach or loss, everything stops in your business until you address the situation. This may require forensic experts, steep legal fees and more. The expense of resolving this can be in the hundreds of thousands of dollars or more.

How do you minimize these risks? Your traditional business insurance doesn’t typically cover this type of situation. Fortunately, there are now additional insurance solutions available that not only cover the cost of notifying all clients, hiring forensic experts, data restoration expenses and other required legal steps, but the insurance companies often have a team of experts to help you address the required steps and get your business running again more quickly. Check with your insurance agent to see where your most likely risks are and what products can best protect you in the event of a cyber-attack.

Have more questions on cyber risk? Need help with commercial insurance? We’d love to help. We can be reached at www.keslarinsurance.com or 603-273-0953. Keslar Insurance Agency is an independent insurance agency offering business, home, auto and life insurance in NH and ME.


Not at risk for a cyber attack? Think again. 10 Cyber risk myths

  1. I’m not at risk because I don’t maintain any personally identifying information on my customers. Every commercial entity has an exposure because all commercial entities have customers and employees. Typically, an entity will have employees’ social security numbers as well as health information for benefits programs. If you have this information, you have risk.
  2. I’m not at risk because I don’t conduct business over the internet. While the more sensational breaches involve hacking information via the internet, the majority of breaches occur by other means such as accidentally released or stolen physical files or electronic media (i.e. laptops, CD-ROMs, thumb drives, etc.).
  3. I have coverage under my property, commercial general liability or other commercial policies. You may want to review your insurance policies again. Property policies may provide coverage for business interruption but generally are triggered by a direct physical loss to the insured property. “Physical” is thought of as “tangible,” and case law generally maintains that data is not tangible property. Typically, commercial general liability (CGL) policies contain exclusions for damages resulting from the release, disclosure or access of personally identifiable information. It is for this very reason that cyber risk coverage was developed.
  4. Personal data breaches only happen to large companies and public entities. The media tends to focus on larger data breaches because they impact a significant number of people, but breaches impact entities of all sizes. In fact, smaller entities may be more susceptible to breaches as they do not have the resources to dedicate to the issue.
  5. Laws requiring notification of personal data breaches only apply to large businesses. Currently there are 47 states that have legislation requiring notification in the event an entity breaches personally identifying information. These laws are consistent on one point: they do not address the size of the entity.
  6. Coverage that would enable my company to provide a professional response to a personal data breach requires a lengthy application and various audits. Unless limits of $100,000 or greater are required, no underwriting questions are asked. A security audit is not required for this program.
  7. There is nothing I can do to reduce my company’s chances of having a personal data breach. There are several steps an organization can take to reduce its cyber liability exposure.
  8. If we have a personal data breach and need to notify our customers, we can just send them a “we’re sorry” letter and our customers will understand and continue to do business with us. While sending a “we’re sorry” letter will often satisfy the various legal requirements, the entity is then left with a marketplace reputation problem and the challenge of retaining customers in the wake of a breach. Our program offers additional services to the people affected by the breach. These services include access to a toll-free information line, credit monitoring service and identity recovery services.
  9. I don’t need cyber risk insurance if I spend more on information technology security. While robust information technology security will help reduce your exposure, it will not prevent all breaches from occurring. Breaches often occur from procedural mistakes or “rogue” employees who have access from the inside. Insurance, as well as appropriate spending on security and information technology, is part of a holistic risk management strategy.
  10. In this economy, I can’t afford any more insurance. You cannot afford not to have cyber risk insurance. A recent Ponemon Institute study indicated that direct costs to respond to a breach were $60/record. Even a small breach that only impacts 100 records could cost you several thousand dollars.

For further information about cyber liability coverages, as well as any other business or personal insurance needs, we can help. We can be reached at www.keslarinsurance.com or 603-273-0953.

Source: The Main Street America Group. This document is intended for information purposes only and does not modify or invalidate any of the provisions, exclusions, terms or conditions of the policy and endorsements. For specific terms and conditions, please refer to the coverage form.
