Archive for the ‘Cyber Liability Insurance’ Category
19% have Cyber Insurance, 50% expect more attacks
Most companies don’t have cyber/data breach insurance. And most think attacks are getting worse (and they’re right). But even large companies are 4 times more likely to use insurance to protect loss of physical assets than loss of data.
These figures come from a current Ponemon Institute study quoted by the national Professional Insurance Agents. (PIA) There’s a link to the study at the bottom of this post.
What do we have to do to convince businesses to protect themselves?
I think, as President of the New Jersey Professional Insurance Agents in addition to GBW Insurance, that most agents are including information about Cyber issues in their talks with clients. But the level of misinformation and ignorance at the client end is still very high.
Smaller businesses tend to assume 1) that they are not exposed, and 2) that there is adequate coverage in their basic insurance policies. #1 is a bad joke; small businesses are great targets for hackers and even better for disgruntled employees. And #2 is a fantasy.
I’m going to go write another letter to all our business clients…
Professional Insurance Agents (PIA) link to the study
The Ponemon Institute study has many other entertaining facts. For example, large publicly held companies said they would have to disclose large lawsuits or large-scale damage to physical assets, but not cyber penetration. I’d like to hear a business litigation attorney on that one.
The Scope of Cyber Liability And Data Breach Exposures – And Insurance
These are complicated exposures that now affect even small businesses. And the necessary insurance coverages are complex too.
Business owners must think about paper records, physical system security, and electronic data.
- It will involve their physical building locations, as well as their e-systems.
- They’ll need to know how much data they use and/or archive, as well as how many, and what nature of customers that they have.
- They must think not just in terms of the operations that they solely control, but also of the “Network” in which they are engaged.
A network is as everything and everyone that business owners allow to have some portion of access to their corporate operations, whether they are employees (on-site or remote), on-site or remote contractors, connected third parties and even connected customers. This is especially true when it comes to the use of mobile devices.
Look at how broad the term “mobile device” is, legally, now.
Mobile data includes workstations, computer terminals, internal IT operations, their websites, Facebook pages, Twitter, and other social media connections, as well as all employee connections whether through company provided devices or their own. It also includes all other connections that your customers use to and from third parties to connect to you and accomplish their work, including off- site physical and e-storage locations. It involves current, stored/backed-up and archived data, and documents and files. It is everything.
Take a few hours a year to consider the risks to which your business is exposed. Walking through that allows a business to better see what needs to be done, including insurance.
If you’d like to discuss this and other issues in cyber related insurance, or more traditional business insurance, give us a call at 800-548-2329. We are a NJ insurance agency.
Do You Allow Surfing At Work?
Why would you worry about your employees surfing the Net?
A Salary.com survey said that 64% of workers admitted visiting websites not related to work, every day while at work. 24% of those employees said they spent 5 or more hours a week on such websites. (Note that Salary.com, ironically, has a section for job searches.)
Since another survey suggests that 40% of Internet use in the workplace is not business related, I’d guess that (surprise!) people are understating how much they use your computers for non-work purposes.
Let’s just skip over how much your company’s bandwidth may be used for watching porn.
In 2012 the Federal Court of Appeals for the Ninth Circuit held that using an employer’s computer for inappropriate purposes is not a Federal crime, though one statute called that into question. You the owner may have to prove that your employee was harming your company before you can discipline/fire/jail him or her. Here’s a link to a Wall Street Journal law blog.
IT service provider IT Radix recommends that you implement Internet monitoring software to go with your anti-virus, encryption, and other defenses. It’s not insulting any more than a railing on stairs is insulting. Tell your employees what the rules are, have a written policy, and the software will remind people when they trip.
(Thanks to our client Surfernetwork for the picture of the surfboard hanging from the ceiling of their office. Surfernetwork provides live streaming of radio stations, virtual radio station support, and streaming of corporate meetings and messages. )
Data Breach – Learn Some Lessons from the Big Companies
You’ve seen data breach announcements at companies like Home Depot and Target. And Morgan Stanley announced that it fired an employee who stole account data on 350,000 clients. From those breaches come huge cyber liability lawsuits.
All are big companies with huge market value, large customer databases, strong brand names and plenty of budget to spend on data security.
We in the smaller businesses don’t have all those resources. But are there lessons from these breaches that can provide learning to the owner or manager of a small business?
Yes, there certainly are.
The key lesson? In most cases, part or all of the data breach was caused by people very close to the organization:
- Home Depot – Criminals stole a vendor’s credentials. Then they exploited a weakness in Microsoft Windows. Then it looks like Home Depot may not have implemented the existing patch for that weakness. That would be vendor weakness and poor IT procedures.
- Target – It looks a Target emplyee clicked on a link in a vendor e-mail; the vendor had been hacked, and the link let criminals in the Target system. That would be vendor weakness and poor security procedures at the employee level. A Federal judge is allowing a lawsuit by credit card issuers to proceed against Target.
- Morgan Stanley – Morgan Stanley is said to have caught the employee before the majority of the information was published or sold. They said they’ve turned the information over to law enforcement.
These company probably spend more on data security that you or we bring in with total sales. And they were still burned.
What should you learn from their examples? (Our thanks to IT Radix for much of this material. Click here to visit their page for more info or to get their help with IT problems.)
1) People you know are the most likely cause of a breach. A former employee, a careless employee, an employee not implementing security, a vendor opening your door to hacking.
2) Have a secure back up program in place both onsite and offsite – ensuring that at least one part of the backup program is not directly attached to your network.
3) Have a password policy in place and follow it. It should include:
- A password strength protocol
- A password change policy
- A plan to change passwords
4) Consider putting an employee monitoring program in place that will help:
- To monitor and filter website and web traffic
- To guard against company secrets being shared via email
- Delete files or lock a computer if a laptop is stole
5) Whether a user is accessing company files in the office or remotely, ensure that your file access permissions are correct and that at least double security identification measures are in place.
6) Put a strong email program in place where:
- Email is backed up
- Email is encrypted as it goes through the Internet.
7) Ensure that anti-virus and malware protection is in place and up to date.
8) Server and computer operating systems, software, anti-virus software, firewalls, applications of all sorts should patched and updated regularly – some daily.
9) Consider putting a hardware firewall appliance in your network and if outsiders need access to some company data, place that data outside / securely apart from the internal company network.
10) Separate your secure Wi-Fi network from any that guests use to access the Internet.
11) Cover yourself with data breach insurance for your own problems, and cyber liability insurance for losing control of client information.
The smart business owner or manager may not have heard all these recommendations before, but they are becoming survival issues for any organization, regardless of its size.
While we’re happy to talk about data breach insurance issues (in NJ 800-548-2329), the first stop is a good IT organization. Call a good provider like IT Radix (at 973-298-6908.)
Cyber Security, Mobil Devices – Threats and Insurance
We have now seen, month after month, one major company after another suffering data breaches.
You would think that people would have gotten the message about the dangers of cyber penetration and other forms of data breach. You would also think businesses would take strong preventive measures and buy more insurance for their own protection.
But it looks as though, even while mobile device data breach is a real threat, businesses and consumers are not catching up with the problems.
The Ponemon Institute (click here for the website), dedicated to data protection and information security policy, found that IT security specialists believe mobile devices to be the fastest frowing part of networks, and less secure than other components. But at the time of the survey, 30% said that they had no security system in place for corporate mobile assets.
In a survey of consumers, Kaspersky Internet Security found that 58% are concerned about the safety of their information on mobile devices. But 38% still store highly sensitive data on their mobile devices, even though they fear it can be hacked. 80% of consumers surveyed think that financial cyber attacks are becoming more frequent, and 40% still use their obile devices to transact banking business.
One implication for businesses is that consumers and your B2B customers regard data breach protection as your responsibility. Over 75% of consumers in the study cited above believe that businesses, banks, and online payment systems, either have or should provide secure applications and systems to protect them against cyber attacks.
Businesses need advice; if there is one field of insurance coverage which is not largely uniform across the industry, it is cyber liability/data breach.
If you’d like to work on your corporate protection for data breach losses, give us a call at GBW Insurance 800-548-2329, or click here to leave a quick request for info or a quote.
Thank you to the National Association of Professional Insurance Agents for some of this material.
Data Breach Recovery
The news media are starting to use hysteric phrases like “cyber war”. At least we think those are way overblown. However, the threats and costs of data breach and cyber liability are growing.
We’ve offered some ideas about protection and recovery in our blog. And data breach insurance is available. (Not cheap, unless you compare it to the possible loss.) But your best protection is planning, first for prevention, and then for recovery. Here’s a quote from an IT professional we respect.
“It’s not enough to buy a “data backup solution”. You need to understand how it works and you need a clearly documented plan on how to access your data when and how you need it.” Frank Ableson of Navitend www.navitend.com “The costs to your business in terms of time and money are stunning in the event that you need to recover more than a file or two.”
Here are some planning steps
1) Look at what can take your IT systems down, whether by direct impact or because your entire business is disrupted. How long might each last? This is assessing the potential causes of loss.
2) How much might that cost you initially? What are the long term losses? (Money, time, customers, potential customers, lawsuits, etc.) This is assessing the financial impact, the chances of your recovery.
a) Make a list of impacted vendors. What are they doing or what could they do to help you recover faster?
b) Make a list of key customers. Which are the most affected if your systems are out? Which have the most critical information in your hands, so that your loss of information is most threatening to them? What can you do to increase protection for that information?
3) What is your back up? Where is it? How will you access it?
4) Talk with your IT provider about those issues. What can they do to improve resistance and recovery time? What is that worth vs. potential losses?
5) Review physical protection if you still store key information or records in physical form. How do you restrict employee access to those who need to know?
6) Where is recovery money going to come from? Insurance for physical damages is obvious; review data breach for your own losses and cyber liability for loss of customer information.
Given the costs of data breach recovery and cyber liability insurance, and the threat to your business, this is worth some planning time. You can ask Frank Ableson of Navitend for advice on the IT end; 973-448-0070. And we can discuss the insurance issues with you; 800-548-2329.
Keep Intruders Out
From IT provider IT Radix , a parable about protecting your business from Cyber Breach. A few simple steps to a better lawn, and a safer computer environment.
Stinkgrass, Hairy Galinsoga, Goosegrass, Bull Thistle, Prickly Lettuce, Fizzer, Zeus, Rootkit, and Sasfis.
Do these names mean anything to you? This is a list of nine intruders! You might not know all of them, but they sure can cause trouble for you. The first five listed are all very common weeds that invade gardens and lawns in New Jersey. The last four are names of famous computer viruses. These viruses are as bad as or worse than some of these weeds. A computer virus can take over a computer network faster than kudzu growing along a southern country road in the heat of July.
What can you do to protect yourself from these garden intruders?
In New Jersey lawns and gardens, there are a number of things you can do to keep the weeds at bay without the use of strong pesticides and chemicals. Things to consider include:
Reduce open areas — Weeds are simply plants that take advantage of open areas. Crowd them out in your lawn by cutting the grass very high or in your garden by minimizing open space and adding healthy mulch or covering with sheeting fabric where necessary.
Maintain healthy soil — Fertilize, aerate, drain, till and hoe your garden soil.
Weed garden beds — No method is 100% foolproof, so there will be some weeds that pop up from time to time. Get at them quickly, and do not let them go to seed! Some people believe dousing some with vinegar does the trick. Whatever method you choose, weeding keeps intruders from spreading.
Okay, you’ve protected your garden from these intruders. Now, how can you protect yourself from those intruders that can take over your computer or network?
There are a number of things you can do to protect your computers from hackers and viruses. Just like keeping weeds out of your landscape, it is important to employ a number of these recommendations in order to heighten your chances of success and lower your risk of allowing intruders in:
Have the right hardware — A firewall is an important piece of equipment that can help block hackers from entering and using your network. It blocks communications to and from sources you do not permit.
Have the right software — Anti-virus software protects your network from viruses that can destroy your data and/or slow down or even crash your network. Anti-spyware software prevents items from being installed on your network without your knowledge or consent.
Secure your Wi-Fi network — Encrypting your Wi-Fi network is the key step—using WPA encryption at least.
Share files only as needed — File sharing software and web portals can be avenues that create risks. Be careful when sharing files and/or use sharing services like Drop Box.
Use strong passwords — Choose passwords that use a variety of characters and symbols and are difficult to guess. Longer is always better (minimum of ten characters). Mums the word when it comes to your passwords—don’t share!
May is here; time to get out and enjoy the nice weather and keep your garden and lawn happy and healthy. You can always count on the master IT gardeners at IT Radix!
Thanks from GBW Insurance – 800-548-2329
Some Simple Steps to Increase Cyber Security
Cyber liability and data breach are becoming bigger issues for all business owners. You see the headlines for large business, but small and mid-size businesses are hit all the time. Here are a few simple improvements you can make quickly to improve your defenses.
1) One of the first key and easy things to do is to make sure your passwords are all long, use several kinds of characters (there are around 95 characters on a keyboard, not just 26) and don’t have company or employee names in a password.
(26 possible characters in a 4 character password is less than half a million possibilities and can be cracked faster than you can type it. If you only count 50 possible characters for each place in a 10 character password, you have about 97,650,000,000,000,000 possibilities and should slow the bad guys down. That leaves you with malware and employee caused data breaches to worry about, but it’s a start.)
Don’t let employees tape their passwords to their monitors. We see this all the time in client’s offices. And some owners keep their passwords written and “hidden” in the uppermost left-hand drawer of their desk.
How many passwords does it take to get to your data? One of our clients has a start-up password on each computer. Then they have a cloud service for their operating systems, so each employee needs a second password to open that. And there is a third password to open client data at the cloud center.
Note that sensitive data is not stored on the computers in that client’s office. They’re still vulnerable to some kinds of malware, such as those that capture keystrokes. But a good firewall, up to date protective software, and restrictions on what employees can do with the company’s computer help.
2) Don’t let employees use the office computers for anything other than work. And warn them not to click on offers, package tracking, offers from foreign nobles who need help getting their hands on money, or all the other fishing (phishing) attempts that cross their desks. You’d think nice, honest, dedicated, intelligent employees would know better; remind them anyway.
3) Keep track of who has any access to key information.
4) Have an up to date firewall, an up to date router, and malware prevention software. The first three practices won’t cost you any money. These will but they’re worth it. Lost client info will cost you a lot more than an annual contract with a good IT services provider. Some will conduct a free network audit to give you an idea of your problems. http://www.it-radix.com/it-support/ leads you to a company working in Northern New Jersey. We like their work; we don’t get anything for recommending them.
If you’d like to talk with us about your exposure if you were to have a data breach, please call us at 800-548-2329. There are cyber liability insurance products available and multiple markets.
Applying for Data Breach/Cyber Liability Protection
Data Breach, Cyber Liability, rising issues, increasing danger to your company, changing insurance requirements.
Here are some of the questions you have to answer to have insurance protection; and they are good questions to ask yourself in advance of a loss for risk management and company protection. (We reviewed materials from Risk Placement Services Inc., CNA Insurance, Chubb Insurance, and several other insurance carriers in preparing this.)
Here’s the sample of simple questions from a generalized application:
1) Do you have a firewall on your computer network?
2) Do you have anti-virus/malware software on all computers? How is it updated?
3) Do you have computer and information security policies which all employees and third parties must follow?
4) Are employees allowed to store or download any personally identifiable information to laptops or removable storage media? How do you control it?
5) Do you use wireless networks? If so, is your security at least as strong as WPA, and requires two-factor authentication? (Ask your IT service provider.)
6) Do you have physical protection for computers and, for that matter, physical records and old computers? (Did you ever go through an office and see a cubicle piled with old computers? How secure is that?)
7) Does your IT service provider have Cyber Liability insurance? Do they have Errors & Omissions insurance to protect you if they make a mistake? Does your contract with your IT service provider make you an additional insured on their policy?
One thing the insurance companies ought to ask is how well you maintain passwords. (No names, 10 or more characters, use all the characters on keyboard, no sharing passwords, change them once in a while, etc.)
If you’d like to discuss this, and what insurance is available in New Jersey, please give us a call at 800-548-2329.
GT Insurance Blog 