Cyber Liability: Employee Management to Reduce Occupational Fraud

Some of the most damaging cyber-attacks can come from within the business, in ways that many employers overlook when it comes to their cyber security. Occupational fraud is one of these ways. It’s an employer’s worst nightmare—an employee is dissatisfied with his or her job and decides to defraud or steal from the company. Employees can cause enormous damage by committing these crimes. By recognizing signs of occupational fraud and implementing practices to prevent it, you can lead a happy and productive workforce.

Occupational Fraud Facts

Types of occupational fraud include embezzling, insider trading, forging checks, expense reports and vendor invoices, and any other type of internal fraud.

According to an occupational fraud report by the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5 per cent of its annual revenue to fraud. The median loss caused by fraud was $160,000. For a small company, this could mean the end of the business. Small businesses are more at risk because owners inherently treat their employees like family, leading to complacency and lax security measures. Small businesses also tend not to have anti-fraud measures in place as many lack the knowhow and enforcement capabilities of larger businesses. Nearly half of victim organizations do not recover any losses that they suffer due to fraud. 

The Fraud Triangle

Certain conditions must be met for an employee to commit occupational fraud—these three conditions are known as the “fraud triangle.”

  1. Motive: The defrauder must have a motive to commit fraud, and this motive is often pressure. This can come from feeling too much stress at work to meet deadlines or trying to live a lifestyle that is above his or her means. Outside problems can exist as well, such as a gambling addiction. Monetary gain is often the motive behind occupational fraud.
  2. Opportunity: If anti-fraud measures are too lax, the opportunity can be there for fraud to occur. Even if the perpetrator is financially stable, the opportunity to commit fraud for financial gain might be too much to pass up. Being employed in a high-level, trustworthy position can also lead to opportunity.
  3. Rationalization: The perpetrator must be able to justify his or her actions. If employees sense some sort of wrongdoing from the company, they might be able to justify the fraud. They may also tell themselves they are just “borrowing” money from the company with no intention to pay it back, or they might feel entitled to a raise and will commit fraud to give themselves that “raise.”

Understanding these conditions can be the key to recognizing occupational fraud at your business.

Recognizing Occupational Fraud

It is often difficult to know when occupational fraud has occurred. Frauds last a median of 18 months before being detected, according to the ACFE study. Occupational frauds are much more likely to be detected by tip than by any other means. Because of this, many companies have set up employee tip lines to catch the person(s) responsible for wrongdoing.

While detecting occupational fraud may be a difficult task, there are a variety of warning signs that an employee might be defrauding your business, including the following:

  • Invoices from a fake vendor – an employee can create a fictitious vendor, mail a cheque to the fake vendor with your business’ name on it and then cash the cheque for themselves.
  • Missing property – laptops or other computing equipment can be an easy target for employees.
  • Fraudulent expense reports – some company reports are merely skimmed over for approval, offering an employee an easy way to fake expenses.
  • Forged cheques – if an employee consistently works around a high-level executive, it becomes easy for the employee to forge signatures.
  • Employee lives beyond his or her means – if an employee is living a lavish lifestyle on a modest salary, he or she could be defrauding the business. Alternatively, an employee who is known to be in financial trouble yet appears to be living comfortably within his or her means may also be a sign of fraud.
  • Unusually close association with a competitor – if an employee seems to have a close relationship with a direct competitor, he or she could be sharing your trade secrets in return for money.

Preventing Occupational Fraud

  • If you run a small business, chances are you have a few employees who are in charge of several different areas of the organization. Split up the duties among a larger pool of employees to decrease the likelihood of fraud.
  • Perform a pre-employment screening on all potential employees. A resume might not tell the entire story about a prospective employee’s past.
  • Let employees know there are policies on employee theft in place. Don’t assume they are already aware of the policies and the consequences of fraud.
  • According to ACFE’s study, more than 80 per cent of the frauds in the report came from employees in one of six departments: accounting, operations, sales, executive/upper management, customer service and purchasing. Recognize these high-risk departments as potential sources of fraud and implement the proper policies to prevent it.
  • Establish an anonymous tip line that employees, clients or vendors can use to report cases of occupational fraud.
  • Don’t get complacent. Any employee can commit fraud at any time. While most fraud is committed for monetary gain, that doesn’t mean an employee won’t commit fraud if the opportunity is there.
  • Conduct random audits. Work with a CPA to set up and maintain effective internal financial controls to ensure you’re not losing money as a result of fraud.
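The warning signs above (a fictitious vendor paid with company cheques) and the advice to split duties among more people can both be turned into routine tests against the vendor master and payment ledger. The following is an added Python example, not part of the original article; the employee, vendor and payment records, the $5,000 approval limit and the test thresholds are all constructed for illustration.

```python
"""Vendor-master red-flag tests: an added, constructed example, not from the
original newsletter. All records, names and thresholds below are made up."""

APPROVAL_LIMIT = 5000.00  # assumed single-signature payment limit

# Constructed sample records (no real people or businesses).
EMPLOYEES = [
    {"id": "E100", "name": "Pat Lee", "address": "12 Oak St, Ottawa", "bank_account": "000123456"},
    {"id": "E101", "name": "Sam Roy", "address": "7 Pine Ave, Ottawa", "bank_account": "000987654"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Office Supply", "address": "400 Industrial Rd, Ottawa",
     "bank_account": "111222333", "tax_id": "123456789RT0001", "created_by": "E101"},
    {"id": "V2", "name": "PL Consulting", "address": "12 Oak St, Ottawa",
     "bank_account": "000123456", "tax_id": "", "created_by": "E100"},
]
PAYMENTS = [
    {"vendor": "V1", "approved_by": "E100", "amount": 1342.17},
    {"vendor": "V2", "approved_by": "E100", "amount": 4900.00},
    {"vendor": "V2", "approved_by": "E100", "amount": 4950.00},
    {"vendor": "V2", "approved_by": "E100", "amount": 4975.00},
]


def vendor_red_flags(vendors, employees, payments, limit=APPROVAL_LIMIT):
    """Return {vendor_id: [reasons]} for vendors that fail any test.

    Tests: vendor address or bank account matching an employee record; no tax
    registration on file; the same employee both created the vendor and
    approved every payment to it (no separation of duties); and repeated
    payments just under the approval limit (split to avoid a second signature).
    """
    by_address = {e["address"].strip().lower(): e["id"] for e in employees}
    by_account = {e["bank_account"]: e["id"] for e in employees}
    flags = {}
    for v in vendors:
        reasons = []
        addr = v["address"].strip().lower()
        if addr in by_address:
            reasons.append(f"address matches employee {by_address[addr]}")
        if v["bank_account"] in by_account:
            reasons.append(f"bank account matches employee {by_account[v['bank_account']]}")
        if not v.get("tax_id"):
            reasons.append("no tax registration number on file")
        vendor_payments = [p for p in payments if p["vendor"] == v["id"]]
        if vendor_payments and all(p["approved_by"] == v["created_by"] for p in vendor_payments):
            reasons.append(f"created and all payments approved by the same employee {v['created_by']}")
        near_limit = [p for p in vendor_payments if 0.9 * limit <= p["amount"] < limit]
        if len(near_limit) >= 2:
            reasons.append(f"{len(near_limit)} payments just under the {limit:.2f} approval limit")
        if reasons:
            flags[v["id"]] = reasons
    return flags


if __name__ == "__main__":
    for vendor_id, reasons in vendor_red_flags(VENDORS, EMPLOYEES, PAYMENTS).items():
        print(vendor_id, "->", "; ".join(reasons))
```

Run on the sample data, the legitimate supplier V1 produces no flags while V2 trips all five tests. Each flag is only a reason to look closer, not proof of fraud; the value of the tests is that they run every month without anyone having to suspect a colleague first.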

Proper Employee Management

One of the best ways to prevent occupational fraud at your company is to ensure all your employees are satisfied with their work and the company as a whole. Lead by example—if you and your high-level management team conduct business properly and ethically, your employees will likely do the same. Good ethics also carry over into the market, where your company will be looked on favourably, which can lead to higher revenue and greater goodwill from the community.

Reward employees for doing well. Let them know how important they are to the success of the business. Don’t emphasize only the things that haven’t been achieved—focus on the positive things employees have done, too.

Insuring Against Occupational Fraud

Recognizing and preventing occupational fraud can be a daunting task. Contact your insurance broker today to ensure you have the proper coverage to protect your company against losses from occupational fraud and maintain a productive workforce.

© Zywave, Inc. All rights reserved

Only 4 in 10 Businesses Have Data Breach Policies in Place

Last year, the Office of the Privacy Commissioner of Canada (OPC) commissioned a telephone survey (the 2017 survey with Canadian businesses on privacy-related issues) of around 1,014 Canadian businesses. The goal of this survey was to learn how knowledgeable organizations are on privacy issues and requirements, understand the types of privacy policies and practices they have in place, and determine their privacy information needs.

The following were some key findings from the survey:

  • Only 4 in 10 companies surveyed have policies or procedures in place in the event of a breach.
  • When asked to rate their level of concern regarding a future data breach, the results were split. Overall, nearly half (48 per cent) expressed at least a moderate level of concern while 50 per cent expressed low or no concern at all. The OPC said that this data indicates concern over data breaches has decreased among Canadian businesses over previous years.
  • Around 68 per cent of respondents placed an emphasis on protecting their customers’ personal data. In addition, according to data from previous OPC reports, consumer concern about privacy breaches remains high. In fact, 85 per cent of Canadians indicated that news reports about privacy breaches affected their willingness to share personal information.

Among other things, the OPC survey illustrates a disconnect between organizational beliefs regarding data protection and the existence of real privacy policies. Despite continued, high-profile cyber breaches and increasing customer concern, many companies surveyed remain complacent with their level of security.

The OPC will use these survey results to enhance its outreach efforts and more effectively guide organizations on their privacy responsibilities.


Keeping Your Data Secure

Data security is crucial for all businesses. Customer and client information, payment information, personal files, bank account details—this information is often impossible to replace if lost and is extremely dangerous in the hands of criminals. Data lost due to disasters such as a flood or fire is devastating, but losing it to hackers or a malware infection can have far greater consequences. How you handle and protect your data is central to the security of your business and the privacy expectations of customers, employees and partners.

What kind of data do you have?

Your business data may include customer data such as account records, transaction accountability and financial information, contact and address information, purchasing history, and buying habits and preferences as well as employee information such as payroll files, direct payroll account bank information, Social Insurance numbers, home addresses and phone numbers, and work and personal email addresses. It can also include sensitive business information such as financial records, marketing plans, product designs and tax information.

Complete a data inventory to identify and classify all of your potential areas of vulnerability. Common data classifications include the following:

  • Highly confidential: This classification applies to the most sensitive business information that is intended strictly for use within your company. Its unauthorized disclosure could seriously and adversely impact your company, business partners, vendors and/or customers in the short and long term. It could include credit card transaction data, customer names and addresses, card magnetic stripe contents, passwords and PINs, employee payroll files, Social Insurance numbers and patient information (if you’re a health care business). If you collect personal information such as this, make sure you have a privacy policy that explains how the information will be used and what individuals’ rights are regarding the data.
  • Sensitive: This classification applies to sensitive business information that is intended for use within your company; information that you would consider to be private should be included in this classification. Examples include employee performance evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans and email marketing lists.
  • Internal use only: This classification applies to sensitive information that is generally accessible by a wide audience and is intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful, the unlawful disclosure of the information is not expected to negatively impact your company, employees, business partners or vendors.

Classifying your data allows your company to set parameters for how the data is accessed, transported, shared and ultimately kept secure.

Where is your data stored?

Data is most at risk when it’s on the move. If all your business-related data resided on a single computer or server that is not connected to the Internet, and never left that computer, it would be very easy to protect. But to be meaningful, data must be accessed and used by employees, analyzed and researched for marketing purposes, used to contact customers and even shared with key partners. Every time data moves or changes hands, it can be exposed to different dangers.

It’s important to create a company policy that dictates safe data transfer and storage. The policy should include information on how to back up, transport and safely store physical and virtual data.

  • Physical data: Keep in mind that physical media, such as a disc or drive used to store data or a data backup, is vulnerable no matter where it is located, so make sure you guard any physical data stored in your office or off-site, and make sure that your physical data storage systems are encrypted. As much as possible, try to avoid data transport on physical media such as flash drives or CDs. These media can easily end up in the wrong hands.
  • Website data: Your website can be a great place to collect information, from transactions and payments to purchasing and browsing history, and even newsletter sign-ups, online inquiries and customer requests. This data must be protected, whether you host your own website and manage your own servers or whether your website and databases are hosted by a third party. If a third party hosts your website, be sure to discuss systems it has in place to protect your data from hackers and outsiders as well as employees of the hosting company.
  • Virtual data: Storing data virtually is a very common practice, but it has certain risks you need to consider. If your company contracts with a third party to house data virtually, be sure to keep an updated, thorough contract that outlines who accesses your data, how it is encrypted and how it is backed up. And make sure you know the location of the company you are trusting with your data. Different rules about data sharing and security apply in different Canadian jurisdictions and in the United States.

Who accesses your data?

Once you have identified, classified and located your data, you must control access to it. The more sensitive the data, the more restrictive the access should be. As a general rule, access to data should be on a need-to-know basis. Only individuals who have a specific need to access certain data should be allowed to do so.

Not every employee needs access to all of your information. For example, your marketing staff shouldn’t need or be allowed to view employee payroll data, and your administrative staff may not need access to all of your customer information.

The first step in controlling access to your data is assigning rights to that data. Doing so simply means creating a list of the specific employees, partners or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked. As part of this process, you should consider developing a straightforward plan and policy—a set of guidelines—about how each type of data should be handled and protected based on who needs access to it and the level of classification.
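The classification scheme from the data inventory section and the need-to-know rule above fit together naturally: every data set carries a classification and an explicit list of roles with a documented need, and anything not listed is denied and recorded. The following is an added Python example, not part of the original article; the roles, data sets and classifications are constructed to mirror the article's own examples (marketing must not see payroll).

```python
"""Need-to-know access check: added, constructed example (not from the
original article). Roles, data sets and classifications are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Classification levels from the article, least to most restrictive.
LEVELS = {"internal": 1, "sensitive": 2, "highly_confidential": 3}


@dataclass
class DataSet:
    name: str
    classification: str
    allowed_roles: frozenset  # roles with a documented need to know


@dataclass
class AccessControl:
    datasets: dict
    audit_log: list = field(default_factory=list)

    def check(self, user: str, role: str, dataset: str, purpose: str = "") -> bool:
        """Deny by default; allow only listed roles; record every decision."""
        ds = self.datasets.get(dataset)
        allowed = ds is not None and role in ds.allowed_roles
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "dataset": dataset,
            "classification": ds.classification if ds else "unknown",
            "purpose": purpose, "decision": "allow" if allowed else "deny",
        })
        return allowed

    def denied_attempts(self, min_level: str = "sensitive") -> list:
        """Denied requests for data at or above a classification level,
        the subset worth reviewing for misuse or mis-assigned rights."""
        threshold = LEVELS[min_level]
        return [e for e in self.audit_log
                if e["decision"] == "deny"
                and LEVELS.get(e["classification"], 0) >= threshold]


def build_example_policy() -> AccessControl:
    """Constructed data inventory following the article's classification examples."""
    everyone = frozenset({"hr", "finance", "sales", "marketing", "support", "executive", "admin"})
    datasets = {
        "payroll": DataSet("payroll", "highly_confidential", frozenset({"hr", "finance"})),
        "customer_contacts": DataSet("customer_contacts", "sensitive",
                                     frozenset({"sales", "marketing", "support"})),
        "marketing_plan": DataSet("marketing_plan", "sensitive",
                                  frozenset({"marketing", "executive"})),
        "staff_directory": DataSet("staff_directory", "internal", everyone),
    }
    return AccessControl(datasets)


if __name__ == "__main__":
    ac = build_example_policy()
    print("marketing -> payroll:", ac.check("alice", "marketing", "payroll", "curiosity"))
    print("hr -> payroll:", ac.check("bob", "hr", "payroll", "monthly run"))
    for entry in ac.denied_attempts():
        print("review:", entry)
```

Two design choices matter here: an unknown data set is denied rather than treated as unclassified, and the audit log records allows as well as denies, so an access review can answer both "who was refused" and "who actually used this data and why."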

How do you protect your data?

Once you understand the type of data your company makes use of, where it is located and who accesses it, you can begin planning how you will protect it. Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: You cannot and should not rely on just one security mechanism—such as a password—to protect something sensitive. If that security mechanism fails, you have nothing left to protect you.

Businesses have many affordable backup options, whether it’s backing up to an external drive in the office or backing up online so that all data is stored at a remote and secure data centre.

Are you planning for the future?

Every business has to plan for the unexpected, and that includes the loss or theft of data from your business. Not only can data loss or theft hurt your business, brand and customer confidence, it can also expose you to significant legal actions.

That’s why it’s critical to understand exactly which data or security breach regulations affect your business and how prepared you are to respond to them. At the very least, all employees and contractors should understand that they must immediately report any loss or theft of information to the appropriate company officer.

Identifying your exposures will help determine how to protect your data. In addition to data security measures, insuring your data is crucial.


Precautions for Better Cyber Security

Many business operations revolve around the functionality of computers, network connections and the Internet. It’s no secret that with computer use there are many risks, including damaging viruses, hackers, use of your system to attack others or use of sensitive data to steal identities or other illegal actions. As a result, companies must respond by preventing, detecting and responding to cyber attacks through a well-orchestrated cyber security program.

Get Familiar with Risks

The first step in protecting your business is to take notice of the multitude of cyber risks.

Hackers, Attackers and Intruders

These people seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering data).

Malicious Code (viruses, worms and Trojan horses)

  • Viruses: This malicious code requires a user to take an action that lets it into the system, such as opening an email attachment, downloading a file or visiting a webpage.
  • Worms: Once released, this code reproduces and spreads through systems on its own. Worms usually start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers through a network.
  • Trojan horses: This disguised code claims to do one thing while actually doing something else (a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).

Risk Management Planning

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and importance to the organization.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization.

In addition, your organization should take precautionary measures when selecting your Internet service provider (ISP) for use for company business.

ISP Considerations

Almost all ISPs offer Web browsing capabilities with a varying degree of user support and Web hosting capabilities. Your company should determine what ISP to use, along with a plan for backing up emails and files and what firewalls to implement.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – How concerned with security is the ISP? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and does it meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that its services will be unavailable, does it adequately communicate that information to its customers?
  • User Support – Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Do its hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Cyber security is a serious concern for your business. Contact your insurance broker to learn about our risk management resources and insurance solutions for emerging technology exposures.


Basic Cyber Loss Control Techniques

Protecting your business from cyber risks can be an overwhelming venture. With each passing month, new and more sophisticated viruses are being discovered, more spam is reaching your inbox and yet another well-known company becomes the victim of a data breach.

The world will never be free of cyber risks, but there are many loss control techniques you can implement to help protect your business from exposures.

Install a firewall for your network.

Operating systems often come with pre-installed firewalls, but they are generally designed to protect just one computer. Examine the firewall’s options and select the best configuration to keep the computer safe.

If your business has a network of five or more computers, consider buying a network firewall. They can be pricey, but network firewalls provide a fine level of coverage for an entire network.

Install anti-virus, anti-malware and anti-spyware software.

This loss control technique is the easiest and most effective way to increase security at your business. Make sure to install the software on each computer in your network—computers that don’t include these types of software are much more likely to be exposed and can possibly spread malware to other computers in the network. There are a host of viable options for each type of software, ranging in price from free to an annual subscription. Be sure to keep the software as up-to-date as possible.

Encrypt data.

No firewall is perfect. If a hacker manages to get through your firewall and into your network, your data could be a sitting duck. Encryption will make the data unreadable to a hacker. Consider using an encryption program to keep computer drives, files and even email messages safe from hackers.

Use a Virtual Private Network (VPN).

A VPN allows employees to connect to your company’s network remotely. VPNs eliminate the need for a remote-access server, saving companies lots of money in remote server costs. In addition to these savings, VPNs also provide a high level of security by using advanced encryption and authentication protocols that protect sensitive data from unauthorized access. If your company has salespeople in the field or employs workers who work from home or away from the office, a VPN is an effective way to minimize cyber risks.

Implement an employee password policy.

One of the most overlooked ways to keep your business safe is instituting a password policy. Essentially, a password policy should force employees to change work-related passwords every 90 days. The policy should encourage the creation of easy-to-remember, hard-to-guess passwords that include letters, numbers and special characters. For example, an easy-to-remember, hard-to-guess password could be “M1dwbo1025.” (My first daughter was born on Oct. 25th.)

Passwords that contain words from the dictionary or contain sensible combinations (abc123, qwerty, etc.) should never be allowed. Let employees know that they should not write passwords down and leave them in a desk or out in the open. If they are having trouble remembering passwords, there are password-keeping programs available for download.

Back up data regularly.

Important data should be backed up daily and in multiple locations, one being off-site. In addition to being safe from cyber risks, off-site data would also not be exposed to physical disasters at your premises, such as a fire or tornado.

Restrict access to backed-up data. The public should never have access to it. If the data is tangible, keep it in locked filing cabinets in a locked room, and only issue keys to those who absolutely need them.

Develop a business continuity plan.

If the worst should happen and your company suffers a data breach or similar attack, you should have a business continuity plan in place. A business continuity plan helps:

  • Facilitate timely recovery of core business functions
  • Protect the well-being of employees, their families and your customers
  • Minimize loss of revenue/customers
  • Maintain public image and reputation
  • Minimize loss of data
  • Minimize the critical decisions to be made in a time of crisis

The plan should identify potential cyber risks, along with the recovery team at your company assigned to protect personnel and property in the event of an attack. The recovery team should conduct a damage assessment of the attack and guide the company toward resuming operations.

Contact Your Loss Control Expert

Keeping your data safe from cyber risks requires constant attention to ensure an attack never happens. Your insurance broker can help you identify potential risks and keep your business running smoothly in the event of an attack.


Federal Budget Details $600 Million Investment in Cyber Security

The federal government recently released its 2018-19 budget. Among other important allocations, the government announced an investment of more than $600 million in data privacy. Specifically, the budget calls for $507.7 million over the next five years and $108.8 million each year thereafter for a new national cyber security strategy to help protect Canadians and their sensitive personal information.

A portion of the funds—$155.2 million during the next five years and $44.5 million per year thereafter—will go toward establishing a new Canadian Centre for Cybersecurity. This centre will allow the government to consolidate its cyber expertise under one roof as well as establish a single source of advice, guidance, services and support on cyber security-related matters.

In addition to funding the creation of the Canadian Centre for Cybersecurity, the government will provide $236.5 million over the next five years and $41.2 million per year thereafter to support the national cyber security strategy. This strategy is designed to do the following:

  • Enhance the government’s ability to investigate, prepare for and respond to cyber crime.
  • Create a voluntary cyber-certification program to help students and businesses improve their cyber security.
  • Improve cyber security on a national level by working alongside provincial, territorial, private-sector and international partners.

To learn more about these and other investments, review the government’s website on the 2018-19 federal budget.


Avoid Costly Phishing Scams

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registration Authority recently published a survey of businesses that use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack, a targeted form of phishing aimed at particular individuals or roles within a company, can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks often go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.
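Several of the habits listed above (distrusting a message that only appears to come from a known source, and being wary of links and attachments) can be checked mechanically before a message reaches an inbox. The following is an added Python example using only the standard library, not part of the original article; the trusted-domain list, the sample lure and the sample legitimate message are constructed and use documentation-reserved names and addresses.

```python
"""Phishing indicator checks on a received message: added example, not from the
original article. The trusted-domain list and both sample messages are
constructed (documentation-reserved names and addresses)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.ca"}  # assumed: known correspondents
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".bat", ".cmd", ".hta")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(domain, trusted):
    return domain == trusted or domain.endswith("." + trusted)


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    # 1. Display name borrows a trusted brand, but the address domain is unrelated.
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of(from_addr)
    name_key = re.sub(r"[^a-z0-9]", "", from_name.lower())
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if brand and brand in name_key and not _same_org(from_domain, trusted):
            found.append(f"display name suggests {trusted} but address domain is {from_domain}")
    # 2. Replies are steered to a different domain than the visible sender.
    reply_domain = _domain_of(email.utils.parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. Links to bare IP addresses, or whose visible text names a different host.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for n, (href, text) in enumerate(collector.links, start=1):
            host = _host_of(href)
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                found.append(f"link {n} points to a bare IP address ({host})")
            if re.match(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/|$)", text.lower()):
                shown = _host_of(text)
                if shown and shown != host:
                    found.append(f"link {n} text shows {shown} but points to {host}")
    # 4. Executable attachments.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            found.append(f"executable attachment {filename}")
    return found


# Constructed sample lure imitating a bank (documentation-reserved addresses).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-login.co>
Reply-To: collect@mailbox-relay.net
To: accounts@smallbiz.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is locked. Please
<a href="http://198.51.100.23/login">verify your password</a> at
<a href="https://secure-update.example-bank-login.co/">https://www.example-bank.ca/</a>
within 24 hours.</p></body></html>
"""

# Constructed sample of a legitimate notice from the trusted domain.
SAMPLE_LEGIT = """\
From: "Example Bank" <statements@example-bank.ca>
To: accounts@smallbiz.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example-bank.ca/">our website</a>.</p></body></html>
"""
```

On the constructed lure the function reports four indicators (brand in the display name, mismatched Reply-To, a link to a bare IP address and a link whose visible text names the real bank while pointing elsewhere); the legitimate sample reports none. Checks like these belong in a mail gateway or a quarantine review step and complement, rather than replace, the employee awareness the article recommends.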


Network Security

As the amount of sensitive information on your computer network grows, so too does the need for appropriate measures to ensure this data is not compromised. To properly secure your company’s network:

  • Identify all devices and connections on the network,
  • Set boundaries between your company’s systems and others, and
  • Enforce controls to ensure that unauthorized access, misuse or denial-of-service events can be thwarted or rapidly contained and recovered from if they occur.

Use the following tips to create a safe and secure network.

Secure internal network and cloud services

Separate your company’s network from the public Internet with strong user authentication mechanisms and policy enforcement systems such as firewalls and Web filtering proxies. You should also employ additional monitoring and security solutions, such as anti-virus software and intrusion detection systems, to identify and stop malicious code or unauthorized access attempts.

  • Internal network: After identifying the boundary points on your company’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your company’s public IP addresses; firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services; and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that your carrier provides.
  • Cloud-based services: Carefully consult your terms of service with all cloud service providers to ensure that your company’s information and activities are protected with the same degree of security you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your company’s needs and concerns and ensure the provider’s policies and workflows comply with your jurisdiction’s regulations governing how data is handled and stored. Make sure to review and understand service level agreements, or SLAs, for system restoration and reconstitution time.
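The internal-network point above states the perimeter policy in three parts: route only traffic to and from the company's own public addresses, permit only the minimum set of necessary services, and watch what crosses the boundary. The following is an added Python example, not part of the original article, that evaluates sample flows against such a policy. The 203.0.113.0/28 range, the two published services and the outbound port list are constructed assumptions, and flows are taken as they appear on the outside of any NAT.

```python
"""Perimeter policy evaluator: added example, not from the original article.
Addresses and services are constructed; flows are as seen on the outside of
any NAT, so internal hosts appear with company public addresses."""
import ipaddress
from dataclasses import dataclass

COMPANY_PUBLIC = ipaddress.ip_network("203.0.113.0/28")  # assumed public range

# Minimum set of published services: (host, protocol, port).
ALLOWED_INBOUND = {
    (ipaddress.ip_address("203.0.113.5"), "tcp", 443),  # web server
    (ipaddress.ip_address("203.0.113.6"), "tcp", 25),   # mail gateway
}
# Outbound services company systems are permitted to reach.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (Internet -> company) or "out" (company -> Internet)
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason); anything not explicitly permitted is dropped."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if flow.direction == "in":
        if src in COMPANY_PUBLIC:
            return ("drop", "inbound packet with a company source address (spoofed)")
        if dst not in COMPANY_PUBLIC:
            return ("drop", "inbound packet not addressed to the company range")
        if (dst, flow.proto, flow.dport) in ALLOWED_INBOUND:
            return ("allow", "published service")
        return ("drop", "no published service on that host and port")
    if flow.direction == "out":
        if src not in COMPANY_PUBLIC:
            return ("drop", "outbound packet with a non-company source address (egress filter)")
        if (flow.proto, flow.dport) in ALLOWED_OUTBOUND:
            return ("allow", "permitted outbound service")
        return ("drop", "outbound port not on the permitted list")
    return ("drop", "unknown direction")


def drop_log(flows) -> list:
    """Return log lines for dropped flows: the feed an intrusion prevention
    system or log review watches for scanning and spoofing attempts."""
    records = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "drop":
            records.append(f"DROP {f.direction} {f.src}->{f.dst} {f.proto}/{f.dport}: {reason}")
    return records


if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("in", "198.51.100.7", "203.0.113.5", "tcp", 443),
        Flow("in", "198.51.100.7", "203.0.113.5", "tcp", 22),
        Flow("in", "203.0.113.9", "203.0.113.5", "tcp", 443),
        Flow("out", "10.0.0.4", "198.51.100.7", "tcp", 443),
    ]
    print("\n".join(drop_log(sample)))
```

The two address checks are the router's job (ingress and egress filtering), the service checks are the firewall's, and the drop log is what the intrusion prevention system consumes; keeping the three concerns separate makes it clear which device has to carry the carrier's full bandwidth for each check.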

You should also inquire about additional services a cloud service can provide. These services may include backup-and-restore services and encryption services, which can further bolster your data security.

Develop strong password policies

Two-factor authentication methods, which require two types of evidence that you are who you claim to be, are generally safer than using only static passwords for authentication. One common example is a personal security token that displays changing passcodes to be used in conjunction with an established password.

Additionally, password policies should encourage your employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means using passwords that are random, complex and long (at least 10 characters), that are changed regularly and that are closely guarded by those who know them.
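A password policy is only useful if something enforces it at the point where a password is set. The following Python check is an added example, not code from the bulletin or from Zywave: it applies the rules just described (at least 10 characters, mixed character classes, no obvious sequential or repeated runs, no reuse of a previous password) and keeps the password history as salted PBKDF2 hashes so the history itself is not a list of old passwords. The 50-bit entropy threshold, the history depth of five and all sample passwords are constructed choices for the illustration.

```python
"""Password-policy check (added illustration, not from the original bulletin).

Enforces: minimum length, three or more character classes, no sequential or
repeated runs, a rough entropy floor, and no reuse of a recent password.
Previous passwords are stored only as salted PBKDF2 hashes.
The thresholds and sample passwords are constructed for the example.
"""
import hashlib
import hmac
import math
import os
import string

MIN_LENGTH = 10            # from the policy text above
HISTORY_DEPTH = 5          # constructed choice: remember the last five passwords
PBKDF2_ROUNDS = 100_000    # constructed choice


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt, so history entries cannot be compared across users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def estimate_entropy_bits(password: str) -> float:
    """Rough estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c not in string.printable for c in password):
        pool += 100  # constructed allowance for non-ASCII characters
    return len(password) * math.log2(pool) if pool else 0.0


def _is_sequential(password: str) -> bool:
    """True for a single repeated character or any run of four consecutive code points (abcd, 1234)."""
    if len(set(password)) <= 1:
        return True
    for i in range(len(password) - 3):
        codes = [ord(c) for c in password[i:i + 4]]
        if all(b - a == 1 for a, b in zip(codes, codes[1:])):
            return True
    return False


def check_password(password: str, history: list, salt: bytes, min_entropy_bits: float = 50.0) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pred in (str.islower, str.isupper, str.isdigit) if any(pred(c) for c in password))
    if any(c in string.punctuation for c in password):
        classes += 1
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if _is_sequential(password):
        problems.append("contains a sequential or repeated run")
    if estimate_entropy_bits(password) < min_entropy_bits:
        problems.append(f"estimated entropy below {min_entropy_bits:.0f} bits")
    digest = _hash(password, salt)
    # Constant-time comparison against each stored hash.
    if any(hmac.compare_digest(digest, old) for old in history):
        problems.append("reuses a previous password")
    return problems


def record_password(password: str, history: list, salt: bytes) -> list:
    """Append the accepted password's hash and keep only the most recent HISTORY_DEPTH entries."""
    return (history + [_hash(password, salt)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    salt = os.urandom(16)
    history = record_password("Tr0ub4dor&3xyz", [], salt)   # constructed previous password
    for candidate in ("password1", "Abcd1234!!", "Tr0ub4dor&3xyz", "q7#Lm2$vWp9e"):
        print(candidate, "->", check_password(candidate, history, salt) or "ok")
```

Returning every violation at once, rather than stopping at the first, lets the user fix the password in one attempt instead of discovering the rules one rejection at a time, which is exactly the frustration that drives people to write passwords down.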

Secure and encrypt your company’s Wi-Fi

Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic from the public network cannot traverse the company’s internal systems at any point.

Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while still meeting your company’s business needs. Where the internal WLAN has less stringent access controls than your company’s wired network, dual connections—where a device is able to connect to both the wireless and wired networks simultaneously—should be prohibited by technical controls on each such capable device. All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN.

Encrypt sensitive company data

Encryption should be employed to protect any data that your company considers sensitive, in addition to meeting your local applicable regulatory requirements on information safeguarding. Different encryption schemes are appropriate under different circumstances. If you choose to offer secure transactions on your company’s website, consult with your service provider about available options for an SSL certificate for your site.

Regularly update all applications

All systems and software, including networking equipment, should be updated in a timely fashion as patches and firmware upgrades become available. Use automatic updating services whenever possible, especially for security systems such as anti-malware applications, Web filtering tools and intrusion prevention systems.

Set safe Web browsing rules

Your company’s internal network should only be able to access those services and resources on the Internet that are essential to the business and the needs of your employees. Use the safe browsing features included with modern Web browsing software and a Web proxy to ensure that malicious or unauthorized sites cannot be accessed from your internal network.

If remote access is enabled, make sure it is secure

If your company needs to provide remote access to your internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.

Create a Safe-use Flash Drive Policy

Ensure that employees never plug unknown flash drives or other USB devices into their computers. Businesses should set a clear policy so employees know they should never open a file from a flash drive they are not familiar with, and that they should hold down the Shift key when inserting the flash drive to block malware. By doing so, you can stop the flash drive from automatically running.

© Zywave, Inc. All rights reserved

Ransomware Insurance

With ransomware attacks on the rise, the role of insurance is becoming more robust. And, although ransomware coverage has been traditionally sublimited within cyber policies, stand-alone cyber policies that cover ransomware are becoming more necessary.

In an attempt to find additional coverage for ransomware, many businesses and carriers have turned to kidnap and ransom (K&R) policies. K&R policies have traditionally been used by organizations to protect their executives, not to protect against ransomware. Because K&R policies were not designed for ransomware, they may only provide a quick fix. K&R policies tend to be less suitable for ransomware than cyber policies and payouts tend to be lower.

Policy Definitions, Terms and Conditions

Since cyber insurance isn’t standardized, organizations should review all policy language with a broker before choosing a plan. Policies can vary significantly in their language and coverage options, so insurance experts recommend policies that—at the very least—provide coverage for extortion demands and payments as well as lost income resulting from an attack.

Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:

  • Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It is important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Additionally, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
  • Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
  • Definition of extortion—It is important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.

What to Look for in a Policy

Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:

  • Access, sell, disclose or misuse data stored on your network, including digital assets.
  • Alter, damage, or destroy software or programs.
  • Introduce malicious software, including viruses and self-propagating code.
  • Impair or restrict access. Look for policies with broad terms like, “threats to disrupt business operations.”
  • Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing.
  • Use your network to transmit malware.
  • Deface or interfere with your company’s website.

The Importance of Risk Management

Ransomware insurance is most effective when coupled with an effective risk management program, as there are many components in the fight against cyber crime. Risk managers should work with an insurance broker to review all applicable options before choosing cyber coverage.

Contact your insurance broker today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.


Privacy and Cyber Security

With the enormous amount of sensitive information stored digitally, companies need to take appropriate measures to ensure this data is not compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Understanding the risks involved with data security can help you prevent a privacy breach.

Know the Risks

The first step in protecting your business is to recognize types of risk:

  • Hackers, attackers and intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems for their personal gain. Their intentions are usually malicious and their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to damaging activity (stealing or altering a client’s information).
  • Malicious code. This is the term used to describe code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
    • Worms: This type of code propagates between systems without user intervention. Worms typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves to cause damage. A popular type of Trojan is a program that claims to speed up your computer system but actually sends confidential information to a remote intruder.

IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions use industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, their importance to the organization and the data stored and processed.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems or to the facilities where those systems are housed, or whenever other conditions arise that may affect the organization’s exposure to risk.

Due Diligence When Selecting an ISP

Your organization should take precautionary measures when selecting an internet service provider (ISP) to use for company business. An ISP provides its customers with Internet access and other Web services. In addition, the company usually maintains Web servers, and most ISPs offer Web hosting capabilities. Taking advantage of this, many companies rely on their ISP for backups of email and files, and the ISP may also implement firewalls to block some incoming traffic.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – Is the ISP concerned with security? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that their services will be unavailable, does it adequately communicate that information to its customers?
  • User support – Are there any published methods for contacting customer service? Do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Protection is our Business

Contact your broker today to ensure you have the proper coverage to protect your company against a data breach.
