Keeping Your Data Secure

Data security is crucial for all businesses. Customer and client information, payment information, personal files, bank account details—this information is often impossible to replace if lost and is extremely dangerous in the hands of criminals. Data lost due to disasters such as a flood or fire is devastating, but losing it to hackers or a malware infection can have far greater consequences. How you handle and protect your data is central to the security of your business and the privacy expectations of customers, employees and partners.

What kind of data do you have?

Your business data may include customer data such as account records, transaction accountability and financial information, contact and address information, purchasing history, and buying habits and preferences as well as employee information such as payroll files, direct payroll account bank information, Social Insurance numbers, home addresses and phone numbers, and work and personal email addresses. It can also include sensitive business information such as financial records, marketing plans, product designs and tax information.

Complete a data inventory to identify and classify all of your potential areas of vulnerability. Common data classifications include the following:

  • Highly confidential: This classification applies to the most sensitive business information that is intended strictly for use within your company. Its unauthorized disclosure could seriously and adversely impact your company, business partners, vendors and/or customers in the short and long term. It could include credit card transaction data, customer names and addresses, card magnetic strip contents, passwords and PINs, employee payroll files, Social Insurance numbers and patient information (if you’re a health care business). If you collect personal information such as this, make sure you have a privacy policy that explains how the information will be used and what individuals’ rights are regarding the data.
  • Sensitive: This classification applies to sensitive business information that is intended for use within your company; information that you would consider to be private should be included in this classification. Examples include employee performance evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans and email marketing lists.
  • Internal use only: This classification applies to sensitive information that is generally accessible by a wide audience and is intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful, the unlawful disclosure of the information is not expected to negatively impact your company, employees, business partners or vendors.

Classifying your data allows your company to set parameters for how the data is accessed, transported, shared and ultimately kept secure.

Where is your data stored?

Data is most at risk when it’s on the move. If all your business-related data resided on a single computer or server that is not connected to the Internet, and never left that computer, it would be very easy to protect. But to be meaningful, data must be accessed and used by employees, analyzed and researched for marketing purposes, used to contact customers and even shared with key partners. Every time data moves or changes hands, it can be exposed to different dangers.

It’s important to create a company policy that dictates safe data transfer and storage. The policy should include information on how to back up, transport and safely store physical and virtual data.

  • Physical data: Keep in mind that physical media, such as a disc or drive used to store data or a data backup, is vulnerable no matter where it is located, so make sure you guard any physical data stored in your office or off-site, and make sure that your physical data storage systems are encrypted. As much as possible, try to avoid data transport on physical media such as flash drives or CDs. These media can easily end up in the wrong hands.
  • Website data: Your website can be a great place to collect information, from transactions and payments to purchasing and browsing history, and even newsletter sign-ups, online inquiries and customer requests. This data must be protected, whether you host your own website and manage your own servers or whether your website and databases are hosted by a third party. If a third party hosts your website, be sure to discuss systems it has in place to protect your data from hackers and outsiders as well as employees of the hosting company.
  • Virtual data: Storing data virtually is a very common practice, but it has certain risks you need to consider. If your company contracts with a third party to house data virtually, be sure to keep an updated, thorough contract that outlines who accesses your data, how it is encrypted and how it is backed up. And make sure you know the location of the company you are trusting with your data. Different rules about data sharing and security apply in different Canadian jurisdictions and in the United States.

Who accesses your data?

Once you have identified, classified and located your data, you must control access to it. The more sensitive the data, the more restrictive the access should be. As a general rule, access to data should be on a need-to-know basis. Only individuals who have a specific need to access certain data should be allowed to do so.

Not every employee needs access to all of your information. For example, your marketing staff shouldn’t need or be allowed to view employee payroll data, and your administrative staff may not need access to all of your customer information.

The first step in controlling access to your data is assigning rights to that data. Doing so simply means creating a list of the specific employees, partners or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked. As part of this process, you should consider developing a straightforward plan and policy—a set of guidelines—about how each type of data should be handled and protected based on who needs access to it and the level of classification.

How do you protect your data?

Once you understand the type of data your company makes use of, where it is located and who accesses it, you can begin planning how you will protect it. Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: You cannot and should not rely on just one security mechanism—such as a password—to protect something sensitive. If that security mechanism fails, you have nothing left to protect you.

Businesses have many affordable backup options, whether it’s backing up to an external drive in the office or backing up online so that all data is stored at a remote and secure data centre.

Are you planning for the future?

Every business has to plan for the unexpected, and that includes the loss or theft of data from your business. Not only can data loss or theft hurt your business, brand and customer confidence, it can also expose you to significant legal actions.

That’s why it’s critical to understand exactly which data or security breach regulations affect your business and how prepared you are to respond to them. At the very least, all employees and contractors should understand that they must immediately report any loss or theft of information to the appropriate company officer.

Identifying your exposures will help determine how to protect your data. In addition to data security measures, insuring your data is crucial.

© Zywave, Inc. All rights reserved

Precautions for Better Cyber Security

Many business operations revolve around the functionality of computers, network connections and the Internet. It’s no secret that computer use brings many risks, including damaging viruses, hackers, use of your system to attack others, and use of sensitive data to steal identities or carry out other illegal actions. As a result, companies must prevent, detect and respond to cyber attacks through a well-orchestrated cyber security program.

Get Familiar with Risks

The first step in protecting your business is to take notice of the multitude of cyber risks.

Hackers, Attackers and Intruders

These people seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering data).

Malicious Code (viruses, worms and Trojan horses)

  • Viruses: This malicious code requires a user to take an action that lets it into the system, such as opening an email attachment, downloading a file or visiting a webpage.
  • Worms: Once released, this code reproduces and spreads through systems on its own. It usually starts by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers through a network.
  • Trojan horses: This disguised code claims to do one thing while actually doing something else (for example, a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).

Risk Management Planning

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and importance to the organization.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization.

In addition, your organization should take precautionary measures when selecting an Internet service provider (ISP) to use for company business.

ISP Considerations

Almost all ISPs offer Web browsing capabilities with a varying degree of user support and Web hosting capabilities. Your company should determine what ISP to use, along with a plan for backing up emails and files and what firewalls to implement.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – How concerned with security is the ISP? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and does it meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that its services will be unavailable, does it adequately communicate that information to its customers?
  • User Support – Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Do its hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Cyber security is a serious concern for your business. Contact your insurance broker to learn about our risk management resources and insurance solutions for emerging technology exposures.


Basic Cyber Loss Control Techniques

Protecting your business from cyber risks can be an overwhelming venture. With each passing month, new and more sophisticated viruses are being discovered, more spam is reaching your inbox and yet another well-known company becomes the victim of a data breach.

The world will never be free of cyber risks, but there are many loss control techniques you can implement to help protect your business from exposures.

Install a firewall for your network.

Operating systems often come with pre-installed firewalls, but they are generally designed to protect just one computer. Examine the firewall’s options and select the best configuration to keep the computer safe.

If your business has a network of five or more computers, consider buying a network firewall. They can be pricey but network firewalls provide a fine level of coverage for an entire network.

Install anti-virus, anti-malware and anti-spyware software.

This loss control technique is the easiest and most effective way to increase security at your business. Make sure to install the software on each computer in your network—computers that don’t include these types of software are much more likely to be exposed and can possibly spread malware to other computers in the network. There are a host of viable options for each type of software, ranging in price from free to an annual subscription. Be sure to keep the software as up-to-date as possible.

Encrypt data.

No firewall is perfect. If a hacker manages to get through your firewall and into your network, your data could be a sitting duck. Encryption will make the data unreadable to a hacker. Consider using an encryption program to keep computer drives, files and even email messages safe from hackers.

Use a Virtual Private Network (VPN).

A VPN allows employees to connect to your company’s network remotely. VPNs eliminate the need for a remote-access server, saving companies lots of money in remote server costs. In addition to these savings, VPNs also provide a high level of security by using advanced encryption and authentication protocols that protect sensitive data from unauthorized access. If your company has salespeople in the field or employs workers who work from home or away from the office, a VPN is an effective way to minimize cyber risks.

Implement an employee password policy.

One of the most overlooked ways to keep your business safe is instituting a password policy. Essentially, a password policy should force employees to change work-related passwords every 90 days. The policy should encourage the creation of easy-to-remember, hard-to-guess passwords that include letters, numbers and special characters. For example, an easy-to-remember, hard-to-guess password could be “M1dwbo1025.” (My first daughter was born on Oct. 25th.)

Passwords that contain words from the dictionary or contain sensible combinations (abc123, qwerty, etc.) should never be allowed. Let employees know that they should not write passwords down and leave them in a desk or out in the open. If they are having trouble remembering passwords, there are password-keeping programs available for download.

Back up data regularly.

Important data should be backed up daily and in multiple locations, one being off-site. In addition to being safe from cyber risks, off-site data would not be exposed to physical threats, like a fire or tornado.

Restrict access to backed up data. The public should never have access to it. If the data is tangible, keep it in locked filing cabinets in a locked room, and only issue keys to those who absolutely need them.

Develop a business continuity plan.

If the worst should happen and your company suffers a data breach or similar attack, you should have a business continuity plan in place. A business continuity plan helps:

  • Facilitate timely recovery of core business functions
  • Protect the well-being of employees, their families and your customers
  • Minimize loss of revenue/customers
  • Maintain public image and reputation
  • Minimize loss of data
  • Minimize the critical decisions to be made in a time of crisis

The plan should identify potential cyber risks, along with the recovery team at your company assigned to protect personnel and property in the event of an attack. The recovery team should conduct a damage assessment of the attack and guide the company toward resuming operations.

Contact Your Loss Control Expert

Keeping your data safe from cyber risks requires constant attention to ensure an attack never happens. Your insurance broker can help you identify potential risks and keep your business running smoothly in the event of an attack.


Federal Budget Details $600 Million Investment in Cyber Security

The federal government recently released its 2018-19 budget. Among other important allocations, the government announced an investment of more than $600 million in data privacy. Specifically, the budget calls for $507.7 million over the next five years and $108.8 million each year thereafter for a new national cyber security strategy to help protect Canadians and their sensitive personal information.

A portion of the funds—$155.2 million during the next five years and $44.5 million per year thereafter—will go toward establishing a new Canadian Centre for Cybersecurity. This centre will allow the government to consolidate its cyber expertise under one roof as well as establish a single source of advice, guidance, services and support on cyber security-related matters.

In addition to funding the creation of the Canadian Centre for Cybersecurity, the government will provide $236.5 million over the next five years and $41.2 million per year thereafter to support the national cyber security strategy. This strategy is designed to do the following:

  • Enhance the government’s ability to investigate, prepare for and respond to cyber crime.
  • Create a voluntary cyber-certification program to help students and businesses improve their cyber security.
  • Improve cyber security on a national level by working alongside provincial, territorial, private-sector and international partners.

To learn more about these and other investments, review the government’s website on the 2018-19 federal budget.


Avoid Costly Phishing Scams

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registration Authority recently published a survey of businesses that use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.


Network Security

As the amount of sensitive information on your computer network grows, so too does the need for appropriate measures to ensure this data is not compromised. To properly secure your company’s network:

  • Identify all devices and connections on the network,
  • Set boundaries between your company’s systems and others, and
  • Enforce controls to ensure that unauthorized access, misuse or denial-of-service events can be thwarted or rapidly contained and recovered from if they occur.

Use the following tips to create a safe and secure network.

Secure internal network and cloud services

Separate your company’s network from the public Internet with strong user authentication mechanisms and policy enforcement systems such as firewalls and Web filtering proxies. You should also employ additional monitoring and security solutions, such as anti-virus software and intrusion detection systems, to identify and stop malicious code or unauthorized access attempts.

  • Internal network: After identifying the boundary points on your company’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your company’s public IP addresses; firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services; and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that your carrier provides.
  • Cloud-based services: Carefully consult your terms of service with all cloud service providers to ensure that your company’s information and activities are protected with the same degree of security you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your company’s needs and concerns and ensure the provider’s policies and workflows comply with your jurisdiction’s regulations governing how data is handled and stored. Make sure to review and understand service level agreements, or SLAs, for system restoration and reconstitution time.

You should also inquire about additional services a cloud service can provide. These services may include backup-and-restore services and encryption services, which can further bolster your data security.

Develop strong password policies

Two-factor authentication methods, which require two types of evidence that you are who you claim to be, are generally safer than using only static passwords for authentication. One common example is a personal security token that displays changing passcodes to be used in conjunction with an established password.

Additionally, password policies should encourage your employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means using passwords that are random, complex and long (at least 10 characters), that are changed regularly and that are closely guarded by those who know them.

Secure and encrypt your company’s Wi-Fi

Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic from the public network cannot traverse the company’s internal systems at any point.

Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while still meeting your company’s business needs. Where the internal WLAN has less stringent access controls than your company’s wired network, dual connections—where a device is able to connect to both the wireless and wired networks simultaneously—should be prohibited by technical controls on each such capable device. All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN.

Encrypt sensitive company data

Encryption should be employed to protect any data that your company considers sensitive, in addition to meeting your local applicable regulatory requirements on information safeguarding. Different encryption schemes are appropriate under different circumstances. If you choose to offer secure transactions on your company’s website, consult with your service provider about available options for an SSL certificate for your site.

Regularly update all applications

All systems and software, including networking equipment, should be updated in a timely fashion as patches and firmware upgrades become available. Use automatic updating services whenever possible, especially for security systems such as anti-malware applications, Web filtering tools and intrusion prevention systems.

Set safe Web browsing rules

Your company’s internal network should only be able to access those services and resources on the Internet that are essential to the business and the needs of your employees. Use the safe browsing features included with modern Web browsing software and a Web proxy to ensure that malicious or unauthorized sites cannot be accessed from your internal network.

If remote access is enabled, make sure it is secure

If your company needs to provide remote access to your internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.

Create a Safe-use Flash Drive Policy

Ensure that employees never put any unknown flash drive or other USB device into their computers. Businesses should set a clear policy so employees know they should never open a file from a flash drive they are not familiar with, and that they should hold down the Shift key when inserting the flash drive to block malware. By doing so, you can stop the flash drive from automatically running.


Ransomware Insurance

With ransomware attacks on the rise, the role of insurance is becoming more robust. And, although ransomware coverage has been traditionally sublimited within cyber policies, stand-alone cyber policies that cover ransomware are becoming more necessary.

In an attempt to find additional coverage for ransomware, many businesses and carriers have turned to kidnap and ransom (K&R) policies. K&R policies have traditionally been used by organizations to protect their executives, not to protect against ransomware. Because K&R policies were not designed for ransomware, they may only provide a quick fix. K&R policies tend to be less suitable for ransomware than cyber policies and payouts tend to be lower.

Policy Definitions, Terms and Conditions

Since cyber insurance isn’t standardized, organizations should review all policy language with a broker before choosing a plan. Policies can vary significantly in their language and coverage options, so insurance experts recommend policies that—at the very least—provide coverage for extortion demands and payments as well as lost income resulting from an attack.

Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:

  • Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It is important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Additionally, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
  • Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
  • Definition of extortion—It is important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.

What to Look for in a Policy

Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:

  • Access, sell, disclose or misuse data stored on your network, including digital assets.
  • Alter, damage, or destroy software or programs.
  • Introduce malicious software, including viruses and self-propagating code.
  • Impair or restrict access. Look for policies with broad terms like, “threats to disrupt business operations.”
  • Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing.
  • Use your network to transmit malware.
  • Deface or interfere with your company’s website.

The Importance of Risk Management

Ransomware insurance is most effective when coupled with an effective risk management program, as there are many components in the fight against cyber crime. Risk managers should work with an insurance broker to review all applicable options before choosing cyber coverage.

Contact your insurance broker today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.


Privacy and Cyber Security

With the enormous amount of sensitive information stored digitally, companies need to take appropriate measures to ensure this data is not compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Understanding the risks involved with data security can help you prevent a privacy breach.

Know the Risks

The first step in protecting your business is to recognize types of risk:

  • Hackers, attackers and intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems for their personal gain. Their intentions are usually malicious and their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to damaging activity (stealing or altering a client’s information).
  • Malicious code. This is the term used to describe code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
    • Worms: This type of code propagates across systems without user intervention. Worms typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves to cause damage. A popular type of Trojan is a program that claims to speed up your computer system but actually sends confidential information to a remote intruder.

IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions use industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, their importance to the organization and the data stored and processed.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored change, or other conditions occur that may affect the impact of risk to the organization.

Due Diligence When Selecting an ISP

Your organization should take precautionary measures when selecting an internet service provider (ISP) to use for company business. An ISP provides its customers with Internet access and other Web services. In addition, the company usually maintains Web servers, and most ISPs offer Web hosting capabilities. With this luxury, many companies perform backups of emails and files, and may implement firewalls to block some incoming traffic.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – Is the ISP concerned with security? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that their services will be unavailable, does it adequately communicate that information to its customers?
  • User support – Are there any published methods for contacting customer service? Do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Protection is our Business

Contact your broker today to ensure you have the proper coverage to protect your company against a data breach.


Is Data Quality the Unspoken Risk of Connected Devices?

Source: Insurance Business

Our lives are becoming more and more data-centric. Sally next door uses an average of 897 kWh of electricity per month, and about 90 gallons of water each day. She’s had one costly car accident, multiple speeding fines, and her car has been broken into twice because she parks it overnight on an unlit street.

Sally’s insurance premiums are calculated using this data. We know what utilities she uses because of her home sensor device, and her connected car is catching out her heavy-footed acceleration tendencies.

Connected devices and the Internet of Things (IoT) are proliferating fast. Experts at the leading research and advisory company Gartner suggest there could be more than 20 billion connected devices in use across the world by 2020, up from 8.4 billion connected things in 2017.

As the number of IoT devices continues to boom, so will the amount of analytical data insurers will have at their fingertips. But can we always trust this data?

“Data quality is a risk we might need to consider as the world becomes more connected,” said Jeff Wargin, vice president, product management at Duck Creek Technologies. “As we get access to more and more data, we’re bound to come across false positives and false negatives. Insurance companies need to have analytics experts and data scientists working through the data and eliminating the poor-quality false positive and false negative results.

“Until that process becomes automated and we can identify the poor data with ease, I think we all run the risk of doing things we shouldn’t be, whether that’s during the underwriting process, claims adjusting, or any purpose outside of insurance.”

Connected devices are not perfect. With the global market booming the way it is, manufacturers are under pressure to release state-of-the-art products ahead of the competition. The occasional slip-up or malfunction is to be expected.

“As the number of connected devices continues to proliferate, and the amount of data we receive increases, it’s going to get harder to spot the problem areas,” Wargin added. “There’s a risk that poor data could slip through the cracks.”

Up to 100,000 Bell Customers Impacted by Data Breach

Bell Canada, one of the nation’s largest telecommunications companies, announced Tuesday, Jan. 23 that up to 100,000 customers were affected by a data breach. The company has said that hackers likely obtained sensitive customer information, including subscriber names, phone numbers, account names and email addresses. At this time, there is no indication that credit card numbers or other banking information was compromised.

The company is advising customers to change their passwords and security questions. Affected users should also be on the lookout for suspicious activity, as cyber criminals will likely use the lost email addresses and user profiles to carry out more harmful phishing and social engineering scams.

Bell is currently working with law enforcement and the Office of the Privacy Commissioner of Canada to investigate the event. Officials are looking to determine how the breach occurred, what Bell is doing to mitigate the situation and potential follow-up actions.

This latest breach comes just eight months after 1.9 million customer emails were stolen from Bell’s database by an anonymous hacker. High-profile cyber security events are becoming commonplace, and organizations must continue to conduct security audits, review their record retention policies and provide employee training if they are to prevent future breaches. While customers can’t prevent companies from being hacked, they can take the following steps to reduce the risk of losing personal information:

  • Encrypt data whenever possible.
  • Back up data.
  • Use anti-malware protection.
  • Update phones and computers regularly.
  • Secure wireless networks.
  • Use a firewall.
  • Make passwords complex and change them often.
  • Avoid clicking suspicious links or navigating to deceptive websites.

