Cyber Exposures and Controls
The recent high profile ransomware attacks have brought this issue to the front page. Cyber security breaches are growing at an alarming pace and the damages done can be substantial. The exposure is real for anyone with an internet connection. If you have business or personal data on machines that are internet connected, you are at risk.
The risks go beyond a systems outage. You can have loss of market, reputation damage, and lost income from the period of impairment. If your systems adversely affect others, you may have a liability exposure. Cyber exposures are getting more significant every day.
Cyber Security Basics
Most cyber attacks are not highly sophisticated endeavors. They are successful because many systems are simply easy to compromise. Systems that lack effective security software for antivirus and malware detection are easy targets. The lowest level of security is a password, and many users use predictable passwords and never change them. This creates an easily compromised system.
Rank your System Security Effort on this Scale:
1. No controls that I know of
2. Minimal level of control – whatever was provided with the computer – no password standards
3. Purchased security suite with automatic updates – no password management
4. Security suite and regular password changes with strong password standards
5. Multi-factor authentication required for access
A rating of less than 4 makes you an attractive target. 4 is the absolute minimum you should provide, and even this level leaves you vulnerable to a focused attack. If your response is that IT handles this, you are vulnerable. Cyber security involves every user and is an enterprise-wide undertaking. If you do not have effective security controls, you could have a liability exposure as well as the potential for a system breach.
Many compromises are the result of “phishing” attempts. Phishing is when an attacker gains access to your systems via a message. That can be an email, a text message, or a web site that you are asked to visit. The pretext is created to ask you for personal or business information, to get you to click on an attachment, or to get you to connect to a website that installs malware on your system. Once you give up the information or click on the attachment, you have opened the door. In some cases when you fall victim to phishing, you may lose insurance coverage: since you provided the access or gave the information away, you authorized the transaction.
Rate your Resistance to Phishing
1. You spelled fishing incorrectly
2. Have heard about it
3. Have attended some training, read something
4. Have done training and hands-on exercises
5. Have ongoing audits with simulated attacks and training
If you score less than 4 you have a significant exposure. You need to know how to check out links and email addresses before acting on them. This means hands-on experience. Phishing is highly effective at compromising your systems. You invite or allow the intrusion, and once inside your system the hackers can take control, steal information or shut down your network.
Many of the attacks are based on vulnerabilities in operating systems and common applications. Most of these providers issue regular updates to their products to address security issues and normal bug fixes. If you fail to routinely apply software updates, you leave the door open to attack.
Rate your use of Update Services
1. No automatic updates enabled
2. Windows updates are enabled
3. Service to scan applications and detect and alert you to updates, but not scheduled to run periodically
4. Software to detect and install updates – alerts you to updates that require your intervention. Scans are scheduled routinely.
A score of less than 4 on this scale leaves the door open to system compromise. Software must be regularly updated to be effective at resisting attack. You should also consider applications that do not have an update service. If these products are connecting to the internet or your network, old or outdated security protocols are a hazard.
Security and system updates take time and resources to properly administer. Password management requires ongoing effort. Software updates require installation time and often a restart of your system to fully install. A best practice is to test updates on a dedicated system to make sure there are no adverse results before rolling them out. The discipline around these issues will pay dividends in system protection.
Know Your Exposure
The quantity and type of data on your system can help you understand your exposure to loss. If you store Personally Identifiable Information (PII) about your employees, customers, prospects, or others, you have data that is attractive to bad actors. This data is the first step to identity theft, and your management of the data places a liability on you to secure it properly.
Collection and storage of payment information is another consideration. Having bank account data, credit card data or other payment related information on your system makes your data a high-profile target. Using a third party for this lowers your exposure as long as the third party provides proper data protection. Transferring risk to a poorly managed provider does not serve your interests.
The intellectual property unique to your business can also be a target for cybercrime. From customer data to proprietary designs and products, a breach of your intellectual property can have devastating implications. Reputational damage from a data breach can be a costly outcome from a security lapse.
Data related to process control may lead to business interruption and damage to process equipment. The fact that data and code are unique to you does not put them off limits to a bad actor. These systems can be ransomware targets.
The National Institute of Standards and Technology (NIST) has developed a cyber security framework as a guide for national assessment and implementation of cyber security. For small and medium businesses there are specific NIST tools and resources to help you assess and implement your cyber security controls. Visit NIST Small and Medium Business Resources to see what the security framework entails and to get practical assistance in implementing this process. For an introduction to this framework, see this short video: https://youtu.be/J9ToNuwmyF0
The Driehaus Difference
We recognize this is an extraordinarily complex issue and one that requires expertise to implement controls. We have access to carriers with cyber expertise, and we can refer clients with cyber security concerns to an expert. Call us at 513-977-6860 or reach out to us via our web site www.driehausins.com. Watch for our next installment on the insurance coverages that are available for cyber exposures.