“Let’s draw an analogy and see if it holds water,” to quote Joe Pesci from “My Cousin Vinny”.
You drive a car.
You’re a good driver.
You don’t text and drive. Okay, you do, but only at stoplights. Okay, you rarely text and drive. We know.
You don’t drink and drive.
So, what do you do with respect to your car, yourself, and your family to protect all three?
- Put good gas in the car
- Keep it well maintained
- Keep it clean
- Wear your seatbelts
- Drive prudently
- Stay focused on the road…AND
- Purchase insurance. However, you don’t stop there. Yes, it’s legally required; but, you BUY MORE than what is legally required because you know weird things can happen. Expensive weird things can happen. Additionally, you also buy Uninsured Motorists coverage because other people don’t have insurance. You’re buying more insurance to protect yourself from others! And, as anyone who buys auto insurance knows – IT’S NOT CHEAP.
What do you do to protect your organization’s data?
- Provide electricity and keep a backup power supply available
- Perform ongoing maintenance of equipment, servers, software patches, etc.
- Outsource your data (Cloud)
- Require (MFA) Multi-Factor Authentication
- Encrypt your devices
- Instruct employees to change passwords, be wary of suspicious links, etc.
- Purchase insurance? Why not? Do you think the value of your data is worth less than your car? The paltry ($25,000 or $50,000) limit that might be provided by your general liability (GL) policy as a token benefit will be surpassed in a few days with legal fees, forensic accountants, and IT professionals working to restore your data and help you survive. Note: most GL policies today specifically exclude cyber liability – that’s a hint.
Every business owner who has experienced an “incident” has said the same thing to me: “I wish I had purchased higher limits.” Why? Because there are so many things that create exposure and the risk is so highly leveraged. Here’s a mnemonic to remember the risks: “Dave noticed four restored businesses in Puerto Rico legally fined for ransom and social engineering + bricking.” What follows are the multiple risks to your business and how insurance can help.
- Dave = Data breach – This is liability you have to others for losing their information. Hmmm, what’s the possible real dollar cost of a pending purchase of a business being exposed to their competitors? What if your CPA allowed your and others’ personal financial information out?
- Noticed = Notification (laws vary by state) – Do you know what you have to do to comply with each and every state’s requirements? Who will do this – you, at night, while watching TV? Someone on your team?
- For = Forensics – What happened and why? Talented, expensive professionals will sift through your computers to find the problem and identify what happened and what’s really going on.
- Restored = Restoration – Putting things back in order. You’ve stopped the hack. Now, how long can your organization survive without its brain? How many days of production have been lost? What’s the real dollar cost?
- Businesses in = Business Interruption – Both dependent and direct interruption. Does your insurance only protect you for a loss of your data? What if a key supplier gets hacked and your production stops? Coverage is limited by the definition of “interruption.” Details matter.
- Puerto Rico = Public Relations – how do potential clients now view you? Do you have anything on your company’s server that might be embarrassing? Think of this as a positive: What if an industry is hacked but you’re the quickest survivor – do you think you could gain market share?
- Legally = Legal expense – Now you need an attorney who can act as your “data breach coach”, someone with specific experience, not your business attorney. These experts are paid by the insurance you bought to resolve this quickly and with as little disruption as possible. This may be one of the few attorneys you’ll love after a disastrous event.
- Fined = Fines/Penalties – The government may penalize you for losing data. Do you work with government agencies or municipalities? Do you know what their protocol is and what penalties they may assess for a breach?
- Ransom = Ransomware – This is your LARGEST exposure currently. Every day, a new one is exposed. Have you already established a bitcoin account so you are ready to pay the requested ransom? What if you pay the ransom and the hackers smile and just say “thank you, let’s play again”? What’s your recourse? With a policy this is handled for you by experts.
- Social engineering = Social Engineering – The hackers may imitate trusted insiders to steal money from you. There may be hackers in your system long before they take the opportunity to pounce. They know more about your daily online activity than your spouse. The fact is, they will leverage this information to have you willingly part with your hard-earned cash.
- + Bricking = Bricking – This means your entire system is rendered useless, e.g., your computers are now the equivalent of bricks. This may be done by someone who doesn’t like you, or your politics, or your last name, or at random just for “fun.” You can buy more computers anytime... or can you? See this article for more information: https://www.zdnet.com/article/pc-market-to-surge-in-2021-despite-global-chip-shortage-but-other-parts-in-short-supply/
Who can be breached? Ask yourself who can be involved in a traffic accident? You can be sitting at the red light, minding your own business and WHAM! someone slams into the back of your car. (It has happened to me more than once). You did nothing wrong, but you will certainly pay a price. You may do everything right with respect to your data but your employees or a contractor you work with may innocently introduce something malicious and WHAM! someone has taken control of your data. Human error accounts for over 90% of data breaches. See this article for more information. https://blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches
Large corporations and government entities can withstand (usually) a cyber incident. However, 60% of small to medium-sized businesses go out of business after a data breach. Here’s more information on that topic. https://hacked.com/small-businesses-get-hacked/ Yes, you do all the right things to protect your data – as you do with your car – and still accidents can (and will) happen. Sadly, they can happen to you and those you know and with whom you do business.
Have you ever done business with or used one of these companies? Adobe, eBay, Equifax, CVS, Apple, Heartland Payment Systems, Exxon, Toyota, LinkedIn, Marriott International, My Fitness Pal, Target, Yahoo? Each of these well-known companies has suffered a data breach; and, this is just the tip of the iceberg and doesn’t include the government and municipal entities that have been hacked.
So, right now you’re sitting at your desk, reading this article, minding your own business; and . . . you hope nothing happens to your data. I sincerely hope I’m wrong; but, hope is not a plan (nor is it an insurance policy). Sooner or later it’s likely something will happen to your data. You can rely on hope and your earnest efforts alone to get you through the event, or you can purchase cyber insurance and all the resources a quality policy offers as an additional layer of protection.
Did the analogy hold water? For more information or questions related to your cyber security contact Casey Fernandez, Hylant Insurance 407.492.4248 or firstname.lastname@example.org