Lines of Defense
While major data breaches at national companies justifiably make news, small businesses may not recognize that hackers target businesses of all sizes and types. But awareness is on the rise, especially as insurance companies hone their products aimed at protecting against cyber threats — and help clients understand that buying insurance is only one line of defense, and that complete protection requires in-house diligence, too.
When is cybercrime not cybercrime?
When it falls under the broad category of something called ‘social engineering,’ said Bill Trudeau, president and CEO of the Insurance Center of New England.
That term refers to a broad range of ways to manipulate people into giving up confidential information, or even money. It can include anything from phishing schemes to leaving a flash drive on the ground, hoping someone will find it and load it onto their computer out of curiosity, thereby installing malware on their company’s network.
Or say, Trudeau suggested, a CFO receives an e-mail he thinks is from the company CEO, reading, “we worked out a new deal with ABC Company. Wire them a $20,000 deposit; I’ll have full details when I return.”
“If they get your CFO to wire money to an unknown source, it’s not really theft because they did it voluntarily; it was a trick,” Trudeau said. More importantly, the loss would not be covered by typical cyber liability insurance, because it’s not technically a cybercrime, which involves the perpetrator physically hacking a network, not conning someone else into doing it. Instead, the client would need a fraud endorsement on its insurance policy.
“Social engineering is cropping up more, spreading like a pandemic,” Trudeau said. “Now, enough bookkeepers have been embarrassed or fired that, when they see an e-mail like this, they usually say, ‘wait, I’m not falling for this.’”
But the ones who do succumb to social engineering make it abundantly clear that, while cyber liability insurance is still an important part of a company’s defense against risk, just as important is a culture that trains employees in avoiding being conned.
“Social engineering is a relatively new term that refers to illegal fund transfer or diversion,” said John Dowd Jr., president of the Dowd Insurance Agency. “You can also unwittingly introduce a virus to a third party. This virus may have been put on your website by someone without you knowing it, and when people go onto your website, they get infected … and it’s your fault.”
That’s not to say cybercrime the way most people understand it — a hacker breaking in and exposing confidential data, for example — isn’t still a major problem, one that companies need to work with their insurance agents to cover. While historic breaches like Target in 2013, with 70 million customer records exposed, make headlines, the reality is that most breaches occur in businesses with 100 or fewer employees.
According to the latest report by Cybint Solutions, which provides cybersecurity education and training solutions to businesses and organizations, a hacker attack occurs every 39 seconds, affecting one in three Americans each year.
In 2016, 95% of breached records came from three industries: government, retail, and technology. However, 64% of all companies have experienced web-based attacks, and 43% of cyberattacks targeted small businesses. Meanwhile, 62% experienced phishing and social-engineering attacks.
The threat is growing due to the increasingly interconnected nature of the world today, Cybint notes. According to a recent Symantec Internet Security threat report, there are 25 connected devices per 100 inhabitants in the U.S. By 2020, there will be roughly 200 billion connected devices.
The total cost for cybercrime committed globally has added up to $100 billion, Cybint adds. “Don’t think that all that money comes from hackers targeting corporations, banks, or wealthy celebrities,” the report notes. “Individual users like you and me are also targets. As long as you’re connected to the Internet, you can become a victim of cyberattacks.”
It’s concerning, the report notes, that only 38% of global organizations claim they are prepared to handle a sophisticated cyberattack.
“Many businesses, by and large, do not manage the threat as well as they should,” Dowd told BusinessWest. “This could be due to lack of understanding the true exposure and financial implications of a breach. Certain businesses have a greater exposure than others, but any business that stores personal information or uses a computer has the potential for a claim.”
While the average cost for each lost or stolen record containing sensitive and confidential information increased 4.8% last year, to $148, according to IBM’s annual “Cost of a Data Breach” report, Trudeau said companies need to individually assess what they have at stake.
“You’ve got to look at this on a granular level,” he said. “What data do you have? What data-breach exposure do you have? Do you store information that’s a concern?”
The answer to that question could vary by quite a bit. “You might have blueprints or schematics, designs, but how critical is it? Some might shake their heads and say, ‘no one cares; it’s on the Internet, so it’s not top secret.’ But if a law firm’s files are stolen, there could be embarrassment and reputation risk. You have to decide what you’re trying to accomplish.”
Cyber liability coverage typically protects against a wide range of losses that businesses may suffer directly or cause to others, and these come in two forms: first-party and third-party losses. Third-party losses involve regulatory fines and lawsuits brought by affected customers, while first-party losses are what the business itself incurs up front, such as business-income loss, data-retrieval services, downtime, and notification of customers, to name a few.
The costs to businesses associated with a data breach, from lawsuits to regulatory fines to notification expense, can be staggering, Dowd noted, and insurance companies have responded with new policy forms that protect against many cyberthreats that customers may never have heard of.
“Policies today are much broader than they used to be out of necessity — the crooks keep coming up with unique ways to hack into your computers and steal information,” he said. “In some cases, they will charge you a ransom to return the information they stole from you. Insurance policies can cover all of the costs associated with a breach, including fines and penalties.”
When a data breach does occur, how a company responds up front — self-reporting to authorities and having a turn-key response — can reduce its liability. In fact, carriers that specialize in this type of coverage, like Beazley and Chubb, have turn-key response operations as part of the policy.
Immediately notifying victims and paying for identity-theft-prevention services can help avoid the liability costs that typically outweigh the first-party losses, Trudeau added. “You need liability coverage, but you hope you’ll never have to use that if you handle everything correctly with the victims.”
Businesses need to have not only insurance against cybercrime, but a plan of defense in case something does occur, Dowd said. “Virtually no one is immune from this danger. The laws on the books today are very strict with regard to protecting personal information, whether it is your clients or your employees.”
In response, according to the Cybint report, approximately $1 trillion is expected to be spent globally on cybersecurity from 2017 to 2021. Meanwhile, unfilled cybersecurity jobs worldwide will reach 3.5 million by 2021. Even now, more than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years. Clearly, it’s a threat that isn’t expected to go away.
Eyes Wide Open
Employers can take a number of steps to prevent data theft, such as protecting every computer connected to the Internet or the internal network with anti-virus and anti-spyware software; installing security-software updates promptly to stay ahead of hackers; securing the company’s wi-fi network by requiring passwords or even configuring the wireless access point or router to hide the network name; securing computers and network components and requiring log-on passwords for all employees; and continually educating employees on security guidelines for computer, network, database, e-mail, and Internet usage, as well as penalties for violating those guidelines.
And, of course, training employees on how to spot a scam.
“It’s not a data breach when you fool someone into giving up data,” Trudeau said. “In the last few years, insurance providers have seen a striking increase in people voluntarily parting with their money. We need to make sure we’re having the right conversations.”
He said he’s heard of someone posing as a technician visiting a business and asking to use the bathroom. Once out of sight, he ducks into the first empty cubicle he sees and inserts a flash drive into a computer to load malware.
“Certainly prevention is important. A lot of little things can happen,” he told BusinessWest. “Awareness is important, to stay fully ahead of all the shenanigans.”
Some cybersecurity-insurance carriers pose a long series of questions on their application forms about the details of a company’s exposure to data risk, and if the underwriter isn’t satisfied with the answers, they may not write the policy until certain practices have been changed and safeguards put in place. Companies may also choose to hire a third party to poke around their computer systems and challenge their operations when necessary.
“Prevention is critical because the fallout from a breach is not limited to out-of-pocket expense,” Dowd said. “You can also lose clients and sales.”
Indeed, according to an Economist Intelligence Unit consumer survey conducted in 2013, 18% of respondents had been a victim of a data breach, and, of those individuals, 38% said they no longer did business with the organization because of the breach. Meanwhile, 46% said they advised friends and family to be careful of sharing data with the breached company.
“Having a good IT firm who knows how to protect your system on an ongoing basis is critical,” Dowd continued. “Going through the application-for-coverage process is very helpful and often eye-opening because it reveals what you may or may not be doing correctly from a prevention standpoint. I will often suggest to clients that they go through the process of applying in order to educate themselves, even if they ultimately choose not to buy the insurance policy.”
After all, the best policy against becoming a victim is knowledge and vigilance. But an actual insurance policy is a good idea, too.
Joseph Bednar can be reached at [email protected]