How to protect your most valuable asset … your data
ARMA Partners Adler Insurance Brokers and cyber security specialists Equilibrium Security Services offer advice on how to keep your business safe from cyber-attacks.
A managing agent’s most precious asset is now the information held on his IT system: client details, maintenance schedules, asset lists, HR and accounts – all are now stored digitally in our ‘paperless’ world. Yet, as was highlighted at the ARMA Annual Conference 2016, many members need to give more consideration to their digital resources and how to protect them.
Delegates at Conference were treated to an eye-opening presentation – a cybercrime seminar featuring a ‘live’ on-screen hack. Angela Irvine (Adler Insurance Brokers) and Anish Chauhan (Equilibrium Security Services) highlighted the reputational and operational damage that cyber criminals can cause: if a customer or employee database is leaked, a business’s hard-earned reputation can be damaged and thousands of pounds’ worth of sales lost as a result.
Cyber risk is deeply woven into the fabric of modern-day business. Nor is a cyber-attack something that happens only to large companies; a staggering 90% of large businesses and 74% of SMEs suffered a data breach in the last year, costing on average £190,000 to repair.
Many managing agents can be so focused on the day-to-day running of their businesses that they forget to protect themselves from the online security threats that could expose or target their systems. However, a lack of sufficient defence to thwart cyber breaches is why hackers view such businesses as easy targets.
So, no matter how big or small your organisation, it’s always prudent to protect your business from online breaches. Here are Angela and Anish’s top 10 tips.
1. Use Anti-Virus
Antivirus and anti-malware software are essentials in your arsenal of online security weapons. They are the last line of defence, should an unwanted attack get through to your network.
However, it’s essential to understand that new viruses are developed each day and some are well disguised and tough to pinpoint. Therefore, you should always ensure that the anti-virus software you are using is up to date to keep you safe.
2. Updates, Updates, Updates!
Making sure your computers are properly updated is a necessary step towards being fully protected; there is little point in installing the latest and greatest software if you do not maintain it.
Hackers often exploit security flaws in software. Businesses can look to prevent this by ensuring that they are running the latest versions. It is therefore essential that all software is properly ‘patched’ and up to date, fixing any recent issues or holes that programmers have identified.
3. Use Strong Passwords
One of the simplest, yet most essential, ways to protect your data is to ensure you have secure passwords online. Security company SplashData publishes an annual ‘Worst Passwords List’ demonstrating the risks that internet users continue to expose themselves to by creating passwords which are easily breached by hackers. The top two on the list for 2016 were ‘123456’ and ‘Password’!
The Government’s cyber security campaign, Cyber Aware, is urging people and small businesses to #ThinkRandom to create strong passwords by using three random words. For example, combining three words which mean something to you but are random to others will create a password that is strong and memorable.
4. Don’t ‘Over Share’
Sharing what you are doing, where you are doing it and whom you are doing it with is a common practice for individuals and businesses on social media. Data often travels unprotected through social media channels and, when you consider how much people ‘over share’, social media can be a serious source of data leaks.
Data leaks can happen in a seemingly harmless post about relocating for work when that news is still confidential to your company. It can happen if you mean to send a private message and accidentally make a public social media post. While it’s easy to think, “There is no way I’d ever do that,” even Twitter's own CFO has done exactly that: posting confidential data via a public Tweet when he meant to send a private Direct Message.
5. Keep Regular Backups
Scheduling regular backups is a painless way to ensure that all your data is stored safely. Ideally, backup activity should be diversified, so that the failure of any single point won’t lead to the irreversible loss of data. For example, store one copy in the cloud and the other on offline physical media, such as a portable hard drive.
The general rule of thumb for backups is that servers should have a complete backup weekly, and incremental backups every night, but the key here is to back up according to how long you could live without your data!
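The rule of thumb above, written as a check over a backup catalogue. This is an added example, not part of the original article; the catalogue format, the location labels and the function name are assumptions, and the sample entries are constructed.

```python
from datetime import date, timedelta

# Assumed label for offline physical media such as a portable hard drive.
OFFLINE_MEDIA = {"portable-disk"}

# Constructed sample catalogue: (day, kind, location). Not real data.
SAMPLE = [(date(2016, 11, 6), "full", "cloud")] + [
    (date(2016, 11, d), "incremental", "cloud") for d in (7, 8, 9, 11, 12, 13)
]


def audit_backups(catalogue, today):
    """Return a list of findings; an empty list means the rule of thumb is met."""
    findings = []
    fulls = sorted({day for day, kind, _ in catalogue if kind == "full"})
    if not fulls:
        return ["no full backup found"]
    last_full = fulls[-1]

    # Weekly rule: the newest complete backup must be at most 7 days old.
    age = (today - last_full).days
    if age > 7:
        findings.append(f"last full backup is {age} days old")

    # Nightly rule: every night since the last full needs some backup.
    covered = {day for day, _, _ in catalogue}
    night = last_full + timedelta(days=1)
    while night < today:
        if night not in covered:
            findings.append(f"no backup for the night of {night.isoformat()}")
        night += timedelta(days=1)

    # Diversification: two copies of the last full, one of them offline.
    places = {loc for day, kind, loc in catalogue
              if day == last_full and kind == "full"}
    if len(places) < 2:
        findings.append("last full backup has only one copy")
    if not places & OFFLINE_MEDIA:
        findings.append("last full backup has no offline copy")
    return findings


if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, today=date(2016, 11, 14)):
        print("FINDING:", finding)
```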
6. USB and Encryption
Thumb-sized USB drives are convenient and small. However, the more ubiquitous they have become, the greater the risk that they will get lost or stolen or be used to spread malicious programs; if someone plugs an infected USB drive into their business computer they could inadvertently upload the bug to the network and potentially cripple the company.
Malware isn’t the only problem. In 2008, British dry cleaners found an estimated 9,000 forgotten USB memory sticks in the pockets of people’s clothing. More than 12,000 handheld devices, including USB drives, get left behind in taxi cabs in London and New York every six months.
If you absolutely must put sensitive information on a USB device, encrypt it first. Some newer model USB drives also have safety features such as fingerprint authentication that protect data from theft.
7. Use a Next Generation Firewall
Users visiting web sites, social networking or collaborating online were still at risk of attacks such as key loggers, spyware and ‘backdoor’ attacks – these threat types represent over 50% of the breaches of financial information, personal data, trade secrets and other intellectual property.
In an effort to thwart these types of attacks, ‘Next Generation firewalls’ (NGFWs) were developed. NGFWs use a more thorough inspection style, checking data content for harmful activities such as exploitable attacks and malware, and they’re fast becoming a critical piece of IT infrastructure for modern businesses to be able to exert necessary control over their network traffic.
8. Regular Employee Training
One of the most difficult things to do is protect end users against themselves but ultimately, prevention is the best approach to handling your data security. Make sure your employees understand how important your company's data is, and all the measures they can take to protect it. Refraining from opening attachments that look suspicious and thinking twice before clicking links are two essential behaviours that staff should adopt.
We recommend drawing up a digital security policy with the help of an expert. It will codify the acceptable practices regarding things like internet use, portable devices and password strength.
9. Certifications – Cyber Essentials
The Government’s Cyber Essentials Scheme encourages organisations to take steps towards achieving at least a basic level of cyber security that might prevent some 80% of attacks to which they would otherwise be vulnerable.
It lays out a procedure for establishing resistance to cyber risk; it’s designed to enable those dealing with an organisation – customers, suppliers and perhaps insurers – to know whether it meets a measurable minimum standard of cyber ‘hygiene’. This in turn should create a competitive advantage for those who demonstrate compliance over rivals who do not.
Also, standards such as these may be used in the determination of negligence; losses that could have been prevented by the adoption of the Cyber Essentials may one day turn out to be uninsured and more easily shown to be the responsibility of the organisation that failed to prevent them.
10. Cyber Liability Insurance
This brings us to the insurance industry, which in the last couple of years has developed some cyber insurance policies to help businesses cope should the worst happen and they suffer a digital security breach. It should be noted that, at the same time, insurers have also been working to exclude ‘cyber’ risks from standard insurance policies. This ‘silent’ removal of cyber cover is in fact being encouraged by the regulator, the Prudential Regulation Authority, as it looks to foster contract certainty for policyholders as to the level and type of coverage they hold, by moving cyber cover out of the standard ‘all risks’ packages.
Business owners should be talking about the kind of insurance cover their business has: what cyber risks are excluded, and what cover best meets their needs and perceived threats? There is, as yet, no ‘standard’ cyber cover, and even the word ‘cyber’, in the insurance context, does not have one single, accepted meaning.
A SOLUTION: CYBER SECURITY MEETS CYBER INSURANCE
Equilibrium Security Services and Adler Insurance Brokers have joined forces to help tackle the growing cyber security risks to managing agents. Businesses benefit most from a collaborative approach where cyber security and insurance go hand in hand. Therefore, this unique proposition provides ARMA members with a solution that encompasses both security vulnerability advice and cyber liability insurance protection.
Equilibrium Security Services can put in place a minimum level of security measures that include:
- Vulnerability assessments
- Firewall design and implementation
- Assistance designing a cyber security strategy
Adler Insurance Brokers can offer cyber-aware businesses a package that protects them against a number of exposures, which includes protection for:
- Liability: privacy and confidentiality
- Copyright, trademark, defamation
- Malicious code and viruses
- Business interruption: network outages, computer failure
- Attacks, unauthorised access, theft, website defacement and cyber extortion
- Technology errors and omissions
- Intellectual property infringement
For additional support and advice on ways to protect your business from cyber risks, please contact:
Angela Irvine at Adler Insurance Brokers: tel - 0121 764 7567; email - firstname.lastname@example.org
Anish Chauhan at Equilibrium Security Services: tel - 0121 663 0055; email - email@example.com