By Jason Huber/Consulting
As we are learning, technology is a double-edged sword. It has significant benefits to organizations of all sizes but is quickly becoming one of the largest threats to any organization and individual. We think it would never happen to our business because cyber attacks only happen to government organizations, colleges, big businesses and financial institutions, right?
It may come as a surprise that more than half of all companies who experience a cyber attack have fewer than 1,000 employees and a Symantec 2012 report found 31 percent have less than 250 employees. A recent report from the Small Business Committee Subcommittee on Health and Technology found that 60 percent of small businesses will close within six months after experiencing a cyber attack, as it can cost anywhere between $30 to over $200 per compromised record. This does not include the cost of down time, lost customers and reputation.
Although traditional breaches are still a threat, we are seeing an emergence in hackers following users to new forums such as social media and mobile technology. In addition, the culprit could be halfway around the world or sitting in a cubicle down the aisle. Or, it could very easily be an employee using a personal device surfing the web through the company wireless network and contracts a virus from a website. So the big question is, how do you protect yourself and what exactly are you protecting?
The scope of risk will differ from organization to organization but at a high-level, breaches can occur through a company website, client/vendor portal, social media, mobile devices, physical hard-drive theft, email phishing, e-business, cloud computing and point-of-sale devices. The data at risk can include sensitive customer information, intellectual property, financial information, trademark/copyright material, or could lead to defamation or system failures. Again, the scope of risk is subjective as is the scope of risk management.
A well-rounded cyber risk management program will consist of two complimentary parts. 1) A risk management plan to prevent and manage cyber attacks and 2) a risk transfer plan to respond in the event a cyber attack does occur.
At a high-level, a risk management plan should consist of the following basic elements:
- Cyber policy and mobile device policy.
- Employee education.
- Secure network/firewall technology/anti-malware and anti-virus software.
- System password protection that is regularly changed.
- Blacklisting websites that are non-work related.
- Data encryption
- Cyber risk management strategic plan for prevention and reaction.
A risk-transfer plan will help determine the amount of risk your business is willing to absorb and the amount of risk your business prefers to transfer through a cyber/privacy insurance policy. A cyber/privacy insurance policy responds in the event of a cyber attack and covers a variety of both liability and property losses. Depending upon the policy, coverage may respond to the following third-party claims and lawsuits arising from:
- Privacy/identity theft.
- Intellectual property, trademark, and copyright infringement.
- Reputational injury alleging libel, slander, defamation, and invasion of privacy.
- System security failures that result in harm to third-party systems.
Optional coverages may also extend to first-party (you) cyber crime expenses and property exposures. Dependent upon the insurance company and their policy it may include some of the following coverages:
- Third-party notification expenses.
- Business interruption.
- E-vandalism expenses caused by an employee.
- Public relations costs.
A recent TMT Global Security Study found that 88 percent of companies surveyed do not believe they are vulnerable to cyber attacks, over 70 percent do not have a cyber risk management program in place and more than half of those companies surveyed experienced a cyber security breach in 2012. As technology continues to advance, hackers will continue to adapt. Evaluating the appropriate cyber risk management program for your organization will help mitigate this risk and help protect your business.
Jason Huber is a risk consultant for Millhiser Smith Agency.
This article is intended for informational purposes only and is not to be construed as legal or insurance consultation. Please consult your attorney for legal advice or insurance agent for risk transfer advice.
