About 30,000 records per minute are being leaked in data breaches and cyber attacks, the Stealth Report estimates.
Ransomware attacks — software that infects a system and blocks users from accessing computers until a ransom is paid — are particularly on the rise for businesses, industrial and manufacturing firms. A report from cybersecurity firm Malwarebytes found a 365 per cent increase in ransomware attacks this year against businesses.
Supply chain attacks, in which a legitimate vendor pushes out what looks like a trustworthy update to accounting, computer or video game software that has actually been tainted by cyber criminals, are a growing concern.
Phishing emails, despite being a well-known threat, continue to be successful. Cyber criminals often employ social engineering techniques to take advantage of people’s natural tendency to want to help. Employees will click on emails they think are from a trusted source — such as a bank, colleague or boss — and release funds or sensitive data. And we’re all constantly hit with phishing emails carrying what seem to be legitimate requests for information from businesses such as Microsoft, PayPal and Facebook.
The variety and spectrum of cyber threats can seem limitless. What can you do to protect yourself and your business?
No plan is foolproof, but here are 10 tips to help reduce your risk:
1. Develop a written plan that involves your IT team, lawyers and all necessary departments so there’s clear knowledge of the type of data collected, where it’s stored and who has access to it. Understand your level of risk. It may be necessary to hire help to prepare the plan and to update it regularly. Cyber criminals are always getting more sophisticated, so you need to be sure your plan is also constantly evolving.
2. Educate executives and employees about the most common dangers of cybercrime, ensure everyone knows security protocols, and limit access to sensitive corporate and/or customers’ data.
3. Everyone should use common sense. Slow down and think it through before acting. If your boss usually gives instructions for large financial transactions by phone or in person rather than email, double-check before you act. Enter a URL by hand if you are unsure about the source, instead of following links.
4. Follow the basics. Make sure all firewalls, routers and anti-virus programs are secure and up to date. Download and install software updates for your operating systems and applications as they become available. Never click on pop-ups. Enforce a strict password policy and change passwords every 90 days.
5. Consider encrypting sensitive information when sending it by email, or use secure drop boxes to share data between customers or companies. Some industries require it. How long do you retain emails? Sometimes it’s a matter of law; other times companies implement a standard, such as 90 days, so exposure is limited if they are hit by a virus.
6. Develop a flash drive policy. Employees should never put unknown flash drives or USBs into their computers and should know to hold down the shift key when inserting to block malware. Sensitive information shouldn’t be sent through the mail on a flash drive.
7. New computers, laptops and mobile phones are required all the time. Be sure when upgrading to new technology that information on the old equipment is properly deleted.
8. Minimize the physical risks. Should you install tracking software on laptops and mobile phones? If computers are in a publicly accessible space consider locking cables. Employees working with sensitive information should angle monitors away from reception areas or check-in spaces. Those working in public areas need to be trained to never leave laptops or desk files unsecured when they walk away to help a client, for a break or at the end of their shift.
9. Create a cyber incident response plan. Everyone should know what to do if your business is hit by an attack. There are legal requirements around notification, depending on the industry, as well as best business practices to protect your reputation. Call police so there’s a record. Notify the Canadian Centre for Cyber Security. Fraud should be reported to the Canadian Anti-Fraud Centre.
10. Consider cyber insurance to protect your business against added costs and lost income. Foster Park Brokers will tailor a policy to meet your individual needs, but it can include notification costs, credit monitoring for customers, legal costs, ransom payments, forensic investigation, IT support and PR campaigns as needed.
Cybercrime is an unfortunate reality in today’s business world. You should have a clear knowledge of the risks, a strong security plan, be prepared in case of an incident, and have cyber coverage as a financial backstop.
For more information, contact Foster Park and we will have one of our Commercial Insurance professionals help to protect your business from this risk. 1-800-668-3213