Cyber Security Awareness

The federal Internet Crime Complaint Center received more than 330,000 complaints in 2009, and more than a third of them ended up in the hands of law enforcement. The damages from those referred to the authorities totaled more than a half billion dollars. The Government Accountability Office estimated that cyber crime cost U.S. organizations $67.2 billion in 2005; that number has likely increased since then. With so much of business today done electronically, organizations of all types are highly vulnerable to theft and corruption of their data. It is important for them to identify their loss exposures, possible loss scenarios, and prepare for them. Some of the questions they should ask include:

What types of property are vulnerable? 

The organization should consider property it owns, leases, or property of others it has in its custody. Some examples:

• • Money, both the organization’s own funds and those it holds as a fiduciary for someone else

• • Customer or member lists containing personally identifiable information, account numbers, cell phone numbers, and other non-public information

• • Personnel records

• • Medical insurance records

• • Bank account information

• • Confidential memos and spreadsheets

• • E-mail

• • Software stored on web servers

Different types of property will be susceptible to various threats, such as embezzlement, extortion, viruses, and theft.

What loss scenarios could occur?

The organization needs to prepare for events such as:

• • A fire destroys large portions of the computer network, including the servers. Operations cease until the servers can be replaced and reloaded with data.

• • A computer virus infects a workstation. The user of that computer unknowingly spreads it to everyone in his workgroup, crippling the department during one of the year’s peak periods.

• • The accounting department discovers a pattern of irregular small funds transfers to an account no one has ever heard of. The transfers, which have been occurring for almost three months, were small enough to avoid attracting attention. They total more than $10,000.

• • A vendor’s employee strikes up a casual conversation at a worker’s cubicle and stays long enough to memorize the worker’s computer password, written on a post-it note stuck to her monitor. Two weeks later, technology staff discovers that an offsite computer has accessed the human resources database and viewed Social Security numbers, driver’s license numbers, and other personal information.

In addition to taking steps to prevent these things from happening, the organization should consider buying a Cyber insurance policy. Several insurance companies now offer this coverage; although no standard policy exists yet, the policies share some common features. They usually cover property or data damage or destruction, data protection and recovery, loss of income when a business must suspend operations due to data loss, extra expenses necessary to maintain operations following a data event, data theft, and extortion.

However, each company might define these coverages differently, so reviewing the terms and conditions of a particular policy is crucial. Choosing an appropriate amount of insurance is difficult because there is no easy way to measure the exposure in advance.

Consultation with the organization’s technology department, insurance agent and insurance company might be helpful. Finally, all policies will carry a deductible; the organization should select a deductible level that it can afford to pay and that will provide it with a meaningful discount on the premium. Once management has a thorough understanding of the coverages various policies provide in relation to the organization’s exposures, it can fairly compare the costs of the policies and make an informed choice.

Computer networks are a necessary part of any organization’s environment today. Loss prevention and reduction techniques, coupled with sound insurance protection at a reasonable cost, will enable an organization to get through a cyber loss event.

According to a phishing study conducted by KnowBe4, employees in the insurance, manufacturing and technology industries click phishing emails or open infected attachments more than employees in other industries.However, no industry is immune to phishing attacks. Use several practical tips to protect your company from phishing attacks.

1. Recognize spam.

Emails designed to gather and steal information can be disguised to look like they originate from a legitimate company. Check every email carefully before you open it, and look for this and other signs of spam.

• Originate from an unrecognized sender.
• Ask for confirmation of personal, financial or banking information.
• Contain a sense of urgency.
• Threaten to contact the police or other organization if you don’t comply.

If you notice any of these signs, mark the email as spam and delete it.

2. Use secure websites.

Employers may need to order or pay for items online. In this case, they should only use secure websites to share personal or financial information. A lock icon on the browser status bar and https URL indicate that the site is secure.

3. Carefully update information via email.

Cybercriminals can practically duplicate the look, logo and other details of a legitimate company as they attempt to steal data. Your employees should always verify that the email is from the right company before they submit personal, financial or other secure information. Even then, they should use caution since anyone can hack into email and access the sensitive data it contains.

4. Avoid clicking on certain links, files and attachments.

Links, files and attachments from unknown senders may contain a virus or spyware that can compromise your entire network. Remind employees not to click on email links, files or attachments from senders they do not know or are not expecting.

5. Beware of pop-ups.

Annoying pop-ups can also be a tool cybercriminals use to gather sensitive data. Legitimate companies do not gather information via a pop-up, so employees should not click on pop-ups, copy a pop-up’s web address into a browser or enter personal information into a pop-up screen.

6. Utilize IT security measures.

Your computer system should feature IT security, including a firewall, anti-virus and anti-spyware software, and spam filters. Update these measures regularly, and instruct your employees to keep them intact.

7. Hold frequent training.

Human forgetfulness and evolving phishing scams require you to host frequent cybersecurity training. It teaches your employees to recognize and avoid phishing scams and can dramatically decrease risks.

Phishing scams can harm your company now and into the future. In addition to purchasing cyber insurance, protect your company when you take these practical steps.

By 2019, the cybersecurity industry will face a deficit of over two million professionals. Whether your company needs a solid cybersecurity team or already has a great team in place, consider taking steps to fight this deficit and protect your business.

Detail the Threat

Incite current employees to enter the cybersecurity industry when you detail current threats, including phishing scams and cyber breaches. Employees who are aware of the threats may step up and seek further training so they can protect others.

Make Cybersecurity Everyone’s Job

Cyberbreach costs exceed $100 billion annually in the United States. Despite your cyber liability insurance policy, your company is not immune to breaches. Ensure that every employee understands the basics of privacy and security in their daily operations. With ongoing training, your team will be equipped to protect your company.

Recommend Schools that Align with National Cybersecurity Guidelines

The National Security Agency (NSA) and Department of Homeland Security (DHS) sponsor a program that supports cybersecurity education for all elementary to postgraduate students and aims to improve the number of trained cybersecurity professionals. Currently, 200 universities have earned the Centers of Academic Excellence in Cyber Defense (CAE-CD) status in the U.S. Highlight these schools as you encourage people to enter the cybersecurity field.

Encourage Hands-on Training

In addition to four-year degrees, a variety of hands-on certification programs also train students to handle cyber challenges. They include the Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), Security+, Network+, GIAC Penetration Tester (GPEN), and Certified Ethical Hacker (CEH). The hands-on education means graduates are prepared to succeed as security specialists, security analysts or other security professionals immediately after graduation.

Introduce Practical Skills

A cybersecurity training program will include technical classes in risk management, data mining and statistical analysis. However, students must know other skills such as collaboration, conflict management, perseverance, and attention to detail. These practical skills provide a well-rounded education and enhance a student’s ability to succeed in the cybersecurity field.

Offer an Annual Scholarship or Tuition Reimbursement

Sometimes, finances prevent someone from pursuing a cybersecurity career. Reduce financial strain with a scholarship for current employees and their family members. You could also offer tuition reimbursement that allows employees to boost their current cybersecurity skills or pursue advanced training.

Allow Flexible Work Hours

If your employees express interest in pursuing cybersecurity training, give them a flexible work schedule. They can work a different shift, share duties with another employee or telecommute as they balance work and classes.

Your company can do its part to train new cybersecurity professionals. Take these steps so that more trained personnel can fight cybercrime and keep data safe.

Cyber breaches that affect big businesses make the news, but over 60 percent of all cyber breaches target small and medium-sized businesses. Because you must protect your business, no matter what its size, purchase adequate cyber liability insurance.

What is Cyber Liability Insurance?

When your business suffers a data breach, you can file a cyber liability insurance claim. The policy won’t prevent a hack, but it will cover your financial losses and assist your company during recovery.

Common Cyber Breach Risks

Any company, from international mega corporations to small family-owned businesses, that operates online or handles customer data faces cyber breach risks such as:

• Human error – using the same password for all websites, losing unlocked devices or downloading malware.
• Mobile devices – gateway for thieves when used over unsecured Wi-Fi connections or left unlocked.
• Disgruntled former employees – use old login information to hack into your system.
• Ransomware – hackers introduce malware onto your computer, encrypt data and require a ransom before they release and decrypt your system.
• Coordinated attacks – international hacker groups target the sensitive information your company stores.

How Much Does a Cyber Breach Cost?

After a cyber breach, your company will owe first-party expenses, such as damages to your systems and data, and third-party expenses related to your liability to customers. Examples of these two expenses include:

• Customer losses – direct financial loss, credit monitoring and other related expenses.
• Business disruption expenses – account for up to 39 percent of a breach’s total cost.
• Direct financial loss – resources the hackers steal from your company bank accounts.
• Legal costs – handling lawsuits customers may file against your business.
• Regulatory fines – imposed by the FCC, FTC, HHS and your state.
• Public relations expenses – required to rebuild your company’s reputation.

These and other expenses contribute to the $3.62 million global average cost of a cyber breach. Each breach affects an average of 24,000 records, reports the Ponemon Institute, and costs $141 per individual lost or stolen record. Multiply this figure by the number of confidential or sensitive records your company stores, and you get an idea of how expensive a breach would be for your business.

Purchase Adequate Cyber Liability Insurance

Many experts suggest that businesses purchase at least $1 million in cyber liability insurance. Without this valuable coverage, your company could face insurmountable financial challenges and possible bankruptcy after a cyber breach.

On average, small businesses pay from $750-8,000 per year for this valuable coverage. Because your needs vary, schedule a consultation with your insurance agent and get a detailed quote.

Protect your customers and your business with cyber liability insurance. It’s essential coverage for every company.

Your company’s website shares information about your business and promotes sales. Hackers can access your website and wreak havoc on your business, though, as they steal customer data, post negative messages to customers or destroy records. As you lock your company’s doors every day, implement several tips as you protect your website, your reputation and business.

Stay Informed About Security Threats

Hackers change tactics often in an effort to access data, so stay informed. Follow tech sites, including The Hacker News, as you secure your website.

Boost Admin Portal Security

Because the admin portal serves as the brain of your website, you need to secure it.

• Utilize a username and password that are hard to guess.
• Never share login information with unauthorized users or via email.
• Limit login attempts.
• Require a multi-factor authentication for logins.
• Reduce access to the portal.
• Scan devices that connect to the network, and ensure they’re not affected by viruses or malware.

Install Security Software

A web application firewall (WAF) scans all the information that passes between your data connection and web server. It catches hacking attempts, malicious bots and spam, so choose one to install.

Update Software

Software updates or patches may close security vulnerabilities and fix bugs. Because hackers can scan thousands of websites each hour, set your devices, web servers and all aspects of your website to update software automatically as you protect your business.

Add an Encrypted SSL

You may use your company’s website to gather customer email addresses or credit card information. In this case, use an encrypted SSL to hide personal information that’s transmitted from your website to your database.

Minimize File Upload Access

You may carefully scan uploaded files for security threats, but smart hackers can easily hide bugs in those files and gain access to your website. Counteract hackers when you store uploaded files outside of the root directory, then use a specific script when you’re ready to access the stored information.

Backup Your Website Frequently

Several times a day, schedule website backups. Choose a local and off-site backup location so you can get to your data if a hacker does manage to access your website, the hardware fails or you suffer a power outage.

Prioritize Security

Everyone in your company should prioritize security and take steps to deter hackers. Train employees to secure their devices that connect to your server, follow password security protocols and set logins to expire quickly after inactivity.

With these tips, you can protect your website from hackers. Additionally, talk to your cyber liability insurance agent and ask about other strategies and steps you can take to protect your website, customers and business.

Your customers entrust their personal data to you and your company. Your employees may easily share information, though, particularly if you operate an open office with little privacy. Protect your customers’ information and identities when you follow several tips.

Collect Only the Data you Need

Unless you need a customer’s driver’s license number or Social Security number for a specific purpose related to the transaction, don’t collect this data. Ask only for the data you need, and reduce access to information that could be compromised.

Use Data Only for Legitimate Purposes

The data you collect may be used to complete a sale or open a line of credit, but don’t use a customer’s data for any other purpose. Improper use of data can compromise a customer and place your company at risk.

Store Data Properly

Protect sensitive customer data when you store it electronically and never on paper. Then encrypt all data and lock it in a centralized location, not on a USB drive or other removable media. When you’re ready to erase the data, wipe it from your system and shred any paper files.

Use a Dedicated Server

While you could use a shared server to save money, a dedicated server reduces a hacker’s ability to access your data. It reduces vulnerability and improves security.

Protect Your Network

Secure the information on your network when you update your system’s anti-virus and firewall protection and scan often for malware. Perform regular updates on all computers and other connected devices, too.

Secure Your Devices

Use only updated computers, tablets, smartphones, printers, fax machines and all devices as you improve security. Then ensure all devices that connect to the internet are kept locked when not in use. When employees must connect remotely to your network, ensure they use a secure VPN (Virtual Private Network).

Backup Data Regularly

Schedule data backups at least daily. This step secures data as you collect it and reduces the risks of theft.

Restrict Access

Maintain a “need to know” attitude as you protect data. If employees don’t need access to the information stored on paper or electronically, they shouldn’t have access to it.

Train Employees

Educate your entire staff about how to protect customer information. They should know how to maintain confidentiality during every step of their customer interaction, including before the sale,  when they collect payment and during any follow-up.

Employees should also know how to:

• Update software.
• Lock computers when they’re not in use.
• Avoid downloading malware.
• Change passwords often.

Protect customer data in your open office when you take these steps. When you and your team secure data during every step of your customer interaction, you reduce the risk of an expensive cyber breach.

With a virtual payment terminal, you can take payments over the internet. Not only will you boost sales, but you’ll also offer convenience to your customers. Your virtual payment terminal may be vulnerable to security risks, though, so follow several tips as you reduce liability and protect your customers and business.

What is a Virtual Payment Terminal?

Your virtual payment terminal allows you to accept credit card payments without using a credit card terminal. Simply log into the virtual terminal website from your device, enter the sales amount and key in the credit card information. You’ll then receive authorization if the sale is approved and can print or email the receipt.

After each sale or when it’s convenient for you, check the transaction history to see details about your sales and processing activity. The terminal also includes performance data and financial reports, and you can adjust the admin settings.

With your virtual payment terminal, you can accept payments anywhere. You’ll also save money with lower processing fees and increased opportunities to make sales.

Security Tips for Your Virtual Payment Terminal

Your virtual payment terminal offers convenience and can boost sales, but you must secure it. You will be liable if your actions compromise a customer’s credit card number or if fraud occurs to your account.

• Never store customer payment information. Use credit card data to make the sale, but never make or store a copy of the card number or other details.
• Use a PCI-compliant virtual payment terminal provider.
• Utilize fraud filters that identify potential fraud and help you respond properly.
• Partner with a provider that uses Point-to-Point encryption.
• Implement tokenization. It replaces data with a token and inhibits hackers.
• Avoid public Wi-Fi connections that are often unsecure.
• Follow all the security protocols mandated by your virtual payment terminal provider. These protocols may include annual PCI compliance training or software updates as you protect your customers’ data and company.
• Limit login access. Only authorized employees should be able to log into your virtual payment terminal as you prevent unauthorized transactions or other information compromises.
• Log out after each transaction or when you need to walk away from your device. This step prevents someone from accessing the terminal and information between sales.
• Secure the computers, smartphones and tablets you use to access your virtual payment terminal. If possible, use devices that require a pin or use fingerprint or face recognition, and store these devices in a secure location.

Your business benefits from a virtual payment terminal. Secure it as you limit your liability and protect customers and your company.

The federal Internet Crime Complaint Center received more than 330,000 complaints in 2009, and more than a third of them ended up in the hands of law enforcement. The damages from those referred to the authorities totaled more than a half billion dollars. The Government Accountability Office estimated that cyber crime cost U.S. organizations $67.2 billion in 2005; that number has likely increased since then. With so much of business today done electronically, organizations of all types are highly vulnerable to theft and corruption of their data. It is important for them to identify their loss exposures, possible loss scenarios, and prepare for them. Some of the questions they should ask include:

What types of property are vulnerable? The organization should consider property it owns, leases, or property of others it has in its custody. Some examples:

• Money, both the organization’s own funds and those it holds as a fiduciary for someone else
• Customer or member lists containing personally identifiable information, account numbers, cell phone numbers, and other non-public information
• Personnel records
• Medical insurance records
• Bank account information
• Confidential memos and spreadsheets
• E-mail
• Software stored on web servers

Different types of property will be susceptible to various threats, such as embezzlement, extortion, viruses, and theft. What loss scenarios could occur? The organization needs to prepare for events such as:

• A fire destroys large portions of the computer network, including the servers. Operations cease until the servers can be replaced and reloaded with data.
• A computer virus infects a workstation. The user of that computer unknowingly spreads it to everyone in his workgroup, crippling the department during one of the year’s peak periods.
• The accounting department discovers a pattern of irregular small funds transfers to an account no one has ever heard of. The transfers, which have been occurring for almost three months, were small enough to avoid attracting attention. They total more than $10,000.
• A vendor’s employee strikes up a casual conversation at a worker’s cubicle and stays long enough to memorize the worker’s computer password, written on a post-it note stuck to her monitor. Two weeks later, technology staff discovers that an offsite computer has accessed the human resources database and viewed Social Security numbers, driver’s license numbers, and other personal information.

In addition to taking steps to prevent these things from happening, the organization should consider buying a Cyber insurance policy. Several insurance companies now offer this coverage; although no standard policy exists yet, the policies share some common features. They usually cover property or data damage or destruction, data protection and recovery, loss of income when a business must suspend operations due to data loss, extra expenses necessary to maintain operations following a data event, data theft, and extortion. However, each company might define these coverages differently, so reviewing the terms and conditions of a particular policy is crucial. Choosing an appropriate amount of insurance is difficult because there is no easy way to measure the exposure in advance. Consultation with the organization’s technology department, insurance agent and insurance company might be helpful. Finally, all policies will carry a deductible; the organization should select a deductible level that it can afford to pay and that will provide it with a meaningful discount on the premium. Once management has a thorough understanding of the coverages various policies provide in relation to the organization’s exposures, it can fairly compare the costs of the policies and make an informed choice.

Computer networks are a necessary part of any organization’s environment today. Loss prevention and reduction techniques, coupled with sound insurance protection at a reasonable cost, will enable an organization to get through a cyber loss event.

The recent security breach at Sony underscored not only the need for better security in protecting sensitive internal documents and information, but also the appalling lack of care being taken on an individual level to protect passwords and take other steps to protect (or remove) sensitive conversations and data. Despite a litany of other widespread and serious data breaches in recent years, many businesses still don’t seem to be taking cybersecurity as a serious issue that not only could affect them, but very well may.

As a business owner or manager, you’ve heard time and again how important it is to delegate in order to streamline processes and be more productive – and more profitable. But delegating does not mean turning a blind eye; and when it comes to cybersecurity issues, unless you have a dedicated chief information security officer, you need to take an active role in ensuring your data is adequately protected.

The key to effective management begins with understanding the types of threats that exist and how they’re evolving, as well as identifying new threats as soon as they begin to emerge. At the same time, management needs to develop actionable steps to counteract potential breaches, looking for weaknesses at every level, from individual employee passwords and use of personal devices like smartphones, to the way data is encrypted and stored, both in the cloud and on any on-site or remote servers.

Strong, company-wide policies backed up by employee education programs and Q&A sessions are the cornerstones of an effective cybersecurity policy; managers must clearly communicate to employees – at every level – the vital roles they play in protecting the company from cyber threats so they see BYOD and other policies as being protective rather than punitive.

Involving employees in cybersecurity discussions also helps ensure their cooperation and compliance.
One more lesson from the Sony breach: Unlike other cybersecurity attacks that have targeted customer identification and banking information, the Sony attackers also focused on employee emails, revealing information that proved both embarrassing and potentially costly. Many businesses fail to consider emails and personal files when considering cybersecurity measures, leaving themselves wide open to similar breaches.

In a nutshell, companies that assess and manage cybersecurity issues as vigilantly as they do financial, operational and reputation-related risks have the greatest chance of thwarting attacks and breaches. Start today to plan how to avoid breaches as well as how to respond if a breach does occur.

Cyber attacks threaten more than your company’s computers. They could affect your company’s ability to stay in business. Prepare for a safe and secure 2018 when you boost cyber security.

Update Software Often

Ensure that every device in your network is equipped with anti-virus software and set to update automatically. Commit to check for patch updates, too, often throughout the year.

Use Firewalls

Firewalls protect your computer from many viruses and other malicious content. They can block suspicious content and prevent employees from accessing malicious websites. Double check that your firewalls are working and updated.

Open Email Carefully

Cybercriminals often place viruses, malware and other malicious content in email attachments, or they entice readers to share personal information. Because your employees may receive hundreds of daily emails, host a training and equip them to recognize and avoid threats.

Improve Passwords

Require employees to change passwords every month or more frequently. Also, encourage them not to share their password with anyone, even with coworkers, and never to write down their passwords. For security, passwords should follow several guidelines.

• Be hard to guess
• Include eight or more characters
• Contain a mix of uppercase and lower letters, characters and numbers
• Be different for every site

Share Files Wisely

Many companies rely on file sharing, and your employees and clients can collaborate safely when you use cloud-based sharing resources like Google Docs, OneDrive or Dropbox. Remind employees never to share files with strangers, and disable sharing of all hard drives to prevent infections.

Back Up Data

All systems should automatically back up data throughout the day. Now’s also a great time to select and begin using an off-site data storage option for greater security.

Perform Regular Security Scans

Legitimate anti-spyware programs scan your computer and remove damaging files, malware and other malicious content. Choose a program carefully, then set it up to scan daily.

Implement a Cybersecurity Team and Safety Protocol Steps

Whether you hire several IT specialists or rely one one chief security officer, your company needs a team who will monitor, prevent and address cyber threats. Additionally, implement protocols that guide your employees on how to address and report cyber security challenges they face like pop-ups, outdated network security certificates or suspicious emails.

Purchase Cyber Insurance   

Insurance can’t prevent a cyber attack, but it does cover financial costs associated with breaches. Purchase or update your cyber insurance so you can pay for damages, remediation and other costs that result from a cyber attack.

Cybersecurity threats affect hundreds of businesses every year. These steps boost your security and prepare your business to stay safe in 2018.