Best Practices for Cyber Security at Your Business with an ‘Ask the Expert’ Interview with Kiran Pande, RPLU, CPLP, Specialty Practice Leader of LAMB Insurance

Does your business have an extra $653,587 lying around? If you are like many small to midsize businesses, the answer is no. Unfortunately, recent statistics show that the average cost for a small business to recover from a cyber security incident can be that high, depending on the severity of the attack. While statistics like this are alarming, they are also a reminder that cyber security at your business should be a top priority.

The following is an interview with cyber security insurance expert Kiran Pande, RPLU, CPLP, Specialty Practice Leader at Lamb Insurance. Lamb Insurance is the industry-leading property and casualty brokerage focusing on nonprofit and social service organizations. The insights and best practices Kiran shares below are valuable to all small and medium-sized businesses.

Q: What are the most common cyber claims you see? What contributes to them?

A: Probably does not come as a surprise – phishing and ransomware are the #1 and #2 biggest threats. Phishing is the most common, and ransomware tends to be the largest claims in terms of dollars.

A big contributor to claims for non-profits is the fact that their financial data and some of their inner workings are publicly available through tax filings. Hackers can do their homework ahead of time in a way they can’t with most for-profits.

Accepting online donations is another one. In a lot of cases, the security around accepting payments and storing payments is not too robust. Hackers look to find a way in so they can steal some of the money being collected.

Volunteers are also becoming a risk factor. If organizations aren’t properly vetting their volunteers with things like criminal background checks and limiting their access to sensitive data, criminals will look to take advantage. It’s a trend our carriers are noticing.

Best Practice: Always Update Your Software

When software companies provide updates, they are not just doing so for superficial reasons. Instead, they are often working to resolve existing issues and make the software even more secure. When you prioritize cyber security at your business, you should turn on automatic updates for all software on every one of your computers.

Q: How does training play a role in cybersecurity? Can you name a few best practices?

A: Not so much training, but really an FYI for your employees. The size and complexity of your passwords REALLY matter.

Computers that are within the budget of most hackers are extremely powerful – as computers become more powerful, it takes them less time to guess a password. The best defense against this is long and complex passwords. It may be a pain if you must retype the password, but this type of password can be made almost uncrackable.

I’d say the best guideline is to have at least 10 digits, and include numbers, letters, and symbols. You never want to have a password below 8 digits – hackers may be able to guess these in only minutes if they’re really trying.

Best Practice: Create Secure Passwords

Even though awareness of the importance of password security has increased overall in recent years, the most commonly used password on the Internet is still 123456. Additionally, almost 60% of American adults use their own name or birthday in their password. This is a major hazard for businesses, and it can lead to your information being compromised. As part of your cyber security efforts, encourage employees to create secure passwords that cannot easily be guessed or uncovered with basic research.

Q: What should a baseline cyber defense include? (i.e. monitoring, multi-factor authentication, malware)

A: Multi-Factor Authentication for access to email and important applications should be item #1. It’s the most effective defense you can have in place because it requires a hacker to have your physical device – the majority of hackers are not going to go any further than their computer chair, and it’s probably not worth their time to find a way to get physical possession of your device, usually a phone. On the other hand, if someone simply finds the device and tries to access your data via the phone, they would also need to have the username and password to get in. Either way, you’re secure.

Number 2 would be cyber insurance. I put this behind Multi-Factor Authentication because increasingly Multi-Factor Authentication is required in order to get coverage. Modern cyber insurance policies provide very broad coverage – they protect your digital and physical assets, and they protect you against the possibility of being sued or fined because you had a breach.

Maybe just as valuable though are the resources and vendors that come along with most cyber insurance policies. Most carriers will set you up with a full array of breach services like IT professionals, cyber security vendors, attorneys (cyber regulation), and PR firms. If there’s a breach, they’ll assign you a “breach coach” to coordinate your response and advise on matters like whether it makes sense to pay a certain ransom demand or let the hacker proceed.

Best Practice: Work with the Right Partners

Working with the right partners when it comes to cyber security is imperative for any business. The cyber threat landscape is ever-changing, and it is nearly impossible for small and medium-sized organizations to stay ahead of these threats on their own. By working with the right partners, you can protect your organization with the proper coverage and access to the resources needed to prevent a breach.

Even if it might sometimes feel that way, no business is an island. Don’t be afraid to work with trustworthy partners to improve the technology and security of your business. At TriBridge Partners LLC, we offer compelling technology consulting services that make it easy for you to grow and thrive.

To discover how our experts can assist your organization or business, please call our office today at 240-422-8799 or email Jessica Storck at Jessica.storck@tribridgepartners.com. Thank you to Kiran Pande and Lamb Insurance; Kiran can be reached at KPande@lambis.com.