By: Charles Giroux, Technology Manager, CSIO | December 2019
Your eyes already glazing over at seeing yet another article on cybersecurity? Data breaches are becoming a mainstay of headlines, and warnings over security concerns are common. In fact, the number of cybersecurity attacks is rising quickly: according to Chubb Insurance, ransomware claims in the first half of 2019 surpassed the total number of ransomware claims Chubb saw in all of 2018. Here’s a brief summary of what’s at stake and the most effective ways to help mitigate your risk.
Cybersecurity is an umbrella term for the defences put in place to protect your digital assets – the electronic data stored by your company, and the systems you use to store and manage that data. A cyberattack is an assault on those electronic data and systems.
What are Cyberattackers After?
Depending on the type of criminal, cyberattackers may be interested in:
- Immediate Gain: An attacker may penetrate your computer systems to gain access to anything they can find, including confidential data, bank accounts, credit card numbers, etc.
- Data for Sale: An attacker may harvest sensitive personal information, passwords, or financial data for resale to others. Attackers may strike once or break into your system and silently gather data over an extended period.
- Ransom: This increasingly common strategy uses malware to encrypt or lock your data. A cyberattacker then demands payment to unlock your systems. Even if you pay, you may not receive an unlock code, or you may find yourself victimized again by the same criminals.
- Business Disruption: Cyberattackers aren’t always interested in financial gain – they may be just as interested in hurting your business by corrupting your information, or tampering with your systems to prevent you or your customers from being able to use them.
- Business Intelligence: Cyberattackers may also be interested in your information to try to steal intellectual property, access your strategic or financial information, legal matters, etc.
How Do They Do It?
Some of the most common attack methods are:
- Phishing: This is the use of a fake email or text message to lure an unsuspecting person into disclosing personal information or credentials to a cyberattacker. Traditionally, these spoofed emails were easy to spot because of their poor grammar and spelling; modern phishing attacks are much more sophisticated.
- Malware: Malicious software can damage your computer systems, open up channels for cyberattackers to gain access to your data, or even use your systems to launch attacks on third parties.
- Denial of service (DoS): This type of attack swamps your computer systems with unwanted requests, preventing you, your staff, or your customers from accessing your systems.
Clearly, the impact of a cyberattack can be devastating not only to your business, but to your staff and client base as well. Consider how your brokerage would cope if you were unable to use your computers for a day or for a week or more. How would your reputation be affected if news of a breach of confidential client information were to appear on the front page of the Globe & Mail or Vancouver Sun? Recovering from a cyberattack can be costly and time-consuming in terms of lost time and business, rebuilding customer confidence and goodwill, regulatory fines and penalties, and heightened audit scrutiny. Some businesses never recover.
What to Do?
While your IT staff and service providers should be taking steps to lock down your technology to prevent or detect cyberattacks, educating yourself and your staff about being more “cyber aware” is an inexpensive and important approach to reducing your risk. If your business handles credit cards, then you’re obliged to provide security training for all staff at least annually in order to maintain PCI compliance. Cyber risks are constantly changing, so it’s essential to keep the training fresh and current. Interactive training modules are effective in raising staff awareness about cyber risks. Staff benefit from the training as they can use their newly raised awareness and knowledge to help defend themselves in their personal lives, as well as at the office.
Prepare, Prepare, Prepare
Preparing for the worst is also essential. Another PCI compliance requirement is the development of a data breach/incident response plan. Serving as part of your brokerage’s business continuity plan, an incident response plan outlines the steps that you and your firm would take in the event of a data breach. There simply won’t be enough time to react on the fly if a breach occurs: having a playbook at hand as a reference is invaluable.
How Can CSIO Help?
As part of its role in supporting brokers in increasing their digital competencies, CSIO offers free online eLearning courses to IBABC members. These courses cover cybersecurity essentials and several other topics. Members of provincial associations are automatically members of CSIO. Once you’ve finished a course, you can submit the certificate of completion to the Insurance Council of British Columbia for consideration for CE credit. You can register for courses at csio.com/eLearning.