Charles Giroux, Technology Manager, CSIO
It’s hard to know where to start with cybersecurity awareness these days. Data breaches are becoming a mainstay of headlines, and security concerns are commonplace. In fact, the number of cybersecurity attacks is rising quickly. Consider the following statistics that Munich Re Canada recently presented at IBC’s Commercial Insurance Symposium: 90 percent of all cyber breaches are due to human error, and 64 percent of small businesses don’t have any security measures to manage the use of personal devices. Here’s a brief summary of what’s at stake and the most effective ways to help mitigate your risk.
Cybersecurity is an umbrella term for the defences put in place to protect your digital assets – the electronic data stored by your company, and the systems you use to store and manage that data. A cyberattack is an assault on those systems and data.
What Do Cybercriminals Want?
Depending on the type of criminal, cyberattackers may be interested in:
- Immediate Gain: An attacker may penetrate your computer systems to access anything they can find, including confidential data, bank accounts, credit card numbers, etc.
- Data for Sale: An attacker may harvest sensitive personal information, passwords, or financial data for resale to others. Attackers could strike once or break into your system and silently gather data over an extended period.
- Ransom: This increasingly common strategy uses malware to encrypt or lock your data. An attacker then demands payment to unlock your systems. Even if you pay, you may not receive an unlock code, or you may find yourself victimized again by the same criminals.
- Business Disruption: Cyberattackers aren’t always interested in financial gain – they may want to hurt your business by corrupting your information, or tampering with your systems to prevent you or your customers from being able to use them.
- Business Intelligence: Cyberattackers may also try to steal intellectual property, access your confidential strategic or financial information, etc.
How Do They Do It?
Some of the most common attack methods are:
- Phishing: This is the use of a fraudulent email or text message to lure an unsuspecting person into disclosing personal information or credentials to a cyberattacker. Traditionally, these spoofed emails were easy to spot by their poor grammar and spelling; modern phishing attacks are much more sophisticated.
- Malware: Malicious software can damage your computer systems, open up channels for cyberattackers to gain access to your data, or even use your systems to launch attacks on third parties.
- Denial of service (DoS): This type of attack swamps your computer systems with unwanted requests, preventing you, your staff, or your customers from accessing your systems.
How Does a Cyberattack Affect Your Business?
Clearly, the impact of a cyberattack can be devastating not only to your business, but to your staff and customer base as well. Consider how your brokerage would cope if you were unable to use your computers for a day or for a week or more. How would your reputation be affected if news of a breach of confidential customer information were to appear on the front page of the Globe & Mail or Calgary Herald?
Recovering from a cyberattack can be costly and time-consuming in terms of lost time and business, rebuilding customer confidence and goodwill, regulatory fines and penalties, and heightened audit scrutiny. Some businesses never recover.
What Can You Do?
While your IT staff and service providers should take steps to lock down your technology to prevent or detect cyberattacks, educating yourself and your staff on how to be more “cyber aware” is an inexpensive and important approach to reducing your risk. If your business handles credit cards, then you’re obliged to provide security training for all staff at least annually in order to maintain PCI compliance. Cyber risks are constantly changing, so it’s essential to keep the training current. Interactive training modules are effective in raising staff awareness about cyber risks. Staff benefit from the training as they can use their newly raised awareness and knowledge to help defend themselves in their personal lives, as well as at the office.
Prepare, Prepare, Prepare
Preparing for the worst is also essential. Another PCI compliance requirement is the development of a data breach/incident response plan. Serving as part of your brokerage’s business continuity plan, an incident response plan outlines the steps that you and your firm would take in the event of a data breach. There simply won’t be enough time to react on the fly if a breach occurs: having a playbook at hand as a reference is invaluable.
Enroll in the CSIO Digital Broker eLearning Program
As part of its role in supporting brokers in increasing their digital competencies, CSIO has recently launched the CSIO Digital Broker eLearning Program. This new program offers IBAA members free, online courses that are accredited in Alberta. These one-hour interactive courses cover cybersecurity essentials as well as topics in digital marketing and insurance technology. Laurie Bauer, Business Development Manager with TW Insurance Brokers in Edmonton, has recommended the CSIO Cybersecurity course to her colleagues. “The schemes have become far more sophisticated, and this type of information is so important to avoid being a victim!”
IBAA members can access the courses at csio.com/eLearning.