Catherine Smola, President & CEO | Canadian Underwriter insBlogs
Even as 2015 drew to a close, one of the year’s most pressing business risks – cyber security – made a headline-worthy splash. Well, at least it would have made headlines if the target hadn’t been the British Broadcasting Corporation (BBC), whose news and entertainment websites were shut down by hackers for several hours on New Year’s Eve. Businesses large and small should take note: Cyber risk isn’t going away.
Having an effective, current cyber security policy in place is crucial to protecting business systems and the sensitive customer information they store, and the only way to ensure it remains current is to review it regularly. At CSIO, we reached out to several security experts to get their recommendations and tips on how organizations can best protect themselves from an attack. Some key recommendations they provided:
Educate Staff on Cyber
Many security breaches occur not because of coding expertise or technological sophistication, but as a result of good, old-fashioned human error. Broadly known as social engineering, this approach takes advantage of common human behaviour to trick employees into downloading malicious code or divulging sensitive information.
One common type is called phishing, where hackers create websites or emails that look as though they are official, urgent communications from a bank or other recognized company. When employees click a link, they may inadvertently download malicious code. Another method is to physically visit the target business, leaving USB memory sticks or CDs labelled with names such as “Payroll” or “Staff Evaluations” for curious employees to find and load on their computers. An even simpler approach is for attackers to target specific records by posing as an authorized individual over the phone.
A more recent form of attack, known as ransomware, uses malicious code to encrypt computer systems and render them unusable. Affected businesses are told to pay the attacker a specified sum of money, after which the encryption may (or may not) be removed.
To minimize the risk of exposure, all staff should be educated about the latest strategies and techniques that rely on human error.
Reduce Cyber Risk Inside and Out
As a general rule, a thorough cyber security review will include numerous internal factors such as:
- Employee password rules
- Administrator rights
- Physical document storage
- Employee computer and document management (e.g., automatic lock-outs or a clean desk policy)
However, it is a good idea to extend the review to include any third-party companies that manage data on your behalf, such as IT providers, website hosts and database managers. Do these providers have security procedures in place that meet your company’s needs? Is there a risk that a successful cyber attack on their systems could impact your business?
As noted in a previous blog, cyber crime is not restricted to large businesses – in 2011, 40% of those attacked in Canada were in the small to medium size category. Many small businesses feel that they are too insignificant to be attacked, failing to realize that many cyber attacks are not targeted at all, but are instead cast as widely as possible to exploit any vulnerability they encounter. And because the insurance industry collects exactly the type of information cyber attackers so often seek to acquire – names, addresses and financial information – every insurance professional should take cyber very seriously.