The first step to solving problems is knowing you have them. And if you’re doing anything online then cyber security is certainly one of them – in fact, it should be on pretty much everyone’s minds these days.
“There was a time when cyber security was a threat to only the largest of companies,” says Cory Gould, CWB’s Chief Information Security Officer. “But those days are long behind us. Cyber security is something that affects everyone – whether you’re an individual or a business, any size, any industry. And while the problem is not insurmountable, it can only be managed with focused attention.”
Magdalena Cammidge, a partner at commercial insurance brokerage Lloyd Sadd Insurance Brokers, agrees, adding she often sees two common misconceptions when it comes to this topic.
“People often think that cyber security insurance is only for large companies,” she says. “They also often think that their business doesn’t really have any exposure to cyber security risk. In fact, everyone is at risk to some degree or another. Even if you have the best security set-up in the world, one accidental click on a malicious email link can sometimes be all it takes.”
In their roles, both Gould and Cammidge are plugged into the realm of risk and protection every day. Here they give a quick download on some cyber security fundamentals, including what key threats to look out for, how to protect yourself, and how to ensure you’re not left virtually (or literally) drained if you do unfortunately suffer a breach.
Top threats to cyber security
Gould says the following five cyber security threats should be on your radar at all times and notes that if you’re using third-party providers you need to also be aware that any breaches they experience could affect your organization by association. Regardless of the level of service a third party may provide, you are ultimately responsible for the risks associated with the work they do on your behalf.
Ransomware: This is a form of malware (malicious software) that threatens to render inaccessible, withhold, or release the victim’s data or files unless a ransom is paid to the attacker to decrypt and restore access to the data. Ransomware is evolving and becoming extremely efficient in its ability to compromise an environment. As technology continues to evolve, we can assume that ransomware will evolve as well.
Business email compromise: If a threat actor (a person or a group of people that take part in an action intended to cause harm) gains access to a business email account they can begin to learn your normal correspondence with your supply chain, your financial institutions, and other third parties. Just that small amount of information combined with access to your email account can enable them to issue requests on your behalf – like changing your billing information or accounts payable information. Large losses can result from what may seem like a fairly innocent compromise.
Compromise of financial or other online accounts: Another result of the pandemic is that many of the things we used to do in person, we’re now doing online – including financial transactions. If an online account is compromised, this can lead to things like fraudulent bill payments or fraudulent wire transfers where threat actors are paying themselves with your hard-earned dollars.
Digital adoption: For many businesses, the pandemic expedited digital initiatives as they looked for alternative ways to support their customers and employees with less human interaction. The introduction of any new technology or processes brings the potential for additional risk, particularly if organizations aren’t fully prepared for the shift.
Remote work: Securing a home environment against cyber threats poses a different challenge compared to protecting an office. As remote and hybrid work remain in the picture, organizations will need to recognize the associated risks and have plans in place to mitigate them.
How to protect yourself
While cyber security can feel complicated and daunting, Gould says the most effective defenses against a breach are actually a lot more straightforward than you might think.
“Eighty per cent of compromises are 100 per cent preventable,” says Gould. “And while the best ways to protect yourself might seem oversimplified, I encourage you to take them seriously. We tend to think about cyber breaches as overly complex, Hollywood-worthy stories, but the reality is the ways in which most threat actors gain access to your environment involve quite simple techniques that can be prevented through some fundamental cyber security best practices.”
Here are Gould’s top tactics for denying access to cyber criminals:
Password hygiene: Use passwords that are complex and more on the lengthy side (like a passphrase). And of course, don’t use the same password for everything – particularly when it comes to your social media accounts and your online financial accounts. “If a threat actor gains access to your social media account password for example, they will attempt access to your other online accounts using the same password,” says Gould. He adds that, wherever possible, you should always use multi-factor authentication. This is an electronic authentication method that requests two or more pieces of evidence to prove you are who you say you are – such as sending a code to your mobile phone that is required in addition to your username and password.
Use a password manager: Having trouble remembering all those passwords? A password manager is a computer program that allows users to store, generate, and manage their passwords in a virtual ‘vault’. When choosing one, Gould says to do your research and read the reviews, make sure it encrypts your passwords within the vault, and to create a password for accessing the vault that is as strong as humanly possible. And while he understands there may be some trepidation about entrusting all your passwords to a password manager, he says the risks for using one are far less than not using one. “Cyber security is a balance between functionality and protection of information,” says Gould. “The very best security is to unplug your internet connection, but I can’t imagine a world today without it. The key is finding the right balance and the reduction of risk to an acceptable level.”
Be email aware: Email is the #1 way a threat actor enters an organization’s environment, says Gould. Unfortunately, remote working has brought with it an increase in the sheer volume of email people are wading through on a daily basis, with the days of simply swinging by a colleague’s desk to ask a quick question now seeming like a distant memory. We’re all feeling a little digitally fatigued these days and that’s exactly when mistakes can happen – and it can take just one little slip-up like clicking on a malicious email link or attachment. Gould says that’s why when managing your email it’s critically important to pause and take that 30 seconds to read it, understand what it’s asking, and discern if it’s a threat before taking any action on it.
Know the vulnerabilities within your environment – and do something about them: Often when a breach happens it’s due to a weakness or risk that was known about for months and even years. If you know your trouble spots, don’t delay in addressing them. And if you don’t know where you’re vulnerable or don’t know where to begin, seek professional assistance to figure that out… before a threat actor beats you to it.
Cyber security insurance
Just as it’s crucial to do everything you can to protect yourself from a cyber breach, it’s also important to ensure you’re prepared if a breach does occur. This is where cyber security insurance can help. Cammidge says this type of insurance has a number of benefits (pardon the pun) – the first and most obvious being that some coverage is better than none (she recommends a limit of at least $1 million). But she thinks the greatest value comes from getting connected to a network of cyber security experts and services who are there to help you.
“Cyber insurance and cyber policies also come with risk management support, such as access to vulnerability scans, preferred vendors and discounted rates for things like IT consulting, support for the cost of implementing protocols, and resources for risk management protocols like cyber security checklists,” says Cammidge. “I think the biggest benefit is that you have access to a breach coach in the event that you do have a breach. You get one number to call and you’re connected with an expert. They’ll be able to manage and direct everything and tell you what you need to do. They’ll coordinate the response. That in itself can be a huge weight off your shoulders during an incredibly stressful time.”
Cammidge says cyber security insurance policies typically cover four main areas:
Third party liability/network security: This coverage responds to allegations of damages from a third party resulting from a cyber breach or incident that's occurred because of your actions or inactions. For example, a security breach where there is a release of other parties’ confidential information, or unknowingly sending a corrupted email or virus that causes damage to another’s network.
Regulatory investigation: This provides you with legal representation if your company is under investigation from a regulatory body.
First party coverage: This is a suite of coverages payable to the insured to cover the cost of a breach or cyber incident. For example, forensic IT costs, business interruptions (e.g. your website is attacked and you can’t sell your product), credit monitoring for those whose records have been breached, and ransomware (if insured) could fall into this category.
Cyber crime: Generally, an add-on coverage for a situation where there is a theft of funds or securities involving electronic means, such as a fraudulent request by someone impersonating someone else, or a fraudulent request to your banking institution. This coverage can also be a part of a crime insurance policy.
How to get cyber security insurance
When it comes to how much coverage to get, Cammidge says it depends on the type of business and the kind of data you’re handling (for example an accounting firm versus, say, a massage therapy business) as well as your risk and how vulnerable you currently are.
Here’s how to get the ball rolling:
- Call your broker.
- You’ll have to fill out an application and/or
- Some insurers underwrite by performing a network scan through publicly available information to determine your risk and vulnerabilities. Some can also issue a risk management report showing the results, which can be very helpful in identifying your potential weak areas and managing cyber risk.