The first step to solving problems is knowing you have them. And if you’re doing anything online then cyber security is certainly one of them – in fact, it should be on pretty much everyone’s minds these days.
“There used to be a time when cyber security was mostly a threat to big companies,” says Cory Gould, CWB’s Chief Information Security Officer. “But these days it’s something that affects everyone – whether you’re an individual or a business of any size, any industry. And while it’s not insurmountable, it is certainly everyone’s problem.”
“People often think that cyber security insurance is only for large companies,” she says. “They also often think that their business doesn’t really have any exposure to cyber security risk. In fact, everyone is at risk to some degree or another. Even if you have the best security set-up in the world, one accidental click on a malicious email link can sometimes be all it takes.”
In their roles, both Gould and Cammidge are plugged into the realm of risk and protection every day. Here they give a quick download on some cyber security fundamentals, including what key threats to look out for, how to protect yourself, and how to ensure you’re not left virtually (or literally) drained if you do unfortunately suffer a breach.
Top three threats to cyber security
What’s the old saying? Bad things come in threes? Gould says the following three cyber security threats should be on your radar at all times:
Ransomware: This is a form of malware (malicious software) that threatens to render inaccessible, withhold, or release the victim’s data or files unless a ransom is paid to the attacker to decrypt and restore access to the data.
Business email compromise: If a threat actor (a person or a group of people that take part in an action intended to cause harm) gains access to a business email account they can begin to learn your normal correspondence with your supply chain, your financial institutions, and other third parties. Just that small amount of information combined with access to your email account can set them up to start issuing requests on your behalf – like changing your billing information or accounts payable information. So a lot of loss can be generated from what may seem like a fairly innocent compromise.
Compromise of financial or other online accounts: Another result of the pandemic is that many of the things we used to do in person, we’re now doing online – including financial transactions. If an online account is compromised, this can lead to things like fraudulent bill payments or fraudulent wire transfers where threat actors are paying themselves with your hard-earned dollars.
How to protect yourself
While cyber security can feel complicated and daunting, Gould says the most effective defenses against a breach are actually a lot more straightforward than you might think.
“Eighty per cent of compromises are 100 per cent preventable,” says Gould. “And while the best ways to protect yourself might seem oversimplified, I encourage you to take them seriously. We tend to think about cyber breaches as being these hugely complex things, but the reality is that these threat actors gain access to your environment in quite simple ways that can be prevented through some fundamental cyber security best practices.”
Here are Gould’s top tactics for denying access to cyber criminals:
Password hygiene: Use passwords that are complex and more on the lengthy side (like a passphrase). And of course, don’t use the same password for everything – particularly when it comes to your social media accounts and your online financial accounts. “If a threat actor gets access to your social media account password for example, they’ll then cycle it through your other online accounts to see what other access they can get with it,” says Gould. He adds that, wherever possible, you should always use multi-factor authentication. This is an electronic authentication method that requests two or more pieces of evidence to prove you are who you say you are – such as a code sent to your mobile phone that you’ll need to enter to gain access to your account.
Use a password manager: Having trouble remembering all those passwords? A password manager is a computer program that allows users to store, generate, and manage their passwords in a virtual ‘vault’. When choosing one, Gould says to do your research and read the reviews, make sure it encrypts your passwords within the vault, and to create a password for accessing the vault that is as strong as humanly possible. And while he understands there may be some trepidation about entrusting all your passwords to a password manager, he says the risks for using one are far less than not using one. “Cyber security is a balance between functionality and protection of information,” says Gould. “I mean, the very best security is to unplug your internet connection, but the world we live in today revolves around the world wide web.”
Be email aware: Email is the #1 way a threat actor enters an organization’s environment, says Gould. Unfortunately, remote working has brought with it an increase in the sheer volume of email people are wading through on a daily basis, with the days of simply swinging by a colleague’s desk to ask a quick question now seeming like a distant memory. We’re all feeling a little digitally fatigued these days and that’s exactly when mistakes can happen – and it can take just one little slip-up like clicking on a malicious email link or attachment. Gould says that’s why when you get an email it’s so important to pause and take that 30 seconds to read it, understand what it’s asking, and discern if it’s a threat before taking any action on it.
Know the vulnerabilities within your environment – and do something about them: Often when a breach happens it’s due to a weakness or risk that was known about for months and even years. If you know your trouble spots, don’t delay in addressing them. And if you don’t know where you’re vulnerable, do a scan or assessment to figure that out… before a threat actor beats you to it.
Cyber security insurance
Just as it’s crucial to do everything you can to protect yourself from a cyber breach, it’s also important to ensure you’re prepared if a breach does occur. This is where cyber security insurance can help.
Cammidge says this type of insurance has a number of benefits (pardon the pun) – the first and most obvious being that some coverage is better than none (she recommends a limit of at least $1 million). But she thinks the greatest value comes from getting connected to a network of cyber security experts and services who are there to help you.
“Cyber insurance and cyber policies also come with risk management support, such as access to vulnerability scans, preferred vendors and discounted rates for things like IT consulting, support for the cost of implementing protocols, and resources for risk management protocols like cyber security checklists,” says Cammidge. “I think the biggest benefit is that you have access to a breach coach in the event that you do have a breach. You get one number to call and you’re connected with an expert. They’ll be able to manage and direct everything and tell you what you need to do. They’ll coordinate the response. That in itself can be a huge weight off your shoulders during an incredibly stressful time.”
Cammidge says cyber security insurance policies typically cover four main areas:
Third party liability/network security: This coverage responds to allegations of damages from a third party resulting from a cyber breach or incident that's occurred because of your actions or inactions. For example, a security breach where there is a release of other parties’ confidential information, or unknowingly sending a corrupted email or virus that causes damage to another’s network.
Regulatory investigation: This provides you with legal representation if your company is under investigation from a regulatory body.
First party coverage: This is a suite of coverages payable to the insured to cover the cost of a breach or cyber incident. For example, forensic IT costs, business interruptions (e.g. your website is attacked and you can’t sell your product), credit monitoring for those whose records have been breached, and ransomware (if insured) could fall into this category.
Cyber crime: Generally, an add-on coverage for a situation where there is a theft of funds or securities involving electronic means, such as a fraudulent request by someone impersonating someone else, or a fraudulent request to your banking institution. This coverage can also be a part of a crime insurance policy.
How to get cyber security insurance
When it comes to how much coverage to get, Cammidge says it depends on the type of business and the kind of data you’re handling (for example an accounting firm versus, say, a massage therapy business) as well as your risk and how vulnerable you currently are.
Here’s how to get the ball rolling:
- Call your broker.
- You’ll have to fill out an application and/or
- Some insurers underwrite by performing a network scan through publicly available information to determine your risk and vulnerabilities. Some can also issue a risk management report showing the results, which can be very helpful in identifying your potential weak areas and managing cyber risk.