24 Oct Cyber Security Awareness Month in Massachusetts – Part II
October is Cyber Security Awareness Month in Massachusetts – Part II
In Part I of our two-part blog on cybersecurity, HUB International discussed the important purpose of the U.S. Department of Homeland Security (DHS) National Cyber Security Awareness Month (NCSAM). We also enlisted the help of Jason LeDuc, Vice President of Consulting Services at Foresite, a global service provider of managed security and consulting solutions to give readers insight into the top cyberattack techniques your business should be aware of today and in the future.
Now, in Part II, we will share our perspective on how to protect your Massachusetts business against these cybersecurity threats, and share additional knowledge from LeDuc, whose specialty is helping companies, like yours and ours, identify online vulnerabilities and stop a data breach before it happens.
How To Better Protect Your Data Against Cybersecurity Threats
No company is risk-free from a cyberattack. Every business – large or small, publicly traded or a non-profit, academic or a government agency – should act to reduce threats, minimize risk and protect themselves against the most common cyber threats. In addition, there are several industries that are highly regulated and must manage critical data systems as mandated by law, including legal services, financial services, retail, healthcare, education, and, our very own, the insurance industry.
There are many resources that organizations, like yours and ours, can turn to for help in strengthening cyber resilience, including the National Institute of Standards and Technology Cybersecurity Framework. Based on this framework, here are some key questions that you should know the answers to – or need to get answered as soon as possible – in order to ensure the cybersecurity of your business:
1. What data do we keep?
It might be a hair-pulling exercise, but it’s critical to first compile what data your organization transmits and/or stores. Knowing the types of data you have will not only help you determine how to protect it but also identify any compliance requirements you may need to meet. Relying on your IT team for this is not enough; each department in your company will need to be involved in sharing all the types of information being processed.
2. What protects our data?
Now that you know what you have, the next step is to find out what you currently have in place to protect it. Do you encrypt all sensitive data? Is two-factor authentication used? It’s important not only to have a Plan A, but also a Plan B so that even if an attacker gets through one layer of security, they are not going to get through a second layer.
3. How do we detect a threat?
Just having antivirus software is not enough; malware and other cyber threats are constantly evolving and most antimalware software cannot keep up. Perhaps it’s time to consider managed security services such as 24/7 security monitoring and alerting from a third party. “Companies like ours will monitor your endpoints, firewalls, routers, switches, and all other logs in order to identify anything suspicious,” says LeDuc. “Having experts not only keeping watch over your vulnerability, but also assessing it regularly, will put you in the best security position possible.”
4. How will we respond to an incident?
When an employee realizes they may have allowed a cyber threat into their computer, and suspects it might attack the whole network, do they know what to do? It may seem obvious that they should inform you right away; however, in some cases, an employee may want to try to hide their mistake. Let your workers know that falling for a phishing email or clicking a virus-ridden link happens to the best of us and that the sooner they let you know about it, the more likely the impact of the attack can be mitigated. “Stop and report something suspicious immediately,” warns LeDuc. “It will be much easier for your internal security team to remediate the threat at this point, rather than after it’s infiltrated your network.”
In addition, by working with a managed security company, you can actually uncover who in your company is most likely to fall for phishing or another attack. “An experienced team can actually engineer a threat that will test your employees’ understanding of how to respond to a suspicious email, link, or other activity,” explains LeDuc. “For example, we can send out an email that looks like it is coming from your company’s IT department, but is actually coming from a Foresite IP address. It might say something like, ‘We’ve recently experienced a hack and we need everyone to click this link, then login with your old password information, and then choose a new password.’” Once Foresite gets the results of the click-throughs from this impersonation exercise, they create a report for the customer and develop training on how employees should have responded. As a business owner, it’s very important that your company is staffed with people who have the ability to quickly identify threats and know what action to take.
5. How fast could we recover from a data breach?
You obviously want to ensure that you get back to business as quickly as possible should you experience a cybersecurity event. One part of the recovery process is to learn from what happened and, based on this knowledge, strengthen your processes and systems for the future. “You may have implemented firewalls and antivirus software and have great patch management routines where you are fixing security vulnerabilities and other bugs regularly,” says LeDuc. “But if you are not educating your people on the things they should and shouldn’t do in the online environment, then it’s highly likely your company is going to fall prey again and again to attacks.”
Another facet of recovery is having the right insurance coverage in place. “Data breach and cyber liability insurance coverage is essential for any business that handles or stores any private customer, patient, or employee data,” explains Bill Trudeau, President/CEO of HUB International. This includes, but is not limited to:
- financial institutions (e.g. banks, credit unions)
- accounting offices
- medical offices
- schools and universities
- large retailers (e.g. supermarkets)
- businesses that do a lot of credit card transactions online
If you should have an information security incident, your data breach and cyber liability insurance offers you time-saving professional services to help quickly restore your business’ reputation, guide you in handling a breach, and assist with regulatory compliance. In addition, this insurance covers response expenses, including mailing notification letters, credit monitoring services and public relations. Finally, having this coverage means that you have protection against defense and liability expenses in the event that the breach results in a lawsuit.
While you can address all of the above steps internally, you do not have to go through the process alone. “As your insurance partner, HUB International is here to help you understand your cyber exposures through a thorough risk assessment at the beginning of our relationship with you,” says Trudeau. Some of the questions we ask you upfront include:
- Do you use commercially available firewall and antivirus protection?
- Do you enforce a software update process including installation of software “patches”?
- Do you have and enforce policies concerning when internal and external communication should be encrypted?
Your responses to questions like these could actually help you uncover unsafe online behaviors that you, your company, or your employees may be engaged in.
Promoting Cybersecurity In The Workplace
Even if you have a comprehensive cyber incident response plan, as well as data breach insurance in place, we know you would prefer to never have to use either one. Below are four fundamental cybersecurity tips that we believe you should share with your employees and that may help prevent a damaging cyberattack from occurring.
Four cybersecurity tips to share with your employees:
Tip #1: Beware of the Signs
To spot malware before you or an employee invites it into your computer, heed these red flags:
- Pop-up antivirus alerts
- Links that are shortened, come to you in an unsolicited email, or have a bunch of strange characters
- Attachments with potentially dangerous extensions like .exe, .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .vbs, .wsf, .cpl, .jar and more
- Microsoft Office files ending with an “m”, such as .docm, .xlsm, and .pptm, which can contain macros and cause harm
- Phishing tactics, like an email that appears to be from someone you trust, that preys on your human curiosity, or causes you concern or confusion
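As an added example (not code from the original post or from HUB International or Foresite), the following attachment screen turns the two file-type red flags above into a check a mail gateway or help desk could run: it blocks the listed dangerous extensions and flags macro-enabled Office files. Only the final extension is judged, so a name like invoice.pdf.exe is still caught; the sample filenames are constructed.

```python
import os
import re

# Attachment extensions the post lists as potentially dangerous.
DANGEROUS_EXTENSIONS = {
    ".exe", ".msi", ".bat", ".com", ".cmd", ".hta", ".scr", ".pif",
    ".reg", ".js", ".vbs", ".wsf", ".cpl", ".jar",
}

# Macro-enabled Office files: the normal extension plus a trailing "m"
# (.docm, .xlsm, .pptm and their template variants).
MACRO_OFFICE_RE = re.compile(r"\.(doc|dot|xls|xlt|ppt|pot)m$")


def classify_attachment(filename: str) -> str:
    """Return 'block', 'warn' or 'allow' for one attachment name."""
    # Normalise case and surrounding whitespace so 'Report.EXE ' is not missed.
    name = filename.strip().lower()
    # splitext keeps only the last extension, so 'invoice.pdf.exe' is
    # judged by '.exe', which is the part the operating system would run.
    _, ext = os.path.splitext(name)
    if ext in DANGEROUS_EXTENSIONS:
        return "block"
    if MACRO_OFFICE_RE.search(name):
        return "warn"
    return "allow"


def screen_message(attachments):
    """Classify every attachment of one message.

    Returns (message_verdict, [(name, verdict), ...]); the message
    verdict is the most severe verdict among its attachments.
    """
    results = [(a, classify_attachment(a)) for a in attachments]
    if any(v == "block" for _, v in results):
        return "block", results
    if any(v == "warn" for _, v in results):
        return "warn", results
    return "allow", results


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real message.
    sample = ["Q3_report.pdf", "invoice.PDF.exe", "budget.xlsm", "notes.txt"]
    verdict, details = screen_message(sample)
    for name, v in details:
        print(f"{v:5}  {name}")
    print("message verdict:", verdict)
```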
Tip #2: Investigate Anything Suspicious
If an email looks fishy or you are anxious about clicking a link, there are some tools you, and your employees, can use to check for viruses before taking any action. For example, you can check strange-looking links by expanding them and verifying their true destination with services such as CheckShortURL. You can also check the safety of a link with link scanners such as Norton SafeWeb, URLVoid, or ScanURL.
Tip #3: Stay Up to Date
Make sure all antimalware/antivirus software is the most recent version because, if it doesn’t have the latest virus definitions, it’s not going to be able to catch the latest threats. To make this turnkey for you and your employees, this software should be set to auto-update on a regular basis. You may want to consider enabling the “real-time” or “active” scanning options as well. This may use up more system resources, but as LeDuc said previously, wouldn’t you rather catch malware while it’s trying to enter your system than after a computer has already been infected?
Tip #4: Use a Variety of Login Credentials
In the case of cybersecurity, “recycling” is a very bad idea. Using the same usernames and passwords across websites and computer applications makes you extremely vulnerable to an attack. It might not surprise you that there is a black market for usernames and passwords that have been collected from breached websites or services. Plus, once a cybercriminal has your credentials, they can be fairly confident that these will work on another website or service, including your email, bank account, favorite sports forum, and so much more. To better secure your company’s data, we highly recommend that you have your employees select different usernames and passwords for all apps and websites. If they complain about how tough it is to remember all their various credentials for everything, consider investing in a password manager to help your team keep track of this information.
As the DHS states, there are simple actions that each one of us can take – especially in the workplace – to protect ourselves online. In addition, there are many resources to help business owners understand what you can do to recover in the event a cyber incident does occur at your place of business.
Why HUB International Is A Trusted Advisor For Data Breach Insurance And More
The HUB International team has become an integral resource to many Massachusetts companies who have needed assistance in identifying and managing risks to their businesses, including cybersecurity threats.
“We are one of the largest, privately owned, independent insurance agencies in the region,” says Trudeau. “So, we have the capability to not only offer business insurance clients the optimal data breach insurance options for their needs, but can also provide them with an initial risk assessment through our detailed consultative approach.”
In addition, as your insurance professionals, HUB International will stay up to date on information coming in from the insurance industry marketplace, so we can identify potential new cyber exposures for which you may need additional coverage and protection. We also have an extensive network of partners and are happy to connect you with the best resources for testing your vulnerability to a cyberattack and helping you reduce the risk of something bad happening to your data. In some cases, these types of assessments can actually decrease your data breach and cyber liability insurance premium.
Most important, Trudeau would like to remind business owners, “Should you ever experience a data breach emergency, our dedicated team will be here to answer all your questions, to contact your insurer to file the claim, and to monitor your insurer throughout the claims process. HUB International has a dedicated claims expert whose responsibility it is to make sure that your insurer is working on your behalf to resolve the situation as quickly and effectively as possible.”
If you are ready for a more personal relationship with a trusted insurance agent who is always looking out for you and your company, then call us today at (800) 243-8134 or stop into any one of our five convenient Massachusetts offices.