First created in the early 2000s, cyber insurance has been steadily evolving to protect businesses against all kinds of losses that result from attacks by sophisticated cyber-criminals. Hackers are constantly looking for new ways to exploit weaknesses in network and security software in order to extort businesses, steal and sell data, and otherwise wreak economic havoc on companies of all sizes.
Along with computer and network security protocols, a cyber insurance policy is an integral part of your company’s cybersecurity and risk management strategies. E-commerce sites are no longer the only businesses vulnerable to attack – every company that stores sensitive data on its systems needs to protect itself against the possibility of any number of potential data breaches.
Even the relatively simple act of locking your company out of its systems for a few hours can have serious and unanticipated financial and reputational consequences. In fact, according to the Canadian Chamber of Commerce, Canadian businesses are losing billions of dollars each year to cybercrime making cyber insurance coverage a must-have for companies that conduct business online or use computer systems in their day-to-day operations.
How Your Business May be Vulnerable to Cyber Threats
There are several ways that anyone with computer access and the right knowledge can compromise your company’s data for financial gain.
Below are just a few examples of security breaches you might be exposed to:
Phishing
This is the most common type of social engineering attack (an attempt by the fraudster to get a victim to divulge personal information). Phishing is usually done by sending a phony email that looks legitimate and sends the recipient to a malicious website designed to steal the person’s login credentials or other personal information.
Tips to protect your company from a phishing scam
- The most important tip for protecting your company from phishing scams and other cybersecurity threats is to educate your staff.
- Cybersecurity best practices include employing dedicated, full-time cyber-security experts (either in-house or outsourced) to continually train your staff on new cybersecurity threats, including how to identify the latest phishing attacks as they are constantly evolving and becoming more convincing.
- Use anti-phishing software. There are several options that can detect vulnerabilities, identify malware attachments, recognize man-in-the-middle attacks and prevent suspicious emails from reaching staff inboxes.
- Installing ahead-of-attack software that can detect and block suspect URLs and requests.
- Limit staff access to sensitive and high-value data and systems.
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
One of the oldest tricks in the book, a hacker uses one computer (DoS) or multiple computers (DDos) to flood a network, server or system to overwhelm its resources and hold it hostage until the hacker’s demands are met.
Preventing DOS and DDoS attacks
- The first step in preventing a DOS or DDoS attack is being prepared for one. The first steps taken immediately following an attack will have a significant impact on how much damage is done and how long it will take to recover.
- This means having a professionally crafted response plan and updating it regularly. A DOS or DDoS attack response plan can include identifying hardware and software tools designed for such attacks and having them in place, creating a response team with clearly defined roles and responsibilities and developing a contact list of internal and external support staff and stakeholders for the response team that includes clients, cloud service providers and outside security providers.
- Build and maintain solid and secure network architecture. This will include a combination of tools such as firewalls, VPN, content filtering, load balancing and DDoS migration options and keeping them up-to-date.
- Consider third-party hosting, cloud services and DDoS-as-a-Service.
- Know the threats and monitor your network for unusual activity.
Malware
The well-known method of attacking a system using viruses, worms, spyware, and the increasingly popular ransomware. An employee or user within the system unknowingly downloads the malware by clicking on a link or opening an email attachment. The malicious software then causes damage and data breaches by disrupting the system or crashing it all together; the spyware secretly sending out sensitive information; or in the case of ransomware, blocking access to data or the network until a ransom has been paid.
How to prevent malware attacks on your business
- Similar to preventing phishing attacks, the first steps in protecting your company from malware attacks include education and regular training of staff to be able to identify malware threats.
- Deploy a robust network security firewall, anti-virus, anti-malware and anti-ransomware software and ensure that they are regularly updated. Enforcing strong password usage, using two-step verifications and limiting admin access are also recommended.
- Use encryption software to protect your sensitive data in case of a breach. Backing up your data and storing it in several off-site locations is also crucial in the event of a breach, allowing you to replace lost data and mitigate losses.
SQL Injection
This can be done by simply entering malicious code into a website’s search box and infecting a server that uses SQL. This type of attack will allow a hacker to access and tamper with server data, giving him/her the ability to alter, delete and download transactions, balances, and other stored, sensitive information.
Protecting your company from SQL injections
- Input validation. This verifies that information entered by a user conforms to an accepted format, length, type, whitelisted data structures (e.g. name, age, address), radio and drop-down menu options, etc.
- Parameterized queries or statements that are database query templates that can prevent SQL injections that do not conform to the template.
- Use a web application firewall that monitors incoming and outgoing traffic of your web servers, identifies threat patterns and acts as a barrier between web applications (e.g. a search box) and the internet.
What is Cyber Insurance and What it Covers
Cyber insurance, also known as cyber risk and cyber liability insurance, is not generally included in traditional business liability policies. A cyber insurance company policy is specifically designed to help your business recover from costs related to a cyber attack.
Some of the losses that a cyber insurance policy may cover include:
- Business interruption costs – this includes loss of income during the time that business was unable to complete transactions due to a cyber attack.
- Data loss recovery – the costs incurred by restoring or repairing data.
- Theft – money that was taken directly from a business through a cyber event.
- Extortion – payments to an extortionist who locks a company out of its systems or threatens to release sensitive information.
- Investigations – to find out the full extent of the intrusion, how it happened, and how to avoid the same thing, or something similar, from happening again. This is an involved and costly process that may even require hiring a third-party forensic investigator.
- Third-party damages – this can include the costs to customers or other companies you do business with who suffered a loss through a breach of your system.
- Privacy and notification costs – most countries have laws requiring a business to notify its customers if their information was compromised in a cyber intrusion. There may also be costs to compensate victims of identity theft when personal information is stolen.
- Legal expenses – some cyber liability insurance policies will pay for legal fees, fines and damages, and settlements awarded in lawsuits due to the exposure of confidential information.
- Reputation recovery costs – with a breach of information, a business could suffer a significant loss of revenue due to a lack of confidence from existing and potential customers. Some cyber liability insurance policies will help a company with its costs to recover from the damage to its reputation.
Is Cyber Insurance Necessary?
Considering how much businesses in every industry have come to rely on technology to perform even the most basic tasks, the importance of cybersecurity can not be overstated. Having said that, even the most reputable software and computer systems are not 100% reliable as we have seen time and again with major corporations and government agencies suffering data breaches. We have also seen that hackers are increasingly targeting small and medium-sized businesses.
Cyber liability insurance policies are specifically created to help businesses recover from the losses resulting from cybercrime and add an extra layer of protection against the risks of digitizing your business tasks and records.
For companies that conduct transactions online, the answer is even more straightforward – an uninsured cyberattack that results in your customers’ private information being compromised would be catastrophic, and could very likely mean bankruptcy.
Why ALIGNED is the Right Choice for your Cyber Liability Insurance
Our ALIGNED Advocates are experts in commercial insurance broker coverage and protecting businesses from all threats, physical and digital. Cyber liability insurance, privacy coverage, and proactive cyber risk tactics are all part of a comprehensive risk management strategy. Talk to us about the best cyber solutions.
