
Monday, December 8, 2014

Fight Back: How Your Business Can Survive the Cyber Threat


It was likely a morning that began as any other at the small business in this true story. Employees arrived for work, had some coffee and checked their email inboxes. A few noticed an email regarding a transfer of funds that had failed, and forwarded it to their in-house accountant, who clicked on the attachment to see if there was a problem that required attention. Twelve hours later, the bank account of the business was wiped clean of the $150,000 or so that represented the business’s operating liquidity.
Chris Hauser, 2nd Vice President, Travelers Investigative Services, leads a team that can be called upon in such situations. After investigating, his team was able to quickly piece together how the cyber breach had taken place. At 5:00 am, the company received about 30 spam emails describing a failed transaction. The emails were “laced with poisoned attachments,” says Hauser, and all but a few were blocked by the firewall as spam. “But the few that got through were passed around by employees and found their way to the accountant—putting the virus on the exact computer that the bad guy wanted to access.”
The accountant recognized something wasn’t quite right and ran an antivirus scan, but even though the virus was detected it couldn’t be removed in time. “It was a preventable incident,” says Hauser, “and there were several opportunities to thwart it if the employees were aware of computer security and the appropriate response.”
But they weren’t.
What You Can Do to Help Protect Your Small Business Against Cyber Attacks 
Small businesses, big risks
In the past year alone you’ve undoubtedly heard of several instances of big businesses falling victim to hackers, imperiling the sensitive personal information of millions of customers.
What doesn’t make the news are the countless incidents of cyber crime perpetrated against small businesses. For example, the latest iteration of sophisticated cyber attacks is ransomware, which quietly goes about encrypting all of a business’s data and then locks it down. Small businesses that have mountains of information—think local law firm, CPAs, dentists—are in a world of hurt if their data is taken hostage and they don’t have it backed up. (The endgame here for the bad guys is that you pay a ransom, typically in Bitcoin, to have the keys to your data returned to you. So intriguing is this particular type of cyber crime that it was recently featured on the hit TV show The Good Wife.)
According to Symantec Corp., a leader in information protection, targeted cyber attacks against small businesses nearly doubled in 2013, skyrocketing 91 percent compared to 2012. If you’re a small-business owner and your knee-jerk reaction to that fact is “Why would anyone bother to attack my business?” you have essentially answered your own question.
“That’s exactly the reason someone might target your small business,” says Travelers’ Mike DeHetre, Vice President of Product Development, Select Accounts. DeHetre is focused on small businesses in his work, and according to him, it’s a mistake to think the size of your business makes it safe from cyber attacks.  
“You might think your small business doesn’t have much to steal and that it’s fairly low-profile, and as a result you might not incorporate cyber risk management into your operations as thoroughly as you should,” says DeHetre. “That makes your business an extremely vulnerable and soft target for cyber criminals who aren’t looking to take down a multinational corporation—not all bad guys are after big fish. Some of them are happy to sit around and pick off low-hanging fruit until they aggregate a couple of thousand dollars of valuable material. From the mom-and-pop locksmith, the florist next door, the auto body shop down the street—and they just line them up and take them down in that fashion.”
Cyber Attacks Affect Businesses of All Sizes
The true nature of the threat
Part of the challenge and reward of running a small business is that, as the owner, you are involved in everything—which makes it hard to focus on any single thing. Risk management tends to be something you think about when the risks are actually becoming reality, only to give way to the daily responsibilities of your “day job” once those apparent risks recede.
“We encourage small businesses to change the lens they use to view cyber risks,” says DeHetre. “For example, most small-business owners have no trouble envisioning the risks associated with a fire, burglary or lawsuit regarding their products. Intrinsically, they get how those risks could impact their business. What we try to do is get them to consider cyber risk in that same category.”
The good news is that while it might seem like a lot of extra work to incorporate cyber risk management into your overall risk considerations, it’s quite possible you’re already doing so without realizing it. 
“A lot of what you’re already doing as a small-business owner within your business practices and safety and security programs is also important for cyber security, which allows you to focus on additional controls to be put in place to upgrade the quality of your cyber risk preparedness,” says Bob Gazdik, National Director, Risk Control, at Travelers.
Cyber Events Happen Every Day. Is Your Small Business Protected?
Putting the pieces in place
Being subjected to a hacker attack isn’t the only technology-related risk faced by your business. An employee could leave a laptop in a car and return to find it stolen, or a trusted vendor could have a careless moment with sensitive information. And there is the now not-so-new threat posed by social media, which can quickly turn a small event into reputational damage.
One of the best ways to address all of this, according to Gazdik, is to build your cyber security plan into your business continuity plan—you’ll find a lot of time-saving overlap here—and on top of that, prepare a cyber-incident response plan to protect your business and meet any regulatory requirements that might apply. “Cyber risk management is so important, we actually deliver resources with a self-assessment tool via our customer portal at Travelers.com to help our customers build their own core competencies,” says Gazdik.
The key, says Gazdik, is making sure your cyber security program stays aligned with your business strategies and your legal requirements. If you don’t have cyber security policies, you should develop them and be certain that your employees and vendors are aware of them and follow relevant procedures. “Keeping your technological controls constantly updated is an important part of cyber risk management,” says Gazdik, “but just as important is to self-evaluate what types of information your business is compiling, and to classify it by sensitivity level to decide who has access to the various levels of information and what level of security should be provided for each sensitivity level.” And you can add to that list bricks-and-mortar security actions such as employee training, physical security and access controls.

Into the breach
For a small business to have a risk specialist in its employ is unlikely, and in many cases an independent insurance agent could end up being a sounding board and de facto chief risk officer for your business. Think of it as a type of outsourcing. Even with that, your goal should be to have a complete risk management strategy.
“We have a flexible available product suite that provides coverage in the event that your small business suffers from a cyber event,” says DeHetre. “It covers the essential exposures for small businesses and can expand to a tailored product as your business grows and becomes more complex. The coverage and costs vary, so we recommend discussing the specific needs of your business with your independent agent.”
In short, Travelers can cover property issues and lawsuit and liability concerns—think of those as risk management essentials. But that’s not the end of the road. “You don’t want the entirety of your cyber risk management plan to be, ‘Well, it’s a good thing I bought an insurance policy,’” says DeHetre.
