Contributed by: Jennifer Costanzo, CRIS®, Risk Manager - Promark Agency
Cyber losses have risen sharply in the past few years, and so have the risks to small and mid-sized design firms. Cyber threats are no longer only a concern for large retailers and financial institutions with mountains of personal data to mine. As those larger operations become more vigilant about securing their data, attackers have turned their attention to unsuspecting, and typically under-protected, smaller businesses.
Nearly all organizations rely on the internet to transact business daily. That reliance translates to a regular onslaught of malware. Considering that a hacker can buy a trojan (malware that disguises itself as legitimate software) for as little as $500 on the dark web, the source of an attack can be anyone from a technical mastermind to a petty thief with an internet connection. Worse still, those attackers are not necessarily targeting you; they are targeting anyone who will open and download their malware, and they are using automated tools that run continuously in the background looking for victims.
I have firewalls and spam filters.
Me, too. But I’m still getting emails from a law firm in Canada that has a significant amount of money for me from a long-lost relative if I’d just send money and click on that link…
None of my staff would click on a link in an email from a law firm in Canada promising money for money.
You’re right. They probably wouldn’t. But what about the email I received from Apple about my Mac? It came from appIe.com. That’s a legitimate email, no? And it has an update for me to download. Except, if you could hover over the link, you’d see that the email is from appIe.com. See, the “i” was capitalized to look like an “l”. Tricky, tricky.
What about the email from a sub (subcontractor) with an invoice and new banking information? The amount and the party asking for the money are correct, but it turns out the sub’s email account was hacked.
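The look-alike domain in the Apple example and the hacked subcontractor in the invoice example are two different failures, and a simple check tells them apart. The following Python is an added example, not code from the original article: it parses a From: header, lowercases the domain (mail clients treat appIe.com and appie.com as the same name), collapses common look-alike characters into a "skeleton", and compares that skeleton, plus a one-character edit distance, against a list of domains the firm actually does business with. The trusted-domain list and the sample headers are constructed for illustration.

```python
"""Added example (not from the original article): flag sender domains that
imitate a trusted domain, e.g. a capital "I" standing in for lowercase "l"."""
import unicodedata
from email.utils import parseaddr

# Constructed list of domains this hypothetical firm exchanges mail with.
TRUSTED_DOMAINS = {"apple.com", "microsoft.com", "acme-engineering.com"}

# Multi-character look-alikes are collapsed first ("rn" reads as "m").
_SEQUENCE_CONFUSABLES = [("rn", "m"), ("vv", "w")]

# Single characters that look alike in common fonts. Capital I is lowercased
# to "i" before this table is applied, so "i" -> "l" catches appIe.com.
# A few Cyrillic letters are included because they render identically.
_CHAR_CONFUSABLES = str.maketrans({
    "i": "l", "1": "l", "|": "l",
    "0": "o", "5": "s", "3": "e", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize_domain(domain: str) -> str:
    """Case-fold and Unicode-normalize a domain the way a resolver would treat it."""
    return unicodedata.normalize("NFKC", domain).lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Reduce a domain to a form where look-alike characters compare equal.

    The same reduction is applied to trusted domains, so a legitimate "i"
    inside microsoft.com does not cause a false alarm: both sides become
    "mlcrosoft.com" and only a different spelling breaks the match.
    """
    d = normalize_domain(domain)
    for seq, rep in _SEQUENCE_CONFUSABLES:
        d = d.replace(seq, rep)
    return d.translate(_CHAR_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a dropped or swapped letter (appel.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain).

    verdict is "trusted" for an exact match, "lookalike" when the domain
    imitates a trusted one, "unknown" for anything else, and "unparseable"
    when no address could be read from the header.
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    lowered = normalize_domain(domain)
    if lowered in trusted:
        return ("trusted", lowered)
    skel = skeleton(lowered)
    for t in trusted:
        if skeleton(t) == skel:
            return ("lookalike", t)
    for t in trusted:
        if edit_distance(lowered, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for header in [
        "Apple Support <update@appIe.com>",
        "noreply@apple.com",
        "billing@micros0ft.com",
        "accounts@acme-engineerng.com",
        "someone@gmail.com",
    ]:
        print(f"{header!r:45} -> {classify_sender(header)}")
```

Note what the check does and does not tell you. A "lookalike" verdict means the message did not come from the trusted domain at all. A "trusted" verdict only means the domain is right; in the invoice example above the mail really did come from the sub’s account, because that account had been taken over. No header check catches that case, which is why a change of banking details has to be confirmed by phone using a number you already had on file, never one supplied in the email.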
Did you know that your VoIP phone system has a password? Have you changed it from its original settings?
Did you know that hackers can access your network printers if not properly protected?
Does your staff know not to leave their company laptops, tablets and smartphones where they can be stolen? Or their own devices, if they use them to access company data? And what kind of protections (screen locks, encryption, remote wipe) do those devices have?
What about your liability to third parties who are injured because of your breach? What if you are the sub that sent that false invoice? Or an email from you contained malware that infected another firm’s system?
But what does a hacker want from me? I don’t keep much personal or financial information.
A hacker wants money. Your data may not be valuable to them, but it’s valuable to you. If they can’t sell your data to an interested party, or use your system to hack someone else, they can simply lock your data up and demand money from you to get it back. The demand is likely to be in bitcoin, and it can be any amount they want it to be. This is called ransomware. Sometimes it’s worth paying and sometimes it’s worth calling in the backups; paying does not guarantee you get a working decryption key, so tested, offline backups are the safer bet.
These are just a few examples of how your data can get into the wrong hands and be used against you. Implementing strong computer policies, using firewalls, encrypting data and backing up regularly, along with commonsense strategies like never opening an attachment or downloading a file you weren’t expecting and verifying any new banking details by phone before making a transfer, are good, non-insurance risk management strategies.
For the expenses you can’t absorb – breach investigation, ransomware payments and data restoration, potential replacement of hardware, breach notification obligations, potential liability to a third party, and others – you should know that coverage is typically very limited or non-existent in traditional insurance policies such as a business owners policy or professional liability. Stand-alone coverage or endorsements to existing policies can be purchased to cover your own losses (first party) and/or losses you cause to another (third party).
Consider your exposure. Consider your strategies. Consider calling us to discuss how we can help you deal with a loss you can’t afford.
For more information on Cyber Risks to design firms, I invite you to listen to our recorded webinar, Navigating Cyber Risks for Design Firms.