We’ve all had the frustrating experience of thinking up complex passwords, then receiving an email a few months later with the news that the site was hacked and all passwords should be changed. Ransomware, email compromises, and other types of cybercrime are rampant. An individual user can only do so much to protect personal or corporate data; a hacker intent on getting all of a company’s credit card information won’t be impeded by a few particularly strong passwords.
Even if you don’t have customer credit card data, you do have valuable information. A general hacker might like access to employee Social Security numbers or corporate bank account numbers. Or, depending on your business, a crooked competitor might want to get your trade secrets.
The Federal Bureau of Investigation is the U.S. law enforcement agency in charge of cybercrimes. Its news page contains a sad litany of revenge, illegal competitive research, pornography, and stolen financial data. The victims are organizations of all sizes. Your business isn’t too small to worry about it. And even the largest of corporations, with sophisticated protections, are vulnerable. In 2015, the FBI’s Internet Crime Complaint Center received 288,012 complaints of cybercrimes with a total of $1.1 billion in financial losses.
The two growing categories, according to the FBI, are email compromises and ransomware. With an email compromise, someone uses the email address of a corporate executive and requests sensitive financial information. (Thanks to LinkedIn, it’s not difficult to figure out who works with whom these days.) The person who receives the email assumes it’s legitimate and passes along the piece that the scammer needs to wreak havoc. Ransomware involves someone downloading a virus or clicking on a malicious link that locks up data on the computer and possibly the entire network. The victim then has to pay a ransom, often in bitcoin, to regain access to it. Neither of these necessarily involves a password hack, by the way.
The prevalence and sophistication of cybercrime make it difficult for a company risk manager to keep up, and many businesses are finding that they can’t. It’s especially difficult for businesses that are too small to have dedicated IT security staff.
Let’s compare this to more “traditional” theft – someone stealing your television or your car. Of course you lock the doors, but you also have insurance to offset the cost of the theft if it happens anyway. And, as much as it pains you to admit it, the thief could be someone you invited inside. Similarly, in the office, it may be an employee who pads expense accounts.
The Insurance Information Institute (III) identifies five categories of losses from cybercrimes: liability for costs incurred by customers or others; system recovery expenses, including lost operational time; notification expenses to customers whose data may have been exposed (requirements vary by state); state and federal regulatory fines; and class action lawsuits. Hence, an evaluation of your company’s exposure has to start with a look at the laws that cover the states and industries where you operate.
Then, see what your current insurance policy covers. Your current business owner’s policy may cover some of the risks, but it probably won’t cover all of them. You can buy additional coverage to handle additional risks, especially if the cost would be burdensome to your particular business.
An assessment of your risks may not only show you what types of coverage you need, but it also helps you determine what you can do to make your network more secure. Travelers Insurance has an online data and network security questionnaire that gives you a high-level assessment of your risk – and you don’t need to give Travelers your contact information to receive it.
You can use the results to think about what investments in training, hardware, and software would offer your company the most protection. Some of these are inexpensive, too, such as updating security software regularly, forbidding the use of such obvious passwords as “password” or “123456”, and terminating an employee’s access to the system immediately upon termination of employment.
Then, you can decide which weaknesses or risks should be insured. Having a sense of this before you talk to an insurance agent increases the likelihood of getting the coverage you need.
Ultimately, cybercrime is like any other crime: the incidence will ebb and flow over the years, and there is no surefire way to prevent it. However, there are ways to reduce the likelihood of being a victim as well as reduce your losses if you end up experiencing cybercrime anyway.