Net Losses

Massive cyber crimes may generate big headlines, but major corporations are not the only possible targets. With a recent survey showing that 40% of cyber attacks are on small and medium-sized businesses, smaller organizations also need to protect themselves against related risks.

Information is a powerful tool — and in the information age, it has become a popular target for criminals.

Computer hackers recently posted 2 million compromised usernames and passwords attached to Facebook, LinkedIn and Twitter accounts, just months after a similar attack affected 38 million Adobe software users. Sony, meanwhile, lost at least US$171 million responding to a 2011 cyber attack that exposed approximately 77 million customer files connected to the PlayStation Network and Qriocity service. Each case generated headlines around the world.

BIG AND SMALL

But the threat of cyber crime is hardly limited to major corporations. Forty percent of attacks are on small and medium businesses, notes survey results issued last year by Symantec, which offers online security services.

In October 2012, Symantec and the National Cyber Security Alliance also released results from a survey of 1,015 small and medium-sized businesses (less than 250 employees) across the United States. “Almost 40% of the over 1 billion cyber attacks Symantec prevented in the first three months of 2012 targeted companies with less than 500 employees,” the company noted in a press release at the time.

Small businesses are also victimized in an ever-growing share of the crimes as thieves look for easy access to personal information, credit card numbers and vulnerable paths into the computer
networks used by larger suppliers and customers.

Put another way, every business is at risk.

The challenge is that many related insurance offerings that have been developed for massive U.S. organizations, such as national retailers and financial institutions, are offered by specialty companies, and come complete with the high premiums and steep deductibles that smaller Canadian enterprises cannot afford. While options for small and mid-sized businesses are beginning to emerge, addressing the growing demand for coverage that is just as robust as the support enjoyed by big business, some insurance providers offer limited protection and exclude certain types of risks.

A good example of the gaps that exist can be seen when companies need to notify customers about lost personal data. Some insurers will only cover the cost of mandated notices — such as those that apply to every breach that occurs in Alberta — but other provinces only mandate notices in certain circumstances, or have no mandatory reporting requirements at all.

Businesses with this restricted coverage will be left to pay the cost of informing customers about the other leaked details. In contrast, robust cyber coverage helps a business notify customers even if the reports are not mandatory.

BUSINESS… INTERRUPTED

Some of the steepest losses of all can emerge in the form of interrupted business. A virus uploaded to a manufacturer’s computer server might bring production equipment to a halt for several days, requiring a costly response by information technology teams. But this financial damage can easily be eclipsed by the price of idled production and unfilled orders. Business interruption insurance can help to offset the related threat.

An Internet attack on a small retail florist, for example, might translate into the cost to rebuild a website, send letters to thousands of customers, and pay for a credit-monitoring service to limit future losses where credit card data has been compromised.

In each case, attacks also affect productivity as employees are pulled away from their usual activities to restore data or respond to an attack. It is why comprehensive cyber risk coverage should protect a small business from lost revenue.

Potential issues can even be traced to the information that a small business, without the support of an in-house legal team, willingly shares through a website or Internet server. Consider the scenario where a small hotel posts pictures of local tourist attractions without paying for the Internet-sourced images, and is then sued for $10,000.

Other lawsuits can arise if a business incorporates another company’s trademark into its own website without gathering the required permission, or if any other damaging information is published. Cyber risk insurance for small businesses would protect against online legal liabilities such as these.

As important as the appropriate coverage will always be, insurers can also offer access to in-house risk management teams or third-party experts to help prevent breaches and contain any of the issues that emerge. After all, small businesses may need access to this help from their insurer more than larger companies, which tend to have the required in-house expertise.

STAFF EDUCATION KEY

Unwitting staff members have been known to surrender important data like usernames and passwords by responding to “phishing” emails, which appear to come from internal executives or human resources teams. But they are less likely to leak these details if they know how to recognize the fakes.

Beyond educating staff about possible risks, however, their hardware also needs to be guarded as carefully as the data itself. Valuable business information is often compromised when employees lose laptops, hard drives or USB keys. To compound matters, many people struggle to remember where they put every storage device after loading them with data. Businesses can minimize these potential losses by encrypting data and tracking the hardware on which it is stored.

These threats are not even limited to a company’s hardware. A growing number of businesses have adopted Bring Your Own Device (BYOD) strategies, allowing employees to access corporate files through personal devices such as tablets and smartphones. Symantec reports that 37% of working adults surveyed now use a personal device for both work and play, and 17% of them store personal information on a work device.

While multiple uses enhance productivity, they also create new threats that can be lessened with clearly defined policies on exactly how devices can be used.

Corporate Canada clearly recognizes the need to protect information. The 2012 Canadian Businesses and Privacy-Related Issues report, prepared by Phoenix Strategic Perspectives Inc. on behalf of the Office of the Privacy Commissioner of Canada, asserted that 77% of companies polled recognized the importance of protecting privacy.

The same study showed that a mere 44% of respondents encrypt data storage devices. And even fewer know how they would respond to a problem. In addition, the survey found that less than a third of Canadian businesses have established guidelines to deal with a security breach. Findings are based on a random-digit dialling telephone survey administered to 1,513 Canadian residents 16 years of age and older.

If personal information is compromised, a sound crisis management strategy will ensure that everyone is informed about the loss and prepare managers for the moment the media comes calling.

Other strategies will back up, recover and encrypt lost data as quickly as possible, while disaster plans will help to prepare for the worst and hope for the best.

No single strategy is foolproof, but these steps will help to discourage possible cyber attacks.

Coupled with the right coverage, these efforts will help small and mid-sized businesses minimize their Net losses.

This article was co-written by Scott Vandeberg, Northbridge’s AVP of Product Innovation and Patrick Cruikshank, Director of Professional Liability. It appeared in the January 2014 issue of Canadian Underwriter.