As attacks on businesses’ networks continue increasing at unprecedented levels, cyber risks have become the top concern among organizations of all sizes for the first time, according to a new survey.
The “Travelers Risk Index” found that 55% of executives surveyed said they worry “some” or “a great deal” about cyber risks. That’s more than they worry about medical cost inflation (54%), employee benefit costs (53%), the ability to attract and retain talent (46%) and legal liability (44%).
The most common types of attacks, and the ones that pose the biggest security threat to businesses, are phishing and fake e-mails. They are the hardest to combat because of the human factor involved, according to another survey, the “2019 Cyber Security Breaches Survey” published by the U.K. government.
In phishing e-mails, the cyber criminals pose as colleagues or vendors to dupe an unsuspecting employee into handing over a password or clicking on a malicious link that will give them access to the company’s network.
In addition, ransomware has brought many businesses and government agencies to a standstill as the same technique is used to freeze an entire network and render it unusable until the company pays a ransom for a key to unlock the network.
As concerns about cyber threats have grown, more businesses say they are taking proactive measures to safeguard against cyber risks – even though a large percentage have not implemented preventive best practices.
The steps that companies are taking, according to the Travelers survey, are:
- Purchasing a cyber insurance policy (51% of survey participants, up from 39% in the 2018 survey the insurer conducted).
- Creating a business continuity plan in the event of a cyber attack (47%, up from 38%).
- Taking a cyber-risk assessment for themselves (49%, up from 45%).
- Taking a cyber-risk assessment for their vendors (41%, up from 37%).
- Updating computer passwords (74%, up from 71%).
The fact is that a single cyber attack can put a company out of business. Taking the threat seriously and implementing a risk management program that addresses possible exposures can help a business not only avoid an attack, but also recover from one as quickly as possible.
How to lower the chances of an attack
The insurance company Chubb recommends the following steps to reduce the chances of a cyber attack on your organization:
- Identify your sensitive data – Credit card and personally identifiable information is often the target of cyber attacks.
- Educate your staff – Instruct your employees about cyber attacks and how to protect the network. The most important thing for them to remember is not to open attachments from people they don’t know or in e-mails they don’t expect. You should also post procedures for encrypting personal or sensitive information, and require them to change their passwords regularly.
- Have security in place – You should have a web application firewall in place to protect your website, in addition to a firewall for your company’s network. If you accept credit card payments, you should have an e-commerce platform that is compliant with Payment Card Industry Data Security Standard Level 1.
- Secure your hardware – Data breaches can be caused by physical property being stolen, too. If your servers, laptops, cell phones or other electronics are not secured and are easy to steal, you are taking a big risk. Physically locking down computers and servers is a good idea.
As the cyber threat becomes more sophisticated and changes, cyber-insurance policies have evolved to meet businesses’ needs. There are many types of policies in the marketplace that are tailored for specific types of businesses. The key is getting a policy that best fits your organization and covers any eventualities that you may encounter.
Some coverages you may want to consider for inclusion in your cyber insurance are:
- Business interruption – Covers the loss of business income due to a cyber attack.
- Computer fraud – Covers theft of money, securities and other forms of tangible property through computer fraud and social engineering schemes.
- Data breach – Covers claims of failure to protect personally identifiable information and protected health information of clients.
- Property damage – Covers replacement cost of computers damaged by a cyber attack.
- Identity theft expenses – Covers expenses related to the business owner or their employees after identity theft.
- Advertising and personal injury – Covers damage caused by defamation on a website or social media.
- Transmission of virus or malicious content – Covers failure to stop the transmission of a computer virus or malicious content.
- Errors and omissions – Covers loss caused by failure to provide proper network security.
Some policies are stand-alone products, while others are endorsements to existing policies like a business owner’s policy.