CEO's Losing Sleep Over Cyber Risks

What Can Be Done to Ease Sleepless Nights?

Cyber risk has been one of company executives’ top 3 concerns for years, but the will to secure networks, communications, financials and operational systems has been lacking. According to betanews, over 76 percent of CEOs are consistently losing sleep over the fear of becoming the next headline-grabbing security breach, yet less than half of them have a firm cybersecurity strategy in place. This has led to major failures at utility and shipping companies, as well as pharmacies, retailers and financial services providers. There is hardly any industry that hasn’t been hit — and hit hard, and it's worrying CEOs.

“It’s more important now than ever before for businesses of all sizes and types to give serious consideration to a solid cyber security plan that is reviewed and reassessed on a selected schedule. These crucial steps can help to alleviate some of the mounting pressures, over cybersecurity concerns, on business executives,” says Daniel McNamara, President of V.F. McNeil Insurance.

According to V.F. McNeil Insurance, a Trusted Choice®, independent insurance agency located in Branford, Connecticut, the main weaknesses are as follows, including what to do about them to ease some of that stress that’s causing sleepless nights for so many business executives.

Problem 1. Passwords

Hackers prefer the easiest route into your business networks. That typically is through exploiting weak or stolen passwords. While everyone hates dealing with them, password updates and unique, long, random strings of characters are a basic line of defense, pruning the low-hanging fruit that cybercriminals crave.

While it may be convenient to reuse passwords across multiple sites, this provides easy access to business networks. When a password is compromised on one account, it can swiftly be applied to all other accounts held by the user. So, for example, if your employee has a social media account that uses the same password as their email account for your company, you have a potential unlocked door.

The password warning has been repeated many times, but password insecurities remain the most exploited gateways for cybercriminals. According to the cybersecurity firm Trusona, more than 80% of cyber breaches stem from weak or stolen passwords. So what can your company do?

Password solutions: Even though employees may be annoyed by it, you should require a long string (12-16 characters) of mixed letters, numbers and symbols. Make sure your employees are not reusing their passwords on any other accounts, and require passwords to be changed frequently — as often as once a month. You may even want your information technology staff to change the passwords on their end and require users to authenticate themselves to renew access.

Trend: Some companies are moving toward biometrics to eliminate passwords on mission-critical systems. These are high-end, more expensive techniques, but they are becoming increasingly mainstreamed and, therefore, affordable. They include fingerprint, iris, facial and voice recognition. The drawback is loss of access if something happens to the unique user and the identifying asset is lost or compromised (for example, a burn, eye loss or death). If you go this route, make sure you have an administrative workaround.

Problem 2. Lack of Employee Training

The same as Passwords, hackers love to find easy routes into business networks. Unsuspecting employees who open up the door and let hackers in, is one of the easiest routes and it's being used frequently. This can undermine all security measures in place. Cybercriminals prey on untrained employees by tempting them with authentic looking emails, pop-up ads, links, and text messages, usually requiring some kind of action. These come in so many creative and convincing forms, such as Wiperware, Malware, Phishing, Social Engineering Fraud, and Ransomeware.

Training Solutions: Train all employees on how to file and store data and how to avoid malware and viruses. Make the training mandatory and develop a schedule of updates, reminders, and tests. Creating a human firewall for your company is one of your best lines of defense.

Trends: Proactive businesses are working together with IT providers and insurance providers to access resources and provide ongoing cybersecurity training and exercises to help staff remain current on emerging threats and develop awareness skills. Insurance carriers like Travelers Insurance, often provide risk control resources at no or low cost to policy holders, like this Cyber Security Training for Employees overview as only one example.

Problem 3. Lost devices

In today’s economy, company business is increasingly done via mobile devices, which creates multiple layers of security risk. The most common scenario is the loss or theft of a device. In these cases, the data on the device may be used to your company’s detriment. Devices include both company-provided and personal hardware that accesses business systems.

Lost device solutions: Every company that permits mobile access to its systems should ensure that devices can be tracked, recovered and/or rendered useless (bricked) if necessary. A clear policy should be instituted so employees understand that any hardware — even personal devices — used to access company networks may be monitored, searched and manipulated to protect company assets.

Trend: Endpoint hygiene, a series of protocols that provide device-level security, is increasingly being pushed by information security experts. It includes undeletable tethering, which ties devices (endpoints) to a governing program and cannot be turned off by the endpoint user. It allows real-time monitoring of a device’s location and activity and immediate action to lock the device, prevent unauthorized access, and maintain regulatory and security compliance.

Problem 4. Lost/compromised data

Data is vulnerable to internet hackers, as well as low-tech snoops who tie into hotspots, Bluetooth or other open lines of access. Businesses can and do use prevention, such as firewalls, encryption and virtual private networks, but professional hackers can pick basic commercial locks pretty easily.

And, unfortunately, businesses frequently don’t run software and firmware updates, leaving open doors for cybercriminals. Centralization of company data, whether on the cloud or an in-house server, is also problematic. Just one infiltration into that data store could take your company out of operation and cost large sums to remedy.

Lost data solutions: Make sure your IT team is regularly running software and firmware updates to keep your data protected. Proper cyber management can go a long way toward deterring cyberattacks on your business. Also consider replacing legacy hardware that can no longer support software updates. If hardware can’t be updated, your company is playing Russian roulette with every sign-on. It may be an expensive measure, but it will save you in the long run.

Trend: Data fracturing or “decentralization” is a new way to prevent hacker access to the mother lode of your crucial business files and ensure recoverability. Basically, your company stores pieces of encrypted data on segregated computers (called nodes) across a global network. It’s an adaptation of blockchain that restricts access via keys that you can tightly control and invalidate, if necessary (for example, if someone leaves your firm).

To illustrate, imagine you use a single cloud provider. If a hacker infiltrates, they can snake into all your files. With decentralized cloud storage, each node contains only pieces of your data set, and the interloper cannot do anything with those encrypted, partial assets. But you can because you have the keys for all the different nodes. This is a nascent technology, but some companies are already using and perfecting it.

Problem 5. Insurance

Cyber insurance was a relatively new commodity a decade ago. At the time, many insurers jumped into the market with products to pay out under different scenarios, such as a company’s liability for damage caused by a cyber breach; forensic research into what caused a cyber failure; and paying for data recovery and ransom demands.

Now, after five or so years of big losses and evermore intensive cybercrime attempts, insurers are reassessing and cyber insurance is becoming more expensive and harder to get.

Insurance solutions: Companies really can’t afford cyber losses on their own and must transfer some of that risk to insurers. The best way to qualify for good coverage is to have competent cybersecurity protocols in place. In fact, many insurers won’t consider a company that doesn’t take serious steps to protect its data and systems.

Trend: Putting cybersecurity in your business plan and naming an executive who owns the strategy are recommended courses of action for companies of all sizes. Even if your organization can’t afford an in-house cybersecurity team, you should consider what you can afford to outsource. This will ensure cyber needs are budgeted for, cyber solutions are rewarded and cyber failures can be minimized.

“Cybercrime is unavoidable in today’s always-on digital world. Chances are, if you haven’t already been victimized, it’s a very strong possibility you will be. Be vigilant in protecting your company, your customers, your employees, and your partners. Enact strong security policies to reduce vulnerabilities and create a clear plan of action to detect and remediate a privacy breach,” says Daniel McNamara. “V.F. McNeil Insurance will continue to inform and consult its clients and those who carry the responsibility of protecting the financial and reputational future of Connecticut businesses."

Request an Appointment with V.F. McNeil Insurance or call (203) 481-2684 to speak with a business insurance agent about protecting your business from Cybercrimes. Don't be among the numbers of CEO's losing sleep over cyberrisks. We can help you choose and manage insurance for your business needs, including cyber liability insurance.