Did you know that 93% of data breaches could have been avoided? Everyone should be interested in this somewhat shocking statistic because cyber threats and data security remain primary concerns among virtually every organization, regardless of size, industry or purpose. It’s true that some cyber threats simply cannot be avoided, which is why businesses should do everything in their power to avoid those that can.
The first step is recognizing and addressing some of the more common avoidable causes of security breaches and data loss. According to the Online Trust Alliance, these include:
- Employee errors (lost data, files, drives or devices and improper disposal);
- Accidental disclosures (via email and public postings);
- Business Email Compromises (socially engineered exploits like phishing and whaling);
- Unencrypted data and disclosed keys;
- Improperly configured systems, networks and devices;
- Failing to update or patch systems against known vulnerabilities; and
- Using end-of-life devices, operating systems and applications.
The next step is implementing security processes and procedures. When it comes to defending against cyber threats and ensuring data security, business-specific circumstances and operations typically determine which essential preventative measures are most likely to be effective. Nevertheless, there are various baseline security best practices recommended by the Online Trust Alliance that most businesses can easily implement and manage, such as:
- Encrypting data at rest, in storage and in transit. Without the corresponding cryptographic keys, encryption renders data useless to hackers. It may also exempt businesses from having to comply with various state data breach notification laws.
- Managing passwords. Use password managers to generate and store passwords. Multi-factor authentication (smartcards and PINs in addition to passwords) can also be required to access sensitive information or accounts.
- Adopting the least-privilege user account (LUA) strategy. User accounts should be given the least amount of privilege (access) required to perform their necessary functions.
- Auditing security measures. Periodically conduct penetration tests and vulnerability scans to identify and mitigate vulnerabilities.
- Monitoring emails. Require email authentication of all inbound and outbound mail servers to detect malicious and spoofed emails.
- Managing mobile devices. Require authentication to unlock devices, lock out devices after numerous failed login attempts, encrypt communications and storage, and enable remote wiping of mobile devices that are lost or stolen.
- Managing wireless networks. Only authorized wireless devices should be given network access. “Guest” network access should be kept on separate servers.
- Implementing a data breach response plan. Conduct a post-mortem after every incident and make necessary adjustments. Practice by regularly testing response plans and personnel.
Since it’s impossible to protect against every cyber threat or prevent every data breach, the final step is obtaining Cyber Liability Insurance. According to PricewaterhouseCoopers’ 2016 Global State of Information Security Survey, 59% of businesses surveyed purchased cyber security insurance to mitigate the financial impact of data breaches and cyber incidents when they do occur. Businesses are increasingly realizing that what can’t be protected or prevented must be insured.
Unlike traditional business insurance policies, Cyber Liability and Security Breach (Cyber Perils) Insurance policies protect against privacy injuries, such as identity theft, and cover the cost of complying with data breach notice laws. Given the complexity of the risk and the absence of one-size-fits-all coverage, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.
Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.
Additional information is also available in our weekly Risk Management Newsletters.