Data breaches and cyberattacks on businesses have grown in frequency, with breaches hitting a record number in 2016. Losses due to this scourge are on the rise. “Experts say you need to assume your business will be hit with a cyberattack—and hit soon,” says Stephen Frew, JD, Vice President and Risk Consultant with Johnson Insurance. “Considering the increased prevalence and immense risks posed by cyberattacks, this is a great attitude to have.”
Fortunately, there are steps you can take to protect your business' sensitive data, your customers' data, trade secrets and any other information critical to your success. Prevention strategies are the first step.
Prevention begins with knowing your potential targets and their physical locations. “That may seem obvious, but it's not at all the case,” Frew notes. “Many networks have multiple servers, and you need to know which ones contain sensitive data. There's also equipment you probably wouldn't think about immediately, such as printers and copiers containing hard drives. Smart devices—the internet of things—are also targets. In the attack on Target in 2013, hackers gained access to credit and debit card data through the thermostat system.”
Consider using an internet security company to perform an inventory for your business. This may be a better choice than your own IT department (if you have one), which likely doesn't have the spare capacity to do a thorough, physical survey.
Use technology to protect your data
To prevent your systems from being hacked, it's a good idea to employ technology that can offer protection. Here are a few tips:
Install a firewall. “This is an absolute necessity,” Frew comments. A firewall can be a physical piece of equipment or software. However, a combination of both provides more security than either one can offer standing alone.
Use anti‐virus and anti‐malware software. Although no product is 100 percent effective, you can increase protection by layering multiple anti‐virus and anti‐malware products. Each software package has distinct capabilities and may pick up new, unique threats that the others do not catch.
Establish a vulnerability patching routine. When you receive notifications of software updates, it means a vulnerability that could be exploited has been discovered. You should install the update immediately. In addition, make sure to maintain a regular schedule of checking for updates on all software you use. “Two‐thirds or more of software breaches are a result of known vulnerabilities that could and should have been prevented through patching,” Frew notes.
Employ a white‐listing strategy. “Essentially, you set up your computers so that nothing can run that hasn't been preapproved,” Frew explains. “Rather than trying to find the bad thing coming in, it blocks anything that isn't preapproved. This strategy is very effective, but it requires someone to actively analyze and white‐list the programs you use. Some companies think it's too labor‐intensive.”
Play strong defense
Frew recommends putting defensive strategies in place to help protect your company in the event of an attack:
Train and test employees. Most hacks start by conning or tricking employees into revealing information. Train employees to be suspicious of emails, phone calls and other communications. “Training is most effective when you remind employees frequently and make the training specific to what they do,” Frew says.
Use a 3‐2‐1 backup strategy. This is aimed at defending against ransomware, which is currently one of the most common types of attacks. Hackers gain access to your system and lock it before demanding a ransom to restore your access. Some hackers now also encrypt your backup, so you need three copies of your data: two on your existing system, and one on a completely separate, unconnected system. It could be a hard drive, another server, DVD, tape backup or something else offline.
Employ penetration testing, also known as white‐hat hacking. A cybersecurity company will attempt to hack your computer system, looking for holes in the defenses. “There are areas that your IT department would probably overlook because not everyone thinks like a criminal,” Frew notes.
Create an incident response plan. Write out a plan including what to do and who to notify in case you're struck by an attack. “If you have cyber insurance, the insurance company will immediately put you in touch with experts in their response department who do this all the time. That's a major benefit of having insurance,” Frew remarks.
Purchase cyber insurance. “We suggest that every business consider it,” Frew says. “Some business insurance packages include a nominal amount, but a separate policy typically offers better coverage.”
When a cyberattack occurs, follow this simple six‐step process to protect your business and your clients:
Seek expert help
As data breaches and cyberattacks become more common, it's critical to understand the steps you can take to protect sensitive data for your business and your customers. If you have any questions about how our team of experts can help, or if you feel your information has been compromised, contact your Johnson Insurance Advisor immediately.