csimt.govcsimt.gov/wp-content/uploads/INS-CE-Cyber-Talk-2018.… · Web viewDefine what might be acceptable to download and what ... place the confidence in a Word document

“Understanding Cyber Liability”

Written and Presented By:

Mark Bassingthwaighte, Esq.Risk Manager, ALPS

www.alpsnet.com Page 1 of 18

Presenter Biography

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 400 continuing legal education seminars throughout the United States, and written extensively on risk management and technology. Mr. Bassingthwaighte is a member of the American Bar Association and the State Bar of Montana. He received his J.D. from Drake University Law School.

Contact Information:

Mark Bassingthwaighte, Esq.ALPS Property & Casualty Insurance CompanyRisk ManagerPO Box 9169 | Missoula, Montana 59807(T) 406.728.3113 | (Toll Free) 800.367.2577 | (F) [email protected] | www.alpsnet.com


Table of Contents

Just Because You Can Do Something Doesn’t Mean it’s a Good Idea ………………………….…….....4

Cyber Crime: Your Ignorance is Their Power! ………………………………………….…….….…….…….....4

The Goal is to Avoid the Breach ...................................................................................................................…...7

Data Security – It Starts Here So Stop Making Excuses…………………………………………………..……8

When Passwords Fail – A Personal Story…………………………………………………………….…………..10

But Why Bother? …………………………………………………………………………………………………………..12

Cyber Liability …………………………………………………………………………………………………………...…12

Managing Cyber Liability Risks …………………………………………………………….………………………..14

Checklist for Becoming Cyber Secure………………………………………………………………………….….15

THIS MATERIAL IS PRESENTED WITH THE UNDERSTANDING THAT THE PUBLISHER AND THE AUTHOR DO NOT RENDER ANY LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICE. IN NO


EVENT WILL THE AUTHOR, THE REVIEWERS, OR THE PUBLISHER BE LIABLE FOR ANY DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THIS MATERIAL. THE VIEWS EXPRESSED HEREIN ARE NOT NECESSARILY THOSE OF ALPS.

©2018 ALPS, All Rights Reserved, www.alpsnet.com

Just Because You Can Do Something Doesn’t Mean it’s a Good Idea.

A decision to use an iPad, a cloud based service such as Dropbox, a smart phone, a Wi-Fi network, or even basic email as a business tool is not in and of itself a poor business decision. The real problem is with what those who use such tools do or don’t do with them. Portable devices, to include backup drives, are sometimes lost or stolen; rogue programs that capture banking passwords, encrypt your data, or steal your data can be unintentionally downloaded; your network resources can be used in a hacking attack; and this list could go on and on. Much of the risk comes from missteps such as lax security procedures, falling victim to a social engineering attack, and even simple ignorance about how a given device works or what the application really does.

Now we’ve all seen the headlines. Who hasn’t heard about Chinese cyber-spying, the CIA WikiLeaks dump, the Netflix breach, and Putin’s attempt to influence elections around the world just for starters? Yet it’s what isn’t making the headlines that should have our attention. A recent survey of 300 IT professionals in the U.S. and U.K, done by Vanson Bourne, found that 84% of respondents were victims of a spear phishing attack with the average cost of the attack coming in at $1.8 million. Security company G Data has recently reported that 8,400 new Android malware samples are discovered every day. In short, a new instance of Android malware pops up nearly every 10 seconds! Taken together, one can surmise that cybercrime is going to continue to be a serious concern for the foreseeable future. Not be pessimistic, but my personal perspective on the odds of a business having to deal with the fallout of a security breach is this. It’s not if it will happen, it’s solely a matter of when; and if your response happens to be “we’re too small to be on anyone’s radar,” please understand that a significant percentage of cybercrime attack vectors are automated. The size of the target isn’t part of the equation. It’s simply about taking as much data or money that the hacker can.

The real issue that must be addressed given that these kinds of breaches are occurring is this. What might the fallout be for a business whose system is involved in a data breach event?

Cyber Crime; Your Ignorance is Their Power


http://www.alpsnet.com/

Before we move to a more thorough discussion of liability for a data breach, one must first understand that the goal is to avoid having to deal with the problem in the first place. Unfortunately for most small business owners, it is their ignorance, as well as that of everyone else in their office, that’s the real problem. Regardless of all the precautions implemented, from taking steps like securing all digital assets with the latest and greatest in firewalls and antivirus software to upgrading to the latest in browser software or operating system, those efforts still aren’t going to be good enough. There is a weak spot that IT support can’t easily address or a business owner can’t quickly fix by throwing a little more money at it. The true vulnerability comes from the people who use the systems. I’m talking about you, your partners, your employees, and anyone else who has access to or uses a business computer, tablet, smartphone, and the like. How do you think the Target breach, the DNC email scandal, and many of the other ones we hear about with ever more frequency, happen? In short, someone does something stupid like open an infected email, click on a malicious link, or unwittingly verify a password for a cybercriminal because he or she didn’t know any better or simply got caught off guard.

To help bring the point home, ask yourself these few questions and focus not only on how well you can answer them but also think about how everyone else in the office might do. Do you know what Cerber and Dridex are? (Cerber is ransomware that encrypts files on every drive it has access to and Dridex is a banking Trojan that seeks to steal your online banking credentials.) If you did know what these two examples of computer malware were, do you know if you can still be infected by either if you have an Internet security software suite running? (Yes, until a patch is released for each new variant that is discovered in the wild; but be aware that malware is rapidly moving into the mobile space where many are woefully unsecure.) Can a computer attack start with a simple phone call? (Yes, it’s called a phishing phone call.) What is spear phishing? (Targeted attacks that appear to come from a trusted source.) Can identity theft occur via a text message? (You bet.)

Hopefully you start to see the point. As users, our actions can unintentionally circumvent the security tools that have been deployed and often it happens out of sheer naivety. Someone is uninformed and a cybercrime can occur as a result. What any of us do on the Internet and even how and where we do it does matter. For example, unsecured Wi-Fi is exactly that, unsecured. Just because a signal is available doesn’t mean using it is a good idea. Cybercriminals have the same ability to access that signal as you do and how would you know they’re there waiting for you? Again, perhaps you are smart enough to avoid most attacks but how about everyone else in your office? Do you know what they are doing online or with their mobile devices?


So what’s the solution? How does one address the very real threat that comes from each and every user? I wish it were easy. Unfortunately, it isn’t; but it is manageable. This is one of those situations where IT and business owners need to work together. Part of the solution will lie in periodic training in safe practices to include how to identify threats. This needs to be ongoing because the attack vectors will continue to evolve and change. Topics such as what do the latest social engineering attacks look like and how can they be avoided, why peer-to-peer file sharing networks like the ones that use a BitTorrent protocol can be dangerous, and how to securely login into the network from a remote location would all be worth discussing. Personally, I would start with a short session that teaches everyone how the particular security program you run on your network would respond should an actual threat be detected. What will that look like to the user and what should they do if it happens? Why do this? How many of your users know that if and when a pop-up box suddenly appears informing them that their computer is infected and telling them to click “yes” in order to start a scan is not, in fact, your security software doing its job? Instead, this can be an actual ransomware attack. If the user actually clicks on “yes,” truly believing that this is the right thing to do in order to protect the system, that act will initiate the malicious program. Trust me, that’s not what you want to have happen.

Another part of the solution will be in establishing and enforcing an office wide Internet use policy that spells out the dos and don’ts. Define what might be acceptable to download and what wouldn’t. Allowing someone to download an eBook off Amazon might be ok if they were to do it over the noon hour, but downloading free stuff along the lines of screen savers, emoticon programs, desktop wallpaper, and even music may not be the best idea. What about accessing Facebook, LinkedIn, Snapchat, WhatsApp, or Pinterest from an office device? There are security concerns that come with participation in social media. Do you want to allow access to things like Skype, YouTube, or even personal email accounts? In the absence of defined rules, there will be some who will expose the network if for no other reason than through naivety. Also, don’t focus just on the Internet spaces listed here. They are simply examples. All can bring value but all also bring a certain amount of risk.

Again, there is no easy solution and unfortunately there is a catch 22 for many business owners. For example, initially it may be tempting to simply block access to something like Facebook; but how might that impact your social media marketing efforts? The good news is that a great resource is available online to assist in the identification of the issues as well as in the development of an office policy or policies. For additional information see www.sans.org/security-resources/policies/.

The final piece will be in committing to seeing that systems and software remain as current as economically feasible. Why? If you have an older version of a program still in use at your office do you know if it is still being supported? As newer and more secure versions


http://www.sans.org/security-resources/policies/

of software come to market, software companies eventually stop supporting the older versions. Now this doesn’t mean the program stops working; but it does mean the security updates stop coming. Continuing to rely on older software, for example Windows XP, in order to save a little money is a serious misstep because many malicious programs specifically target older software. Cybercriminals know that the vulnerabilities in these older programs will never be addressed and that works to their advantage. Don’t make it easy for them. Understand that when it comes to computer security, newer and better solutions for hardware and software will continue to enter the marketplace. When you think about what is at stake, isn’t the investment cost of updating to the most current version of a software program available well worth it?

The Goal is to Avoid the Breach

Clearly computer security cannot be an afterthought and, as has been discussed, there is no one-step solution that will adequately address the problem. Maintaining data security is going to be a never-ending effort that will involve everyone in the office from the part-time receptionist to the owner of the business. At a minimum, every business owner should try to do all they can to become cyber secure, which means taking steps to protect data, particularly critical or sensitive data. The data of most concern would include personally identifiable information to include social security numbers, names, birth dates and the like; financial information which might include account passwords, credit card information, personal health or medical information not only of customers but of all employees. The challenge here is in understanding that the obligation to protect data means that steps must be taken to protect your systems from data corruption, unauthorized access, and unauthorized use; and you must address these issues as it relates to email, cloud storage, document collaboration in the cloud, the use of Wi-Fi, the use of personal devices (smart phones, tablets, home computers, laptops, jump drives, etc.) and the list goes on.

Here are a few things that can be done to help secure your systems and note that this list is not a complete list but is provided as more of an indication of what the minimum effort should be. Password protect and encrypt data on any mobile device to include laptops, jump drives, computer tablets, external hard drives, and smart phones. If you don’t know how to do this, seek help from your service provider or IT support person. Establish a patch management system to ensure that all devices, software programs, computers, operating systems, etc. remain up-to-date on critical security patches. Establish an ongoing training program for everyone in the office in order to safeguard against insider negligence. The goal is to ensure that no one does something like transfers work to a remote device or location such as a home computer in an insecure manner, improperly disposes of a device that is being replaced, or is tricked into opening an email that was carrying a malicious


payload. You might focus on keeping everyone apprised of the latest methodology being used with social engineering attacks. Install an Internet security software suite on all devices that will connect to the Internet. Backup all systems and maintain a copy of the backup at a remote location, which can be cloud-based storage, at all times. Establish a protocol for the secure use of Wi-Fi services with an absolute prohibition of the use of open unsecured public W-Fi- networks absent appropriate security. Finally, upgrade operating systems and Internet browsers as newer versions come to market as these upgrades often include improved security features or programing.

Data Security – It Starts Here So Stop Making Excuses

The days when one could send an unencrypted email without worry, remain blissfully ignorant about encrypting a laptop, or use the same easily remembered password for all accounts and devices are over. I believe most people know this, at least at a gut level; but far too many still seem to be confused about what steps they should be taking. If you see yourself as a card-carrying member of the “what the heck am I supposed to do” group, perhaps I can help.

Let’s start with email. It isn’t secure. The best description I’ve ever heard about how anyone should view email was this. Email is like sending a postcard written in pencil. Slap a little postage on it, drop it in the mailbox and it’s good to go. Think about that and then think about your ethical obligation to preserve and maintain client confidences. Still want to email a client confidential information using a free Gmail account? Hopefully not!

Encrypted email is on the horizon for all of us and a day-to-day reality already for

some. Certain customers (the financial and healthcare sector for starters) are beginning to demand the use of encrypted email. Say no and lose a customer. Is the use of encrypted email essential at this point? No, but I personally believe that day is coming, if for no other reason than the market will demand it. Until that time, however, here’s an easier solution.

When using email to send sensitive or confidential information, place the confidence

in a Word document or PDF file, password protect that document and attach it to the email. Now the attachment is encrypted even though the email itself is not. There are various other security settings that can be selected as part of this process and those vary depending upon the application in use. Learn what they do and how to use them. Now, one side note. Never put the password to the attachment in the text of the email itself. You’ll need to find another avenue to pass that information along and that’s just the way it is. Perhaps a text message or quick call will take care of it. Also understand that if the password is ever lost or forgotten, you won’t be able to recover the contents of the document so don’t get casual with this.


You also need to address the issue as it relates to mobile devices, backup storage

media, and placing documents in the cloud. I’m going to skip all the “put the fear of God in you” stories and ask in return that you put aside all the excuses. I believe you know what you should be doing. It’s just a matter of making the decision to actually do it.

Smartphone encryption is pretty easy. On newer smartphones, encryption is often a

matter of changing one setting. On the iPhone, enable the complex password setting, and for Android phones, enable encryption in settings. This basic step doesn’t necessarily encrypt everything on your phone so I would strongly suggest you review the security instructions of the device manufacturer and carrier, which means you need to go further than reviewing the quick start guide. The information you need to know is not there. And yes, I do understand this means you have another password to remember; but if your phone is lost or stolen and a customer is harmed in some way as a result, they are not going to be sympathetic once they learn the phone wasn’t encrypted because you didn’t want to have to remember a password. After all, would you if you were in their shoes? I doubt it.

Tablets and laptops can be a bit more difficult to set up but most of these computers

have full disk encryption functionality built-in. It’s just a matter of turning it on. If you don’t consider yourself tech savvy, however, this is the one time I would advise you to get a little help from your IT support so that it’s done correctly. Once setup, it’s easy as long as you never forget the password. Even better, these built-in encryption programs can often be used to encrypt backup drives. This is what I do for my personal back-ups. Takes me all of 5 seconds to decrypt a drive and run the next backup. There are also a number of third-party products (e.g. Backup Exec or BounceBack Ultimate) and cloud based solutions (e.g. Mozy or Carbonite) that are just as effective. If you do decide to go with a cloud-based vendor, make certain that you select the password because you don’t want the vendor to have the ability to decrypt your data.

While placing documents in the cloud is convenient, it also brings about privacy and

security concerns which, again, can be easily addressed through encryption. The condition, however, is you must be in control of the decryption key, not the cloud service provider. If you don’t control the decryption key, you don’t control your data. It’s as simple as that. Some cloud service providers, for example Box, provide for end user controlled encryption. If your cloud service provider does not, you must take the time to encrypt your documents before placing them in the cloud. Products such as BoxCrypter or Sookasa can get you there.

I’m well aware that I’m only focusing on encryption and acknowledge that there are

all kinds of other steps one can and should be taking to protect your data. I elected not to


share all the other tips here because encryption is the ultimate level of protection should something bad happen. Systems and devices can be lost or stolen, and worse yet, hacked in all kinds of ways. Encryption is your failsafe should something bad ever happen. Think about it this way. Your customers expect that you will protect data about them just like you expect your credit card carrier, your medical provider and your bank to protect information they have about you. You read the headlines, learn from the missteps of others. Stop with the excuses and just do it.

Obviously, the challenge with all the above and, truth be told, the success of the

effort relies upon the use of complex passwords that are never used twice and there’s a relatively easy solution to this problem as well; but first a story. When Passwords Fail – A Personal Story Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree. That’s how things played out in our home for a number of years on the issue of passwords. My wife seemed to view my focus on computer security and passwords as something approaching mild paranoia. I, on the other hand, viewed her insistence that the use of one easily remembered password for everything in her life was like tattooing the words “victim here” on her forehead. The only way for us to move forward on this issue was to agree to disagree and that’s just what we did. This state of marital bliss started to crack a few years later after I received an email from one of our sons letting me know my wife’s email account had been hacked and a bunch of spam was being sent out using her email address. I did what one normally does to remedy that situation and hoped all would be good. Sadly, it wasn’t to be. Our marital bliss abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife. Apparently credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Makes sense to me. Problem was she wasn’t the one who walked into that credit union and applied for a card in her name. While this tale has many more interesting twists and turns, in the interest of time I will simply share that as a result of this identity theft a federal and an out-of-state tax return were also fraudulently filed in her name. I spent over three years working to get everything cleaned up; but the one thing I can’t do, and honestly no one can, is ever get her identity back. That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives. Hopefully, it’s over; but only time will tell.


Today things are different around here. My focus on computer security is viewed in a much different light and my wife needn’t worry about any unsightly tattoos on her forehead. While we’ve returned to a state of marital bliss, this time around we’re both on the same page. Now understand that this entire saga started with someone managing to figure out a password and that password opened all kinds of doors that were supposed to be locked. I chose to share this story because I wanted to put a real-world spin on the problems that can arise when too little attention is given to the importance of passwords. I don’t care how big or small your business is. Everyone needs a password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft, and heaven help you if the identity theft turned out to be the identity of one or more of your customers because someone got into your office network. So not good. Let’s start by talking about bad habits. Here are the kinds of things you should never do. Use the same password on multiple devices or applications. Write down the computer password on a sticky note and hide it in your laptop so no one can see it if it’s closed. Believe that passwords like “qwerty”, “password”, “1234567”, or “letmein” are clever and acceptable. They aren’t. The better approach is to develop a policy that everyone in your office, including you, will abide by. It should mandate the use of a strong password, which is currently defined as one that is a minimum of 14 characters long and includes numbers, special characters, and upper and lower case letters if the device or application you wish to secure with a password will accept it. In addition, every application and device in use should have its own unique password and, at least with mission critical devices and applications (e.g. banking login credentials), these passwords should be changed every 6 - 12 months. Never recycle old passwords and never share your user ids and passwords with anyone. Finally, always use two-factor authentication for any device or application that allows it. Yes, keeping track of all these complex passwords can create its own problem. Fortunately, this problem can be easily managed with the help of a password manager such as RoboForm, LastPass, or Dashlane. Products like these can generate complex passwords and store them for you in an environment far more secure than a piece of paper hidden in your desk somewhere. In fact, my wife joined me in using password managers shortly after her kerfuffle with the credit union and it has made a world of difference. She still only needs to remember one password, albeit a strong one, to open the password manager and that’s it. Compliance with our home password policy has never been easier for her, and speaking frankly, she fully agrees that compliance isn’t optional. Trust me, she gets it now. The interesting question is, do you?


But Why Bother?

In spite of all that might be done to prevent a data breach, recognize that it is virtually impossible to have a completely secure system if for no other reason than people use it and it touches the Internet. There are no guarantees here. Some seem to respond to this reality too casually by not fully appreciating the fallout and they fail to prioritize becoming cyber secure. So then, what are the risks that come with a data breach? These things come immediately to mind: legal liability to others for the theft, loss or unauthorized disclosure of personally identifiable non-public information; legal liability for the theft or loss of third party corporate information; being subject to regulatory action or scrutiny due to the failure to comply with relevant security breach notification laws; having to cover the costs associated with responding to and recovering from the breach to include the costs of finding, notifying and perhaps providing one year of credit monitoring for all who were impacted by the breach; the consequences of any loss or damage to your reputation; and the loss of revenue due to the breach.

Cyber Liability

The above risks, which define cyber liability, are not something to take lightly. Let’s just look at the response and recover piece. What actually might be involved here? Once a breach has been discovered, the timing of which can vary from you immediately know with something like a lost laptop to it taking months or even a year or more after the breach in the case of a sophisticated hack. At the outset, you must first determine what and whose data has been breached. This might include asking questions like were the login credentials on the stolen laptop used to gain access to the network? What data was on the stolen backup drive? What data did the hacker have access to while on the network? The specifics of the response will vary greatly depending upon the circumstances of the breach, but for discussion purposes, assume that the network was breached in some fashion.

At this point the first thing one must do is terminate the breach. If a mobile device was stolen perhaps a remote wipe of the data could take care of that. If your business network was breached, this would mean that the network must be disconnected from the Internet and a computer forensic expert brought in to investigate. Obviously the network would be unavailable for use until that work is completed. Typical downtimes for a small business run from a day or two to a week or more. The forensic expert will create a duplicate image of the relevant systems in order to have the ability to properly analyze the


data. This expert will try to determine the who, what, when, where and how of the breach and then provide a report of the results. The costs associated with this service will vary widely depending upon the situation at hand. Plan on several thousand at a minimum but it could go much higher even for small businesses. Once this effort is done, however, the network is still not available. In addition to having someone come in to analyze the breach someone must also remove the rogue software; fix the vulnerability that enabled the attack to occur; and, if possible, try to recover or restore any damaged or lost data. Once all this is completed, the office can begin to use system resources again. Although the system recovery process may now be over, the overall process is just getting started.

With the forensic breach analysis report in hand, it’s now time to look into the breach notification laws that you might be subject to and unfortunately far too many are unaware of the existence and ramification of the breach notification laws. As of this writing 47 states, Washington DC, Puerto Rico, and the USVI have all enacted laws that require those who maintain personal information of others to not only protect that information, but to notify the owners of the information if and when a data breach occurs. (The states that have yet to enact such a law are Alabama, New Mexico, and South Dakota.) The bottom-line is that if you track social security numbers and/or financial account information, such as credit card numbers of employees and/or customers, these laws are in play. While an in-depth review of these statutes are beyond the scope of this presentation suffice it to say that a few even require the use of encryption of all records and files that will be transmitted across public networks or through wireless connections and that contain personal information such as social security numbers. Another also requires encryption if such information will be stored on a portable device like a laptop or computer tablet. Most importantly, in the event of a breach, these statutes require that state governments and those impacted by the breach be notified without delay and these notice requirements are not based upon where the holder of the information is located but based upon where those impacted reside. Thus a breach could result in an obligation to notify multiple state governments and comply with their various statutes.

The tasks associated with notification include determining which state law’s you’re going to be subject to (Current notification laws by state can be checked at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx), meeting notification deadlines that can be as short as 5 days, setting up the contact database, verifying contact information, writing the notification letter, printing and mailing these letters, dealing with the returned mail, and handling all the calls that will come in once these letters are received. Costs for notification services alone typically run between $1 and $4 per notice. If a business’s entire contact database was breached, the total cost of complying with breach notification laws could be significant.


http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Perhaps it goes without saying that your business reputation could be in serious jeopardy post notification. One way this can be controlled is by offering to provide credit monitoring or other type of cyber-monitoring service depending upon what type of information was breached. Costs here can start anywhere between $5 to $20 per record and go up from there. Not only might this help with reputation damage control but this may prevent some customers from seriously considering suing your business because you have taken steps to help put their concerns to rest.

Managing Cyber Liability Risks

Clearly, technology is a double-edged sword. While its use is very appropriate, and I would argue essential in this day and age, doing so does expose any business to additional liabilities that can arise from identity theft, hacker malfeasance, cyber extortion, a security failure, hardware theft, etc. The problem is that for many there is an insurance gap in play. Should you ever find that your business has been a victim of cybercrime would your existing insurance cover it? As previously discussed, the costs can be significant and for far too many the answer to the coverage question would be no. Most general business insurance policies offer little to no coverage for cybercrime loses, thus the coverage gap. The good news is that the risk of incurring such losses can be properly covered by the purchase of cyber liability insurance which is becoming more widely available.

If you are not familiar with Cyber liability insurance products, know that they vary greatly in terms of cost and offered coverage provisions so a little comparison shopping might prove worthwhile. They are also claims-made policies which means they must remain in force if one is to have on-going coverage. As a group these policies are designed to provide protection against or coverage for things like the following:

Conduit Injury – a lawsuit resulting from a network security failure that caused additional damage to a customer’s computer network

Reputational Injury – a lawsuit resulting from your participation in social media

Disclosure Injury – a lawsuit resulting from the unauthorized access to or dissemination of customer information

Content Injury – a lawsuit alleging intellectual property or copyright infringement perhaps due to postings on your business website or blog


Privacy Notification Expenses – the costs associated with complying with relevant breach notification laws. Some policies also include the cost of attorney fees and/or credit-monitoring services.

Crisis Management Expenses – the costs associated with bringing in outside experts to investigate the incident and fix the problem. Some policies also include the cost of a public relations consultant.

Extortion Expenses – the costs associated with investigations or paying for the return of or gaining back access to data

Funds Transfer Fraud Coverage – available with some polices but note that a separate crime policy may cover this as well

While one can never be completely free of the risk of becoming yet one more cybercrime statistic, the good news is that with the addition of cyber liability coverage this risk can be appropriately managed.

_________________________________________________NOTE: This material is intended as only an example which you may use in developing your own form. It is not considered legal advice and as always, you will need to do your own research to make your own conclusions with regard to the laws of your jurisdiction. In no event will ALPS be liable for any direct, indirect, or consequential damages resulting from the use of this material.

Checklist for Becoming Cyber Secure

This checklist is intended to help those who have a desire to become more cyber secure know where to start. It may also be helpful in identifying areas of concern that can and should be discussed with IT support personnel. Most importantly, be aware that cybercrime attack vectors will continue to change and evolve as will the sophistication of the attacks. Becoming cyber secure is an ongoing process, not a once and done effort. That said, here are the basics; and note that when the word “devices” is used, this word is meant to include all mobile devices and any home computers that are being used for work.

____ Keep hardware and software as current as possible. You don’t need to be first in line for the latest and greatest; but don’t be the last in line either. Newer devices and programs typically include improved security features and cyber criminals often target older devices and programs.

____ Keep your server in a locked room because physical security matters!

____ Deploy effective security software suites on all devices.


____ Deploy effective intrusion detection systems.

____ Deploy a spam filter.

____ Keep all software on all devices up-to-date with the latest critical patches.

____ Determine where all office data is stored and then create a security policy that responsibly addresses the situation.

____ Password protect all devices.

____ Use two factor authentication whenever available on any device or with any application.

____ Develop a password policy that mandates the use of strong passwords (14 characters or more using upper and lower case, numbers, and special characters) and requires that passwords be changed on a periodic basis. Note: Every application and device in use should have its own unique password and no password should ever be reused once changed. The use of a password manager can make this task easier and more secure than, for example, storing passwords in a file labeled “passwords” or writing them down and placing that list in a desk drawer.

____ Prohibit the sharing of user IDs and passwords with anyone, to include others within the office.

____ Have your IT support person change the default values on all wireless routers, server operating systems, etc.

____ Wireless networks should be set up with proper security to include enabling strong encryption. This means you must disable WEP and WPA encryption and require WPA2 encryption. Do not overlook home networks if home computers are being used for work.

____ Backup all data, periodically do a test restore of the backup, and store the backup in accordance with a disaster recovery plan because floods, fires and ransomware attacks happen. Backups should also be encrypted if taken off site or stored in the cloud. If using a cloud vendor, the vendor should not have access to the decryption key.

____ Any device that goes off site and contains any client confidences must be password protected and should be encrypted. This includes jump drives, external hard drives, laptops, smart phones, tablets, and home computers.

____ Limit privileges and access as appropriate. For example, does everyone in the office need access to the business’s financial or employment records? Can everyone download and install anything they want on any device they have access to? Can everyone make changes to the system configuration? Don’t make it easy. Place limits on what people can


do. Such limits can either be set up electronically via file permissions or physically via a locked door or cabinet.

____ Encrypt email and all data you place in the cloud. Some cloud companies advertise that they encrypt your data but only do so while the data is in transit. You must make certain your data is encrypted “at rest” as well. Better yet, don’t rely on the cloud provider for this at all. Encrypt your data before placing it in the cloud to enable you to have control over the encryption key.

____ Mandate that all work related Internet sessions be encrypted and prohibit the use public computers and unsecured open public Wi-Fi networks. This does mean that access to the office network must always occur through the use of a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.

____ Prohibit the use of any public computer for any reason. This would include the use of computer stations made available in the business center of a resort or hotel just as one example.

____ Have a policy that prohibits the jailbreaking of any mobile device that will be used for work. Jailbreaking is defined as modifying the operating system from its original state.

____ Never allow a non-employee to have access to your network absent appropriate oversight. In a similar vein, immediately upon the termination of anyone cut off all avenues of access to the network. Terminated individuals should never have access to any office computer or network plug, even if it’s to simply download personal files, absent a trusted escort.

____ Provide mandatory social engineering awareness training to everyone at the office at least every six months.

____ Develop a cyber breach incidence response plan and provide the necessary training. At its most basic, if anyone suspects a device has been breached, teach them how to immediately disconnect from the Internet and/or the office network and instruct them to contact IT support immediately. They should never try to resolve the problem themselves!

____ Purchase a cyber liability insurance policy.

____ Check your internal and Internet-facing network security at least annually to make sure your network is secure. This can be done by having a vulnerability assessment or penetration test done.

____ Properly dispose of any device or digital media that has or had any business-related data on it. Don’t overlook digital copiers, digital cameras, memory cards, CDs, DVDs, jump drives, backup tapes, etc. All devices and media must be digitally wiped clean and/or physically destroyed. This does mean that devices cannot be given away for personal use, donated, recycled, or sold unless the entire drives have been overwritten.



Documents

csimt.govcsimt.gov/wp-content/uploads/INS-CE-Cyber-Talk-2018.… · Web viewDefine what might be acceptable to download and what ... place the confidence in a Word document