Risk Report
with Henriott Group, Inc. Workplace and Risk Management topics aimed at business owners, managers and other organizational leaders.
When the President Speaks, Will People Listen? | Privacy & Cyber Security | Henriott News & Updates
By Rick Davis, CIC, CRM, CEO at Henriott Group, Inc.
The excerpt on the cover was taken from President Obama’s recent State of the Union address, where he highlighted the real threat of cyber-terrorism and other forms of cyber-attacks being waged against our government and key businesses and institutions across the U.S. Although it’s unlikely any of you reading this are a cyber-terrorism target, it’s extremely likely that some of your organizations have been or will be a target for cyber-attacks of some kind. We want to take this opportunity of heightened awareness around this topic to provide some education, tools and other resources to help your organization address this emerging risk. We’ll commit a few Risk Reports to this topic, but there is a lot more where this came from, so if you have questions or need assistance, don’t hesitate to call us.

For starters, consider these facts:

1. In most cases, your existing insurance policies do not cover Cyber Liability or first-party losses you might incur as a result of a breach. If they do provide any coverage, it will most likely be very limited.

2. Businesses of all sizes and types are targets for cyber-attacks. A recent study by Symantec found that 40% of attacks are against organizations with fewer than 500 employees.

3. Attacks don’t always come from the outside. Many organizations don’t have the IT security infrastructure in place and sometimes place too much trust in employees, which is exactly what a disgruntled or recently fired employee needs to execute an attack on the business.

4. Another recent study found that the average claim per breach over the last two years was $3.7 million, but if you carve out the very large claims in excess of $75 million, the average was still $200,000. Many businesses can’t afford a $200,000 hit to their operation, not to mention the time, effort and complexity involved in dealing with a claim like this.

5. The cyber insurance market is growing rapidly, over 25% in 2012, and is nearly equal in size to the market for Employment Practices Liability coverage, which has been around twice as long. Companies are obviously seeing the need for this coverage as a way to transfer some of this risk to the insurance market.

6. Availability of the coverage is still strong, and pricing, terms and conditions have stabilized as well. Depending on the size and type of business involved, premiums can range from $5k to $25k per $1 million in coverage, or higher.

With those facts in mind, following is some additional information on where the risks might come from and some basic risk management practices to consider.
Privacy & Cyber Security | Rick Davis

With the enormous amount of sensitive information stored digitally, companies need to take the proper measures to ensure this data is never compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Failing to do so can result in a data breach, which costs companies billions of dollars every year. Understanding the risks involved with data security can help you prevent a privacy breach.
Know the Risks
The first step in protecting your business is to recognize basic types of risk:
Malicious code. This is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
  o Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
  o Worms: This code propagates between systems without user intervention. Worms typically start by exploiting a software flaw; once the victim’s computer is infected, the worm attempts to find and infect other computers.
  o Trojan horses: Trojans hide in otherwise harmless programs on a computer and, much like the Greek story, release themselves when you’re not expecting it and cause a lot of damage. For example, a program that claims to speed up your computer but actually sends confidential information to a remote intruder is a popular type of Trojan.

Hackers, Attackers & Intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering a client’s information).
IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  o Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and their importance to the organization.
  o Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization.
Due Diligence When Selecting an ISP

When selecting an internet service provider (ISP) for a company’s business use, precautionary measures are a must. An ISP provides its customers with Internet access and other Web services. In addition, the company usually maintains Web servers, and most ISPs offer Web hosting capabilities. Many companies take advantage of this to perform backups of emails and files, and may implement firewalls to block some incoming traffic. To select an ISP that will reduce your cyber risks, consider the following:

Security – Is the ISP concerned with security? Does it use encryption and SSL to protect any information that you submit?
Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
Services – Does your ISP offer the services that you want, and do they meet your organization’s needs? Is there adequate support for the services provided?
Cost – Are the ISP’s costs affordable, and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems or a high volume of users? If the ISP knows that its services will be unavailable, does it adequately communicate that information to its customers?
User support – Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
Speed – How fast is your ISP’s connection, and is it sufficient for accessing your e-mail or navigating the Web?
Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?
Government Regulations

There aren’t many federal regulations regarding cyber security, but the few that exist cover specific industries. The 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley (GLB) Act and the 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA), mandate that health care organizations, financial institutions and federal agencies, respectively, protect their computer systems and information. Language is often vague in these laws, which is why individual states have attempted to create more specific laws on cyber security. California led the way in 2003 by mandating that any company that suffers a data breach must notify its customers of the details of the breach. As of Aug. 2012, 46 states and the District of Columbia have data breach notification laws in place. Alabama, Kentucky, New Mexico and South Dakota have yet to enact such a law.
The Latest Henriott News & Highlights

We are privileged to tell you about our new artist, Roger Carnes, who is currently displaying his beautiful photos in our office. Roger and his wife Beverly love to travel and document their experiences through photography. He does just that, and when you view his works here, it’s like you are experiencing his travels with him. Please stop by and enjoy his wonderful art with us. Thank you for sharing, Roger!
Protection is Our Business

Your clients expect you to take proper care of their sensitive information. You can never see a data breach coming, but you can always plan for a potential breach. Contact Henriott Group today; we have the tools necessary to ensure you have the proper coverage to protect your company against a data breach.
THANK YOU FOR HELPING US CELEBRATE 50 WONDERFUL YEARS OF PARTNERING WITH AMAZING CLIENTS!
WE COULDN’T HAVE DONE IT WITHOUT YOU!
Client Focused. Results Driven.