On June 21st, Ralph Vanner, our CEO and cyber specialist spoke about Data Breaches and cyber liability at The Buffalo Club. Here are his biggest take away’s from the event:
No company, big or small, is immune to a data breach. Many small employers falsely believe they can elude the attention of a hacker, but the number of companies with fewer than 100 employees reporting data breach have increased significantly over the past year. One of the best ways to reduce a data breach is with a solid prevention plan. Measure your IT risk prevention plan and check for:
- A documented plan that includes the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments.
- Identify the systems used based on their function, the data stored and processed and importance to the organization.
- Cyber space is constantly changing, so review and update your cyber risk plan on an annual basis, at the very least.
- Educate your employees about different cyber-crimes like phishing and pharming scams.
- If your company doesn’t have an IT department, hire an outside company that will not only just set up proper security measures, but also establish clear responsibilities in the event of a potential breach.
- Monitor credit reports and financial data for the company. If you see things that don’t belong, investigate immediately.
- Secure customer, employee, or patient data by encrypting files and password protection.
Even by using preventative measures to avoid a breach, you are not immune. If a breach takes place in your system, it’s your responsibility to immediately investigate. The following basic information must be reported to appropriate management:
- When did the breach happen? Include at least date and time.
- How did the data breach happen? Identify the type of hack and where in the system the hack occurred.
- How many customers may be affected?
- What personal identifying information was possibly compromised? This should be as detailed as possible: name and social security, account information and password, etc.
- What events and people were involved? This should include internal and external personnel and environment
Once those five questions have been answered, decide what needs to be quickly communicated to your clients. The more quickly and honestly a breach can be dealt with, the fewer negative effects your company will endure. Perform a risk assessment that rates the:
- Sensitivity of the client information lost. Customer contact information alone may present much less of a threat than financial information
- Amount of information lost and number of individuals affected.
- Likelihood information lost is usable or may cause harm.
- Likelihood the information was intentionally targeted. Increases chance for fraudulent use.
- Strength and effectiveness of security technologies protecting information. Encrypted information on a stolen laptop will be much more difficult for a criminal to access.
- Ability of your company to mitigate the risk of harm.
Before you are hacked, make sure to check your policy. A traditional business liability policy is very unlikely to protect against most cyber exposures, since standard commercial policies are written against injury or physical loss. Be aware of potential cyber liabilities your company faces so you can manage the risk through proper coverage.