2021 marked a milestone year with a record-setting number of data compromise events. There was a 50% increase in cyberattacks per week on corporate networks compared to 2020. In the United States, ransomware actors shifted their focus from “big game” organizations to midsize victims halfway through 2021 after they suffered disruptions from cyber authorities. Arguably, small and medium-sized businesses felt the increase the most. Evolving tactics and techniques of cybercriminals demonstrated their growing sophistication and their increased threat to organizations globally.
Authorities recognized ransomware as the biggest cyberthreat facing the United States. Most commonly, cybercriminals continued to initiate ransomware attacks via phishing emails, stolen remote desktop protocols (RDP) credentials, and exploited software vulnerabilities. Much of the cyber turmoil that plagued the world in 2021 will continue into 2022, according to Experian’s annual Data Breach Industry Forecast for 2022.
As big-time players are increasingly hacked, breached, and attacked, smaller businesses realize that it is no longer a question of “if” the attack is coming but rather “when” it is coming. This raises the serious question of what businesses can do to mitigate the risks and improve the odds of surviving an attack. “Businesses must increase their focus and move past simply catching up to the ‘new normal’ in how they operate,” said Michael Bruemmer, global vice president of Experian Data Breach Resolution.
It is recommended that organizations:
- keep all operating systems and software up to date
- encrypt cloud data
- secure and monitor potentially risky services (e.g., RDP)
- implement user training programs and phishing exercises
- require multifactor authentication (MFA)
- require strong and unique passwords
- protect cloud storage by backing up to multiple locations
Today, as we continue to see cybersecurity threat numbers rise, more companies than ever prioritize cybersecurity and cyber insurance as a single unit to mitigate potentially crippling risks that cyber incidents pose. The challenge for many organizations is understanding what cyber insurance offers, what it covers and how it can be secured.
Generally, cyber insurance is designed to protect the company from cybersecurity risks, privacy risks, operational risks, and service-related risks. In most cases, a cyber policy protects organizations in case of network interruptions, network security and privacy liability, media liability as well as errors and omissions. Often the coverage includes legal expenses, data restoration costs, IT forensics, public relations and other costs. Of course, all of this depends on the specifics that a company and insurer agree upon.
When applying for cyber insurance, businesses ought to understand that securing a policy heavily depends on the already existing security infrastructure and security practices.
It is important for businesses to move past the thinking that cyber insurance is just a nice thing to have in case of an emergency and adopt a view that a cyber policy is an integral part of a company’s security infrastructure. For more information on cyber insurance, contact Gulfshore Insurance today.
Gulfshore Insurance is a Naples, Florida based insurance agency specializing in business insurance including liability insurance, property insurance, workers compensation insurance, vehicle insurance, business income interruption insurance, cyber insurance, commercial umbrella insurance, and more. Our insurance and risk management advisors are industry specialists for condominium associations, golf and country clubs, oil and petroleum marketers, construction, landscaping, churches and non-profits, and work comp. Navigating insurance requires an experienced and trusted insurance agent who understands your business risks and exposures. Gulfshore Insurance services Naples, North Naples, Marco Island, Bonita Springs, Fort Myers, Sarasota, Lido Beach, Longboat Key, Bradenton Beach, and Southwest Florida. We have office locations in Naples, Fort Myers, Fort Lauderdale, and Sarasota.
A growing number of cybersecurity threats have companies on high alert. More sophisticated cyberattacks have been aimed at the data and assets of corporations, and carriers are increasingly requiring insureds to implement multifactor authentication as a subjectivity for a cyber liability policy.
What is MFA?
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more credentials in order to gain access to an account. Rather than just asking for a username and password, MFA requires one or more additional verification factors unique to the individual, which decreases the likelihood of a successful cyber attack.
Picture yourself at an ATM withdrawing money from your bank account. Your debit card (something you have) is one authentication factor. However, to access your account, you also need to enter the PIN that is associated with your debit card. Your PIN (something you know) is your second authentication factor.
Credentials May Include:
- Things you know: a password or personal PIN
- Things you have: a badge or cellphone
- Things you are: biometric information such as fingerprints or facial recognition
Why is it Important for Cyber Security?
Password compromises have accounted for 81 percent of data breaches in recent years. There are limits to what a single password can do. Rather than asking for a single password that hackers and cyber criminals can gain access to, this adds an additional layer of security. MFA helps protect against unauthorized access, data breaches and password-based cyber-attacks.
Where Should it be Implemented?
MFA is recommended to be implemented across:
- all remote access to data or the environment (email, VPN, etc.) for access to cloud and on-premises applications
- for any additional applications (internal or external) that contain personally identifiable information (PII)
- internal activity with privileged users (owners of a credential that has admin access locally to a part of the system or domain-wide across many devices or servers).
In plain English, companies should look to secure any remote access points to their systems or data with MFA. Internal usage of privileged accounts, such as local administrators or domain administrators, should be also secured with MFA where possible.
Some Factors are Stronger than Others
Cybersecurity professionals have long advocated that two factor authentication utilizing text messages (SMS) is less secure than other methods. The US government stopped using SMS authentication in 2016 — and encouraged others to do the same. Since then, there have been successful breaches across organizations that still utilize this less secure variation of MFA.
There are countless ways for criminals to bypass SMS authentication, some more complex than others, but opt for utilizing MFA apps like Duo, Google Authentication, or Microsoft Authenticator if you’re using a smartphone as a means to enable MFA for your organization.
MFA is Not the End-All-Be-All
MFA is an important preventive measure to take to avoid security breaches, but it is not an all-encompassing solution to protect an organization. As noted above, there are weaknesses with SMS-based authentication — and even the most secure forms of MFA have limitations.
For example, if an employee’s personal computer was already compromised and they were utilizing a VPN to work from home, MFA may not prevent malware spreading throughout the corporate network . Additional external defenses would be necessary for further risk mitigation.
What Does an MFA Roll-out Involve?
The timeline and cost of implementing MFA is dependent on several factors, like the size of your organization, the email provider and other technology platforms you’re using, and how you plan to introduce the concept to all of your employees (from stakeholders to the IT department). In some cases, for companies who are already using a system, like Microsoft O365, that has MFA built in; it would only be a slight exaggeration to say that the process for implementing MFA at these organizations is as easy as flipping a switch. In other organizations, with many overlapping technology platforms and access points that have accumulated over time, implementation can be a bit more involved.
While the ultimate goal of MFA implementation is to eventually cover all users across your systems, it’s good to prioritize where to begin based on the risk level to the organization. Starting with administrative (and high-risk) accounts has two key benefits: privileged accounts have the greatest security impact, and you can use what you learned in the roll-out with senior leaders to aid in deploying to the next round of employees. As you consider what systems require user log-in, recognize where you’ll need to update (or replace) older infrastructure that doesn’t support modern authentication.
Click to download instructions on setting up MFA in Office 365.
Like many businesses, your company probably uses computers to send, receive, or store electronic data. Such data might include sales projections, tax records, and other information owned by your business. If the data is lost, stolen, or damaged due to a security breach, it could be very costly to replace or restore. Your computer system might also contain sensitive data that belongs to other parties such as clients, employees, and vendors. If the data is lost or compromised by a hacker, the owners might sue your company for damages. You can protect your business against the costs associated with data breaches by purchasing a cyber liability policy.
What Cyber Insurance Covers
Generally, cyber insurance is designed to protect your company from these primary risks through four distinct insuring agreements: network security, privacy, interruption to your business, and media liability. Below you will find an explanation of each and what specific cyber risks it covers.
Network Security
This aspect of cyber insurance covers your business in the event of a network security failure; which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise. Network security coverage includes first-party costs––expenses that you incur directly as a result of the cyber incident, including:
- Legal expenses
- IT forensics
- Negotiation and payment of a ransomware demand
- Data restoration
- Breach notification to consumers
- Credit monitoring and identity restoration
Privacy Liability
Privacy Liability coverage protects your company from those liabilities arising out of a cyber incident or privacy law violations. These third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement. An example would be defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach.
Network Business Interruption
Network business interruption coverage provides a solution for companies that face an operational cyber risk. When your network, or the network of a provider that you rely on to operate, goes down due to an incident, you can recover lost profits, fixed expenses, and extra costs incurred during the time your business was impacted. This includes loss arising from:
- Security failures, like a third-party hack
- System failures, such as a failed software patch or human error
Media Liability
This provides coverage for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, as well as printed advertising.
At Gulfshore Insurance, we understand the complexity of cyber policies. Regardless of your business’ size or industry, we have a cyber insurance solution to fit your needs.
Jon White is Client Advisor at Gulfshore Insurance specializing in community and condominium associations. Jon works with a wide range of business clients to deliver strategic risk analysis and guidance. Comments and questions are welcome at jwhite@gulfshoreinsurance.com
Gulfshore Insurance is a Naples, Florida based insurance agency specializing in business insurance including liability insurance, property insurance, workers compensation insurance, vehicle insurance, business income interruption insurance, cyber insurance, commercial umbrella insurance, and more. Our insurance and risk management advisors are industry specialists for condominium associations, golf and country clubs, oil and petroleum marketers, construction, landscaping, churches and non-profits, and work comp. Navigating insurance requires an experienced and trusted insurance agent who understands your business risks and exposures. Gulfshore Insurance services Naples, North Naples, Marco Island, Bonita Springs, Fort Myers, Sarasota, Lido Beach, Longboat Key, Bradenton Beach, and Southwest Florida. We have office locations in Naples, Fort Myers, Fort Lauderdale, and Sarasota.
In today’s world, doing business online is an everyday occurrence, but for businesses, it does carry increased risks. Do you know what your exposure is? Gulfshore Insurance is pleased to offer Cyber Liability insurance. To find out if you may need this type of protection, take this 8-question quiz. Your answers to the questions below help determine your level of risk.
Evaluate Your Level of Cyber Exposure:
- Does your business retain physical or electronic records of employees or other third parties with any of the following?
– Social Security Numbers
– Drivers’ License Information
– Tax Identification Numbers
– Birth dates
– Medical or Health Records
– Court Records
– Police Records
– Banking Information (Checking/Savings Account)
– Email Addresses or Home Addresses
- Does your business have employees?
– Yes
– No
Fact: Most data breaches involve an employee mistake. They can lose a mobile device, laptop, or paper records, or make costly errors such as opening an unauthorized email containing malware. In addition, they can even intentionally steal data.
- Does your business have an active website?
– Yes
– No
Fact: Material posted electronically, or in written format, may lead to copyright or trademark infringement, or defamation litigation. If the website is transactional, additional exposures include possible hacking or disruption of your business via denial of service attacks.
- Does your business use third-party vendors (e.g. cloud, IT services)?
– Yes
– No
Fact: Businesses in possession of personally identifiable information may be held liable for privacy breaches caused by their vendors or other third parties. As the owner of the data, your business is ultimately responsible for protecting it.
- Does your business use mobile technology (smartphones, tablets, laptops)?
– Yes
– No
Fact: Loss of mobile devices and the electronic content contained therein is one of the leading causes of data breaches today.
- Does your business accept credit card payments, electronic payments, or have online bill pay?
– Yes
– No
Fact: Almost 40% of all data stolen is credit card and other payment information. This is a category of data that is highly desired by criminals for resale on the black market.
- Does your business allow employees to use personal devices to connect to your network?
– Yes
– No
Fact: Personal devices may not have the same security software and other connectivity procedures as company-provided devices. As a result, when these personal devices are connected to your network, there may be a higher exposure to virus or malware threats.
- Does your business store your customers’ corporate confidential information?
– Yes
– No
Fact: Companies face liability for failing to protect their customers’ and business partners’ confidential information.
If you answered “yes” to one or more of the questions, your business has exposures which may lead to cyber-related claims or suits. Can you afford to self-insure these exposures? At Gulfshore Insurance, we understand the complexity of cyber threats and have solutions to help protect your assets. Regardless of your business’ size or industry, we have a cyber insurance solution to fit your needs.
Click here to download the Cyber Exposure Quiz
Joe Thompson is a Client Advisor and Partner at Gulfshore Insurance who specializes in managing risk for community associations and various contractors. Comments and questions are welcome at jthompson@gulfshoreinsurance.com
Gulfshore Insurance is a Naples, Florida based insurance agency specializing in business insurance including liability insurance, property insurance, workers compensation insurance, vehicle insurance, business income interruption insurance, cyber insurance, commercial umbrella insurance, and more. Our insurance and risk management advisors are industry specialists for condominium associations, golf and country clubs, oil and petroleum marketers, construction, landscaping, churches and non-profits, and work comp. Navigating insurance requires an experienced and trusted insurance agent who understands your business risks and exposures. Gulfshore Insurance services Naples, North Naples, Marco Island, Bonita Springs, Fort Myers, Sarasota, Lido Beach, Longboat Key, Bradenton Beach, and Southwest Florida. We have office locations in Naples, Fort Myers, Fort Lauderdale, and Sarasota.
Below is an infographic that shows how serious ransomware attacks have become. Ransomware is by far the leading data breach exposure and the ransom amounts are growing exponentially. The cost of paying the ransom is just the tip of the iceberg when it comes to resolving all of the associated attack issues.
Working with a trusted insurance agent who has proven expertise in cyber security and familiarity with the unique risks posed to the construction industry is the best way for companies to ensure that they are adequately covered.
Gulfshore Insurance is a Naples, Florida based insurance agency specializing in business insurance including liability insurance, property insurance, workers compensation insurance, vehicle insurance, business income interruption insurance, cyber insurance, commercial umbrella insurance, and more. Our insurance and risk management advisors are industry specialists for condominium associations, golf and country clubs, oil and petroleum marketers, construction, landscaping, churches and non-profits, and work comp. Navigating insurance requires an experienced and trusted insurance agent who understands your business risks and exposures. Gulfshore Insurance services Naples, North Naples, Marco Island, Bonita Springs, Fort Myers, Sarasota, Lido Beach, Longboat Key, Bradenton Beach, and Southwest Florida. We have office locations in Naples, Fort Myers, Fort Lauderdale, and Sarasota.
