Imagine getting this email: “Your company has retained our firm to identify security risks. Specifically, your computer has been identified as a possible security problem. Before we meet with your management team, please click this link to review our findings based on your knowledge. Thank you.”
How many people do you think fall for it?
In the cyber world, social engineering is the art of convincing someone to act so a perpetrator can gain unauthorized access to whatever he or she is after. According to Eugene Slobodzian, Vice President of Security for Winxnet in Portland, about 10 percent of people receiving this kind of email go ahead and click an infected link or cough up their access information.
This was just one example at our Cyber Security Planning Seminar of the threats posed by hackers in search of data. The seminar, sponsored by Clark Insurance, Winxnet, Fletcher Media and INSUREtrust, took 80 participants through the “before, during, and after” of a data breach, also known as a cyber event.
A couple of quick facts:
- More than 80% of people surveyed by INSUREtrust indicated they had received at least one breach notification letter.
- Over 90% of those surveyed have experienced identity theft or know someone who has.
- Insurance carriers are scrambling to get into this market, which gives businesses lots of choices and competitive pricing – for now.
- About half the costs for required notifications are typically covered by insurance policies.
- Law enforcement authorities may want to keep your system online to track a hacker while your data continues to be compromised. They also may wish to confiscate your hard drives for their investigation. Call your lawyer firstto know your rights.
Perpetrators are being evermore clever at accessing records (e.g. financial records, passwords, social security numbers, etc.) for resale on the black market. For example, Steve Haase, CEO of INSUREtrust said even internet addresses of banks now can be perfectly replicated, never giving customers a clue they are being directed to a phony web site – another reason to never click through from an email purportedly from your bank.
Haase also recommended that if you simply have a suspicion of a breach, report it to your insurance company immediately. Policyholders are obligated to provide prompt notice to minimize covered losses.
Crisis communications authority Dianna Fletcher of Fletcher Media noted that early planning for internal, external, and regulatory audiences pays huge dividends when an actual event occurs. Spokespeople have been identified, a response team is in place, and outside vendors are on notice that you will need assistance. When time is of the essence, having a written and current plan saves money, resources, and reputations.
So, where to begin? Start compiling a handy binder that addresses….
- Work with an insurance agent to evaluate and propose a cyber insurance policy.
- Include your insurance policy in your cyber security planning document.
- Establish written policies and procedures regarding use and security of company computers, smart phones, laptops, and tablets.
- Provide mandatory annual training regarding system and data security.
- Conduct a penetration test to see if security policies are the same as practices.
- Assemble a Computer Incident Response Team (CIRT) with their 24/7 contact information.
- Have addresses/contacts accessible for all regulatory compliance requirements.
- Have your team trained and practice how to respond.
- Contact your insurance carrier and agent immediately and in writingfor coverage, consent for expenses, and defense arrangements as well as to tap their resources.
- Document your expenses.
- Contact your attorney (information can be handled under attorney-client privileges).
- Contact your IT and Security vendors.
- Implement your internal communications plan.
- Do notgo public or notify regulators without all the facts.
- Detect, analyze, contain, and eradicate the threat.
- Preserve evidence.
- Proceed with notification on advice of counsel and the CIRT.
- Issue one statement at a time, the first being the foundation of all communications, rather than conducting a series of interviews.
- Review and analyze your actions and refine your plan.
- Implement any additional security measures.
- Create an incident report.
- Monitor news media and social media, and respond as advisable.
- Listen to your stakeholders: What do they need?
Complicating your life is that no Federal law yet exists around data breaches, but 47 states have adopted their own. This means that should your data be compromised and it includes information for out-of-state businesses or consumers, you may have to comply with the regulations of multiple states as well as be subject to their penalties.
This work simply begins to scratch the surface of being prepared for a world that just will not stop at your door.