Why Even Small Businesses Need Cyber Liability Protection
Do you think your business is so small that it is …
Social Engineering Fraud: a broad term describing scams in which a bad actor tries to trick, deceive and manipulate victims into providing confidential information and/or funds
Funds Transfer Fraud: refers to scenarios in which a bad actor obtains money based on false representations
Business Email Compromise: when a bad actor obtains access to a business email account and imitates the owner’s identity
Computer Fraud: the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.
Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization.
A breach of security safeguards is defined in PIPEDA as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.”
“PIPEDA’s accountability principle provides that an organization remains responsible for the personal information it has transferred to a third party for processing.” Therefore, the principal organization is responsible for breach reporting if a breach occurs at the third-party processor.
Technological integration and interconnected products (Internet of Things) are transforming our lives and the way we do business.
The smartphones we know today didn’t exist ten years ago. Thirty years ago, people didn’t even own computers!
In today’s world we’re surrounded by smart products and computing devices embedded in everything from your fridge to the industrial control systems that keep our country running.
These devices collect data that computer scientists combine with analytics to enhance processes and improve products, efficiencies, the customer experience and much more.
Increased connectivity also means increased exposure to cyber threats, and all devices connected to your network become possible points of entry for cyber criminals to access that network.
Additionally, each device group (e.g. cameras, alarms, lights, etc.) runs different software. This matters because all software contains bugs, and the bugs that can be exploited leave you vulnerable to cyber-attacks.
Every unique piece of software requires regular, ongoing updates and patches to fix these bugs, hopefully before they’ve been exploited by cyber criminals.
Most, if not all, areas of business rely on a combination of the internet, computers, IT infrastructure, and support for day-to-day operations.
If any one of these four requirements is not available, then all other areas of the business will be affected.
The reality is cyber incidents threaten the organization as a whole. These incidents have the capacity to suspend a company’s entire operation, which may affect its ability to meet contractual obligations, result in reputational damage, or even leave the company exposed to legal claims.
Directors & Officers have a fiduciary duty to effectively manage an organization’s risk. The consequences for inadequacy can be irreversible. The responsibility put on those in upper management is held to a higher standard as they make decisions on behalf of the company.
Being a cybercriminal is a full-time job. They “punch in” and “punch out” every day, have weekends off, vacation days, etc. With so much time and money dedicated solely to cybercrime it’s no surprise that they are better equipped than most of our IT departments.
It’s human nature to make mistakes and those mistakes may be at your company’s expense.
When it comes to cyber security, complacency is not an option. Those in upper management have a higher standard of responsibility placed upon them, as the decisions they make impact the entire company. As a result, Directors and Officers are held accountable for their actions or inactions.
Backups
Not just one, but multiple. We’re talking backups for your backups! Online, offline, cloud, external hard drives, paper… whatever the medium you need to ensure there is more than one copy of the critical data needed to run your business.
VPN
A VPN creates an encrypted tunnel between you and a remote server. It offers a secure way to connect to the internet, encrypting the data sent over the connection which gives you better levels of privacy while online.
End-Point
What’s an end-point? An end-point is any device that is physically an end point on a network. Laptops, desktops, mobile phones, tablets, servers, and virtual environments can all be considered end-points. Keep an inventory, ensure all end-points have up to date software and antivirus, and wipe all sensitive data from end-points that are no longer in use.
NextGen Anti-virus (NGAV)
Next-Generation Antivirus (NGAV) uses a combination of artificial intelligence, behavioural detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented. NGAV is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing infrastructure, and updating signature databases is eliminated.
Patching
Why is patching so important? Security! The most critical and obvious benefit of patch management is heightened network security. Patches are often created after a company has experienced a data breach to ensure other businesses’ data remains safe, and applying a patch as quickly as possible lessens the risk of your business becoming affected. Patches typically also come with performance improvements, which result in increased productivity.
Employee Education
For cyber security to truly be effective you need participation from everyone. Every employee, every day. The most cost-effective way to avoid unnecessary cyber incidents is to constantly educate and train your staff. Once-a-year, “code of conduct” style training is not enough in today’s world. The threat landscape is constantly evolving, therefore you should be constantly educating. Your people can be your best defence, but without the proper tools and training, we can assure you they are the weakest link.
Insurance
Insurance is an integral part of any risk management strategy. Cyber risks are complex and difficult to comprehend, but what we do understand is these risks exceed almost all organizations’ risk tolerance thresholds.
Multi-Factor Authentication
MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that requires you to present two pieces of evidence – your credentials – when logging in to an account. Each piece of evidence falls into one of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). MFA helps protect you by adding an additional layer of security, making it harder for bad actors to log in as if they were you.
Incident Response Planning
An incident response plan (IRP) is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.
By having a well-documented and practiced IRP, your organization will be better equipped to handle and recover from cyber incidents.