1-888-643-2217 Email ABEX
Keeping you updated

Tag Archives: cyber risk management

Cyber Liability: Protect Your Email

Spam EmailEmail is a critical part of everyday business, from internal management to direct customer support. The benefits associated with email as a primary business tool far outweigh the negatives. However, businesses must be mindful that a successful email platform starts with basic principles of email security to ensure the privacy and protection of customer and business information.

Set up a spam email filter.

It has been-well documented that spam, phishing attempts, and otherwise unsolicited and unwelcome email accounts for more than 60 per cent of all email that an individual or business receives. Email is the primary method for spreading viruses and malware. Consider using email-filtering services that your email service, hosting provider or other cloud providers offer. A local email filter application is also an important component of a solid anti-virus strategy. Ensure that automatic updates are enabled on your email application, email filter and anti-virus programs. Additionally, ensure that filters are reviewed regularly so that important email and/or domains are not blocked in error.

Protect sensitive information sent via email.

With its proliferation as a primary tool to communicate internally and externally, business email often includes sensitive information. Whether it is company information that could harm your business or regulated data such as personal health information (PHI) or personally identifiable information (PII), it is important to ensure that such information is only sent and accessed by those who are entitled to see it.

Email is not designed to be secure, so incidents of misaddressing or other common accidental forwarding can lead to data leakage. If your business handles this type of information, you should consider whether such information should be sent via email, or at least consider using email encryption. Encryption is the process of converting data into unreadable format to prevent disclosure to unauthorized personnel. Only individuals or organizations with access to the encryption key can read the information. Other cloud services offer secure Web-enabled drop boxes that allow secure data transfer for sensitive information, which is often a better approach to transmission between companies or customers.

Implement a sensible email retention policy.

It’s important to manage the email that resides on your company messaging systems and your users’ computers. You should document how you will handle email retention, and you should also implement basic controls to ensure information is retained for the necessary period. Many industries have specific rules that dictate how long emails can or should be retained, but the basic rule of thumb is only as long as it supports your business efforts. Many companies implement a 60- to 90-day retention standard if not compelled by law to use another retention period.

To ensure compliance, consider mandatory archiving at a chosen retention cycle end date and automatic, permanent email removal after another set point, such as 180 to 360 days in archives. In addition, discourage the use of personal folders on employee computers (most often configurable from the email system level), as this will make it more difficult to manage company standards.

Develop an email usage policy.

Policies are important for setting expectations for your employees or users, and for developing standards to ensure adherence to your published polices.

Your policies should be easy to read, understand, define and enforce. Key areas to address include what the company email system should and should not be used for, and what data is allowed to be transmitted. Other policy areas should address retention, privacy and acceptable use.

Depending on your business and jurisdiction, you may have a need for email monitoring. The rights of the business and the user should be documented in the policy. The policy should be part of your general end user awareness training and reviewed for updates on a yearly basis.

Train your employees in responsible email usage.

The last line of defence for all of your cyber risk efforts lies with the employees who use email and their responsible and appropriate use and management of the information under their control. Technology alone cannot make a business secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work and when to seek professional assistance. Employee awareness training is available in many forms, including printed media, videos and online training.

Consider requiring security awareness training for all new employees and offering refresher courses every year. You can provide monthly newsletters, urgent bulletins when new viruses are detected and even posters in common areas to remind your employees of key security and privacy do’s and don’ts.

 

© Zywave, Inc. All rights reserved.


Is a BYOD Policy Right for Your Company?

Executive with laptopMore and more employees—especially the young and technologically savvy—are no longer satisfied with company-issued tools to get the job done. Known as Bring Your Own Device (BYOD), businesses are finding that employees want to swap company equipment in favor of personally owned devices, such as laptops, tablets or smartphones that they are more comfortable using.

BYOD can be a money-saver for companies, reducing the amount spent on hardware and software purchases, maintenance and the cost of training employees to use the equipment. Especially for rapidly expanding companies, allowing personally owned devices could save thousands of dollars in upfront IT hardware costs for new employees. With BYOD, employees buy and maintain their own equipment. Companies can choose to compensate them by subsidizing or reimbursing their purchases, or offering flexible work schedules and the ability to work remotely.

In addition to saving money, BYOD can be effective for recruiting and retaining staff. With the freedom to choose the technology they are more comfortable working with, employees are more productive and satisfied with their jobs.

While BYOD saves some companies money, others could end up spending a lot more. Businesses that require the standardization of their applications, hardware and operating systems—meaning that some equipment must be integrated with others—could actually increase IT management costs if personally owned devices were added to the mix.

Adopting BYOD can expose companies to two major risks: IT security risks and data loss. This alone may be enough to compel a company to ban BYOD altogether. If you are considering adopting a BYOD policy, you should ask yourself whether the benefits are worth the risks. If your answer is yes, then employ risk management to mitigate those risks.

 

© 2015 Zywave, Inc.


Tailoring a Cyber Policy to Your Business

Hazards to insureCyber insurance is relatively new to the insurance market, which can present some challenges for both businesses and insurers. To date, there are no official industry standards for cyber insurance, but there have been major strides made in recent years to establish some regulations.

Due to the breakneck pace of the technological evolution and increasing pressures to digitize data, most businesses are left vulnerable to cyber attacks. The best way to protect yourself and your company is to conduct a risk assessment and identify any gaps in your coverage. Here are a few things worth looking for:

Understand the coverage that you have, and the coverage that you don’t. Many people might make the mistake of assuming that a commercial general liability (CGL) policy covers losses in the event of a cyber attack. However, assumptions like that can be costly, as many CGL policies specifically exclude electronic data. Take the time to review your current coverage and identify any exclusions that might leave you vulnerable.

Understand your company’s specific needs. Companies vary in their use of and dependence on data. For instance, customer data held by financial businesses is comparatively more valuable to criminals. Other companies, like online merchants, may potentially suffer greater losses as the result of an attack that crashes a website or interrupts service. Different policies have different limits, sublimits and exclusions for different kinds of losses, so it’s important to work with an expert who can find exactly where your liabilities lie and what kinds of coverage you need.

Consider retroactive coverage. Unfortunately, cyber breaches often go undetected for a long time. As a result, a policy that only offers coverage to the date of inception might leave you vulnerable to a cyber attack that hasn’t yet been discovered. To mitigate your liability as much as possible, get coverage with the earliest possible retroactive date.

Obtain coverage for third-party vendors. Many businesses outsource their data processing or storage to a third-party vendor. This is a smart move, especially if you aren’t equipped to handle the IT side of your business. Unfortunately, it may leave you liable for damages if the actions of that third party are responsible for a breach. Make sure you have coverage for the actions or omissions of third parties with which you do business.

 

 

© 2015 Zywave, Inc.


Physical Protection of Cyber Assets

Cyber attacks aheadWhen it comes to securing cyber assets, many people often think of only mitigating cyber risks like spam, phishing and malware. However, cyber assets can also be compromised physically. This article examines the physical exposures your cyber assets face and provides steps for mitigating these risks.

Secure company facilities.

The physical security of a facility depends on a number of security decisions that can be identified through a comprehensive risk management process. It is easy to think about physically securing your company’s facility as merely an exercise in maintaining control of access points and ensuring there is complete visibility in areas that are determined to be high-risk—either because of the threat of easy public access or because of the value of information located nearby. However, maintaining facility security also includes the physical environment of public spaces. For instance:

  • Employees whose computers have access to sensitive information should not have their computer monitors oriented toward publicly accessible spaces such as reception areas, check-in desks and waiting rooms. Employees should be trained to not write out logon information on small pieces of paper affixed to computer equipment viewable in public spaces.
  • Easy-to-grab equipment that could contain sensitive or personally identifiable information (PII), such as laptops, tablets and mobile phones, should be located away from public areas. If you have an environment where employees are working in a waiting room or reception area, train them to not leave these types of devices out on their desks unsecured.
  • Consider using cable locks as an easy way to increase security for laptop computers. Most laptops feature a lock port for a cable that can be connected to the user’s desk. Be sure to store the key to the cable lock in a secure location away from the desk to which the computer is locked.
  • If extremely sensitive information is stored on a laptop, consider installing tracking software. Most tracking software programs run unnoticed, and allow stolen computers to be located more easily. Many also allow administrators to wipe the hard drive remotely, if necessary.
  • Consider implementing a badge identification system for all employees, and train employees to stop and question anyone in the operational business area without a badge or who appears to be an unescorted visitor.

Minimize and safeguard printed materials with sensitive information.

The most effective way to minimize the risk of losing control of sensitive information from printed materials is to minimize the quantity of printed materials that contain sensitive information. Establish procedures that limit the number of copies of printed reports, memoranda and other material containing PII.

Safeguard copies of material containing sensitive information by providing employees with locking file cabinets or safes. Make it a standard operating procedure to lock up important information. Train employees to understand that simply leaving the wrong printed material on a desk, in view of the general public, can result in consequences that impact the entire company and your customers.

Ensure mail security.

Your mail centre can introduce a wide range of potential threats to your business. Your centre’s screening and handling processes must be able to identify threats and hoaxes and to eliminate or mitigate the risk they pose to facilities, employees and daily operations. Your company should ensure that mail managers understand the range of screening procedures and evaluate them in terms of your specific operational requirements.

Dispose of trash securely.

Too often, sensitive information, including customers’ PII, company financial data and company system access information, is available for anyone to find in the trash. Invest in business-grade shredders and buy enough of them to make shredding convenient for employees. Alternatively, subscribe to a trusted shredding company that will provide locked containers for storage until documents are shredded. Develop standard procedures and employee training programs to ensure that everyone in your company is aware of what types of information need to be shredded.

Dispose of electronic equipment securely.

Be aware that emptying the recycle bin on your desktop or deleting documents from folders on your computer or other electronic device may not delete information forever. Those with advanced computer skills can still access your information even after you think you’ve destroyed it.

Disposing of electronic equipment requires skilled specialists in order to ensure the security of sensitive information contained within that equipment. If outside help, such as an experienced electronic equipment recycler and data security vendor, is not available or too expensive, you should at a minimum remove computer hard drives and have them shredded. Also, be mindful of risks with other types of equipment associated with computer equipment, including CDs and flash drives.

Train your employees in facility security procedures.

A security breach of customer information or a breach of internal company information can result in a public loss of confidence in your company and can be as devastating for your business as a natural disaster. In order to address such risks, you must devote your time, attention and resources (including employee training time) to the potential vulnerabilities in your business environment and the procedures and practices that must be a standard part of each employee’s workday.

And while formal training is important for maintaining security, the daily procedures you establish both in how you normally conduct business and in the way you model good security behaviours and practices are equally important. In short, security training should be stressed as critical and reinforced through daily procedures and leadership modelling.

Establishing procedures and training employees to physically protect your company’s cyber assets will allow for a secure work environment.

 

© Zywave, Inc. All rights reserved.

 


Cyber Extortion Hits Close to Home

“It took me 26 hours of work… without sleep… to get the network back online. Not fun…” says Richard Mash of Network Partners.  In his most recent encounter with hackers Mr. Mash was helping his client, a local small business, after the hackers stole and encrypted the client’s information, demanding a ransom.

Mr. Mash continues “The client’s network became infected with a really nasty virus called CryptoLocker. The virus was sent to them in an email with an attachment that was supposedly a resume from a job applicant. Not surprisingly, someone in the HR department opened the attachment and within minutes the network was infected with a virus and all their critical data files were encrypted… The authors of the virus demanded a significant amount of money in return for decrypting the files, effectively holding the company to ransom. Luckily, we had good backups of all their data and we were able to recover everything without paying the ransom request. The important thing to note is this company had 3 different levels of anti-virus protection, all of which allowed the virus to penetrate the network.

I’m sure all of you are aware that computer viruses can be spread by email. Even though many of us maintain excellent anti-virus products on our networks to help protect our data from viruses, these programs are not 100% foolproof.  We also need help from our employees to keep important data safe.”

Mr. Mash shared some very helpful tips with ABEX to help us protect our network so we don’t encounter a similar problem.  We thought these tips would be worth sharing with you so that you can protect your network from viruses.  The most important thing is to be vigilant about emails that you receive:

  • NEVER open an attachment in an email that comes from someone you do not know or do not trust.
  • A simple rule of thumb: NEVER click on a link in an e-mail and avoid opening attachments if at all possible (Especially ZIP archives). And, if a link must be clicked on in an e-mail, hover the mouse cursor over the link to see where it leads to. If it looks suspicious please ask!
  • These emails may seem to come from companies that you trust, like Canada Post or UPS. If you are not expecting a “delivery notification” from a courier, then don’t open it.
  • Banks or Credit Unions will not send you unsolicited emails with attachments… ever. Just delete them.

How can businesses protect themselves?

To manage and minimize the potential damage from a cyber attack, companies should employ a comprehensive cyber risk management strategy that along with a cyber insurance also includes appropriate loss control techniques, an assessment of company’s networks vulnerabilities, and employee security awareness training.

Businesses should make sure that their cyber insurance policy coveres costs in case the company is unable to access its computer system, the system is infected by a virus, confidential information is compromised, or its brand and reputation is tarnished by posts on social media. In addition, the policy should cover the cost of independent computer security consultant to assess any threats, prevent immediate threats, offer reward to prevent perpetrators of the threat and reimbursement of any ransom the company is required to pay in the event above measures fail to mitigate the threat against them.

Please contact ABEX today for more information on our cyber risk management process.


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn