Shield Your Business: Top 6 Proven Ways To Prevent a Cyber Attack

If you're going to listen to anybody about what to do to prevent cyber liability losses—cyber hacking losses—you want to listen to the people who actually have to pay for it, and that's the insurance industry. There are a lot of experts about cyber defense and IT people and tech people who have theories about how to prevent cybersecurity losses or cyber insurance losses, but the only people that know it firsthand are the ones who actually have to pay the bills when these damages happen, and that's the insurance industry.

Here's a white paper from one of the largest risk management companies, who put together examples of all the losses they've seen and how to prevent them. The American Property Casualty and Insurance Association has a lot of members who are large insurance carriers that pay these claims, and they see what the losses are—and they tell you right in this white paper what you can do to prevent this.

Cybersecurity best practices: Businesses should implement a risk-based information security program. Here are the major components of that:

Multi-factor authentication — what that means is, you know, when you log in and it sends you a text message to make sure that you have a code to log in, that prevents a hacker from logging in directly to your account.

Backup management — making sure that anything that's critical, you have another copy of. And that means things like data, but also apps, programs. Because if you store all your data somewhere else but your programs are corrupted, what's it going to be like to reinstall all of your software? Your management software, your operational software. If you're a manufacturer, all your CAD/CAM and digital manufacturing software. If you're an insurance company, your agency management system. If you're a car dealer, all of your processing systems. So, you want to back up everything. And if you have intellectual property—patents, trademarks, customer information—you want to have that all somewhere else, including financial information such as accounts receivable.

One of the biggest losses we see for clients is: your accounts receivable is erased, and you don't know who owes you money. Think about how much you have sitting out in AR right now. And what if you magically, suddenly didn’t know where all that was? That money would be gone. Your clients aren't going to come forward and say, “Hey, where do I send my money?” They're probably going to let sleeping dogs lie if you don't send them a bill.

What else? What about passwords? Yeah, you should get rid of all default passwords. Have them changed regularly. It's inconvenient to have your employees have to change their passwords, but it’s a good way to keep from getting hacked. You don’t want them writing them down on a sticky note on their desk either.

What about patches? Well, patches are updates to programs that block known hacks. So every piece of software you have—most medium to large businesses have dozens, if not hundreds of different pieces of software that you use every day: browsers, logins, management programs, apps. Every single one of those has regular patches so that if there is a breach—if there is a discovered back door to the software—the provider will put out patches on a regular basis. You get those notices on your machine: “Hey, we want to upgrade your software,” “We want to put a new update, new version.” Take advantage of those because that’s going to be what blocks most hacks from getting to your system.

What about testing? Well, this is a little more advanced, but it can be done pretty easily. Have an employee, with permission, try to get into a system they’re not supposed to. Make sure that you perform this periodically and make updates to prevent those intrusions.

This also goes along with training. Make sure all your employees have awareness of where these hacks come from. Look—if you get an email from somebody on LinkedIn pretending to be the CEO of the company, don’t send them this file, don’t give them access. Your insurance carrier will tell you what are the common ways that people try to do catfishing or social engineering to get in.

Make that part of your everyday regular meetings. You don’t have to have a separate meeting just for cyber liability. But if you have a 30-minute meeting anyway, spend three or four minutes going over some basic things to remind people of what to do and what not to do.

What about detection? Well, this is easy. There are some very simple plugins you can install on your server, on your systems, that will detect patterns of activity from hackers and cyber breaches so you'll know about them when they happen.

And then also break up your network. Have firewalls so that one section is for customer information, one section is for financial accounting information, one section is for management. That way, you don’t have somebody who’s only supposed to be able to get into the consumer side—like on your website and put in information—be able to get into your accounting. Have them detached from one another so that access is only given to where it’s supposed to go.

What about third-party risk? Well, your system probably ties into vendors, clients, banks, accountants on an everyday basis and exchanges information. That’s convenient. That allows your clients to get information about their accounts. It allows your vendors to be able to provide services and billing to you. But you want to make sure that you know what their risk protection is. You want to get their best practices to know if you're at risk from an outside party connecting to your system.

The other ones are a little more obscure, like data mapping. Data mapping means knowing where all your data is and having a map of your system. It is helpful, though, for somebody to have a visual breakdown of where all your facilities are: your data centers, your headquarters, where all the networks are, even things like your hubs and your servers.

Most companies have more routers in their company than they realize. You may have Wi-Fi routers, you may have wired routers. Having a map of all those is important because all it takes is one of those to be breached for an outsider to get into your network. And if you know where all of them are, you can take an inventory of them and have a census, where you update those with patches—or if one is breached, you know which one to replace.

So this is a really good overview of what the best practices are for any company. You don’t have to pay anybody to do this for you—you could do it all yourself.

If you want a copy of this white paper, you can download it from the link in the video, or you can contact our office and we’ll be glad to send you a copy of it free of charge.

But this is a way that you, as a professional organization, can make your customers, your employees, your vendors all feel more secure—because they know you’re taking care of making sure you don’t have a catastrophic loss from some cyber event that was easily preventable.
