Cybersecurity Risk Management 101

The breach

Cyber hacking is big business, which is why it is becoming more and more likely that your electrical contracting firm could suffer from a cybersecurity breach. At first glance, the greatest risk might seem to lie with high-profile and high-risk businesses. However, small- to medium-sized businesses are increasingly finding themselves at risk. According to a recent study by the U.S. Secret Service and Verizon Communications, Inc., more than 72% of all data breaches occurred in small- or medium-sized businesses.

Think about your day-to-day work activities. You regularly correspond through e-mail, transfer information via the Internet, and conduct business meetings online. If you secure names, social security numbers, or any other sensitive customer information, you’re required by law to take all the necessary steps to protect this data from loss and theft. If a breach occurs, do you know what you’re required to do after such an event?

In the United States, most states have breach notification laws, and other countries are following suit. In other words, many laws mean written notification must be sent to the affected individuals. Even where such laws are not in place, your firm would be wise to provide breach notification if there’s ever an issue.

Losing the trust of customers can be much more damaging than the financial loss of repairing the effects of any breach. To make matters worse, your business can be held liable for the loss of third-party data. If there is a data breach, your operation could find itself facing expensive damage claims.

Do-it-yourself risk management

The increasing threat of data breaches makes it important for every business to reinforce security practices. How do you manage this risk?

Security experts agree that the easiest place to start is with strong password protection. That’s right, password protection. Believe it or not, this is something a surprising number of IT-sophisticated businesses often fail to master. Many recently exposed “hacking” cases have been traced back to weak passwords that were either not encrypted, “salted,” or not changed regularly.

If managing passwords for all of the operation’s servers, apps, cloud services, databases, tablets, and laptops seems daunting, there are affordable password management professionals and software that will do it for you — usually avoiding the often big price tag of cyber insurance. Other tips to help secure your operation’s data, reduce potential liability, and, in many cases, reduce the cost of insurance, include:

• Get a firewall. There are hardware and software approaches that are both cheap and easy to use.
• Conduct regular assessments of possible risks to reveal hardware, software, and individual site vulnerabilities.
• Isolate computers that are used for sensitive applications, such as making electronic bank deposits, from the rest of your company’s network.
• Control access to data, which often means limiting delivery and exchange of customer or client-related documents and information to secure channels.
• Get antivirus software, and use it. There are a number of popular packages, most of which are relatively inexpensive. Although free updates are typically included, make sure to update the program regularly, or, better yet, allow the software to do so automatically.
• When an employee who has had access to the system leaves the company, make sure his or her passwords are no longer valid. Many companies lock an employee out of the system just before or at the same time he or she is being terminated.
• Create and implement a data security plan that includes immediate notification of all affected parties.
• Share the liability by demanding similar protocols with vendors, and check for compliance.

Insurance to the rescue

It’s important to realize that the data in your electrical contracting firm is probably not protected because liability for loss of customer or employee data is not typically covered under many of today’s insurance policies. Some existing business insurance policies do offer general liability, while Directors and Officers (D&O) liability may provide a measure of coverage for these areas. However, as the risk escalates, most electrical professionals, business owners, managers, and executives are discovering significant gaps in what is and what isn’t covered after a hack attack. Unfortunately, by then it’s too late.

A business interruption insurance policy will rarely come to the rescue in the event of a system failure because of a malicious employee, computer virus, or a hack on a business. Identity theft, telephone hacking, and phishing scams are all very real possibilities rarely covered by traditional business interruption policies. While few “umbrella” policies or blanket liability insurance policies cover these types of losses, a new form of insurance, “cyber liability insurance,” has been available for approximately 10 years. Regrettably, it is rarely purchased.

Cyber liability insurance can cover hacker attacks, viruses, and worms that steal or destroy a business’s data. Even e-mail or social networking harassment and discrimination claims can be covered along with trademark and copyright infringement. Cyber liability insurance will often cover the loss of profits because of a system outage caused by a non-physical peril such as a virus or attack.

When looking into cyber insurance, common sense dictates that all potential risks should be covered, including laptops and mobile phones. Portable devices make it much easier to both store and lose information. For example, a missing USB stick, a stolen iPad, or a laptop left in a job-site trailer are all real possibilities — and ultimately a gold mine for hackers. There are even viruses being built today with the sole purpose of attacking mobile devices.

A good insurance company will ensure a policy holder has all the protection in place that is possible. It can make sure a firewall is in place to protect your network and help create social media policies that reduce your company’s risk. Even if data is stored in the cloud, your firm may still be liable for a breach. Although controlling how a cloud provider handles the operation’s data is almost impossible, cyber insurance can protect the operation from its mistakes.

Although large corporations often have risk management budgets, small businesses typically don’t. Unfortunately, most hack attacks target businesses with less than 250 employees — a group where few firms have the financial means to pay the fines and lawsuits that result from breaches or data losses or to stay afloat throughout the repair and reconstruction process.

The bottom line for small- to medium-sized electrical contracting firms is this: Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Businesses, even small ones, are increasingly in their crosshairs and need to use every protection strategy available to combat this growing cyber threat.     

Battersby is a freelance writer in the suburban Philadelphia community of Ardmore, Pa. He can be reached at [email protected].

SIDEBAR: Hacking Threats

The stats related to cyber risk may surprise you:

• The cost of a data breach per record is $204, according to Tim Francis, enterprise cyber lead for Travelers.
• That amount of money can add up quickly. According to a Ponemon Institute report, the average total per-incident cost of a data breach was $6.75 million, based on figures compiled for the 2013 calendar year.
• Identity theft is the second most common concern among Americans today, according to Travelers’ Consumer Risk Index.
• A recent Pew Research survey showed 21% of Internet users have had an email or social networking account compromised or taken over by someone else without permission.