by Michael Tomlin
Does my company fit the profile of being considered high risk for cybercrime?
Any company that holds large volumes of customer information is a target. Most people assume that cyber insurance is only needed by financial institutions and the payment card industry because they carry sensitive data. These industries are undoubtedly high risk, but because of the nature of their business they are also heavily regulated and usually well protected. What we might call “low-hanging fruit” for these hackers are companies with either:
- High volumes of unencrypted Personally Identifiable Information (PII), which criminals look to sell in bulk on the dark web. (For example, your company is a target if you store clients’ driver’s licence details, Barbados IDs, passport numbers or email addresses.)
- Highly sensitive corporate or third-party data, even in small volumes, which attracts ransomware and extortion. If your company holds confidential third-party information, hackers will steal a copy of the data and threaten to post it online unless you pay them a ransom.
What are the most significant risks to my commercial company when dealing with cybercrime?
- Incident Response – First and foremost, the cost of the incident response itself: an investigation of your systems by an IT forensics specialist, restoration of data and systems, and the assistance of legal and PR counsel in the event of a breach. Cyber insurance typically includes access to this level of expertise.
- Ransomware – This is malicious software that cyber criminals use to block you from accessing your data. These “digital extortionists” encrypt the files on your systems and hold them “hostage” until your company pays for the key to unlock them. If your company does not pay, the data stays encrypted (or is wiped), and you are left to rebuild from whatever backups you have. We see more and more of this in the Caribbean. In a recent high-profile case, a regional company refused to pay the ransom, the cybercriminals left the data encrypted, and weeks later the company is still suffering.
- Social Engineering – This, unfortunately, is also becoming more prevalent in the Caribbean. It is the use of deception (for example, phishing) to trick victims into handing over confidential information or sending funds to the wrong bank account. Usually, the criminal breaks into one person’s email account and then approaches that person’s trusted friends or business associates with a request for money, or with a link that harvests their login details and gives the criminal control of their account as well. I have seen a recent situation where a lawyer received a request from one of their clients to transfer a significant sum to another account. Cybercriminals had hacked the client’s email, but luckily the lawyer followed good risk management procedure and contacted the client to confirm the transfer before sending the funds. Fortunately, client and lawyer averted disaster.
- System Failure leading to Business Interruption – This is the main concern for small to medium-sized businesses. The more your day-to-day operations depend on integrated systems, the more relevant business interruption cover becomes if a hacker shuts those systems down.
What are my company’s key considerations in reducing the risk of cybercrime?
Five years ago, I would never have thought this insurance was something critical to a business. Now, I would encourage companies to treat cybersecurity as part of their risk management procedures, just as crucial as a hurricane plan. Key considerations would be, for example: do you have tested backups of all your data, kept separate from your live systems so that ransomware cannot reach them? Are your staff trained not to ‘click’ on that suspicious email? Is there a ‘call back procedure’, using a telephone number already on file rather than one supplied in the request, before you send any funds to a third party? And if you are ‘low-hanging fruit’ for hackers because you hold personally identifiable information or highly sensitive corporate data, have you explored the option of purchasing cyber insurance to protect you against at least some of these risks?
What should my commercial business seek in terms of an insurance provider?
It is vital to choose a provider who understands your business. A good starting point is a provider that can offer a threat intelligence report and a simulated phishing exercise, both of which will point out weaknesses. In my view, the insurance company must also include a very experienced, trusted incident response team, as getting timely advice and recommendations while your company is under attack is the most critical part of the insurance.
Contact us today to discuss a custom cybersecurity plan for your commercial business
Originally published in The Business Authority, Nation News Barbados, November 2020