Barely a week goes by without report of a new major cyber attack. According to Hiscox, larger firms are still the most likely to suffer a cyber attack, but the proportion of small firms (less than 50 employees) reporting one or more incidents is up from 33% to 47%. For medium sized firms with between 50 and 249 employees, the proportion has leapt from 36% to 63%.
Travelers Insurance is reporting that 54% believe it is inevitable that their company will be a victim of a data breach or cyber attack. If you are holding clients’ personal data, you have an exposure. Think doctors offices, attorneys, retailers, non profits, financial advisors and insurance agencies. You are likely not immune.
Cyber attacks are happening, and they are very costly. It can cost upwards of $500,000 to repair the damage from an attack. For a series of claims stories and estimated costs, click here.
As a small business owner, do you have cyber insurance? And are you taking the right steps to prevent a cyber attack?
As a small business owner, you should attempt to prevent and prepare for a cyber attack in addition to buying cyber insurance.
Prevention is key to avoiding a cyber attack. In addition to having cyber insurance, all businesses should have a cyber policy that all of their employees must abide to. But what exactly should be in a business’ cyber policy? Isn’t cyber insurance enough to protect your business?
The simple answer is that cyber insurance will not prevent an attack – it will only pay for losses as a result.
Here are 9 key elements to a data security policy as suggested by Travelers Insurance:
Essential Elements of a Data Security Policy
- Establish Password Management: A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.
- Govern Internet Usage: Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.
- Manage Email Usage: Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.
- Govern and Manage Company-Owned Mobile Devices: When organizations provide mobile devices for their employees to use, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately. Requiring employees to be responsible for protecting their devices from theft and requiring password protection in accordance with your password policy should be minimum requirements.
- Establish an Approval Process for Employee-Owned Mobile Devices: With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed by the company.
- Govern Social Media: All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
- Oversee Software Copyright and Licensing: There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company.
- Report Security Incidents: A procedure should be in place for employees or contractors to report malicious malware in the event it is inadvertently imported. All employees should know how to report incidents of malware and what steps to take to help mitigate damages.
The Murray Group is committed to bringing security to our partners lives. We provide you with valuable tips and advice that you can apply in your daily life. Visit our blog for tons of information on all kinds of insurance.
Also, you can connect with The Murray Group further on The Murray Group Facebook Page.
Disclaimer: This article is for informational purposely only. There is no legal advice being suggested. The author assumes no responsibility or liability for the actions taken or not taken by the readers based upon such information.