Protect Your Business From Cyber Attacks

No Guarantee of Results: The suggestions, comments, tactics and strategies contained herein are meant only to provide examples about running a successful business. They are not intended as a guarantee that the same or similar results can be obtained in every matter undertaken by you or your company; and you should not assume that a similar result can be obtained in any circumstance, no matter how similar to the example. The outcome of a particular strategy or tactic, or any combination thereof can depend on a variety of factors and, often, unexpected developments and circumstances beyond the control of any person, business owner or industry play a role in the resultant outcome. Professional Liability Insurance Group (PLIG) is not responsible for any action or inaction on your part as a result of reading this material. It is only to be used as a general guide. PLIG does not accept liability for any errors or omissions in the contents of this writing.

Upload: dariel-figueroa

Post on 09-Mar-2016


I. INTRODUCTION:

Data breaches are big news these days, with companies like AOL and Adobe experiencing security issues, and even the more recent Target security breach over the holidays, but what you do not hear about is the smaller companies that get breached every day. These stories don’t make it into the news because small data breaches just do not make great fodder for sensationalized news stories. But, don’t be fooled. Data security breaches happen to smaller entities on a grandiose scale because hackers know that smaller companies just do not have the resources to prevent an attack.

Follow the advice in this guide and please do not hesitate to contact us if any of these tips help to send you on your way to a more secure and sheltered business environment. Our main goal at the Professional Liability Insurance Group is to not only protect our clients, but to educate them as well. Your success is our success and we want nothing but the best for your business’s data security this year!

Sincerely,

Shayne Bevilacqua, MBA
Principal
The Professional Liability Insurance Group

II. What is Data Privacy?

Data privacy is one of the most important factors in the success and retention of a company’s fundamental growth. Privacy, or lack thereof, affects a company’s management, employees, and most importantly customers. More and more of a person’s life is on the internet with the advent of online banking, social media, insurance and medical enrollments all being processed through online functionality. And although the government has created a myriad of laws to help protect a company and individual from the harms of cyber hacking and theft, it is up to a company’s security and risk professionals (S&R professional) to help stave off security risks that may affect, harm or damage an entity’s precious data storage.

Most people cannot easily define data privacy. We live in an age where data such as birthdates, opinions, locations and intimate moments are captured and displayed through various forms of social media. Some may not know exactly what data privacy is in this day and age, but what they do know is that they do not want their information displayed to the public without their consent. The public feels angry and violated when they feel a trusted entity has breached their private information, and thus the need for a secure and solid data privacy program. The emotional aspect of privacy makes both customer and employee privacy a critical issue for business and S&R professionals. If you breach a customer’s privacy, it all but guarantees an intense emotional reaction and the likelihood that you will lose their trust, confidence, and business. The same goes for your employees, except for the added factor that betraying their trust can lead to more security issues.

III. 4 Things to Consider About Data Privacy

1. Governments have taken an active role in protection of privacy.

Since the dawn of this new era in which data is free flowing, governments have passed rigorous laws and regulations that address data breach reporting and privacy.

2. Social media has changed what we consider private.

For example, 4.7 million individuals have “liked” a Facebook page about specific health conditions or treatments, 4.8 million used Facebook to say where they planned to go on a certain day, 20.4 million included their birth date (which identity thieves are very excited about), and 900,000 discussed finances on their Facebook wall.

3. Consumers will welcome new technology even if it infringes upon their privacy.

iPhones, iPads and Android devices all have location-based technology and have the potential to influence a consumer’s purchasing habits. For instance, services like Groupon can send users coupons based on their personal preferences as well as their location-based data. For example, 67% of smartphone and tablet users consider it very convenient and useful to have location-based coupons sent to their mobile device. However, 45% of respondents are concerned about security issues based on tracking their location.

4. Personally Identifiable Information and Protected Health Information

Personally Identifiable Information (PII) is easily sold in today’s black market of information. Cyber criminals can sell names, addresses, phone numbers, bank information and more in these underground marketplaces and until recently, criminals have been having an easy time getting away with stealing such information. Protected Health Information (PHI) is a bit harder to get a hold of, but in terms of value it is much more heralded in the underground market. Simple identity theft pays about $2,000 on average, but a thief using a medical ID number can earn an average payout of $20,000 for a medical record.

IV. Six Ways to Keep Information Private

1. Understand who should have access to this information.

Chief Privacy Officers or CPOs should have tightly controlled access to private information. Companies should have strong measures in place that limit the number of people who have access to this information. There should be policies that govern the storage of data, the way data is handled and the way records are managed.

2. Understand what information should remain private.

Data classification catalogs should be used effectively in order to instate a life-cycle approach to manage privacy for sensitive information. These catalogs also make data easier to control.

3. Understand when it’s OK to destroy private information.

All information has a life cycle, that is, when the information is relevant to the company and when it is no longer necessary to retain. At some point you should destroy some information because it’s no longer valuable to the business; yet it may contain information that should remain private, and therefore, is toxic.

4. Understand where private information is in your organization.

Companies have private information that can reside in various places. It is necessary for organizations to develop asset inventories along with descriptions that value the privacy implications of said inventories.

5. Understand why the information needs to be private.

It’s critical to have a good working knowledge of applicable regulations that affect privacy, and even though there are a multitude of regulations that address privacy, they all have common features.


6. Understand how to keep information private.

The first step to this is moving security controls closer to the important data. There are three main ways to do this: tokenization, data encryption and masking. Tokenization replaces sensitive information with unique but random identification symbols that retain all the essential data about the information without compromising its security. Masking replaces sensitive information with realistic but not real data. Data encrypting is similar to cyber-shredding and ensures that information is not compromised should thieves get a hold of the information.
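The following is an added example, not part of the original white paper, that shows tokenization and masking as item 6 describes them (encryption is left out). The `TokenVault` class, the `mask_digits` and `protect_record` helpers, the `tok_` prefix, the `keep_last` option and the sample record are all assumptions constructed for illustration.

```python
import secrets


class TokenVault:
    """Hypothetical in-memory vault; a real one is a separate, access-controlled store."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the existing token so one value always maps to one token.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, carries no trace of the value
        while token in self._token_to_value:   # keep tokens unique
            token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Only callers with access to the vault can recover the real value.
        return self._token_to_value[token]


def mask_digits(value, keep_last=0):
    """Masking: swap digits for random ones so the result looks real but is not.

    Separators are kept so the layout stays realistic; keep_last (an assumed
    option) preserves trailing digits for display purposes.
    """
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            keep = seen > total - keep_last
            out.append(ch if keep else str(secrets.randbelow(10)))
        else:
            out.append(ch)
    return "".join(out)


def protect_record(record, vault):
    """Tokenize the SSN (reversible through the vault) and mask the card (not reversible)."""
    safe = dict(record)
    safe["ssn"] = vault.tokenize(record["ssn"])
    safe["card"] = mask_digits(record["card"])
    return safe


if __name__ == "__main__":
    # Constructed sample record; none of these values belong to a real person.
    customer = {"name": "Pat Example", "ssn": "000-12-3456", "card": "4111 1111 1111 1111"}
    print(protect_record(customer, TokenVault()))
```

The tokenized field can be restored by whoever controls the vault, while the masked field cannot be restored by anyone, which is why masked copies suit test and training data.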

V. Create a Culture of Data Security

You may think that hackers are the primary source of breaches in your security wall, but the truth is that employees have just as much a hand in breaching your security measures as a hacker does. That is why it’s paramount to regularly educate the members of your company—from the guys in the mailroom to the bigwigs in the corporate suite—in the proper protocols when it comes to network security. In truth, even well-intentioned employees are your biggest threat because they open the door and turn the lights on for hackers. Although you may have an IT department whose main function is to protect and safeguard your company’s data, it really is everyone’s duty to maintain a level of security that will ensure that hackers have the toughest of times breaking through your digital wall of defense. Let’s take a look at some ways hackers may break into your firewall and how you can prevent it.


Phishing E-mails

This is a good place to begin educating your employees on the dangers of opening suspicious emails, because it is one of the more common ways hackers tend to break into an entity’s security system. Train everyone in your organization to detect and deal with suspicious e-mails, links and attachments. Phishing e-mails can bypass many of the security measures you have set in place, so this is one of the best places to start when educating your staff.

Mobile Devices

Malware is being developed for smartphones and tablets at an alarming rate, making those devices fertile ground for the nastiest of viruses. It’s pertinent that you work with your staff in choosing robust anti-virus software while educating them on the need to have strong password settings on their device. You may also opt to use a mobile device management platform that enforces security policies, which can greatly limit your exposure by only allowing approved applications.

Public Wi-Fi Network

Many employees do not understand the risks of connecting to a hotel’s Wi-Fi system as unencrypted information can be seen by anyone else tapped into the same network. Public Wi-Fi networks can be hazardous to your company’s data if the correct operations are not met during usage. You should consider creating a Wi-Fi FAQ that explains to all employees with mobile devices how to use their laptop in the airport and coffee shop without opening up sensitive data to prying eyes.

VI. 10 Ways a Cyber Liability Policy Can Save Your Business

Privacy and data security is a growing concern among Americans as not only are cyber criminals a domestic threat, they are also an international threat as countries like China and Iraq have been hacking into our mainframes with the intentions of cyber terrorism. However, it’s necessary to recognize that this can happen on any scale.

Small businesses are especially not immune to these types of attacks as hackers know that perhaps a smaller entity does not have the finances or resources to thoroughly protect themselves. So how do most data privacy and cyber security insurance policies protect you? Here are ten ways…

1. You should look to be covered if sensitive information is released under your command and claims arise from it, including any HIPAA violations.

2. You should look to be covered for failing to properly maintain your data security system if a breach occurs and sensitive information is stolen, lost or damaged.

3. A good data security insurance policy will cover regulatory fines and penalties and compensatory awards resulting from a security or privacy breach.

4. Should a breach occur, some policies would help you with all legal and electronic forensics necessary to retrieve the lost or stolen data.

5. Even if a breach does occur, you could receive a public relations consultant in response to adverse media reports made against you, the insured. This will help eliminate any disparaging effects against your business.

6. You can be covered for the expenses to repair, replace, recreate or restore digital assets as a result of accidental damage, alteration, corruption, distortion, misuse, destruction or theft.

7. A cyber threat that interrupts (cyber terrorism) or disrupts your assets can be covered as your expenses and income loss may be reimbursed to you.

8. Most states require notifications to the clients whose information was stolen. A data privacy plan could help you cover the costs in doing so.

9. Should your computer and data security system fail—from non-physical means—you should look to be covered in the retrieval of any income loss resulting from the failure.

10. Finally, you can be covered for all forms of a data breach, which includes “skimming”, in which credit card information from clients may be compromised.

With this free white paper, my hope is that I’ve been able to educate and enlighten you on the potential cyber security risks that may be present in your current business environment. There are many proactive measures that you can take to secure your data, many of which have been listed here. If you have found this paper useful, or if you have any suggestions yourself on how to further protect your sensitive data, please send us an e-mail at [email protected]. We welcome your comments and suggestions! We, at the Professional Liability Insurance Group, wish you the best of luck in continuing the fight against cyber criminals. For further information on how to protect your data, please visit www.PLIGofSJ.com.