How many times have you received an email from someone telling you that you’ve recently “come into some money”? All you have to do is respond with your bank account information and they’ll transfer the funds immediately. Or someone impersonating your IT department asking you to open an attached file to upgrade your email account. Or what about the email from a “close friend” who is out of cash in a foreign country and needs money to get home safely?
These are just a few common examples of cybercriminals trying to gain access to your company data or finances through malware.
In a recent interview, we discussed how cyber risk affects companies today and what we can do to protect ourselves, our employees and our businesses from these potentially severe crimes. We spoke with Carol Leaman, President and CEO of Axonify, the creator of the world’s first Employee Knowledge Platform; Eldon Sprickerhoff, Founder and Chief Security Strategist of eSentire, the creator of an award-winning cybersecurity platform for mid-sized organizations; and Leon Punambolam, Technology Industry Leader at Cowan Insurance Group, a preeminent insurance brokerage and consulting operation, and one of Canada’s Best Managed Companies.
Cyber risk comes in a variety of forms from phishing attacks to social engineering to ransomware and beyond. Cyber risk is real. Cyber risk is serious. Cyber risk affects every business, big or small. It’s not a matter of if it’ll happen to your business; it’s a matter of when.
What is Cyber Risk?
According to Eldon Sprickerhoff, “any threat that affects the confidentiality, the integrity or the availability of electronic information, is a cyber risk to your business.”
Arguably, the most devastating form of cyber risk to a business is ransomware. This involves a cybercriminal gaining access to your company files through malware and often requires your company to pay thousands, if not hundreds of thousands or millions of dollars to get those files back. This can be incredibly detrimental to those industries housing personal, financial or other uniquely valuable electronic information.
A recent survey sponsored by Malwarebytes and conducted by Osterman Research found that Canadian companies are more likely to pay ransom demands than those in Germany, the U.S. and the U.K.—the other regions included in the survey. More than 82% of the surveyed Canadian companies affected by ransomware lost company files if they didn’t pay the ransom; 43% lost revenue; 25% experienced an interruption in business.1
Fortunately, there are a variety of prevention strategies your business can exercise to protect itself and its employees from the damaging effects of a cyber breach.
It Can Happen (Where and) When You Least Expect
So, what is the true threat to your business’s cybersecurity? It’s technology, right? Wrong. It’s your people.
People are the gateway to your business’s data. They have passwords and access to your business’s backend information, they’re receiving the infected emails, and they’re clicking the links to open the door to the cybercriminals.
If you’ve grown your business beyond the 10-employee mark, you’ve likely outgrown your security processes and need to reevaluate where your threats lie. The family atmosphere and personal trust often found in small, close-knit businesses can remain; however, that doesn’t mean everyone needs access to your backend information if their job description doesn’t warrant it.
What about the less obvious cyber risks? The ones you’d never think could happen to your business: insider threats. Employees experiencing hardships—financial, health related or otherwise—can be susceptible to taking part in these insider cybercrimes. If they’re the ones who have access to your data, you may want to consider how you’re protecting your business from this risk too.
Empowering Employees through Education
Just as you would train your employees on the dangers of chemicals and their appropriate use, the same considerations apply to cyber use.
Since employees are your greatest risk when it comes to a cyber breach, employee education on the subject should be included in your new employee training and education programs and as an ongoing training initiative for existing employees. If your employees are aware of the dangers of cyber threats, how they can be targeted, what to look for, and how to respond (or not respond), your business is one step closer to cybersecurity.
It’s likely your new employee training is a one- or two-day training session where loads of information is piled on new employees and they’re expected to remember it all six months down the road. Your employees won’t absorb this information and recall it days, weeks or months from now when they encounter one of those malicious emails they’re guaranteed to receive.
“A typical human being will remember 5-10% of what they learned 30 days earlier,” says Carol Leaman. “All the effort put into those one-day employee training sessions goes to waste because the brain is incapable of moving all information from short-term memory to long-term memory effectively.”
It takes ongoing training to ingrain that information in your employees’ memories. Using learning techniques like delivering small chunks of training several times per week, querying employees on their knowledge repeatedly over time, and allowing them to play games while they learn, will engage your employees and help them retain that information long term. Then, when they receive one of those malicious emails, they’ll know not to open it, click on any links or respond to the sender with confidential information.
It’s important to remember that employee education will reduce the risk of a cyber breach; however, it doesn’t stop the criminals from trying. Providing ongoing education and training to employees, revamping the information, altering how you deliver it, and staying up to date on prevention strategies are effective ways to protect your employees in the fight against cybercriminals.
Protecting Your Business from the Ground Up
Now that you know the risk to your business when it comes to cybercrime, along with the systematic and human resource mitigation tactics, how are you going to further protect your business assets?
You insure your house from a fire, your car from an accident and your life from illness—your business needs protection from its threats too. Since cyber risk has only recently become a common theme at the Executive table, not everyone is aware of the risk protection and liability coverage available. And those who are aware often think they don’t need the insurance because a cybercrime will never happen to their business.
“Surprisingly, many company executives and business owners in Canada aren’t seriously considering the impending threat from cybercriminals,” says Leon Punambolam. “In reality, it’s much easier than you think for the ‘bad guys’ to target your business and damage what you’ve worked so hard to achieve—including your positive corporate reputation.” What would happen to that reputation and the trust that your clients place in your business if it were to experience a cyber breach? The longer you wait to protect your assets, the more time and opportunity you’re giving these criminals to hone their skills and hit your business.
A medium-sized organization can receive upwards of 10,000 emails to their spam filters per day. If a failure in technology or process were to occur and one of those emails were to cause a cyber breach, the impact on the business could result in: significant financial costs, damaged reputation, decreased public trust, fines or sanctions for regulatory non-compliance, loss of business or competitive edge, and loss of productivity.
In addition to understanding the impact on your business and insuring your assets from the ground up, it’s important to consider your risk tolerance. Risk management is about identifying risks, mitigating risks and transferring risks, which is where insurance comes into play. Knowing what assets are most at risk in your business (when it comes to cyber) and how much risk your business is willing to take will help you identify your insurance needs.
Working with a broker who is well versed in cyber risk will help your organization understand its overall cyber threat, address insufficiencies to mitigate the risks, and leverage insurance coverage for the balance of the risk to your business. Additionally, your broker can identify and help you create a plan to implement proactive process controls to further minimize the impact of a breach.
At the end of the day, it’s about protecting your business from the inevitable. Cybercrime is a risk to all businesses. The armour you use to protect your business, from cybersecurity to employee education to business insurance, will make it harder for cyber risk to damage your business and your bottom line.