Category Archives: Loss Control

Buying Cyber Insurance Does Not Protect Your Organization From Hackers

Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances some, not all, components of the loss. A recent report by cybersecurity company Barracuda found that Google-branded spear-phishing attacks are up significantly since the start of 2020. These attacks accounted for only 4% of the total cyber attacks in 2020 so far. Barracuda reported over 100,000 form-based attacks since Jan. 1, 2020; 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than other branded competitor attacks. Microsoft was the 2nd most impersonated account at 13% of the total spear-phishing attacks (2).

With 43% of all cyberattacks targeting small businesses (1), and the attacks increasing by 73% since the pandemic, we encourage your company to build out “Operation Lockdown”. That’s what we called it at Metropolitan Risk after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses don’t have the focus, the budgets, and the staffing to defend against these cyber attacks. They are in effect low-hanging fruit and easy prey.

Further, many businesses are now even more vulnerable due to the recent move of the workforce out of the physical office. This is because home networks aren’t secure: the data doesn’t sit behind a firewall and is not encrypted the way it is in the office. While newly remote employees were struggling to create routines and employers were focusing on this new shift in workflows, cybercriminals knew the back door was unlocked.

 

Here are two really important concepts to understand, assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn’t guarantee that you won’t be hacked and won’t suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of mine, Nick Lagalante from Tenable Cyber Security, explains it this way: “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners”. In essence, if you make it more difficult to penetrate your systems and employees, cybercriminals should move on quickly and find a softer target.

Here’s the second big-picture item to understand: Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net when plan A (Operation Lockdown) fails. It should NEVER BE PLAN A. Here’s more good news. Once you have been hacked, the chances of you being hacked again go up exponentially. Insurance carriers know this, which is why Cyber Insurance policies increase significantly in cost once you have been hacked: the carriers’ exposure to loss increases if they decide to insure you!

 

This is why we built this case study on how we at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does is make you a bit faster than most of your competitors who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost-consistent. Our Case Study gives you an idea of how to organize the challenge and address each item incrementally. The case study is only available to current Metropolitan Risk clients or potential prospects.

 

Last point, and this is a big one. You don’t have to figure all this out on your own. As a reminder, we built a Cyber Assessment for small to medium-sized businesses that assesses your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for let’s jump on this ASAP.

 

Then we suggest we get you a really solid cyber insurance policy as a Plan B just in case. Our Cyber policies are 25% less expensive IF you execute our assessment and tackle the items in red.

 

How do you eat an Elephant? Piece by piece. CLICK HERE to sign up for our Cyber Assessment. 

 

Social Engineering: Meaning and Impact

Definition

Social Engineering is the use of deception to extract sensitive, personal information that can then be used for further purposes, such as bank fraud, account takeovers, or identity theft. Cyber hackers primarily use social engineering when attempting to steal information from online users who are unaware that a hack is happening. The main type is phishing, which is fraudulently fishing for people’s information online through malicious contact.

Importance of Social Engineering

So why is social engineering important? Well, it can impact any of us at any time. Think about this. Currently, hackers have software applications designed to override firewalls and cybersecurity worth millions of dollars. However, hackers know technology is strict; a firewall will not give up information easily, but humans will. So, in a world of technology and hacking, hackers use human emotion and volatility as their main weapon. Hackers can use the main target or those who directly know them to get any sliver of personal information that can help them in their quest. This is why every cyber user (which is most to all of us) needs to be aware of social engineering and its extreme dangers.

Impact of Social Engineering

Every day, cyber-attacks occur on users who never had the proper protection against the attack. Then, they lose precious financial or personal information to hackers. Social engineering will continue to happen and impact us as long as certain things remain constant: if users are still inputting too much personal info into websites that can be hacked at any time, if people remain unaware that they are releasing personal info about themselves or others to a hacker, or if their cyber liability coverage does not protect themselves or their company against social engineering.

An Example

The scariest part of social engineering is sometimes the hackers never need to come in contact with the targeted account’s user. Once you give your personal information to a website like Facebook or Twitter, the social media company and all its employees with high-level access can access your data and sell it for profit.

In late July 2020, there was an aggressive Twitter hack. According to a WSJ article, a user named “Kirk” on a hacking forum claimed he was a Twitter employee who had gained access to many Twitter accounts and was selling them for $500-$10,000 an account, including those of Joe Biden, Elon Musk, and others.

The problem with these social media companies is that, because of their employees’ level of cyber knowledge, they give everyday employees who make normal amounts of money way too much access to the internal networks behind their websites. These employees can take this information and use it for large-scale hacks like the one seen a week ago. Or, they can give bits of information about different users’ accounts to hackers, without the user ever knowing.

Social Engineering is a component of cyber liability coverage that is often overlooked by businesses in any industry. However, it should be a crucial component of any written policy regarding cyber liability protection, individually or company-wide. For more information, click here.

Why Passphrases are the Future of Logins

Every so often, whether it be for a company software program like MOZ, a school database like Blackboard, or even a personal social media account on Twitter, you get one of two ominous messages.

The Unwanted Messages

You get the “time to reset your password” right after you slowly got used to your new password. Now you have to create a new password that’s memorable but is also hard to crack. Yes, it is a measure of security and caution from the website that is admirable. It is a pain at best for the user.

Then there’s the other message: “oops, you forgot your password too many times. Let’s reset it!” This one is arguably worse because of two things. One, you have to create a whole new password, just like with the mandatory resets. Two, you have to make it easier to remember than your last one, since you just forgot it. That makes hacking these passwords so easy.

Where we are with Passwords

While there are some awesome dual-factor authentication apps and tricks as well as new biometric security measures, hacking password details could not be easier right now. Soon, we’ll be strictly using biometric passwords like eye scanning and fingerprint touch, or just using dual-factor authentication through an app like Duo Mobile. But for now, passwords are becoming ever easier for cyber criminals to hack. They have more advanced technology that can run dictionary hacks and algorithm checks at 1,000,000,000 searches a second. And the only thing standing between your account with credit card info and their supercomputer is the password “qwerty12345.” All jokes aside, that password is extremely common, and there are simpler derivatives of that password among the 25 most common passwords of 2020.

Passphrases

While waiting for that futuristic physical password technology, allow me to introduce you to a better password type: pass-phrases. Pass-phrases are exactly what they sound like. A pass-phrase is not a word with numbers and symbols; it is a whole phrase that may also include numbers and symbols. While some say it is only a small step of improvement over passwords, let me tell you why they are much more protected.

Benefits of Passphrases

First, the guideline check is simple. Pass-phrases satisfy the password guidelines on the vast majority of sites just as well as passwords do. They are also supported by many sites, meaning you will be able to use them wherever you can use your normal pass-word.

They’re more secure. It’s that simple. The more characters and the more variety among those characters, the better. If your password is football10!, that is a password a hacker can crack manually; it’s that straightforward. Now imagine it being “Mile High Miracle 512!” That’s 21 characters compared to 11, which makes the computers check for 10 factorial more possibilities. Simply, that means “football10!” is a mid-sized fish in a river, and “Mile High Miracle 512!” is a krill in the Pacific.

Example of good Passphrases

Also, football is too simple, and there’s no change after football. Being as specific as possible is best. Take Mile High Miracle 512! Mile High Miracle is a nickname for a specific famous game that my favorite team, the Baltimore Ravens won (it’s a reference to them beating the Denver Broncos in Denver). Next, the 512 part. The game is mostly famous because of one play. The Baltimore quarterback, number 5, threw a last-gasp touchdown to Baltimore wide receiver number 12, to tie the game. 512 is incredibly more random than 10, yet feels more memorable. See how easy that was?
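To put numbers on the comparison above, this added example (not from the original article) estimates guessing effort at the article's 1,000,000,000 guesses per second. The 100,000-word attacker dictionary, the word+digits+symbol pattern model and the 7,776-word list size are assumptions, and the short word list in the code is constructed for the demo.

```python
import math
import re
import secrets
import string
from typing import Optional, Sequence

GUESSES_PER_SECOND = 1_000_000_000  # attacker speed quoted in the article
ASSUMED_DICTIONARY = 100_000        # assumption: words in an attacker's list
SYMBOLS = len(string.punctuation)   # 32 printable ASCII symbols

# Constructed demo list; a real generator needs a large list (e.g. 7,776 words).
DEMO_WORDS = ["anchor", "breeze", "copper", "dahlia", "ember", "fjord",
              "glacier", "harbor", "island", "jigsaw", "kettle", "lantern",
              "meadow", "nectar", "orchid", "pebble"]


def alphabet_size(secret: str) -> int:
    """Size of the smallest character-class alphabet that covers the secret."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if " " in secret:
        size += 1
    if any(c in string.punctuation for c in secret):
        size += SYMBOLS
    return size


def brute_force_bits(secret: str) -> float:
    """Upper bound: length * log2(alphabet), i.e. alphabet ** length guesses.

    Only reached if every character is random. A phrase taken from a song,
    film or famous game can sit in a phrase list and fall far sooner.
    """
    return len(secret) * math.log2(alphabet_size(secret))


def pattern_bits(secret: str) -> Optional[float]:
    """Estimate for the shape <dictionary word><digits><symbols>.

    Returns None when the secret does not have that shape.
    """
    match = re.fullmatch(r"[A-Za-z]+(\d*)([^A-Za-z0-9\s]*)", secret)
    if match is None:
        return None
    digits, symbols = match.groups()
    guesses = ASSUMED_DICTIONARY * 10 ** len(digits) * SYMBOLS ** len(symbols)
    return math.log2(guesses)


def random_passphrase(wordlist: Sequence[str], words: int = 5) -> str:
    """Pick words with a CSPRNG so strength does not rely on personal taste."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_passphrase_bits(wordlist_size: int, words: int) -> float:
    """Strength of `words` uniform random picks from a list of that size."""
    return words * math.log2(wordlist_size)


def average_crack_seconds(bits: float) -> float:
    """Expected time to hit the secret: half the space at the quoted rate."""
    return 2 ** bits / 2 / GUESSES_PER_SECOND


def report() -> dict:
    """Bit estimates for the article's two examples and a random passphrase."""
    return {
        "football10! (brute-force bound)": brute_force_bits("football10!"),
        "football10! (word+digits+symbol)": pattern_bits("football10!"),
        "Mile High Miracle 512! (brute-force bound)":
            brute_force_bits("Mile High Miracle 512!"),
        "5 random words from 7,776": random_passphrase_bits(7776, 5),
    }


if __name__ == "__main__":
    for label, bits in report().items():
        seconds = average_crack_seconds(bits)
        print(f"{label:45s} {bits:6.1f} bits  ~{seconds:.3g} s")
    print("sample:", random_passphrase(DEMO_WORDS))
```

The gap between the two `football10!` rows is the point: the per-character bound only holds for random characters, while a randomly generated passphrase has a strength you can state without relying on the phrase being obscure.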

Concluding Thoughts

My point is that passphrases are easier to remember than those one word and 2 number passwords. Especially if they’re close to your heart and mean something. That could mean a song lyric/title/album, or a movie phrase, or a famous sports moment. So if you are a big music fan, next time you are resetting your Chase account, take a minute before you rush to put “RockFan12345.” Think about passphrases, and try something more along the lines of “St41rway 2 Heav3n” instead. Trust me, the time it’ll take to remember which e becomes a 3 is the difference between a bank account compromise and having your financial records safe.

Still confused? Want to learn more about passphrase protection? Or just about cyber security in general? Contact a risk advisor today at 914-357-8444 or visit our website here.

Adult Day Care Considerations for Your Business

Running an adult daycare seems to be one of the harder gigs. Between keeping employees in check and fully trained and clients safe, it is a hard organization to manage. Our adult daycare inspection considerations list should help you keep insurance claims and deductions down. One less thing to worry about!

Insurance Considerations when Choosing which Adult Daycare Services to Provide

 

When running an adult daycare, you must understand that there are multiple types of insurance to cover you, your employees, your property, and your business. Some that you should consider when deciding on setting up your daycare center are:

  • Professional Liability – Covers your business from the negligence of employees and other defense/legal costs
  • General Liability – Liability for any incident that occurs within your business (slip & fall hazards or a loose handrail)
  • Auto Liability – For your workers who may transport clients/services to and from other locations
  • Abuse and Molestation Coverage – If the worker physically, sexually, mentally, or emotionally abuses a client

 

Adult Daycare: Safety Inspection Checklist 

Adult Daycares are meant to help adults who cannot supervise themselves during the day & may need help with basic care functions. This naturally means that these workers are constantly focusing on keeping patients/clients safe. Workers may overlook small issues, like a cracked sidewalk or an unsteady handrail, as their main focus is on the client, not their surroundings. A Supervisor should focus on making sure safety is a priority for employees & that the surrounding areas are also well maintained & safe.

Here are just a few things you might want to keep constantly asking/monitoring:

  • Is the loading/unloading area clearly marked?
  • Are there any potholes in the parking lot?
  • Are there cracks in the pavement that need to be repaired?
  • Do you have wheelchair-accessible ramps & handrails leading up to the main entrance clearly marked?
  • Are these ramps and handrails in good condition?
  • Are the emergency exits clearly marked and free of obstructions?

Safety Tips for Your Adult Daycare Center

 

While having a safety inspection checklist is definitely important, having certain safety parameters in play is just as necessary. This includes, but is not limited to:

  • Rigorous, continuous safety training – your employees are dealing with real-life adults that can be unable to perform simple functions without supervision. This means your employees need training to the max. Rigorous training with in-depth expert advice is important. What is also important is that this training never stops and is not just a 3-day course. It is a continuous learning process.
  • Safety Guideline/Handbook – Having a written word on the safety parameters and rules already gives the employees a better idea of how to handle their clients.
  • Mechanical Lifts & Safe Patient Handling
  • Handrails on stairways
  • Handicapped Bathrooms
  • Proper Lighting
  • Large, spacious areas
  • Medical supplies ready for immediate use

 

Adult Day Care Transportation Considerations 

When running an adult daycare, you need to think about how the adults in need of assistance will come to the daycare facility. If their caretakers at home do not have the time or resources to drive them there and back or make trips to various other locations to aid the adult, this is where your daycare service can flex its muscles. Having a transportation wing of your facility will make your daycare more profitable immediately. Offering the transportation of clients from home to daycare and back is the most important, but you can also offer trips to the grocery store, hospital, and sources of entertainment.

 

Before setting any of this up, you might want to think about the potential risks of implementing this transportation system. Who will be driving? Will they be using their own vehicle or a vehicle provided by your organization? Are they a good and safe driver? Do they need a specific type of license to drive an organization owned fleet vehicle? Will their actions cost me thousands of dollars? We suggest following these tips to make sure you have the necessary guidelines set to open up your transportation service.

 

Have a Motor Vehicle Record open for every single driver. Essentially, a MVR is a small summary of the driver’s previous record and any information pertaining to tickets they may have received. This report includes driver’s license info, date of birth, previous driving history, violations, etc.

 

Obtain comprehensive automobile insurance with medical, property, and liability damage included. That means if you/your driver is liable for an accident, you are protected and covered. If your car receives damages or is stolen (your property), you are covered. And if there is a medical injury due to a crash, you are also covered.

 

Contracting a professional driving company may be worthwhile for your company’s success. If you are unsure of your workers serving as part or full-time drivers, hiring professionals is worth it. They are experienced and bring less risk into the equation. Spending more on their services may cost you less in the long-run.

 

Conclusion

To conclude, running a daycare for adults is not easy. There are a lot of risks and potential costs to consider. But taking our adult daycare inspections tips into consideration will help your organization to succeed.

 

Still need help? Still have questions? Contact a risk advisor today at 914-357-8444. Or, visit our website here.

 

Capital One Data Breach: Assessment and Prevention

Last year, after the Capital One data breach, Capital One agreed to terms with US regulators to pay $80 million in fines. The hacker accessed approximately 100 million credit card applications. Maintaining online security for a small or midsized business can be a hassle. There is a lot that goes into maintaining good security practices, and the truth is, it’s hard to keep up with all the new rules and regulations. The last thing you need while trying to grow your business is for someone to somehow steal your information. In the case of someone hacking into your business, YOU are responsible for the lost data.
The fines address the lack of security that allowed a breach of this scale to happen, as well as the bank not solving the problem on time. Such a breach gives attackers the opportunity to steal and distribute credit card information and social security numbers, with the potential for large-scale identity theft. Capital One claims to have tightened up its online security system. According to the OCC, the bank will take additional steps to show its computer system has improved its security.

So what do I do as a business owner to protect myself from a data breach?

Purchase cyber liability insurance. If there is one thing that I have learned from my time working at a risk management firm, it’s that it’s better to be safe than sorry. US regulators have the ability to fine your business into the dirt after a single breach. It is a huge money saver in the long run to buy cyber liability insurance. One of the primary costs of data breaches is notifying affected users of a hacked online resource. The cost of maintaining a data breach notification system can be very high. It has only increased and only will increase since the escalation of hacking in recent years. Without cyber liability insurance, a company is liable for all of the costs associated with creating and maintaining a breach alert system.

 
Hacking is only becoming more prevalent in our society. Soon, cyber liability insurance will become a necessity, and most likely more expensive. Before we know it, all businesses carrying different varieties of data will be required to purchase cyber liability insurance. Don’t end up like Capital One, paying millions of dollars in fines because you skimped on your security system to “save money.” In the long run, the best way to protect your business and save money is to do right by your customers.
If you still have questions, you can contact a risk advisor today at 914-357-8444. Or, you can visit our website here.

 

Cognizant Gets $400 Million Payout After Cyber Attacks

Technology consulting firm Cognizant fell victim to a ransomware attack last April. The hack prevented thousands of employees from accessing networks from their homes during quarantine. Clients also barred Cognizant from using their networks in case of a further breach, causing major revenue and clientele loss.

Cognizant losses total $50-$70 million in lost sales, higher premiums, and defense/legal costs. Without cyber insurance however, the losses would be catastrophic.

Cognizant had put extensive money into cyber insurance premiums with multiple carriers. Insurance Insider reports this investment turned out to be a good decision, as they earned $400 million in cash reserves from their carriers, another huge loss for carriers in the cyber market. Carriers have been hit hard by higher loss ratios and claims frequency in the cyber market recently.

What is the overarching message? Right now, allocating resources towards cyber protection is no longer recommended but required. Cyber insurance of some form is necessary to protect against ransomware attacks and save your company millions. However, insurance is not the only resource that needs investment. There is no way to fully protect yourself against cyber attacks with just insurance. We recommend proper employee training, dual-factor password authentication, and data encryption software.

Stay ahead of the curve and protect your company’s invaluable data. Invest properly and do not be afraid to spend a little extra for full protection. The premiums upfront may prove cheaper in the long run.

Still have questions? Contact a risk advisor today at 914-357-8444 or visit our website here.

What is Cyber Insurance and How Does it Work?

With the vast majority of companies’ sensitive data being online, the vulnerability to data breaches is obvious, especially now that cybercriminals are becoming more tactical and clever in their hacking approach. These factors have played into the rise of cyber insurance, where companies can manage their risk by buying policies to cover potential losses from data breaches. However, there are many speed bumps that come with buying cyber insurance. These are the 6 main questions that come with buying cyber insurance.

  • How Do Companies Decide What They Want Covered?

Before companies fill out applications to buy cyber insurance, they first need to find where they need to be covered. To do this, they need to find where their highest risks of data breaches are located and how much they need to be covered in each part. Some companies use the likes of private, experienced network security specialists to figure out where they need to buy insurance.

What Prices do Brokers Charge for Cyber Insurance Premiums?

Usually, there are 3 or 4 main questions insurance companies ask potential insureds before pricing a cyber insurance premium:

First Question: Industry

  • What industry is your company in? Usually, insurers want to know what type of work your company does. This gives a clue to how much data you may be storing and how valuable that information may be. For example, an IT firm may have more quality and valuable information stored in their networks than a trucking company.

Profit

  • How much is your company’s annual revenue? More income from a company attracts more cyber-criminals to their information stored online.
  • What kind of data do you have online and where? Insurers want to know where you are storing this data, and on how many different networks. Based on their judgment, the easier it is for cyber-criminals to extract this valuable information and more of it at once, the more the insurance premiums will cost.

Current Systems

  • How much security does your company have installed to protect your sensitive data? What kind of security protocols do you have in place other than insurance to protect your security? How much training do your employees have from professionals to keep phishing scams and ransomware at bay? These types of questions are frequently on insurance applications because they let insurers gauge two things: how seriously a company takes cyber-security, and how much the company is willing to put into top-notch cyber-security in terms of people, money, time, and resources.

  • What Type of Claims/Cyber Attacks do Insurers Usually Keep Out of Policies?

Typically, insurance companies will not cover things such as preventable security breaches, cyber-attacks due to negligence in maintaining proper cybersecurity, an employee mistake with sensitive information, or any attack from an employee within the company. Other than that, there are other policies that may or may not be excluded; it is up to the individual broker how much, if at all, they want to cover that policy.

  • So if the Company/Insured is Liable for any Breach, they Will Not be Covered?

In some cases, this is true, but not in every situation. An insurer may not cover an employee mishandling sensitive information, but the insurer may cover a simple mistake. This may include losing a device with information on it or losing information due to a phishing scam. Every situation is different, and that is why insurers investigate every claim thoroughly. This is especially true in cyber security, as there may not be any physical evidence.

  • Speaking of Liability, What Constitutes First-party Liability vs. Third-Party Liability?

The difference between the two is who actually loses the data and who is actually responsible for the losses. In a first-party liability policy, the insured is covered for any data breach they are liable for within their own company. To make it simple, if a company had their own sensitive information stolen and had a first-party liability policy, they would be covered. This is different from third-party liability, which is coverage for an insured that is liable for the data breach of information kept by another person or company. For example, if an IT company makes their money by creating private networks, software, and encryption programs to protect their clients’ private information, they may buy third-party liability. In this case, if their client has their data hacked, the IT company is liable. But third-party liability may cover them.

  • Not All Companies Know They’ve Been Hacked Instantly. When do Companies say that Their Coverage for a Specific Claim has Expired?

This is up to the insurers, who determine what they feel is the proper scope of time after the insureds REALIZED the hack. This is important because the clock does not start when the hack or attack actually occurs, since it may take a small-market company over 200 days to realize their systems are compromised. Insurers go by when the insureds figured out they had lost sensitive data and information, and the timeline begins on that date. Insurers know that the first thing on companies’ minds is not to file a claim. Companies want to figure out the exact damages, enforce accountability, and re-secure/change the data security program first. Then, many companies will file a claim within a reasonable time frame. Most insurance brokers say it is about 6 months before carriers hand down warnings and coverage for that claim expires.

To Conclude

With cyber-attacks increasing significantly in the last 2 years through Ransomware and Business Email Compromises (BEC), having your data not only protected but insured is crucial in today’s modern corporate environment. Hopefully, these tips have helped with the frequently asked questions about the confusing intricacies of cyber insurance.

 

For more information about Cyber Liability Insurance contact a Risk Advisor or call 914-357-8444.

Secure Your Organization Using Multi-Factor Authentication

In a time where most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Cyberattacks range from ransomware baked into spam emails to phishing emails posing as trustworthy entities, to gain access to account information. One way organizations can better protect their business from these attacks is to mandate policies that direct every employee to utilize multi-factor authentication on every business account.

 

Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. Below we have listed a few of the most commonly used authenticators:

Digital Authenticators

One of the benefits of digital verification is that users do not need an additional physical token or device for authentication.   

Email authentication

Email verification is when a user needs to click a link or obtain a code sent to their email address to verify ownership of the account they are logging into. One of the biggest problems with email authentication is a majority of people will reuse the same password for all of their important accounts.

Using email as a second method of authentication looks like this: 

  • A user logs in to a website with their username & password
  • A unique code or link is then sent to the user’s email address linked to the account
  • The user logs in to their email account, finds the code, and enters the code into the application or website, or clicks the link in the email
  • If the code is valid, the user is authenticated and granted access to the account.

Cellphone authentication (SMS)

The most common authentication method is through SMS messaging on a cellular phone. This method is considered more secure than email authentication because email authentication includes the risk of the email account also being compromised. The downside of SMS authentication is that SIM-hacking can render the cellphone number useless.

SMS Authentication will look like this for a standard user:

  • A user logs in to a website with their username & password
  • A unique code is sent to the cellular phone number linked to the user’s account
  • The user takes the 4-6 digit code off of their device and enters the code into the application or website
  • If the code is valid, the user is authenticated and granted access to the account. 
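The email and SMS flows above share the same server-side step: issue a code, then check what the user types back. This added sketch (not from the original article) shows that check with a short lifetime, a cap on wrong guesses and single use; the class name, the 5-minute lifetime and the 5-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # the article mentions 4-6 digit codes
CODE_TTL_SECONDS = 300   # assumption: codes expire after 5 minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed per code


class OneTimeCodeStore:
    """In-memory store of pending second-factor codes, one per user."""

    def __init__(self, clock=time.time):
        self.pending = {}
        self.clock = clock  # injectable so expiry can be tested

    @staticmethod
    def digest(salt: bytes, code: str) -> bytes:
        # Store only a salted hash so a leaked table does not reveal codes.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code; issuing again replaces any older code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[user] = {
            "salt": salt,
            "digest": self.digest(salt, code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # pass to the email/SMS sender; do not log it

    def verify(self, user: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_challenge'."""
        entry = self.pending.get(user)
        if entry is None:
            return "no_challenge"
        if self.clock() > entry["expires"]:
            del self.pending[user]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            # A 6-digit code has only a million values: cap the guessing.
            del self.pending[user]
            return "locked"
        candidate = self.digest(entry["salt"], submitted)
        if hmac.compare_digest(entry["digest"], candidate):
            del self.pending[user]  # single use: a replayed code fails
            return "ok"
        return "invalid"


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent = store.issue("alice")
    print("first try :", store.verify("alice", sent))
    print("replay    :", store.verify("alice", sent))
```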

Physical  Authenticators 

A physical authenticator is more secure than digital because there is a real device that is needed to authenticate an account. This means that the user has a tangible key or an application downloaded to a physical device that is in their presence. These physical objects make it harder for cybercriminals to hack accounts.

Application-based authentication

Applications like Google Authenticator and other verification apps use a token/code to determine ownership of the account. These applications are linked to the device, not the phone number. Application-based authenticators can be as simple as a push notification going to the phone or the application, delivering a 4-6 digit code for users to enter on the website or application of the account they are attempting to access. 

  • A user logs in to a website with their user name & password
  • The website they are attempting to access will send the user credentials to the authorization server.
  • The authorization server will authenticate the user credentials and generate a token.
  • The access token is sent to the user via an application downloaded to the user’s device
  • The user inputs the time-sensitive access token into the website they are attempting to gain access to.
  • If the token is valid, the user will gain access to the website.

Physical authentication device

At Metropolitan Risk, we supply our staff with the hardware authentication device YubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.  

This physical device plugs into the USB port of a computer and requires a human touch to unlock the device. 

The process of using a physical authentication device looks like:

  • Launch the authenticator’s device
  • On the account that the user wants to log into, enter the username and password as normal
  • Find the authenticator code needed in the authenticator
  • Insert the physical authenticator key into the desktop to show the credentials needed to log into the account
  • Enter the code on the website
  • If the code is valid, the user is authenticated and granted access to the account.

Developing An Organization-Wide Plan To Implement Multi-Factor Authentication 

Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees. 

  • Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts. 
    • Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans. 
  • If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
    • Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
  • If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
  • Distribute the authentication devices and instructions to your employees
    • Make sure all employees are on the same page with how to manage this new software. 
    • Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
  • Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures. 

Remember, cybersecurity only works if the entire organization is working towards the same goals. 

Metropolitan Risk is here to help your organization overcome obstacles that can affect your organization’s operations. Contact a Risk Advisor to book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage, or call 914-357-8444.

Disturbing Hacking Trends

Security experts commonly say that there are only two types of companies these days: companies that have been hacked, and those that don’t yet know that they’ve been hacked. Here are some important hacking trends given by a statistical study.

Verizon’s 2020 Data Breach Investigations Report counted 3,950 CONFIRMED data breaches last year in addition to more than 32,000 “security incidents.”

Victims spanned a wide range of 16 industries with these 4 having the largest number of cases:

  • Professional Services – 7,500 incidents, 325 breaches
  • Public Administration – 6,850 incidents, 350 breaches
  • Information – 5,500 incidents, 360 breaches
  • Financial/Insurance – 1,500 incidents, 450 breaches

*Totals slightly off due to rounding

 

Any business that operates online is at potential risk of suffering a data breach. It doesn’t matter how small your business is, either.

According to Verizon’s report, more than 3 out of 4 breaches are carried out by profit-minded criminals for financial gain.

Other alarming stats:

  • Only 30% of data breaches were the work of insiders.
  • 86% of data breaches were motivated by financial profit for the hackers
  • Also, 58% of victims had personal information compromised
  • In 17% of breaches, Verizon said, the attackers installed malicious software on the victim’s systems, whereas the more common tools are spear phishing, ransomware, or business email compromise.
  • In 22 percent of breaches, the attackers leveraged social tactics, such as spear phishing, in which a tailored e-mail to the victim purports to come from a friend or business contact. The e-mails contain malicious links or attachments that, when clicked, give the attacker a foothold in the victim’s computer network. See below image for an example of what NOT to click.

Photo from Wikimedia Commons

The good news? The Verizon report highlighted the lag between a breach and the time the breach is discovered. This year, companies and external third-party software experts were able to improve that time. 81% of the time, it takes only days to contain a breach. Compare this to years past, when it took months, maybe even a year. In previous yearly reports, Verizon stated things like “The compromise-to-discovery timeline continues to show in months and even years, as opposed to hours and days.” This trend no longer holds. Don’t be another cog in one of the larger hacking trends currently ongoing. Click the link below or call 914-357-8444 today.

Click here for advice on preventing hacking theft or if you are still interested in a crime policy to protect your assets.