Businesses face a double threat from cyber-attacks now more than ever before. The costs related to business interruption due to such attacks can be the death stroke for many businesses. In addition, if your company handles sensitive data online, such as the personal details of employees, suppliers and customers, a breach of your IT system can also open you up to serious liability claims.
With the new reality that millions of employees are working remotely only raises every company’s vulnerability to cyber-attacks. Cybersecurity protocols, protection of sensitive client data, and compliance with confidentiality legislation is at an all-time high. One data leak due to carelessness can bring an organization to its knees or close its doors–permanently.
Protecting Your Organization from Cyber-Attacks
1. NETWORKING REMOTELY VIA VPN
If your employees are working remotely, they should be doing so via a Virtual Private Network (VPN). A VPN creates a secure and encrypted connection between your company’s data and the computer they are using at home. A VPN is much more secure than the public internet.
When set up, your employees can access your company’s resources on this network as quickly as they start up their computer. The VPN security comes by requiring employees to login, using passwords, biometric data, or security tokens.
2. PERSONAL VS. COMPANY ISSUED COMPUTERS
If you allow employees to use their personal computers (PCs), you increase the risk of a cyber-attack. Employees’ PCs might be already filled with viruses or compromised with malware. Although they may have installed anti-virus software, it may not be up-to-date against the latest known viruses, and other malware such as Trojan horses, spyware, worms, adware, and ransomware.
It is prudent to supply your employees with company issued computers that your IT department continuously monitors and updates with the latest antivirus software.
3. ESTABLISH NETWORK POLICIES FOR YOUR COMPANY
Education is the first line of defense against cyber attackers. It starts with developing clear procedures on the usage of Wi-Fi and personal devices. Employees need to know up-front the risks that the company faces, and how they are personally the first line of defense. The training should include such procedures as:
- Shutting down systems properly
- Setting strong passwords and using 2 Factor Authentication (2FA)
- Not using a company laptop/computer for personal reasons
- Not letting family or friends use the company’s computer
The chain is only as strong as its weakest link. And humans are always the weakest link. One compromised PC can expose an entire network.
4. CYBERSECURITY RISK ASSESSMENT
Cyber risk assessments help your company discover its vulnerabilities that then leads to mitigating actions to prevent hackers from accessing your systems.
Live-fire training exercises are an excellent way to see how effective current cybersecurity measures are. Live-fire training sessions simulate an attempted attack during regular working hours. They help determine which department needs improvements and in which processes. They also help identify setting staff training priorities, which should be part of your induction process for new hires. Cybersecurity is not only for the IT team.
5. INTERACTIVE TRAINING
Cybersecurity training requires a structured program that engages and motivates employees to take seriously their responsibility to protect the company’s assets.
Organizations grow and change, and so do their working practices and the technologies they use. And don’t forget that cyber criminals are constantly finding new and better ways to exploit financial and other sensitive data of your business. Cybersecurity training is not a once-and-done event.
Prevention is much better than cure. And employees will be more engaged and vigilant when they receive continuous, comprehensive training that puts them at the front lines.
6. KNOW THY ENEMY
Cybersecurity research indicates that it is not whether a company will be hit by a cyber breach, but when. It’s only a matter of time. Critical first step in your training program is to educate employees about:
- Types of attacks and how damaging they can be
- How to block, prevent, reduce, or eliminate such attacks
Here is a partial listing of attacks that should be part of your training.
| · Denial of Service (DoS) | · Drive-by |
| · Distributed Denial of service (DDOS) | · Password Attack |
| · Man-in-the-middle (MITM) | · SQL Injection |
| · Phishing / Spear-phishing | · Cross-site Scripting (XSS) |
| · Eavesdropping | · Birthday Attack |
| · Malware | · Trojan Horses |
| · Botnets | · Ransomware |
| · Wiper Attacks | · Intellectual Property Theft |
The goal of employee training is not to make them cybersecurity experts. However, you do want them to clearly understand that there is a broad spectrum of potentially deadly attacks on company’s assets and they play a highly critical role in protecting them—particularly when working from home. “Trust but verify,” is the new mantra for any employee whether working remotely or not.
Additional training for employees should include procedures to follow when they think the company’s network may be compromised.
7. IT’S NO LONGER AN OPTION—CYBERSECURITY INSURANCE
The FBI reports that since the COVID 19 outbreak and subsequent economic crisis commercial cybercrime has quadrupled. Research indicates that 60% of small businesses already get hacked each year. It’s a near-certainty that cybercrime is coming for you in 2020 and beyond. Cybercriminals are an opportunistic bunch. They identify the most vulnerable departments in your organization and will pick apart your defenses with phishing and malware campaigns that have evolved to capitalize on the fact that thousands of employees are now working from home.
The reality is that even with the very best of processes, businesses will always have weak links. There is only one way to truly remove the risk of business failure in the likely event of an attack on your operations—cybercrime insurance tailored to your business. This isn’t a self-serving need, but a part of corporate responsibility to customers/clients and the general public. Don’t let another week pass without securing cyber coverage.
At Park Insurance, we are pleased to provide cyber coverage advise without obligation, call us at: 604-659-3130 or email commercial@park.ca
