Examples of Cyber Attacks

Target, the IRS, Anthem BlueCross/BlueShield, Yahoo, and eBay: these are just a few of the biggest data breaches over the past five years. When a person hears about a data breach in 2018, it is human nature to envision an IT Scientist cracking the code of an in-depth system of cyber security. Sometimes this is the source of a cyber attack, but many of the largest data breaches in history were started by something not highly technical. Here are some examples of cyber attacks and how they began.


General Manager of a Professional Baseball Team uses a Weak Password

This actually happened between the Houston Astros and the St. Louis Cardinals when the Astros General Manager used the same user name and password in Houston that he had previously used when he worked in the Cardinals Front Office. Some employees from the St. Louis Cardinals Organization used this information to log in to the internal computer systems of the Houston Astros and obtained access to a database known as Ground Control, which was created by Luhnow. This database included details about confidential discussions within the Astros organization, player evaluations, trade recommendations, statistical information and more.

High-level Industry Executive uses the same password for all accounts

Many high-level industry executives have extensive experience and expertise in their particular profession, but have used computers for only part of their career. Many high-level execs deal with interpersonal relationships between departments, partners and even competitors much more than the day-to-day operations of a business. For this reason they may not be as in tune with the risks a business faces in the realm of cyber security. These execs also have access to some of the most precious information a business may possess. This makes them prime targets for cyber attacks. Many industries rely on computer programs that each require these execs to remember a different username and password. When you pair these accounts with all of the accounts these people have to use in their personal life, it is human nature to use the same password for multiple platforms. This makes it easy for hackers to find their password from one platform and use it to gain access to a bigger platform with more valuable sensitive information.

Salesman is travelling across country and has their laptop stolen in an airport

One of the most common examples of a cyber attack is when an employee has a laptop stolen while away from the office. Depending upon the information saved on the device, it can be the source a hacker uses to start a data breach. Several data breaches have started when an employee’s laptop was stolen after their car was broken into, and another occurrence happened at an airport while travelling for business. Bringing this to the attention of your employees when they use devices remotely will go a long way towards protecting your business.

Employee leaves the password to his computer on a post-it note attached to his desk

Leaving a password out in plain view is a common way for someone to gain access to internal servers. Most offices have commercial cleaning companies in the facility after hours with little to no supervision. The people who work for these third party companies may or may not be ethical. Regardless, it is imperative not to give them the opportunity to gain access to your internal computer systems. Many banks do monthly walk-throughs on unannounced days to find out whether employees are leaving sensitive information out on their desks. Depending upon the type of information your organization works with, this might be necessary for your business.

An employee clicks on an email that is actually a phishing scam

Phishing scams are a very common way for hackers to either install something malicious on one of your business’s computers or gain access to your internal servers. A phishing scam is when a hacker sends an email that looks legitimate, asking the receiver to click on something within the email. Many of the emails look very authentic. There are businesses out there that can help you send out test emails to prepare your employees for a phishing scam. The company will send out an email periodically to see who will fall for the request. If the employee clicks on the link, you are notified and you can go through additional training with that employee.


3 ways your Small Business can be Hacked

If your small business has ever been hacked, you know the importance of cyber security for small business. You more than likely know that data breaches are no longer just a problem for big business. Any business can be hacked, and the ways in which a business is hacked are very widespread. Here are 3 ways your small business can be hacked that are within your control to stop.


Not periodically resetting a password

A few years ago there was a hack that occurred between two baseball teams, the St. Louis Cardinals and the Houston Astros. This hack occurred because a rogue employee (Chris Correa) within the Cardinals Organization guessed the password of a former Cardinals employee who now works for the Astros (Jeff Luhnow). It has never been confirmed exactly what the password was, or whether Correa knew what Luhnow’s password was when he was with the Cardinals, but Correa has admitted that he guessed the correct password for Luhnow’s login credentials with his new team, the Houston Astros.

This could have been prevented by simply resetting a password periodically and not using the same password for all logins. Here is one tactic many people use to remember their password when it has to change. Start with a password like:

BaSkeTBaLl_2741+3657

The word Basketball can change with the seasons.  For instance, you could use the word baseball in the Summer and Football in the Fall.  You could also keep the same password and change the special character. In this example you would change the _ and the +. Be careful using this method because you are not changing much about the password.

Old Employees Still Have Network Access

When an employee leaves your organization there should be adequate steps taken to ensure the terminated employee no longer has access to any networks or internal files. There also may be several Software as a Service (SaaS) companies out there that your business has an account with, but the terminated employee is the only employee who used the account. Having a way to keep access to those accounts or to change the password is important.

Third party vendors getting hacked

Two of the largest data breaches in history, Home Depot and Target, were started by a third party vendor being hacked first. In both of these cases a small business was hacked several weeks or months previously and the criminals waited until they realized they had access to the much larger database through this vendor partnership.  In the case of Target it was a local HVAC company that serviced a few of their locations in the Pittsburgh area. Home Depot had a vendor partner that processed the credit and debit card transactions at their self check out stations in most of their locations.

3 Types of Cyber Insurance Every Business Should Have

What if my business does not deal with computers? Does that mean I really don’t need Cyber Liability Insurance? What if I am the only person in my business who uses a computer? Doesn’t that mean I don’t face all that much risk? Let’s say I might need Cyber Insurance, but what kind and how much?

Do any of these statements sound familiar? If so, you definitely need Cyber Liability Insurance. The term Cyber Liability Insurance is used pretty generally because cyber security is such a young sector and the data about the risks are changing very rapidly.  Business owners and insurance companies are still having trouble determining who is at risk and how much risk those businesses actually face. Just because this is a new type of insurance coverage does not diminish the importance it can have for protecting your business.

Cyber Liability Insurance

Many business owners think a data breach can only occur to a big multi-national corporation. For the big data breaches that make the news, this is certainly true, but the truth is most data breaches first start out with small mom and pop businesses. These mom and pop businesses are first hacked with the hacker’s intention of gaining access to a much larger database. This usually occurs through various types of vendor partnerships. In the case of Target and Home Depot, both of these breaches were first accessed through a much smaller business partner who was hacked. For this reason it is immensely important for you to talk with an experienced independent insurance agent about all the risks your business faces.

The three main types of Cyber Liability Insurance Coverage are Cyber Security, Cyber Liability and Technology Errors and Omissions Insurance. The first two deal with risks relating to a Data Breach. The third deals with companies that provide technology services and products.

Cyber Security

Cyber Security Insurance is also known as Privacy Notification and Crisis Management Expense Insurance.  This coverage includes coverage for first party damage to you and your business. This coverage does not protect your business from damage done to third parties. Cyber Security Insurance deals specifically with the immediate response costs associated with a data breach. In many cases it is required by law to find out how the breach occurred, notify those affected and provide credit monitoring services for one year.

Examples of costs included in Cyber Security Coverage include:

  • hiring a forensics expert to determine the cause of the breach, suggest measures to secure the site and prevent future breaches

  • hiring a public relations agency to assist in dealing with the crisis

  • setting up a post-breach call center

  • notifying affected individuals whose personally identifiable information (PII) has been compromised

  • monitoring these individuals’ credit (usually for 1 year)

  • paying the costs to “restore” stolen identities as a result of a data breach (e.g., expenses of notifying banks and credit card companies)

Cyber Liability

Cyber Liability Insurance, also termed Information Security and Privacy Insurance, covers the insured’s liability for damages resulting from a data breach. It does not cover expenses that deal with the immediate response cost. This type of insurance protects businesses which sell products and services directly on the internet. It also protects businesses which collect data within their internal electronic network. The most common forms of data breach involve personal or financial information like credit card numbers, bank account information, social security numbers, health information, trade secrets or intellectual property.

The types of situations where this information is accessed include:

  • An employee’s car is broken into and a business laptop is stolen.

  • An email containing sensitive customer information is sent to the wrong person.

  • Important paperwork, like a credit application, is taken during a break-in.

  • Failure to timely disclose a data breach.

Technology Errors and Omissions

Technology Errors and Omissions Insurance, also referred to as Professional Liability or E&O, is a form of liability coverage that protects businesses that provide or sell technology services and products. This coverage prevents businesses from bearing the full cost of defending against a negligence claim made by a client, and damages awarded in a civil lawsuit. This can include businesses that sell and service computer products, but it can also include graphic designers and advertising agencies who create digital content that can harm a company’s reputation. It covers computer programmers who may create faulty code for a website that causes that business to mail products to the wrong addresses.

Cyber Liability Insurance is a new and emerging part of the insurance industry and it is not going anywhere. These risks are only going to become stronger as more and more businesses operate online. Before too long Cyber Security Insurance will be a normal part of a business’s insurance policy, just like Workers Compensation Insurance and General Liability Insurance are today. Now is the time to consider if and how much cyber insurance your business needs.

Eight CyberSecurity Tips for Small Businesses


In-depth Training for Employees in Cyber Security Prevention

You and your information technology expert need to come up with basic security practices for your employees. There need to be clear and concise rules of behavior for your employees regarding passwords and customer information.

Protect all sensitive Information from Cyber Attacks

Start by keeping the computers clean and always running the latest security software on schedule. Make sure you install all of the proper anti-malware, antivirus, and key software updates. If you and your IT Professional are constantly paying attention to cyber security, the employees will take more of an interest as well.

Make sure you purchase the proper Cyber Insurance Policies

Cyber Security Insurance comes in two forms that are usually packaged together. The first is commonly referred to as Data Breach Insurance and it covers your first party damages to you and your business. The other coverage is commonly referred to as Cyber Liability Insurance. This coverage protects your business from the third party liability your business may have to customers and other parties who may be damaged by a data breach that occurs within your business.


Do not forget about having a policy regarding Mobile Devices 

Mobile devices are such a common part of our lives now that many people forget their phones are a prime target for criminals to access a business’s sensitive information. Many employees may want to have access to their company email on their phones, especially if they travel much for work. Having a well thought out policy that you are comfortable with, and adequate measures to check that your employees are following the procedures, is essential.

Make backup copies of important business data and information

There should always be a way for you to retrieve customers’ sensitive information. Microsoft OneDrive is a great, fairly new software program that allows you to store and share information internally. If you can afford it, having a second server at a separate location may be necessary depending on how much information your business does store.


Strictly control access to your computers and create user accounts for each employee

This can help dramatically if you have an internal problem. Knowing who was logged in at the time of the access can help determine where to go to find information about a hack. It may be as simple as an employee who opened a zip file in an email and they are scared to bring that to your attention fearing retribution or it may help you find the source of employee theft.

Secure your Wi-Fi networks

Properly securing your Wi-Fi network may seem like something obvious to prevent a hack. Small business owners without a lot of technology experience may not know how to do this or why this type of security is needed. This should be the first and foremost thing a small business should do to prevent unauthorized access. This is important to consider for businesses that are open to the public or may offer Wi-Fi access to their customers.


Passwords and authentication

Password protection is crucial to defending your business from a data breach. It is important to give your employees hard examples of what is a good password and what is not. What may seem secure to one employee may be something as simple as October, which is not acceptable in the least bit. Here are some examples of passwords you can use to demonstrate strong and weak passwords.

6f8Il,E6pg%j2

This would be an example of a password that is extremely secure.

BaSkeTBaLl_2741+3657

This would be an example of a password that is a little less secure, but easier to remember.

JoeSmith or password

These are examples of terrible passwords that should never be used.

You will find many employees like to use something similar to the middle password. This is because it has some resemblance to a word they can associate with to remember the password more easily. I personally like this because in the Fall I might use Football or Autumn, and in the Winter I might use basketball or Thanksgiving. As long as you are keeping the other numbers and special characters random, it is difficult for hackers to hack through these secure passwords. The birthdays of yourself or a family member should never be used. There should also be a time period for how frequently a password must be changed. Every 90 days is a good rule of thumb, but many businesses have different requirements based on the needs of their organizations.
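The earlier caution that the seasonal-word method is "not changing much about the password", together with the strong and weak examples above, can be turned into a check that runs whenever a password is changed. The following is an added example, not part of the original article: it rejects denylisted values and new passwords that keep most of the old one. The denylist contents, the minimum length, the 0.5 similarity threshold and the function names are assumptions chosen for illustration.

```python
"""Password-change check: weak-value denylist plus similarity to the old password."""

# Constructed sample denylist built from the weak examples in this article.
# Assumption: a real deployment loads a large breached-password list instead.
DENYLIST = {"password", "october", "joesmith"}

MIN_LENGTH = 12        # assumed policy value, not taken from the article
MAX_SIMILARITY = 0.5   # assumed threshold: reject if half or more of the old password survives


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute, free if equal
        prev = cur
    return prev[-1]


def similarity(new: str, old: str) -> float:
    """1.0 means identical ignoring case; values near 0.0 mean almost nothing is shared."""
    a, b = new.lower(), old.lower()
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - edit_distance(a, b) / longest


def check_password_change(new: str, old: str, full_name: str = "") -> list:
    """Return a list of policy problems; an empty list means the change is accepted.

    Run this at change time, while the user has just typed the current password:
    stored password hashes cannot be compared for similarity.
    """
    problems = []
    lowered = new.lower()
    name = "".join(full_name.lower().split())   # "Joe Smith" -> "joesmith"
    if lowered in DENYLIST or (name and lowered == name):
        problems.append("denylisted")
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if similarity(new, old) >= MAX_SIMILARITY:
        problems.append("too_similar_to_old")
    return problems


if __name__ == "__main__":
    old = "BaSkeTBaLl_2741+3657"
    # Constructed candidates: the seasonal swap, the symbol swap, and the article's examples.
    for candidate in ("FooTBaLl_2741+3657", "BaSkeTBaLl-2741*3657",
                      "6f8Il,E6pg%j2", "JoeSmith", "password"):
        print(candidate, "->", check_password_change(candidate, old) or "accepted")
```

Swapping only the seasonal word or only the two special characters leaves most of the old password in place, which is exactly what the similarity check reports.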

6 Ways to Keep Your Small Business Safe

Safety can mean a lot of things to a lot of people. In the business world, the perception of safety can mean a lot of things to a lot of different business owners. What it takes to properly protect your business should be something that is taken very seriously by all of the decision makers within your business. Safety can mean securing the property at night when you are away from the building, or it can mean properly training your employees to use the equipment they will be using as part of their job. It can even be having the proper policies in place to protect your business from a data breach. There is a laundry list of things that can be included in your business’s strategy to properly keep your business safe. Here are 6 strategies to keep in mind when protecting your small business.

Hire the right people

It may seem obvious, but the people you hire are your most precious asset. Making sure they are the right people can go a long way towards the safety of your business. There are many ways you can go about checking up on your applicants. Criminal background checks, motor vehicle driving records, investigating their references and checking their college transcripts are all great places to start. Sometimes you will have to rely on your gut reaction to them from an interview, but taking extra time to make sure the people you hire are the right people will start your business off on the right foot when attempting to keep your business safe.


Train people effectively in the first place

Once you have hired the correct people for your organization, it is not enough to just set them loose and think everything in your business will remain secure. You must properly train them in the art of protecting your business the way that is best for your organization within your industry. They need to know what is important to your organization and how you expect them to conduct business. This may seem obvious, but far too many business owners forget this part of their organization. An employee in HR or Marketing might be coming to you from another industry. They may not see the potential risk that exists for your business in your industry. Take the financial services industry for example. This industry deals with every bit of a customer’s sensitive information, most importantly their financial accounts. If they are coming from another industry where the business does not have access to these types of materials, they may not fully understand the need to safeguard everything they do. Another industry, like commercial cleaning, has risks where they are allowing employees into a business after hours when they are the only people in the facility. This opens up the possibility for theft or access to internal computer networks. Training new employees properly will prevent risks from getting out of hand later.

Have well-documented, well thought out Safety Programs

Safety programs entail a lot depending on your business. Don’t be afraid to make them more or less extensive based on the needs of your business. It should start during the initial training/onboarding process for all employees. If you make it clear to them from the beginning that safety is important to your business, then they will implement this into their daily work routine. Like many things in life, it is always easier to start tight and loosen up than to start loose and try to tighten up later. That works for a safety program as well.


Defensive Driving Program

Having a Defensive Driving Program in place can make a drastic difference in the frequency and severity of accidents that occur among your employees. If you have employees that operate a vehicle as part of their job, they need to have their driving record pulled at least once a year. As part of the hiring process, many businesses require employees to pay for the driving record themselves. This can help weed out applicants with the worst driving records. It saves you time and money on the front end from going through the hiring process with someone who will not be getting the job because of their driving record.

Buying the proper insurance.

Having proper insurance is essential to any good business plan. How much and what types of insurance a business needs is completely dependent upon the business owner. It depends on how much risk they are comfortable taking and what types of risk they actually face. This is something a good independent insurance agent can help you determine. Many business owners face risks they do not realize, and that is where having a long, honest conversation with your agent can help you get properly insured. In most states and in most industries it is legally required to carry Workers Compensation and General Liability Coverage. But there are several other coverages that may be necessary depending upon the industry you operate in. Most carriers have programs set up for each specific classification code and they are called Business Owners’ Policies. In most cases this is the best way to go about purchasing commercial insurance.

Take cyber security seriously

Cyber security is a real threat to nearly all businesses. Regardless of how technologically advanced your business is there is a threat in the cyber world. Two of the largest data breaches in history were first started by small businesses first being hacked and allowing access to a larger network of customers through a vendor partnership. Many business owners think data breaches occur through highly technological criminals hacking in to a computer. That is the source of many data breaches, but many start with something as simple as someone leaving out a post-it note with their username and password or an employee taking a laptop home for remote work and the laptop getting stolen out of their car. Those are real risks that any business can have and they can cause a huge cost to your business when they do happen.


Business Loss of Income Coverage

Business Loss of Income Coverage is an addition to a Commercial General Liability Policy. It can be added to a Business Owners Policy (BOP) for as little as a few hundred dollars, depending on the size of your business. It covers the loss of income from damage to your building that results in a slow down or suspension in business. For many business owners, this coverage may not seem all that necessary, but when an incident occurs this coverage can many times be the difference between a business reopening or closing for good.

The most basic way a need for this coverage occurs is when a building catches fire. When this happens, the general liability and commercial property policies will cover a business’s expenses to repair the building to its previous condition. These policies will not pay to cover loss of revenue if your business is slow or suspended for an extended time. This can be thousands of dollars depending on how long your business is closed.

As a business owner it is important to realize that a Business Loss of Income Policy only kicks in if the loss is a covered loss. This means that if the loss occurs from something like an earthquake or flood, and the business does not have special coverage for that peril, then the business loss of income policy does not kick in. This is important to note in areas that have natural disaster risks. Examples of this are Florida for hurricanes, California for earthquakes, Missouri for tornadoes, and everywhere for flood risks. Another risk that is associated with Business Loss of Income is Data Breach. When a data breach occurs, it very likely can cause you to be closed for a certain amount of time while the data breach is dealt with. If you have Data Breach Coverage in place, then this will be a covered peril. If not, the Business Loss of Income will not kick in and you are liable for the additional loss of revenue.

When a business owner decides to add this coverage the important thing to consider is how much risk you are willing to take and determine if that risk is worth the amount you save in premium. For most businesses this coverage can be added for a few hundred dollars. If it is added to a business owners package it can be even less. In most cases this cost is well worth the benefit you get when an occurrence does happen. In most instances, when a devastating accident occurs and a business does not have this coverage, the chances of them ever reopening are far less than if they have this coverage.

Data security becoming a bigger issue for hotels

The hotel industry is seeing a rapidly growing trend of data security breaches that are part of the latest trend of industries targeted by cyber criminals. The trend is now reaching the radar of the general public, after Hilton Hotels & Resorts acknowledged hackers stole credit card information from a large number of the franchise locations in November.

According to Barry Kouns, President & Chief Executive Officer at Risk Based Security, there have been 49 reported data breaches from the hospitality industry between 1/1/14 and  11/31/15. Kouns acknowledges that many breaches go unreported by organizations. Of the group of reported breaches, almost 60% exposed client credit card numbers, according to Risk Based Security.

This two-year long trend first received some notice after hotel owner, developer and management company White Lodging acknowledged a cyber hack in the first quarter of 2014. That attack (as has been the case with the Hilton breach and the Mandarin Oriental data breach) targeted point-of-sale devices inside of restaurants, coffee bars and gift shops located within the 14 hotels breached. The White Lodging  cyber attack was where the issue really first came on the radar for the hotel industry.

In fact, that attack prompted John Buchanan to write his article “Sources: Data breach shows industry liability” on Hotel News Now.com. In that report, Buchanan cites an expert who discusses how the industry is being threatened and is seen as a good target for cybercriminals — especially for franchise chains within the industry.

Part of the reason franchises make such an attractive target is because the franchise models typically have a standardized model, even within their computer systems. Because of that standardization, when a security deficiency exists within a specific system, it can be used against the entire franchise.

Former Washington Post reporter Brian Krebs broke both the Hilton and White Lodging breaches on his blog, Krebs on Security. White Lodging confirmed a second data breach in February 2015, attacking the same systems in different hotels.

What can hotels do to protect themselves?

The biggest issue most hotels seem to struggle with centers around their inability to quickly implement security patches in their networks. One of the easiest suggestions Mr. Kouns offers to those in the hospitality industry is for the company to conduct regular network scans and to fix issues.

Another key implementation step is to make sure that anti-virus software and definitions are kept updated. New viruses come out every day and the anti-virus protection software is usually pretty good at staying on top of the new viruses, offering fixes regularly. If a company isn’t updating their anti-virus software, that company is leaving itself exposed for a potentially avoidable hack.

Risk Based Security is one of several companies that offers different solutions to businesses to help them mitigate their risk of a data breach. They offer a subscription service designed to provide clients with the tools, services and resources to stay informed about the latest security threats and have ready access to security expertise while maintaining a continuous improvement posture.

Another key element is providing training to employees regarding cyber security. Many data breaches occur when an employee has either visited a website or clicked on an email that corrupts the computer. Most of the time, the employee is aware that they have made a mistake … but since nothing obvious happens right away the employee is tempted to stay quiet rather than bring up the issue to their IT department and potentially get in trouble.

Some of the most successful companies to avoid data breaches discuss open communication and react in a supportive way when a computer is attacked. That reaction encourages employees to report potential data breaches, which can make the difference between catching an issue quickly, or having your company’s name attached to the next data breach report.