Whether dealing with intangible threats from a murky cyber world or those closer to home such as litigious employees, business owners need to be protected on a myriad of fronts. While many threats that businesses face today are not new, there is a growing faction of creative criminals looking to attack companies through electronic vulnerabilities. As part of the Business First Breakfast series, a panel of experts recently gathered for a Reno event to address some of these issues, both old and new.
The panel discussion, which was held in early November, was moderated by Connie Brennan, publisher and CEO of Nevada Business Magazine. The breakfast event was hosted by the magazine and sponsored by Heritage Bank of Nevada, Holland & Hart and L/P Insurance Services. Panelists included Rich Bullard, principal/vice president carrier relations for L/P Insurance Services; Steve Carrick, senior vice president of Heritage Bank of Nevada; Romaine Marshall, a partner with Holland & Hart; and James Patterson, cyber specialist at AIG.
The expert panelists were able to speak from a variety of backgrounds and provided insights on what decision-makers need to know to make sure their companies are protected.
“First of all, do everything you can to help yourself,” said Carrick. “We see that attacks happen quickly and there’s nothing you can do to prevent those except just to watch for them. Some of these things sound so basic but many of the losses that we see within businesses actually happen from the inside.”
“Do you have an exposure,” asked Bullard. “If you’re taking any kind of personal information you have an exposure.” He advised that company owners need to look at it from the perspective that they are vulnerable to attacks and should protect themselves accordingly.
Patterson added that while it may seem like common sense to today’s computer-literate company cultures, the importance of having good backups cannot be overstated. “It’s a combination of backing everything up and having a good protocol for backing up data,” he said.
The Human Aspect
While employees are a company’s greatest asset, they are also where the biggest risk lies for businesses looking to protect themselves. Both from an internal and external perspective, employees have the ability to wreak havoc for any business.
“One of the weakest areas in most businesses is actually people,” said Carrick. “From our experience, that’s how fraudsters make their way into your business. They’ll do things such as send bogus emails and employees like to do what I call ‘unsafe surfing’ which opens your system up to all kinds of dangers.”
“We all think hackers from Russia or China are going after financial, credit card numbers and so forth,” explained Patterson. “The reality is, from the claims we see, 60 percent of them involve employee negligence rather than hackers breaking into your system. Employees make mistakes.”
And the danger doesn’t come only from those looking to break into a company’s system from the outside; employees themselves are oftentimes culpable in a business’s downfall. For every loyal member of the team, there may also be bad eggs who don’t have the company’s best interests at heart. Carrick advised that business owners utilize smart business practices when it comes to employees.
“Don’t over-trust your trusted employees,” he said. “What you want to do is maintain those separation of duties and make sure that, if you can’t watch them, you have another employee watching them to protect your interests in those accounts.”
So the question then becomes, how can a company mitigate risk in its largest area of vulnerability? The panelists agreed that a carefully planned, multi-pronged approach to dealing with employees is important and that when it comes to outside attacks, training is key.
“Train your employees,” said Patterson. “If you can get them to be concerned about data security and understand the serious ramifications of failing to take it seriously, that will go a long way toward protecting your organization.”
“There’s no excuse for any of us anymore not to be technologically savvy,” added Marshall. “We need to be aware of the latest technology, patches, trainings – all those things need to become standard. You’ve probably heard of dual authentication where you need two passwords to get onto your network. The IT department needs to be training employees on these types of protocols.”
Regardless of the tech savvy necessary for today’s workplace, Patterson advised company owners to remain wary as even security companies are not immune to threats. “I was on a panel and one of the other panelists told the story of how his company sent out a test email to their employees to see if they would click on the links,” he explained. “Nearly 20 percent of employees at a computer security company clicked on the link.”
Carrick added that suspicious emails are deceptive and oftentimes look genuine. He said, “[People] still respond to them today because they are veiled to look legitimate. They appear to come from people you know. They appear to be from links you recognize. There’s no misspellings. They have proper sentence structure and good grammar.”
The Financial Aspect
While employees may be the weakest link when it comes to gaining access to a company’s secure data, they aren’t the only way in. If a company is making money, there’s always someone out there trying to steal it. When it comes to financial security, banks are working overtime to ensure the safety of their clients’ funds.
“To protect your money, we spend a lot of our own,” said Carrick. “We spend tens of thousands of dollars every year with network security, patch management, virus definitions and training. We also use some pretty sophisticated fraud protection modules, especially in debit card processing.”
Even so, Carrick advised that business owners can never be too vigilant when it comes to bank security and even a simple two-step verification process can mean the difference between a secure account and a hacked account. In addition, common sense plays a key role in protecting a company’s assets. For example, if a banker calls on a business account and that person is unknown to the business, simply calling the bank back and asking to speak with them is one way to authenticate the caller.
Carrick added that, “banks will never ask you to provide any information that only you should know. Our fraud system for debit cards does send out either a text message or make an outbound call, but it never says enter your card number to continue. Those types of notification systems typically will have a reference number which has nothing to do with your account at all.”
He went on to add that the bank’s own system has a series of checks and balances to protect customers. “We have internal protocols to be sure that, in the event we get an email from the company that says to wire out $1 million, we won’t ever operate solely on an email because it’s impossible to verify,” he said. “We will actually take the risk of angering the customer and not send that wire until we actually follow those authorization protocols.”
The Legal Aspect
While businesses struggle with evolving threats, on the legal side, changing legislation from state to state has become an issue.
“There are current regulations and legislation that have been referred to as a ‘patchwork’,” explained Marshall. “Everything is evolving. There’s no standard federal data breach response act yet. It is on the horizon. Many of us do business in multiple states and each state will have the same data breach response statute framework but there will be subtle differences. You need to know all of those.”
And, if a company is compromised, it affects more than just that business. Oftentimes, especially when the breach occurs in a major corporation, customer data, both financial and otherwise, is compromised. This breach then opens the company up to litigation from their customers. This then becomes an even greater challenge when businesses fear litigation and don’t report a breach. Lawmakers are working to open up those lines of communication to allow for greater protection.
“Just [recently] there was federal legislation passed regarding information sharing,” said Marshall. “Companies are now encouraged to share information about the security breaches that have happened to them with other companies and with regulatory agencies without fear of retribution for having been hacked in the first place. That’s just one step towards an overall federal framework.”
So, while it’s important for businesses to come clean when there has been a breach, particularly those that affect their clients, there are ways that company owners can protect themselves from being sued.
“The attorney-client privilege gives you the ability to disclose what’s necessary for your defense and not disclose what may hurt you because it’s going to be mischaracterized by the other side,” explained Marshall. “It’s a very strong defense and it is applicable and is being applied.”
The Insurance Aspect
It’s clear that business owners must be on guard for threats, and it is inevitable that hackers will target them at some point. Protecting a business then comes down to arming employees with the knowledge they need to recognize threats, understanding where a company’s weak spots are and the legal ramifications of a breach, and having the coverage to protect assets if a breach occurs.
“A lot of people have cyber exposure in their business,” said Bullard. “It’s such a new coverage and it’s so undersold that most don’t have it. Whether they have an exposure or believe they have an exposure to it, most of them don’t have it. How do you protect yourself from it? The only way I can think of is to buy more limit.”
“Cyber attacks are on the upswing,” added Patterson. “They’re certainly in the news almost every day now. We are having almost three claims per day filed for cyber events.”
So, for businesses, understanding the importance of coverage is the first step. Asking the right questions of a broker to get the right kind of cyber insurance is also vital, and having a basic understanding of what a company may need can help.
“You’re going to look first, for expertise,” said Bullard. “Does the agency or broker know the marketplace? Do they have carriers? Do they represent carriers? You need to ask the questions and really drill in for references and expertise.”
Bullard went on to add that, “brokers are real good at saying we give good service. Service can be answering the phones, sending out certificates, basic stuff. I’d like to recommend you choose a broker based on services. Those can include having a risk management department that does contract review. Different people walk jobs, do safety training, look for problems. Those are all services in addition to just being a broker and just finding coverage.”
The Technology Aspect
Protecting a company is one thing, but many wonder if there will ever come a time when businesses are one step ahead instead of one step behind in regards to cyber attacks. Many new technologies are coming into the market to protect both businesses and consumers from attacks. After several large-scale attacks in recent years on big retail chains, Europay, MasterCard and Visa (EMV) chip technology has come to the forefront.
“You’re lucky just to stay step and step with them,” said Carrick in regards to cyber criminals. “I’m already reading about ways that they’re trying to get around the EMV chip, but we work very hard. Banks have rolled out these EMV cards and we realize their value. Every day’s a new scheme and we find the best way to protect the customer and the bank.”
Prior to EMV chip technology, banks were experiencing heavy losses because they had to bear responsibility for attacks on consumers as they made purchases.
“If your customer has an EMV card and you don’t have an EMV capable terminal and there’s fraud on that card, the merchant will now take that loss,” explained Carrick. “That’s a really new perspective in the U.S. The best way to protect yourself if you take debit or credit cards is to immediately get those terminals upgraded to EMV capable.”
EMV cards add this greater security by creating a unique transaction code that cannot be used again. By contrast, traditional magnetic stripes contain data that can be replicated over and over because it doesn’t change. This is why the breaches recently levied against Target and Home Depot, among others, were so effective: the hackers were able to gather data that could be used over and over until the breach was discovered. However, if a hacker attempts to steal information from a point-of-sale transaction involving a chip card, the stolen transaction code wouldn’t be reusable and the card would just be denied.
The Attack Aspect
Chip technology is one of the more widely recognized new technologies working to protect businesses as well as their customers from fraud. However, it’s not the only one. From increased cloud security to smarter computer systems, technology across the board is increasingly geared towards security-minded professionals. This is, unfortunately, the result of criminals becoming more technologically creative in their attacks.
“One third of all cyber attacks are by hackers,” said Marshall. “Some people think all cyber attacks are a result of hackers. Sometimes they come from within. Sometimes they come from malware that has no other purpose other than just to disrupt. In the last two years, it’s been a big uptick in my practice.”
Marshall added that he’s seen an increase in, “the business consciousness and awareness of what [clients] need to be doing to make sure their cybersecurity procedures are up to the industry standards.”
One type of attack that has become much more prevalent in recent years is the use of cryptolocker malware.
“Essentially what cryptolocker malware does is it encrypts everything on the hard drive and the criminal sends you a ransom note saying, ‘Please send $25,000 to this off-shore bank account and we’ll give you the key to unlock your computer,’” explained Patterson.
While this type of ransom demand doesn’t involve the theft of a loved one, it does involve the theft of what is essentially the heart of any business: data. Whether it is customer data or financial information, nearly all companies store their information in a computer or online. And information is money. Fortunately, there is an easy way for business owners to protect their company if retrieving data is the primary goal: simply have up-to-date backups of company information, preferably in multiple locations. Sometimes, however, it’s the type of data that is in jeopardy and, in those instances, remaining vigilant to prevent the breach is paramount.
“I’m aware of a small law firm that paid half a million dollars for ransom by hackers,” said Marshall. “They had no choice but to pay that. Locked up was all of their clients’ information and trade secrets. They had intellectual property portfolios they were managing. They, of course, implemented since then the very best technology that’s out there. Hackers are that sophisticated and evil, frankly.”
While it’s clear that businesses seeking to be successful today must contend with a variety of issues that weren’t a problem in days past, those seeking to do harm are nothing new. Rather, the way in which they attack businesses has become more advanced. Regardless, business owners that remain aware of the threats seeking to gain access to company valuables will be better prepared to combat those threats.
“It’s a constant battle,” said Marshall. “The software is being updated and the hackers are becoming more sophisticated.”