Last month, the whitepaper of the Sixth Annual Survey on the Current State of and Trends in Information Security and Cyber Risk Management was released. The survey had a lot of interesting and important information to help small businesses and CIOs make meaningful decisions regarding their approach to cyber security. It discussed key themes, like evolving threats and how companies can build up resilience to those threats. In addition to all the findings and suggestions in the survey, there were also some facts that readers and business owners may find very interesting.
Let us know what you think!
According to the survey, 78 percent of respondents from personal data-driven industries purchased a security & privacy insurance policy, compared with only 59 percent from all other industries. Data-driven industries certainly have more sensitive customer data to protect, which may be why their number is higher. But, either way you look at it, more than half of the industries surveyed take out cyber insurance. That’s a lot.
The study revealed that approximately 60 percent of pre-breach services are provided by internal resources such as IT, risk management, human resources (HR) and legal. While it’s a good idea to outsource security management, we can see that some companies are still relying on their in-house staff for pre-breach services.
According to the survey, when asked to what extent an internet, cloud or technology disruption would impact their daily business operations, 87 percent said it would have a moderate-to-significant impact. That’s a whole lot of people who feel that if a breach were to happen, they would really be in a bad situation.
76 percent of respondents in the communications, healthcare, finance and banking, and retail industries viewed cyber risk as a significant threat compared to only 55 percent of all the other industries. If your industry falls into that 76 percent, then you may want to consider what aspects of your industry make it more vulnerable and assess your company’s cyber security measures based on that.
A question was asked in the survey, “In your experience, are cyber risks viewed as a significant threat by your organization’s leadership?” In response, 83 percent said “yes” for Board of Directors, which is 15 percentage points higher than in 2015. Just a year ago, it seemed as though higher level executives and other leaders simply did not see cyber security as enough of a threat to consider it in their budget. It looks like that’s starting to change.
According to all respondents, “employees unintentionally infecting the company’s network with malware” is the top concern with 50 percent rating it a high or extremely high risk. So, if you’re an employee, your higher-ups may be worried more about you making a mistake than a dangerous hacker.
When asked which services are utilized in response to a cyber-security breach, it’s no longer the IT guy. Based on the survey, for the first time, the general counsel is the department most frequently responsible for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws. While the IT person at your company should be fully aware of policies, it may be better to play it safe and go with the general counsel for any of your cyber-security questions, comments, or concerns.
Smeester & Associates understands the questions that arise when it comes to protecting your own company’s cyber-security. We’re here to answer those questions and provide you with the tools and recommendations necessary in order to make the best decisions for your company.
Discover how much risk you’re exposed to and get a complimentary RiskAware™ Cyber Security Scan & Report today!
When it comes to contracts in the digital world, there are none quite as important as service level agreements, or SLAs. Service level agreements are the agreements outlined between a service provider and the user. It discusses what the user expects to receive from the service provider, and in turn, what the service provider will provide to the user. A strong SLA should erase any gray areas between the user and the service provider, clearly outlining what the relationship entails.
You do have a say in your SLA
Though the service provider should be the one to present the service level agreement, as the user, you do have a say in what you want it to include. If there’s an aspect of the job that you want to be covered but the service provider didn’t mention in the SLA, you can have them add it in. An SLA is certainly not one-sided.
An SLA provides targets for measuring performance
Whichever sector the service provider is in will determine the type of contractual agreements that are laid out in the SLA. Whether a service provider is providing an internet service, managed services, cyber security, or a combination of these services, the service level agreement should have observable and measurable objectives that are attainable. If you, as the user, want to be clear about what you’re paying your service provider for, take a look at that SLA.
It explicitly outlines the “what happens when…?”
A good SLA should answer all the questions you didn’t know you had or perhaps the ones you don’t want to ask. Even if we trust our service providers to give us what they say they will, we still want to know “what happens when…” The SLA makes things more transparent, so you can be confident in your decision.
An SLA encourages responsibility and protection for both parties
Anytime we invest money as a user, we need to make sure we’re protected. Likewise, a service provider needs to look out for themselves, too. So, while an SLA can protect you from losing any money, it also protects the service provider from being held responsible for something that may not be their fault. Why would either party want to take a risk?
They can be continuously reviewed and updated
As technology continues to grow and more companies are moving over to the cloud, there’s no predicting what the cyber world holds for us in five years, or even one year, from now. The good news is, an SLA isn’t technically set in stone. While nothing should be changed without both parties’ consent, there is always the opportunity to sit down together and adjust the terms as things may change.
While cyber attacks can happen to anyone regardless of the size of your company or what sector you’re in, there are some exceptions. Though hackers are good at what they do, you can make it harder for them to target your company. Even if everyone is a potential victim, you can make sure you’re not at the bottom of the totem pole. Don’t be the low hanging fruit for cyber criminals.
Follow these tips to make you less desirable or less obvious to hackers on the prowl.
While you might want an easy way to remember all your passwords, keeping them all the same is essentially asking hackers to come knocking at your door. And, they probably won’t be so polite that they’ll knock first. Your passwords should not only be unique and very difficult to figure out, but they should be different for each one of your accounts associated with your website or business.
It’s also a good idea to use fake answers for security questions and two-step verifications, as any cyber criminal with a little bit of time can figure out your personal answers. If you’re worried about remembering all these passwords, you can use a password manager to help. Additionally, think twice before saving your password (and credit card information) on websites when your browser asks you.
Use a VPN
Using a VPN is a great way to protect your connection, especially if you’re hooking up to a public WiFi network. That’s because a VPN hides your IP address and encrypts all traffic coming in or out over a certain internet connection. This is one of the easiest ways to avoid being the low hanging fruit for cyber criminals.
Don’t make your hard drive an open door. Encrypt it. There are thousands of ways hackers can get into your hard drive, sometimes even physically. Block it off and make sure you’re the only one that can access it.
In addition to encrypting your hard drive, you also shouldn’t keep everything in one place. Sensitive information should be spread out among different places to make it harder for a cyber criminal to really cause damage.
We shouldn’t have to say this, but if you need a reminder, please, oh please, don’t open anything in your email that looks suspicious. A lot of the time, hackers use phishing as an easy way to hack your system. Anything that looks out of the norm probably is. DELETE it and notify the company that someone is using their name and logo to try to infect you.
An easy way to be the low hanging fruit for cyber criminals is by simply ignoring the issue of cyber security. Even if you’re a small business (actually, especially because you’re a small business), you should really take advice from someone who knows best. Using a managed security service is one way to go about it. Another way is to talk to us at Smeester & Associates, because we can steer you in the right direction.
A data breach doesn’t discriminate based on the size of your company. Making sure you’re protected, therefore, is extremely important. This is more or less the reason why a lot of companies take out cyber insurance to help pay for indirect costs associated with a data breach. While it’s great news that companies are taking security very seriously, it comes at a bit of a shock once you see how much these claims actually cost. And, not only that, but also where those costs are coming from.
A study done by NetDiligence on cyber claims costs tells us a lot of interesting information. Though the larger companies make up a higher total average of claims at six million dollars, it was actually the smaller companies with less than two billion dollars in revenue that represented a higher cost of claims individually. That’s a whopping 87% majority of all the companies surveyed.
But, why? Why would a smaller company who makes a heck of a lot less than a larger one be claiming more money than their larger-company counterparts?
Here are a few possible reasons.
For many years, only Fortune 500 companies and government organizations were the main targets for data breaches. IT teams and managed service providers were still an up-and-coming field. Those who knew how to prevent hackers were mostly hired to protect large organizations like these. But, times are a changin’, and smaller companies are just as likely to get breached, particularly in the retail and financial sectors.
Without putting any of you small-company folks down, these kinds of companies just are not as aware of their exposure as large companies are. This means that not only are they unfamiliar with how much sensitive information they possess, but also with how much of that information isn’t safe from attackers.
When it comes to smaller companies, there aren’t as many resources available to guard against data breaches. Unlike larger companies, they might have a smaller budget or they may be currently preoccupied with getting their business off the ground or managing their customer relations. During these times, a small company may not realize how vulnerable they are. But, that doesn’t necessarily mean they aren’t protecting themselves. When companies have fewer resources to invest in IT, they may just put that towards insurance. Hence we see more claims from small companies.
You might wonder why a smaller organization with less to offer hackers would have more incidents than a larger organization. But, believe it or not, the size of your company has both a lot to do and very little to do with it. One thing to note is that hackers don’t really care about the size of your company. If you have important information somewhere in your network, then you can be a target.
That being said, the fact that you are a small company, in general, may mean you’re not quite up to par with larger companies when it comes to cyber security. That means more incidents can happen, thus leading to a higher cost of claims.
So, where does your company fall in all of this? Smeester & Associates is here to provide you with more information on these topics, so you can make the right decisions for your company.
Over the last few months, Samsung has made the news for their Galaxy Note 7, which has had its batteries exploding, causing danger for users. The problem has gotten so bad that you can now get into serious trouble for bringing one onto an airplane. Though, the recent round of total recalls on all devices should help prevent that from happening.
Besides the fact that a phone exploding in your pocket or under your pillow can be a serious physical risk to a person, it also presents a huge security risk. If you were one of the one million users who had to send their phone back, then you must know Samsung now has a ton of phones with sensitive information on it. One of them could be yours.
So, Samsung may care less about your information. But, this whole situation is a clear representation of the security risks mobile devices can present if not handled correctly. All it takes is one bad person to get their hands on a device to ruin your identity or your company. Whether you owned a Galaxy Note 7 or not, you might want to give more attention to your own company’s mobile security situation.
And, you can do it in less time than a phone blows up. Here’s how.
If you already have a current security plan managed by a service provider, you don’t need to take out a new one for your mobile devices. It’s easy to call up whoever is helping you run your network and ask them to add on security for any devices that are or will be connected. There’s no sense making things more difficult for yourself and your budget when you can keep everything simple.
If you rely on your IT team or an IT person to manage your security, then there are some things you need to understand. First of all, it’s time to consider outsourcing to a managed service provider, because then you can be sure your bases are covered. We live in a world where technology is rapidly changing and therefore mobile device security must be a priority. Unfortunately, not all IT personnel can keep up. If you’re still using your IT person or team, then that’s fine, but make sure you’re investing in the tools and resources they would need to ensure you’re protected.
A BYOD policy is definitely not something you want to take away from your employees if you’ve already implemented it. We know that having a BYOD policy allows for a happier and more efficient workplace. That being said, in light of the events of Samsung, you might need to tighten up your mobile device security until things get under control. This could involve anything from keeping very close tabs on who is starting to bring in their own devices, to having a stricter procedure altogether.
Does your company have a WiFi system that anyone can connect to? What about people who work at your company for a year, have access to everything, and then just leave? Shouldn’t their devices be wiped of all company-related information and access before they’re gone for good? Remember, when it comes to cyber security, you can’t trust anyone. And, when mobile device usage continues to grow at such a fast rate, companies need to crack down.
Smeester & Associates can provide you with the tools and recommendations needed to make sure your company’s mobile devices aren’t putting you at risk.
How can a lone IT guy compete with large teams of certified technicians? Though having one IT guy may be easier, there are a lot of reasons why going with him or her can put you at risk. If you’re still stuck choosing between an IT person and an outsourced team, then we’re going to make your choice very easy. Don’t be the client who went with the IT guy. Be the client who went on to a bigger and better managed service provider.
Here’s what you need to know!
Now, not all things are better when they are left to more than one person. But, in the case of managing your network, you want there to be more people. When you’re counting on one IT guy, there may be a problem that he or she just can’t figure out. After all, we are only human. That being said, an entire team of certified technicians can work together to quickly find a solution to your problem.
On the surface, it may seem like hiring just one IT guy is more affordable for a company. But, when you go with a team of certified technicians, it will lower your costs. This is due to ‘economies of scale,’ in which the cost per unit of work falls as the volume of work increases.
Maybe your IT Guy is super-efficient and gets things done, sometimes even before you ask. But, the reality is, if your business is growing, there are just some things that can’t be dealt with alone. For example, let’s say your company is thinking of switching over to the cloud. That’s a big switch on its own, but it’s something that requires a lot of monitoring. Monitoring that an IT person can’t handle by him or herself. Something like the cloud is constantly changing and growing, with new features and additions. Only a team of managed service providers can stay on top of everything associated with something as vast as the cloud.
So, you’re starting to see the advantages of having a managed service provider. But, what are you supposed to do with the IT guy you already have? Or, what about the in-house IT team you already rely on to help you manage everything? Well, the good news is, doing what’s right for your company doesn’t always mean having to let your staff go. Choosing one over the other isn’t necessarily mutually exclusive.
Instead, use both. Managing your network is one of the most important things you can do for your company, but there are ways to go about it so no one needs to lose their job. One way to do this is by keeping your IT guy, but hiring a managed service provider to help him or her as a backup; an extra set of hands, if you will.
If your company is in a place where they can choose between an IT guy and a managed service provider, then you know what you need to do. A managed service provider can conduct an entire array of useful services, and you can choose how much help you need (or how much you want to pay for).
Whether you choose to go full throttle with a managed service provider or you’re going to make the transition gradually, make the best decision for your company. Even if you choose to keep your IT guy, a managed service provider can be there to pick up any dust that wasn’t swept up by your IT person.
Smeester & Associates is here to provide you with the tools and recommendations necessary to choose the appropriate IT management option for your company.
When it comes to taking out insurance for anything, it can be a controversial issue. Many people tend to wonder why they should get insurance when the chances of something happening are slim, or they feel as though the insurance wouldn’t really help them out much if something did happen. This isn’t any different for cyber security. No matter how much you’ve already invested in preventative security measures, it’s still vital that you take out cyber insurance.
When it comes to cyber security, the risks of not getting insurance make it a no-brainer. There are thousands of ways data can be breached, and those numbers are only continuing to grow. You can be hacked through independent devices, social media, software, ransomware, malware, etc. The list goes on and on, and a company should never think of itself as invincible to an attack.
Even if you take all the proper precautions and have a vendor or IT team to help you with managing your network, there’s never really any guarantee there won’t be a breach. Therefore, it’s really important to take out insurance because it can cover you for indirect costs, such as sending letters to those who were affected (which can be rather expensive).
Cyber security insurance hasn’t been around for too long. In fact, it’s a rather new concept, which began roughly around 2005. However, by 2020, it’s predicted that the total cost of cyber security premiums will reach $7.5 billion. Therefore, there’s still time to take advantage of this new “trend” before it starts becoming pricier.
Major companies have had data breaches, including Target in 2013. This year alone, there have been attacks on Snapchat, the U.S. Department of Justice, Yahoo!, and Oracle. And, let’s not forget about the Ashley Madison hack in 2015. If hackers want to get your information, they’re going to get it, and it doesn’t matter whether you run a jewelry store or thrift shop. Your information and the information of your customers can be gold in a hacker’s eyes. If it can happen to these companies, it can happen to you, too.
When you think about the potential of your company having a data breach, it may seem like something you’d be able to take on, especially if your company is small. However, each data breach, no matter the size or equity of the company, has default costs associated with it. Companies must pay for a forensic investigation, business losses, privacy and notification, and potential lawsuits and extortion. Of course, cyber insurance would help take care of a majority of those things.
Compared to the crazy costs of repairing a breach, cyber insurance costs nothing. While we’d like to give you a precise number, the fact of the matter is that premiums can range a lot. It all depends on the size of your business, what kind of coverage you’re looking for, data risk exposure and the revenue of the company. But, when you think about how Playstation’s 2011 data breach cost them $171M, a lot of which could have been offset by cyber insurance, you might realize you want to avoid that for your business.
When it comes to taking out cyber insurance, there’s not too much you have to worry about. The first thing you should do is create a cyber risk profile for your company: think about what it would cost you to make repairs if you were to have a data breach. Then, sit down and discuss your budget. Lastly, consult insurance companies, many of whom have insurance calculators on their website, to see what your company can afford to pay (and what you can’t afford to lose).
So, are you ready to invest in cyber security insurance? Smeester & Associates can help give you the tools and recommendations you need to choose the insurance policy that’s best for your company.
When it comes to protecting your company’s network, there are a lot of questions you need to ask yourself. What type of approach is right for your company? Should you choose the hands-on IT management, or the remote and resourceful vendor management?
The two are very different, and various factors, like the size of your company or what kind of company you have (like e-commerce), make a difference as to which type of management will be right for you.
If you’re having trouble deciding, then this is what you’ll need to look at.
IT management is a type of network management that’s in the hands of one individual, or in some cases, an IT team. It’s the actual management of network resources, including, but not limited to, patch management, service pack updates, or just any quick adjustments that need to be done. Their expertise is more general.
Vendor management, on the other hand, happens remotely. The vendor is managing and monitoring your backups, mobile devices, and your security. The vendor has all the resources beside them to deal with a whole array of network issues. They are able to do this because they know the specific products and networks they are dealing with and can leverage them effectively.
IT management is hands on and it usually involves one IT person at a company. In IT management, your network resources are being managed as best as they can. When those are confirmed to be working well, then business should run smoothly. An IT person checks on your software, your firewalls, your devices, and any other type of network resources your company is currently using, to make sure they’re working correctly.
If you are a small company or you’re just starting out, then IT management is a good way to go. It’s best for companies that just want to be sure everything is working how it should be; that nothing gets in the way of you interacting with your customers or managing your website.
Vendor management is essentially when your management is outsourced to one person or group who can help you remotely. A vendor typically has better resources than your company’s IT management, simply because this is what they specialize in. They are therefore able to manage each thing in your company that needs to be managed, one at a time, and with precision. They can do what they need to do from the back-end, without interrupting your flow of business.
Vendor management is, therefore, better for small and medium sized companies, if they are able to switch over.
Make Your Choice
Still not convinced?
We are. Having a vendor to manage your network is just more reliable and consistent than a single IT person. While having an IT person around is certainly a nice thing, as companies grow, they simply can’t manage it all alone. With vendor management, you simply won’t have to worry because they have EVERYTHING covered.
Ransomware can happen to anyone, though many people tend to think it will never happen to them. Unfortunately, if you fall victim to ransomware, you could end up paying a hefty amount; a ransom, to get back your files. Ransomware occurs when someone hacks your system, corrupts your files, and asks for at least $500 in bitcoin. In case you don’t know, bitcoins are not an easy thing to get your hands on.
For those who have the money to pay up, maybe ransomware is not such a problem for you. But, for most people, ransomware can be a very scary thing to have to face.
Luckily, there are solutions when it comes to fighting off ransomware, but it all starts with you. If you want to make sure this cyber-kidnapping doesn’t ruin your network, then here’s what you can do.
This goes without saying. If you see an email or something suspicious on your system, don’t click on it. Delete it, and if possible, advise your IT person or CIO about what you saw.
As with any form of cyber security, it’s essential you know what it is that you need to protect from potential ransomware. Do you have customer credit card information? Intellectual property? A list of email addresses of potential leads? Decide what it is you need to protect and make sure everyone who’s dealing with it is aware as well.
This is the most important thing you can to do when it comes to protecting yourself from ransomware. The people behind these attacks will take your files, lock them, and only give them back to you once you pay.
Therefore, in order to always be prepared for a ransomware attack, it’s essential that you’re constantly backing up your information. The main goal of these people is to get money from you, so while you should be concerned about what they have, there’s not too much to worry about.
Make sure you are backing up your data as much as possible. It’s good to also back it up on an external hard drive, as ransomware can get into your cloud. While backing up your data every day may seem a bit overboard, it’s really not. Imagine the one day you don’t do it is the day you get hit with a ransomware attack. But, if doing it every day is too much for you, then just make sure you at least do a backup whenever you have new important data.
When you find out that you’ve been a victim of a ransomware attack, you’ll know pretty quickly. When you try to access your files, it will ask you to pay up by buying a bitcoin (or several). The first rule and the only rule is to not pay. If you’ve backed up your information, you’ll have nothing to worry about.
If you haven’t backed up your data, then that’s another story. Your options are a bit more limited. However, if the information they have isn’t so vital to you continuing on with your routine matters, then forget about it. After all, giving these guys money just enables them to keep doing what they’re doing. Also, there are occasions where people pay the ransom, only to find the files are inaccessible. Don’t fall into that trap.
Ransomware can happen to anyone, as can any other kind of cybersecurity attack. Of course, each type of attack has different ways of preventing it. But, when it comes to ransomware, the best way to prevent any attack is simply by backing up your information at all costs.
Can you ever really trust anything 100%?
Perhaps you feel like you can, but the answer is no. When it comes to your network, you should never trust any device or any person without checking things first. What happens when an intruder who looks like someone or something you recognize gets in? Instead of kicking yourself for being so trusting, why not put that fence up from the very beginning?
This is known as “Zero Trust Level.” When companies are looking to install new devices, software, or even allow access for certain individuals at a company, absolutely everything should be verified first. It only takes one thing, one time, to breach your cybersecurity.
In the real world, making assumptions about something is never a good thing. But, in the cyber world, it’s quite the opposite. As an administrator or an IT professional at a company, it’s imperative that you assume any device or person wanting to access your network has malicious intentions. While this may not always be true, if you don’t look at it this way, you could be making your company extremely vulnerable to an attack.
Welcome to the world where assumptions get you ahead in life: the Zero Trust Network. If you ever get pop-ups or warnings every time you want to download an app on your phone, then you know what we’re talking about. Of course, when it comes to your company’s entire network, it’s a little bit different…a little bit more serious. The warnings you want to have may not always be there, and therefore it’s your job to protect your data as best you can, even when you’re not around to do so.
Zero Trust Level was started when perimeter-centered security strategies were no longer effective. This kind of approach became quickly outdated, and networks with information to protect needed something to keep up. Not too long ago, it seemed as though the people or devices you let in were trustworthy enough. However, we’ve seen over time that that’s not quite the case. That being said, there are always hackers that can pose as the most trustworthy of people or devices.
Zero Trust was started by Forrester Research. Its guiding principle is that there is no default trust for any entity, whether it be a living or non-living thing. With Zero Trust, you can reduce the exposure of vulnerable systems. This program understands your network specifically and everything involved within that network, unlike a VLAN, which can’t inspect your traffic for threats.
How to Set Up a Zero Trust Network
“Never trust, always verify.” If you remember this, you’re already on the right path. The Zero Trust idea is actually a form of architecture that, if you follow it correctly, will help protect your data to the fullest. However, there are certain steps you need to follow.
Step One: Identify what portions of your network you need to protect. Don’t leave anything out. There’s no right or wrong here. If you think something is valuable enough to protect, then you better do so.
Step Two: Develop your trust boundaries. Decide at what point someone or something has essentially “broken your trust.” This could be something like attempted access from “countries of interest.” When those boundaries are crossed (or before they are crossed), IT teams can deploy Zero Trust segmentation gateways to the right places before a breach occurs.
Step Three: Implement and grow. Once you implement your Zero Trust program, it’s crucial that you keep an eye on your data at all times. Networks always grow and change, as do the people and devices who may or may not have access to that intellectual property. Always watch what’s going on around your network so you can make sure Zero Trust architecture is there to protect you whenever you need it.
In other words, you need to help it to help you.
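Here is what the three steps look like as a single default-deny access check, written as an added example for this post (it is not code from Smeester & Associates or from Forrester’s Zero Trust materials). The segment names, roles and the “XX”/“YY” country codes are constructed placeholders.

```python
"""Added example: a default-deny access check that walks the three Zero Trust steps."""
from dataclasses import dataclass, field
import ipaddress

# Step one: name the portions of the network worth protecting. Each segment
# lists the only roles permitted to reach it; a segment not listed here is
# denied by default. (Constructed placeholder data.)
PROTECTED_SEGMENTS = {
    "customer-db": {"dba", "billing"},
    "source-code": {"engineering"},
    "hr-records": {"hr"},
}

# Step two: trust boundaries. Placeholder country codes stand in for the
# "countries of interest" mentioned in the post.
BLOCKED_COUNTRIES = {"XX", "YY"}


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool      # identity re-verified for this request
    device_compliant: bool  # device checked by the segmentation gateway
    source_ip: str
    country: str
    segment: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, audit_log: list) -> Decision:
    """Never trust, always verify: every check must pass, and each denial
    names the boundary that was crossed so it can be reviewed later."""
    reasons = []
    # The source address is inspected but never grants trust on its own:
    # a request from the corporate LAN gets no shortcut past the checks.
    try:
        ipaddress.ip_address(req.source_ip)
    except ValueError:
        reasons.append(f"unparseable source address {req.source_ip!r}")
    if req.segment not in PROTECTED_SEGMENTS:
        reasons.append(f"segment {req.segment!r} is not defined")
    elif req.role not in PROTECTED_SEGMENTS[req.segment]:
        reasons.append(f"role {req.role!r} not permitted on {req.segment!r}")
    if not req.mfa_verified:
        reasons.append("identity not verified for this request")
    if not req.device_compliant:
        reasons.append("device failed verification")
    if req.country in BLOCKED_COUNTRIES:
        reasons.append(f"source country {req.country} crosses a trust boundary")
    decision = Decision(allowed=not reasons, reasons=reasons)
    # Step three: record every decision, allowed or not, so the boundaries
    # can be reviewed and tightened as the network grows.
    audit_log.append({
        "user": req.user, "segment": req.segment,
        "allowed": decision.allowed, "reasons": list(reasons),
    })
    return decision


def run_samples():
    """Constructed requests showing one allow and three distinct denials."""
    log = []
    results = {
        "dba_ok": evaluate(AccessRequest("alice", "dba", True, True,
                                         "10.1.2.3", "US", "customer-db"), log),
        "wrong_role": evaluate(AccessRequest("bob", "engineering", True, True,
                                             "10.1.2.4", "US", "customer-db"), log),
        "no_mfa_lan": evaluate(AccessRequest("carol", "hr", False, True,
                                             "10.1.2.5", "US", "hr-records"), log),
        "blocked_geo": evaluate(AccessRequest("dave", "engineering", True, False,
                                              "203.0.113.9", "XX", "source-code"), log),
    }
    return results, log


if __name__ == "__main__":
    results, log = run_samples()
    for name, d in results.items():
        print(name, "ALLOW" if d.allowed else "DENY", d.reasons)
```

Note that the "no_mfa_lan" request comes from an internal address and still fails: being on the corporate network is never treated as proof of identity.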
The fact of the matter is, you can never trust anyone or anything fully, especially when it comes to your information. Live by the Zero Trust Level policy, and you’ll be alright.