Does Your Florida Business Insurance Cover Cyber Threats?  

Why Florida Businesses Need Cyber Insurance to Manage the Risk of Cyber Threats from Hackers or Accidents

Many Florida companies rely upon a business owners policy, usually called a BOP, to protect themselves against typical threats.  A BOP usually includes property, general liability, and business interruption insurance in one package.  While some insurers offer to customize these policies, they typically don’t include cyber insurance.  Small, mid-sized, and even some large companies may fail to realize that they lack protection for their digital assets until they have already lost valuable information or computer systems.
It’s important for Florida business owners, managers, and executives to understand the kinds of cyber threats they face.  Many companies should consider cyber insurance as a tool to help them manage their risks.
Cyber Threats Faced by Florida Businesses
First, it’s important to understand cyber threats and to acknowledge the risk:
External Threats From Malicious or Greedy Hackers
After reading news stories about hackers who attacked large companies like Target or Home Depot, you might not believe that any determined or skilled criminals would bother with your small business.  This belief can actually make you more vulnerable than the big corporations that invest a lot of money in preventing these risks.  Your smaller company probably also has fewer resources that you can use to recover after you have lost valuable data or computer systems.
A 2016 survey from the Ponemon Institute focused entirely on small companies and was reported upon by CNBC:

Half of small businesses had been hacked in some way during the previous year.
Many attacks derailed business for a week or longer.
Small businesses may not have the funding or manpower that larger companies do to prevent hackers and deal with the fallout when cybercrimes occur.

In particular, Florida has earned the distinction of leading the entire country for digital fraud and ID theft, according to the South Florida Sun-Sentinel.  Other types of digital crime that commonly plague small businesses include social and email phishing attacks that allow criminals to infiltrate networks, PCs, and even mobile devices.  Small businesses don’t have immunity from cyber crimes, and they may be the most vulnerable.
Do Business Insiders Threaten Your Company’s Cybersecurity?
Certainly, small business owners should invest in security to minimize the risk of external threats.  At the same time, you should learn that the greatest threats to your company may originate on the inside, according to Eric Meyer, the CEO of Apvera, a threat intelligence company.  Mr. Meyer says that over half of today’s attacks occurred because of malicious acts from employees.  Also, unintentional lapses may contribute to much more.
For instance, Edward Snowden stole classified information from the government before he left the United States.  Jun Xie took valuable, private data from GE Healthcare.  They didn’t need to hack these systems because they already had access privileges to that data.  Insiders may already have the ability to log in to private networks, and they are also most likely to know how to cover their tracks to avoid detection.  More commonly, employees accidentally allow security breaches because they fall for phishing schemes or use unsecured devices for work.
Either way, the most difficult cyber threats to prevent begin on the inside of companies and not on the outside.  You should invest in security policies and software; however, no solutions can offer you the 100-percent assurance that you won’t have problems because of intentional or unintentional acts from the inside of your company.
How Does Cyber Insurance Protect Businesses?
As with any other type of business insurance you may consider, cyber insurance can vary between companies.  These are some common kinds of coverage to consider and reasons why you might need them:

Loss of data or computer systems: Again, your traditional business insurance might protect you against the loss of your physical computers, but it probably doesn’t pay to replace data or software that you may have lost.  Cyber insurance may pay for the costs and time you will need to invest in replacing computer systems, recovering lost data, and getting your business operational again.
Business interruption:  Your BOP may offer coverage for business interruption if your business got derailed because of a covered risk. For example, your insurer may give you money to operate until you can recover if your computers were damaged by a fire.  If cybercrime isn’t a covered risk, you won’t get compensated.  Your cyber insurance policy should offer you the money you need to keep going.
Customer notifications and bad press: In Florida, you have to comply with notification rules in case you lost private information.  You might need to spend money to communicate with customers and government investigators.  You may also have to spend some money to deal with the PR fallout from the loss.  Any loss of your reputation can be very costly to recover from.  You should look for a specialized policy that will fund your efforts to comply with government regulations and salvage your good name.
Government compliance:  After you’re done notifying everybody you legally need to communicate with, you shouldn’t be surprised to find that some government agencies want to investigate your issue. In some cases, you may have to spend money to deal with regulators and auditors.  You might even face compliance penalties and lawsuits.  You need specialized cyber liability insurance to provide you with funds.

How to Protect Your Florida Small Business From Cyber Threats
Naturally, your company’s own good security software and policies will give you the best line of defense against external and internal threats to your digital assets.  Since security experts and skilled hackers still race to keep up with each other, you should also consider managing your risks with cyber insurance.  You won’t find a one-size-fits-all cyber insurance policy in the Florida business insurance marketplace, so you should look for an experienced business insurance agent to help you obtain the right coverage for your company.  Often, these professionals can also offer you good ideas to protect your business to prevent common digital security issues.

Kaspersky on the Downward Slide After Dangerous Hack

Whether or not you believe Kaspersky was an active partner in the recent malicious hack of NSA documents, things aren’t looking good for the security giant.  

Kaspersky is in the antivirus business, and business isn’t good these days.  The Russian-owned organization is at the center of the massive conspiracy around data theft from the NSA, with multiple unverified reports stating that Kaspersky software is behind the hack that allowed an unspecified number of files to be stolen from a contractor’s PC in 2015.  While the investigation is still ongoing, rumors continue to cycle about potential collusion with the Russian government to reveal U.S. secrets — even potentially providing data to foreign state actors attempting to target computers containing sensitive NSA files.  While there is a great deal of secrecy and suspense around the topic of Russian hackers, there’s no denying that Kaspersky’s U.S. operations have been negatively impacted by the ongoing reports.
Cybersecurity Leaks
It’s an unfortunate fact that the current challenges that Kaspersky is dealing with all lead back to a single contractor who made a bad decision to take his laptop home — and the lax security procedures that allowed him to access secure files from a remote location.  It’s ironic that a massive cybersecurity company with contracts with the government and other multi-national corporations was unable to control the most basic challenge for all organizations:  controlling physical access to sensitive information.  Companies of all sizes are challenged with finding the right balance between allowing necessary access to data without providing employees with a way to leverage that same information in a way that will be damaging to the organization.  Turns out, Kaspersky fell victim to a rogue contractor who just happened to be a Vietnamese national.
Private Contractors:  Sensitive Data
With thousands of contractors and private companies making up the backbone of the security infrastructure of the government, the question remains how to adequately contain these types of leaks in the future.  Aside from the relative ease of a contractor walking out of a government building with a thumb drive full of sensitive information, the fact remains that there has been a spotlight pointed on contractors since Edward Snowden’s release of internal NSA documents in 2013 to journalists.  The shocking exposé severely damaged the intelligence capabilities of the U.S. as well as ruining the trust of millions in the government’s ability to protect sensitive information.
Hacking the NSA
While cybercriminals may look for ways to breach traditional organizations for monetary gain, hacking the NSA often has a more dangerous slant.  The NSA itself actively develops listening and hacking tools that allow it to perform remote espionage without detection. These tools are critical in the ongoing war on terrorism, and they allow operators to pilfer information quietly as well as break down invisible doors.  When these tools were released to the broader world, they lost their efficacy, which resulted in what some retired NSA officials consider a “devastating” loss to the agency and its ability to monitor the financial infrastructure of terrorist organizations.
Kaspersky’s Role in the Breach
Technically, the antivirus giant’s role in the breach is a little tenuous and involves a fair bit of theory that has yet to be proven.  It’s possible that the breach didn’t even occur when the contractor took home their laptop and accessed the files.  One version of the story postulates that a hack that occurred earlier the same year is what provided access to the files on the contractor’s laptop.  Still, others believe that the incidents are unrelated.  The vulnerability in the system was found by leveraging the standard operating procedure of uploading snippets of viruses found on systems, which was then likely identified by Russian actors who followed the trail back to the NSA files.  The major outstanding question is how data that was on Kaspersky servers made its way into Russian computer networks.  There is still a significant conversation in security and government circles around whether any breach was malicious or could simply be attributed to technical carelessness.
Release of Information
While the Wall Street Journal hasn’t gone quite as far as stating that Kaspersky was solely responsible for the NSA leak, the type of information released is important to consider. According to multiple sources, the material included “details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the US.”  The information, obtained sometime in 2015, is said to have been stolen by hackers sponsored by Russia who targeted the contractor upon review of the contractor’s files.  Unfortunately for Kaspersky, the Kaspersky AV software is thought to have been the mechanism by which the files were identified as belonging to an elite NSA group called TAO, or Tailored Access Operations group.  The hacked details, along with the details in the recent Vault 7 WikiLeaks release, render many U.S. government hacking and anti-spyware tools useless or reduce their efficacy overall.
Russian Proxy or Innocent Victim?
The jury is still out on whether Kaspersky is a Russian proxy via the Wall Street Journal narrative, or simply an organization stung by weak security procedures in regards to contractors. The organization’s nationality as Russian and the recent furor around Russian interference in the election have made for great media coverage of a story that may have been buried in quieter times.  It doesn’t help that Eugene Kaspersky, the fiery CEO of the organization, received training from the Russian government from an early age.  As the U.S. government continues to draw back from utilizing Kaspersky tools, and corporate partners such as Best Buy and others retreat and remove products from sale, it may be that the answer doesn’t matter.  The recent move by the Department of Homeland Security to direct all government organizations to stop using Kaspersky services and products doesn’t bode well for their future. However, there is still no hard evidence to be found and a lot of anonymous sources.
What has Kaspersky learned from this ordeal?  Hopefully, the lesson includes the importance of maintaining the strict security of physical devices — especially when it comes to the laptops of their myriad contractors.  Need help creating your own organization’s cybersecurity manual and putting processes in place to ensure enforcement?

Have You Been “KRACKed?”  Important–Read On!

KRACK is a bug that can affect any device with Wi-Fi capabilities. However, the news isn’t all bad. There are silver linings that come from any catastrophe.  

Cybercriminals are trying to get your devices “hooked on” KRACK (the Key Reinstallation Attack). It’s a flaw in the WPA2 protocol, the security used on wireless networks.
Since 2006, WPA2 has been used on all certified Wi-Fi hardware. It’s meant to protect the Wi-Fi connection between your computer and router by encrypting traffic using the most updated standards. What this means is simple: Your data is encrypted so anyone who sees your traffic can’t understand it because it’s a bunch of “mumbo-jumbo.” That is until now.
KRACK can “crack” your security and read your traffic (like your confidential personal and business data). Just when you think you’re safe, something else comes along to threaten your business.  
Here’s the “Good, Bad, and Ugly” on KRACK.
The Good: You May Be Ok, for Now.
For those of you who like getting the good news first, here it is:

Although the quantity of people who could be affected is huge, the actual damage may be minimal.
A hacker must be within Wi-Fi range to take advantage of KRACK’s capabilities.

This is good news because it means that a hacker can’t carry out an attack over the internet from a distance, but must be physically present and within range of a network.
Plus, only one network can be exploited at any given time by one hacker. This inconvenience is your saving grace: A hacker can only attack after a lot of thought and preparation beforehand. So, for most of us, we’re likely out of the “bull’s-eye.”
Golden Rule Revisited: Stay Off Public Wi-Fi. KRACK reinforces what you’ve been told over and over again: Don’t use public Wi-Fi. It’s not secure. It makes it all the easier for a hacker to go to the local coffee joint and hack into your devices.
Anyone who uses Wi-Fi is susceptible. That said, a successful attack on your device may be difficult to execute. Even if successful, the reward to the hacker may be limited. If someone wants to exploit this bug to hack into your device, it would demand a lot of preparation to the point where it may not be worth it.
This bug confirms what we have always known: Don’t Use Public Wi-Fi!
The Bad: The Harm Can Still Potentially Affect You.
Everyone knows crack is bad for you; even those who consume it still know it’s bad. KRACK, likewise, is bad. But unfortunately, it’s not a choice, unless your choice is to live without the devices that make our lives so much more convenient.
Although you’re likely not a target of a KRACK hacker, a problem still remains: There’s a serious flaw in our devices’ security technology. Patches for the bug are required, but they weren’t immediately available. However, hours after news of KRACK was made public, Microsoft had a patch already created, while Apple and others quickly followed with their own patch. (If you use an Android device, Netgear or other brands, you may still be waiting for a patch.)
As said, KRACK is a weakness in the WPA2 system. When the WPA2 system is weakened, a hacker can get into it, and from that access point can either eavesdrop on your traffic that’s now unencrypted, or insert ransomware or malware to compromise your computer, iPhone, or other devices.
We’re just learning about KRACK, when manufacturers have known about it for an entire month!
But access to a patch for your own devices isn’t the only problem or, for that matter, patching isn’t necessarily a solution to the problem. Does Equifax ring a bell?
That’s right. A lot of large companies have your confidential information. The likely target of a KRACK hacker is a big company. If a hacker can get into a company’s network, then access to volumes of private information can be stolen. If your information is included, then you have a battle on your hands to protect your identity, finances, and everything else that matters in the digital world we now inhabit.
The Ugly: The Future of the Internet of Things is in Question.
The Internet of Things (IoT)–That was our future. A convenient interconnection of all our devices and appliances via the Internet–Where computing devices are embedded into everyday objects so they can send and receive data. Are you low on milk? Your refrigerator can send you a text. Are you stuck in the middle of traffic and want the stove turned on or off?  Just tell it to do so via your phone. It’s nice having your security camera system, too, right? You can log on and see what’s happening in and around your house. These are all conveniences that we appreciate and can use to our benefit.
But we should wait a minute and reflect. The Internet of Things and all that makes it beautiful is now a possible threat. It could be years before any of these items get their own patches. What’s more, you may not even realize they need a patch. Imagine if someone intercepted your Internet of Things devices, say your garage door opener–That’s right, the hacker can now access your home conveniently and secretly, especially if they also hacked into your security camera system.
This isn’t to say all your devices connected to the Internet of Things are vulnerable (though they are), but KRACK highlights the deeply flawed security network for the Internet of Things.
KRACK reminds us that everything digital can be hacked–And once all our things become connected and digital, we can be hacked, exploited, and victimized. Every rose indeed has its thorn. We try to make life a little simpler, and we just make it more complicated.
The ugly, though, is always about perspective and innovation. The tech industry has taken note of the problem KRACK revealed. Auto-updates and other measures are being assessed so that when KRACK or other bugs occur, countermeasures can quickly be put into place to reinforce security and reduce threats. These measures, however, are not currently in place. That’s the ugliest part of the problem, but also an indication of hope for a solution.

8 Steps to Developing a Solid Business Continuity Plan

In business, one of your greatest assets is foresight.  Put your planning potential to good use with a solid business continuity plan to ensure your company survives any incident, big or small.  

When it comes to business, we have to foresee an entire range of potential bumps in the road, from minor challenges like toll bridges or traffic jams to serious threats such as black ice in a sudden whiteout.  Having an established business continuity plan in place will help you foresee potential threats to your company’s operation, prepare for these problems, ensure a speedy recovery, and mitigate major loss.  Although we wish you nothing but safe travels, your company’s journey might not always cover freshly paved roads on sunny days.  Follow these eight steps to creating an effective business plan so you can rest easy knowing that in the event of a flat, you have a spare tire in the trunk and the tools to get you back on the road.

Identify Potential Threats– If there was ever a time for telling scary stories, this is it.  An effective business continuity plan is one which prepares for a myriad of situations including minor hiccups such as a brief power outage to problems like natural disasters which completely halt operations. One of the qualities which set people apart from the animal kingdom is our exceptional ability to imagine, foresee, predict, and prepare for a countless number of possible future scenarios.  This foresight is especially handy in the business world; putting it to good use in your business continuity plan will ensure you are well prepared for a host of challenges.
Have a Backup Plan – An essential part of any business continuity plan takes place prior to an actual emergency: backing up everything. Be sure all essential data has a backup located offsite. Plan an alternative power strategy (such as a spare generator), a temporary location for operations, replacements for essential supplies and equipment, and even an alternative means of communication.
Lay Out an Initial Response Protocol– This plan should specify a chain of command in the event of an emergency, and it should also designate members of an incident management or disaster recovery team.  (Keep in mind that members might vary depending on the type of incident.)  This ensures that anyone potentially involved in the incident knows whom to notify first and also ensures no time is wasted deciding whose responsibility it is to take charge.
Plan an Impact Assessment– During any emergency, chaos can easily overwhelm.  A quick, calm impact assessment will help keep panic to a minimum.  Before you can handle and contain a situation, you must understand the extent of the problem and its impact.
Take Action– The action step contains the meat of your business continuity plan.  Here you must consider the potential threats and how you can best restore your company’s services, operations, and/or assets in order to control the damage.  Determine a reasonable response strategy, whether you have the proper resources in place, and how you will measure, monitor, and manage the recovery response.
Communicate– During an emergency, the initial communication to those in charge and perhaps emergency responders will have already taken place. This step is to notify, inform, and update other involved parties such as the rest of management, company stakeholders, and those who will need to collaborate in order to facilitate an adequate response.  Your business continuity plan should include contact information for all who might need to be involved such as emergency responders, vendors, and employees.
Make a Long-Term Plan– An incident can occur in seconds, but its impact can last for weeks, months, or even years.  Consider what resources you might need in order to handle an extended response to an incident and prepare for the possibility of working with outside government entities.
Resume Business– After an incident, you might not be able to go back to business as usual.  Be prepared to make changes to your company’s standard operations and procedures.  Consider how you will implement these changes, facilitate necessary training, and cover the cost of finding a new normal.

As Benjamin Franklin said, “If you fail to plan, you plan to fail.”  Plan for success with a business continuity plan.  Taking the time to establish a thorough business continuity plan will ensure you minimize both short term and long term damages as a result of any type of incident.  Not only will this save you stress in the moment, but it will also help you retain clients and customers into the future.
Draft a Solid Plan by Consulting a Professional
Our IT professionals can help you develop a solid business continuity plan for your business.  We can provide you with years of expertise, experience, and the assistance you need to ensure your business carries on – no matter what sort of roadblocks you encounter.  For advice regarding business continuity plans, data backup strategies, communication solutions, and more contact an experienced professional.

13 Things to Consider When Choosing a Managed Service Provider  

When you hire a managed service provider to help your company, be sure you select the right one.  

Whether you just opened your doors, your business is flourishing, or your company is well-established, as a business owner you have a lot on your hands.  If you are without an internal IT department and manage your own technology, then chances are you could benefit a great deal from hiring a managed service provider.  With the right managed service provider, you will have more time to focus on what you do best – running your business.  Selecting the best managed service provider for your company, however, can be complicated.  To ensure you choose the right company, consider the following thirteen items before deciding which managed service provider will help your business grow.

Industry Experience– Most IT professionals will be excited to face a new challenge, but it is best for your business if your managed service provider has real experience working in your industry.  If you run a restaurant, then an IT expert with food service industry experience will be able to serve you much better than one who has primarily worked with accounting agencies.  Industry experience ensures your managed service provider will be able to foresee potential problems and also anticipate your operational needs.
Good References– Verify the company’s industry experience and customer service skills by asking for a few references.
Longevity– You want to select a managed service provider who will be around as long as your company (hopefully forever).  You can verify a provider’s history by searching for press releases, asking for financial statements, or checking with references.
Insurance– By checking that your provider is properly insured, you can be certain that the cost of any mistakes made on their part will be paid.  Verify your provider has a current policy in place, just like you would for any outside vendor.
Billing Structure– The way a provider bills will affect more than your accounts payable; it can also reveal the quality of the company’s integrity.  Avoid those which strictly charge by the hour, looking instead for providers who charge flat fees for certain services.  For these managed service providers, doing the job right the first time is mutually beneficial.
Service Contract Scope– Be sure your provider offers a contract and list of services which covers the entire scope of your company’s needs, including computers, laptops, phones, tablets, payment systems, and even cloud computing.  You do not want to get stuck in a contract with a company that cannot handle the entire job.
Agreeable Contract Terms– You also do not want to get trapped in a contract which does not have flexible terms.  Look for a contract which allows you to add or remove services, or curtail service altogether without too great a penalty.
House Calls– Depending on your needs and IT skill level, a managed service provider which offers in-house service might be a real necessity.
Processes– A well-established managed service provider will have established procedures for handling various tasks.  Ask what the typical course of action is when troubleshooting a problem for a client.
On-Site Availability– Find out whether the company handles all aspects of their services in-house or if they outsource.
Staff– If the managed service provider does not outsource services, then ask about their staffing levels.  You want the company you choose to have enough personnel to handle your business.
Response Times– A managed service provider should be able to give you an upfront estimate of response times in any given situation.  This will give you a good idea of the time it will take to fix problems which arise in the future.
Ability to Innovate– While you probably do not want your company to be the guinea pig that discovers all of the bugs in the latest technology, you also do not want to fall behind.  Offering the latest services and adopting new technology early on will ultimately give your business an edge over its competition.  A managed service provider which stays on top of the latest innovations and offers the most advanced options in IT will ensure your company remains contemporary, functional, and relevant.

Why Invest in a Managed Service Provider?
Your company stands to gain a great deal from selecting the right managed service provider. With your technology needs in the hands of experienced professionals, you will have more time to focus on what you do best, while your company benefits from the following:

Increased efficiency
Convenient access to knowledge, advice, and skills
Improved service and business continuity
Reduced technology-related risk
Increased IT security infrastructure
Improved regulatory compliance
Increased adaptability to technological innovations

Even though investing in a managed service provider will add an operating expense to your business, the cost is minimal compared to the benefits.  With a managed service provider your company stands to benefit overall from reduced expense as a result of increased efficiency, improved production, better operations, improved products and services, and the mitigation of costly, detrimental risks.
Comprehensive IT Management Services Suited to Your Business
If you own a small to medium-sized company and need assistance with implementing, improving, or maintaining your information technology systems, but are not prepared to hire a full-blown IT department staff, then a managed service provider might be the right solution for you.  Similar to hiring an accountant to handle your taxes or a repair person to fix the air conditioning, outsourcing IT management can save you time, money, and a considerable amount of stress by eliminating the job of maintaining the network and devices you need to run your business.  At {company} in {city}, our experienced IT professionals provide our clients with a comprehensive menu of IT management services.