Cybersecurity Is Crucial. Learn the Fundamentals to Limit Your Exposure.
Cybersecurity breaches have been increasing in both number and scale. Global losses to cybercrime are projected to reach more than $6 trillion annually by 2021, making it more profitable than the entire global drug trade.
With all of the well-intentioned advice out there about cybersecurity, there are a lot of misconceptions companies face about how to protect themselves against this increasing threat. In the video above, President of ProWriters Brian Thornton debunks the most common myths surrounding cyber basics. With 20 years of experience in the industry, ProWriters can give you the tools you need to limit exposure, enhance your information security, and mitigate risk from cyberattacks.
Common Misconceptions: Mastering Cybersecurity Basics
Because cybersecurity is a complex topic, there are many misconceptions about how to best protect businesses and their network security from a cyberattack. Debunking the myths and understanding the basics is an important step to managing your exposure. Below are the basics every broker and every business owner should know about cybersecurity.
PII/PHI Opens Companies up to Third-Party Exposure
Companies that handle a lot of Personally Identifiable Information/Personal Health Information (PII/PHI) have obvious liability exposure with this sensitive information. Even companies that don’t have very much PII/PHI still have third-party exposure. As Brian explains in the video above, hackers can attack a company via unauthorized access through a third-party vendor, and such instances could result in lawsuits against the affected company for negligence and damages.
The Home Depot and Target breaches are two cases that illustrate this. Both instances involved hackers obtaining the credentials of a third party and using those credentials to invade each company’s system, deploy malware, and steal confidential data.
Technology Is Only Part of the Solution
A common misconception Brian covers in the video above is the idea that investing in technology provides the ultimate cybersecurity and protects against all malicious programs, malicious software, and potential data breaches.
While technology can play an important role, it’s only part of the solution, and any security expert can tell you that no technology is 100% effective against cyber threats and their ability to gain access to network systems. With threats evolving every day, cybersecurity technology has the challenge of keeping up with many different types of malware and cyber threats, including social engineering and spear phishing attacks.
A recent study concluded that nearly half of the top antivirus scanners failed to detect malware when it was installed. During this penetration testing, one-third of antivirus scanners still did not detect malware samples two months after infection. Additional security steps, such as two-factor authentication and strong, unique passwords, are still not impervious.
With these exposures left by technology, insurance is an important part of protecting companies from cyberattacks. As the video explains, cyber and privacy liability insurance mitigates exposure and covers the gaps left by cybersecurity software and technology, ultimately limiting liability in the event of a breach.
PCI Compliance Doesn’t Guarantee Security
PCI compliance refers to compliance with the Payment Card Industry Data Security Standard (PCI DSS). Any company that accepts credit card payments, regardless of size, is subject to the standard. As Brian points out, many companies that are certified as PCI-compliant believe they are completely secure. Compliance is an important aspect of cybersecurity, but it is still only one part of a larger picture. PCI compliance just means a company was certified compliant on the day it was audited; it’s not necessarily indicative of 24/7 security.
As many companies have learned, being PCI-compliant isn’t a foolproof solution. A great example of this is Heartland Payment Systems, which experienced a major cybersecurity breach even after six consecutive years of PCI compliance. Heartland Payment Systems isn’t a rare exception; many of the major retail credit card breaches in the news today happened to companies that were PCI-compliant. In short, while PCI compliance is part of cybersecurity, it doesn’t equal cybersecurity.
Cyber Insurance Covers More Than Many People Think
While some businesses believe cyber insurance does not cover much, in reality, cyber insurance policies can be broad and comprehensive. Companies tend to run into issues with insurance when they try to use general liability policies, E&O policies, or fidelity bonds to cover data breaches, which they were not designed to do. A cyber insurance policy is specifically designed to protect businesses from a wide range of cyber exposures.
The quality of the coverage also matters. There are rare instances where a business is denied coverage under a cyber policy, but in most of these cases, the business did not consult an expert like ProWriters and opted for cheap, inadequate coverage. And, as these companies quickly learned, going for the cheapest coverage may actually end up being the most expensive option in the event of a breach. Cyber policies have never been more comprehensive and can address significant exposures, so it’s important to choose the one that addresses the right exposures.
Liability Cannot Be Outsourced
As Brian emphasizes in the video, outsourcing services like payment processing is not the same as outsourcing the accompanying liability. Businesses have a legal liability to their customers, and in the event of a breach, they are required to:
- Alert their customers of the breach
- Notify the appropriate regulators
- Offer credit monitoring services to their customers
- Cooperate with and provide support for investigations
Furthermore, a standard contract with a payment processor or processing bank often limits the liability to fees paid to that processor over the last three to six months—which is minimal in the context of even a small breach. Any time a customer does business with a company, that company is legally liable, even if they outsourced payment processing.
The Best Cybersecurity Is Holistic
As Brian Thornton mentions in the video above, cybersecurity requires a holistic approach to be effective. There is no silver bullet for preventing cybersecurity breaches, and companies both big and small can be the target of a cyberattack. Beyond things like technology and compliance, companies with the best cybersecurity will also have:
- Employee awareness and training
- Cybersecurity policies and standards that are clearly defined
- Mitigation measures in the event of a cyberattack
- Cyber insurance coverage
Understanding the common misconceptions around cybersecurity basics is an important step to managing cyber risk. ProWriters brings 20 years of expertise to this area and is here to help. To learn more about how our services can work for you, please book a call with us today.