Financial: Managing Cybersecurity Risks

By Mark E. Battersby / Published February 2015

The recent headlines about Internet hacking and security breaches have focused on large retailers, such as Target, Neiman Marcus, Home Depot, and big banks like JPMorgan Chase. Unfortunately, fraud and financial data losses are not limited to retailers or even to one industry. Small pressure cleaning businesses are increasingly vulnerable to cybercrimes like online identity theft, hacking, or phishing.

Today, almost every pressure washing contractor, supplier, and equipment dealer has some form of Internet connection or stores data such as customer lists, employee information, books, records, receipts, and tax documents, yet nearly 83 percent of small businesses do not have a contingency plan outlining procedures for responding to and reporting data breach losses. According to the National Cyber Security Alliance, a nonprofit cybersecurity educational organization, one in three small businesses is a victim of cybercrime each year, with 60 percent of those victimized going out of business within six months.

Protection Basics

We correspond through e-mail, transfer information through the Internet, and hold business meetings online. Many businesses are even completely paperless.

Often overlooked is the fact that any pressure washing business that takes names, social security numbers, and other sensitive customer information may be required by law to take all of the steps necessary to protect this data from loss and theft. No business can hope to remain safe from cyber threats if it fails to take the necessary precautions.

A data breach or hacking incident can not only harm the pressure cleaning business, but it can also lead to a lack of trust on the part of consumers, partners, and suppliers. Small businesses must make plans to protect their operation from cyber threats and help employees stay safe online. In fact, it is the pressure washing operation’s obligation to protect the data and the financial information of its customers, suppliers, and employees.

The Problem Times Ten

So-called “cyber hacking” is big business, and no one, not individuals, not small businesses, and not large corporations, is safe. In the U.S., most states have breach notification laws, and other countries are following suit. Under many of these laws, written notification must be sent to those individuals who have been affected. Even where such laws are not in place, a reputable business should provide breach notification.

It should come as no surprise that social media sites can expose information at light-speed with little control. It is becoming more and more likely that a pressure cleaning business’s reputation will suffer from a cybersecurity breach.

It is not only a business site but also an employee’s activity on social media sites that can trigger liability, especially if the business is responsible for the sites. Defamatory statements, leaked information, and copyright infringement are all growing concerns.

Losing the trust of customers can be much more damaging than the financial loss of repairing the effects of any breach. Making matters worse, a pressure cleaning business can be held liable for the loss of third-party data. If there is a data breach, the operation could find itself facing expensive damage claims.

Do-It-Yourself Risk Management

The increasing threat of data security breaches makes it important for every pressure cleaning business to reinforce its security practices. But how can any business manage this risk?

Security experts agree that the easiest place to start is strong password protection. Yes, password protection, something a surprising number of IT-sophisticated businesses often fail to master. Many recently exposed “hacking” cases have been traced back to weak passwords that were either (1) not encrypted or “salted,” or (2) not changed regularly.

If managing passwords for all of the operation’s servers, apps, cloud services, databases, tablets, and laptops seems daunting, there are affordable password management professionals and software that will do it for you—usually avoiding the often big price tag of cyber insurance.

Other tips to help secure a pressure cleaning business’s data, reduce its liability and, in many cases, reduce the cost of insuring against potential losses, include:

Get a firewall. There are hardware and software approaches that are both cheap and easy to use.
Conduct regular risk assessments to reveal hardware, software, and individual site vulnerabilities.
Computers that are used for sensitive applications, such as making electronic bank deposits, should be isolated from the rest of the business’s network.
Control access to data, which often means limiting delivery and exchange of customer-, supplier-, or employee-related documents and information to secure channels.
Get anti-virus software and use it. There are a number of popular packages, most of which are relatively inexpensive. Although free updates are usually included, make sure to update the program regularly or, better yet, allow the software to do so automatically.
When an employee or contractor who has had access to the system leaves the pressure cleaning business, the employer should make sure their passwords are no longer usable. (Many employers lock an employee out of the system just before or at the same time he is being terminated.)
Create—and implement—a data security plan that includes immediate notification of all affected parties. In many cases, it is the law.
Share the liability by demanding similar protocols with suppliers—and checking for compliance.

Insurance to the Rescue

Little of a pressure cleaning business’s data is typically covered under today’s insurance policies. Thus, liability for any loss of customer or employee data is probably not protected. Admittedly, some business insurance policies might offer general liability protection. Directors and Officers (D&O) liability may, for instance, provide a measure of coverage for these areas. Unfortunately, as the risk escalates, it is only after a hack attack that many contractors, distributors, and manufacturers discover what is and what isn’t covered by their insurance policies. Unfortunately, by then it’s too late.

A business interruption insurance policy rarely helps in the event of a system failure because of a malicious employee, computer virus, or a hack attack on a pressure washing business. Identity theft, telephone hacking, and phishing scams are all very real possibilities rarely covered by traditional business interruption policies.

While few so-called “umbrella” policies or blanket liability insurance policies cover these types of losses, a relatively new type of policy, cyber liability insurance, is available. Cyber liability insurance has been available for almost 10 years, although it is very rarely purchased.

Cyber liability insurance can cover hacker attacks, viruses, and worms that steal or destroy a business’s data. Even e-mail or social networking harassment and discrimination claims can be covered along with trademark and copyright infringement. Cyber liability insurance will often cover the loss of profits because of a system outage caused by a non-physical peril such as a virus or attack.

A pressure cleaning business purchasing cyber liability insurance enjoys special protection from most digital issues. The new cyber liability insurance products available today can help protect the business from cyber problems that could cause tremendous hardships.

When looking into cyber liability insurance, common sense dictates that all potential risks should be covered, including laptops and mobile phones. Portable devices make it much easier both to store and to lose information. For example, a missing USB stick, a stolen iPad, or a laptop left in a taxi are all real possibilities and, for a hacker, a goldmine. There are viruses being built just to attack mobile devices.

A good insurance company will ensure a policyholder has all the protection in place that is possible. It can make sure a firewall is in place to protect the network and help create social media policies that reduce risk. Even if data is stored in the cloud, the business may still be liable for a breach. Although controlling how a cloud provider handles the business’s data is almost impossible, cyber liability insurance can protect any operation from the provider’s mistakes.

Large corporations often have risk management budgets, while most small businesses usually don’t. Unfortunately, most hack attacks target operations with fewer than 250 employees, a group where few have the financial means to pay the fines and lawsuits that often result from breaches or data losses, or to stay afloat throughout the process.

Hacking Threats

Sixty-six percent of small business owners and managers are not concerned about cyber threats—either external or internal. External threats include a hacker or cyber-criminal stealing data, while internal threats include an employee, ex-employee, or contractor/consultant stealing data.

Unfortunately, data breaches or hacking incidents can really harm a pressure cleaning business and often lead to a lack of trust from consumers, partners, and suppliers. Every pressure cleaning business, especially those transacting business online, should have a cybersecurity plan that includes keeping computers “clean,” protecting information, frequently changing passwords, and having good anti-virus software.

Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Businesses, even independent, small pressure cleaning businesses, are increasingly in their crosshairs and need to use every protection strategy available, including cybersecurity, to combat the growing cyber threat.