Tag Archives: best practices

Best Practices in Cyber Security

Cyber crime is the fastest-growing segment of the global criminal economy, now including state-sponsored hacking from the likes of North Korea, China and Russia. According to a 2015 FBI report, cyber crime has now overtaken illegal drug activity, moving into first place.

As a result, the cyber liability insurance market is surging. Premiums are expected to top $5 billion by 2018.

More than 60 companies currently offer cyber liability coverage on a standalone basis. Much of the underwriting for cyber risks includes the company-specific details and security breach data available in the public domain through websites such as Privacy Rights. 

According to Privacy Rights, nearly one billion records have been stolen from organizations of all sizes that are all running anti-virus software and firewalls. Unfortunately, anti-virus software misses as much as 30% of malware. Firewalls are perimeter traffic cops with no intranet security capabilities.

Screen Shot 2016-04-25 at 2.42.40 PM

How does a savvy cyber insurance or reinsurance underwriter determine when breach-prevention measures have been taken by a given risk? How can today’s technology solutions be used to disarm the hackers and prevent cyber losses, reducing the potential for a significant claim?

Today, like never before, we face the frequent barrage of spear phishing attacks, new forms of very creative and nasty malware such as remote access Trojans (RATs), ransomware, zero-day malware (that means your antivirus doesn’t yet have a signature for the malware), not to mention the risks of malicious insiders, infected laptops coming and going behind our firewalls. In addition, many small and medium-sized businesses (SMBs) face increased scrutiny by government regulators. Cyber crime is growing at a tremendous rate – it’s become an organized, big business opportunity for criminals, projected to grow to $600 billion this year, larger than any other form of crime, according to the World Bank.

Cyber liability underwriters will want to appreciate what a network security, cyber risk management-focused, underwriting prospect looks like relative to the broader market.

Screen Shot 2016-04-25 at 2.44.21 PM

All cyber liability enterprise policyholders are not equal when measuring breach prevention methods and techniques that may be deployed with an eye toward mitigating significant future losses.

You might ask – why would my smaller business be a target – we’re not Bank of America – we’re not Home Depot or TJMAXX or Anthem? Yes, they all are big targets for big hackers, but cyber criminals don’t discriminate. In fact, they find SMBs easier targets because, traditionally, your level of defenses against cyber crime might not be as advanced as those at Bank of America – which has a $400 million annual information security budget. To the cyber criminals in in the dark corners of the Internet, you’re called a “soft” target – they feel you are easier to exploit.

One piece of ransomware and you might be out of business. Some of the latest ransomware exploits will not only encrypt your laptop or desktop, but they also look for file servers and do the same, automatically. Then, you won’t have any access to your own files – or, even worse, customer records – until you pay the ransom. The FBI even recommends you pay the extortion fee. We find this all wrong. It’s completely backward. We cannot let ourselves be victims. It’s time to get more active and be one step ahead of the next attack – you are a target but you don’t have to be a victim.

It all starts with best practices. For example, if you did frequent daily backups and tested these backups, then, when you’ve been victimized by ransomware, instead of paying the extortion fee, why not wipe the infected computer, re-image it then restore the latest backup? When asked, most SMBs say “I don’t do frequent, daily, backups” or “I haven’t figured out how to wipe and re-image all of our systems in the event they get infected.” So, it’s that simple, one best practice – Backup and Restore — would save you thousands of dollars in extortion fees. You could thumb your nose at the cyber criminals instead of giving them some of your hard-earned revenue.

Cyber liability policy terms and conditions should reflect more favorably on “Breach Prevention”-focused organizations.

Best practices are things you do – steps you take – actions and plans, risk management and claims mitigation techniques. Within those plans, we are certain you will include which security countermeasures to budget for this year.

Seven Best Practices to Reduce Risk

Although we thought about going into details about recent security concepts, such as next-generation endpoint security or network access control, it seems more appropriate to focus on the best practices instead of the best security tools you might consider deploying.

For example, we consider encryption a best practice and not a product or tool. We are sure you’ll find many commercial and freely available tools out there. You can always evaluate those tools that you find most suited for your own best-practice model.

So let’s consider the following as MUST-DO best practices in cyber security to defend your SMB against the risk of a breach:

1) Roll out corporate security policies and make sure all your employees understand them.

2) Train employees and retrain employees in key areas – acceptable use, password polices, defenses against social engineering and phishing attacks.

3) Encrypt all records and confidential data so that it’s more secure from prying eyes.

4) Perform frequent backups (continuous backups are even better than daily backups) and have a re-image process on hand at all times.

5) Test your system re-imaging and latest backups by restoring a system to make sure the backup-restore process works.

6) Better screen employees to reduce the risk of a malicious insider.

7) Defend your network behind your firewall using network access control (NAC) – and make sure you can block rogue access (for example, the cleaning company plugging in a laptop at midnight) and manage the bring your own device (BYOD) dilemma.

Screen Shot 2016-04-25 at 2.46.20 PM

More Than 95% of Breaches Happen Behind Firewalls – It’s Usually an Employee Mistake

How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone sounding important who needed “inside” information? It’s happening too frequently to be ignored. Some employees love browsing Web sites they should not or gambling online or chatting using instant messenger tools. You need to educate them about acceptable usage of corporate resources. They also usually don’t know much about password policies or why they shouldn’t open the attachment that says “you’ve won a million – click here and retire now.” It’s time to start training them.

Invite employees to a quarterly “lunch and learn” training session. Give them bite-sized nuggets of best practice information.

For example, teach them about the do’s and don’t’s of instant messaging. If you are logging e-mail for legal purposes, which in some cases is required by law (SEC requirements for financial trading firms), let them know that you are doing it and why you are doing it. Give them some real-world examples about what they should do in case of an emergency. Teach them why you’ve implemented a frequent-password change policy and why their password should not be on a sticky note under their keyboard.

Let these sessions get interactive with lots of Q&A. Give an award once per year to the best security compliant employee who has shown initiative with your security policies. If you can keep them interested, they will take some of the knowledge you are imparting into their daily routines. That’s the real goal.

Are My Best Practices Working? Time for Self-Assessment Before an Audit

Perform your own security self-assessment against these best practices recommendations I’ve listed above. Find all of the holes in your information security environment so that you can, document them and begin a workflow process and plan to harden your network. Network security is a process, not a product, so to do it right, you need to frequently self-assess against the best guidelines you can find.

Boards of directors, CEOs, CFOs and CIOs are under extreme compliance pressures today. Not only are they charged with increasing employee productivity and protecting their networks against data theft, but they are also being asked to document every aspect of IT compliance.

We recommend, whether or not an outside firm is performing IT compliance audits, that you begin performing measurable compliance self-assessments. You’ll need to review those regulations that affect your organization. In the U.S., these range from GLBA for banks to HIPAA for healthcare and insurance providers to PCI for e-tail/retail to CFR-21-FDA-11 for pharma to SOX-404 for public companies.

Some states have their own regulations. In California, for example, if there has been a breach in confidentiality due to a successful hacker attack, companies are required by law to publish this information on their Web sites. The California Security Breach Information Act (SB-1386) requires the company to notify customers if personal information maintained in computerized data files has been compromised by unauthorized access. California consumers must be notified when their name is illegitimately obtained from a server or database with other personal information such as their Social Security number, driver’s license number, account number, credit or debit card number, or security code or password for accessing their financial account.

If you are a federal government agency, you need to comply with Executive Order 13231, to ensure protection of information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems. Also, if you are a non-profit organization, you are not exempt from the reporting requirements of regulations in your industry (banking, healthcare, etc.). Please make sure to seek legal counsel if you are not sure of which regulations you’ll need to address.

The easiest thing you can do to prove you are in compliance is to document your steps of protecting data.

Document Your Best Practices

Documentation showing that you’ve implemented best practices for risk reduction and against cyber crime will come in handy if you ever have a breach and need to defend yourself to enforce your cyber insurance policy or to keep the government regulators off your back. This kind of documentation is also good in the event someone sues your organization.

You should be able to prove that you have in place all the best policies and practices as well as the right tools and INFOSEC countermeasures for maintaining confidentiality, availability and integrity of corporate data. By frequently assessing your compliance posture, you’ll be ready to prove you “didn’t leave the keys to the corporate assets in the open.” If your network is ever hijacked and data is stolen, you’ll have done your very best to protect against this event and it will be less of a catastrophe for your organization.

Do you have a cold, warm or hot backup site in case of a critical emergency? If not, you should start planning one. If you can’t afford one, could you create a “virtual” office telecommuting situation where your organization could continue to operate virtually until you’ve resolved your emergency situation?

Knowing we are under constant attack and risk, now is the best time to begin implementing these seven best practices for network security. Hackers, malicious insiders and cyber-criminals have had their field day this year, and it’s only going to get worse – hijacking our SMB networks and placing most organizations at risk of being out of compliance, tarnishing our brands, reducing our productivity and employee morale — placing most of us in the passenger seat on a runaway Internet.

By taking a more active approach, setting measurable goals and documenting your progress along the way, you might find yourself in the drivers’ seat of cyber security.

Are ‘Best Practices’ Really Best?

Best practices can help companies gain a competitive advantage. However, the opposite is often true. There are various reasons for this, but, in our experience, we have observed three major problems with implementing what a company perceives to be best practices.

  • First, the benefits are elusive. They are often difficult to measure, with no baseline or true comparison, and the costs to implement them are often excessive and misunderstood. This often means there are significant implementation costs and effort with few tangible results.
  • Second, best practices exist in the rearview mirror. By the time you have adopted them, business conditions and the right ways for implementing them will have changed.
  • Third, once adopted, these practices can be very difficult to change. The organization has invested emotion, credibility, time and money, and it’s very difficult to abandon a practice even if it doesn’t work or needs to be adapted.

What’s often missing is clarity on the best practices that are most relevant to the business.

Companies naturally want to be competitive, and many seek inspiration outside their own industry in their search for the best-of-the-best. Companies tend to reach broadly, embracing a great number of potential best practices. Conversely, some companies narrowly benchmark themselves against only their peers. Following either extreme often results in missed opportunity for real improvement. In addition, if implementation occurs in silos, then best practices tend to compete with one another and increase complexity and overhead.

Although the benefits from deftly applied best practices can be real and demonstrable, they often are more elusive than anticipated and can result in frictional costs, impasses, noise in the system and ultimately few concrete benefits to the bottom line. Moreover, implementation costs can be high but may not be visible until the cost of adoption or compliance becomes evident throughout the organization. Finally, benefits may elude adoption, specification, measurement and capture.

Our observations

Best practices tend to be selected and defined in isolation. Once they have a mandate, individual business and functional areas, centers of excellence and shared services often tend to implement new practices without giving sufficient consideration to downstream implications, such as costs. New best practices come with costs, and when they are supposed to result in higher service levels, they may come with higher-than-average costs.

Accordingly, the application of new practices requires balance and compromise. They may reduce expenses in part of the organization but may increase frictional costs and place an extra burden on people, process and technology elsewhere.

A common problem is that many companies attempt to implement too many new practices in too many places. Most organizations’ ability to adapt to change is limited, and change tends to be undermanaged, especially when new best practices are required by new control mandates.

Many companies also tend to overestimate the opportunities that standardization offers. We have seen some companies try to standardize everything and inevitably encounter challenges they had not anticipated. New best practices need to be capable of changing and evolving over time, as well as being able to adaptable to local differences and requirements.

Lastly, many companies fail to conduct a cost/benefit analysis when instituting new best practice mandates. If a best practice is central to the business strategy’s success, then frictional costs are an acceptable risk. However, excessive application of best practice improvements can waste resources (e.g., a need for excess staff to perform the work, complex policies and procedures, standardization for its own sake and demands for “unnatural acts of cooperation” that hinder the business’ ability to respond to changes in the marketplace).

What should companies do differently?

Many companies have the habit of relying on practices that are not appropriate for them and therefore fail to effectively execute desired strategy. To help prevent these problems, we suggest using a success framework that prioritizes and enhances company focus on improvement efforts. This framework should have the following six characteristics:

Success Framework A Mechanism…
1.  Prioritization To identify what’s most important and to align implementation effort with strategy.
2.  Proportion To confirm that the implementation effort is proportionate to the practice’s perceived value.
3.  Readiness To assess organizational appetite and readiness.
4.  Implementation To assign authority, accountability, responsibility, and appropriate resources.
5.  Impact To track impact, including both intended and potentially unintended consequences.
6.  Change To drive continuous improvement and to authorize a full stop if warranted.

 

It is critical to first identify which best practices are worth the effort, through prioritization.

Implementing leading practices can cost money, but there may or may not be tangible benefits or related savings. The question to ask is: How good is good enough? Moreover, when the implementations of best practices compete with each other for time and focus, there are frictional costs that further minimize expected benefits. Being cognizant of frictional costs and avoiding them is critical to optimizing investment and benefit realization.

What we’ve concluded

Best practices are about performing better and therefore adding strategic and operational value.

Accordingly, because of the highly subjective nature of “best,” we suggest the term “value added practice” (VAP) instead. By putting value at the center of practice improvement efforts, a company can better plan and implement new practices. Frameworks for investment and continuous improvement are key, especially at larger organizations where budgets, controls and approvals tend to be complex.

Before embarking on a new best practices initiative, a company should perform a quick self-diagnosis. Are you trying to implement a best practice for its own sake, or are you clearly focusing on the value you hope to realize?

If you plan to invest in new capabilities without tying them to specific business objectives, then you should step back and determine just how implementing new best practices will benefit the company.

4 Keys to Competitiveness in the New Economy

This post is the first of a four-part series.

Ask any business owner today how the marketplace has treated them the last few years, and you’ll hear a recurring theme: “It’s been hard.” But some have learned how to improve their risk management and shore up several facets of their business where profit leaks can occur. You can explore your own vulnerabilities to claims and correct them by following a system known as “PX4.”

The 4 P’s are:

1. Pre-Hire : What does your hiring process look like?

2. Post-Offer: What should you be doing after you’ve offered someone a job?

3. Pre-Claim: What policies and procedures do you have in place before you have your next loss (whether via workers’ compensation or something else)?

4. Post-Claim: What systems do you have in place to keep yourself and the insurance carriers from losing money because of things you let fall through the cracks?

We’ll cover the first P in this article, then discuss each of the other three in subsequent pieces, as we cover the concept of TCOR (Total Cost of Risk) and lay out tools you can use to streamline and organize various aspects of your business, such as training and claims management. Our goal is for you to take away several insights that could save your company hundreds of thousands of dollars or maybe even millions of dollars in lost profits and revenues.

Pre-Hire

If you’ve had to deal with an employee lawsuit in the past few years, you know they’re frustrating and lead to a major loss of profits. Lawsuits can come from many issues; for this series, we’ll cover lawsuits coming from EEOC issues or workers’ compensation claims.

In the last 10 years, the settlement costs of lawsuits have risen to more than $310,000. If you were sued by one of your employees, and the settlement was a mere $15,000, how much do you think that would cost your company? Would you be surprised to learn a claim like that would cost your company more than $50,000? If your profit margins were 4%, it would take you $1,250,000 in additional sales to make up for that loss.

Reducing your risk is critical to your bottom line. Business risk can take many forms, such as:

1. Financial Risk: Asset price volatility (currency, interest rates, material and labor costs)

2. Operational Risk: Efficiency, productivity, etc.

3. Hazard Risk: Lawsuits, insurance claims (workers’ comp, general liability, fire, etc.)

Of those three areas, companies are surprised to learn that operational risk is the costliest to companies. Although hazard risks are expensive, they can be transferred through the purchase of insurance policies.

To reduce your risk, you must begin with an assessment of your hiring practices. Do you feel like you have a watertight system in place, or have you gotten rusty because you’ve not been doing a lot of hiring in the past several years? Do you feel you’re using good employment applications and asking appropriate questions?

What successful companies realize is that the effectiveness of their hiring can be a great indicator for profitability in the future. Studies have shown that hiring the wrong person can be very costly, and not only from the loss of productivity or from having to find a replacement; bad hires can be fertile ground for workers’ compensation claims.

To avoid bad hires, it is always wise to request a Motor Vehicle Report on potential hires from a vendor who specializes in that service. A couple of good sources are the Insurance Information Exchange (www.iix.com) or LexisNexis Employment Screening (www.screennow.com).

You may also want to consider conducting a personality profile to make sure you don’t hire the proverbial “dog that can point but that can’t hunt”—someone who can tell you exactly what you want to hear but who isn’t a good fit for your company. Predictive Results (www.predictiveresults.com) and Zero Risk HR (www.zeroriskhr.com) are two companies that specialize in personality profiles; they claim a 96% success rate in helping you make sure you’re hiring the best person.

Back ground checks have become a routine part of the pre-hire process these days. You can contact First Advantage (www.FADV.com), Edge Information Management (www.edgeinformation.com) or National Crime Search (www.nationalcrimesearch.com ) for this important process.

Getting the Pre-Hire process right will get you moving in the right direction but is just the start. In our next post, we’ll look at the second part of the “PX4” plan – The Post –Offer process.