Cybersecurity And You: Does Size Matter?

This article is more than 6 years old.

We’ve all been warned to change our passwords regularly, make sure they’re not easy to guess, and keep a sharp eye on our credit card statements. And many of us are diligent in doing what we can to keep our information secure.

But the irony of the situation is that most times our personal data is hacked from behind the firewalls of the companies we do business with—and not because of a lack of our own personal data hygiene. I’m not saying we should ease up on those best practices, but as the headlines have proven, much of data security is out of our hands.

And although the headlines tend to be about the big names with big databases full of customer information, we provide our personal data to vendors large and small, in person and online.

Let’s take a look at what’s really going on. Hacking isn’t a headache reserved for large businesses. Many small business owners may think they can fly under the radar of cyber hackers, but they’re wrong. Cyber attacks targeting small businesses have risen from 18 percent in late 2011 to 36 percent today. Perhaps that’s not surprising when 87 percent of small businesses don’t have a formal written Internet policy for employees.

If there’s any doubt as to the dire impact, according to the National Cyber Security Alliance, some 60 percent of small businesses are expected to close within six months of a cyber attack.

While we assume hackers will attack large companies because their potential haul will contain the personal information of millions, hackers may target smaller prey anticipating weaker cyber defenses. And while many of us also might assume that personal data is more at risk in an online purchase than in a store, transacting in either environment typically involves some kind of electronic activity.

Confirming that a jagged disconnect remains between assumption and reality, we at Verisk Analytics found some surprising and not-so-surprising trends through a recent survey we commissioned of 400 consumers. We asked about their cyber experiences with retailers across the United States and how secure they feel from a cyber attack.

Their responses were alarming: about half (48.8 percent) said they had been notified by a business (restaurant, retailer, financial institution) that personal information may have been compromised in a hacking or cyber attack. (An example might be exposure of a credit card number from a dinner out or theft of a Social Security number while doing some online banking.)

And yet the same group still feels unaware of or unprepared for a cyber attack or other attempt to hack personal information. More than 40 percent said they believe they are unprepared; another 29 percent just aren’t sure.

Facing an existential threat, that sense of denial can be a very human reaction. But it shouldn’t be the case for businesses, even though cybersecurity experts are noting these troubling trends in business defenses:

  • a lack of specialist security and legal expertise
  • fewer controls and less oversight of processes
  • employees working remotely with Wi-Fi that’s not secure
  • less secure websites, e-mails, and payment processes

Cybersecurity and the insurance protection designed to shield small businesses from cyber attacks have become essential parts of business survival. According to the National Institute of Standards and Technology (NIST), cyber attackers sometimes use small businesses—which they see as easy targets—to attack larger businesses, possibly through the supply chain or payment portals. NIST developed a guide that explains basic steps that small business owners not experienced in cybersecurity can take to better protect their information systems.

Know thy retailer

What in general is the difference between a security-minded business and others less secure? One common theme among many businesses that have overhauled their cybersecurity practices is culture change. That transformation very often starts at the top, with C-level executives integrating secure cyber practices within the workforce and bringing cyber risk to the forefront of operational strategies. A resilient culture may be difficult to define, but it’s arguably one of the best measures to help prevent a cyber loss event or mitigate losses from outside attacks.

More than half of all cyber attacks in 2013 were the result of employee negligence, according to Infosecurity magazine. Since then, that number has declined, in part due to other forms of attack but also because of stringent policies and education programs instituted within many large companies.

Analyzing the cyber exposure of a commercial business introduces challenges not necessarily present in more traditional risks. The first and foremost challenge in understanding cyber risk is sourcing relevant data.

Many small and medium-size enterprises (SMEs) outsource many of their IT services to vendors. Facilities managers may not know details about the mail server host or SSL certificate. Understanding the value of the data and assets that employees collect, store, and analyze is also highly important. “Thinking like a hacker” allows a business to consider data and web-facing assets with a view of what’s most vulnerable, what needs additional protection, and how to prioritize resources to help ensure more secure operations.

Who’s responsible?

In our consumer survey, only 22 percent of respondents indicated an awareness of insurance coverage for personal cyber crime. The rest either didn’t know or weren’t sure.

The fact is that the insurance industry as a whole also currently struggles with sharing and communicating cybersecurity intelligence. This often puts many insurers at a disadvantage from the start. In contrast, the hacker space is rife with knowledge sharing and communication, exposing vulnerabilities and strategies to attack systems and improve attacks through phishing, malware, and ransomware.

At present, the insurance industry lacks a central source of claims- and loss-related information. But the industry has a long and successful history of sharing policy- and claims-related data to help improve market conditions and performance in more traditional lines, and it’s likely that this same practice can benefit the cyber risk insurance space.

Cyber risk presents a challenging environment for many insurers and businesses, large and small, to operate in—primarily due to the dynamic risks and hazards and a lack of understanding of the vulnerabilities. Generally, the hacked entity bears the responsibility for the loss of personal data. An opportunity exists for many insurers to work directly with their business policyholders to educate, gather operational data, and begin building product solutions that match the risk variations presented in different industries.

Sharing data, using third-party data experts, and devising new ways to serve customers can foster a more secure marketplace that benefits everyone but the bad guys.

Ultimately, we, the customers, will be better served and better protected. All this gives the old Latin phrase caveat emptor—let the buyer beware—a whole new meaning, doesn’t it?