Know the risks, consequences and best practices.
As custodians of highly sensitive data, businesses across various industries are entrusted with their clients’ personal and financial information, making them prime targets for cybercriminals. Smaller organizations are especially vulnerable, as they often lack the resources needed to effectively defend against these threats. In fact, over half (55%) of all small businesses surveyed have already fallen victim to a cyber-attack.
The nature of cyber risks varies.
First-party risks directly impact a business, meaning the loss of data can lead to a significant loss of business income. Third-party risks, on the other hand, arise when a company fails to uphold its duty of care to others. These risks can be triggered by the unauthorized disclosure of sensitive or non-public personal information, or by the infection of a client’s network, resulting in data corruption.
Other risks businesses face due to cybercrimes include regulatory action by state and federal agencies, reputational damage, and the costs associated with complying with various breach response laws. Currently, 48 states, including California, have data breach notification requirements. Additionally, HIPAA requires notification after the disclosure of unsecured personal health information, while the recently enacted California Consumer Privacy Act (CCPA) establishes a framework that businesses operating within the state must follow to maintain data security. In California, companies must also offer credit monitoring services to each affected client and can be held liable for civil penalties of up to $7,500 per violation.
Successfully avoiding a cyber threat means first understanding the mindset and motivation of cybercriminals. Make no mistake, hackers are in this for the money in what is now a multi-billion dollar industry. Many are disgruntled ex-employees or nation-state-sponsored paramilitary groups lurking on the deep web, hawking their skills, exchanging tradecraft and selling stolen data. Some use traditional hacking methods, such as breaking into networks to steal and corrupt data. Still others manipulate users through phishing expeditions and social engineering to gain access to a system. Regardless of their motives, whether mischievous, malicious or purely moneymaking, cybercriminals can seriously threaten your firm’s continued success and profitability.
What can you do to thwart cybercriminals?
The best defense against a data breach is to implement procedures that minimize these threats. Understand the nature of the data in your possession and establish methods for discovering a breach. Having a robust SIEM or internal reporting process and an incident response plan is key. Two major points of vulnerability for most firms are the widespread use of mobile devices, which can be vulnerable to malware when not patched properly and are easily lost, exposing unencrypted data, and remote access to internal systems for the mobile workforce.
To protect against these threats, we recommend the following best practices in regard to cyber security:
12 steps you can take now to help protect your business:
Seem overwhelming? Skyward Technical Solutions offers these services as a “done for you” package. We offer 24/7 critical service monitoring and a best-in-class helpdesk where our techs answer live, speak clearly and can remote into your systems to assist in a matter of seconds. Our security experts are always on standby waiting to assist. Contact us today for a risk-free assessment.
An inadequate breach response can be devastating to recover from.
Not only does it result in reputational harm, but it can also result in higher out-of-pocket expenses, including heavy fines, and more. Oftentimes, the firm becomes a future “target” for other cybercriminals.
To further help insulate your firm from exposure, purchase appropriate cyber liability coverage.
Remember that your existing coverage may not adequately cover a data security breach and the necessary response. Accordingly, consult with your insurance agent or broker when assessing your cyber coverage. Read the general terms and conditions of the policy and understand how it applies to first party risks (i.e., business interruption and data restoration) as well as to third party risks (i.e., network damage, privacy injury, event expenses, regulatory proceedings and extortion).
Cybercrimes are constantly evolving, which means businesses need to stay abreast of the latest threats and take measures to impede them. In the meantime, firm employees should be fully trained in security awareness. Most of all, recognize that, statistically, you have a greater chance of being hacked than not. Having adequate data security measures in place can make all the difference between being just another data victim and being a bulwark against data fraud.
- Ponemon Institute LLC and Keeper Security, 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).
- NetDiligence, 2015 Cyber Claims Study.
- Ponemon Institute Research Report, 2015 Cost of Data Breach Study: United States (based on 2015 reported breaches).
About the Authors:
Stanley D. Sterna, JD, serves as Vice President in the Professional Firms Division of Affinity Insurance Services, Inc. (Aon Affinity). As a Claim and Risk Management Consultant, Stan provides quality control, claim/litigation management, and risk control expertise to many of the country’s largest accounting firms. He also advises clients on broader enterprise risks including cyber liability. He supports business planning, client relations, and sales/marketing initiatives for the AICPA Professional Liability Program and Aon Affinity’s business partners. Aon Affinity has been the endorsed administrator of the AICPA Professional Liability Insurance Program since 1974. To learn more about the AICPA Program, visit www.cpai.com.
Nick Graf serves as Consulting Director of Information Security for CNA’s Risk Control unit. Nick has more than a decade of information security experience and specializes in data leakage prevention, security policies, incident response, data breach and security awareness. He has presented courses on privacy, big data, the cloud and healthcare risks, and has also written and contributed to articles regarding information risks, social engineering, mobile device security, phishing and personal password management.
This article is provided for general information purposes only and is not intended to provide individualized business, risk management or legal advice.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2018 CNA. All rights reserved.