Protecting Your Nonprofit – Understanding Cyber Security Risks and Cyber Insurance

October is Cyber Security Awareness Month and our friends from the Co-operators are sharing important insights on how to keep safe online with the essentials of cyber insurance coverage.

Cyber security continues to be one of the biggest risks – topping the annual business “Risk In Focus” survey at ICAEW 1 – for businesses; with Cybercrime business models maturing. With emerging trends, and new exposures, you may be asking, what can we do to help ourselves and what are the risks we face?

Understanding the anatomy of a cyber event, what exposures exist and various strategies to protect against cybercrime will put your organization in a position of strength. Reflecting on how insurance can support and protect against cybercrime is an integral part of protecting yourselves and your organization, along with the people you serve.

Emerging Trends

There has been an uptake on small to medium enterprises being targeted for cyber-crime beyond large enterprises. Being a smaller, yet mighty organization doesn’t preclude you from being a victim or having cyber-security needs. In 2022, nearly half (45%) of small businesses experienced a random cyber-attack, with 27% of those experiencing a targeted attack2.

Is there a balance between convenience/function of your technology vs. security? Finding that right balance and level of protection is the answer to beat cybercriminals and keep your organization safe. Cyber-security set up, systems and support can be costly, but a cyber-attack is always costlier. There is a sacrifice to convenience to achieve higher level security.

Trends and exposures

Ransomware attacks increased by 105% since 2020, with more than 623 million attacks globally, that number has tripled since 2019. The sophistication of phishing campaigns has increased significantly.

Social engineering is a top threat and exposure to businesses. While many hacking methods are technical in nature, social engineering exploits a human vulnerability. In a social engineering attack, people are tricked into revealing sensitive information, opening malicious files, or transferring funds to a perpetrator. The perpetrator might be posing as a supplier, the company’s CEO, or someone from the IT team. ​

6 Social Engineering hacks looking to fool you:

  • Phishing: emails sent under false pretenses to trick users into supplying attackers with their login credentials.
  • Spear phishing: a targeted phishing email.
  • Vishing (voice phishing): calling a target pretending to be a person of authority, such as an IT supervisor, to pump someone for credentials or important information.
  • Smishing (SMS phishing): Phishing messages sent through text messages instead of emails.

Successful social engineering attacks can result in:​

  • Unauthorized financial transactions and payments​
  • Privacy breach of protected information
  • Leaked credentials providing access to network resources -> leading to extortion/ransomware and therefore business interruption costs etc.
  • Risk to reputation

Being mindful of cyber risks and keeping yourself informed around trending exposures will keep your organization safer from these risks.

The makings of a cyber attack

Recon: Cybercriminals spend their time searching for publicly available data to identify targets and gain entry to your systems during the reconnaissance stage.

Compromise: It takes an average of 181 days3 for an organization to identify a breach. During this time, cybercriminals may have access to your information without anyone realizing it, allowing them to recognize what data may fulfill their agenda, mining to gain further access to other systems, continue to develop their attack strategy and get ready for their final move.

Breach or attack: This is when the attacker activates their plan by launching the breach or attack. Examples include cyber extortion, ransomware, or hacking. The average cost of a privacy breach, loss, or theft of data in Canada is $4.74M, with 50% of all breaches caused by malicious or criminal attacks3.

Response: The average time to contain a breach is 69 days​3. Having a Risk Management and Business Continuity Plan integrating cyber security will help contain or lessen the impact of the breach. Who, internally or externally, should be part of the team when a cyber-attack happens?  Your path forward will be guided by questions such as:​

  • What is the potential damage to the business with this event? (financial, reputational etc.)​
  • Where and what is the need for evidence preservation​?
  • What is the service availability? (e.g., network connectivity, services provided to external parties)​
  • What time and resources are needed to implement the strategy​?
  • What is the effectiveness of the strategy? (e.g., partial containment, full containment)​
  • What is the duration of the solution? (e.g., an emergency workaround to be removed in four hours, a temporary workaround to be removed in two weeks, permanent solution)​

Cyber Insurance Coverage Explained – one way to help protect your organization.

Just as your organization would have insurance to protect your general liability, your property and tangible assets, your directors and officers, there is coverage available to protect against cybercrime losses. The options available are:

  • Privacy Liability and Network Security​
  • Electronic Media Liability​
  • Regulatory Proceedings Coverage​
  • Privacy Breach Expenses​
  • Cyber Extortion​
  • Digital Assets​
  • Business Interruption​

Privacy Liability and Network Security​

This coverage protects the insured against losses for the failure to protect a customer’s personally identifiable information (credit card numbers, medical information, name, address, etc.) via theft, unauthorized access, viruses, or denial of service attack. ​

Electronic Media Liability

Provides coverage against wrongful publication, defamation, libel, slander, product disparagement, invasion of privacy, misappropriation, copyright infringement, plagiarism, intentional torts, and related liabilities. ​

Regulatory Proceedings Coverage​

This coverage includes civil, administrative proceedings against an insured brought by or conducted by a regulator. With payments of regulatory fines and penalties. ​

Privacy Breach Expenses​

Will reimburse you for costs that you incur for expenses or losses because of a breach. This includes notification expenses, credit monitoring, data recovery, cyber investigation, and crisis management.​

Cyber Extortion​

Triggered when an insured receives a threat in which the extortionist threatens to either attack the Insured’s computer system or to release confidential information in the Insured’s possession for the purpose of demanding something of value, usually money. ​

Digital Assets​

Helps cover a business’s costs following a data break or cyberattack. It can help pay for data recovery, restoration or recollection that have been altered, corrupted, destroyed, disrupted, deleted, or damaged. This could include software and/or other information stored electronically.  ​

Business Interruption​

Occurs when a company has a loss of income as the direct results of a system failure or impairment due to a failure of network security. Covered losses include net profit before taxes and extra expenses arising out of the interruption of network service due to an attack on a company’s network. ​

What else can your organization do to help itself?

Your organization can take these steps to further protect from social engineering attacks:

1. Delete any request for personal information or passwords. You should not be receiving unsolicited requests for personal information via email. If you get asked for it, it’s a scam.​

2. Reject requests for help or unsolicited offers of help. Social engineers can and will either request your help with information or offer to help you (ex. posing as tech support). If you did not request any assistance from the sender, consider any requests or offers a scam. Do your own due diligence about the sender before committing to sending them anything in return.​

3. Set your spam filters to high. Your email software has spam filters. Check your settings and set them high to avoid risky messages coming into your inbox. Remember to check your spam or junk boxes periodically as it is possible legitimate messages could be trapped there from time to time.​

4. Secure your devices. Install, maintain, and regularly update your anti-virus software, firewalls, and email filters. Set automatic updates for these items to install if you can. Only access secured websites. Consider a virtual private network (VPN) for your organization. ​

5. Always be mindful of risks and make employee cyber awareness education part of your enterprise culture. Employee training is a huge factor for mitigating the cost of a breach.

Having a plan and testing it, ensuring your employees and those working with your organization have the tools and training to avoid cyber-attacks, and understanding the current exposures your organization faces will go a long way in preventing a cyberattack.

Resources:

25 Cyber security terms not just your IT security team should know: https://www.sovereigninsurance.ca/-/media/Images/Sovereign-Content-Images/PDF/Sovereign_Cyber-Tip-Sheet_Eng.pdf

5 ways to Bolster your IT Security Strategy with Employee training:  https://www.sovereigninsurance.ca/-/media/Images/Sovereign-Content-Images/PDF/Bolstering-IT-Security-w-Employee-TrainingTip-SheetEN.pdf

Source:

1 ICAEW, “Businesses face perfect storm of risks,” Oct. 10, 2022 

2Survey by Canadian Federation of Independent Business (CFIB)

3Ponemon Study: survey includes 477 companies of which 28 are Canadian.