The enormous benefits of digital technology are clear, but the associated risks can be alarming, as massive cyberattacks and data breaches affecting well-known organizations continue to make headlines. Cyberattacks and data fraud or theft ranked in the top five global risks in terms of likelihood in the 2018 Global Risks Report from the World Economic Forum. Its authors note that cyberattacks against businesses have doubled in the past five years and the financial impact of data breaches continues to accelerate.1
High-profile, multinational companies aren’t the only potential targets of data breaches. For 2017, the Identity Theft Resource Center breach report cited a record-high 1,579 breaches, reflecting a 45 percent increase over 2016.2 Moreover, the Ponemon Institute reported in its “2017 Cost of Data Breach Study” that one out of four businesses is likely to experience a breach.3
These daunting figures could intimidate companies from fully protecting themselves from a potential breach, says Michelle Chia, Vice President of Specialty Products Errors and Omissions for Zurich North America. She also noted that some businesses mistakenly believe that a lack of reportable data (e.g., personally identifiable information, protected health information or credit card data) means they are not at risk of cyberattacks. But ransomware — malicious software that infiltrates a company’s computer system, disabling it until monetary demands are met — can have a substantial impact on operations. Ransomware accounted for 64 percent of all malicious emails in 2017, the Global Risks Report noted, which was double the number from 2016.1
Taking preventive steps doesn’t have to be difficult.
“There are a lot of things that organizations can do to improve their own risk posture,” Chia says. “You need to be prepared in advance of a data breach in order to have the best response after a breach. Although that seems obvious, a lot of people aren’t thinking about that.”
Containing the costs of an actual breach isn’t the only consideration. Chia shares the main steps a business can take to reduce the impact of a data breach, and offers suggestions for whom to contact if and when a breach occurs.
Data breach preparation and response
Pre-breach: Prioritize good cyber security habits
1. Make good cyber security hygiene part of your company’s culture
Practicing good cyber hygiene means applying appropriate security measures and network security updates consistently and promptly. Preach and teach online safety behavior to employees, and closely monitor the data traveling through your systems.
“Know what’s going in and out of your network,” Chia says. “Know who’s within your network and what each person is doing. A lot of times data breaches are caused by human error. People make mistakes, even when they should know better.”
Although hacking (which can include phishing, ransomware/malware and skimming) was the most prevalent type of attack in 2017 at 60 percent, employee negligence and accidental web exposure were blamed for nearly 17 percent of the breaches, according to the Identity Theft Resource Center.2
2. Risk mitigation: Protect your data to minimize vulnerabilities
Regulate access control. A company’s network and data should not be easily accessible, nor should everything within its network be available to everyone authorized to enter its corporate system. Establishing a robust log-on is one proactive example, Chia says, and multi-factor access control is another.
Access control can also include setting physical boundaries (for instance, access to your network can occur only within the company’s building or corporate campus). Role-based access control is also recommended to ensure that individuals and vendors are privy only to the files that apply to their position and responsibilities. For example, a manager of cashiers at a retailer should not be able to view the Human Resources records for a corporate employee, and the general manager of a construction company project should not be able to access the files of someone else’s project.
Access control not only defends against malicious hackers but also prevents inappropriate information from being shared indiscriminately within a company.
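The role-based access control described above can be expressed as a deny-by-default policy check. The following is an added example, not code from Zurich or from the article: the roles, record types, scopes and sample requests are constructed for illustration. It encodes the two situations from the text (a cashier manager must not read HR records, and a project manager must not read another project's files) and writes one audit line per decision so that denied attempts are visible to whoever monitors the network.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed policy for the example: each role maps to the record types it
# may read. Anything not listed here is denied (deny by default).
POLICY: Dict[str, Set[str]] = {
    "cashier_manager": {"store_schedule", "register_log"},
    "hr_specialist": {"hr_record"},
    "project_manager": {"project_file"},
}


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    scope: str  # the store, department or project the user belongs to


@dataclass(frozen=True)
class Resource:
    kind: str   # record type, e.g. "hr_record" or "project_file"
    scope: str  # the store, department or project the record belongs to


def is_allowed(subject: Subject, action: str, resource: Resource) -> bool:
    """Deny-by-default check: the role must list the record type, and the
    record must belong to the subject's own scope. Only reads are modelled;
    any other action, and any unknown role, is refused."""
    if action != "read":
        return False
    if resource.kind not in POLICY.get(subject.role, set()):
        return False
    return resource.scope == subject.scope


def authorize(subject: Subject, action: str, resource: Resource,
              audit: List[str]) -> bool:
    """Evaluate the request and append one audit line (constructed format)
    so that denied attempts can be reviewed by whoever monitors the network."""
    decision = "ALLOW" if is_allowed(subject, action, resource) else "DENY"
    audit.append(f"{decision} user={subject.user} role={subject.role} "
                 f"action={action} kind={resource.kind} scope={resource.scope}")
    return decision == "ALLOW"


def demo() -> List[str]:
    """Run the scenarios from the text plus in-scope allows and an unknown role."""
    audit: List[str] = []
    store_mgr = Subject("m.lopez", "cashier_manager", "store-042")
    hr = Subject("a.chen", "hr_specialist", "hq-hr")
    pm_a = Subject("r.patel", "project_manager", "project-a")
    nobody = Subject("x.unknown", "contractor", "store-042")

    authorize(store_mgr, "read", Resource("hr_record", "hq-hr"), audit)     # DENY: wrong role
    authorize(hr, "read", Resource("hr_record", "hq-hr"), audit)            # ALLOW
    authorize(pm_a, "read", Resource("project_file", "project-b"), audit)   # DENY: other project
    authorize(pm_a, "read", Resource("project_file", "project-a"), audit)   # ALLOW
    authorize(nobody, "read", Resource("register_log", "store-042"), audit) # DENY: role not in policy
    return audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The scope check is what keeps a manager of one project out of another project's files even though both managers hold the same role; the role check alone would not achieve that. Feeding the audit lines to the monitoring described under "Know what's going in and out of your network" turns repeated denials into a signal worth investigating.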
“Segmentation reins in the amount of damage from any one situation,” Chia says. “It works by creating subnetworks, allowing for increased security around more critical assets and reducing exposure. Now, instead of one network, the attacker has to break into two or more to get at the critical data. Not only does this prevent the wrong employees from improperly or inadvertently going into different parts of a system, but it also protects the organization from expanding a breach with access to other files.”
Encrypt sensitive information. Encryption lets data move among networks without being compromised, providing “an additional layer of sensitive data exposure defense,” Chia says. “It prevents someone from accessing important data even if they are able to get into a system where that information is stored.”
Encryption is relatively inexpensive when compared to the price tag of a data breach, she adds. “Unfortunately, you’d be surprised by how many sophisticated businesses do not utilize encryption.”
Part of the challenge, she acknowledges, is that for some companies, myriad pieces of data are being saved in a variety of different places. Consider these floating islands of information a starting point. “Companies should know how much unstructured data they have, and put it into a structured format,” Chia says.
Maintaining an asset inventory can help. This inventory identifies all of the information within a company’s data processing system. In addition to documenting the specifics (serial numbers, descriptions, values, etc.), it ranks each class of data by how much protection it merits.
3. Develop an instant data breach response plan
Vigilant monitoring and detection capabilities are vital. Because the threat of attacks doesn’t stop, monitoring needs to be continuous — “24-7-365,” as Chia puts it — to ensure a timely response. Part of this effort includes businesses building a culture of awareness at all levels of their organization, from the mailroom to the boardroom.
Assume the worst and have a plan in place if a data breach should occur. “This means knowing who in the organization needs to know that there has been an event, who is responsible for each activity during the course of the breach,” she says. “Should the CFO get involved? Should the CEO get involved? Who in IT or HR should be involved? It depends on each scenario, and there are multiple scenarios.”
A company’s response invariably involves different business partners, and knowing these vendors can help reduce the damage incurred by a cyberattack.
“Develop a relationship with your vendors, and know which vendor to call at which point,” Chia says. Although Zurich customers can select the vendors they wish, Zurich has a panel of approved vendors to make it easier for customers. (Learn more about Zurich’s security and privacy solutions.) “Zurich’s approved vendors also offer preferred rates,” Chia notes, “which can help our customers’ dollars stretch further.”
4. If forming any part of a pre-data-breach strategy seems too daunting, enlist outside assistance
“There are a lot of organizations that can help companies develop a basic structure and plan,” Chia says. “Zurich customers, for instance, have access to our Risk Engineers, who will provide up to two hours of services that are complimentary.”
In addition to addressing a variety of pre-breach security tasks, Zurich Risk Engineers also can help companies develop pre-incident response plans.
Post-breach: Corral your resources to help reduce the impact of a data breach
Should the worst happen and a company finds itself the victim of a data breach, it’s time to set the response plan into motion – and the sooner the better. The faster a data breach is identified and contained, the lower the costs, the Ponemon Institute report emphasizes.3 The industry generally believes an optimal response to a data breach should begin within 24 to 72 hours.
“If you don’t respond in a timely manner, and especially if you’re a publicly traded company, your customers and your shareholders will just think you don’t care,” Chia says. There also can be legal and/or regulatory requirements, which is why having a breach coach can be so valuable.
1. Know who to call, and when to call them
Chia outlined the three most important vendors to contact, in this order:
- Breach coach. “We at Zurich believe your first call should be your breach coach,” Chia says. “A breach coach is an attorney with experience in managing security or data breaches. They typically have experience in knowing which bucket your particular event will fall into, and they will know which vendors to call as well as whether law enforcement — local, state, federal — should be involved.”
Among the key reasons to hire a breach coach: helping internally organize the appropriate parties, prioritizing notification needs, having someone on hand whose sole focus is the cyber-event response, as well as understanding relevant state and/or federal laws and regulations.
- Forensics investigator. This is the person or team who “will help you figure out what happened, when it happened, how it happened and what was impacted,” Chia said. When you understand what information, and how much of it, was compromised, it will be clearer who needs to be notified.
- Public relations. Chia notes that PR specialists can help manage the messaging to help protect your company’s reputation. A skilled PR team can be proactive and understand how best to deliver unfortunate news. Because customers value transparency and preparation, timely and appropriate communication can help minimize reputational damage to a business and its brand.
2. Work closely with your broker and/or insurance provider
“Once a company recognizes there has been an issue, it needs to make sure the insurance policy will pay out in those circumstances,” Chia says. “The No. 1 potential insurance issue when a breach has occurred is that not all vendors are approved by insurance providers.” When a policy restricts vendor choice, it can create costly delays if a carrier-approved vendor is not immediately identified. “Zurich, fortunately, does not require prior approval for a company to engage with vendors, but many insurance providers do require prior written notice.”
“You also want to work with your insurance provider in advance to make sure that notice is provided in the right amount of time,” Chia noted. “Timely notice is very, very important.” A company should look at its policy for that information, or ask its broker or breach coach for direction.
Taking these steps can help mitigate the damage caused by a cyber event. It can also be beneficial to choose an insurance provider that offers pre-breach tools in addition to a risk-transfer solution.
1 The Global Risks Report 2018, 13th edition. World Economic Forum. 17 January 2018.
2 2017 Annual Data Breach Year-End Review. Identity Theft Resource Center. 25 January 2018.
3 “2017 Ponemon Cost of Data Breach Study.” Ponemon Institute/IBM Security. 26 July 2017.