Monday, July 23, 2018

Why Cyber Insurance?



Before I begin the last segment on cyber risk, I want to thank those of you who are still following this blog.  You may have noticed the posts have been rather sporadic over the past four months and I would like to share why.  I have faced personal tragedy this year with the loss of both parents in close succession.  The inevitability of death is a fact, and no matter how prepared one might believe they are, it seems we are never truly ready when the time comes.  These unfortunate events have distracted me from contemplating risk management issues.  I recently remembered a quote by Winston Churchill, “If you are going through hell, keep going.” So here we go. 
In previous posts, we reviewed several different cyber risk exposures and how to develop a strategy to protect against them.  We also looked at how to manage a social media presence and the associated risk.  But even with a well-defined plan, a cyber risk strategy should also include a layer of insurance to fill any gaps and potential exposure.  General liability insurance does not provide adequate protection as most policies exclude losses resulting from a cyber-attack.  Cyber insurance, on the other hand, will cover most of the following:
  • Legal fees and court costs
  • Investigative costs related to a data breach
  • Mandatory customer notification requirements
  • The cost to recover data
  • The cost to repair and restore compromised software and systems


In this post we will address three common questions about cyber liability insurance:
  1. What is cyber liability insurance?
  2. What should you as a business owner or decision maker look for when purchasing cyber liability insurance?
  3. How do insurance companies price cyber liability insurance? 

A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. With its roots in errors and omissions insurance, cyber insurance began catching on in 2005 and is still evolving. Cyber risks change frequently, and the true risk of cyber-attacks is not completely understood.
Although there are few standards for underwriting these policies, the following costs are commonly paid or reimbursed:
  • Investigation expense:  After an event, a forensics investigation is necessary to determine what occurred, how to repair damage and how to prevent the same type of breach from occurring in the future. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement and the FBI.
  • Business interruption and reputational damage: A cyber insurance policy may pay for similar items that are covered by an errors & omissions policy (errors due to negligence and other reasons), as well as monetary losses caused by network downtime, business interruption, data loss recovery and costs involved in managing a crisis, which may also involve repairing reputation damage.
  • Privacy breach notifications: This includes the costs of required data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
  • Lawsuits and extortion: This includes the cost of legal expenses due to the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.


While the number of insurance companies that offer cyber liability insurance is growing, there is still no standard form.  Therefore, it is important for the buyer to pay close attention to what is covered and excluded.  Below are some questions to ask and items to consider when discussing cyber liability and reviewing the proposals with your insurance broker. 

  • Does the insurance company offer one or more types of cyber insurance policies? In most cases, a stand-alone policy is best and more comprehensive. Also, ask if the policy is customizable to an organization.
  • What are the deductibles? Be sure to closely compare deductibles among insurers.
  • How do the coverage and limits apply to both first and third parties? For example, does the policy cover third-party service providers? On that note, find out if your service providers have cyber insurance and how it affects your agreement.
  • Does the policy cover any attack to which an organization falls victim or only targeted attacks against that organization in particular?
  • Does the policy cover non-malicious actions taken by an employee?
  • Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing, and advanced persistent threats.
  • Since advanced persistent threats take place over time, does the policy include time frames within which coverage applies? In other words, if an advanced persistent threat is discovered during the current policy period yet the origin was in an earlier policy period or before coverage was secured, is the policy limited to only damages caused during the current policy period?


Many insurance brokers and insurance companies will offer a checklist of items to consider when purchasing cyber insurance.  Gather several examples and compile your own customized list of items important to consider based on your particular operations. 

When pricing cyber liability coverage, an insurance company wants to see that your organization has taken some steps to assess your vulnerability to cyber attacks.  They may ask:
  • Do you follow established best practices enabling defenses and controls?
  • Do you have an established employee education program for security awareness, especially for phishing and social engineering?
  • Have you conducted a cyber threat assessment (even if not required by regulations)?
  • Have you consulted threat intelligence services for the latest information on targeted attacks?
  • Have you engaged the services of ethical hackers to reveal security weaknesses?


A threat assessment and ethical hacking services may be financially out of reach for many small businesses. However, investing in some type of vulnerability assessment tool or engaging the services of a penetration tester to probe external network defenses may go a long way toward improving security and benefit the negotiation of cyber insurance.

As cyber risk evolves, and insurance coverage becomes more standardized, an insurer might request an audit of an organization's processes and procedures as a condition of coverage, although this is not currently a common practice. An insurer may agree to provide coverage but perhaps at a level below what you feel you need. Keep searching for the right fit because the cyber risk is real and there is too much at stake to settle on coverage that leaves you vulnerable.


Until next time, stay safe and be kind to one another.

Sunday, June 24, 2018

Social media risk…keeping it sociable



A recent study by Goldman Sachs revealed that businesses that use social media well are 34% more likely to be trusted by young, working-age people. As the population of professional millennials reaches an all-time high, so must your business’s social media presence. Eric Berkowitz, VP of Solutions Engineering at Tracx, commented in a recent webinar, “Whether you’re a small, medium, or large-sized business, your brand’s health and reputation is often defined by the way you engage in public environments”.  Tracx is the leading social business cloud assisting the world's top companies to identify and target audiences, improve social media planning strategies, and effectively engage consumers. 
As the world becomes more constantly connected and social media increasingly becomes a marketing and consumer engagement norm, businesses need to adjust strategies to fully embrace social media.  While small and medium companies may not have budgets to hire consultants to navigate a social media plan, you can still develop a social media strategy, considering these five factors and four steps to keep in mind when managing social media risk.  Finally, I am going to share an excerpt from a post I read by Tony Robbins on “How to manage a crisis on social media”.   He does a great job of covering some do’s and don’ts when engaging the larger social media outlets. 
When you are committed to engaging social media on a regular basis to advance your business, you need to identify the risks of social media, develop comprehensive governance policies to mitigate risk and then deploy the right processes and technology to reinforce those policies. Some risk considerations are as follows:

  1. In this era of engaging directly with the public, in real time, mistakes are bound to happen.
  2. Employees may be hacked because they trust fellow social media users and may be tricked by cybercriminals.
  3. Confidential client and other information can leak out.
  4. Bad actors can introduce malware into the organization when employees are targeted by cybercriminals.
  5. Mistakes and hacks can have a negative impact on the brand and cause a loss of employee, customer, or investor confidence. 

Resources are required to develop, manage, supervise and adjust both internal and external social media programs. Although social media can be a competitive advantage, it can be disruptive and reduce employee productivity.  Content can be created in real time, outside of the firewall, with resultant reputational risks. Not adopting social media can have an adverse impact on competitive advantage, and a negative perception by clients, employees, vendors, and partners.

A strategy should be designed to identify, measure, monitor and control the risks related to social media. Engaging stakeholders from across the organization, such as IT, legal, human resources, marketing and operations, will provide a cross-functional perspective and ensure buy-in.  Some key concepts of an effective plan are as follows:
  1. Strategic goals and on-going risk assessment measures should align with existing business initiatives.
  2. There should be clear policies and procedures to address online postings that are compliant with any laws and regulations. Policies should include the following elements:
    1. Strong compliance administration and oversight across the organization
    2. A periodic risk assessment
    3. Requirement for training
    4. Escalation processes for reporting wrongdoing and suspected violations
    5. A requirement for adequate documentation of compliance communications and training
  3. Guidelines for work-related use of social media are essential. Permissions and approval workflows should be put in place for proper training and to moderate operational, compliance and reputation risk. It should be clear who is responsible for approving the content or replies, and the chain of command in case of a crisis.
  4. Everything posted to social media sites needs to be monitored. It is essential that team members are set up with relevant permissions, roles and approval functions in place. 

By: Tony Robbins

“FACEBOOK
WHAT’S BEST: Announcements, invitations, photo galleries, videos, and longer-form storytelling work very well on Facebook. Any content immediately interesting and conversation-worthy will keep people coming back.
IN A CRISIS: Learn to distinguish unhappy customers from trolls. If a customer or client shares a negative story or comment, don’t engage immediately. If you can’t respond privately, express empathy for their experience and offer to open a calm dialogue, over the direct message, to resolve the issue. Reaching out privately is always best as it reduces the opportunity for the exchange to become magnified as a public performance.
DON’T EVER: Don’t respond to trolls, ever — use blocking features or report them. Give yourself a waiting period when responding to negative comments, to reduce the potential blowback from posting in anger.

LINKEDIN
WHAT’S BEST: LinkedIn is a must for any business, brand or working professional — it’s most powerfully used as continual networking, recruiting and value sharing.
IN A CRISIS: Users are less likely to post reviews of businesses, though personal recommendations are incredibly common and encouraged through the platform’s interface. However, comments of any kind can be posted in response to individual posts, which typically run for a short lifecycle in user feeds.
DON’T EVER: Avoid using LinkedIn for content that is excessively personal, or not relevant to a business networking audience. Joining LinkedIn groups to post offers, obvious ads or low-value posts is considered spam, at best. LinkedIn InMail plans allow purchasers to send messages to users they aren’t connected with, but observe common-sense rules and don’t spam.

TWITTER
WHAT’S BEST: In the realm of business, Twitter has replaced customer service as a first point-of-contact for both negative and positive experiences. Observe basic rules for addressing complaints, criticisms and troll messages in this, most volatile, of all public spheres and transition disputes to private, direct messages whenever possible. Twitter is key to expanding awareness, special incentive offers and linking to longer-form content that adds value. Just be careful while co-opting popular memes, current slang and trending hashtags without forethought, or risk stirring up ridicule.
IN A CRISIS: More so than any other channel, Twitter makes mass-conversation as easily spread and impossible to control as a wildfire. For good or groan. If you’re not actively provoking controversy, your small or medium-sized business likely won’t ever inflame a negative PR storm.
DON’T EVER: Block trolls rather than responding directly, but don’t ignore legitimate complaints — users can easily launch smear campaigns against brands and businesses they feel have slighted them. And don’t ever feel discouraged by the possibility of negative feedback — unless your business has a problem or conflict with multiple people simultaneously, the likelihood of bad PR surrounding an SMB is slim-to-none.

YELP
WHAT’S BEST: Unless your company is online-only, listing on Yelp is becoming perhaps more vital than LinkedIn for any business involved in customer service, retail or brick & mortar. Once listed, add rich descriptions and all relevant information, as well as photo galleries to ensure your first-glance impression is a first-class lure to potential customers and clients. Be careful of asking or aggressively incentivizing users to post positive ratings in exchange for discounts or freebies — feel free to reward great reviews, privately. The use of discretion will help create that “warm-fuzzy” illusion, making a lasting positive impression.
IN A CRISIS: Yelp is becoming notorious for angry, negative and even satirical business reviews. The rules of engagement listed earlier are perhaps even more vital to adhere to, as your collective, user-submitted star-rating on the site can either massively boost or bury a small business struggling to get noticed. Be careful with public replies; even an innocuous positive message to a happy customer can create a distancing effect with every other person you didn’t personally thank or acknowledge.
DON’T EVER: Take a lesson from Amy’s Baking Company’s failure and don’t ever post angry, vitriolic or argumentative replies to negative reviews. Always offer to discuss and mediate the situation over a direct message to maintain contextual control. Even if the negative review remains, users will have the opportunity to view your level-headed response and offer to rectify the situation.”

Creating and building a steady engagement across social media channels with your company is no longer a should — it’s a MUST. The pool of potential fans and customers can seem daunting.  Learn when, why and how to engage best to avoid crashes and burns, and gain the most from social media.


Until next time, stay safe and be kind to one another.

Monday, April 23, 2018

Cybersecurity - What's in your strategy?



Our constant connectivity to the Internet exposes us all to a hostile environment of rapidly evolving threats. Because of the size, complexity, and continual evolution of the cyber environment, there is no simple, one-size-fits-all approach to managing the risks associated with cybersecurity. In this post, we will discuss five components of a cybersecurity strategy.  This is not an exhaustive list, by any means.  I highlight some key attributes that can establish a sound strategy with limited resources and, as I did in the two previous posts, I include links to some helpful resources.

Understand your network and your potential exposure
The best way to start is by identifying your company’s network systems, hardware, and software and their location(s):
·       Physical devices and systems
·       Software platforms and applications
·       Maps of network resources, connections, and data flows
·       Connections to the company’s networks

Network physical and system security
The physical security of your network and IT assets (computers, networks, servers, smartphones, multi-media printing devices, etc.) is a cybersecurity first line of defense. The effect of a stolen laptop or smartphone can be just as disruptive to an organization as a cyber-attack. Below are six best practices for consideration.
·       Install anti-virus and anti-spyware programs and a firewall on all computers. Ensure that they are enabled and configured for automatic updates.
·       Keep all security programs, along with the operating system and software, current with the most recent updates. If the operating system is discontinued, support may no longer be available.
·       Upgrade to a newer operating system. Centrally manage both physical and systems access. Audit system activities, such as successful and failed user logins, file and system access. All operating systems, and most applications such as firewalls, have the ability to audit system activities. 
·       Back up files incrementally (daily) and fully (weekly). Test restore function to ensure backups are working as intended. Keep backups off-site.
·       Employees should put away sensitive items before leaving their work area. In addition, a clean desk will keep sensitive information out of the hands of personnel who do not have a legitimate reason for accessing this information.
·       Restrict access to your computer’s contents by locking the screen when you are away.

Personnel screening and insider threat
An insider threat is defined by Wikipedia “as a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.”  Here are six areas where an insider threat can pose a risk to the organization.
·       A disclosure of confidential information, jeopardizing an organization’s relationships
·       Fraud
·       Loss of intellectual property
·       Monetary loss
·       Regulatory repercussions
·       Embarrassment, public relations and/or reputational risk issues

By recognizing the potential harm posed by current or departing employees, you can mitigate the damage that may arise from insider threats.  Regularly auditing the network for suspicious activity, promptly removing system access when an employee departs, and monitoring for system use by former employees are three best practices to protect against insider threats.

Cybersecurity awareness and training
When it comes to a cybersecurity strategy, many organizations focus heavily on the technical aspects of network security (we even discussed the technical and physical security solutions first in this post).  However, most of these technical controls can be ineffective when employees lack a general awareness of cybersecurity. Employees can take risks online that greatly increase cyber-related risks to their organization. Risky activities include opening suspicious emails and not protecting sensitive information stored on, or transmitted from, their computers. Employee education and a culture of cyber awareness are often just as impactful to the overall strategy as the implementation of the most advanced cybersecurity systems. Here are eight best practices to create cybersecurity awareness.
·       Implement policies covering the acceptable use of, and the secure use of, computer systems.
·       Make cybersecurity training and awareness mandatory for all personnel. This includes executives and the C-suite.  Creating a culture needs to begin at the top of the organization.
·       Instruct users not to open suspicious emails or click on suspicious links, regardless of the source.
·       Instruct users not to connect unapproved devices to the network; only pre-approved devices should be used.
·       Instruct users to follow good password practices.
·       Train users about the dangers and safe use of external media (USB sticks and CDs).
·       Train users not to download or install unauthorized applications. (Restricting administrative access to computers so general users cannot download software or applications is a good practice).
·       Provide continuing education for executive management and employees to include videos, webinars, policy updates or articles that educate users.

Assessment of threats and vulnerabilities
Cybercriminals continue to take advantage of basic security vulnerabilities in computer systems. Organizations that do not scan for vulnerabilities and proactively address weaknesses in their network face an increased likelihood of having their systems compromised. A vital element of a cybersecurity program is to perform a risk assessment of all systems, sub-systems, and devices to determine what vulnerabilities are present.
·       Run an automated vulnerability assessment tool against all systems on the network on a regular basis.
·       Develop a prioritized list of the most critical vulnerabilities and an action plan to mitigate or resolve.
·       Stay aware of emerging threats and exposures.  (Most network security software companies have user groups or blogs to help keep you up to speed with the latest threats.)
·       Ensure that the vulnerability scanning tools you use are regularly updated and contain the latest security vulnerabilities information.
·       Ensure computer software/applications are updated with security patches regularly.

Resources
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

U.S. Department of Transportation, National Highway Traffic Safety Administration - McCarthy, C., Harnett, K., & Carter, A. (2014, October). A summary of cybersecurity best practices. (Report No. DOT HS 812 075). Washington, DC: National Highway Traffic Safety Administration.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

IoTCrimes.com – All Internet of Things (IoT) devices are at risk of theft, damage or destruction

Department of Homeland Security - DHS, has created a webpage that has information and resources on cybersecurity and combating the threat of cybercrime.

Until next time, stay safe and be kind to one another.

Monday, April 16, 2018

Knowledge is Power




They say that knowledge is power, data and information give one knowledge, and with power comes a tremendous responsibility to protect.  Continuing our conversation from the previous post Phishing Anyone?, we will dive a little deeper into information and data management and some of the risks associated with the responsibility to protect.  In this conversation, we will talk about hard copy data as well as electronic data.  The handling of paper files and information tends to get overlooked with the intense focus on securing electronic data.  As such, this can be an easy target for a criminal.  We will look at five best practices for handling, storage, and disposal of hard copy sensitive information.  We will then move to protecting electronic data and discuss five best practices for protecting electronic data.  Finally, as I did in the last post, I will provide some resources to further develop your knowledge and understanding. 
Let’s begin with framing the conversation around what information and data need to be protected.  In most cases, we all have a basic understanding of what needs to be protected.  For our conversation, we are going to divide data into three categories:

Confidential Information 
“Confidential Information” is that which has been so designated by statute or by promulgated rule or regulation based on statutory authority.  Examples include Corporate Records relating to pay and the payment of benefits which are considered confidential. 

Privileged Information 
“Privileged Information” is that which is available only to authorized persons, access to which is granted by one’s position. This information is not confidential pursuant to the law but is sensitive in nature.  For simplicity in management, privileged information is often subject to the same restrictions as confidential information. 

Personal Information 
“Personal Information” refers to a corporate record that contains a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person:   
(a) Social Security Number (“SSN”);  
(b) Driver’s license number or state-issued identification card number; or 
(c) Financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a person’s financial account.  Personal Information does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 
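The three-part definition above (a qualifying name, plus at least one of elements (a), (b) or (c), minus the public-records exclusion) is the kind of rule a record inventory or data-classification check can apply mechanically, so that records needing locked storage or encryption are identified consistently. The following is an added example written for this post, not code from the original; the record layout and field names (name, ssn, drivers_license, state_id, account_number, card_number, lawfully_public) are assumptions, and the sample records are constructed.

```python
"""Classify records against the page's definition of "Personal Information".

Added example; field names and sample records are assumptions constructed
for illustration, not from any real system.
"""
import re
from typing import Dict, List

# Qualifying name: "first name + last name" or "first initial + last name".
# Middle names are not handled (assumption: the definition does not mention them).
_NAME_RE = re.compile(r"^\s*(?:[A-Za-z][A-Za-z'\-]*|[A-Za-z]\.?)\s+[A-Za-z][A-Za-z'\-]+\s*$")
# SSN format: 9 digits, optionally dashed (structure check only, not validity).
_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# Payment card number: 13 to 19 digits with optional spaces or dashes.
_CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")


def _present(value) -> bool:
    """True when a field holds a non-empty string."""
    return isinstance(value, str) and value.strip() != ""


def has_qualifying_name(value) -> bool:
    """Element that must always be present: a name in one of the two forms."""
    return isinstance(value, str) and bool(_NAME_RE.match(value))


def data_elements(record: Dict[str, object]) -> List[str]:
    """Return the labels of definition elements (a), (b), (c) found in the record."""
    found: List[str] = []
    ssn = record.get("ssn")
    if _present(ssn) and _SSN_RE.match(ssn.strip()):
        found.append("a: SSN")
    if _present(record.get("drivers_license")) or _present(record.get("state_id")):
        found.append("b: driver's license / state ID number")
    card = record.get("card_number")
    # A card number counts "with or without" its security code or PIN,
    # so the number alone is enough to trigger element (c).
    if _present(record.get("account_number")) or (
        _present(card) and _CARD_RE.match(card.strip())
    ):
        found.append("c: financial account / card number")
    return found


def classify(record: Dict[str, object]) -> Dict[str, object]:
    """Apply the definition: qualifying name AND at least one data element,
    unless the record was lawfully obtained from public sources (the exclusion).
    """
    name_ok = has_qualifying_name(record.get("name", ""))
    elements = data_elements(record)
    public = bool(record.get("lawfully_public", False))
    return {
        "personal_information": name_ok and bool(elements) and not public,
        "name_qualifies": name_ok,
        "elements": elements,
        "public_exclusion": public,
    }


def scan(records: List[Dict[str, object]]) -> List[int]:
    """Indices of records that meet the definition; these are the ones that
    need the locked-storage / encryption handling described in the post."""
    return [i for i, r in enumerate(records) if classify(r)["personal_information"]]


# Constructed sample records (placeholder values, not real data).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789"},                      # name + (a)
    {"name": "Doe", "ssn": "987-65-4321"},                           # no qualifying name
    {"name": "J. Doe", "card_number": "4111 1111 1111 1111"},        # initial + (c)
    {"name": "John Doe", "email": "john@example.invalid"},           # no data element
    {"name": "John Doe", "state_id": "ID-000123", "lawfully_public": True},  # excluded
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify(rec))
    print("records requiring protected handling:", scan(SAMPLE_RECORDS))
```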

Through the daily course of business, the use of confidential, privileged and personal information is common.  Creating an awareness and developing processes to manage this information can prevent sensitive information from getting into the hands of criminals.  Below are five best practices for managing hard copy files and data.


  1. Personal Information collected, received and stored should not be shared with any unauthorized party. Authorization to access such information is limited to those employees determined to need access to carry out their job responsibilities and such other persons or organizations who are legally entitled to receive such information, such as, auditors, regulators, and outside counsel.  
  2. All paper records and data containing personal information should be stored in locked storage areas or containers, and access to such records and data should be limited to authorized persons.
  3. Printing, transportation or duplication of personal information must be limited to the greatest extent possible.
  4. Each year, inactive paper files should be purged from the active files storage location and placed into archive storage.   Archive storage should be in a locked facility with very limited access.  Unless ample space is available in the general office area, arrangements to store archive documents with a third party such as Iron Mountain can ensure secure storage with limited access.  Third-party archive storage also mitigates the risk of maintaining onsite storage for prolonged periods of time.  
  5. Companies should develop an archive data management and destruction policy which outlines the storage requirements for various files and a file destruction process.

Historically, hackers seeking to steal data and money used to target primarily large corporations and government bodies. The focus has now shifted and they now direct quite a bit of attention to hacking small businesses and individuals.  This change is not surprising: while larger corporations and governments may offer higher bank balances and jackpots of data to steal, they also have both large information-security departments and tighter relationships with law enforcement, lowering the odds of a hacker's success and increasing the chances of them getting caught and imprisoned.

With the new dynamics, it is increasingly important for small business owners, entrepreneurs considering starting a business, and people in general to cyber-protect themselves.  Here are five best practice recommendations for managing your company’s electronic data.

  1. Understand that you are a target. Educating employees and creating a general awareness of the importance of caution and vigilance can be a good defense.  Employees who believe that criminals want to breach their computers and phones act differently than those who don't understand this reality.
  2. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, err on the side of caution and encrypt.
  3. Conventional wisdom is to require complex passwords for all systems.  Inevitably, that leads to people writing down passwords or using the same password for multiple log-ins.  The new best practice is to ask employees to select combinations of words, numbers, and proper names (e.g., "investing9goats2Starbucks"), or create a passphrase (“My1dog2is3George”). For extremely sensitive systems, consider stronger forms of authentication such as biometrics or multi-factor authentication.
  4. Inappropriate social media posts can cause many problems–such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out attacks. Implement technology to ensure social media does not become a problem.  Do not rely on simply telling people not to make particular types of posts on Facebook or Twitter–history tells us that many people simply do not realize when they are making such posts, and even those who do, may inadvertently leak data when posting from a smartphone that "auto-corrects" a misspelled word to a sensitive, internal term.
  5. If your company uses the internet for eCommerce, or if your company falls under state or federal requirements for handling information and data, make sure that you comply with all regulations. This sounds very basic, but in a world of a myriad of requirements and regulations, electronic data management should be a focus. 
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

National Cyber Security Alliance - The National Cyber Security Alliance (NCSA) builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

Federal Trade Commission - The FTC has created a webpage that has information on scams targeting small businesses, and tips to help avoid them. It also includes cybersecurity articles and videos to help small business owners protect their networks and systems and their employees’ and customers’ sensitive data.

Until next time, stay safe and be kind to one another.

Monday, April 2, 2018

Phishing anyone?



Digital Threat Management, eCrime, Cyber Security: all terms associated with one of the fastest growing areas of risk facing business operations.  Today, criminals do not need to break through network firewalls to gain access to a company’s private information.  In most cases, access through network security is provided by unsuspecting computer and mobile device users.  According to a recent report by APWG (an international coalition of governments, law enforcement sectors, and NGOs combating cybercrime), the volume of cyber-attacks has continued to increase.  These attacks are most often carried out through phishing scams.

In this post, we will give a general overview of phishing and five ways to protect yourself and your firm from a phishing scam.  We will also look at malware and ransomware (usually the result of falling prey to a phishing scam), and five ways to protect against a ransomware attack.  Finally, we will review a couple of good resources for additional information about cybercrime.

What is Phishing?


Phishing is the use of fraudulent emails, texts or copycat websites to obtain valuable user information or to gain access to your computer or company network.  Once inside the network, attackers can install programs like ransomware that lock users out of important files.  Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies, or by pretending to be a friend or co-worker.

In a 2017 survey conducted by Wombat Security, 70% of the working Americans surveyed knew what a phishing scam was, but only 37% of the same group knew about ransomware.  Education is the best defense against phishing since phishing requires the user to take some sort of action.  While awareness will allow the user to recognize a potential threat and take the appropriate precautions, here are five other things you can do to protect against a phishing scam. 
  1. Be suspicious of any email or communication (including text messages) with urgent requests for personal financial information.
  2. Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify the legitimacy of a request is also an option.
  3. Don’t send personal financial information via email and avoid filling out forms in an email that ask for your information.
    1. You should only communicate information such as credit card numbers or account information via a secure website or telephone if you have called the company requesting the information.
  4. Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.
    1. Never use public, unsecured WiFi for banking, shopping or entering personal information online, even if the website is secure.
    2. When in doubt, a 3G/4G or LTE connection is always safer than public WiFi.  Most computer security software programs offer a virtual private network (VPN) option for mobile devices, or they recommend a VPN app. 
  5. Typically, phishing emails are not personalized, but they can be. Messages from banks and eCommerce institutions are usually personalized. When in doubt, call the company directly to confirm that the email is in fact from them.
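As an added example (not from the original post), the following Python check applies points 2 and 4 above to the links in an HTML e-mail body: it flags links that do not use https, and links whose visible text names one site while the underlying address goes to another, which is how copycat websites are usually reached. The sample e-mail body and the domain names in it are constructed for this example and are not real sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches visible link text that looks like a web address, e.g. "examplebank.com/login".
_DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or bare domain, without a leading 'www.'; '' if none."""
    if not value:
        return ""
    if "://" not in value:
        value = "https://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html_body):
    """Return [(href, [reasons])] for every web link that fails the two checks."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        scheme = urlparse(href).scheme.lower()
        if scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        reasons = []
        if scheme != "https":
            reasons.append("link is not https")
        # Visible text that looks like an address must point at the same host as the href.
        if _DOMAIN_LIKE.match(text) and host_of(text) != host_of(href):
            reasons.append(
                f"visible text points at {host_of(text)} but the link goes to {host_of(href)}"
            )
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample e-mail body; the domains are placeholders, not real sites.
SAMPLE_EMAIL = """
<p>Your account needs verification within 24 hours.</p>
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a><br>
<a href="https://www.examplebank.com/help">Help center</a><br>
<a href="https://examplebank.com/contact">examplebank.com/contact</a><br>
<a href="mailto:support@examplebank.com">support@examplebank.com</a>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first link in the sample is reported, for both reasons; the other two web links are consistent with the guidance and the mailto link is skipped. The check is a filter for the reader's own attention, not a substitute for typing the address directly or calling the company as the list recommends.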

What is Ransomware?

Even with education and vigilance, there is still the chance that your computer or company network will be infected with malware.  Malware (malicious software) is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses, and spyware. There are ever increasing news reports about a type of malware called ransomware.  Ransomware is a type of malware that accesses a victim’s files, locks and encrypts them, and then demands that the victim pay a ransom to get them back. Cybercriminals trick users into clicking on attachments or links that appear legitimate but contain malicious code that attacks the system. Under a ransomware attack, the victim has a certain amount of time to pay to get “the code” that will unlock and release the files.  Even if the victim pays, there is almost never a code provided that will unlock the files.  Any individual or organization can be a potential ransomware target.

Education and awareness are the best defense against a ransomware attack, but combining awareness with the steps below can help mitigate the risk.

  1. All critical software, including computer and mobile operating systems, security software and other frequently used programs and apps, should be running the most current versions.
  2. Back up all files, photos, music and other digital information by making a copy and storing it in the cloud or on a removable device or both. 
  3. As a departure from traditional password schemes, use a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember.
  4. Links in email are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  5. If you use USBs and other external devices to share files, or if you use email to attach and share files, these can all be infected by viruses and malware. Use your security software to scan them before downloading files onto your computer.


Resources

There are a number of great resource centers for getting a better understanding of cybercrime and how to protect your business from malicious attacks.  

Anti-Phishing Working Group, Inc. (APWG) - APWG is the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities. 

STOP. THINK. CONNECT. - STOP. THINK. CONNECT.™ is the global online safety awareness campaign to help all digital citizens stay safer and more secure online. The message was created by an unprecedented coalition of private companies, non-profits and government organizations with leadership provided by the National Cyber Security Alliance (NCSA) and the APWG.

Associated with these organizations are a number of private companies that can provide additional resources for protection against cybercrime. Cybercrime is a rapidly changing and evolving risk to individuals and businesses.  The more we know, the better we can stay vigilant and protect ourselves. 

Until next time, stay safe and be kind to one another.

Monday, March 26, 2018

Risk Management Strategy


Congratulations!  You have successfully navigated the process of identifying your risk appetite and tolerance; you have identified the potential risks that can have an impact on your business, and you have analyzed and prioritized these risks. 

Now what?  Do you:
  • Avoid the risk?
  • Accept the risk?
  • Mitigate the risk?
  • Transfer the risk?

But before we get into the post, I want to give you a little explanation about the photograph I chose.  It is a picture of the board game Risk, probably my favorite board game growing up.  I would analyze and rank the different scenarios for conquering the world and would plan my different strategies for success.   I loved it and was excited about this week so I could use this photo. 

OK, on to the task at hand.  In this post we will review each of the strategies mentioned above and weigh the benefits.  How do you determine which is the right course?  The right course will depend on your risk appetite and on your analysis and prioritization of the risks you have identified.  You will use these tools to determine your risk management strategy.

All too often, we see one or more of the following methods used as a risk management strategy:

  • Pretend the risk does not exist.
  • Pray the risk will sort itself out so you will not have to deal with it.
  • Acknowledge the risk, but deny that it will have any impact on operations. 
These approaches are not risk management, and they are not good strategies.  In the first case, acting as if a risk does not exist is not realistic; it only forces one to deal with the risk once it becomes a crisis.  Second, I cannot recall a situation where a risk has sorted itself out.  And finally, in my experience, though you can control the impact the risk will have, I have not come across a situation where simply denying that a risk will impact operations has been a successful strategy.

The following methods are risk management strategies for addressing risk:

Risk Avoidance

The first strategy is to avoid the risk altogether.  The benefit is that your business is not exposed to it.  The downside is that by avoiding the risk, you may not achieve the goal or accomplishment it is associated with.  For example, you might not gain the profits associated with the business venture you choose to avoid.  When considering risk avoidance as a strategy, you need to really understand the full impact of the decision.  Usually, this approach is considered for a risk that has a low impact on operations, or where the organization’s goals can still be achieved without confronting the risk.   

Risk Acceptance

By accepting the risk, you determine that the risk will not have a significant impact on operations, that the benefit of the goal is greater than the risk, or that the risk is infrequent enough that it is worth the gamble to accept it in order to achieve the goal.

Risk Mitigation

Even where you have decided to accept a risk whose impact on a program or activity is high, there are steps or actions you can take to reduce the exposure and mitigate the possible financial risk or impact on operations.  You’ll want to explore detective and preventative actions before you introduce the activity on a larger scale.

  • Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur.
  • Preventative action involves aiming to prevent a situation from happening. It includes activities such as health and safety training and firewall protection on corporate servers.

Risk Transfer

The last strategy is to transfer an identified risk to another party.  The two main mechanisms for this approach are:
  • Contractual risk transfer (transfer the risk to another party through a contract).  With this method, we can transfer the liability for damages caused by a subcontractor’s work, or by the goods and services purchased from a vendor.
  • Risk financing. This is otherwise known as insurance.  By purchasing an insurance policy, we are effectively transferring our risk to an insurance company.  They, in turn, accept the risk for a price.

With any strategy or combination of strategies, you must continuously monitor your strategies, measure their effectiveness, and adjust as necessary.  During the 1990s, I attended several workshops by a scholar and management consultant by the name of Dr. W. Edwards Deming (https://en.wikipedia.org/wiki/W._Edwards_Deming); his teachings in continuous process improvement resonated with me and I began to apply them regularly.  Plan-Do-Check-Act is a four-stage approach for continually improving processes and for resolving problems. It involves systematically testing possible solutions, assessing the results, and implementing any changes to the process to continue toward the goal.

The four phases are:
  • Plan: identify and analyze the problem and decide on a strategy (or combination of strategies) to implement.
  • Do: test the potential solution, ideally on a small scale, and measure the results.
  • Check/Study: study the result, measure effectiveness, and decide whether the strategy is effective or not.
  • Act: if the strategy is successful, implement it.  Continue to monitor the performance for any changes.

Risk management strategies are like any other business strategy and involve monitoring key performance indicators and adjusting the strategy as necessary to ensure the greatest success. 

We now have the basic tools for developing and implementing a more formalized risk management process which can be as simple or complex as you have the time to manage.  As I said in an earlier post, you are probably doing some of these activities already but perhaps now you can better see your activities as part of an overall risk management strategy for your firm where you can embrace risk and use it to your advantage.

Until next time, stay safe and be kind to one another.