A quick Google search of the phrase “cyber security” returns more than 19,000,000 results in less than a second.
If that’s not an indicator that this is a hot button issue, I don’t know what is.
Based on my experience, both personally and professionally in the medical device and insurance industries, cybersecurity (and the levels of complexity within it) is constantly evolving.
While statistics on data incidents show that events are on the rise, many think they don’t have any information hackers would want.
Or they think “I have insurance for that,” when in reality what they have could be a drop in the bucket compared to their actual needs.
Below are three rising areas that are worth a second look:
- Ransomware is on the rise and we are all susceptible. When people hear about data breaches they often think of patient records being stolen, as in the Anthem data breach last year, or of credit card information, as in the Target breach in 2013 and more recently at Wendy’s locations. Even if you’re not storing or using personal information for customers or clients, you still have it on file for your employees. And hackers aren’t just looking to steal personal information; they’ve evolved to locking up your computer system and files, literally holding them hostage in exchange for a “ransom,” so you have to pay to get your own data back. This evolution of cyber-attacks is known as ransomware. The FBI went so far as to publish tips on dealing with ransomware for personal and business purposes. Typically, malware is embedded in an email that is sent to someone within your organization. It may look suspicious, or it may look like a legitimate message from a colleague or client. These emails contain a link or attachment that, once clicked, unleashes the malware into your system. You can have an outstanding firewall and IT department, but if your staff isn’t trained to recognize a phishing email, human error can thwart those efforts in a flash.
- Medical devices can create a “back door” for hackers to find their way into healthcare computer systems. TrapX, a deception-based cybersecurity firm, released a report and case studies in 2015 and an update in 2016 on medical devices being hijacked, creating a weak link in hospital cybersecurity infrastructures. Many of these devices, such as X-ray equipment, blood gas analyzers, PET scanners, and the list goes on, are operating on older software systems such as Windows 2000 or XP that haven’t been updated. The standard firewall is in place for the internet within the hospital system and protects against external attacks, but there usually isn’t a firewall between an X-ray machine and the computer it’s connected to. There’s a great graphic here that illustrates the access points. The FDA has now provided guidance for device manufacturers for the post-market management of cybersecurity in medical devices, but it will take more effort to close the gaps.
- Your current insurance coverage may not be sufficient if you suffer a cyber incident. You might have general liability, directors and officers, and a handful of additional insurance policies your agent recommended and you agreed are worth the investment. Some of the policies may even have a sort of “cyber” coverage, or a sub-limit for a cyber claim. What happens if the FBI notifies you that a breach has occurred because they figured it out before you did, and now you have to hire a forensic accountant to determine when and how the breach occurred? That could easily cost tens of thousands of dollars. That alone can blow through the sub-limit of your existing policy. If you have notification costs, need to provide credit monitoring services, or need to enlist a public relations specialist to help manage brand and reputational damage, the costs will continue to mount. It’s here where specific cyber liability policies become important for businesses. Some policies even provide coverage for ransomware attacks.
With the constant increase of reported data incidents and cyber-attacks, it’s practically a question of when, not if, it may occur in your business. Look beneath the surface of the cyber security hype to identify the many risks to you and your business.
Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, Oswald makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information.