“More than 74 million credit card numbers stolen from TJ Maxx computers.” Not only was this 2007 story one of the earliest massive cases of cyber liability, it helped build awareness of one of the great threats of the information age: thieves who touch nothing but a keyboard and mouse, and who take nothing but bytes of data.
As a business owner you may feel that you are immune to cybercrime, and that only large multinational businesses are at risk. The unfortunate reality is that virtually all businesses are susceptible to a cyber liability loss. And while your business may not face the same public relations risks that TJ Maxx faced, this type of negative publicity can ruin the reputation of a business and destroy the trust of its customers.
What is “cyber liability”?
Cyber liability refers to the risks presented by conducting business in the digital age, including e-commerce, computers, networks, or other informational assets. As it’s almost impossible to conduct business without a computer, it’s important to protect yourself from criminals who are looking to tap into your business’ sensitive information.
In fact, cybercrime is one of the fastest growing areas of criminal activity. As it would be almost impossible to cover every type of cybercrime here, the focus of this article is on cybercrimes that take information without authorization from, or cause damage to, a computer or computer network.
How does cybercrime hurt your business?
The impact of cybercrime on your business can include:
- Computer viruses damaging your software and data.
- Online hackers looking to steal intellectual property or confidential information.
- Website hijacking, where your website information is replaced with false or bogus information.
But cybercrime doesn’t just hurt you; it can affect your employees, your customers or anyone else you do business with. For example, a lost or stolen laptop may contain personal information on your employees and/or customers, such as addresses, birth dates, social insurance numbers and credit card information. If this information falls into the wrong hands, it could put these individuals at risk of identity theft.
How can you protect your business?
The following are 12 tips that can reduce the chance of a cybercrime affecting your business:
- Establish your information security policies. Write down briefly what you expect of your business and employees when it comes to technology and information. Make sure your expectations are simple and available, and that employees understand them as well as the dangers of computer intrusions.
- Use firewalls and antivirus programs to help prevent an unwanted computer intrusion. Consider using an Intrusion Detection System that can assist in detecting network breaches when they do occur.
- Update systems and software on a regular basis to ensure you’re using the most current version available.
- Use password protection. Consider using a password that has 8 or more characters and includes a combination of upper and/or lowercase letters, punctuation, symbols, and numbers. Avoid recycling passwords.
- Lock your computer when you leave your desk.
- Encrypt your data, especially data that contains confidential or business-critical information and data that is stored on portable devices. After all, today’s smartphones can hold eleven filing cabinets’ worth of information or more.
- Restrict the use of portable devices to those employees who need them to perform their jobs. Assess whether sensitive information really needs to be stored on these devices, and ensure that the appropriate security safeguards restrict access to them. Even when a laptop is in use, consider using a cord and lock to secure it to the employee’s desk.
- Ensure that remote access to your network is secure. Ask your network administrator “If remote access is allowed, is it restricted to Virtual Private Networks?” and “Are wireless transmissions protected using WPA/WPA2, IPSEC or SSL?”
- Back up computer data on a regular basis and keep the copy in a secure off-site location.
- Lock and secure sensitive data, especially that of customers and employees, using safeguards appropriate to the sensitivity of the data. Ensure you only keep data for as long as you need it and, once you no longer need it, that the data’s destruction is handled securely.
- Do your due diligence on outside service providers. Your security practices are only as good as the people who implement them. Before outsourcing functions like payroll, web hosting, data processing, etc., compare the provider’s data security practices and standards to yours. Document the service provider’s commitments to you in a written contract.
- Control access to your system by insiders. Don’t just prevent hackers from accessing your computer network; employees should only have access to systems on a need-to-know basis. Should an employee leave your company, immediately deactivate their access to systems and collect their company-issued electronic devices.
Finally, don’t hesitate to get help. Cyber liability is a complex topic, and there may be value in hiring a third-party expert to evaluate your cyber risk and the potential financial impact of a breach.