Know your IT risks

Whether you have your in-house IT team, or have outsourced your IT needs to be taken care of by a Managed Services Provider, you need to know what are the possible risks to your business from the IT perspective. Having an IT risk checklist can help you be better prepared for an IT emergency.

Getting started

In order to assess your IT risks, you need to first know your IT landscape. Answer questions like

• What role is IT going to play in the success of your business
• What areas is IT supporting your business in, currently
• What new roles can you foresee for IT in improving your business efficiency
• Do you have any new technology in mind that you want to implement in the next year
• If you have your in-house IT team, what kind of staff structure do you see in the next year
• If you are planning to expand your in-house IT team, how many team members will you need to bring onboard and what will be the cost associated with this decision
• Would it be more effective and efficient to hire an MSP instead to supplement your in-house IT department
• What is your IT budget for the year

The checklist for your IT risks

The next step would be to create a checklist of your IT risks. At this stage, you should be answering questions like

• What IT risks are most relevant to you? For example, data privacy is a serious concern for a business operating in healthcare, while phishing can be a bigger concern for an accounting firm. Another angle to look into are environmental risks. For example, do you operate in a hurricane-prone area, or someplace prone to wildfires? Make a list of risks most relevant to you and assess the possibility of them happening to you. Such assessments will help you arrive at the key safety measures that you need to take, as a business, to keep your data safe.
• In the worst case scenario, if your IT infrastructure were to fail, how long can you survive before it will be difficult for you to bounce back? Can your business operate without your key IT systems working? If not, how long can you afford to keep it shut?

Whether you have your in-house IT team or rely on an MSP for your IT maintenance, this exercise will help you understand your key IT goals and the possible impediments to them, and help you survive in the event of an IT emergency.

What to consider when investing in cyber insurance

As a business, you are probably aware of the term, cyber insurance. With the cybercrime rates rising consistently, cyber insurance is increasingly becoming a necessity for survival. Here are a few things to consider before you sign up with a cyber insurance service provider.

Risk analysis

First, perform an internal risk analysis. Research to understand what kind of cybercrimes are most rampant in your industry and ensure your insurance policy covers those for sure. Like we discussed before, the most basic of cyber insurance covers data breach and associated costs, but you definitely want more than just that.

What is the scope of your policy

Be clear about the scope of your policy before you sign the dotted line. Remember that cyber insurance functions on the same principles and policies as like any other insurance, which means there will be deductibles, waiting periods and exclusions. Be sure to ask your insurance service provider about them. You don’t want to find out you weren’t covered by insurance until after the attack, at the time of claim. Here are a few things to ask your insurance company in this regard.

1. Does the policy cover you if a breach happens via your sub-contractor or vendor and makes you liable to your clients? If your cyber insurance doesn’t cover those, then make sure your vendors and sub-contractors have cyber insurance to cover you or sign some kind of an indemnity contract with them so you are covered in the event of such incidents.
2. In case of an action byyour employee causing the breach, such as clicking on a fraudulent link or sharing data accidentally to a dubious email ID, will you still be covered?
3. Ask your insurance provider to clearly spell out any deductibles, exclusions and window periods that may exist
4. Check with your insurance provider on what would be your liabilities as the insured. For example, there may be rules regarding anti-virus measures, data safety and security measures, IT training, timely data backups and IT audits, etc., that you may have to follow in order to be eligible to be covered under the insurance in the event of a breach

Before you sign up, do your research thoroughly, get proposals from multiple insurance service providers and opt for a policy that covers your needs the most and the best. Sometimes, service providers may be willing to make additions or modifications to an existing policy to meet your exact requirements, which may work best for you.

Cyber insurance: What’s the cost and what does it cover

Cyber insurance covers a range of elements, the most basic being the legal expenses incurred as a result of falling victim to cybercrime. This includes legal fees, expenses, and even any fines that you may have to pay or financial settlements that have to make with your customers or third parties who have been affected as a result of the incident. Apart from this, depending on the coverage you opt for, your cyber insurance may cover the following.

Notification costs

In the event of a data breach, the business is required to inform all affected parties of the breach. This involves reaching out to them individually and also through the press. Cyber insurance may cover the costs related to this process.

Restoration costs

After a cybercriminal attacks your IT infrastructure, you will have to spend money restoring it. There will be considerable expense in terms of recovering the lost data and repairing or replacing affected IT systems.

Analysis costs

In the event of a data breach, you will have to conduct a forensic analysis to identify the root cause of the breach and figure out how to prevent further occurrences. Cyber insurance may cover the costs of such an investigation.

Downtime costs

When your business operations shut down, even temporarily, due to IT issues, you lose revenue. You could get a cyber insurance policy to cover such downtime costs.

Extortion money

In some cases of data theft like a ransomware attack, cybercriminals usually demand a certain amount of money as ransom or extortion to let you access it again. Considering how rampant ransomware attacks are these days, it may make sense to opt for a policy that covers this angle as well.

How much does cyber insurance typically cost

Depending on the coverage and risk, annual cyber insurance costs range anywhere from $1000 a month to about a million dollars. But, what you need to ask yourself is, how much can it cost you if you ignored cyber insurance? The answer is, it could cost you your business, your customers and your brand reputation. With cybercrimes rising at alarming rates, cyber insurance is not a luxury that only the big players should invest in. It is the need of the hour for any business, irrespective of its industry or size.

Cyber insurance 101

What is cyber insurance

With cybercrime becoming a major threat to businesses across the world, irrespective of their size, cyber insurance is fast becoming a necessity more of a necessity than a choice. However, the concept of cyber insurance is still fairly new and not many SMBs are aware of its benefits. Cyber insurance is an insurance that covers your liability in the event of your business becoming a victim of cybercrime. For example, a data breach puts you at risk of lawsuits, makes you liable to your customers/other parties whose data has been compromised because of/via your organization. Cyber insurance covers the financial aspect of such liabilities, making it easier for you to deal with them.

Why do you need cyber insurance

Many organizations think of cyber insurance as an added cost. They believe they don’t need it for various reasons.

Bigger organizations think their IT security measures are watertight and they won’t fall victim to cybercrime, and they also tend to believe that even if they are affected in a one-off case of cybercrime, they are solid enough to discharge their liabilities and come out of the incident with their brand value intact.

SMBs, on the other hand, think cybercriminals are most likely to target the bigger players and they don’t need cyber insurance. But, in reality, it is the smaller businesses that are at a greater threat–primarily, because

1. They lack the resources to strengthen their IT infrastructure and their staff is less likely to be trained in identifying cyber threats, making them more vulnerable
2. They are less likely to recover from the damage to their financial and brand health as a result of falling victim to cybercrime

The bottom line is, every organization–big or small, needs cyber insurance today. Cyber insurance, however, is not a replacement for cybersecurity. Having cyber insurance doesn’t mean you can be lax about cybersecurity. It is meant as a buffer, to help.your business survive when something slips through the cracks. An MSP can help you tighten your cybersecurity and prevent data breaches and other untoward incidents. Also, being well versed with the IT industry, your MSP can help you understand the IT risks that you need to get covered for. They can also help you pick out the right cyber insurance policies, in some cases, some of them even being insurance advisors or agents.

Website cloning: Don’t fall for that trap!

Have you watched one of those horror movies where the something impersonates the protagonist only to wreak havoc later? Well, website cloning does the same thing–to your business–in real life. Website cloning is one of the most popular methods among scammers to fleece you of your money.

As the name suggests, the cybercriminal first creates a ‘clone’ site of the original one. There can be a clone of any website, though retail shopping sites, travel booking sites and banks are the favorites of cybercriminals. The clone site looks exactly like the original one, barring a very miniscule change in the url.

Next, they will create a trap intended to get unsuspecting victims to visit the clone site. This is usually done via links shared through emails, SMS messages or social media posts asking them to click on a link to the clone site. The message urges the recipient to take an action. For example, a message that presents itself as though it is from the IRS, asking the recipient to pay pending taxes by clicking on a specific link to avoid a fine or business shutdown, or an SMS about a time-bound discount on iPads. Sometimes, they go straight for the target and masquerade as a message from your bank asking you to authenticate your credentials by logging into your banking portal–the only glitch, the banking portal will be a clone.

Staying safe

So, how do you identify a clone website and a dubious message?

• Does the email sound too good to be true? Well, then it probably is. Nike giving away free shoes? Emirates Airlines giving you free tickets to Europe? Apple iPhone X for just $20? All of these scream SCAM!
• Even if the message sounds genuine, such as an email from your bank asking you to authenticate your login credentials, check the email header to see if the sender’s email domain matches your bank’s. For example, if your bank is Bank of America, the sender’s email ID should have that in the domain. Something like [email protected] could be genuine, whereas, [email protected] is suspicious.
• Check the final URL before you enter any information to make sure it is the actual one. Most shopping/banking websites, where payments are made and other personal details are shared are secure (HTTPS)and will have a lock symbol at the beginning of the URL. Also, check the domain. For example, something like- www.customerauthentication.com/bankofamerica is not

Identifying a cloned website is tricky, but it is not something you can afford to ignore.Giving away your personal and financial information to a fraudster can cause a lot of harm to you and your business.