Although news headlines highlight data breaches involving large corporations, industry studies show that the majority of data breaches, including ransomware incidents, involve much smaller firms. Large corporations have extensive resources to devote to cyber defense and security; smaller firms, such as small insurance agencies, generally do not, making them easier targets for cyber criminals.
The average agency handles relatively large amounts of confidential client and employee data, making it an attractive target for cyber criminals. At least 47 states have breach notification laws mandating actions which must be taken by firms that sustain a loss of personally identifiable employee/client information. Even if a cyber attack does not physically disrupt an agency's operations, the costs associated with a forensic investigation and breach notification can have a catastrophic impact on the firm's balance sheet. Other, less tangible impacts include loss of clients and damage to a firm's reputation.
As agencies rely more and more heavily on electronic communication and the use of mobile data devices, the potential for cyber attack grows exponentially. If an employee with access to the agency's system visits a malicious or compromised website, or downloads software containing malicious code, the system can be compromised. A study of 1200 data breaches within the US Government determined that 95% were related to employee human error. Accordingly, properly managing the human element is any firm's first line of defense against cyber threats.
Employee awareness and education are key to preventing attacks. Security industry studies indicate that most breaches involve some level of employee involvement, whether through clicking on a phishing e-mail, downloading a questionable document or app, or simply failing to use effective passwords. Firms should educate staff on the risks of using personal devices on the job, what to do if one is lost or stolen, and the risks of traveling and/or accessing sensitive data over unsecured connections such as coffee shop free Wi-Fi and hotel business centers. Cyber awareness education should be mandatory for all employees, with periodic testing. Additional mandatory training should be required for staff who fail such tests. Special emphasis should be placed on training staff in key departments that are particularly vulnerable to a cyber attack, such as finance and human resources. Mandatory policies for mobile and employee-owned devices should be established to ensure that employees don't create unguarded network access points. Passwords should be protected, and encryption software should be used on all devices used to access the firm network, including employee-owned devices.
Properly assessing your firm's cyber risk, developing effective cyber security measures, employee education and proactive planning can all help your firm manage cybersecurity risks while protecting its reputation and profitability.