Understanding actual cyber incidents that others have experienced can help businesses identify where they may also be at risk. Each of these scenarios is an actual incident with identifiable details removed.
Unauthorized access risk: Suspicious email activity was noticed in June 2020, and the business called in reactive incident response to investigate. The investigation showed that the unauthorized access had begun two months prior and that data of a major client had been exposed. The business was forced to notify its client, provide credit monitoring, and set up a breach hotline for their customers whose data was exposed.
Key takeaway: Who else has access to your data? Anyone who does should be aligned to a known cyber framework that provides reasonable protections, including monitoring to detect unauthorized access and multi-factor authentication to prevent stolen credentials from allowing access.
3rd party vendor risk: A file transfer service used by many businesses, including many major law firms, had a vulnerability that allowed hackers to gain access to its customers' files. Client data related to a lawsuit was put up for sale on the Dark Web and exposed publicly. Since then, at least two other firms have reported data breaches related to this service provider.
Key takeaway: Data that you store in the cloud or transmit through 3rd parties is still your responsibility. Even if your own network is not breached, your business will need to report the breach to the affected parties (your customers, staff and/or prospects). You will face notification costs, credit monitoring costs and loss of reputation.
Outdated solutions risk: A very popular firewall used in many SMBs had a vulnerability that hackers figured out how to exploit. Patches were not immediately available, so the manufacturer recommended some configuration changes and IP access restrictions on the management console to prevent unauthorized access. Businesses that were not notified of these steps remain at great risk.
Key takeaway: Your security solutions (firewalls, switches, routers, antivirus software, etc.) need to be patched on an ongoing basis to ensure they are protected when new vulnerabilities are discovered. Solutions that are not properly implemented may provide little or none of the protection that you should get from your investment.
Insurance coverage denial risk: An employee clicked on a malicious link in an email and exposed the business to ransomware. The business could not restore their data from backups and chose to pay the hackers for the decryption tool. After paying over $25,000, they were able to recover most of their data but also had to pay to have some documents recreated and lost weeks of billing while they did not have access to their client files. They submitted a claim to their commercial insurer for more than $700,000 of total expenses and lost income.
Key takeaway: Make sure your insurance is aligned to your cyber risk. Generic cyber insurance riders have very limited coverage, especially for ransomware, wire transfers, or other types of social engineering fraud where your staff is tricked into sending funds to hackers. Other commonly excluded claims include regulatory fines or legal judgments, and some policies may not even cover cyber forensic costs to determine the cause and extent of a breach.