By Michael Campbell

 

Brace yourself for a shockingly outlandish statement.

A cyber breach can happen to any business, regardless of revenue or size. Wait a minute. Let’s back up. Not only has that statement likely been written and spoken a thousand times this past year at conferences, seminars, in classrooms and meetings, but the most frequent, most popular articles published on insurance-based news websites, blogs, and social media feeds everywhere are about…what? The Big Bad Wolf of 2015 (and beyond), AKA Cyber Risk.

If the fire is already burning, why throw on more gasoline? Aside from the fact that this writing is published on a blog for an insurance company that sells a cyber breach product, statistics reveal that Canadian businesses still aren’t convinced they actually need cyber insurance.

A Canadian Underwriter article published on October 28th, 2015 indicates that 42% of Canadian businesses do not have cyber insurance coverage. However, 87% have experienced at least one hacking incident. What do the 42% think? An insurance product relating to cyber breaches logically fits under the category of “last resort”.  A solid chunk of businesses don’t want to think the consequences of a cyber breach are really that dire.

What’s holding Canadian businesses back?

The issue is that recent publications tend to focus on preventative tactics and statistics, rather than clear “next steps” following a breach. Let’s face the music. No amount of preventative measures can immunize a company against a cyber attack. Businesses need a prevention strategy as well as a post-attack strategy. Which brings us to the title and theme of this article. Have you ever eaten macaroni without the cheese sauce? Have you ever experienced a Canadian winter without snow? Ever seen a Steven Seagal movie where he isn’t holding a gun on the cover? Still effective, but it’s just not the full package. In other words, you aren’t getting the best bang for your buck.

Employee education and keeping software updated are essential methods of mitigating risk. However, they won’t hold up against the vigilance of a motivated hacker. The number one priority of a hacker is to manipulate and deceive. A good example is this live feed from Norse Corporation.

http://map.norsecorp.com/

Mesmerizing, isn’t it? It’s also a bit terrifying. Those are live cyber attacks you’re seeing. If you didn’t realize the frequency and ferocity at which hackers operate, I hope the reality is clearer now.

Does this matter to Canadians?

The devil’s advocate will be quick to point out that few lines on this map appear to target Canada. As a Canadian, why bother with insurance coverage? It would be naive to think that this map detects 100% of attacks. Furthermore, our status as a world power is inherently tied to the United States. The U.S. attracts the most hacker attention. Therefore, the only rebuttal needed is a statement of truth. It only takes one good attack to bring a multinational, multi-billion dollar corporation to its knees (read about the MyDoom virus).

Businesses neglect to purchase cyber insurance due in part to a mentality that “middle-class” status or having employees in a lower tax bracket makes them less of a target. Incorrect. Email phishing hackers target information, not income. If a business is exposed to a breach like a spear-phishing campaign, for example (which accounts for 91% of successful attacks), the strength of its defense relies as much on the lowest-paid employee as on the highest-paid employee. Money doesn’t enter the equation until it’s already been stolen. The reverse scenario also applies. Small to medium-sized businesses are at risk of becoming a target if they experience rapid financial growth. But once again, the target isn’t company funds. It’s company information.

Next Steps

Complete protection means taking out an insurance policy that covers the needs of a company’s unique risk. Even the most proactive victims still experience difficulty when attempting to resolve issues on their own. When one hacking attempt is thwarted, another is just around the corner. For this reason, the value of outside consultancy cannot be overstated. Policies often provide breach consulting services. Such services are absolutely essential in providing clear “next steps” after a breach occurs. This feature is especially necessary if a company does not have a full-time IT security professional on staff.

No profession or business is immune to the efforts of hackers and fraudsters to steal private information. Even the best antivirus software and employee training are not a sure thing to prevent an attack. The only way to ensure that a business is adequately prepared for an incoming cyber breach is to combine defensive efforts with an insurance policy that will help mitigate loss.

If you take one thing away from this article, let it boil down to this. Don’t eat your macaroni without the cheese sauce. Combine defensive efforts with an insurance policy that will help mitigate loss.