Cyber Ed
Keeping yourself informed could save you from a costly breach.
What is Cybersecurity?
Data breaches can occur on a large and small scale, but most people are probably familiar with the more prominent incidents. Every employer faces the reality that they could be the target of a network security breach. A cybersecurity breach can jeopardize credibility and cost small businesses without cyber insurance thousands of dollars (or more) in damages and impact customer service, productivity and reputation.
A data breach occurs when sensitive information is accessed by cybercriminals who find the means to bypass network security from a remote location. They may steal personal and sensitive information like:
- User names
- Addresses
- Phone numbers
- Credit card records
- Social security numbers
Cybersecurity, or information security, refers to the measures taken to protect a computer or computer system against unauthorized access from a hacker. A robust cybersecurity policy protects secure, critical or sensitive data and prevents it from falling into the hands of malicious third parties.
Every October since 2004 has been designated National Cybersecurity Awareness Month. Cybersecurity awareness has continued to grow, reaching consumers, small and mid-sized businesses, large corporations, educational institutions and young people across the United States.
Cybersecurity Risks
Below are cybersecurity risks that can wreak havoc on a business:
- Deepfakes: Developed from artificial intelligence technology, deepfakes can take an image of one person and replace it with another person’s likeness. In 2020, there were nearly 15,000 deepfake videos online. As the technology becomes easier to use, more people are making these types of videos, and their impact could be felt across the business, political and media worlds.
- Ransomware Attacks: Ransomware is a type of malicious software designed to block access to a computer system until a sum of money (or ransom) is paid or some other action is completed. Sometimes, a ransomware attack is as simple as forcing the user to complete a survey. The most common types are lock screen and encryption ransomware. The lock screen shows a full-screen message that prevents the user from accessing their PC or files. Encryption modifies files so they can’t be opened.
- Data Privacy: The use of personal data must be explained to consumers simply and transparently, and in most cases, consumers must give their consent before their personal information is provided. As big data grows, privacy concerns are also increasing. The possibility of data breaches can put your business’s sensitive information in the hands of identity thieves.
- Spear Phishing: Phishing, a type of social engineering scam, attempts to fraudulently obtain sensitive information using email. The email appears to come from someone that you know or have done business with. However, the message might include poor grammar, syntax errors, broken links, and the email address might be slightly different from the familiar one. The email could be written with a sense of urgency, demanding an immediate response. Spear phishing is a type of scam that targets a particular person in an organization directly.
- Human Mistakes: In the past few years, there has been a rash of well-known cyberattacks on businesses, including British Airways, Marriott Starwood and Citrix. The 2018 Verizon Data Breach Investigations Report found that human mistakes caused 21% of data breaches.
- Business Travelers: Business travelers can be more vulnerable to a cyberattack than those traveling for pleasure, mainly because they often carry laptops, cell phones and tablets with sensitive data on them. Those who travel internationally can be even more at risk due to strict customs regulations that allow officials to inspect electronic devices, including asking for passwords to access hard drives.
- Interns: Hiring interns can be highly beneficial to small businesses to recruit and train future employees. Generation Z is one of the most enthusiastic groups of social media users to enter the workforce. And, while sharing their excitement for their new position can help positively promote a small business, the information they post daily can also be a veritable treasure trove for hackers.
- Nonprofits: The perceived large coffers of nonprofit organizations and the inherent risks involved with daily business can put these organizations at risk for a cyberattack. There are several ways that nonprofits are prime targets for cyberattacks, including online donations, phishing scams, ransomware and potentially “bad” volunteers.
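As an added example (not part of the original page), the following Python check flags two of the spear phishing indicators described above: a sender domain that is slightly different from a familiar one, and urgency wording in the message. The trusted-domain list, the urgency phrases and the two sample messages are all constructed for this illustration and do not refer to any real organization.

```python
# Added example, not from the original page: flag the phishing indicators
# described above (lookalike sender domain, urgency wording) in a message.
# The trusted domains, phrase list and sample messages are constructed.
import re
from difflib import SequenceMatcher

# Domains this hypothetical business normally corresponds with.
TRUSTED_DOMAINS = {"examplebank.com", "ourvendor.net", "ourcompany.com"}

# Wording that pressures the reader into an immediate response.
URGENCY_PHRASES = (
    "immediately",
    "urgent",
    "within 24 hours",
    "account will be suspended",
    "act now",
)


def sender_domain(from_header: str) -> str:
    """Extract the lowercase domain from a From: header such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def closest_trusted(domain: str) -> tuple[str, float]:
    """Return the trusted domain most similar to `domain` and the similarity ratio (0..1)."""
    best, best_ratio = "", 0.0
    for trusted in sorted(TRUSTED_DOMAINS):
        ratio = SequenceMatcher(None, domain, trusted).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    return best, best_ratio


def phishing_indicators(from_header: str, subject: str, body: str) -> list[str]:
    """Return the indicators found; an empty list means nothing suspicious was seen."""
    indicators = []
    domain = sender_domain(from_header)
    if domain and domain not in TRUSTED_DOMAINS:
        trusted, ratio = closest_trusted(domain)
        # A domain that is close to, but not exactly, a trusted one is the
        # "slightly different address" sign; 0.8 is an illustrative threshold.
        if ratio >= 0.8:
            indicators.append(f"lookalike sender domain {domain!r} resembles {trusted!r}")
    text = f"{subject} {body}".lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            indicators.append(f"urgency phrase {phrase!r}")
            break
    return indicators


# Constructed sample messages: one legitimate, one with a lookalike domain
# (digit 1 in place of the letter l) and urgent wording.
SAMPLE_MESSAGES = [
    {"from": "Accounts <billing@examplebank.com>",
     "subject": "Your monthly statement",
     "body": "Your statement is attached."},
    {"from": "Accounts <billing@examp1ebank.com>",
     "subject": "URGENT: verify your account",
     "body": "Respond immediately or your account will be suspended."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        found = phishing_indicators(msg["from"], msg["subject"], msg["body"])
        print(msg["from"], "->", found or "no indicators")
```

A check like this is a reminder for readers, not a replacement for the mail gateway's own filtering: the similarity threshold is deliberately simple, and the legitimate message produces no indicators while the lookalike message produces two.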
What is a Cyber Attack?
Cyber attacks threaten businesses every day, often resulting in damages up to hundreds of thousands of dollars or more. A cyber attack is a deliberate assault on a computer system or network that uses malicious code to make unwanted modifications or steal data. Some of the most common examples of cyber attacks include the following:
Social Engineering Scams
Cybercriminals commit their crimes through social engineering scams – the act of deceiving or manipulating someone into divulging confidential or personal information to use for fraudulent purposes. Social engineering scams come in many forms, including phishing scams sent via email to collect sensitive data, baiting scams that infect a computer with malware after the user downloads free music or movies, caller ID spoofing and more.
Malware
Malware, or “malicious software,” is a type of cyber attack that installs dangerous software on a user’s computer after the user clicks a harmful link or opens an email attachment. The malware can lock down the computer, blocking access to files and other vital components of the network, and obtain sensitive information.
One common form of malware is ransomware, which blocks access to the system until a sum of money is paid or another action is completed. Other types of malware include Trojan horses, malicious programs designed to look like typical software so that users are tricked into installing them. Another route of infection is a malicious script planted on an insecure website that redirects the user to a site controlled by the hacker.
SQL Injections and Other Web Application Attacks
A Structured Query Language (SQL) injection is a cyber attack that involves a hacker “injecting” malicious code into a service that uses SQL, forcing it to expose information it would normally not display, including customer details, user lists and other confidential company data.
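As an added example (not code from the original page), the following Python program runs the same customer lookup two ways against an in-memory SQLite table filled with constructed sample rows: once by pasting the user-supplied value into the SQL text, and once by binding it as a parameter. The table, rows and crafted input are all constructed for the illustration.

```python
# Added example, not from the original page: a lookup built by string
# concatenation next to the parameterized form, run against constructed data.
import sqlite3

# Constructed sample rows standing in for a customer table.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with the sample customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input becomes part of the SQL text, so quote
    characters in it change what the query means."""
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the input is bound as a parameter and is never parsed
    as SQL, so it can only ever match a literal username."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# The classic textbook input: it closes the quoted string and appends an
# always-true condition in the concatenated query.
INJECTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("normal input, vulnerable: ", lookup_vulnerable(conn, "alice"))
    print("crafted input, vulnerable:", lookup_vulnerable(conn, INJECTED_INPUT))
    print("crafted input, safe:      ", lookup_safe(conn, INJECTED_INPUT))
```

With the crafted input the concatenated query returns every row in the table, which is exactly the “expose information it would normally not display” outcome described above, while the parameterized query returns nothing because no customer is literally named that string. Parameterized queries (prepared statements) are the standard fix in every mainstream database library.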
Denial-of-Service
A denial-of-service (DoS) attack occurs when hackers overload a system’s resources and cause it to become unresponsive to service requests. In other words, these attacks can shut down the system and make it inaccessible to authorized users. A distributed denial-of-service (DDoS) attack also targets the system’s resources, but the traffic comes from a larger number of host machines, all infected and under the control of the cybercriminal. DoS and DDoS attacks can completely debilitate a website, especially when carried out with botnets.
Botnets
A botnet is a network of compromised devices, or bots (short for robots), comprising personal computers and other devices. Botnets drive various types of cyber attacks that can be used to steal personal information and passwords, spread spam and deliver viruses. They’re cheap and effective for cybercriminals to utilize, and as mentioned above, can also facilitate a DoS attack, flooding a webpage with traffic to ensure the site goes offline.
How Can a Data Breach Be Prevented?
A data breach can also occur due to simple mistakes by employees. The Identity Theft Resource Center found that in 2019, 705 million non-sensitive records were compromised due to a data breach, while cyber attacks exposed over 164 million sensitive records. Non-sensitive data such as usernames or passwords could lead to additional exposure.
Warning Signs of a Data Breach
There are warning signs for a data breach that you can watch out for, including:
- Unusual Software Behavior: Check your system for hardware and software irregularities.
- Suspicious Files: If malware is detected or a user reports opening a suspicious file, assume that the malware has infected something.
- Compromised System Communications: Regularly review communication patterns on the network.
- Outdated Security Programs: Keep anti-virus and anti-malware programs up-to-date.
- Changes in Credit Ratings: Customer information isn’t the only confidential data on the server. Changes in your credit rating could be an indication of fraud and a sign of a data breach.
Data Breach Prevention
Regardless of how big or small your business is, if your data, important documents or customer information is exposed, recovering from the aftermath could be difficult. In addition to knowing the warning signs, there are ways that businesses can prevent data breaches or cyber attacks.
Data Breach Prevention Tips
It’s more important than ever that all businesses understand how to recognize the early warning signs of a data breach, the steps they can take to help prevent them, and how to protect themselves from certain losses incurred from a cyberattack. Below are some data breach prevention tips to keep in mind:
- Scan Your IP & Domain Address for Vulnerability: An external domain or IP address is a unique identifier assigned to your website or to your business’ network by your internet service provider (ISP) that allows your devices to communicate with the internet. All devices in your business share the same external IP when accessing the internet. Our scanner will check for common ports tied to that external IP and exposed to the internet that threat actors look for to gain access to a network. This vulnerability scan should be run from your business network to obtain the correct external IP address for the business.
- Obtain Network Security Posture Report: Have an expert review with actionable recommendations to help your organization(s) address security challenges and goals.
- Review Your Office 365 or Google Workspace Security: Balance security and operational efficiency while safeguarding against identity or business email compromise.
- Implement Managed Detection and Response (MDR) Software: To proactively defend your business against cyber threats, implement MDR software. MDR provides continuous monitoring, real-time threat detection, and rapid incident response, minimizing the risk of financial loss, data breaches, and operational disruptions. By leveraging expert analysis, threat intelligence, and automation, MDR strengthens your security posture, ensures compliance, and enhances resilience against evolving cyber risks.
- Implement Cyber Security Awareness Training for Employees: A well-educated team is the first defense against a breach. Equip employees with the knowledge and skills to identify and prevent cyber threats. Regular training enhances security awareness, reduces the risk of data breaches, and ensures compliance with industry regulations. By educating employees on phishing, password security, and safe online practices, your business can build a strong cybersecurity culture and protect sensitive information.
- Implement a Phishing & Wire Fraud Training Program & Policy: Educate employees on recognizing phishing attempts, fraudulent wire transfer requests, and best practices for handling sensitive information. Regular training reinforces cybersecurity awareness, reduces the risk of costly mistakes, and strengthens your company’s defenses. Take proactive steps now to safeguard your business, employees, and customers from evolving fraud tactics.
- Set Security Protocols on Company Premises: Businesses should clearly understand the data that could become compromised to mitigate the risk of a cybersecurity attack.
- Understand How to Classify Data: Classifying data within an organization helps businesses understand what level of protection it requires.
- Keep Data Safeguarded: Many data breaches result from employee error, so ensure all employees are well-trained on how to keep sensitive information protected. Employees should only have access to the information vital to their particular roles within the company.
- Implement Password Protection: One of the best things a small business can do to stay protected from a data breach is to utilize strong passwords for every site accessed daily. Additionally, passwords should never be shared amongst employees or kept written down where others can see them.
- Update Security Software Regularly: Companies should utilize firewalls, anti-virus software and anti-spyware programs to ensure that hackers cannot easily access sensitive data, and should keep those programs updated regularly.
Additionally, businesses should prepare for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, helps businesses appropriately respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.
What is Data Privacy?
On its most basic level, data privacy is the consumers’ understanding of their rights as to how their personal information is collected, used, stored and shared. The use of personally identifiable information (PII) must be explained to consumers simply and transparently, and in most cases, consumers must give their consent before their personal information is provided.
What is Personally Identifiable Information?
Personally identifiable information is data relating to an identified or identifiable natural person, such as an ID number, location data, online identifier (like an IP or MAC address) or other specific factors. It also includes unique identifying data such as a Social Security number, driver’s license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers and birth date.
Laws Protecting PII
The European Union enacted the General Data Protection Regulation (GDPR), a comprehensive data privacy protection program, in 2018. The GDPR has been a model for privacy laws in the United States.
GDPR
The protection of PII is the core of the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR, enacted in 2018, explicitly directs organizations to protect the personal information of all “data subjects” of the European Union. The protection of PII (and the penalties associated with a data breach of it) are rights held by the data subject and are enforceable inside and outside the European Union.
Any small business which processes the personal data of individuals within the EU is subject to the GDPR, no matter where the company has its headquarters. The GDPR provisions state that the laws apply to people within the EU, but not necessarily to EU citizens. This means that any company using the data of EU subjects, even if this company is stationed outside the EU, will need to comply with new ways of protecting data related to identifying information, IP address, cookies, health, genetic or biometric data, racial or ethnic data and sexual orientation.
California Consumer Privacy Act (CCPA)
The U.S. does not yet have an extensive federal data privacy law similar to the GDPR. Currently, it is up to individual states to develop personal data legislation. California was the first state to implement a law in January 2020, known as the California Consumer Privacy Act (CCPA).
The CCPA gives California residents an assortment of new privacy rights, starting with the right to be informed about what kinds of personal data companies have collected and why it is being used. The law stipulates that consumers have the right to:
- Request the deletion of personal information
- Opt-out of the sale of personal information
- Access the personal information in a “readily useable format” that enables the easy transfer of the data to third parties
The CCPA excludes publicly available information from federal, state or local government records and medical or health information collected by an organization governed by California’s Confidentiality of Medical Information Act or HIPAA.
Remote Workers Cybersecurity Risks
Remote work is growing, especially since many workers switched to remote work during the pandemic, with some workers retaining a hybrid schedule moving forward. Remote employees can present a higher and ongoing cyber risk to their businesses for the following reasons:
Lack of Cybersecurity Training and Established Best Practices
According to Small Business Trends, 48% of cyber attacks were due to a negligent employee or contractor. Cybersecurity training for employees should be an ongoing process. It is vitally important that everyone in the company, especially those who work outside the office, is up-to-date on all security policies. Businesses should consider doing more to ensure all employees are consistently updated about any potential security vulnerabilities – and how to recognize and avoid them.
Using Unsecured Wi-Fi Networks
Employees often access company networks using Wi-Fi from popular or public locations (such as a coffee shop), making them more susceptible to the risk of an online attack. Most public Wi-Fi networks are open and do not require a password to join, which means the wireless connection itself is not encrypted. Unencrypted networks could make it easy for malicious actors to steal data or access credentials.
A VPN (Virtual Private Network) is an essential tool for securing your network, offering several key benefits:
- Encryption of Data: A VPN encrypts your internet traffic, making it unreadable to anyone who intercepts it, such as hackers or anyone on a public Wi-Fi network. This protects sensitive information like passwords, credit card numbers, and personal data.
- Anonymous Browsing: It masks your IP address, making your online activities harder to trace back to you. This helps protect your privacy and ensures that your browsing history isn’t tracked by third parties.
- Secure Remote Access: If you’re working remotely or accessing a network from an external location, a VPN provides secure access to your company’s internal network. It creates a secure “tunnel” to ensure that sensitive data isn’t exposed to threats over the internet.
- Bypass Geo-Restrictions: A VPN can allow you to access websites and services that may be restricted or blocked in certain regions. This is particularly useful when accessing content or services that are only available in specific countries.
- Protection on Public Wi-Fi: Public Wi-Fi networks, such as those in coffee shops or airports, are often insecure. A VPN protects you by encrypting your data, making it much more difficult for anyone to eavesdrop on your activity.
- Prevention of Tracking: By hiding your IP address, VPNs prevent websites from tracking your online behavior. This can stop companies from gathering personal data for advertising purposes or other tracking activities.
- Reduced Risk of Man-in-the-Middle Attacks: A VPN makes it significantly more difficult for attackers to intercept and alter the communication between you and the server you’re communicating with. This helps prevent man-in-the-middle attacks.
Overall, a VPN provides a strong layer of security, privacy, and freedom for both personal and professional network usage.
Personal Use of Laptops or Lack of Physical Security
Using work devices to visit social media pages, answer personal emails or shop online is an example of a remote worker’s risky behavior. Allowing non-employees like friends or family members to borrow devices for personal use is another example. Because the websites or files those people access cannot be monitored, company data is potentially put at stake.
Physical Security of Company-issued Devices
Physical security of company-issued devices can also be a cybersecurity risk. This could be as simple as leaving a device out in the open at home or in an unlocked car.
What is Cyber Insurance?
Cyber insurance, also known as cyber liability insurance, provides coverage for certain losses incurred from data breaches and can help protect your company from a range of cyber attacks. The extent of cyber coverage will vary depending on the industry, the type of business and its specific needs. At a minimum, cyber insurance helps companies comply with state regulations that require a business to notify customers of a data breach involving personally identifiable information.
Many businesses may not realize they need cyber insurance, or may not understand it. From large corporations to school districts, organizations are hit by cyber attacks on a daily basis. Agents can help educate their insured about known risks, how cyber losses are compensated and what coverages are available. Businesses may think their other policies – property, liability, business interruption – cover cyber-related incidents, but often policies do not explicitly include or exclude cyber coverage, leaving it in a grey area. The best way a business can protect itself is to have a cyber liability insurance policy.