Pandemic Cyber Security


One thing this pandemic is certain to do is change the way we do things going forward. We have seen companies from all industries and sizes adapt the way their employees work to ensure they can stay afloat through this crisis. Perhaps your office employees are working from home with a laptop, or maybe you’ve cut all face to face interactions with clients. Either way, the exposure for cyber risk has already skyrocketed.

We’ve been talking about cyber exposures for a number of years now. Whether it be misinformation, a phishing email coming from your business’s email, or a hacker locking up your network and holding it for ransom, the number of attacks on businesses has grown exponentially.

Below are five quick tips on how you can limit your business’s risk of falling victim to an attack:

1) Passwords:
First of all, don’t make your password something along the lines of SeasonYear!, as even I could guess that. Make it something more difficult like best NFL team (Packers), year, exclamation point. That is what I do and it works great (only kidding). In all seriousness, you need to make sure you and your employees are using complex passwords for any login that may hold valuable personal, company, or client information. I suggest using password savers like RoboForm or Dashlane to make sure passwords are updated and not forgotten. Also try to enable two-factor authentication as often as possible.

2) Out-Bound Emails:
Email is a common place, if not the most common, for an attack to occur, especially for a business like a tree service. For example, my dad received an email from a tree service in his area whose Gmail account had been hacked. It mentioned the job, which was actually just finished at my dad’s house, and where to send money. The only reason my dad caught it was because the amount was different from what they had originally discussed. Imagine if your email was hacked and clients sent you personal information, banking info, etc. You’d be on the hook for any damages, defense costs, credit monitoring for the client, and much more. Make sure your email is secure and that clients have a clear understanding of what types of things you would or would not ask for via email. And check with your insurance agent to see if you have cyber coverage. If not, I’d strongly recommend it as it is not very expensive and offers high limits!

3) In-Bound Emails:
Are your office staff members and employees trained on what to be aware of when receiving emails? Follow these tips to be safe:

A. Make sure you have a good filter for blocking out spam emails. We work closely with an IT security company and we still see some slip through every once in a while.
B. Verify the sender before opening the email, and definitely before opening any attachments!
C. Hover over hyperlinks and make sure the URL matches the source. Look closely for any typos or odd spellings.

4) VPN:
If you have employees working from home or working remotely, I encourage you to look into Virtual Private Networks (VPNs). This would often come into play for anyone working out in the field that may connect to a public network. Employees could stop at a restaurant and connect to their Wi-Fi, or go to a conference and work from the hotel. When connecting to a public Wi-Fi spot, employees are at risk of connecting to a fraudulent network that imitates the network they think they are connecting to. Employees could also connect to the original network which may have been breached, allowing attackers to obtain information during your employee’s use. Check out VPNs like ExpressVPN or Surfshark and make sure to consider the number of devices and frequency of use before purchasing.

5) Watch Out for Spoofs:
People are desperate for new information right now. We want to know what updates there are regarding COVID-19 and how it impacts us and our business. Consider that times like these mean we are most vulnerable to attacks and misinformation. Try to be conscious of where you’re gathering information and make sure it is from credible sources like the World Health Organization (WHO) or the Centers for Disease Control (CDC). Consider that emails, pop-ups, etc. for “COVID-19 Update!” may be clickbait and encourage those in your company not to jump to conclusions.

The World Health Organization recently stated they were also in the middle of an ‘Info-demic’ due to the large spread of misinformation regarding COVID-19. As the employer, it is your responsibility to provide your employees with the correct information. Utilize resources such as WHO, CDC, TCIA, and ISA to get relevant information throughout the pandemic. As always, feel free to reach out with any questions and we’ll see what we can do!

Written by: Malcolm Jeffris, CTSP

3 Critical Cyber Security Measures


“Cyber Security? Only mega corporations like Target and Home Depot have to worry about that. I’m just a small tree service. I don’t have anything that hackers would want.”

Be honest, have you ever found yourself saying that? Chances are you have and, naturally, this article will tell you why you need to pay attention to what is going on in the cyber security world. Last year, I attended a Cyber Risk Seminar and learned that 69% of data breaches occur from a negligent insider (or former insider). That means someone inside your company either clicked a bad link, emailed a virus or unknowingly allowed a hacker into your computer system.

Before discussing the ways to minimize your cyber liability, I want to highlight a few areas of exposure that every tree service has. As with any exposure to loss, there are internal and external risks that a business faces.

External Cyber Risks

1. Transmitting a Virus to a Customer/Vendor – Tree care companies rely on email to communicate with their customers and vendors. Email is the most efficient method of communication and also presents the easiest way for your company to be liable for a cyber breach. If one of your employees sends an email that contains a virus to a customer or, worse, your entire customer database, you could be facing a huge unexpected expense. It costs anywhere between $100 – $350 to remove a virus from an infected computer, and that cost does not include any compromised personal data or any business shutdown that occurs because of it.
2. Customer’s Personal Data – Every tree service has some personal information from their customers. Names, addresses, phone numbers, email addresses and credit card numbers are all considered Personally Identifiable Information (PII) and are therefore information that must be protected from a data breach. If a hacker gets into your computer system and gains access to this basic customer information, you will be responsible for notifying the customer of the breach and providing credit monitoring for one year.
In 2016 the average cost for a data breach was $158 per record – How much would a breach cost your business at that price point?

Internal Cyber Risks

1. Employee’s Personal Data – When hiring someone onto your team, there is a lot of personal information that you gather – Social Security numbers, birthdays and driver’s license numbers, to name a few. Do you have a direct deposit payroll system set up? If so, your employees’ bank information is in your system. As the business owner, you clearly have a responsibility to protect your employees’ data. What would happen to your employee loyalty if you failed at keeping their information safe?
2. Business’ Computer System – Interruptions seem to happen fairly often when using technology for your business. Sometimes the internet goes out due to a cut wire down the street. Your phone system may suffer a break in service due to something on the provider’s end. Those are out of your control; what you can do something about, however, is your internal business system. Is your computer network backed up in the cloud or off-site? What would happen if your system got hacked and held for ransom in a cyber-attack?

Now that you know the common cyber exposures that all tree services face, here are three areas to focus on to reduce the chance of a cyber liability event. Implementing these changes can reduce your chances of a breach by almost 70%!

1. Inbox Security – Studies have shown that 93% of all computer hacks begin with email phishing. Email phishing is a tactic that hackers use to get the email user to click an infected link embedded in an email, which gives the hacker access to the user’s system. These can be specific to an individual and look VERY similar to an email that you would get. I’m sure you have received these before but may not have even realized it – an email from UPS about a package delivery or that your Amazon order needs more information. They look very real and ask you to take action by clicking the link included in the email to resolve the issue. Once you click the link, your system is compromised. Working with a proactive IT company will help you get the proper email controls in place to limit the phishing attempts on your employees.
2. Browser Security – The next part of cyber security is enabling the proper security features on your internet browsers. This can again be controlled by your IT firm and will help you restrict access to potentially damaging websites. We’ve all heard stories of how one employee used a work computer to search for something that wasn’t work related and the shady website that was viewed infected the computer and it spread to the other networked computers. Tighten up what sites can be opened and this exposure disappears.
3. Employee Behavior – Training employees on what to look for from a phishing attack or questionable website is the best way to limit the accidental “oops, I shouldn’t have opened that email.” In our agency, we signed our employees up for a six-part training on email phishing. As the owner of my company, I need to do whatever I can to make sure my team understands how these schemes work so we don’t cause a data breach.

The world of cyber security can be overwhelming; however, if you focus on these three simple areas, you will drastically limit your exposure to a crippling data breach.

For more information on how to properly protect your business against a cyber event, contact our agency.

Written by: Eric Petersen