Cyber Security Awareness Tips


April/May 2014

BYOD: How to Protect Your Company While Giving Employees Mobile Flexibility

The “Bring Your Own Device” trend isn’t one that will be going away any time soon. More and more, companies are adopting the practice of allowing employees to use their own mobile devices – from laptops and mobile phones to tablets – for business purposes. This can reduce expenses for the company while giving employees freedom to work from the road or use their preferred interface. However, the BYOD practice also exposes companies to significant risk. Mobile devices, after all, are more likely to be stolen than a desktop securely tucked away in an office. Not to mention, a major information security vendor identified 14,000 new kinds of software designed to compromise mobile devices and data in a three-month period.

When approached the right way, including utilizing risk management best practices, some companies can benefit from BYOD both financially and when it comes to employee morale. For companies that allow employees to use their own mobile devices, there are three main risks to address: theft, loss and cyber crime. To help reduce the risk of these exposures, employers should institute seven simple best practices:

Tips for Managing BYOD Exposures

  • Be Overprotective - Employers should encourage their employees to protect their mobile devices like they would their wallet or credit card. Mobile devices contain valuable items such as email, file attachments, calendars, contact information, pictures and more.
  • Search for Security Features - Security features are important for employers to consider when their employees want to bring their own devices. Encourage them to choose a mobile device with password protection, encryption and the capability to disable the device if it is lost or stolen.
  • Utilize Password Protection - Mobile devices that are used in corporate settings should be required to enable the password protection function and create hard-to-guess passwords that are different from those used on other accounts. This will help employees curb cyber crime and hacking of their devices. Devices should be set to lock after 15 minutes of inactivity.
  • Avoid Sensitive Information - It should be a mandate that employees not store sensitive information on the mobile device. Mobile devices that are lost, stolen or misplaced may be easily compromised if they fall into the wrong hands.
  • Research Apps - Some apps collect data such as an employee’s address book, photos and even internet activity. Employers should encourage employees to use caution when installing applications by reading app reviews and researching what the app intends to do.  
  • Stick with Original Software - Despite temptation, employees should not modify their device’s operating software. Often referred to as ‘jailbreaking’ or ‘rooting,’ replacing the manufacturer’s software will degrade the security integrity of the device.
  • Be Wary of Wifi Networks - Mobile devices are used on the go, which means secure, private wifi might not always be available. Employers should suggest that employees using their own devices for work be wary of free or public wifi, as wifi providers may monitor their communications and internet activity.

While developing, sharing and enforcing best practices for employees is an important risk management step, it is still possible that a mobile device used for business purposes can be stolen, lost or hacked. Employees should have a clear set of instructions for reporting and handling these situations. From notifying the police and the company’s technology department to understanding what information is more important to share, having a clear plan in place can help expedite the process of addressing the loss or cyber incident.

Risk management professionals like insurance agents and brokers, along with a company’s technology department, can help develop a response plan for employees. Agents and brokers can also provide solutions such as cyber insurance to help protect against financial losses, support data recovery and address other key issues associated with a breach or lost or stolen device.

March 2014

Protecting Against Cyber Risks: It takes a variety of tools
It is hard to go online or pick up a paper lately and not read about another cyber breach. These constant reminders have caused many businesses, both large and small, to step back and consider how best to use the internet safely and securely.

In fact, cyber risk has become so prevalent that the President issued an executive order in February 2013 that directed the National Institute of Standards and Technology to work with various stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. On February 12, 2014, the Framework for Improving Critical Infrastructure Cybersecurity was released.

As businesses consider protecting themselves against cyber-attacks, it is important that they utilize a variety of tools and resources to build out their cyber plan in order to be as prepared as possible. Travelers is extremely committed to helping educate businesses about cyber risks, and we offer numerous online resources and insurance coverages to help business owners navigate the growing threat of cyber risk and keep their assets and their customers’ assets safe. Some examples of our online resources include:

  • Travelers Cyber Security—a public online portal that provides insights on the threats associated with cyber risks and how to effectively manage them.
  • Travelers’ e-Risk Hub powered by NetDiligence®—a private, client-only web resource that contains additional information and technical resources to help customers prevent and respond to cyber events.

At the same time, as a leading expert in cyber exposures, we know that data breaches and other cyber-crimes are often inevitable. With this in mind, we offer specialized cyber coverages to address a wide range of risks associated with different sizes and types of businesses.

All of Travelers’ cyber solutions are designed to provide an option to include coverage for forensic investigations and litigation expenses associated with breaches. Many coverages also go so far as to include regulatory defense expenses, crisis management expenses, business interruption support and cyber extortion.

Businesses that are educated about cyber risk and have a plan in place to protect against it will be the best prepared to tackle this growing problem.

February 2014

Bring Your Own Device: Benefits and Risks of Employees Using Personal Mobile Devices in the Workforce

Cybercrime continues to be among the world’s fastest growing criminal threats. This poses a challenging decision for companies considering adoption of the “bring your own device” (BYOD) trend, where employees use their personal mobile devices such as tablets, phones, and laptops to conduct company business.

Allowing employees to use personal devices has both benefits and drawbacks, particularly in industries such as insurance where many employees are traveling, out in the field and have sensitive information. On the one hand, allowing the use of personal devices for work can be cost effective, efficient and streamline employees’ access to information. On the other, it may create several potential challenges and risks.

However, putting a smart risk management strategy in place can help protect against the exposures associated with the BYOD trend.

BYOD Driving the Bottom Line
There are a variety of benefits to companies that allow employees to use their own devices for work purposes – each of which can help impact the bottom line. First, allowing employees to use their personal phones, laptops and tablets eliminates a potential cost to the company. The organization does not need to provide these items to employees who are traveling, regularly in meetings, or working remotely.

The ability to stay connected creates higher productivity and makes it easy to stay on top of work and important issues despite being away from the office.

Being able to use personal devices also supports better customer service. Employees will be able to respond to client needs in real time.

BYOD Escalating Risks & Challenges
The threat of cybercrime is a reality all companies face today – regardless of whether or not an organization has embraced BYOD. Cyber criminals can get through a company’s firewalls, send viruses and hack into company-wide or individual accounts. However, organizations can put certain protections in place to minimize the likelihood of breach – and monitor those protections closely. With personal devices, companies have much less control over how or where the device is used and lack the oversight that exists with in-office technology.

The lack of oversight can translate into increased likelihood of personal mobile devices being hacked. Typically, companies will require employees to use sophisticated passwords and will ensure any confidential information is also kept secure by password protection and limited access.

Employees today are also commonly storing information in their personal cloud to access it from their mobile device. According to data from network security firm Fortinet, 89 percent of young workers have personal cloud storage. Seventy percent of those individuals use that storage for work-related files, and 33 percent store customer data on their personal cloud, allowing them to gain access to it from their mobile devices (1).

Hacking and viruses aside, an equally damaging threat is simple theft. Roughly one-in-three robberies in the U.S. involve mobile phones, according to the FCC (2). Laptops and tablets are also frequent targets for criminals. Once a criminal has a physical device, any information contained within it – or available through it – is at risk of exposure.

When criminals secure confidential information, it puts the company at risk for not only corporate data and information being exposed, but also for clients’ personal information to be compromised or stolen, allowing criminals to potentially commit identity theft.

Managing BYOD Risk
Providing best practices for employees who choose to use their own devices can be one way to help manage exposures. Simple steps, such as enabling auto-lock on devices, adopting passwords that combine letters, numbers and symbols and ensuring employees keep the devices in a safe place at all times can go a long way in minimizing risks for hacking and theft. In addition, requiring employees to engage with the corporate IT department can help them not only understand the exposures their mobile devices present, but will also give them the resources they need to put the best possible protections in place.

In the event a laptop is stolen, a phone misplaced, or an account hacked, cyber risk insurance policies can serve as a safety net. From providing the resources needed to stop and investigate an incident to delivering necessary financial support, cyber risk coverage can help companies minimize both their financial and reputational risks.

As BYOD becomes more prevalent, organizations will have to take a stance on the use of personal devices for work-related activities. While BYOD provides both benefits and challenges, businesses should also keep in mind the power of smart, strategic risk management through best practices and relevant insurance solutions.

1)    Fortinet global survey shows Generation Y’s hardening stance against corporate BYOD/bring-your-own-cloud policies as emerging technologies enter the workplace. (2013, October 21). Retrieved from http://www.fortinet.com/press_releases/2013/fortinet-global-survey-shows-employees-against-byod-policies.html

2)    Terry, C. (2013, June 05). U.S. officials to meet over cellphone thefts. Retrieved from http://www.usatoday.com/story/money/business/2013/06/05/us-officials-to-meet-over-cellphone-thefts/2393617/

January 2014

New Year, New Risks: Cyber Issues to Consider in 2014

The New Year represents a time for many companies to evaluate their successes, business goals, operations and risks. While businesses may not be able to anticipate every risk that they will face this year, one thing is for sure: cyber security should be a concern for businesses large and small. Undoubtedly, the cyber landscape is continuing to evolve as cyber criminals become smarter and more creative about their tactics to steal information from companies. 

Technology and the sharing of information are central parts of both business operations and our everyday lives, which is why it is imperative that businesses understand the many forms cyber risks take, so that they can protect their data, their bottom line, their customers and their reputations.

In fact, according to the Travelers’ Consumer Risk Index, 64 percent of individuals cite personal privacy loss or identity theft as a significant concern. And, according to the Verizon 2013 Data Breach Report, there were more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records. And those represent only reported incidents.

So, what should businesses be concerned about when it comes to cyber security in the New Year?

  • Protect Secure Customer Information. The greatest risk exposure is the loss of personal information. This can happen if an employee loses a laptop or when a hacker obtains sensitive personal information from the insured’s computer system, which can include laptops, mobile devices, tablets etc. As a result, a customer or number of customers may be able to bring claims against the insured for allowing access to their information.
  • Secure Passwords. Another common way for hackers to penetrate a company’s system is through breach of passwords. Employees with relatively common passwords leave their computers and accounts open to attack. A best practice is to require employees to use more complicated passwords and to change passwords on a regular basis.
  • Extortion Events. Hackers also are getting more sophisticated, sometimes forming syndicates of like-minded criminals to share information and new techniques, including extortion events. Cyberextortion is a crime involving an attack or threat of attack against an organization, coupled with a demand for money to prevent or stop the attack.

    While extortion is not new, the emergence of cyber extortionists has recently begun to rise. Today, new malware and hackers are tapping into systems for financial gains and to create disruption. But, whether intentionally or not, if they gain access to personal information, a data breach occurs.
  • “Hacktivism.” Another one of the biggest eye-openers is so-called “hacktivism.” Hacktivism is the act of breaking into a computer system for a politically or socially motivated purpose. There have been dozens of cases reported where commercial websites have been altered or disabled, sensitive information has been stolen and even government systems have been breached. This trend is interesting because the perpetrators are not doing it for monetary gain, but rather to raise awareness of an issue.

As more and more businesses are faced with these issues and risks, it is important to proactively protect against them. A great first step is talking to an independent agent who can help educate them on their businesses’ cyber risk exposures.

12/2/13 Is your business ready to protect against cyber attacks this holiday season?

Despite the shortest shopping season since 2002, Adobe Systems predicts this year will see the highest-ever online spending during the U.S. holiday season. While record numbers of shoppers are expected to jump online to purchase their holiday gifts, there is also strong concern over cyber security. According to the Travelers Consumer Risk Index, 64% of Americans worry regularly that their bank or other online accounts may be hacked into. Source: http://www.adobe.com/solutions/digital-marketing/digital-index.html

With this in mind, it is more important than ever that businesses protect themselves against cyber attacks this holiday season. Tim Francis, Enterprise Cyber Lead at Travelers, which offers cyber insurance solutions to protect a business’ assets against cyber threats, suggests the following:

  • Train employees to protect sensitive information. All employees should learn the importance of protecting the information they regularly handle to help reduce exposure to the business. This includes everything from locking up customer records to keeping passwords strong and confidential. Employees should also be taught how to handle a breach if one occurs.
  • Ensure systems have appropriate firewall and antivirus technology and that security software patches are updated in a timely fashion. After the appropriate software is in place, evaluate the security settings on software, browser and email programs. In doing so, select system options that will meet your business needs without increasing risk. Regularly maintaining security protections on your operating system is vital to them being effective over time.
  • Monitor use of mobile devices and public Wi-Fi access for employees. Establish usage standards and be sure they are clearly communicated. For example, to avoid security breaches, employees should be instructed to use public Wi-Fi only in very limited circumstances. Hackers can easily intercept traffic on public Wi-Fi, so it is imperative that employees use the Internet and transmit information cautiously. To reiterate, any data that shouldn’t be made public, such as proprietary business or customer information or credit card numbers, should not be transmitted or accessed through public Wi-Fi.
  • Insure your season is protected. Insurance coverage typically includes liability protection for when customers or other individuals who have been affected hold a company responsible for information stolen during data breaches or other network intrusions. A cyber policy can also include coverage for a forensic investigation, litigation and remediation expenses associated with the breach. In addition, a cyber program may include coverage for business interruption, which is critical during the holiday season.
  • Have a plan in place to manage a data breach. If a breach occurs, there should be a clear protocol for which employee is managing the situation, and what action should be taken, such as informing the insurance provider, etc.
     

10/28/13 Secure computer networks and data to prevent cyber-attacks.

All organizations from large to small are susceptible to cyber threats because every organization stores a variety of data – some critical to how your company is run, and other sensitive information about your employees and customers. Either can be vulnerable to cyber-attacks that could jeopardize your operation and your firm’s reputation if the data is stolen, lost or infected. It is recommended that organizations adopt firewall and antivirus technology and that IT managers ensure that browser and email programs have default security settings that limit access points for cyber hacks.

Some other data security best practices include:

  • Keep your systems patched 
  • Use care when reading emails with attachments
  • Make backups for important files and folders
  • Use strong passwords
  • Never install unapproved, unsupported programs on your own
  • Use access control

Since all organizations can be vulnerable to cyber-attacks, it is recommended they create an incident response plan.

10/22/13 Require employees to have strong passwords

A data breach can cost your business time, money and your reputation. In fact, a recent study revealed that the cost of a data breach per record is $188, which can add up quickly. For example, a breach involving 10,000 records could cost nearly $2 million. (Source: Ponemon Institute© Research Report: “U.S. Cost of a Data Breach Study, 2013”)

Breach of passwords is one of the top cyber risks. Hackers can penetrate a system and access passwords. Employees with relatively common passwords leave their computers and accounts open to attack. A best practice is to require employees to use more complicated passwords and to change passwords on a regular basis. Also, consider a policy that requires employees to use passwords that include numbers and letters in different sequencing patterns.

  • Create passwords that are a combination of letters and numbers and even symbols.
  • Make sure your password does not contain the last four digits of your Social Security number, mother's maiden name, your birth date, middle name, pet's name, your company name, consecutive numbers or anything else that could easily be discovered.
  • If asked to create a reminder question, do not use one that is easily answered by others.
  • Memorize all your passwords or store them in a secure location. Don’t record them on anything you carry with you—including your cell phone.
  • Change passwords regularly


10/15/13 Think before you click

According to the U.S. Federal Trade Commission, phishing takes place "when internet fraudsters impersonate a business to trick you into giving out personal information."

Today, organizations depend heavily on technology, and most take advantage of social networking, BYOD, and cloud computing to run more efficiently and increase productivity. However, these activities make organizations susceptible to cyber-attacks. Don’t let your organization become phishing bait, as cybercriminals become smart about luring users into divulging sensitive corporate data.

Learn how you can avoid such attacks; here are some tips from www.onguardonline.gov:

  • Make sure that you use trusted security software and set it to update automatically.
  • Do not click on links or open email attachments unless you know who the sender is and what the attachments are.
  • Personal and financial information should only be provided if you typed in the recipient's web address yourself and the site is secure (i.e., the URL begins with https where the "s" stands for secure).
  • Make sure you set your browser security settings high enough to detect unauthorized downloads.
  • Always use a pop-up blocker and never click on links within pop-ups.
  • Never purchase software in response to pop-up messages or emails claiming your computer has malware.
  • Avoid downloading "free" programs and/or games.
  • Do not open chain emails.
  • Back up all data regularly.


10/8/13 Communicate with your employees

Business owners should make it a priority to communicate clearly and consistently to employees about their organization’s cyber risk management strategies. When each employee is made aware of their role in the company’s cyber security efforts, it often empowers them to take a more active role in managing cyber risks. Even small initiatives like establishing employee usage policies for social media platforms, public Wi-Fi access and how to handle proprietary information like Social Security numbers and credit card information help make employees’ individual security responsibilities clear.


10/1/13 Plan ahead

Every business should plan for a cyber-threat, including a data breach - the potential loss or theft of company and customer data.

There were more than 47,000 reported security incidents and 621 confirmed data breaches from the past year according to the Verizon 2013 Data Breach Report. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records.

A data breach can hurt your brand, customer confidence, reputation and, ultimately, your business. The importance of data to your company’s daily operations cannot be overstated. Knowing what data security regulations affect your business and assessing your company data security gaps can help you develop a plan for keeping your data secure.


Travelers Casualty and Surety Company of America and its property casualty affiliates.
One Tower Square Hartford, CT 06183

This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations.

©  The Travelers Indemnity Company. All rights reserved.