Top Cybersecurity FAQs: Startups and Emerging Businesses
Q: Does my business need cybersecurity insurance?

Due to the high level of cyber risk in today's business environment and exclusions for cyber events in other types of insurance policies, most businesses need cyber liability insurance coverage. However, the terms and exclusions contained within cyber insurance policies vary widely, so businesses should select and review cyber policies carefully. Obtaining legal assistance in assessing policy terms is recommended to ensure the policy adequately addresses risks unique to the business. Furthermore, startups and emerging businesses should pay attention to exclusions, such as coverage exclusions for failure to meet minimum security standards, to ensure that they do not fail to adopt necessary cybersecurity measures and thereby undermine the coverage they have purchased.

Q: How do I put a cybersecurity policy in place?

A cybersecurity policy should be specific to your business and may vary depending on your industry and the information your business collects. It is important to first assess your overall compliance and conduct a security audit of your IT assets and practices, as well as develop a thorough understanding of the data your business collects and stores. A cybersecurity policy should inform company employees and contractors of their responsibilities in protecting the IT assets of the company and should identify the primary threats to those assets. A policy will outline acceptable use of the company's IT assets, including protocols related to password management, secure file transfers, software updates, malware scans, use of social media and privacy settings, and other security guidelines designed to protect your business from cyberattacks.

Q: What are the best methods for protecting my business against ransomware attacks?

Ransomware attacks are often delivered through phishing emails that appear as if they were sent from legitimate sources. Such phishing schemes are growing more sophisticated, and it is more important than ever to routinely train your employees and independent contractors on how to spot these and other cybersecurity threats. Businesses should implement mandatory trainings throughout the year (or on an annual basis at minimum) and follow such trainings with phishing simulations to test real-world response. Businesses can protect against the impact of interruption from a ransomware attack by regularly performing backups of their systems and important files. Backups should be stored separately so they cannot be accessed from the main system network.

Q: What are some best practices to share with our team?

There are several best practices that can be used as preventative measures when it comes to cybersecurity and attacks. The tactics below could make a huge difference.

Install internal and external firewalls to protect your network systems, invest in antivirus and antimalware software, and regularly back up all data.
Educate your employees on security protocols and how to recognize phishing emails and suspicious or unknown links.
Require strong passwords for network access and mandate that employees change their passwords on a regular basis.
Use multi-factor authentication for accessing sensitive networks or systems.

Q: What is an incident response plan and tabletop exercise?

An incident response plan is a game plan created to guide your organization in detecting, responding to, and recovering from cyber incidents. An incident response plan is necessary to help businesses quickly identify the individuals who need to be involved in incident evaluation and response, the issues they need to consider, and the steps that they need to take. The goal, of course, is to avoid lost time and critical missteps while making an organization's recovery as smooth as possible. A tabletop exercise is an attempt to test the incident response plan and readiness by walking through a hypothetical cyber event. An organization's team will consider...
Cybersecurity 101 for Startups
Every business, including startups, has data to protect. So, it's not really a matter of if, but when an organization will experience cyber and data privacy threats. This post will provide tips on how to proactively protect data related to employees, customers, vendors, operations, and intellectual property. From creating password strategies to setting up incident response plans, there are many things organizations can do to potentially save a ton of stress, cash, and even reputation.

Prepare:

Designate a person or team to handle information security and preparedness. A designated internal team member may be an executive or someone in legal, HR, or marketing. Someone designated outside the company may be an attorney, public relations representative, or an insurance contact.
Make a plan to address cyber incidents.

Prevent:

Train your employees regularly. Most breaches result from human error. Hacks can be caused by phishing, ransomware, identity theft, and email compromise.
Use strong passwords. Change them regularly and don't share them with anyone. Password tip: a strong, smart password is private, unique, and is changed every 90 days. A good rule of thumb is to create an acronym from a sentence. Use symbols for some of the letters and include both upper and lowercase letters. For instance, you can use capital letters for proper nouns. Be sure it includes numbers, too. Example: I<32soSicfBR! / I love two scoops of Snickers ice cream from Baskin Robbins!
Some password security tools we recommend include multi-factor authentication (2FA), biometric authentication (fingerprint, voice print, facial recognition), and password managers.
Avoid public Wi-Fi. Use only secure internet connections for business matters.
Protect computers by using firewalls, updating software, installing antivirus and antimalware, encrypting sensitive information, and regularly backing up files.
Work with trusted business partners and know how to contact them.
Dispose of data and media safely and securely.

Respond:

Mobilize your entire team, both internal and external. Examples of internal team members include the information security officer, an executive-level officer, in-house legal, marketing, and human resources. External examples include outside counsel, public relations, and insurance.
Stop the breach: determine the cause of the breach and take the necessary steps to stop it. IT professionals and/or forensic experts may get involved at this point.
Notify all appropriate parties, including affected customers, insurers, and law enforcement.
Make any and all appropriate reparations, including discounts, damages, free credit freezes, and credit monitoring.
Seek any and all appropriate remediation.

Hopefully this provides a solid foundation for where to start with cybersecurity. Threats and solutions are constantly changing, and it's important to remain up-to-date with all operating system, antivirus, and antimalware updates. While there are many things that can be done to hardware and software to protect information, perhaps the most important action to take is educating and training employees and service vendors who access company data. Remember, human error is almost always the cause of a breach.

Brief Case Study

Following Target's 2013 holiday season hack of over 41 million credit and debit card accounts, Target was required to employ "an executive or officer with appropriate background or experience in information security" to implement and maintain its information security program through implementing a new IS program, changing network system policies, executing data encryption guidelines, and ensuring vendor compliance.

If you have any questions regarding cybersecurity for your startup, please reach out to Paul, or another member of our...