Cyber is a risk that cannot be insured unless the insured takes on more risk

Cybersecurity is a hot topic in today’s digital age.

With the increasing reliance on technology and the internet, businesses and individuals are at risk of cyber-attacks and data breaches.

Unfortunately, many people assume that their insurance policies will cover them in case of a cyber incident.

However, the reality is that traditional insurance policies may not provide adequate protection against cyber risks.

The main reason for this is that cyber risks are constantly evolving and new threats are constantly emerging. As a result, insurance companies are often unable to keep up with the latest developments in the field.

Furthermore, many insurance policies have exclusions or limitations when it comes to coverage for cyber incidents.

This means that even if you have insurance, you may not be fully protected against a cyber attack.

So, what can you do to protect yourself against cyber risks?

One option is to purchase a standalone cyber insurance policy.

These policies are specifically designed to provide coverage for cyber incidents and typically include coverage for things like data breaches, cyber extortion, and business interruption.

However, purchasing a standalone cyber insurance policy also means taking on more risk.

Many standalone policies have high deductibles and exclusions, which means that you may still be on the hook for a significant portion of the loss in the event of a cyber incident.

Another option is to take a proactive approach to cybersecurity.

This can include implementing strict security protocols, regularly updating software, and training employees on how to recognize and prevent cyber attacks.

By taking steps to reduce your risk, you may be able to negotiate more favorable terms on your insurance policy.

In short, cyber risks are a reality that cannot be ignored.

While insurance can provide some protection, it is not a silver bullet.

Businesses and individuals need to take a holistic approach to cybersecurity, including both insurance and risk management measures.

And remember, just like a good lock on your front door, being proactive can keep cybercriminals at bay.

3 reasons that cybersecurity is in the state it is!

Cybersecurity is at a low level for several reasons.

One reason is that organizations, governments and individuals are not investing enough in cybersecurity measures.

This can include not allocating sufficient budget or resources for cybersecurity training, hiring, and technology.

Another reason is that many organizations and individuals do not have a clear understanding of the cyber threats they face, and as a result, do not prioritize cybersecurity.

Additionally, many companies and individuals are still using outdated software, hardware and systems that are vulnerable to cyber-attacks; many of these attacks could have been prevented simply by keeping those systems updated.

Furthermore, the sophistication and complexity of cyber attacks are increasing at a faster rate than organizations and individuals can keep up with.

All these factors combined have led to the current low level of cybersecurity.

Lowest entry-level ever

Today, the entry-level for cybercrime is at an all-time low.

This is due in part to the increasing availability of easy-to-use tools and resources that allow individuals with little technical expertise to engage in cybercrime.

For example, there are now numerous online forums, tutorials, and hacking tools that can be easily accessed and used by anyone with an internet connection.

Additionally, the rise of the dark web has made it easier for individuals to purchase and use malicious software, such as malware and ransomware, for criminal activities.

Furthermore, the increasing use of automation and AI in cybercrime has made it easier for cybercriminals to launch large-scale attacks and target a wide range of victims.

All these factors have lowered the entry-level and increased cybercrime, which is a major concern for organizations, governments and individuals.

Education and training from the wrong direction

Education and training that is delivered in a top-down manner, where the information and knowledge is passed down from the top level of an organization to the bottom, can fail for several reasons.

One of the main reasons is that it does not take into account the unique needs and perspectives of the individuals or groups who are being trained.

The information may not be tailored to their specific role or level of understanding, making it difficult for them to apply it effectively in their work.

Additionally, top-down education and training can lead to a lack of engagement and buy-in from the individuals or groups who are receiving the training.

Without their active participation and interest, the training may not be as effective in achieving its goals.

A bottom-up approach, on the other hand, is more inclusive and empowering, and it starts with the needs and perspectives of the individuals or groups who are being trained, ensuring that the training is more relevant and meaningful to them.

Software was written for the first to market, not as a secure platform

Software that is written with the primary goal of being the first to market may not prioritize security.

This means that the software may have vulnerabilities or weaknesses that can be exploited by cybercriminals or hackers.

These security flaws can lead to data breaches, loss of sensitive information, and other types of cyber attacks. Additionally, software that is not designed with security in mind may not comply with industry regulations or standards, which can lead to legal and financial repercussions for the company that developed the software.

To avoid these issues, it is important for companies to balance the need for speed to market with the need for a secure and compliant software platform.

Additional

AI

Artificial intelligence (AI) will have a significant impact on both cybersecurity and cybercrime.

On the cybersecurity side, AI can help organizations and individuals detect and respond to cyber threats in real time, by using advanced machine learning algorithms to analyze large amounts of data, identify patterns, and make predictions about potential attacks.

Additionally, AI-based systems can also be used to automate many security processes, such as patch management and incident response, which can help organizations and individuals become more efficient and effective in defending against cyber attacks.

On the other hand, AI can also be used by cybercriminals to launch more sophisticated and automated attacks, such as spear-phishing, social engineering, and malware campaigns.

AI-based malware can also be designed to evade detection by traditional security systems and can spread quickly across networks.

Additionally, AI can also be used to enable new forms of cybercrime, such as deepfake generation, which can be used to impersonate individuals or organizations in order to steal sensitive information or money.

Therefore, AI can have a significant impact on both cybersecurity and cybercrime and it’s important for organizations and individuals to stay aware and adapt to the new technology.

The risks associated with online shopping and banking

Online shopping and banking have become an integral part of our daily lives, but with the convenience of these services comes the risk of cyber threats.

Cybercriminals and scammers can target your personal and financial information in order to steal your identity, money, or both.

That’s why it’s so important to practice good cybersecurity habits when shopping and banking online.

Here are some best practices to keep in mind:

🔰 Use a password manager to create and store strong, unique passwords for each of your online accounts.

It can be tempting to use the same password for multiple accounts, but if a hacker gains access to one of your accounts, they will have the key to all of them.

🔰 Enable two-factor authentication (2FA) on your online accounts whenever possible.

This adds an extra layer of security by requiring you to enter a one-time code in addition to your password when logging in.

🔰 Make sure that the websites you shop on and use for banking are secure.

Look for a URL that starts with “https” and a padlock icon in the address bar.

This indicates that the website is using a secure connection to encrypt your data.

🔰 Use a credit card rather than a debit card for online purchases, as credit card companies generally have stronger fraud protection policies.

If your credit card information is stolen, you can typically dispute the charges and get your money back.

🔰 Avoid using public Wi-Fi networks for sensitive transactions, as they may not be secure.

Cybercriminals can easily set up fake public Wi-Fi networks in order to steal your information.

🔰 Regularly check your bank and credit card statements for any unauthorized charges or activity.

🔰 Be wary of phishing emails or texts that try to trick you into entering your login or financial information on fake websites.

These scams often use fake logos and branding to make them look legitimate, so it’s important to be on the lookout for red flags.

If you receive an email or text from a company that you don’t recognize, do not click on any links or enter any information.

🔰 Keep your computer and other devices up to date with the latest security patches and software updates.

These updates often include important security fixes.

🔰 Use a firewall and antivirus software to protect your computer from malware and other threats.

These tools can help to prevent malware from infiltrating your system and can also detect and remove any malware that does get through.

🔰 Consider using a virtual private network (VPN) when connecting to the internet, as it can help to encrypt your data and protect your online activity from being monitored.

By following these best practices, you can help to protect yourself and your personal and financial information while shopping and banking online.

Remember, it’s always better to be safe than sorry.

No one waits for a car accident before investing in insurance, so why would cyber insurance be any different?

The use of technology has become an integral part of our daily lives.

From the way we communicate with others to the way we conduct business, technology has transformed nearly every aspect of modern society.

As a result, the risk of cyber-attacks and data breaches has also increased significantly.

Unlike car accidents, which are typically one-time events, cyber attacks can have long-term consequences.

They can result in the theft of sensitive personal and financial information, damage to a company’s reputation, and even legal action.

The costs associated with these types of attacks can be substantial.

This is where cyber insurance comes in.

Just as we invest in car insurance to protect ourselves in the event of an accident, cyber insurance can provide protection against the financial consequences of a cyber-attack.

It can help cover the costs of recovering from an attack, such as legal fees, data restoration, and public relations efforts.

There are several reasons why people and businesses should consider investing in cyber insurance.

It provides financial protection in the event of a cyber attack.

It’s impossible to completely eliminate the risk of a cyber-attack, but having insurance can help alleviate some of the financial burdens that come with dealing with the aftermath.

Another reason to consider cyber insurance is the increasing frequency of cyber attacks. It’s not a matter of if a company will be attacked, but when.

There are potential legal consequences to consider.

A company may be held liable for a data breach if it fails to adequately protect customer data.

Cyber insurance can help cover the costs of legal action and settlements, which can be substantial.

Despite the clear benefits of cyber insurance, many people and businesses still don’t invest in it.

This may be due to a lack of awareness about the risks of cyber-attacks and the potential consequences.

Others may believe that their company is too small to be a target or that they have sufficient in-house security measures in place.

It’s important to remember that cyber attacks can happen to anyone, regardless of size or industry.

Small businesses and non-profits are often targeted because they may have fewer resources to devote to cybersecurity.

Cyber insurance can provide an extra layer of protection against the unexpected.

Just as no one waits for a car accident before investing in insurance, it’s important not to wait for a cyber attack before considering cyber insurance.

The risks of a cyber attack are real and the consequences can be severe.

Don’t wait until it’s too late – consider cyber insurance for your business today.

It is the responsibility of the board of directors to carefully consider and manage these risks.

Business risk is an inherent part of any enterprise, and it is the responsibility of the board of directors to carefully consider and manage these risks.

When it comes to cybersecurity, there are several factors that the board of a small, medium or non-profit enterprise should consider in order to determine what is an acceptable business risk.

First and foremost, it is important for the board to understand the potential consequences of a cybersecurity breach.

This includes not only the financial costs of responding to the breach and repairing any damage but also the impact on the company’s reputation and customer trust.

The board should also consider the likelihood of a cybersecurity breach occurring, as well as the potential severity of the consequences.

One way to manage cybersecurity risk is through the implementation of robust security protocols and technologies.

This includes ensuring that all software and systems are regularly updated and patched, using strong passwords and implementing two-factor authentication, and regularly training employees on cybersecurity best practices.

The board should also consider investing in cybersecurity insurance, which can help to mitigate the financial impact of a breach.

Another aspect of managing cybersecurity risk is having a robust incident response plan in place.

This should outline the steps to be taken in the event of a breach, including how to communicate with employees, customers, and the media, as well as how to restore systems and recover from the incident.

It is important for the board to consider the potential for external threats, such as cybercriminals.

This includes considering the use of security tools such as firewalls and intrusion detection systems, as well as implementing processes for monitoring and detecting potential threats.

In addition to these technical measures, the board should consider the role of company culture in managing cybersecurity risk.

This includes promoting a culture of cybersecurity awareness and education among employees, as well as setting expectations for responsible behavior online.

Ultimately, the acceptable level of business risk when it comes to cybersecurity will depend on the specific circumstances and needs of the enterprise.

The board should carefully consider the potential consequences of a breach, the likelihood of such an incident occurring, and the measures in place to mitigate and manage these risks.

By taking a proactive approach to cybersecurity, the board can help to protect the company’s assets and reputation, and ensure the long-term success of the enterprise.

Cybercrime – You can’t win a fight if you don’t know the rules

Most of us do not know the rules when it comes to the digital space.

We assume that what applies in the real world is what we should live by in the digital space.

This is an assumption that will get you into a lot of trouble.

Here are four areas everyone needs to keep in mind when using a digital device.

Who you are!

You know who you are.

In the digital space you do not want to talk about who you are to people you have never met.

We assume that most people are like us; in the digital world that assumption will cause irreparable damage.

In the digital world only talk in generalities, not specifics.

What you talk about!

To connect to people you are told that you have to talk about feelings and personal attitudes.

For some that can be difficult.

If you need to talk at that personal level, learn to hide the information behind other things.

Why you can lie!

We have been programmed to tell the truth; some people can and some people cannot.

Some people have major issues with lying.

I work on the principle, in the digital world, to lie where possible.

In your profile you cannot lie on government websites, medical websites and other sites where the real information is required.

When faced with the request for information learn to lie.

Make up a date of birth, license number, passport number.

If you think that the site does not need that information or the information is never going to be checked against real data – just lie.

Trust/verify

Just as in Fight Club you do not talk about Fight Club, in the digital world lying is a necessary evil.

It is a matter of trust and, to tell you the truth, from someone working in the industry, I trust no one on the internet.

I have people that I know who I trust implicitly, I know they would do anything just like I would do anything for them.

In the digital world I do not trust their avatar.

Even if I have verified them I still do not trust them.

Why we need to rethink Business Security

Security is an IT problem.

How many managers, owners, C Level Executives and board members agree with this statement?

More than 50% of small and medium businesses and not-for-profit organisations think that the ICT department is the go-to people when it comes to protecting your business’s crown jewels.

There has been a significant push in the last 5 to 10 years to get SMEs away from this thinking and to think about business risk, compliance, governance and business security.

Yes, there is still a significant place for the ICT management of security around technology. They are the ones who have to work with limited resources, doing more and more with less and less, and producing the same level of protection year in and year out.

When it comes to a cyber event, the problem in today’s business world is that not everything can be secured with technology.

At a basic level, there are 6 areas that create a secure business environment, and technology and frameworks is only one of them. The others are risk management, people and education, policy and governance, resilience and finally continuous improvement.

As you can see, technology is only a small part of the solution.

The normal situation for SMEs and charities is to think that the ICT department knows it all. We have had similar situations ever since computers became an integral part of the business.

People who “know computers” were called on to fix the business infrastructure simply because they know computers. So a web designer was asked to fix a printer, or a programmer was asked to set up an internet connection. Yes, they could do it, but in today’s world it is so much more complicated and complex.

Business security needs to be addressed by someone who knows security. Someone who understands risk! Someone who understands the fundamental security practices required to protect the organisation.

You would never go to an unqualified accountant to do your tax return, or an unqualified electrician to rewire your house, or even an unendorsed mechanic to repair your new BMW.

When it comes to protecting the business, especially from a cyber event, we rely on people who have minimal understanding of what needs to be done to create a secure business environment.

Where to start your Business Security / Cybersecurity Journey

Start

Time: 3-hour program

What is done: Audit on assets and risk management.

What you get

  • Report on where your organisation is in relation to business security
  • Roadmap to implement basic changes to your business organisation
  • A number of process, procedure and policy templates
  • A number of plan templates

Tools we use

  • Care-app diagnostic tool
  • Questionnaire similar to basic SWOT
  • Proprietary diagnostic tools
  • Open-source intelligence gathering tools

What do you need to do

  • Implement changes
  • Discuss with management
  • Implement proactive responses to cybersecurity

Threshold

Time: 8-hour program

What is done

What you get

  • Implementation of Internet policy
  • Implementation of online security awareness program
  • In-depth risk analysis
  • In-depth risk mitigation process
  • Full-blown digital SWOT

Tools we use

What do you need to do

Baseline

What is done

What you get

What do you need to do

Beyond

What is done

What you get

What do you need to do

Cybersecurity – Too much Cheese, not enough whiskers!

Cybersecurity is a touchy subject.
Everyone wants the government and those in politics to do something about it.
When it comes to cybercrime the solution is not that easy.
We all think that cybersecurity (Digital Security) is unimportant!
That’s an IT problem/issue!
It’s someone else’s problem!
Someone else will look after it.
The anonymity of the digital world makes anything and everything possible. We can no longer be sure of who we are communicating with, and even the friends we know could have been compromised, making any conversation insecure.
“Why should I protect myself in the digital world?” is a question we hear daily in the industry. “I have done enough, I have antivirus!” This attitude comes from C level execs, board members and managers at all levels of industry and commerce, as well as people at the coal face.
The announcement from the government shows, once again, that we are not looking at a solution to the problem but another way to endorse the attitudes of big business and government departments.
The attack surface in the digital world is huge. The introduction of IoT will compound the issues associated with protection 100-fold.
Think of a beach where each grain of sand is an application, website, IoT device, operating system or smart device. The problem is visibility: how do we know what is happening below the surface, behind the scenes? We don’t! No one on the planet can!
I have friends who can hack a smartphone (yes any smartphone) record where you are and what you are saying and you would not even know it was happening.   Nothing on the screen, no flashing apps, nothing!
Attitudes need to change!
Cybersecurity has to be holistic!   It has to include any and all components of a business in the protection of that business.
There is no silver bullet that will put down the cybercrime werewolf. Anyone that sells you a silver bullet is exposing your organisation to untold problems. Not just because you have bought into the hype, but because you have also forgotten that there are other ways to compromise a system than what they are protecting you against.
Trust no one if you are connected to the digital world, no matter the device or the reason. Trust No One!

The best way to find out how vulnerable your organisation is to a cyber event is to use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings”.

If you have been exposed to a ransomware attack “turn it all off” is exactly what happens.

You can no longer “work”!

You may no longer have access to data.

You may no longer have access to systems.

You may no longer have access to the greatest communication system ever invented – the internet!

It is better to be in a controlled situation where you have the power and the ability to learn than to be in a situation where it has happened and you no longer have control.

Yes, it is a huge decision for management and boards but you DO realise that all of this technology that every business relies on can disappear in a heartbeat.

So much can be learned especially when you have the ability to turn it all back on again.

A 1-hour test will give you an insight into how your business will survive.

That is the most important part of the test.

The amount of information that can be gathered in a “turn it all off” scenario is substantial.

  • How do you recover?
  • How long will it take?
  • What are the priority systems?
  • How can you function without the systems?
  • How long can you function without the systems?
  • What manual systems can be used?
  • How can those manual systems be added to recovered systems?
  • What contingencies do you have in place?
  • How do you communicate with customers, suppliers, and vendors?

How many preconceived ideas went into your #businesscontinuity and #disasterrecovery plans?

If you thought – “we will worry about that when it happens” – then you are already in trouble!

Do I have your attention yet?

An understanding of the true impact of a “turn it all off” scenario can be hinted at by role-playing.

With so many organisations thinking “it will not happen to us” or “we are too small to be targeted” that role-played scenario will open everyone’s eyes.

Need help with writing, implementing and/or proving your BC and DR plans? PM me ASAP.