Scott Augenbaum, is a retired FBI Special Supervisory Agent, author, and keynote speaker specializing in cybercrime investigations. Scott shared his experiences this week of working with the victims of cybercrime over the past 20+ years, from huge multinational businesses to mom-and-pop retail shops. These are the four things that cybercrime victims have in common.

•  No victim ever expected it to happen.

• Once the bad guys break in and steal your data, the chances of Law Enforcement fixing it are about ZERO.

• The bad guys won’t go to jail.

• Most victims could have prevented the attack.

NO ONE EVER EXPECTS IT TO HAPPEN

Quite common and really, who expects to become a victim of crime anyway? In the online world, you are a target, usually of opportunity. We all receive phishing emails, sometimes dozens a day, so logically we’re all aware of this attack vector. Everyone should realize that a cyber event that causes data loss and service interruptions, regardless of how large or small our companies are is probable depending on your industry. While we only hear about the big guys getting breached like Target, Colonial Pipeline, Maersk, Experian, Sony, etc., understand that for every one of these headline grabbers, there are hundreds or thousands of small businesses getting successfully breached that we never hear about. If we understand that the bad guys are always looking for victims, we should admit that it’s at least a possibility and take positive steps to reduce our risks. 

LAW ENFORCEMENT CANNOT FIX IT

Law enforcement cannot fix it after it happens. It’s the nature of cybercrime – most people/businesses don’t know they have become a victim until after it’s happened. No one can turn the clock back on an attack unless you planned ahead with solid, tested backups and recovery processes, practiced how your business would respond to various cyber events, and took steps to reduce the likelihood of a successful attack. This doesn’t mean don’t notify law enforcement, there are financial crimes that need to be reported immediately in order to have a chance of recovering a fraudulent transfer, for example, but that is outside the scope of this article. Your IR (Incident Response Plans) should outline your plans based on the type of cyber security event experienced.

 THE BAD GUYS WILL NOT GO TO JAIL

Due to the international nature of cybercrime, it’s very rare for someone to be held accountable for a crime. Even if they do get caught, the likelihood of you being made whole because of this is next to zero.

MOST VICTIMS COULD HAVE PREVENTED THE ATTACK

With simple preventative measures, you can reduce the likelihood of becoming a victim.

ABOUT SCOTT AUGENBAUM
After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. Author of the Book: The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business From Cybercrime

Interested in Five Simple Steps to Prevent a Cyberattack? Read our tips now.

EXAMPLES OF QUESTIONS ON A CYBER INSURANCE APPLICATION

By Todd Swartzman, RealTime CISO

The questionnaire(s) you fill-out may have some definitive questions that want Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process. 

You can ask the broker to help you better understand what these questions are really asking, and you can even add an addendum to better explain the answer to any questions that aren’t really a Yes or No given the question.  

That policy questionnaire is an excellent (free) way to measure how your business is positioned as far as your basic cybersecurity, your controls, policies, your compliance status, etc. If you find yourself answering “No” to many of the questions, this is your opportunity to improve your security to better protect your business, and maybe help you get better cyber insurance premiums. 

The questions being asked are proven steps businesses should already be taking to reduce their risks of a breach or ransomware event. 

Here I’ve listed some sample questions that insurers may use to help them qualify your business (aka, how risky are YOU to the insurer) for cyber coverage; having these things in place will  make it less likely you’ll need to use that shiny new cyber insurance policy: 

Email Security 

1. Do you filter emails for malicious attachments or links? 

2. Do you strictly enforce SPF on incoming emails? 

3. Do you train your email users to recognize phishing and other email based threats? 

4. Do you use Office 365 in your organization 

5. If yes, do you enforce MultiFactor Authentication for all Office 365 accounts? 

Internal Security 

1. Do you use Endpoint protection products across your enterprise? There may be choices or a listing of common products to help answer. 

2. Do you use multi factor authentication? 

3. For remote access? 

4. Do you have a process to apply critical security patches rapidly? 

5. Do you use web content filters to block potentially malicious content? 

6. Do you use protective DNS services (Open DNS, Quad9, etc.?) 

7. Do you provide your users with a password manager software? 

8. Do you have a firewall with active security services such as Intrusion Prevention Services, malware scanning, or similar? 

Backup and Recovery Policies 

1. Are your backups kept separate from your network (offline) or in a cloud service designed for this purpose? 

2. Do you use a cloud syncing service (e.g. Dropbox, OneDrive, Sharepoint, Google Drive) for backups? 

3. Have you tested the successful restoration and recovery of key server configurations and data from backup in the last 6 months? 

Other Ransomware Preventative Measures 

1. Please describe any additional steps that your org takes to detect and prevent ransomware attacks. 

Once you purchase a policy, you still have some work to do in order to get the most out of the policy and further reduce your business risks. Every reputable underwriter has resources that their policy holders can use to shore up defenses, create policies, and help train staff. Use them, after all, you are paying for it. Many have resources like policy samples, virtual CISO services, Incident Response Planning guides, courses on HIPAA and PCI, awareness training content, just to name a few. 

Why does my business need cyber insurance?

By Todd Swartzman, RealTime CISO

Your business is a target, whether you care to admit that fact or not. 

Having a good cyber insurance policy that helps mitigate some of your business risks is a safety net for your business in case of a breach, data loss event, business interruption due to a cyber event, assistance in a ransomware event, etc. Each policy is worded differently, and some policies won’t cover all things, or with the same limits. 

[Contact your insurance broker to get the process started. If your agent doesn’t seem to be very conversant on this subject, a good agent will loop in a cyber expert from the underwriter.]

FILLING OUT THE CYBER INSURANCE APPLICATION

WHAT SHOULD MY MINDSET BE WHEN FILLING OUT THE APPLICATION?

Think liability. Your job isn’t to make your business look good to the broker or underwriter. Be 100% forthright with your answers and be sure to answer accurately.  Ask the broker or underwriter to define their terms. What we commonly understand a term to mean isn’t necessarily what the insurer says that these policy terms mean, so be sure to get clarification. One policy I was working on included a 28-page document explaining the terms of their one-page proposal. Remember, what you think a term means may be quite different than what the insurer says that term means for their policy – go with the insurers version.

WHAT IF I DON’T KNOW THE ANSWER TO SOME QUESTIONS?

If you don’t know the answers to some of the questions, just tell the broker; or if you’ve been asked to answer the questions on behalf of a client, let the client know you don’t know the answer. This is especially important if the question is a legal or compliance type question. Your goal is to answer accurately, and it is critically important that you do so.

Here is why:

Cottage Health Systems got sued by their insurance company for failure to follow “Minimum Required Practices”. This is an example of what can happen if you have to make a claim and you answered inaccurately during your application. Cottage Health said they were doing something preventative relevant to the event, but they actually were not. READ MORE HERE…

TYPES OF QUESTIONS

The questionnaire(s) you fill-out may have some definitive questions that want a Yes or No answer. Not all applications will have the same questions as each insurer and even many insurance brokers have their own questionnaires that they use as part of the application process. Ask the broker to help you better understand what these questions are really asking. You can include an addendum with your responses to better explain any answers where a Yes or No isn’t the best answer.

That policy questionnaire is an excellent way to measure how your business is positioned as far as your cybersecurity, your controls, policies, your compliance status, etc. If you find yourself answering “No” to many of the questions, this is your opportunity to improve your security to better protect your business, and maybe help get better cyber insurance premiums. 

The questions being asked are some basic, proven mitigations that businesses should already be taking to reduce their risks of a cyber event such as a breach or ransomware. Here is a list of some sample questions that not only will help you qualify for insurance; having these things in place will  make it less likely you’ll need to use that shiny new cyber insurance policy.