3 Cyber Security Risk Tips You Can Deploy Today.
I recently participated as a panelist on a CLE for the NY Bar Association, and in that discussion, which focused on cyber security, a few ideas came up that I thought were worth sharing with our clients.
The first is that if your company has cyber insurance, that's great, but I recommend taking the policy (which you likely receive from us as a PDF via email) and printing it out, for two reasons.
The first reason is that in the event of an incident, such as a ransomware attack, the policy may be locked inside your network and unretrievable, so you'll want to know who your insurer is and have their 24/7 breach-response 800 number at hand.
The second reason, which is new to me, is that you'll want to scrub any details of your cyber insurance from your network and your email. Should you be hacked or breached, cyber criminals will search your network and emails for the keyword "Cyber Insurance".
If they find it, they will know how much coverage you have and will gauge their ransom or extortion demands based on those limits. You don't want to give hackers this information.
If you don't have cyber insurance yet, we should talk. The risks are very serious, and the cost of cyber insurance is still very affordable.
The next idea is similar, and concerns your WISP (Written Information Security Plan) or BCP (Business Continuity Plan).
We recommend that if your company has a WISP or a BCP, these are also scrubbed from your network, and that any reference to them, as well as any draft copies exchanged among employees, outside consultants and attorneys, are scrubbed from your email server as well.
Again, if your network is compromised, chances are that cyber criminals will search for these documents so they can thwart your recovery plans and maximize the harm they do to your company for their own benefit.
Leaving your WISP or BCP on your network gives hackers the roadmap to your recovery.
Finally, I want to mention something about passwords.
I have learned that it's not uncommon for employees to have a Word or Excel document on their computer or in the cloud, named "passwords", which contains all their work and possibly personal passwords.
Again, hackers will scan all drives of computers they have either infiltrated or seized in a ransomware attack for a saved document containing the word "Passwords".
This is a jackpot scenario for hackers if they discover it, since they may then be able to access every password-protected website, including the personal banking, credit card and investment accounts of employees, and those of your company.
Two issues to resolve here:
First, passwords should be kept in a password vault or manager such as LastPass, Keeper, Dashlane and many others. Check with your MSP for further details.
Never store passwords in a document on your network, or even printed on your desk.
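The two "scrub it from the network" points above (insurance details and WISP/BCP drafts, and the employee "passwords" document) both come down to the same housekeeping task: finding those files before an intruder does. The script below is an added example written for this post, not a tool from the author or from any named vendor, and it takes the defender's side of that search: it walks a share, flags file names that look like a saved password list and plain-text files that mention cyber insurance, a WISP or a BCP, and reports them so IT can move them to a vault or offline storage. The name patterns, keyword list and text-file suffixes are assumptions to be tuned for your own environment, and the mini file share it audits is constructed sample data.

```python
"""Hygiene audit for a shared drive (added example, not the author's tool).

Two checks:
  (a) file names that look like a saved password list, and
  (b) plain-text files that mention cyber insurance, a WISP or a BCP.
Flagged files are reported so IT can move them to a vault or offline storage.
The name patterns and keyword list below are assumptions; tune them per site.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed filename patterns that commonly mark a saved password list.
NAME_PATTERNS = [re.compile(p, re.IGNORECASE)
                 for p in (r"passw(or)?ds?", r"credentials?", r"\blogins?\b")]

# Keywords from the post (cyber insurance, WISP, BCP) plus assumed variants;
# word boundaries keep "wisp"/"bcp" from matching inside other words.
KEYWORD_RE = re.compile(
    r"\b(cyber insurance|cyber liability|written information security plan"
    r"|wisp|business continuity plan|bcp)\b", re.IGNORECASE)

# Only these suffixes are read as text; anything else is judged by name only.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log"}
MAX_BYTES = 1_000_000


def classify(path, text: Optional[str]) -> List[str]:
    """Return human-readable findings for one file (empty list = clean)."""
    findings = []
    if any(p.search(Path(path).name) for p in NAME_PATTERNS):
        findings.append("filename suggests stored passwords")
    if text:
        hits = sorted({m.lower() for m in KEYWORD_RE.findall(text)})
        if hits:
            findings.append("mentions: " + ", ".join(hits))
    return findings


def read_text(path: Path) -> Optional[str]:
    """Read small text files; skip binaries and oversized files."""
    if path.suffix.lower() not in TEXT_SUFFIXES or path.stat().st_size > MAX_BYTES:
        return None
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None


def audit(root) -> Dict[str, List[str]]:
    """Walk `root` and map each flagged file (posix-style relative path) to its findings."""
    root = Path(root)
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            findings = classify(p, read_text(p))
            if findings:
                results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root) -> Path:
    """Write a constructed mini file share (sample data, not real documents)."""
    root = Path(root)
    samples = {
        "HR/Passwords.xlsx": "not a real spreadsheet (constructed)",
        "Finance/renewal-quote.txt": "Cyber Insurance renewal quote, limit TBD (constructed)",
        "IT/BCP-draft-v2.txt": "Business Continuity Plan, draft 2: failover steps (constructed)",
        "IT/meeting-notes.txt": "Agenda: printer maintenance and parking (constructed)",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample share in a temp directory, audit it and print the report."""
    with tempfile.TemporaryDirectory() as tmp:
        results = audit(build_sample_tree(tmp))
    for rel, findings in sorted(results.items()):
        print(f"{rel}: {'; '.join(findings)}")
    return results


if __name__ == "__main__":
    demo()
```

Run it against a real share by calling `audit("/path/to/share")` instead of `demo()`; the spreadsheet in the sample is caught by its name alone, since only the listed text suffixes are opened, so extend `TEXT_SUFFIXES` or add a document-text extractor if you need to look inside Office files.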
Second, access to financial and other sensitive websites should use MFA (multi-factor authentication), where a PIN or code is used to confirm access.
This way, if an unauthorized third party obtains your password, they cannot log in to a website without the secondary means of authentication, such as a PIN or code texted to your cell phone.
I hope you found that info helpful. I'd love to hear your comments on this and other cyber security risk controls on your mind.