This year’s cybersecurity awareness theme is – DO YOUR PART. #BECYBERSMART
October is National Cyber Security Awareness Month. This year, more than ever with remote working and learning, it is important for both individuals and businesses to practice good cybersecurity. Now in its 17th year, the National Cyber Security Alliance has created a campaign to help promote better cybersecurity practices throughout the month.
As part of that effort, this year’s campaign theme is ‘DO YOUR PART. #BECYBERSMART.’ According to the Alliance, this year’s theme is highlighting ‘the role individuals play in keeping all of us safe online.’
As for Massachusetts, the Commonwealth also has designated the month of October as Cybersecurity Awareness Month. In commenting on the occasion in 2015, Governor Baker said,
“This month is a great opportunity to raise awareness about the importance of cybersecurity for the people of Massachusetts, our businesses, and state government. The cybersecurity field also represents a great opportunity for Massachusetts to utilize the multidisciplinary collection of assets and capacities in our universities, our industries, and our government to be a leader globally in cybersecurity services.”
Massachusetts Governor Charlie Baker
The decision to dedicate the whole month to cybersecurity awareness was in response to the growing importance of cybersecurity for financial services. This need is only growing.
The NAIC believes cybersecurity has become one of the most important issues for the insurance industry
In response to the growing importance of Cyber Insurance, the National Association of Insurance Commissioners also has begun to publish an Annual Supplement on the line of insurance. Now in its third year, it takes a look at the size and make-up of the U.S. Cyber Insurance marketplace.
The following are just a few of the more sobering statistics about the growing cyber threat.
Massachusetts was one of the top 10 states in 2020 with the largest losses due to cybercrimes
Ransomware is a malicious type of software used to block access to a computer system until money is paid. According to the FBI’s latest data, there are roughly 4,000 daily ransomware attacks in the U.S., with that number on the rise. While businesses are typically a popular target of ransomware, any individual or entity is at risk of becoming a target.
Ransomware attacks can wreak havoc on businesses large and small, as seen in the disclosure this week that the global insurance broker Arthur J. Gallagher had suffered a ransomware attack.
According to 2019 data from the Internet Crime Center, or IC3, reported cybercrime losses totaled more than $3.5 billion. Overall, during the last five years, the IC3 estimates Cyber losses to be roughly $10.2 billion, with over 1,707,618 total complaints made since 2015.
For 2019, the following states suffered the highest losses from cybercrime. As it did in 2018, California again suffered the largest losses in 2019, with losses totaling $573.62 million. Florida came in second with $293.45 million, followed by Ohio with $264.66 million in losses.
For the second year in a row, Massachusetts was again in the tenth position with cybercrime losses totaling approximately $84.17 million, up from $68,242,216 million in 2018.
There were 1,909 Data Breaches in Massachusetts in 2019
Data breaches occur when malware has been installed into a computer allowing cybercriminals to illegally harvest data from an individual or company. This is what occurred in the 2014 Data Breach involving Anthem Insurance which was finally settled by the Attorney General in 2020. As a result of this breach, over 79 million residents and more than one million Massachusetts residents were affected. Insurance professionals handling large amounts of sensitive data on a daily basis are at a heightened risk of loss due to a potential cyberattack.
How businesses can better protect against and prevent a potential cyber attack
Typically, ransomware infiltrates via an email phishing scam. The following are a few of the recommendations from the FBI’s Cyber Division center with respect to helping businesses prevent a ransomware attack:
- Implement an awareness and training program. Since many cyberattacks target end-users, employees and other individuals should be made aware of the threat of ransomware and how it is delivered.
- Patch operating systems, software, and firmware on all devices used for business purposes.
- Back up all data regularly and verify the integrity of those backups.
- Secure your backups. Ensure that backups are not connected to the computers and networks they are backing up. Instead, back up to the cloud or to an external hard drive. The FBI says that backups are critical in a ransomware situation, as they may be the best way to recover any critical data that has been compromised.
- Set all anti-virus and anti-malware programs to their “automatically update” setting.
- Make sure that both anti-virus and anti-malware scans are done on a regular basis.
- Create and manage a hierarchy of privileged accounts. Implement the principle of “least privilege”: users should never be assigned administrative access to operating systems unless absolutely needed.
- Configure all access controls, including a company’s file, directory, and network share permissions with the “least privilege” principle in mind.
How individual insurance professionals can help make the workplace more cyber secure
Independent agencies and insurance companies alike hold a wealth of highly sensitive data. As such, it is important that companies, large or small, take a look at cybersecurity, not only as another line of insurance to offer to their insureds but as a security measure to ensure the safety and protection of their clients’ data.
With that in mind, the following are some tips that the MassIT Enterprise Security Office has offered in the past as a way to ensure better cybersecurity. Agency Checklists is reprinting them again this year as they are tips that can be shared both in your office as well as with your insureds:
- Make all passwords complex and be sure to implement a policy in which they are changed regularly. Better yet, look into the industry initiative SignOn Once;
- Be sure to create and implement a protocol to handle passwords from departing employees;
- Only open emails or attachments from people you know;
- In the case of a suspicious email, do not respond to emails or text messages asking for confidential information. Also, never open attachments or links within a suspicious email;
- Limit the details disclosed in an “out of office” message.
- Keep an up-to-date computer, meaning that all computer programs and software are updated in a timely fashion;
- Use a screen saver on your office computer that activates within a maximum of 15 minutes after no keyboard or mouse activity; this helps avoid a vulnerable workstation resulting from an impromptu absence from your office due to a meeting, etc.
- Lock your computer each evening by pressing “CTRL+ALT+DELETE” and then selecting “Lock this computer.”
Resources in the unlikely event a cyber attack occurs
The FBI encourages organizations to contact a local FBI Field Office in the event of a ransomware attack or other cyber attack. The Federal Trade Commission also has various resources on cybersecurity measures for small businesses that can be accessed on its website.