October marks the beginning of Cyber Security Awareness Month once again both here in Massachusetts and across the nation. As the news and reports demonstrate with each passing year, now more than every cyber insurance is becoming an indispensable coverage to have both in Personal and Commercial Lines.
“Secure Our World” New Enduring Cybersecurity Awareness Month theme
For the past 20 years, the President of the United States has designated this month as Cybersecurity Awareness Month. This year marks the 21st edition of the National campaign which often debuted with a specific theme.
In 2023, however, the Cybersecurity and Infrastructure Agency or “CISA” designated the tagline “Secure Our World” as its enduring theme for this month. The agency states that “This theme recognizes the importance of taking daily action to reduce risks when online and using connected devices.”
In Massachusetts, the Commonwealth first designated the month of October as Cybersecurity Awareness Month in 2015. In commenting on the occasion, then Governor Baker said,
This month is a great opportunity to raise awareness about the importance of cybersecurity for the people of Massachusetts, our businesses, and state government. The cybersecurity field also represents a great opportunity for Massachusetts to utilize the multidisciplinary collection of assets and capacities in our universities, our industries, and our government to be a leader globally in cybersecurity services.”
– Former Massachusetts Governor Charlie Baker
A focus on the Four Easy Ways to Stay Safe Online
The main goal of this initiative is to remind individuals and companies alike of the importance of practicing safe cyber habits while online. The following are the four main actions that CISA recommends everyone do to help protect themselves from online threats:
- Use strong passwords and a password manager
- Turn on multi-factor authentication
- Recognize and report phishing
- Update software
Massachusetts had 9,915 complaints to Ic3 in 2023
The Internet Crime Complaint Center, or IC3, is a division of the Federal Bureau of Investigation that acts as the hub for reporting cybercrime. Each year, the department issues an annual report commenting on the number and types of cybercrimes occurring both nationally and by state. While in 2019, it listed Massachusetts as one of the top 10 states for Cyber Crimes, this year the Commonwealth only logged 9,915 complaints ranking it as the 17th state for complaints. In comparison, California, Texas, Florida, and New York took the top four spots, with California logging 77,271 complaints last year.
California also took the top spot for losses due to cybercrime, reporting a total of $2,159,454,513 losses in 2023. With $235,890,173 in losses, Massachusetts was listed as the state with the 12th most losses due to cybercrime last year.
New England cyber crime statistics
| New England State | # of Cyber Crime Complaints | 2023 Losses Reported |
|---|---|---|
| Massachusetts | 9,915 | $235,890,173 |
| Connecticut | 5,216 | $120,767,349 |
| Maine | 1,626 | $18,968,567 |
| New Hampshire | 1,650 | $27,178,268 |
| Rhode Island | 1,425 | $30,102,231 |
| Vermont | 698 | $ 8,818,181 |
There were 2,429 Data Breaches in Massachusetts in 2024
Data breaches occur when malware has been installed into a computer allowing cybercriminals to illegally harvest data from an individual or company. Since 2007, Massachusetts has been tracking the number of data breaches reported in the Commonwealth. From the 32 breaches reported in 2007 that affected approximately 17,503 residents, the chart shows that there were 2,429 breaches which affected approximately 6,936,499 citizens in 2023.
The following is a complete list of breaches reported to the Commonwealth:
| Year | Total # of breaches | # of MA Residents Affected |
|---|---|---|
| 2007 (Nov-Dec) | 32 | 17,503 |
| 2008 | 428 | 692,736 |
| 2009 | 441 | 357,900 |
| 2010 | 474 | 1,018,497 |
| 2011 | 624 | 1,167,160 |
| 2012 | 1,130 | 325,867 |
| 2013 | 1,947 | 1,193,970 |
| 2014 | 1,659 | 360,793 |
| 2015 | 1,837 | 1,345,430 |
| 2016 | 2,002 | 195,052 |
| 2017 | 1,889 | 3,377,646 |
| 2018 | 1,835 | 442,941 |
| 2019 | 1,909 | 609,006 |
| 2020 | 2,188 | 1,087,591 |
| 2021 | 2,488 | 1,861,422 |
| 2022 | 1,936 | 1,899,465 |
| 2023 | 2,429 | 6,936,499 |
| 2024 | 1,736 | 1,784,453 |
How businesses can better protect and prevent a potential cyber attack
Typically ransomware infiltrates via an email phishing scam. The following are a few of the recommendations from the FBI’s Cyber Division center with respect to helping business prevent a ransomware attack:
- Implement an awareness and training program. Since many cyberattacks target end-users, employees and other individuals should be made aware of the threat of ransomware and how it is delivered.
- Patch operating systems, software, and firmware on all devices used for business purposes.
- Back-up all data regularly as well as verifying the integrity of those backups.
- Secure your backups. Ensure that backups are not connected to computers and networks they are backing up. Instead, choose to back-up in the cloud or an external hard drive. The FBI says that backups are critical in a ransomware situation as it may result in the best way in which to recover any critical data compromised.
- Set all anti-virus and anti-malware programs to their “automatically update” setting.
- Make sure that both anti-virus and anti-malware scans are done on a regular basis.
- Create and manage a hierarchy of privileged accounts. Implement the principle of “least privilege” this means users should never be assigned administrative access to operating systems unless absolutely needed.
- Configure all access controls, including a company’s file, directory, and network share permissions with the “least privilege” principle in mind.
How individual insurance professionals can help make the workplace more cyber secure
Independent agencies and insurance companies alike hold a wealth of highly sensitive data. As such, it is important that companies, large or small, take a look at cybersecurity, not only as another line of insurance to offer to their insureds but as a security measure to ensure the safety and protection of their clients’ data.
With that in mind, the following are some tips that the MassIT Enterprise Security Office has offered in the past as a way to ensure better cybersecurity. Agency Checklists is reprinting them again this year as they are tips that can be shared both in your office as well as with your insureds:
- Make all passwords complex and be sure to implement a policy in which they are changed regularly; Better yet, look into the industry initiative SignOn Once;
- Be sure to create and implement a protocol to handle passwords from departing employees;
- Only open emails or attachments from people you know;
- In the case of a suspicious email – do not respond to emails or text messages asking for confidential information. Also, never open attachments or links within a suspicious email.
- Limit the details disclosed in an “out of office” message.
- Keep an up-to-date computer, meaning that all computer programs and software are updated in a timely fashion;
- Use a screen saver on your office computer that activates within a maximum of 15 minutes after no keyboard or mouse activity; this helps avoid a vulnerable work station resulting from an impromptu absence from your office due to a meeting, etc.
- Lock your computer each evening by pressing “CTRL+ALT+DELETE then select “Lock this computer”
Resources in the unlikely event a cyber attack occurs
The FBI encourages organizations to contact a local FBI Field Office in the event of a ransomware attack or other cyber-attack. The Federal Trade Commission also has various resources on cybersecurity measures for small businesses that can be accessed on their website here.
