Cyber threats to startups are like UV rays to northerners: Neither realizes they’re overexposed until they’re burned.
Case in point: Recent ransomware attacks, like the global attack in May, stung many companies into heightened awareness.
“Clients have been asking me how they can protect their electronic and customer data,” said Charlie Phillips, vice president of the brokerage Phillips Bros. Insurance. “They are concerned about not just the financial risks posed by a data breach, but also damage to reputation.”
CNA offers cyber liability insurance that can be tailored to a company’s size, industry and customer base, said Katherine Drengler, assistant vice president of technology and e-business markets for CNA.
CNA NetProtect® products offer first- and third-party coverage associated with e-business, the Internet, networks and other electronic assets and information, Drengler said.
“It’s not just large companies that are vulnerable to hackers,” Drengler said. “Even for smaller or less well-known companies, the right protection from an insurer that has been in the business for over a century can help them and their customers sleep better at night.”
In addition to offering insurance, CNA works with certified ethical hacker Nick Graf to help companies conduct penetration tests and guard against attacks.
Graf, CNA’s consulting director for information security, shared a few steps every startup should take to fend off invaders.
1. Ensure full disk encryption on all computers, mobile devices and external storage. The good news: Most modern operating systems have built-in encryption. The bad news: “Whether it’s turned on is another matter,” Graf said.
Even for employee-owned devices used for work, a startup can deploy mobile device management (MDM) software so that a phone can be remotely wiped if it gets tossed out with the leftover salad from lunch.
2. Use multi-factor authentication for remote log-ins. Use two of the following three factors of authentication: something you have, something you are or something you know, Graf said. Remote log-in should require a password plus either a code from a security token whose numbers change every 30 seconds or a biometric factor, such as a fingerprint scan on an iPhone. It may add a few seconds to the process.
“But it’s highly worthwhile,” Graf said. “If you get malware on your machine or a bad guy is sniffing your Wi-Fi connection, he could view your password when typed in, and now he can log in and pretend he’s you.”
3. Extend internal security controls to embedded devices. These could include internet-connected web cameras, as well as HVAC and door badge access systems. Attackers are exploiting such Internet of Things (IoT) devices as a new point of entry.
“These often have no security built in whatsoever,” Graf said. “Employees will plug them in for good purposes, but many IoT devices can be infected with malware, attached to botnets, and the end user may have no clue that they are doing something nefarious.”
Ensure you have a communication channel with the vendor of each device so that, when a security patch is released, you are prompted to install it.
4. Document and test incident response plans. This looks different from company to company. The basics are to identify the individuals in the company who will respond to a data breach or an infestation on a server, to spell out the steps needed to contain and eradicate it, and then to document the lessons learned.
Practice the plan at least annually, Graf said, so the whole team understands how the communication works. A third party can help you conduct annual penetration tests and remediate identified issues.
5. Establish a formal data retention policy. Spell out how to securely delete data. Many tech startups that Graf speaks with don’t have parameters for this.
“Data is valuable and storage is getting increasingly inexpensive, so they want to hold onto data,” he said. But is there a business purpose or regulatory requirement for keeping it? Otherwise, businesses should view data as potential liability.
When you "empty" the Windows recycle bin, it doesn't actually delete the data: the space is marked as free, but the contents stay on disk until they happen to be overwritten, and recovery tools can read them back. You can buy software suites to help you securely delete. If software isn't an option, drill a hole in the hard drive or take other steps to destroy the media. If the drive was fully encrypted from the start (tip 1), destroying the key makes whatever remains unreadable as well.
“That’s far less expensive than suffering a data breach,” Graf said.
6. Ensure physical security of hardware. Servers, routers and switches that a company may have on the premises need to be physically secure.
“Keep it in a locked closet with a badge access system,” he said. “If anyone can walk in and access it, it’s game over.”
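Tip 5 above calls for a formal retention policy with a documented way to securely delete data, and notes that an ordinary delete leaves the bytes on disk. The following is an added example, not code from the article or from CNA: a small retention sweep that purges files older than a hypothetical 90-day policy by overwriting them with random bytes, flushing to disk and then unlinking them. The directory layout, file names and 90-day limit are assumptions for the illustration, and the sample files are constructed inside the script with back-dated modification times.

```python
import os
import secrets
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed policy for the example: exported customer data may be kept for 90 days.
RETENTION_DAYS = 90


def overwrite_and_delete(path: Path, passes: int = 1) -> None:
    """Overwrite the file in place with random bytes, fsync, then unlink it.

    Caveat: this defeats undelete tools on a conventional disk, but on SSDs,
    journaling or copy-on-write filesystems and cloud storage, older copies of
    the blocks can survive out of the application's reach. Full-disk encryption
    (tip 1) with key destruction is the dependable fallback for whole devices.
    """
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 20)          # 1 MiB at a time
                fh.write(secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())                        # force the new bytes to the device
    path.unlink()


def expired_files(root: Path, max_age_days: int, now: float) -> List[Path]:
    """Files under `root` whose modification time is older than the policy allows."""
    cutoff = now - max_age_days * 86400
    return sorted(p for p in root.rglob("*") if p.is_file() and p.stat().st_mtime < cutoff)


def retention_sweep(root: Path, max_age_days: int = RETENTION_DAYS,
                    now: Optional[float] = None) -> List[str]:
    """Apply the policy and return the relative paths that were purged (for the audit log)."""
    if now is None:
        now = time.time()
    purged = []
    for p in expired_files(root, max_age_days, now):
        overwrite_and_delete(p)
        purged.append(p.relative_to(root).as_posix())
    return purged


def build_sample_tree(root: Path, now: float) -> None:
    """Constructed sample data: three export files, two of them well past 90 days old."""
    samples = {                                          # relative path -> age in days
        "exports/customers-2016q1.csv": 400,
        "exports/customers-2017q1.csv": 120,
        "exports/customers-latest.csv": 3,
    }
    for rel, age_days in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"name,email\nexample,user@example.com\n" * 100)
        ts = now - age_days * 86400
        os.utime(p, (ts, ts))                            # back-date mtime for the demo


def demo_sweep() -> Tuple[List[str], List[str]]:
    """Run the policy against the constructed tree; returns (purged, remaining)."""
    now = 1_500_000_000.0                                # fixed clock so the result is repeatable
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, now)
        purged = retention_sweep(root, RETENTION_DAYS, now)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
    return purged, remaining


if __name__ == "__main__":
    purged, remaining = demo_sweep()
    print("purged:", purged)
    print("kept:", remaining)
```

Running the sweep from a scheduled job and keeping the returned list as an audit record gives the policy the "documented" quality tip 5 asks for; the modification-time rule is a stand-in for whatever business or regulatory trigger the policy actually names.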
CNA is the country’s eighth largest commercial insurance writer and the 14th largest property and casualty company. Learn how they can help you meet your insurance needs, including by connecting you to the right brokers, like those at Phillips Bros. Insurance.