Cybersecurity starts at the workplace

According to the recently released 11th annual Allianz Risk Barometer, insureds and brokers participating in the survey ranked cyber risk as the top business risk in 2022.   

While cyber risk had appeared on previous surveys, this is only the second time it has topped the Risk Barometer. The key driver, according to the survey, is a surge in ransomware attacks with 57% of respondents naming it as the leading cyberthreat going forward into 2023.   

Companies’ growing reliance on digitalization and effects from the Work from Home movement have also raised concerns regarding cyberthreats.  

In addition, recent attacks have revealed troubling trends including double extortion tactics pairing the encryption of systems with data breaches, the exploitation of companies’ software vulnerabilities and the targeting of critical infrastructure.  

In acknowledging growing cyber risks, US companies are dedicating massive resources to keep their companies safe. Research and advisory company Gartner has forecasted spending on information security and risk management products and services will grow 11.3% to total more than $188 billion by year’s end.   

To a certain degree, fear is driving this financial commitment. No management team wants to face the unhappy prospect of reporting a data breach to shareholders, strategic partners and customers.   

Of course, the damage caused by a cyberattack can extend far beyond a tarnished reputation. According to the U.S. Department of Defense Science Board’s “Resilient Military Systems” report, as interpreted by Flashpoint, regarding a catastrophic Tier 6 cyber attack: “Kinetic and cyber attacks conducted by threat actor(s) have the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods.”  

While much of the nearly $200 billion in cyber security spending will be devoted to effective defenses against cybercriminals, companies are advised to also invest in critical low- to no-cost common sense actions to anticipate cyber intrusions from bad actors.   

Although external actors are responsible for much cyber harm, company insiders are responsible for 60% of cyberattacks according to a report published by IBM.  Let’s consider the question: who is a company insider? The answer extends far beyond company employees to include anyone who possesses credentials enabling physical or remote access to a company’s digital assets.    

The beginning of a solution can be found in your selection screen.  Award credentials to access sensitive digital assets only to individuals who have earned your confidence. What’s more, award credentials only to those individuals who absolutely need to have them. If an employee or contractor is fired from or chooses to leave your firm, block access to digital assets immediately.  

Portable drives, as a rule, should be treated with the same level of distrust accorded a rattlesnake. An employee or contractor who copies digital assets onto a portable drive and later slips it into his or her pocket can do as much damage as a hacker who infiltrates your IT system from a remote location.  Even an otherwise well-intentioned employee or contractor could unknowingly introduce a virus into your IT system by inserting an infected portable drive into a port.  

Individuals perpetrating ransomware cannot restrict access to your company’s computer system without the agency of employees and contractors.  Frustrate these criminal efforts to hold your company’s digital assets hostage by following these rules of thumb: 

• Train contractors and personnel to recognize bogus e-mails and advertisements. 
• Stay current on all IT protection systems, including anti-virus software. 
• Instruct all individuals logged into your IT system to not click on unknown e-mails or attachments.

Employees and contractors should exercise caution before accessing your company IT system via a public hotspot, since 95 % of Wi-Fi traffic is unencrypted. Your company’s digital assets will become vulnerable if the hacker working at the next table or across the lobby penetrates your corporate server. Following are a few rules of thumb to manage this risk: 

• Don’t join “Free Wi-Fi” networks. Refuse this particular act of charity and create your own personal hotspot with your wireless device. 
• Before logging in, set all websites to “HTTP secure.” 
• Use a VPN before logging into a company network. 
• Do not access personal financial accounts via a Wi-Fi hotspot. In fact, anytime a user name and password are required to gain access to a website, put the time to better use by stretching your legs and walking to the counter to order a cup of coffee and nice piece of cake.

Finally, hopeful optimism is not a positive personal attribute when it comes to cyber attacks. Since there is every chance your company will someday be targeted by a cybercriminal, all individuals with access to your company IT system should be instructed regarding proper cyber hygiene. 

Bob Dietzel is the co-founder and principal of KMRD Partners, Inc., a risk and human capital management consulting and insurance brokerage firm located in the Philadelphia region serving clients worldwide. KMRD works to protect clients’ assets by reducing their cost of risk. Bob can be reached at [email protected]