You can expect data breaches: Here are four steps to limit the losses to your business
By Christian Deputy
If it hadn’t been for an overachieving banker, my client would have lost $2.1 million to cyber thieves.
It happened like this: My client was working on an acquisition and was instructed to wire the $2.1 million payment on a Friday afternoon. He sent the payment as requested and it hit the bank Saturday morning where it was intercepted by a banker who thought it seemed odd.
The banker was right. Cyber criminals had hacked the company’s email server and had been monitoring emails associated with the transaction for months. When the time was right, the thieves sent an email from the CEO to the CFO declaring that the deal was done and the funds needed to be wired. Then the criminals kicked back and waited for the $2.1 million to roll in.
My client was lucky. He lost only a small fraction of what should have been a crippling expenditure (and the company was insured, which helped, too). It was the wake-up call my client needed to adopt stronger measures and ensure nothing like this would happen again.
Common traits of corporate data breaches
For the rest of the world, this is proof that no business is immune to cyberattacks. For every big-name breach — Facebook, Equifax, Target, Home Depot — there are thousands of smaller ones that hurt just as much and have the power to put a company out of business. Some are low-cost: hackers with nothing more than malicious intent or who ask for a small-potatoes ransom so the incident gets paid quickly and stays unreported. Others are low-tech, like when a beaten-up flash drive housing malicious code is strategically “dropped” in a parking garage, waiting for that well-meaning employee to plug it in to find the real owner.
Almost every one of these data breaches has common traits:
• The data breach can cripple or even ruin a business. When money isn’t involved, loss of reputation and customers and the cost to repair the problem can skyrocket.
• No business, regardless of how large or small, is immune. Sole practitioners, 10-person teams — I’m also talking to you. In March 2018, there were 90 reported breaches, some with fewer than 200 records affected. And last year, the Verizon Data Breach Investigation Report noted that 61 percent of data breaches hit small businesses, not large ones.
• Most breach claims (90 percent) result from employee error — and not just low-level employees. The $2.1 million “almost error” that my client experienced targeted the company’s CFO.
• Any department could be a target. Your customer data is incredibly valuable but so is your human resources data, your email system and everything else.
Four ways to limit the impact of a data breach on business
So, if you know that a data breach is inevitable, you have one real recourse: Prevent it from destroying your company in the process. After watching these things unfold through the years, I advise my clients to adopt the following best practices to keep damages as small as possible.
1. Train employees. Start with the simple stuff like “no link clicking” and “put that flash drive down!” Then bring in an outside firm to train (and test) employees so they’re not putting data at risk. You can opt for custom, face-to-face training or online video courses to teach your employees, or something in-between. Whatever you choose, know that the team will need a refresher course annually. Cyber criminals are always finding new tactics.
2. Check your insurance policy limits and coverage. You’re looking for management breach remediation, extortion coverage as well as coverage to mitigate a potential loss of reputation and revenue. Before you decide that you’re already covered, read the news — will your policy cover all of the damages you might incur? Sit down and discuss your policy with a cyber specialist to ensure it will respond to your needs. As of 2015, The Guardian reported that the average cost of a cyberattack at a small business is between $84,000 and $148,000 — and that number has no doubt increased in the past three years. Also find out what happens if your data isn’t damaged but you happen to harm third parties, like employees, vendors or customers, as a result of a data breach.
3. Insure for extortion and social engineering/phishing. You need a separate policy here — either a cyber or a crime policy — and check the exclusions and conditions. They often exclude coverage if certain conditions or procedures aren’t followed.
4. Don’t wire funds without a verbal confirmation. Yes, this should be part of your employee training but it’s worth repeating. If you receive wire instructions, hop on a call with the person you think you’re sending money to and verify everything, including where the money should be sent and the dollar amount you’re sending. If something seems fishy (or “phishy,” in this case), STOP! Call your cyber insurance agent and your bank and enlist their help ASAP.
So far, I’ve only seen one client that was lucky enough to have a banker intercept a criminal transaction. Usually I hear about these things after the damage is done. That’s why it makes sense to carefully go through your policy with an agent who specializes in cyber. Talk to them, think everything through, find out what happens in every situation imaginable and question policy sub-limits, too. If your coverage isn’t sufficient, start shopping around. While it might sound cliché, it’s still true: it’s not a matter of how your data will be breached; it’s a matter of when.
Christian Deputy is the chief sales officer at Buckner Co., an insurance agency in Salt Lake City.