Time Is Money: Results from Latest ‘Cost of a Data Breach’ Report
A data breach creates all sorts of havoc, including significant financial costs. That’s hardly new information. But what those costs actually total does make news, as captured in the 2020 “Cost of a Data Breach” report, compiled by the Ponemon Institute and IBM Security.
The information from 2020 (the most current results available) provides a detailed glimpse of the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences. The report shows some consistencies with past research.
Here are the major highlights:
- The average cost of a breach in 2020 was $3.86 million per breach. This is actually good news, in a way, representing a 1.5 percent reduction from the 2019 cost per breach of $3.92 million.
- The average time to identify and contain a breach in 2020 was 280 days, virtually identical with the 279 days it took on average in 2019.
- Regarding prevention against breaches, 59 percent of organizations now have security automation deployed, up from 52 percent in 2019.
If one takeaway leaps out from these high-level results, it is that time is money. While a higher percentage of businesses have security automation in place, it still takes nearly 10 months to discover and contain a major breach. And the financial ramifications, even if slightly lower, remain substantial at nearly $4 million per breach.
The need for robust cybersecurity practices and protections continues to grow in importance and relevance. For more information, contact the professionals at The Reschini Group today.
Copyright 2022 The Reschini Group
Source: https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/
The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.
The Reschini Blog: Cybercrime Impacts All Industries
Working in IT today is like running a marathon sprint.
Not only do the digital professionals need to keep their systems and users running smoothly at a baseline level, they also need to stay up-to-date on new applications and software packages and how they could be used to advance the growth of their organizations.
And then there’s the ever-present specter of cybercrime – an unending and constantly expanding web of innovative and malicious attempts to steal information, hold data for ransom, and generally take control of the digital identity of companies. What’s worse, no industry is immune to these dark forces, who can wreak havoc and extort enormous financial damages.
According to the Pittsburgh Technology Council, most CEO surveys rank cybersecurity threats as a top-five risk, regardless of industry type. CEOs care about data breaches and ransomware attacks because those attacks have become so common, regardless of organizational size or IT staff experience. Furthermore, CEOs know that a ransomware infection or a data breach can put the very life of their organizations at risk.
IT teams have trouble keeping a current and standardized set of security best practices, because to do so – with proper patches and policies amid a continuously changing environment – is time consuming, expensive, and downright difficult. One solution comes in the form of enterprise cloud infrastructure platforms, which offer a secure-by-default cloud experience with best-in-class security features incorporated from the start.
Using advanced tools like this can free internal IT staffs, since they only need to work with the cloud infrastructure provider to select and configure features most relevant to the organization’s needs and vulnerabilities. Those IT professionals can then spend their time more efficiently, working on strategic projects while reducing exposure to cybersecurity issues.
Keeping the bad guys at bay online doesn’t have to be a marathon sprint, where the best efforts simply can’t keep running at full capacity. You can bring your cybersecurity exposure under better control, thereby improving your insurance coverage against losses.
The experts at The Reschini Group can provide specific guidance in this area. Contact us today to learn more.
Copyright 2021 The Reschini Group
It CAN Happen To You: Cybersecurity Claims Impacting All Levels of Business
The market for cybersecurity coverage remains competitive, and more business owners have decided to invest in insurance policies to protect from hackers and malware. That’s the good news.
But the risk still outweighs the precautions taken, according to insurance industry watchers – and that’s the bad news. Not enough clients are adopting the coverage, especially when proof continues to pile up that no organization is safe from a cyber event.
A 2019 Cyber Readiness Report from specialty provider Hiscox found that 53% of U.S. businesses reported a cyber attack in the previous 12 months, up from 38% the previous year. In all, 45% of those companies experienced three or more attacks in the past year. Yet 27% of firms have no plans to adopt cyber insurance, according to the report.
Considering the potentially devastating cost of recovering from a cyber attack, that statistic becomes especially alarming. According to McAfee’s 2018 Economic Impact of Cybercrime Report, the global cost of cybercrimes is estimated to be between $445 billion and $600 billion. But less than 20% of all businesses have purchased cyber insurance. That rate continues to increase, but not nearly enough to guard against the level of exposure that remains.
Adopting a line of thinking that “It won’t happen to me” may be the biggest mistake of all, according to industry experts. Business owners who only think of cyber attacks in terms of data breaches miss the other risks that exist, including extortion and business interruption – all of which represent serious and costly issues that need to be addressed through coverage.
The team at The Reschini Group can help put together the best package of cyber protection coverage for your business, regardless of size, scope, or industry. Contact us to learn more.
Copyright 2019 The Reschini Group
Inside Job: Safeguarding Against Internal Cyber Threats
The Software Engineering Institute (SEI) at Carnegie Mellon University defines insider cyber threats as “the potential for an individual who has or had authorized access to an organization’s assets to use that access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”
As such, a team from SEI recently issued the sixth edition of its Common Sense Guide to Mitigating Insider Threats, where it lists the following 21 recommendations for businesses to deploy:
- Know and protect your critical assets.
- Develop a formalized insider threat program.
- Clearly document and consistently enforce policies and controls.
- Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Be especially vigilant regarding social media.
- Structure management and tasks to minimize insider stress and mistakes.
- Incorporate malicious insider threat awareness into periodic security training for all employees.
- Implement strict password and account management policies and practices.
- Institute strict access controls and monitoring policies on privileged users.
- Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
- Monitor and control remote access from all end points, including mobile devices.
- Establish a baseline of normal behavior for both networks and employees.
- Enforce separation of duties and least privilege.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Institutionalize system change controls.
- Implement secure backup and recovery processes.
- Close the doors to unauthorized data exfiltration.
- Develop a comprehensive employee termination procedure.
- Adopt positive incentives to align the workforce with the organization.
Many of these guidelines appear to be just common sense business practices, but establishing them firmly, communicating them clearly, and enforcing them consistently makes the difference. Insuring against internal cyber threats carries its own set of parameters and requirements, as well.
The professionals at The Reschini Group can help protect your organization against losses from internal cyber fraud. Contact us to talk more about this important consideration.
* https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf
Copyright 2019 The Reschini Group
The Shadow Knows: Cyber Insurance Needed for Small Businesses Too
The major data breaches may get all the press – 150 million accounts exposed at Under Armour, 92 million at genealogy firm MyHeritage, 87 million at Facebook, and 145 million at Equifax, the largest U.S. credit bureau, revealing even Social Security numbers.
But that doesn’t mean small businesses are immune to cyber crime.
According to the Insurance Information Institute’s (III) 2017 report, Protecting against #cyberfail: Small business and cyber insurance, insurers foresee a substantial increase in coverage among the small business segment, as these companies become aware of the possibilities of liability, especially due to a breach and the resulting response costs arising out of the possession of private data.
According to the III, 10 percent of small businesses have suffered one or more cyber incidents in the prior year, with the average cost of cyber-related losses totaling $188,400. Only about one-third of firms surveyed had cyber insurance, nearly 60 percent of respondents said their company is very concerned about cyber incidents, and 70 percent think that the risk of being victimized by a cyberattack is growing at an alarming rate.
Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that continues to rapidly shift in scope and nature. According to the National Association of Insurance Commissioners, 140 U.S. insurers reported writing some cyber insurance premiums in 2016.
Online criminals keep adapting their techniques and level of sophistication just as quickly as technology evolves. Convincing oneself that cybersecurity – and the attendant insurance coverage – is not necessary, just because a business isn’t “big enough,” represents a bet that could be incredibly costly if lost. Just because a danger may be hidden in the shadows doesn’t mean it’s not there.
The cyber insurance experts at The Reschini Group can help you fashion a coverage package that makes sense for your business and your budget. Read more and download cybersecurity resources by clicking here or contact us to talk more about this important consideration.
Copyright 2019 The Reschini Group
Preparing for the Threat: Attitudes and Actions on Cybersecurity
It shocks absolutely no one that cybersecurity remains a growing threat to businesses, large and small, and that breaches of that security have increased both in number and in the resulting financial impact. What may be surprising, however, are statistics compiled by various governmental and industry sources surrounding cybersecurity, including the following:
- Cybersecurity remains a priority risk concern among all businesses.
- The three largest areas of concern within the scope of cybersecurity are: falling victim to a security breach, discovering unauthorized access to financial accounts, and suffering an internal system glitch.
- Concerns on the rise among businesses include: outsiders hacking into systems used for business operations, cyber extortion, and questions about having sufficient resources to recover from a cyber event.
- One in five businesses have suffered a data breach or cyber attack over the past year, double the number recorded in 2015.
- 52% of businesses say becoming a cyber victim is inevitable.
- Only 36% of businesses worry about their employees being tricked into transferring funds, despite a 2,370% increase in losses from such scams over the past two years.
- 95% of businesses say their operations depend on computer systems running flawlessly.
- 23% of businesses report that they are unfamiliar with their cyber insurance options.
- 55% of businesses have not done a cyber risk assessment, 62% do not have a business continuity plan, and 63% have not assessed the cyber security of vendors with access to their data – but 91% of these same businesses say they are prepared to weather a cybersecurity event.
- 50% of businesses have not purchased cyber insurance.
The professionals at The Reschini Group can help businesses across all categories and sizes get a true, accurate, realistic picture of their cyber exposure and fashion an insurance approach to safeguard against attack or malfunction. Contact us to talk more about your cybersecurity situation.
Copyright 2019 The Reschini Group
[Sources: 2018 Travelers Risk Index and FBI PSA https://www.ic3.gov/media/2017/170504.aspx]
An Endless Battle: Cyber Security Challenges On the Rise
As defenses and insurance coverages against cybercrime improve, so do the methods of cybercriminals and the frequency of their attacks, it seems. That only makes the battle more important than ever.
The Insurance Information Institute reports that, according to 2018 Identity Fraud: Fraud Enters a New Era of Complexity from Javelin Strategy & Research, 2017 saw 16.7 million victims of identity fraud, a record high that followed a previous record the year before. Criminals are engaging in complex identity fraud schemes that are leaving record numbers of victims of cybercrime in their wake. The amount stolen hit $16.8 billion last year as 30 percent of U.S. consumers were notified of a data breach last year, an increase of 12 percent from 2016. For the first time, more Social Security numbers were exposed than credit card numbers.
Cyberattacks and breaches have grown in frequency, and losses are on the rise. Breaches again hit a new record in 2017, with 1,579 breaches tracked, up 44.7 percent from 1,091 in 2016, as business and government entities move toward timely reporting, according to the Identity Theft Resource Center (ITRC). The number of records exposed rose to about 179 million, compared with 37 million in 2016. The majority of the data breaches in 2017 affected the business sector, with 870 breaches or 55 percent of the total.
The business category has suffered the most breaches for the third year in a row. Medical/healthcare organizations were affected by 374 breaches (23.7 percent of total breaches). The banking/credit/financial sector ranked third as it sustained 134 breaches (8.5 percent of all breaches). These figures do not include the many attacks that go unreported and undetected.
In 2018 the ITRC tracked 522 breaches through the month of May. The number of records exposed totaled 17.6 million. The business category continues to be the most affected sector, with 228 breaches, or 44 percent of all breaches detected. The business sector breaches affected 10.9 million records, or 62 percent of all records affected. The ITRC noted that in May 2018, hacking was the most commonly used method for breaching organizations, accounting for 37 percent of all breaches in that month.
The team of professionals at The Reschini Group can help you create a cybersecurity insurance package to protect your assets, even amid these complex and serious trends.
Copyright 2018 The Reschini Group
[Source: https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime]
No Immunity Against Cyber Attacks
The greatest deception is the one we play on ourselves. That could never happen here, right? I’m too small for anyone to bother hassling with me, don’t you think? But that same self-deception opens the door to individuals and organizations that, in fact, look for ways to steal, cheat, and do harm.
And the area of cybersecurity – especially for small businesses – has emerged as the place where so much of this harm is being done, and on a regular basis.
Recent surveys sponsored in part by the National Cybersecurity Authority found that most U.S. small businesses lack a formal Internet security policy, only about half have rudimentary cybersecurity measures in place, roughly one-quarter have outside experts test their systems for hacker-resistance, and an alarming 40 percent do not back up data in more than one location. Yet 85 percent of small business owners believe their organizations are safe from hackers, viruses, malware, and data breaches.
The harsh truth, however, remains that hackers look for the path of least resistance. The massive credit card information theft affecting Target department stores began with a single hacker getting into a small subcontractor’s computer systems. Small businesses – and those that neglect cybersecurity threats – represent a path to much larger targets, and therefore exist as attractive targets themselves.
Cost concerns do not have to preclude taking some sensible, cost-effective precautions. The Federal Communications Commission recommends that small business owners take the following steps:
- Train employees in cybersecurity principles.
- Install and update anti-virus and anti-spyware on every computer.
- Use a firewall for your Internet connection.
- Download software updates as they become available.
- Make backup copies of important data.
- Control access to computers and network components.
- Secure your wi-fi networks.
- Require individual user accounts for each employee.
- Limit employee access to data and limit authority to install software.
- Regularly change passwords.
Don’t fool yourself that it can’t happen to you, because it can. Cybersecurity must rise to the top of your priority list, to safeguard your company’s critical information. The Reschini Group can work with you to determine a proper protection strategy, and our experts are here to help.
Here are some additional resources that may be beneficial:
More About Cybersecurity
Read The Reschini Blog: Protecting Yourself from Online Data Breaches
Read The Reschini Blog: Guiding Parameters for Preparedness in Cybersecurity
Get: Cyber Risk Exposure scorecard
Get: Cybersecurity for Small Business
Get: Cybersecurity for Healthcare Organizations
Copyright 2017 The Reschini Group
Focus: Cybersecurity
Periodically, The Reschini Group will focus on a particular topic related to Risk Management or Property and Casualty issues. This month, we focus on Cybersecurity. Read on, and be sure to check out the resources available through the links.
Worth the Investment: Defining Cybersecurity Insurance
Insurance coverage is meant to protect one’s assets in the event of theft, damage, or disruption. When your online information gets hacked, all three factors come into play. So why not carry insurance to protect yourself from this potential disaster?
Cybersecurity insurance does just that. The U.S. Department of Homeland Security defines it as follows:
“Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack. In recent years, the Department of Homeland Security National Protection and Programs Directorate (NPPD) has engaged key stakeholders to address this emerging cyber risk area.”
The 2017 Cost of Data Breach Study, conducted by the Identity Theft Resource Center, has stated that:
- The overall cost per data breach worldwide decreased from $4 million to $3.62 million over the past year, but those same costs increased in the U.S. by 5 percent, to $7.35 million per data breach.
- Having an incident response team reduced the cost of a data breach by nearly $1 million.
- Health care is the most costly industry for data breaches, costing organizations $380 per compromised record.
Having a cybersecurity protocol, backed by the proper level of insurance coverage, is not only smart business – it could keep your business from disappearing altogether. The National Cybersecurity Alliance reported that nearly 60 percent of small businesses victimized by cyber attack closed permanently within six months. Putting the right protection in place is not difficult, and can be achieved more cost-effectively than might be assumed.
Fitch Ratings said that cybersecurity insurance policies in the U.S. have risen by 35 percent, reflecting a growing awareness and appreciation of the risks and how to reduce them. The cybersecurity insurance specialists at The Reschini Group can work with you to help safeguard your organization in the same way.
More About Cybersecurity
Read The Reschini Blog: Protecting Yourself from Online Data Breaches
Read The Reschini Blog: Guiding Parameters for Preparedness in Cybersecurity
Get: Cyber Risk Exposure scorecard
Get: Cybersecurity for Small Business
Get: Cybersecurity for Healthcare Organizations
Copyright 2017 The Reschini Group
Hack Attack: Guiding Parameters for Preparedness in Cyber Security
By The Reschini Group
National Cyber Security Awareness Month reminds us that the need for constant vigilance and action against hackers and data breaches continues – in fact, it not only never ends, but it must be continuously updated as the threats keep changing in shape and scope. The nationwide hack of major web-based systems like Amazon, Netflix, and even The New York Times proves this on one of the largest scales to date.
The federal Department of Homeland Security recently issued a brief report explaining three of the more prolific cyber threats currently faced by American businesses:
- Ransomware – A type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom is paid (www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise).
- Business E-Mail Compromise (BEC) – A type of payment fraud that involves the compromise of legitimate business e-mail accounts (often belonging to the CEO or CFO) for the purpose of conducting unauthorized wire transfers (www.fbi.gov/news/stories/business-e-mail-comporomise).
- Intellectual Property Theft – This entails robbery of individuals or companies of their ideas, inventions, trade secrets, proprietary products, and creative expressions, often stolen when computers and networks are accessed by hackers or unscrupulous competitors (www.fbi.gov/news/stories/countering-the-growing-intellectual-property-theft-threat).
A helpful list of Dos and Don’ts related to security breaches can be found here: (https://iapp.org/resources/article/introduction-to-data-security-breach-preparedness-with-model-data-security-breach-preparedness-guide/).
Do not assume, if your business is not a major national presence, that you are immune to cyber security threats. They occur at all levels of business. The professionals at The Reschini Group can help you get a handle on your exposure to, and protection in the event of, a cybersecurity issue affecting your organization. Contact us at 724-349-1300 to set up a time to discuss this important topic.
The ways and means of being hacked continue to expand. So should your safeguards against them.
Copyright 2016 The Reschini Group
The Reschini Group provides these updates for information only. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.
The Blind Side
Protecting Yourself From Online Data Breaches
By The Reschini Group
Attacks can come from unexpected directions. A right-handed football quarterback, for instance, had better hope that the left side of his offensive line can block the onrushing defense; otherwise he’s sure to be hit on his blind side.
The same rules apply when it comes to managing the risk regarding online data breaches. Most businesses realize this and have taken some steps to prevent damage, but there’s always a new “blind side” coming around the bend.
Managing the data breach risk posed by cyberattack only promises to become more difficult and challenging, as rapid and unending changes – that can make conducting business more efficient in many ways – can also open fresh doors for those with malicious intent. What’s worse, a cybersecurity breach could result from simply misplacing a laptop or smartphone containing sensitive data.
In a dramatic example of the need for diligence in HIPAA data protection policies, a provider of diagnostic imaging services discovered that one of its folders containing patient information was accessible to the public via the Internet. As a result, more than 300,000 patients’ billing information may have been exposed for months before the provider realized its error and removed the folder from public view.
The oil and gas industry faces potential exposure to data breach risks, in one example, from subcontractor personnel working onsite, with the possibility of sensitive information on customers and financial data being accessed and shared. Yet the unwanted release of private information – while damaging enough – may not represent the worst part of a data breach. That comes with the cost to repair the damage after a breach has occurred, in most cases.
Addressing cyberattacks varies by state, but in Pennsylvania, every data breach requires notification of every individual potentially affected, representing enormous costs in communication, credit repair, and image restoration. According to the 2015 Cost of Data Breach study*, conducted by IBM, the average recovery cost per lost or stolen record ranged between $145 and $154.
The same study found the average consolidated total cost of a data breach is $3.8 million, a 23% increase since 2013.
Let the experts at The Reschini Group help to ensure that all of your cyber flanks are covered properly. Don’t take an unnecessary and expensive hit from the blind side.
Copyright 2016 The Reschini Group
* http://www-03.ibm.com/security/data-breach/
The Reschini Group provides these updates for information only. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.