Remember that old commercial where the actor said, “I’m not a doctor, but I do play one on TV”? Well, I’m not a lawyer, but I play one almost every day in our business.
Due Diligence and Due Care
Today the topic of conversation was the legalese terms “due diligence” and “due care”.
As a business owner, due diligence and due care can be a really big deal to you, especially when it comes to your company’s cybersecurity and insurance protection.
Simply put, due diligence is doing your homework on your information security: you need to read and understand your policies and make sure your staff does too.
Due care means having ongoing maintenance in place to make sure your policies are in force and you are abiding by them. Due care is where most companies fall short, or, at a minimum, it becomes the reason an insurer turns down your cybersecurity coverage.
For example, let’s say your policy states that terminated employees’ computer accounts must be disabled within 30 days and deleted within a year. If you neglect to do this and an attacker breaches one of those accounts, you have not exercised due care, and your insurer may deny your cybersecurity claim.
The way we are helping our clients with this potential problem is helping them prove that they have met the terms of their policies. We do this by:
- Identifying all insurer security policy terms
- Establishing IT security configurations that address these terms
- Running regular compliance audits
- Addressing issues and anomalies as they arise
- And documenting everything so there is proof in the event of a claim
As a managed IT provider in the Philadelphia area, we can even help your company secure cybersecurity insurance from one of the nation's largest insurance brokers. Contact Us Today for more information and cybersecurity services in the Philadelphia area.
Failure to Maintain
Your policy exclusions may not mention “due care” but instead contain a “Failure to Maintain” or “Failure to Follow” exclusion. The language looks like this:
“Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal or greater to those disclosed in the proposal”
“Failure to continuously implement the procedures and risk controls identified in the insured’s application.”
Social Engineering Schemes
I’ll be writing about this in an upcoming book I am co-authoring called “On Thin Ice,” but phishing campaigns are becoming more and more successful. In a phishing campaign, a cybercriminal sends a fake but convincing email to a user, and the user mistakenly gives up their username and password to the bad guys. Once this occurs, the bad actor can strike in one of many ways. The FBI recently documented the cost of these attacks:
| Breach | Cost to Business (USD) |
| --- | --- |
| Business Email Compromise | $3 billion |
| Corporate Data Breach | $95 million |
| Personal Data Breach | $59 million |
| Vishing, Phishing, etc. | $31 million |
| Denial of Service / DDoS Attacks | $11 million |
User Security Awareness Training
The way we are helping our clients with this potential problem is by providing them with ongoing monitoring, user training, and testing. User security awareness training provides employees with the ongoing training they need to understand the dangers of social engineering, detect potential attacks, and take the appropriate actions to protect your business with security best practices. The training consists of self-paced computer-based training along with simulated phishing emails to test the users.
Additional training is provided for credit card security, CEO fraud, mobile device security, and many other topics to keep your company safe. If you want to run a one-time test of your users, we offer a free phishing security test.
Dark Web Monitoring
The dark web is another hot topic these days. The dark web is not a single place but a collection of sites on the internet that are only accessible with special software, and it is heavily used by cybercriminals. They maintain websites and forums on the dark web to enable their criminal activities, such as purchasing drugs or selling hacked data, all anonymously and securely. For example, when cybercriminals breach a business, they steal as much information as they can, then sell that information to other cybercriminals on dark web sites. Often the real danger to a small business is that employees use their business email address on other sites, often with the same password, and those sites are later exposed in a hack.
For example, let’s say I use my business email on Facebook, and because I’m lazy, I use the same password I use on another 100 sites, the same password I use for my work PC. If Facebook gets compromised and my username and password end up on the dark web, my business username and password are exposed too. The next thing you know, because of my laziness, my company is hacked and potentially held for ransom.
The way we are helping our clients with this potential problem is by not only providing them with IT support but also providing ongoing monitoring of their business domain on the dark web. We maintain very expensive access to databases of breached credentials. If you want to see whether your business is exposed, we can do a free one-time check to see if your credentials are on the dark web.
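To show what a check of a breached-credential database against a business domain actually looks like, here is an added example; it is not PICS ITech's service or code. It scans a dump for addresses in the monitored domain and separates the two cases described above: an employee whose leaked password is also their work password (reset now) and one whose work password differs (notify and watch). Everything in it is constructed: the dump lines, the domain `example.com`, the salts and the directory hashes. The salted SHA-256 stands in for whatever the real directory uses; the comparison logic is the point, not the hash scheme.

```python
"""Added example (not PICS ITech's service): scan a breached-credential dump
for a monitored business domain and tell apart an employee whose leaked
password is also their work password from one whose work password differs.
Everything here is constructed: the dump lines, the domain, the salts and
the directory hashes. Salted SHA-256 stands in for the real directory's
scheme; the comparison logic is the point, not the hash."""
import hashlib
import hmac

MONITORED_DOMAIN = "example.com"   # assumption: the business domain being watched

# Constructed dump in the "email:password" form leaked credential lists often take.
BREACH_DUMP = """\
jane.doe@example.com:Summer2019!
bob.lee@example.com:correct horse battery staple
old.user@example.com:letmein
jane.doe@mailhost.net:Summer2019!
someone@other.org:hunter2
"""


def work_hash(password, salt):
    """Illustrative salted hash for the work directory (not a real directory's scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed directory: username -> (salt, hash of the user's CURRENT work password).
# jane.doe uses the leaked password at work; bob.lee does not; old.user has no account.
DIRECTORY = {
    "jane.doe": (b"salt-jane", work_hash("Summer2019!", b"salt-jane")),
    "bob.lee": (b"salt-bob", work_hash("Totally-Different-Pw", b"salt-bob")),
}


def parse_dump(text):
    """Yield (email, password) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.lower(), password


def check_exposure(dump_text, domain, directory):
    """Map each exposed user of `domain` to the action the finding calls for."""
    findings = {}
    for email, leaked_pw in parse_dump(dump_text):
        local, _, email_domain = email.partition("@")
        if email_domain != domain:
            continue  # not one of our addresses
        entry = directory.get(local)
        if entry is None:
            findings.setdefault(local, "exposed: no matching account")
            continue
        salt, stored = entry
        # Hash the leaked password the directory's way and compare in constant time.
        reused = hmac.compare_digest(work_hash(leaked_pw, salt), stored)
        if reused:
            findings[local] = "reused at work: force reset"   # outranks any earlier verdict
        else:
            findings.setdefault(local, "exposed: notify and watch")
    return findings


if __name__ == "__main__":
    for user, action in sorted(check_exposure(BREACH_DUMP, MONITORED_DOMAIN, DIRECTORY).items()):
        print(f"{user}@{MONITORED_DOMAIN}: {action}")
```

On the sample dump this reports jane.doe as a reuse case, bob.lee as exposed but with a different work password, and old.user as exposed with no matching account; the mailhost.net and other.org entries are ignored. Note that the reuse test only works when the dump contains plaintext or a hash you can recompute; when all you have is a foreign hash, the honest answer is "exposed, password unknown," and a reset is the safe default.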
Who is looking out for your business?
Keeping your IT up to date and your company safe is a full-time job. In most cases, business IT is better served by a team of IT professionals that knows your company’s needs. PICS ITech works with companies in the Philadelphia area to provide IT services, IT support, cloud services, cybersecurity, and business continuity planning.
If you are looking for a team to work with your company to manage your IT and protect your company with cyber-security, we will welcome the opportunity to speak to you about how we can provide your company with worry-free IT so you can focus on what you do best. Contact us today for a free IT and cybersecurity audit and introductory meeting.