And the survey says…

September 22, 2021

A recent survey cited by one of our insurance markets found that 95% of people are unable to recognize email or text scams.  How does that statement make you feel?  Is it believable?

Who is doing all of this surveying and polling?  Who are they asking? When’s the last time you answered a survey or poll?  I may have gotten a call but didn’t answer it because I didn’t recognize the caller-ID.  Do all of these poll respondents not have caller-ID?!

Where is that 5th dentist from the “Four out of five dentists surveyed recommend sugarless gum for their patients who chew gum?”  My mother probably hunted her down and gave her a good smack with a wooden spoon.

Hold on a moment.  Let me yell out of my office door, “Hey Paul, are there too many surveys?”  According to a recent poll, there are too many surveys…

What can we even believe any more?  In school, we had to cite references in papers.  Some articles you read will mention the source of the information they have compiled.  So you could plausibly check up on them.  But when is the last time any of us have done that?  And how many stories do you read that don’t bother to cite any source for what they are reporting?!

Back to the email about 95% of people being very susceptible to email or text scams:  Do I think that number is a little high?  Maybe.  But do I think the number is fewer than 90% of people?  Nope.  You know why?  I read the survey because it was properly cited in the article.  The survey is a little stale, having been done in July of 2020.  But it was performed using a scientific method by a reputable company in Great Britain that deals with disposing of technology assets that have data to be protected.  It’s a legitimate number.

Why should we care?  Because this is where the virus or malware gets a toehold into your computer system.  And then you are done.  You were tricked into clicking on something that looked legitimate, but it actually loaded something dangerous onto your computer.  Now the hackers have their way into your computer or worse, maybe your entire office network.  Will they download confidential client data and prepare to release it on the web, or will they just encrypt your hard drive and demand a ransom to unlock your computer?

It took one stolen password by hackers to cause the Colonial Pipeline shut-down in May of this year.  It was big news at the time.  But the way our news cycle works, it is a distant memory.  The lines at gas stations are gone.  The media has moved on to other issues.  But that doesn’t mean that the hackers are not still at it.

Since the Colonial Pipeline shutdown incident, there have been multiple incidents that got nominal press by comparison:

  • a company that processes roughly one-fifth of the nation’s meat supply paid an $11 million ransom to hackers to be able to keep operating;
  • McDonald’s announced that hackers stole data from its systems in the U.S., South Korea, and Taiwan;
  • ransomware was unknowingly distributed by managed service providers that were updating their clients’ computer systems to keep them protected, but were using software that hackers had compromised and that was actually distributing the ransomware;
  • French Insurer AXA announced that they would stop paying ransomware claims and the next week they fell prey to a ransomware attack in one of their offices;
  • CNA Financial, one of the largest insurers in the U.S., announced that they paid $40 million to regain control of its network after a ransomware attack.

Just because cyber attacks have fallen out of the news cycle does not mean that they are not happening.  And if huge corporations with well-staffed IT departments and the resources to keep their systems protected are falling prey, what makes a small business think that we can do any better?

One of the first big data breach cases to make news was the Target data breach in 2013.  The cause of that breach was not a direct hack into Target’s systems.  The breach occurred when cyber-criminals hacked into the computer of an HVAC contractor who worked for Target.  The hacked computer contained a password the contractor used to log into Target’s network to submit invoices for services.  Once the cyber-criminals had that password, they were able to infiltrate Target’s system.

I have read theories that it’s not a matter of “if” a business is going to have a data breach, but “when” it is going to have a data breach.  Yet despite that almost certainty, the insurance industry is still willing to provide insurance to protect companies from damage related to cyber crimes.  How you deal with the cyber intrusion has everything to do with prior planning.

Managing the risk of being connected to the internet is very simple if you can continue to do business by disconnecting from the internet!  You can reach us by phone and fax and the US Postal service and we can handle your insurance via those media.  But if you send or receive email, bank online, use social media or have a website to connect with clients, or heaven forbid sell your product online, you have a cyber risk that requires a multi-pronged approach to manage.

Have an IT consultant or managed service provider evaluate your defenses.  Take their advice regarding spam filters and firewalls.  Those are efficient and effective risk management tools to implement.  But even those defenses cannot provide 100% protection from a well-crafted spam e-mail that tricks an employee into clicking on something they shouldn’t.  It is that human risk that you should transfer to an insurer through the purchase of cyber insurance.  It’s that 95% of people that don’t realize they are clicking a link in a scam email. It is too big of a risk to retain.

That’s when you need to talk with us.  We deal with multiple insurers offering different types of cyber coverages for different types and sizes of business.  We read articles about this stuff.  We sit through continuing education webinars about this stuff.  I know, it’s not very exciting.  But we need to know how to manage your risk.  And knowing how to efficiently transfer your risk to an insurer involves knowing how the insurers can handle that risk and at what cost.  You will be surprised how low the cost is.

If we handle your business insurance, we will be speaking with you about this when your coverage renews.  If we don’t handle your business insurance or this article has upset your stomach, give me a call or send me an email!  I will do my best to help you not lose sleep about this.