As a business owner, it is essential that you have written policies and procedures governing the release of confidential private information, such as payroll data, in response to a request (usually submitted via e-mail), even when the request appears to come from an internal e-mail address. For example, cyber criminals now impersonate the firm’s owner/CEO and send an e-mail to payroll asking for a copy of every employee’s W-2 for an “audit.” Replying to that e-mail with the W-2s has just compromised all of your employees’ information. So, you need to establish “checks and balances” before sending out confidential or financial information in response to any request, even one that appears valid.
In years past, it was obvious that you were being targeted by a cybercriminal. There were spelling errors, the grammar was rudimentary, and you knew that you did not have a rich relative who left you a large estate in Africa (most often in pounds, which was another clue). Now, cybercriminals have become extremely sophisticated. The e-mails or letters look like they come from a legitimate source, the grammar is perfect, there are no typographical errors, and the request appears authentic. As a result, it is important that you have established “checks and balances” and have trained your employees on the policies and procedures for responding to these types of requests.
Moreover, it is imperative that you consult with your commercial insurance agent regarding cyber liability coverage. Most general business policies do not cover cyber liability. Therefore, you will want to speak with an experienced commercial insurance agent, explore your options, and determine what type of coverage best suits your business and industry. You will want to discuss and understand the limits of liability and the notification limit. Furthermore, you will most likely want coverage for information security and privacy liability, regulatory defense and penalties, PCI fines and penalties, website media content, cyber extortion, legal and forensics, public relations, and fraud resolution. A cybercrime incident could financially destroy your business. So, while taking no action may seem “easy,” it is necessary and prudent that you immediately implement checks and balances and have the proper insurance coverage in place.