Best Practices to Buy Cyber Insurance for Business Security

Cyber attacks are certainly well-documented. Security has become problematic in all sectors – business, nonprofits, government, politics and individuals.

The aggregate financial losses are so staggering that 69 percent of consumers worry about security at major companies, according to a study.

Consumers probably wouldn’t be surprised to learn that most small businesses make them vulnerable to credit card fraud and identity theft.

The cybercrime trend has become so inescapable that cyber-security threats have cost chief executive officers their jobs, and CEOs and boards now fear cyber-security threats.

Hence, there’s a need to buy cyber insurance. You’re not convinced? Here’s an unfortunate case study.

Despite the ever-mounting awareness of data breaches, buying the right protection, or any insurance at all against cyber attacks, can be daunting.

Many insurance companies are excluding coverage and courts have not been uniform in their rulings regarding insurance policies. Yet cyber insurance is paramount, and you likely need expert cyber-legal advice.

As a starting point, here are five best practices in buying cyber insurance:

1. Understand the big picture of cyber insurance

Unlike typical casualty or life insurance, there isn’t uniformity in cyber insurance. Insurance companies label their policies and their coverages in a myriad of ways.

It’s important to carefully examine coverage terms and the fine print.

There are differences between first-party and third-party coverages. Threats occur in both.

First-party coverage pertains to your business. Third-party coverage refers to your customers, vendors and other stakeholders.

Yet insurance companies often lump the two together along with professional insurance coverage, media and tech coverage, errors and omission policies, and general liability policies.

So you need to fully understand your risks and the available options. This means you must have a competent insurance advisor and legal counsel to prevent gaps in protection.

2. Assess your risks

It’s important you learn the risks you face. Cyber criminals use a wide variety of exploitation methods and have a myriad of motives.

For instance, some might want to damage or shut down your system. Others might want to steal your business data for their financial benefit.

Criminals might go after your customers’ credit card and financial-institution data – for which you’re also legally and morally liable.

There are extortionists who might want to install ransomware – software shutting down your IT system until you make a ransom payment to them.

“Privacy is not for the passive.”

-Jeffrey Rosen

So your risks emanate from these possible vulnerabilities:

— You depend on e-commerce for revenue.

— You maintain your customers’ financial information.

— You host Web sites or provide tech services for customers.

— You provide services to customers or the public at-large.

— Your company’s information technology depends on another company or network.

— A breach will be a hit on your reputation and decrease your future income.

So conduct stress tests and risk scenarios.

3. Quantify in dollars the risk from a breach

You should inventory or anticipate the costs to your business if your system is breached and otherwise disrupted.

This involves not only direct losses to your bottom line from disruption of your technology, but also damage to your reputation and indirect losses involving third parties. All such financial losses would be significant.

Moreover, you are required to notify your customers in the event of a breach.

You must also provide them with credit monitoring, arrange identity-theft-protection services, deal with regulators, cope with penalties from investigations, and contend with lawsuits.

4. Understand your coverage options

Once you know your risks, you must learn what you need in cyber insurance so you can make a determination.

But note that the available policies vary widely. For example, as mentioned earlier, coverages for first-party and third-party losses are often combined into one policy.

5. Choose the coverage that’s right for your business

Again, after you anticipate your vulnerabilities by conducting risk scenarios, study all your available options.

Then, with further due diligence pick the insurance company and coverages that will best protect your company.

To select your ideal coverages, involve all your key talent – from your finance and marketing to customer service and IT employees. If you determine coverage is not available for certain risks, do your best to eliminate those risks.

From the Coach’s Corner, here are related articles:

Are You Up-to-Date in Managing Cyber Risk? Here’s How — A strange development is taking place. Businesspeople are increasingly concerned about risk management and data loss, but many are implementing the wrong solutions. Here’s what you can do.

Protect Your Financials, Systems and Technology – 15 Tips — Cybercrime has skyrocketed and is projected to get much worse. At risk is the health of your company as well as the welfare of anyone with whom you do business. Here’s how to protect your customers and your reputation.

10 Strategies for Internal Controls of IT and Financial Systems — Obviously, the welfare of your company depends on having an up-to-date information-technology system. IT now impacts every facet of your business. So it follows that you should invest in IT controls to protect and enhance your financial system.

Key Measures to Prevent, Recover from Ransomware — Published reports indicate ransomware cost businesses $350 million in 2015. The FBI considers ransomware attacks one of the three worst cyber threats.

9 Tips to Train Employees to Protect You from Cybercrime — It takes a team approach to protect your organization against the skyrocketing rate of cybercrime. Here are nine training precautions necessary to make sure your employees help you guard against security threats.



Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.


Key Measures to Prevent, Recover from Ransomware

July 10, 2016

Ransomware is, of course, malicious software that can do terrible harm to your company.

Published reports indicate ransomware cost businesses $350 million in 2015. The FBI considers ransomware attacks one of the three worst cyber threats.

“Ransomware encrypts the files on your computer or network with an ‘encryption key’ known only to the cybercriminal,” writes Kimberly Pease, vice president of Citadel Information Group.

“The cybercriminal then offers to sell you the key to decrypt your files. Ransomware, like other forms of malware [malicious software], often gets on a computer through phishing,” she explains.

“Other ‘delivery vectors’ include visiting a booby-trapped website and infected USB-drives,” she adds.


Citadel is the No. 1 information-security management consulting firm, which is based in Los Angeles.

(Note: The firm’s president, Stan Stahl, Ph.D., is also a widely recognized expert, and is a trusted longtime friend and he’s been quoted in numerous articles.)

Unnerving developments

From media articles listed in her Weekend Vulnerability and Patch Report, consider a sample of unnerving headlines:

Updated CryptXXX Ransomware becomes more dangerous as it now steals credentials: CryptXXX ransomware has received a major overhaul by its authors, putting it on the fast track to unseat Locky as top moneymaker for criminals. ThreatPost, June 3, 2015

Ransomware-as-a-Service business model emerges in Russia; cybercriminals easily earn $90,000 / yr: Ransomware as a business is maturing and nowhere is that better illustrated than in Russia, according to Flashpoint researchers. The security firm released two reports on Thursday, one on a burgeoning ransomware-as-a-service business model (PDF) in Russia and the second on new developments in Russian ransomware kingpins targeting hospitals (PDF). ThreatPost, June 3, 2016

Amazon users targets of massive Locky spear-phishing campaign: Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year. ThreatPost, May 26, 2016

But here’s some good news: It’s possible to defend against ransomware, according to Ms. Pease.

“Citadel urges all organizations to review their information security management practices to ensure they are taking appropriate steps to guard against a ransomware infection and to test their backup / recovery capabilities to ensure their ability to fully recover from a ransomware attack,” she writes.

“Happiness has many roots, but none more important than security.”
-E. R. Stettinius

To keep from being infected, Ms. Pease offers these strategies from her newsletter:

Train Users

  1. Provide all users cybersecurity awareness training so they can be vigilant against phishing attacks. [Citadel provides awareness training, including simulated phishing attacks. Contact us for more information.]
  2. Teach users the phishing danger signals.
  3. Teach users to not click on links or attachments in emails unless they know the email is legitimate and its contents are safe.

Make sure IT does their part

  1. Keep operating system and applications patched with the latest updates. [Sign up for Citadel’s Free Weekly Cybersecurity Newsletter, including our Weekend Vulnerability and Patch Report]
  2. Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  3. Set all user accounts with limited — non-administrative — privileges.
  4. To the extent IT can manage it, they should use application whitelisting to identify the programs that are allowed to run.

Recover from ransomware

“Good backups are the only way to recover from ransomware. With backups, you can restore the files that have been encrypted. Without these backups, you’re stuck without your valuable files until you pay the ransom,” explains Ms. Pease.

“It is critical that IT verifies its ability to fully recover from a ransomware attack. It’s not enough for them to test their ability to recover a file or a folder. IT needs to test their ability to fully restore all working files from backup,” she concludes.
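The restore test Ms. Pease calls for can be made repeatable. The script below is an added example, not Citadel’s or the author’s code: it fingerprints a production tree before an incident, then checks a restored tree file by file and reports what is missing or came back with different content, so a drill that only restores a folder or two cannot pass. The directory layout and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest.

    Run this against the live file server before an incident (e.g. right
    after each backup job) and keep the manifest where the backup system,
    not the production host, controls it.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(expected, restored_root):
    """Compare a restored tree against the manifest taken before the incident.

    Returns a report with three sorted lists:
      missing   - files in the manifest that the restore did not bring back
      corrupted - files present but whose content differs from the manifest
      extra     - files in the restore that were never in the manifest
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in expected if p not in restored)
    corrupted = sorted(
        p for p in expected if p in restored and restored[p] != expected[p]
    )
    extra = sorted(p for p in restored if p not in expected)
    return {"missing": missing, "corrupted": corrupted, "extra": extra}


def restore_is_complete(report):
    """A restore passes only if nothing is missing and nothing is corrupted."""
    return not report["missing"] and not report["corrupted"]


def demo():
    """Constructed scenario (sample data, not from the article): a small
    production tree is fingerprinted, then a restore drill brings back one
    file intact, one file as unreadable garbage, and forgets a third."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("date,amount\n2016-07-01,100\n")
        (prod / "finance" / "invoices.txt").write_text("INV-001 paid\n")
        (prod / "notes.txt").write_text("quarterly planning notes\n")
        expected = build_manifest(prod)

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        (restored / "finance" / "ledger.csv").write_text("date,amount\n2016-07-01,100\n")
        # Constructed: content that came back scrambled, as an encrypted file would
        (restored / "notes.txt").write_bytes(b"\x8f\x1a\x03\xc4\x7b\x99")
        # finance/invoices.txt is deliberately absent from the restore
        return verify_restore(expected, restored)


if __name__ == "__main__":
    report = demo()
    print("restore complete:", restore_is_complete(report))
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

In a real drill, point build_manifest at the production share before the backup and verify_restore at the directory the backup was restored into; the report is what IT should be able to show as empty.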

Lest I forget, I strongly urge you to subscribe to Citadel’s highly informative complimentary blog, which is published each week.

Read the bios of Citadel’s principals here.

From the Coach’s Corner, here are more articles on information security:

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

Protect Your Bank Accounts So You Can Sleep at Night — Imagine for a moment — you’re sitting at your desk enjoying a second cup of morning coffee. Then, your phone rings. It’s a call from your bank to discuss possible fraud. Your bank is concerned about possible suspicious activity with your accounts, and wants to make sure you’re not a victim.

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study — A whopping 79 percent of companies in the U.S. and U.K. experienced Web-borne attacks, according to data released in 2013. These incidents continue to represent a significant threat to corporate brands.

Don’t Wait for Cyber Security Legislation that Affects Your Business — Not likely to pass, a data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Passage or not, businesses should act on their own. It’s the right thing to do. Here are four precautions to take for your business.

Using Starbucks’ WIFI? Expert Issues Warning, Security Checklist — The WIFI offering by Starbucks has prompted a security warning and checklist from a go-to Internet security guru, Dr. Stan Stahl.

Security Expert Warns about Using App that Emails Money — A service by a company called Square Inc. will allow you to e-mail money to your friends free-of-charge. But an IT security expert issues a warning.




Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft

A whopping 79 percent of companies in the U.S. and U.K. experienced Web-borne attacks. These incidents continue to represent a significant threat to corporate brands.

Results from a Web security study in 2013 show that almost all of the Web security administrators agreed that Web browsing is a serious malware risk to their companies.

Despite the obvious awareness of the risks, only 56 percent of participants said they had implemented Web security protection and more than half of companies without Web security had Web sites compromised.

Another study discloses a disturbing trend – nearly four out of five small companies are storing unsecured data about their customers.

That’s an indictment of such businesses, and is alarming news for consumers about their vulnerability to credit card fraud and identity theft.

The 2011 study was conducted by the National Cyber Security Alliance (NCSA).

“How can this be,” you ask?

Nationally known security expert Stan Stahl, Ph.D., of Citadel Information Group in Los Angeles, knows why.

“Citadel works with small business leaders every day and – based on our experience – the reason small businesses don’t take cybercrime seriously is that they see it primarily as something their IT people are managing, not yet realizing the critical importance of their own leadership,” says Dr. Stahl.

“This includes establishing clear policies and standards for information use, explicitly assigning cyber security management responsibility to a member of the senior management team, providing cyber security awareness training and education to all information users, and ensuring that IT personnel are effectively managing the security of the IT infrastructure,” he adds.

The alarming results in the study first came to my attention after reading Small Businesses Don’t Take Cybersecurity Seriously, which was mentioned in Dr. Stahl’s security blog.

Hopefully, your business is not one of the businesses cited in the study. Cybercrime has become a global nightmare. My question for companies about Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

For NCSA’s tips for small business security, read this post.

“Seventy-nine percent of businesses are storing consumer information when they don’t need it. It’s not protected. It’s not secure,” Verizon spokesperson Andrea Woroch was quoted in a published report.

For consumers, Verizon offers these tips:

Watch the people swiping your credit or debit card.

“You don’t want to blame or suspect everyone’s trying to steal your information, but there are people who will and are trying to copy your credit card information with extra swipes,” says Ms. Woroch.

Take extra care when you buy on the Internet.

“Don’t mark that little check box that says ‘to store for future purchases.’ You don’t want that organization, that business, that Internet website to hold any of that information,” explains Ms. Woroch.

Consider alternatives to using your credit card, such as gift cards.

Carefully study your billing statements.

“Lots of consumers overlook little charges that are being made on their statement and that’s how people are continually able to trick them and deceive them and steal them and take extra money out of their accounts,” adds Ms. Woroch.

Resource link: Dr. Stahl’s Web site.

From the Coach’s Corner, here are additional cybersecurity tips:

Secure Your Android from Viruses and Malware with 5 Tips — Hopefully, you haven’t had the nightmarish inconvenience on your Android from viruses and malware, which have plagued many users. Countless headlines detail the cyber dangers associated with Android-based devices. Don’t for a second assume you’d be safer with an iPhone.

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

Tips to Prevent Hacking of Your Bluetooth — Bluetooth technology, of course, allows you freedom when talking on your cell phone. But you’ll lose other freedoms if you don’t prevent scammers from exploiting your system via a trend called “bluebugging.” Beware: cybercriminals using software are able to intercept your Bluetooth signal to hack into your phone.

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer, thanks to malware security epidemics. If you’ve got an iPhone, get busy. Apple continues to have bugs and security issues. Apple was forced to release an update just a few days after the rollout of its iOS 8 in late Sept. 2014 (Apple issues iOS 8.0.1 for bug fixes, knocks out cell service and Touch ID for some).

“Being good is good business.”

-Anita Roddick




Antivirus Company Names Most-Perilous Internet Cities

In cyber-crime, Seattle has earned a distinction it’d rather not have – the No. 1 riskiest online city in 2010. That’s according to Norton from Symantec.

The antivirus company teamed up with the research firm Sperling’s BestPlaces to determine the locales they deem the most susceptible to Internet crime. But tech-savvy Seattle atop the list of the most-perilous cities?

Maybe the list is accurate and maybe it isn’t. A leading cyber-security expert, Stan Stahl, Ph.D., questions the data.

“While some of the factors used in assessing ‘risk’ would seem to be appropriate, my bottom line was expressed best by G.K. Chesterton: ‘It’s not that they don’t know the answer. It’s that they don’t even know the question’,” says Dr. Stahl, a noted Internet security expert in Los Angeles.

A Norton press release states its list of cities was developed as a result of the cyber-attack data compiled by Norton and other factors. The top five: Seattle, Boston, Washington, D.C., San Francisco, and Raleigh.

The Norton data criteria include these six categories:

1. The cyber-crimes data from Symantec Security Response:

  • Number of malicious attacks
  • Number of potential malware infections
  • Number of spam zombies
  • Number of bot infected computers
  • Level of Internet access

2. Expenditures on computer hardware and software

3. Wireless hotspots

4. Broadband connectivity

5. Internet usage

6. Online purchases

Missing from this list, Dr. Stahl says, are things that would serve to mitigate risk, such as:

  • Number of information systems security professionals in the city
  • Average number of information security professionals per 1,000 computers and per company
  • Percentage of computers that connect to hotspots using a VPN (virtual private network)
  • Percentage of companies ISO27001 certified (ISO refers to international organization standardization)
  • Numbers of CISSPs (certified information systems security professionals), CISMs (Certified Information Security Managers), etc.
  • Percentage of businesses/homes with professionally managed firewalls

“By itself, expenditures may mean little or nothing since one large supercomputer can cost the same as zillions of P and actually lower risk,” explains Dr. Stahl. “There’s also the question of what ‘risk’ means when applied to a city, as opposed to an individual or an organization.”

So, it’s a question of what he calls “meaningful mathematics” – everything is relative.

“My risk goes up or down as the total number of bot infected or spam zombie computers goes up or down; it doesn’t really matter if they happen to be in my own town or somewhere else [more or less true, but not quite since a bot net or spam zombie in Africa poses less of a risk than a bot net in America],” he adds. “In this situation, my risk is my risk; it doesn’t meaningfully transfer to my city.”

Norton’s list of the alleged most-vulnerable cities:

1. Seattle
2. Boston
3. Washington, D.C.
4. San Francisco
5. Raleigh
6. Atlanta
7. Minneapolis
8. Denver
9. Austin
10. Portland
11. Honolulu
12. Charlotte
13. Las Vegas
14. San Diego
15. Colorado Springs
16. Sacramento
17. Pittsburgh
18. Oakland
19. Nashville-Davidson
20. San Jose
21. Columbus
22. Dallas
23. Kansas City
24. New York
25. Indianapolis
26. Albuquerque
27. Miami
28. Omaha
29. Virginia Beach
30. Los Angeles
31. Cincinnati
32. Houston
33. St. Louis
34. Phoenix
35. Chicago
36. Baltimore
37. Oklahoma City
38. Philadelphia
39. Jacksonville
40. Tulsa
41. San Antonio
42. Milwaukee
43. Cleveland
44. Tucson
45. Long Beach
46. Fort Worth
47. Fresno
48. Memphis
49. El Paso
50. Detroit

Again, based on the expertise of Dr. Stahl, if you live in one of the listed cities, you don’t necessarily have to worry. My thanks to him – he’s been very gracious with his analysis for many years.

Seattle business consultant Terry Corbell provides high-performance management services and strategies.