Does my Legal Malpractice Insurance Cover my Cyber Exposures?

Does my professional liability insurance policy Cover me for cyber risk?

The short answer is, sometimes. This is a great question. There are some policies out on the marketplace that do advertise that they cover both professional liability insurance and cyber. But if you’re really serious about covering yourself in the event of a cyber breach, you need to look into what is called a standalone policy, not any kind of combo cyber professional liability policy.

If you do look into that type of coverage, you’ll notice a few things. One, the cyber coverage is usually ancillary to the primary coverage of professional liability insurance and the limits that are available for the cyber are usually very, very small, somewhere between $15,000 and $25,000. Last year the average cost of a cyber breach for a small to mid sized firm was about $250,000. The other important note is that 50% of those that did have the breach, were out of business within six months of the breach.

Contact us at INtegrity First Corporation with any questions you may have regarding cyber liability insurance.

What is Privacy Regulatory Claims Coverage and Why is it Important?

What is privacy regulatory claims coverage in a cyber liability policy?

Wow. That’s a mouthful.

The regulatory coverage in a cyber liability policy actually pays for and protects you against the fines and sanctions that may be levied against you from state, local and federal governments for not properly ensuring the data that you’re responsible for.

Don’t get caught, make sure this coverage is in your cyber liability policy.

‘Tis the Season for Cyber Security

02J68283

As the holiday season draws near, so do cyber criminals.  With more and more people shopping online, the number of potential cyber breach victims increases every day.  In fact, Adobe is predicting that Black Friday 2017 will see the highest sales ever on record.

So, without completely withdrawing from the online world, how can you protect yourself and your business online?  Try applying the following tips:

Make sure that you are on the website that you think that you are on

One of the most common ways to scam your username and password or credit card information from you is to send you to a fake website that looks very similar to the website that you are expecting.  An example of this is paypal.com versus paypa1.com.  Note that the only difference is the “L” at the end of the first one and there is a “1” at the end of the second one.

To get you to these fake sites, scammers will send you an email that directs you with a bogus link.  One way to see where the link is taking you is to hover over it with your mouse.  The website address will popup.  If the link is bad, block the email sender and move the email to your “SPAM” folder to prevent receiving emails from that person in the future.

One way to confirm that you are visiting the website that you want is for you to type the website into the address bar.  This way, you know that you are not following any false links and you arrive at the correct website.

Don’t fall for holiday phishing schemes

On Black Friday 2017, retailers sent over 3 BILLION emails to consumers, advertising their best deals and sales.  This day was also filled with scammers sending out tons of emails, pretending to be a retailer.  They were taking advantage of the fact that consumers were expecting to receive these emails and may not have questioned them as much.  This is known as phishing and its main purpose is to collect as much personal information about you as possible.

Commonly, phishing emails will try to direct you to a login page or a payment page.  They want to get your information as quickly as possible without you questioning the validity of the site.

A few ways to identify phishing schemes:

  • The “From” field display name is a store or bank.  However, when you click into it to reveal the full email address, it’s an address not related to that entity.
  • The email has graphics that look “off” or “fuzzy”.  Sometimes, to make the fake email look more legitimate, a scammer will copy the graphics from a store or bank from their website, which are not a high resolution.  As a result, when they are placed into an email, they look wrong.
  • When you hover over the link that the email wants you to visit, it is not pointing to the website that it claims to be sending you to.
  • Check for spelling mistakes and bad grammar.  Legitimate companies are sticklers when it comes to spelling and grammar.  If the email sounds poorly written, there is a good chance that the email is not legitimate

Check for an SSL certificate upon checkout

When you check out online, you want to make sure that there is an SSL certificate in the address bar.  You should see that the web address starts with “https://”.  Normally, there will be a lock image next to the address or the whole bar will turn green.

An SSL is important any time that you are entering financial information or passwords.  This encrypts that information and keeps it private from anyone that may be watching your transaction.

Create a strong password (and don’t use the same one) for your customer (and business) accounts

Your customer accounts for stores and banks should be protected by a strong password.  The company can have the best security measures and encryption in place, but if your account has an easily guessed password, none of that matters.

A strong password is 12 characters or more and contains at least one of each of the following:

  • Uppercase letter
  • Lowercase letter
  • Number
  • Symbol

You also do not want to use the same password for all of your accounts.  This is because if one of the accounts is hacked, the hacker now has the login information for all of your other accounts and they WILL check this immediately.

The average American has over 60 online accounts that they have to remember, so look into a good password manager to help you maintain the information.  Not only will the password manager help you remember all of your login information, but it will help you create secure passwords.

Some highly rated password managers include KeePass, Dashlane and LastPass.  Check out this article from PC mag for more information on the top password managers of 2017: https://www.pcmag.com/article2/0,2817,2407168,00.asp

BONUS: Turn on two factor authentication where possible

Two factor authentication (TFA) is becoming more prevalent as hackers become more savvy and have access to greater computing power.  TFA uses not only your username/password, but one other means of verification before you have access to your account.

This is now commonly available with banking and credit card websites.  When you turn this on, after you sign in with your username and password, they will ask if you want to receive a text or email for secondary verification of the account.  Once you make your selection, they will send a one-time only code to the phone number or email associated with that account, which you then have to enter to gain access.

This is helpful because even if someone had your password, they would still need access to your email or phone to be able to access your account.  If TFA is available to you, INF recommends turning it on to better protect yourself.

Have a safe and secure holiday season from INF!

Why Does My Company Need Cyber Liability Insurance?

Gadgets-In-Business-Vacation-Shopping-Banners-[Converted]Today’s businesses are more reliant than ever on technology.  Whether it’s an app, a device, or a piece of software, a business can save time and money.  However, this technology may expose them to multiple cyber risks that need to be addressed.  An unhappy ex-employee, a lost cell phone, an insecure password, an out-of-date computer system – these may all be a possible source of a data breach.

What is a data breach?
According to the Ponemon Institute, a breach is defined as an event in which an individual’s name and a medical record and/or a financial record or debit card is potentially put at risk—either in electronic or paper format.

Verizon found in their 2015 Data Breach Investigations report that about 50% of all security incidents are caused by people within your organization!  The other 50% are caused by hackers, viruses, malware, etc.  The people in your organization may not have caused the breach maliciously, but through human error or some other negligence.

Amazing Data Breach Facts

According to Ofcom’s “Adults’ Media Use and Attitudes Report 2013”, 55% of adults use the same password for everything.  Therefore, when one data breach occurs, about 55% of the passwords and information recovered can possibly lead to another breach, which can lead to another, etc. It’s easy to see how you can have a secure system, but if it’s not protected by secure employees, a data breach could easily occur.

login with email and password

The average cost per lost or stolen record in a data breach is $141 dollars according to the 2017 Ponemon Institute Data Breach study.

How many records is your company responsible for?  

When there is a breach in Pennsylvania, you are responsible for notifying each owner of those records that their data has been compromised.  Not only have you lost or diminished the trust of your clients, but you will spend a large amount of money informing them of this fact.

Because your clients can reasonably expect that you will protect their data, failing to do so can also result in federal and/or state fines.  Make sure that you are taking all reasonable steps to protect your data.

How can you protect your company from a data breach?

The first step that you can take is to purchase a cyber liability insurance policy. This allows you to transfer the risk to the insurance company and know that you are covered in the event of a data breach.  For the cost of a nice laptop (under $1500), you can purchase a standalone cyber liability policy.

This policy will help with a number of things when it comes to a data breach.  Most policies will cover the cost of notification, finding the breach source, fixing the source, restoring your clients’ trust, fines and more.  Before you purchase a policy, review the coverage available and ensure that you are fully covered.

The second step that you can take is to train your employees well and make sure that you have office procedures in place to ensure your security.

Keeping Your Information Safe In the Digital Age – Part 3

With the onslaught of data breaches that happened in 2015 (about 65,000 according to the Verizon Data Breach Investigations Report), INF presents this multi-part blog series about keeping your data safe in the digital age.

Accessing Your Password Database on Different Devices

The last blog post of this series covered setting up a password database in KeePass and accessing it on your personal computer.  This blog post will cover accessing your passwords on multiple devices.

Storing your Password Database in an Accessible Place

If you only want access to your passwords on your laptop or desktop, storing the database file (*.kdbx file) locally is fine.  However, if you want to be able to retrieve your passwords from your phone, tablet, etc., the file needs to be stored in a cloud.  If you already have a cloud account, you can store it there.  If you do not have a cloud account and you won’t be using it for large files, Dropbox is great free option to consider (https://www.dropbox.com/).  It takes about 3 minutes to sign up and you get 2GB of space for free.  Your *.kdbx file won’t even use 1% of that amount.

Once you have your Cloud account set up, move your password database file to the cloud.  This benefits you in multiple ways.  First of all, you can access your passwords from all of your devices.  Secondly, your password database will now be backed up on a regular basis.  In fact, Dropbox keeps all deleted and updated versions of your files from the last thirty days.  So, if you accidently delete your file from anywhere, you can restore it from dropbox.com.

Retrieving Passwords on your iPhone or iPad

If you want to access passwords on your iPhone, you need to download the app for the cloud that you are using onto your device. In the case of Dropbox, you will download the Dropbox app from the app store and use your account information to sign in.  You will then need to download the app “MiniKeePass”.

To load your password database into MiniKeePass, open the Dropbox app (or your Cloud app) and click on your *.kdbx file.  The cloud app will not be able to show a preview of the file, which is expected.  Click on the icon of the square with an arrow pointing up, which should give you a menu with multiple options.  Click the “Open in…” option and select “Copy to MiniKeePass”.  This has now stored a copy of the password database in your MiniKeePass app.  This is important to note as it is just a copy.  If you make changes to the file on another device, you will have to go through the process of loading your password database again.

The actions above will open MiniKeePass and display the database file. To open it, click on the filename.  The app will ask for the database password.  Enter your password and your database will display.  You can browse by folder or you can use the “Search” box.  To use the passwords, click on an entry and click on the username or password.  This copies that text to the clipboard.  You can then paste it wherever you would like.

Retrieving Passwords on your Android 

If you want to access passwords on your Android, you need to download the app for the cloud that you are using. In the case of Dropbox, you will download the Dropbox app from the app store and use your account information to sign in.  You will then need to download the app KeePass2Android from the app store.  Launch the newly downloaded app and click the “Open File” button.  You can browse to your password database file in your cloud and open it with your password.  You will then be able to search for the password that you want and copy/paste it any location.

Retrieving Passwords on your Chromebook

If you are using a Chromebook, there is a strong possibility that the cloud that you are utilizing is Google Drive.  Place your *.kdbx file in your Google Drive cloud and install the KeePass Chrome app.  Open your new app and select “Open File”.  Browse to your KeePass Database and enter the password.  KeePass Chrome will open the file and you can use the passwords as needed.

Should you use free Wifi…the answer is resoundingly “No!”

High resolution mobile phone graphic with Wifi Icon

It all starts out innocently enough.  You decide to stop into your favorite coffee place.  You order a drink, sit down, and pull out your laptop or other mobile device.  You don’t want to use your precious data from your wireless plan, so you think “No worries, they offer free wifi here.”  You connect to the free wifi and start browsing.  You check your email, your bank account and then online shop while you finish your drink.  A perfectly innocuous afternoon…or so you thought.  Little did you know that the person sitting across from you, seemingly having a day similar to yours, was capturing all of your online movements and information.  They were then able to check your email, access your bank account and shop online using your PayPal and Amazon accounts.

They were able to gather all of your information using a fairly simple program called a packet sniffer (or packet analyzer).  These programs are easy to install and use, but best of all, some of them are free, or so a hacker would say.  Because it is so simple, this exploit is used all of the time with free wifi.

When you go online using a wireless connection, you communicate via packets with the router.  Packets contain all of the information for the web page that you are using, including any text that you may type, such as your credit card information or passwords.  One web page can consist of multiple packets.  A packet sniffer can connect to the same wireless network and collect copies of these packets.  It then will put the packets together like you would piece together a puzzle.  Once the sniffer has put the pieces back together, the person implementing the sniffer has the information of everyone on the network for the entire time that they were there.

The reason that packet sniffers work with free wifi is because there is no encryption algorithm in place.  If the wireless router employs an encryption technique, the packets become encrypted, and thus, unreadable to the sniffer.  They can still collect your packets, but they can’t do anything with them.  It would be like someone having a puzzle where none of the pieces fit together.  With encryption, the router knows how to decrypt your packets, but no one else can.

If you are required to enter a password for the wireless network, that normally means that it is encrypted.  However, if the password is known to everyone, then the packet sniffer knows as well, and you are back where you started.  Therefore, you want to connect to a network that has a protected key.

Before connecting to a network, look to see the encryption type.  You want to make sure that it is WPA2.  Two types of networks that you want to stay away from are WPA and WEP.  These are easily hacked and thus, should never be used.  If you are on a WIndows machine, to see the encryption type, click on the wireless indicator and select your network.  The encryption type will be displayed under “Security Type”.

But wait, I still want to be able to use free wifi…is that even possible?

It is possible to save your data plan and still make use of the free wifi when you employ a virtual private network, or a VPN.  When you use a VPN, it encrypts the packets for you only, thus making your packet puzzle impossible for a packet sniffer to solve.  Using a VPN is easy, as you just sign up for a VPN account with one of the many VPN providers.  The cost is normally less than $50 per year.

You can use your VPN account with all of your devices.  Generally, tablets come with the functionality for a VPN connection built into the settings.  You will need to consult the VPN service that you signed up with for specifics.  If you want to use the VPN on a laptop or desktop, you will generally need to download an executable program from the VPN service and install it.  Then, every time you want to connect to a free wifi network, you will launch the VPN program first, sign in, and then feel free to safely browse the internet in obscurity.

I don’t want to sign up for a VPN and I don’t mind using my data.

If you don’t mind using your data in your phone plan, then connecting to your phone or tablet’s personal hotspot is the most secure option.  Simply turn on your hotspot and connect your device.  You may be using your data plan, but you can do so knowing that your data is safe.

Keeping Your Information Safe In the Digital Age – Part 2

With the onslaught of data breaches that happened in 2015 (about 65,000 according to the Verizon Data Breach Investigations Report), INF presents this multi-part blog series about keeping your data safe in the digital age.

Password Management Programs

As promised in Part 1 of this series, this blog entry will cover setting up and using a password management program.  There are many good password management programs available, such as LastPass, KeePass and 1Password, and the cost of the program varies anywhere from free to around $100.  If you are like most users, you need a password management program to:

  • Create unique, strong passwords for all accounts, new and old
  • Be an easily searchable repository for all passwords
  • Remind you when to change your password
  • Keep track of the security question answers that you created

Fortunately, there are multiple free programs that fit the above criteria.  KeePass does all of the above and more.  It is free and open source, which means that there is no chance of a security issue, because there are thousands of developers that have reviewed the code.  In this article, we will cover the installation, setup and a few highlights of this program.

How to Set Up KeePass 

To download the latest version of KeePass, go to: http://keepass.info/download.html.  We recommend downloading the most recent version of the “Professional Edition”.  The download link will take you to Sourceforge, which is where the download is stored.  Save the setup file and then run it.  Select your language and accept the agreement.  Most people allow the program to be installed on the C drive.  Install the program, keep “Launch KeePass” checked and click “Finish”.

KeePass will launch, as shown below:

Image1KeePassBlank

The first thing to be done is to create a new database file that will store all of your passwords.  Go to File > New.  This will bring up a dialog box, asking you the location to save your password file.  We recommend saving it in a cloud, such as Dropbox or Microsoft OneDrive.  This way, you will be able to access your database from any device that has access to your cloud account.  Take note, the file extension will be “.kdbx”.  Name your file, then click “Save”.

This will bring up the dialog box to create the master key:

Image2MasterPassword

The master key is simply the password that you need to open the database file.  This will be the only password that you need to remember from now on, so you need to make it secure.  See Part 1 of this blog series for tips on creating a secure password.  Enter your master password twice and click “OK”.

This brings up the next dialog box, which specifies the settings for the password database:

Image3DatabaseSettings

The default settings are adequate, so no need to change them.  Press “OK” and you are done with the setup.  KeePass will be opened to your new database.

Image4EntriesInKeePass

Creating a New Entry in KeePass

To create an entry in KeePass, click the “Add Entry” button (the yellow key) or press Ctrl + I.  The “Add New Entry” dialog box will appear:

Image5AddEntry

The title field should be a description of the username and password that you are going to enter, such as “Susan’s PNC Bank Account” or “Andrew’s Chase Visa Credit Card”.  The username field should be your username, which is normally an email address.  By default, KeePass provides a 20-character alphanumeric password.  To display this password, click on the button with three dots to the right of the password field.  If you would like to change the character set or length, click on the “Generate a Password” button (it looks like a key with an orange burst) and select “Open Password Generator”.

This will open the Password Generator window:

Image6PasswordGenerator

Select the character set checkboxes that you would like the password generator to use.  You can also change the length of the password.  Once you have the settings to your liking, select “OK”.  The password will now use the settings that you selected.

The other option is to enter your own password.  You can delete the one that is generated and enter your own.  Fill in the URL field with the web address of the sign-in page that corresponds to the username and password.  You may choose to put in an expiration date for the password as well as set a reminder alarm.  Finally, if you have any notes that go with this entry, such as a security question/answer combo, you can enter it in the “Notes” section.  Once the password entry is to your liking, select “OK”.  You will now see your entry in the main right-hand window pane.

Image7TestEntries

To edit the entry, double-click on the title and the “Edit Entry” dialog box will pop up:

Image8EditEntry

Make any necessary changes and press “OK”.  To save your database, click on the “Save” button, which looks like a blue disk.  You will want to create an entry for every password that you have.

To help you organize your passwords, KeePass provides categories on the left-hand side of the main window.  Simply drag and drop your entries into the categories that they belong to.  You can also add categories, if the existing ones do not fit your needs.

Image9LefthandWindow

Using your KeePass Database

Now that you have populated your database, the next step is using it!  To open your browser to the sign in page of an entry, double-click on the “URL” field in the right-hand window pane or highlight the entry that you want to use and press Ctrl+U.

Image10URL

Your browser window should automatically open to the sign-in page corresponding to that username and password.  If the page has both the username and password fields on it, put your cursor in the username field and then go back to KeePass.  Make sure that entry is highlighted and press Ctrl+V.  This will automatically fill in the username and password in the browser.

Alternatively, if you want to enter the username and password yourself or if they are on separate pages, you may do the following:

  • Double click on the “URL” field in KeePass to open a browser to the sign-in page
  • Go back to KeePass and double click on the “Username”
  • Go back to the browser, put your cursor in the “Username” field and press Ctrl+V to paste the username
  • Go back to KeePass and double click on the “Password” field
  • Go back to the browser, put your cursor in the “Password” field and press Ctrl+V to paste the password

Please keep in mind that KeePass only keeps the fields copied for 12 seconds, so you must do the steps above fairly quickly.

Part 3 of this series will cover accessing your password database on different devices.

Keeping Your Information Safe In the Digital Age – Part 1

With the onslaught of data breaches that have been in the news lately (think Target or Sony), INF presents this multi-part blog series about keeping your data safe in the digital age.

Passwords

Do you pick a password and then use that for all of your accounts or do you choose short passwords that are easy to remember?  Is your password “Password” or the name of your pet?  Do you keep a word document or piece of paper with all of your passwords written down?  If so, your digital information could be in trouble.  More than 60% of people use the same password on multiple accounts.  In the digital world, this means that if I can break into one account, then I can have access to all of your accounts.  This is why when a data breach happens with one retailer, fraudulent activity among other retailers goes up as well due to usernames and passwords being the same.

Most people choose their passwords from a finite set of words, phrases and numbers (or some variant of this), which makes guessing your password a trivial task for most hackers.  They use a “Dictionary Attack” on an account, which takes commonly used words from the dictionary and puts them together with numbers and other words to create a password to try.  Bear in mind, this is not a human being doing this, so multiple attempts to guess your password can be made by the second and whole attacks can last less than one minute.  Additionally, software that does this is commercially available and thus, is very easy to implement.  Once a hacker has cracked one of your accounts, they immediately target others.  In doing this, they will touch as many accounts as they can before you are alerted that anything is wrong.

How To Choose a Strong Password

In order to combat this and become a smarter user, you must create a strong, non-trivial password for each account that you have.

Choosing a strong password becomes simple once you learn the following four rules:

  1. Choose a password that is 13+ characters long
  2. Choose a password that does not contain any words in the dictionary
  3. Choose a password that has an uppercase letter, a lowercase letter, a symbol, and a number
  4. Choose a password that does not use all obvious substitutions of symbols/numbers for letters (i.e. 5 for “S” or @ for “a”)

One recommended way to create a password is to think of a phrase from a book or song that you like and turn it into a password.  As an example, if you are a fan of “Hitchhiker’s Guide to the Galaxy” by Douglas Adams, you may turn the phrase “So long and thanks for all the fish!” into the password “S81ng&Tks4@!!f!$h!”.  Notice that none of the actual words were used and not all of the substitutions were obvious, such as “8” for ‘o’.  A simple trick to remember is – the longer the password, the stronger the password.

You may be asking, “How in the world am I going to remember all of these passwords?  I must have over 90+ accounts online, like the average American!”  There is no need to remember all of the passwords that you create.  In fact, if you can remember one very strong password, you can access all of your others by using a password management program such as KeePass, 1Password or Dashlane.

Part 2 of this series will cover setting up and using a password management program.