6 Myths and Misunderstandings about Cyber Insurance (for Non-Profits)
Information Superhighway Robbery? It Pays to be Prepared.
The Internet may be the Wild West, but these days criminals don’t arrive on horseback and tell you to stick ’em up; it’s more likely that your vulnerable systems containing customer payment data or money will be their target. Why? Because for criminals, they’re easier to hit, the risk of detection is lower, and potential profits are much higher.
Thieves can grab your money or customer data and ride off into the sunset before anyone even knows anything’s happened. What’s worse, a data breach or cyber attack can potentially have ramifications that extend far beyond simple economic loss: loss of reputation, inability to continue operations, and identity theft.
As a non-profit, you may feel that your organization is not a target for cyber crime, but charitable institutions are no less exposed to these most modern of risks than any other type of organization. Here are some things to consider.
COMMON CYBER INSURANCE OBJECTIONS DEBUNKED:
- “Our website is not commercial.” Even if you’re not set up to take donations or collect membership dues online, you may still have exposures to risk. For example, many organizations do their own web design or have it done by volunteers. Images and music inadvertently used without permission can give rise to claims of copyright infringement. Because they are often unsupervised, discussions in chat rooms and on message boards can lead to controversy, which can result in claims for personal injury and defamation of character. Typical general liability policies available from commercial insurers do not cover these sorts of risks, so even if your organization already has a commercial policy, you may not be protected.
- “We don’t keep sensitive client data.” In fact, organizations often fail to recognize what data truly qualifies as sensitive (it’s broader than you think). Identity thieves are very interested in gaining access to client information such as phone numbers, email addresses, driver’s license information—in short, much of the same data that charitable organizations have on file.
- “We only store our data in paper files.” Obviously, paper files can still be stolen. While there is specialized coverage available out there, most commonly available insurance policies don’t automatically cover data loss or loss of important papers.
- “Our computers are only used for email.” Generally, what hackers are looking for when assessing a potential target is twofold: the vulnerability of the target and the potential payoff of a successful attack. Any point of entry into the organization’s computer system is a potential vulnerability, and one of the easiest points of entry is email. “Phishing” attacks attempt to gain access to secure systems by impersonating trusted third parties in email messages and tricking employees into divulging passwords or other sensitive data in their reply. Phishing attacks have a high rate of success because the target, the front-line employee, may not have had cybersecurity training, may not recognize a specific communication as a phishing attack, and, even when they do recognize it, may not know how to deal with the threat adequately in time. Municipalities are often targeted by these sorts of attacks.
- “We have no website or social media.” Even if your organization has no digital footprint, there are still vulnerabilities. An employee or volunteer might open a malicious email attachment, or visit an infected website accidentally. It’s not unusual for organizations to be hit with “ransomware” attacks which lock down affected computers. Thieves then demand a specific sum in exchange for unlocking them, or threaten to release damaging information if the money is not paid.
- “We’re too small. They wouldn’t be interested in us.” In fact, hackers tend to have an array of potential targets in mind, which they choose based on a number of factors—for example, the target’s level of preparedness, size, potential payoff, and geographic location. Large, well-known organizations may promise a bigger potential score, but as they also tend to train employees better and have more sophisticated systems in place to protect themselves, they pose a harder target. A hacker might want to add a string of low-risk, reliable scores from smaller organizations such as yours to diversify their “portfolio” (so to speak).
As we’ve attempted to show, all organizations which use digital technology or handle customer data can be vulnerable to cyber crime.
Our Hackinsure policy offers protection against emerging cyber threats, with a basic policy starting at $300 CAD.