Cyber Risks and Liabilities - Fourth Quarter 2019

3 Risks Associated With Removable Media Devices

Portable hard drives, USB flash drives, memory cards and other types of removable media are vital for the quick storage and transportation of data. For many businesses, removable media can be used as backup storage for critical digital files or even free up additional storage space for work computers.

While removable media is easy to use and has many business applications, it isn’t without its share of risks. The following are some considerations to keep in mind when using removable media at your organization:

  • Data security—Because removable media devices are typically small and easy to transport, they can easily be lost or stolen. In fact, every time you allow an employee to use a USB flash drive or other small storage device, your organization’s critical or sensitive information could fall into the wrong hands. What’s more, encrypting a removable storage device protects the data on it from being read, but it does not help you recover the files once the USB flash drive or other device is lost.
  • Malware—Simply put, when employees use removable media devices, they can unknowingly spread malware between devices. This is because malicious software can easily be installed on USB flash drives and other storage devices. In addition, it just takes one infected device to infiltrate your company’s entire network.
  • Media failure—Despite its low cost and convenience, removable media is inherently risky. This is because many devices have short life spans and can fail without warning. As such, if a device fails and your organization doesn’t have the files backed up, you could lose key files and data.

Thankfully, there are ways to mitigate risks associated with removable media. To use these devices effectively while maintaining data security, consider doing the following:

  • Develop a policy for removable media use.
  • Install anti-virus software that scans removable media devices.
  • Ensure all removable media devices are encrypted. Passwords to these devices should never be shared.
  • Instruct employees to never use unapproved removable media in a computer.
  • Have employees keep personal and business data separate.
  • Establish a process for wiping all portable media devices when they are no longer needed.

Cloud Computing 101

There are many benefits to adopting cloud computing at your organization, such as reduced IT costs and increased scalability. However, it’s important to note that there are different cloud service and deployment models, each with their own benefits and risks. There is no single type of cloud computing that will work best for everyone, so it’s important to conduct research to determine the right fit for your organization.

Types of Cloud Computing Service Models

There are three distinct cloud computing service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

The SaaS distribution model provides you with an application that is managed by the service provider and accessible through the internet. As such, SaaS applications need not be installed or updated on individual computers.

The PaaS model allows organizations to safely develop, test and deploy applications without needing to manage the underlying infrastructure. This provides flexibility that allows deployments to scale quickly.

The IaaS model provides organizations with a specified amount of cloud storage space to do with whatever they want. This allows the greatest amount of flexibility, as the organization is responsible for accessing, monitoring and managing their data that is stored in the cloud. In this case, the service provider typically only manages hardware, storage and networking, though other services may be provided at additional costs.

Types of Cloud Deployment Models

Just like with service models, there are various ways that a cloud can be deployed. These include a public cloud, which is cost-effective and efficient but means that your data may be stored on the same server as others’. A private cloud, however, allows your organization greater control over infrastructure and computational resources by having them located on private networks.

Lastly, a hybrid cloud combines on-site infrastructure with a cloud environment. This allows organizations to utilize different types of service providers based on what is ideal for each business requirement.

Best Practices for Contracting With Managed Service Providers (MSPs)

While working with a managed service provider (MSP) can be efficient and cost-effective, it’s important to carefully consider the organization that you plan on working with and get a holistic view of its operations and security. Because an MSP has direct access to sensitive systems and information, working with one is not to be taken lightly. While doing so puts your IT infrastructure in the hands of experts, it also comes with its own risks. For example, MSPs may be a target for cyber criminals, as compromising one MSP potentially compromises every organization that it works with.

To help keep your organization’s digital information and resources secure, there are a number of best practices and security considerations to keep in mind when contracting with managed service providers:

  • Perform a detailed risk assessment and enforce associated mitigations before working with a managed service provider. Some considerations include:
    • How a cloud service (if used) is implemented and managed
    • Who has access to data and how it is secured
    • The intended purpose of engaging with the managed service provider
    • Potential challenges that may arise during incident detection and response, such as the managed service provider’s availability during off hours

  • Keep operating systems and software up to date.
  • Ensure that an MSP follows organizational security, privacy and legislative requirements.
  • Find out how closely the MSP adheres to an IT security management framework.
  • Use secure computers with multifactor authentication, strong passwords, minimal access privileges and encrypted network traffic to administer the cloud service.
  • Do not provide the MSP with account credentials or access to systems outside of their responsibility.
  • Use cryptographic controls to protect data in transit to and from the MSP.
  • Consider full data encryption for critical information while at rest and while maintaining control of encryption keys.
  • Employ full hard-drive encryption to ensure data at rest on storage media is not recoverable should the MSP replace or upgrade physical hard drives.

For more risk management strategies related to cyber exposures, contact Hierl Insurance Inc. today.


How to Save Your Business with Cyber Liability Insurance

In recent years, the risk of cyberattacks has become a common, high-level threat to organizations. This means that both time and money need to be invested in order to take precautionary measures and implement damage control before and after an attack happens. As a result, cyber liability insurance is now the recommended measure for risk management.

According to our expert, Cathleen C. Christenson, VP of Property & Casualty at Hierl Insurance, there are two main reasons why Cyber Liability Insurance is the best way to protect your company’s cyber assets: the all-in costs of a data breach and the protection of customers and employees. Since the world will never be free of cyber risks, the right thing to do is to protect your business with Cyber Liability Insurance.

Why Cyber Liability Insurance?

When cyberattacks occur, they often result in devastating damage to an organization’s important data. This results in business disruptions related to lost revenue, restorative actions and public relations. Not being able to accurately measure business costs of cyber risk means organizations are unable to make decisions about resource allocation, technology investments and threat prioritization. According to research published by Ponemon Institute, the cost of a data breach has increased to around $150 per document lost.

With the average breach involving around 25,000 files, the total can reach nearly $3.9 million. It is important to remember that no organization is immune to the impact of cybercrime. Insurance will help protect your organization’s information, facilitate timely recovery of business functions, and minimize loss of revenue, customers and data.

Coverage Options

If the worst should happen and your company suffers a data breach or similar attack, you should have a business continuity plan in place. Data is generally worth more than physical assets, and keeping your data safe from cyber risks requires constant attention to ensure an attack never happens. Hierl Insurance has the resources and know-how to help you identify potential risks and keep your business running smoothly in the event of an attack. Cyber liability insurance policies are tailored to meet your company’s specific needs. Benefits include data breach coverage, business interruption loss reimbursement, cyber extortion defense, and forensic and legal support.

Why Hierl?

At Hierl Insurance, we love what we do, and this includes a partnership with you in mind. We understand the demands of each client are unique, so we craft your options to fit your business perfectly, creating a different story for each client. We stand by waiting to greet you with a warm welcome to devise a blueprint to turn your company’s dreams into reality. Supplementing your insurance with cyber coverage can provide peace of mind that your organization’s financial and reputational well-being is protected.

To speak with Cathleen, contact her today at 920.921.5921 or by email at cchristensen@hierl.com.


4 FAQs about W-2 business email compromise attacks during tax season

Did you know: Tax season is the most popular time of the year for W-2 related cyber attacks. Phishing emails will often request employees to provide W-2s by return email. Continue reading this blog post for four FAQs about W-2 business email compromise attacks.


The most likely cyber attack a company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC), and the most popular time of the year for the W-2 version of BEC is right now — tax season.

A BEC attack involves attackers sending emails disguised as coming from high-level executives within a company, such as the CEO, to lower level personnel. During tax season, the spoof email will often request that W-2s for employees be provided by return email.

While the email looks identical to the executive’s email, it is coming from — and then returned to — the criminal, not the executive, along with the W-2s and the personal information associated with the documents.

If an employee falls for the scam, the company has now experienced a serious data breach and must comply with certain legal requirements. Worse yet, the sensitive personal information of the company’s employees has been handed to the attackers, and those employees now have this problem to deal with instead of performing their jobs. The disruption is substantial both in their personal lives and for the company’s operations.

How do attackers use W-2 information?

In most cases, once the attackers have that W-2 information, they use it to attempt to file fraudulent tax returns for those employees and have their tax refunds sent to them instead of the employee. They also use it for traditional identity theft.

The attackers act very quickly once the information is obtained. In some cases, they have begun to fraudulently use the information on the same day they obtained the W-2 information from the company. Time is truly of the essence in responding to these attacks and legal assistance is necessary for properly responding to these data breach events.

Why do so many attacks happen during tax season?

Law enforcement officers and cybersecurity professionals report a drastic increase in these types of attacks at the beginning of each year because of tax season. This is consistent with what has been seen in helping companies with these cases in past years as well. This type of attack is so common during tax season because of its tax-fraud component: the attackers monetize their attacks by using the fraudulently obtained information to file fraudulent tax returns and obtain refunds from innocent victims.

And the sooner they can do this, the better their chances are of getting the refund before the taxpayer files and receives their tax refund.

If a company has not yet been targeted, it likely will be very soon, so it is important to be prepared.

What can you do to protect your company?

Educating employees is critical because they will be the ones who receive the emails from the attackers.

  • Make them aware of this issue by sharing the information in this article with them so that they understand the threat, how it works and how it could affect them personally.
  • Train them by having appropriate personnel discuss this threat with them and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar wire transfer version of the BEC).

Have appropriate internal controls in place to protect against these types of attacks. These controls can include:

  • Limit who has access to your company’s W-2s and other sensitive information as well as who has the authority to submit or approve wire payments.
  • Have established procedures in place for sending W-2 information or other sensitive information as well as for submitting or approving wire payments so that dual approvals are required for these activities.
  • Require employees to use an alternative means of confirming the identity of the person making the request. If the request is by email, the employee should talk to the requestor in-person or call and speak to the requestor using a known telephone number to get verbal confirmation. If the request is by telephone or fax (many times they are), then use email to confirm by using an email address known to be correct to confirm with the purported requestor. Never reply to one of these emails or call using a telephone number that is provided in one of these emails, faxes, or telephone calls.

What to do if your company is hit by an attack

  • Immediately contact experienced legal counsel who understands how to guide a company through these incidents and, ideally, has appropriate contacts with law enforcement and the IRS to assist in reporting this incident quickly.
  • Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect the employees whose information was exposed in the W-2s.
  • Prepare appropriate notifications to the people whose information was exposed and comply with all legal and regulatory reporting requirements. This should be a part of an existing incident response plan. Companies should have such a procedure in place to be better prepared if and when a security breach occurs.
  • Inform employees that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter.

SOURCE: Tuma, S. (19 February 2019) "4 FAQs about W-2 business email compromise attacks during tax season" (Web Blog Post). Retrieved from https://www.benefitspro.com/2019/02/19/4-faqs-about-w-2-business-email-compromise-attacks-during-tax-season/


5 Ways to Spot a Phishing Email

Has your organization been affected by phishing attacks? One of the most common types of online threats are phishing emails. Read this blog post to learn five ways to spot a phishing email.


A phishing attack is a form of social engineering by which cybercriminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password or prompt you to open a malicious attachment that infects your computer with a virus or malware.

Phishing emails are one of the most common online threats, so it is important to be aware of the tell-tale signs and know what to do when you encounter them. Here are five ways to spot phishing attacks.

1. The email asks you to confirm personal information

Often an email will arrive in your inbox that looks very authentic. Whether this email matches the style used by your company or that of an external business such as a bank, hackers can go to painstaking lengths to ensure that it imitates the real thing. However, when this authentic-looking email makes requests that you wouldn’t normally expect, it’s often a strong giveaway that it’s not from a trusted source after all.

Keep an eye out for emails requesting you to confirm personal information that you would never usually provide, such as banking details or login credentials. Do not reply or click any links, and if you think there’s a possibility that the email is genuine, you should search online and contact the organization directly; do not use any communication method provided in the email.

2. The web and email addresses do not look genuine

It is often the case that a phishing email will come from an address that appears to be genuine. Criminals aim to trick recipients by including the name of a legitimate company within the structure of email and web addresses. If you only glance at these details they can look very real, but if you take a moment to actually examine the email address you may find that it’s a bogus variation intended to appear authentic, for example @mail.airbnb.work as opposed to @Airbnb.com.

Malicious links can also be concealed within the body of email text, often alongside genuine ones. Before clicking on links, hover over and inspect each one first.
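An added example (not from the original post or its author) that turns the two checks described above into a small script: it flags a sender domain that merely embeds a trusted brand name, as in the @mail.airbnb.work case, and a link whose visible text names a site that its href does not actually go to. The trusted-domain allowlist and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation actually trusts (example values;
# only the airbnb.com contrast comes from the article).
TRUSTED_DOMAINS = {"airbnb.com", "example-bank.com"}

# Constructed sample message modelled on the article's @mail.airbnb.work example.
SAMPLE_FROM = "Airbnb Support <no-reply@Mail.Airbnb.work>"
SAMPLE_BODY = (
    '<p>Please confirm your account at '
    '<a href="http://airbnb.com.login-verify.example/confirm">https://www.airbnb.com/verify</a>. '
    'Questions? See <a href="https://www.airbnb.com/help">our help centre</a>.</p>'
)

# A hostname appearing in visible link text, with or without a scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
# href and inner text of each <a> tag (simple HTML, as in a typical mail body).
_ANCHOR = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)


def sender_domain(from_header: str) -> str:
    """Lowercased domain of a From header such as 'Name <user@Host.example>'."""
    m = re.search(r"<([^<>]+)>", from_header)
    addr = m.group(1) if m else from_header
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].strip().lower()


def is_trusted_domain(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True for a trusted domain or a genuine subdomain of it (mail.airbnb.com),
    never for look-alikes such as mail.airbnb.work or airbnb.com.evil.test."""
    domain = domain.lower()
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def brand_lookalike(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain whose brand name is embedded in an untrusted
    domain (the article's mail.airbnb.work case), or None if nothing matches."""
    domain = domain.lower()
    if is_trusted_domain(domain, trusted):
        return None
    for t in trusted:
        brand = t.split(".")[0]  # 'airbnb' from 'airbnb.com'
        if brand in domain:
            return t
    return None


def _same_site(a: str, b: str) -> bool:
    """Equal hosts, or one a subdomain of the other (www.airbnb.com vs airbnb.com)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def link_mismatches(html: str):
    """The 'hover over each link' check: list (text_host, href_host) for every
    anchor whose visible text names a host that the href does not go to."""
    findings = []
    for href, text in _ANCHOR.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        m = _HOST_IN_TEXT.search(text)
        if not m or not href_host:
            continue  # plain-word link text ('our help centre') cannot mismatch
        text_host = m.group(1).lower()
        if not _same_site(text_host, href_host):
            findings.append((text_host, href_host))
    return findings


def check_email(from_header: str, html_body: str, trusted=TRUSTED_DOMAINS):
    """Run both checks; an empty list means nothing was flagged."""
    findings = []
    domain = sender_domain(from_header)
    imitated = brand_lookalike(domain, trusted)
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated} but is not it")
    for text_host, href_host in link_mismatches(html_body):
        findings.append(f"link shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_FROM, SAMPLE_BODY):
        print("FLAG:", finding)
```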

3. It’s poorly written

It is amazing how often you can spot a phishing email simply by the poor language used in the body of the message. Read the email and check for spelling and grammatical mistakes, as well as strange turns of phrase. Emails from legitimate companies will have been constructed by professional writers and exhaustively checked for spelling, grammar and legal issues. If you have received an unexpected email from a company and it is riddled with mistakes, this can be a strong indicator that it is actually a phish.

Interestingly, there is even the suggestion that scam emails are deliberately poorly written to ensure that they only trick the most gullible targets.

4. There’s a suspicious attachment

Alarm bells should be ringing if you receive an email from a company out of the blue that contains an attachment, especially if it relates to something unexpected. The attachment could contain a malicious URL or trojan, leading to the installation of a virus or malware on your PC or network. Even if you think an attachment is genuine, it’s good practice to always scan it first using antivirus software.

5. The message is designed to make you panic

It is common for phishing emails to instill panic in the recipient. The email may claim that your account may have been compromised and the only way to verify it is to enter your login details. Alternatively, the email might state that your account will be closed if you do not act immediately. Ensure that you take the time to really think about whether an email is asking something reasonable of you. If you’re unsure, contact the company through other methods.

Ultimately, being cautious with emails can’t hurt. Always remember this top STOP. THINK. CONNECT.™ tip:

When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.

SOURCE: James, M. (22 August 2018) "5 Ways to Spot a Phishing Email" (Web Blog Post). Retrieved from https://staysafeonline.org/blog/5-ways-spot-phishing-emails/


What's in a Password?

Most websites and services encrypt passwords before storing them on their servers. As a result, even if hackers were to gain access to the password, they wouldn’t have access to the actual text that makes up your password.

Once criminals gain access to an encrypted password, they can use sophisticated programs to quickly guess every combination of letters, numbers and symbols until your password is cracked. As a result, longer passwords and those that contain a large variety of characters will be very difficult for programs to guess.

However, just because effective passwords should be complex, doesn’t mean that they should be difficult to remember.

The next time you need to think of a unique password, try using a favorite song lyric or quote. This will make a password that’s long and difficult for hackers to crack, and has the added benefit of being very memorable.

Turning a simple phrase like “your guess is as good as mine” into “yourguessisasgoodasmine” actually makes for a strong, and in this case ironic, password! However, be sure to add a capital letter or special character as well to make your password that much stronger.

A Balancing Act Between Memorable and Complex

Thinking of a new password can be frustrating—every service and website seems to have different requirements about length, complexity and special characters. In order to secure yourself against hackers, it’s important to think of a password that’s both memorable and complex.

Helpful Hints

Your password will only remain secure if you take steps to protect it. Be sure to never write your password down and leave it where someone can see it. Instead, consider using a password management tool. These online services will store all of your login IDs and passwords for you, but you should do some research and make sure that the service you use is reputable.

Provided by: Hierl's Property & Casualty Experts


Cyber Risks & Liabilities: September/October 2018

In this Issue

Who’s to Blame if a Security Breach Affects Your Organization?

A recent survey found that 70 percent of consumers expect businesses to take responsibility in the event of a data breach. But who within your organization should take the heat?

Acronyms All Businesses Need to Know

As cyber security evolves, it’s easy to become overwhelmed with all the terms and acronyms used. This article lists some of the most common acronyms in cyber security.

Increase in Attacks Against 911 Call Centers Highlight Need for New System

There have been 184 cyber attacks on public safety agencies and local governments since 2016, and 42 of those attacks targeted 911 call centers.

Who’s to Blame if a Security Breach Affects Your Organization?

If a security breach affects your organization, your main focus may be to solve the problem as quickly as you can, not point the finger in blame. But your customers want to know why it happened and who was responsible, even if the breach occurred because of their own lax security measures (e.g., sharing passwords or opening suspicious emails). In fact, a recent survey found that 70 percent of consumers expect businesses to take responsibility in the event of a data breach. But who within your organization should take the heat?

The CEO

If an organization doesn’t budget enough for security solutions, the fault will likely be placed on whoever makes the financial decisions, stemming from the CEO. In fact, 29 percent of IT decision-makers who took part in a recent VMware survey thought that the CEO should be held responsible in the event of a large-scale data breach.

The CISO

If a data breach occurs even after your company adequately budgets for cyber security solutions, 21 percent of IT security professionals surveyed would still hold your CISO accountable in the event of a data breach.

IT Personnel

According to a 2014 report, 95 percent of cyber security incidents are due to human error. That’s why personnel who manage IT security on a regular basis are easy targets for blame.

Other Employees

While accountability may start with the CEO and board of directors, everyone in your organization should take responsibility for cyber security. Even if you have the most modern cyber security technology, its return on investment will be nonexistent without full employee participation.

Increase in Attacks Against 911 Call Centers Highlight Need for New System

There have been 184 cyber attacks on public safety agencies and local governments since 2016, and 42 of those attacks targeted 911 call centers, according to cyber security firm SecuLore Solutions.

Over half of the attacks involved ransomware, in which hackers used a virus to control the emergency systems and hold them hostage for payment. Most of the remaining attacks were denial-of-service attacks, which involved a flood of fake calls that prevented call centers from addressing valid emergency calls.

Due to the vulnerabilities in the current 911 system and the fact that it doesn’t address the ways people communicate in the modern world—such as through texts—the emergency response industry is encouraging state and local governments to adopt a system called Next Generation 911.

The Next Generation 911 system will have advanced security and be able to seamlessly move incoming calls to other centers when needed. The new system also gives callers the choice of calling from a phone line or sending data through approved telecommunications carriers and internet service providers.

Next Generation 911 is expensive, however, and governments have been slow to adopt it. Plus, its increased connectivity also opens new potential means of attack, according to industry experts. Sophisticated defense systems run by in-house cyber security teams will be vital as the emergency response industry adopts any new technology.

Acronyms All Businesses Need to Know

Newsletter Provided by: Hierl's Property & Casualty Experts


Meeting cybersecurity risks head-on: A guide to breach preparedness

How would you manage a data breach? No company is immune to cyberattacks and data breaches. Read on to learn how you can prepare your business.


Gauging a company’s true data breach risk from the outside is a difficult endeavor for insurers, with challenges both technical and informational. But even less attention has been paid to how companies would manage a breach if it happened, which has an enormous impact on the toll of the final damage.


No organization is immune to breach. If the National Security Agency can lose data, anyone can lose data, yet the scope of the current issue is still astounding.

According to another insurance company's 2017 cyber readiness report, 72% of large U.S. businesses — nearly three out of four — and 68% of small- and mid-sized businesses — about seven in ten — reported cyber incidents in the previous year. Among these, close to half (47%) experienced two or more cyber incidents during that same time.

The largest breaches, affecting big-name companies like Equifax, Target, Home Depot and many others, drew substantial headlines because of the huge number of identities involved. But almost every business holds some sensitive information, either regarding its customers or its own intellectual property, finances or employees. In fact, smaller organizations often lack the internal resources to dedicate towards preparedness, making them very attractive targets for hackers.

Assessing the threats to your business

The first challenge with measuring a company’s risk exposure relates to the industrywide problem of tying compliance and policy to actual security. A company may have checked all the right boxes on paper, but doing so guarantees little about their actual cyber risk position.

The second issue is that people often matter much more than technology.

The public conversation focuses on high-profile hacking events, but data breaches are even more likely to be the result of internal issues, including breakdowns in training, procedure or plain old mistakes.

The overwhelming majority of all cyber attacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers or provide a gateway via a malware link embedded in some form of communication.

One of the most important components of an effective data breach readiness program is mandatory and frequent training to remind employees about the importance of security awareness.


Education in information security best practices can help arm a team against threats such as phishing, man-in-the-middle attacks, malware and ransomware, substantially lowering the long-term risk.

An accurate understanding of a company’s sector-specific risks is another important point of departure in corporate cybersecurity. Healthcare employees, for instance, need to be especially on guard for EHR-related attacks and RDP server breaches, like the ones instigated by the SamSam virus (which took down Allscripts last month).

Other industries are more vulnerable to loopholes in common business apps; still others are more frequently victims of point-of-sale malware or email phishing scams. Once businesses understand where and how they are most likely to be targeted, they can begin providing training that takes into account the need for added vigilance in these specific areas.

The final challenge in correctly identifying breach risk involves understanding the extent to which recovery costs can vary. Discrepancies in cost depend not only on the severity of the breach, but also on how well the organization responds. Globally, the average cost to recover from a security breach is $158 per impacted individual, but that varies from $60 to $400 per person.

While more companies than ever are now either considering or have taken out some form of cyber insurance, insurance should not be treated as a way to offload the risk entirely. Smart organizations are increasingly focusing on proactively identifying data breaches and preparing to react to them efficiently, well before a data breach crisis occurs.

Proper preparation means more education

The most devastating impacts of a data breach can only be avoided by coupling breach awareness and prevention efforts with readiness and response planning ahead of a cybersecurity incident.

Comprehensive breach readiness plans break down both pre-emptive and retrospective action steps by department: it’s sensible, for example, to task IT personnel with monitoring cloud connectivity and identifying network loopholes while entrusting financial staff with detecting suspicious activity along company bank and credit accounts.

Customer relations experts and account managers, on the other hand, are likely the best resources for overseeing client communications during and after a data breach, helping to re-establish trust and informing their consumer-facing workforce.

Here, inter-departmental communication is paramount: all workers should understand how and to whom they are to report possible breaches or scams, and when such breaches occur, the entire company should know what to expect employees in every department to do next.

Even for the most cyber-savvy corporations, however, internal resources alone are not enough these days. Outside resources are often critical to mitigating the threat of cyber attacks, stopping them once they start and restoring company functions in a breach’s aftermath.

Establishing relationships and negotiating agreements with external subject matter experts is better done far in advance of an actual data breach. Contractual terms can be negotiated without the chaos and urgency of a crisis situation. The same is true for interfacing with law enforcement and regulatory agencies.

Knowing whom to contact and having an established communication chain can pay off when trying to execute an urgent data breach response.


Both internally and externally, the human element of cybersecurity remains a business’s best defense across an ever-widening threat landscape. With the right planning and a rapid response team, companies should be able to withstand a breach with the least damage possible, limiting losses – and claims.

SOURCE: Thompson, J. (2 March 2018) "Meeting cybersecurity risks head-on: A guide to breach preparedness" (Web Blog Post). Retrieved from https://www.propertycasualty360.com/2018/03/02/meeting-cybersecurity-risks-head-on-a-guide-to-bre/