By Stephen Hicks
Pennsylvania Lumbermens Mutual Insurance Company
When it comes to managing risks in the LBM industry, issues like workplace safety, fleet management, and safe driving tend to be the first things that come to mind for many people. Yet technology has become an essential part of running any business, bringing with it the threat of new risks. Now, business leaders are responsible for managing data privacy, ensuring network security and protecting against cyberattacks alongside more familiar duties like keeping inventory stocked and good employees on the floor.
Understanding cyber risks
LBM dealers and small businesses are not immune to cyberattacks. No matter the size or focus of a business, it stores confidential information on employees, customers and/or vendors. Every business has a responsibility to safeguard sensitive information, including employee social security numbers and customer credit card numbers.
As you likely know from the frequent news stories on data breaches and cyberattacks affecting large and well-known companies, even with safeguards in place, a company can fall victim to cyber theft. Such an attack can threaten a business’ future as it struggles with downtime, recovery costs and reputational damage. Small-to-medium-sized businesses tend to have a very high level of risk, often because they believe cyber criminals are going after larger businesses. As a result, they neglect to invest the necessary time and money in precautions that protect against cyberattacks, and criminals know this.
What many business owners don’t realize is that cyber thieves are not attacking businesses based on size or the products they offer; they are primarily looking for victims with weak protection that allows easy access to networks and servers. How do they do it? Surprisingly, hackers can find vulnerabilities by using publicly available software that allows them to scan for public servers or private databases that are not well protected. Again, this means they are not focusing on any one business or industry in particular; they are seeking easy targets.
Phishing emails are another way cyber criminals seek to target businesses. These emails are designed to trick employees into providing information, sending money or opening links that allow ransomware to be installed. We’ve seen several cases where phishing criminals copy the email formatting of a repeat customer. They then place an authentic-looking order for goods to a place where the criminal can pick them up with no intention of sending payment later.
Point-of-sale intrusions from outdated credit card terminals are also a concern, because hardware and software must be up-to-date to protect against any recently discovered security vulnerabilities. Today, many businesses in the wood industry also use other devices that are connected over the internet, such as smartphones, tablets and more. While these allow for easy remote management, they also increase the security risk if a business owner’s network is not properly protected from hackers.
Not only does a cyberattack mean a business owner’s data may be stolen or made visible to those outside the company, but it can also result in reputational damage. Customers and employees lose trust in the business’ ability to protect sensitive information or manage critical information technology infrastructure. Additionally, the time it takes to recover from a cyberattack can create significant downtime that interrupts business-as-usual. This is particularly likely if the business was not prepared for the eventuality of a cyberattack.
Because cyberattacks and data breaches have become a regular part of today’s business world, it has become increasingly important to proactively manage these risks. To do this, business owners can start by adopting best practices and implementing policies to protect data and digital assets. This includes disposing of sensitive data once it is no longer needed, monitoring payment terminals and not storing any sensitive information on the web. Business owners should also keep anti-virus software and servers updated and work with vendors who also take cybersecurity seriously.
It is important to create a plan in case a cyberattack does happen. If a business is attacked and management has no steps in place to recover from the incident, the downtime can wreak havoc on the business’ finances. Business leaders should:
· Categorize data by levels of confidentiality (e.g., public, private, confidential)
· Determine how to respond to a breach of each level of data
· Assess the cyber risks the company faces
· Create an incident response plan with steps to take immediately after an attack
· Decide how to ensure business continuity if data is leaked or stolen
Another important step in protecting a business from a cyberattack is to educate employees on cybersecurity. Just like they would for safe driving or workplace safety, business owners can go over their business’ policies and teach basic techniques for keeping data secure. For instance, teaching employees the tactics used by hackers, and how to use strong passwords and encryption, can go a long way to protect data. Remember that employee email accounts are one of the most vulnerable points of entry for a cyber thief, so keeping employees on the lookout for phishing messages is a great step in preventing an attack from occurring.
Finally, it is important to remember that even implementing effective cybersecurity policies and practices for a business will not remove human error, like the loss of a laptop. Plus, cyber criminals know how to adapt to security measures as technology continues to develop and change. Business owners should consider supplementing security practices with cyber liability insurance. This coverage can help a business respond to digital incidents like data breaches, intrusions, cyberattacks and damage to data or systems. Insurance should not be your first defense against cyber criminals, but it will help a business get back on its feet after an attack has happened.
A specialty insurer who knows the LBM industry, like Pennsylvania Lumbermens Mutual Insurance Company, can be a valuable resource in understanding your risks related to cybersecurity. For more information, ask your insurance agent or broker about PLM, find a PLM representative at http://www.plmins.com/ or call 1-800-752-1895. More details on loss control are also available on our website at http://www.plmins.com/loss-control/.