Emerging Risks for Technology Small Businesses

Author: Austin McDaniel
Emerging Risks for Technology Small Businesses How communicators, electronics manufacturers, media professionals, and software and IT specialists can position themselves as industry leaders in the Digital Age.

www.cna.com

SMALL BUSINESS

Table of contents
• Introduction
• Cybersecurity: What Does It Really Mean?
• Risk Management: How Can You Best Secure Your Data?
• Tech Reps on the Move
• Trends to Take Seriously
• Success Stories
• Four Key Takeaways

INTRODUCTION Whether you’re a communicator, electronics manufacturer, media professional, or software/IT specialist, you’re working in an industry where threats and innovations alike can change within a matter of months. Success depends on staying ahead of the digital risks as well as industry trends. This white paper serves to assist you in recognizing your areas of vulnerability, helping protect your and your clients’ data and expanding your knowledge of emerging trends.


Cybersecurity: What Does It Really Mean? You’ve likely heard of the importance of “protecting your data.” But what does that exactly entail? How do you go about it? What data should be protected? And furthermore, if your business is unable to protect its own data, how can your customers be expected to trust you with theirs? When you’re a technology company, your reputation relies on your ability to not only keep your systems safe, but to provide that same capability to your clients. In the building blocks of best practices for tech companies, cybersecurity is your foundation.

SECURING CLIENT AND CUSTOMER DATA – IT’S THE LAW State privacy laws are setting a higher minimum standard for businesses that have custody of confidential client information. Now is the time to ensure that your customer data is protected, because the legal consequences of non-compliance are only going to become more painful. This section provides an overview of evolving privacy laws and the costs to protect confidential client data.

Understanding the New Wave of Privacy Laws
Until recently, privacy laws came in two types. First, there were breach notification laws at the state level, which set out requirements for notifying clients and mitigating damages when personal private information is disclosed. Second, there were federal “duty to safeguard” laws that generally applied only to certain industries. Now a new wave of laws is raising the stakes. Several states, including Massachusetts¹, Nevada² and Texas³, now require businesses to proactively employ certain minimum safeguards. What’s more, the rapid spread of breach notification laws – now on the books in 45 states – suggests that other states will soon adopt the higher standards. While the federal “duty to safeguard” laws apply to specific industries, these new laws apply broadly: any business that has custody of any individual’s personal private information is subject to them. What comprises personal private information? Generally, an individual’s name in conjunction with a social security number, driver’s license number, state-issued ID number, financial account number, credit or debit card number, or personal ID or password (for example, one used to access a network containing sensitive information). Don’t forget: along with client information, businesses are required to protect the personal private information of employees.

Paying for Protection
Generally speaking, safeguarding client data doesn’t have to be expensive. Advice on establishing data security policies and procedures is widely available, and there are many free tools and services for protecting confidential information. For small businesses using one or more standalone personal computers, off-the-shelf software provides firewalls, anti-virus, spam/spyware protection and encryption. Encryption is the process of making data unreadable on a device except to those who possess the key needed to decode it. Many of the state breach notification laws do not mandate notification of affected parties if the lost or stolen device and its data were encrypted, typically on the condition that the encryption key was not also compromised. The cost per computer to install and maintain this software is typically a few hundred dollars. The cost of installing and maintaining this protection across a small computer network is declining rapidly. Unified threat management (UTM) appliances, for instance, are firewall routers designed to provide these protections across a small network, typically at a cost of $1,000 or less.

¹ 201 CMR 17.00; Massachusetts General Laws Ch. 93H
² NRS 597.970
³ Texas Business and Commerce Code Sec. 48.102


IDENTIFYING YOUR RISKS The complexity of information systems in today’s business world – even for small businesses – can be just as daunting as the risks to the data handled by these systems. However, common causes of loss are being identified, making it easier to take preventive control measures. This section will review the broad categories of information risk as well as the leading causes of breaches.

Classifying “Information Risk”
Information risk includes threats to IT systems, the intangible property handled by them and the consequences of failure of these systems. These risks include first-party losses that would be sustained by an organization and third-party losses related to liability to others. Some examples of these risks include:

FIRST-PARTY RISKS
• Loss of data
• Loss of business income
• Denial of service
• Virus/hacker/sabotage
• Theft of system resources
• Extortion

THIRD-PARTY RISKS
• Theft/disclosure of or damage to someone else’s data
• Privacy injury liability
• Network security liability
• Content liability
• Spread of viruses or malicious code to someone else’s system

In general, these events may compromise the confidentiality, integrity or availability of electronic data, or otherwise cause a loss of system resources. The same events may create liability to others, such as clients, in regard to data that is stored, handled or processed by an organization. According to data available from the Privacy Rights Clearinghouse, physical theft, system hacks and accidental release are the leading causes of breaches of sensitive or non-public information.

Physical Theft and Lost Media
Physical theft of desktop PCs, laptops, tapes, disks, USB drives, or other devices and media creates significant risk to the information stored on them. In fact, physical theft is the most frequent cause of privacy breaches and ranks second in the number of records exposed. The expanding use of portable devices and rapid increases in storage capacity warrant significant attention to how these devices and the data they contain are secured. For example, if the laptops used by a company’s employees are poorly tracked and laptop No. 3 goes missing, it is extremely difficult to pinpoint who last had access to it or where it might be. Additionally, all data should be consistently backed up to a separate device or an off-site location, and all devices should be encrypted. Encryption mitigates most of the liability when a device is lost.


Hacking
Unauthorized access to networks by hackers represents nearly half of all records breached. Hacking ranks second in frequency of occurrence, just behind physical theft. In addition to theft of information that creates privacy concerns, once unauthorized access to a system is gained, a hacker can perform a variety of malicious activities. These may include theft of your intellectual property, destruction of data, sabotage and theft of system resources.

Accidental Release
Accidental release of confidential information occurs in a variety of ways: via the Internet, a website, an employee’s email, or even misplacing information into postal mail or mailing it to the wrong recipient. Other releases are related to discarding equipment or media that was not properly sanitized to remove all traces of non-public information. Loose editorial and content controls can allow these types of breaches to occur and can also create other types of liability related to content published electronically, including claims of libel, slander and intellectual property rights infringement. Additionally, while some releases involve rogue employees who gained unauthorized access to private information, many involve employees simply misusing authorized access privileges. Social engineering techniques, for instance, manipulate employees into performing acts that facilitate a breach or into divulging confidential information.

Knowing the risks you face will make it easier to develop your risk management strategy. The unfortunate fact is that not all breaches can be blocked. However, there are many ways you can lessen your risk of getting hacked.


Risk Management: How Can You Best Secure Your Data? While general tips and practices can help safeguard your data, knowing exactly what you’re up against and how to address those specific types of attacks will take you and your clients to the next level of protection. This section addresses different types of cyberattacks and what you can do to fight them off.

BEWARE OF MALWARE The greatest strength of the Internet is also its greatest weakness. Sitting at a keyboard, you can reach out to the world and bring many valuable resources onto your computer. But unless you are very careful, you can also unwittingly allow many types of malicious software, generically known as malware, to tag along for the ride. In this section, we'll take a look at the various types of malware, the warning signs that you have it and ways of avoiding it.

What is Malware? Sometimes it is difficult to classify malware, and different kinds overlap, but there are five main types:

1 Viruses
A virus in your body survives by inserting itself into your body’s cells and using those cells to multiply. A computer virus inserts itself into a program on your computer and uses that program’s resources to reproduce and spread itself.

2 Worms
Worms got their name from their ability to “crawl” through networks. They reproduce themselves without embedding themselves in other programs, and they use your network connection to look for vulnerable machines to infect. In 1988, the Morris Worm became so widespread that it managed to slow the entire Internet to a crawl.

3 Trojans
Trojans take their name from the Trojan Horse of legend. On the outside, they are useful programs or data files. Inside them, however, are digital soldiers ready to attack your computer. Free downloads, for example, have been known to contain Trojans.

4 Spyware
Spyware is a special kind of malware. Its main function is to track what you are doing on your computer, on or off the Web, and send that information to a third party without your knowledge. In some cases, this data harvesting is purely for marketing purposes. In other cases, the intent is more sinister. To be safe and secure, you will have to install, enable and update an anti-spyware program. But be careful and do the necessary research to make sure you are getting a reputable product. Some anti-spyware programs advertised in Web banners and pop-ups are, themselves, spyware.

5 Ransomware
Ransomware encrypts or otherwise locks victims out of their files, then demands payment to restore access. The ransom is usually demanded in Bitcoin or a similar digital currency, which is difficult (though not impossible) to trace. The attacker typically sets a deadline of three to four days, after which they claim the decryption key will be destroyed and the files lost for good. Paying offers no guarantee of recovery; a tested backup kept out of reach of the infected machine is the dependable defense.


How Do You Know You Have Malware?
Sometimes you can intuit the presence of malware when your computer starts running very slowly. Unfortunately, a computer can run slowly for any number of reasons. Malware may only reveal itself when it is too late to do anything about it. On a date predetermined by the author, you may see a message on your screen telling you that your computer has been infected. That could be the best-case scenario. If the person who wrote the malware is more interested in being destructive than merely obnoxious, you may find, for instance, that sensitive data such as confidential documents is gone. As there is no certain way to tell that you have malware before it is too late, the best course of action is active prevention.

How Do You Prevent Malware?
For your part, don’t open suspicious emails. Don’t reply to them, even to unsubscribe, and don’t click on any links or attachments within them. Most importantly, do not install or download any software from the Web before confirming that you are dealing with a trusted source. Do this by checking the organization’s official contact number or email address against one you obtained independently, not from the message itself (for example, name@company.com rather than a look-alike such as name@company!%.com), or by hovering over the download link to see where it would actually take you.

If you or any of your employees work from home or on a personal device, follow the steps described above in addition to the more extensive measures listed below:
• Invest in a firewall and anti-virus program, keep them running at all times, and enable automatic updates.
• Install security patches as soon as they become available. Again, enable automatic updates.
• Back up files regularly and keep at least one copy offline or at a separate location, so that the backup cannot be reached by malware running on the machine it protects.
• Train employees on safeguarding against the different types of malware.

Malware is the payload. The sections that follow cover the ways it is delivered into your systems, and the attacks that disrupt them directly.


DON’T BE FOOLED BY SOCIAL ENGINEERING
Social engineering attacks are among the most difficult to protect against, because a single mistake can expose an entire enterprise to a breach. As cited in the Verizon Data Breach Investigations Report of 2015, single-credential losses are far more prevalent than high-volume credential breaches, because credentials are stolen – one at a time – by social engineering.⁴ And work-related credentials aren’t the only targets; personal credentials fall victim to social engineering attacks as well. In October 2015, social engineering was the reason the director of the CIA, John Brennan, lost access to his personal email account, which contained many government-related documents. More recently, the director of National Intelligence, James Clapper, lost access to some of his accounts, and hackers even redirected his phone calls. These are high-ranking officials. If it can happen to them, what can you do to safeguard your business and your clients? Most commonly, social engineering comes in the form of phishing. If you haven’t already, one day you will likely receive an email – at work or at home – that you think is from your bank or another familiar entity, but is actually a phishing email from someone trying to get at your information. The message says something along the lines of “Your account has been frozen due to suspicious activity,” and instructs you to “click the link below” and provide your personal information to clear up the issue. The site you click through to looks convincingly like your bank’s website, but beware: entering your personal information there can lead to identity theft and credit fraud. Although phishing is commonly done through email, that is not the only method of attack. A skilled con artist can call random numbers within a company and collect a valuable trove of network passwords and other information. Phishing doesn’t always involve stealing your private information, either. An email offering a free screensaver may actually provide you with a free screensaver. What you don’t know is that installing it will also install malware that can track your Web surfing, steal your passwords and credit card numbers, or even turn your machine into a “zombie” that sends more phishing emails to other unsuspecting victims.

The good news is that you can avoid most social engineering attempts by being cautious and remembering some simple do’s and don’ts:

Don’t
• Give out your personal information simply because someone, no matter how convincing, asks for it. There may be a time when your bank or credit card company needs information from you, but never respond to an email or phone call asking for it. Tell them you will call them back, and then use a published, credible phone number to reach them.
• Click on links in an email if you have any doubt about the sender. Sometimes just opening a Web page from a link sent in an email can infect your computer.
• Respond to an email, even to question the sender’s credibility, if you have any doubt about the sender. Doing so confirms to the sender that they have reached a live and active email account.
• Open an email attachment if you have any doubt about the sender. File attachments are the easiest way to infect a computer.
• Give out a password, ever. IT personnel never call and ask for a password. Anyone who does is either a scam artist or not acquainted with company policy.

Do • Install security software on all devices – mobile and desktop. Keep it active and update it regularly. Make sure you have reputable anti-virus and anti-spyware programs installed and activate the auto-update feature. • Report the email as phishing to your IT department.

When a suspicious email arrives or a suspicious call comes through, take a moment to think about its origin before acting on it. A little vigilance can prevent a big headache.
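Both the “hover over the link to see where it really goes” advice in the malware section and the phishing do’s and don’ts above can be turned into a check that runs before anyone clicks. The script below is an added example, not code from this white paper: it pulls the links out of an HTML email, compares the address a link displays with the host it actually points to, and checks that host against a list of domains the business genuinely uses, flagging look-alike names (a digit 1 standing in for the letter l), a trusted name buried as a subdomain of a stranger’s domain, and internationalised (punycode) host names. The trusted-domain list, the sample email and every address in it are constructed for illustration.

```python
"""Programmatic version of "hover over the link and check where it really goes".

Added example, not code from the CNA white paper. TRUSTED_DOMAINS, SAMPLE_EMAIL
and every address in it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical company and its bank genuinely use (assumption).
TRUSTED_DOMAINS = {"company.com", "examplebank.com"}

# Digits attackers substitute for letters when registering look-alike names.
_CONFUSABLE = str.maketrans("0135", "oles")

# A host name shown in link text, e.g. "https://www.examplebank.com/verify".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com-style names; a production
    tool would use the Public Suffix List so co.uk-style suffixes work too."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _normalise(domain: str) -> str:
    """Collapse common look-alike tricks: examp1e-bank.com -> examplebank.com."""
    d = domain.lower().translate(_CONFUSABLE).replace("-", "")
    return d.replace("rn", "m").replace("vv", "w")


def domain_findings(host: str) -> list:
    """Reasons to distrust a host name. An empty list means it is a trusted domain."""
    host = host.lower().strip(".")
    dom = registrable_domain(host)
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) host name")
    if dom in TRUSTED_DOMAINS:
        return reasons
    imitates_trusted = False
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in f".{host}.":          # examplebank.com.evil.net
            reasons.append(f"'{trusted}' used as a subdomain of {dom}")
            imitates_trusted = True
        elif _normalise(dom) == _normalise(trusted):  # examp1ebank.com
            reasons.append(f"'{dom}' is a look-alike of '{trusted}'")
            imitates_trusted = True
    if not imitates_trusted:
        reasons.append(f"untrusted domain {dom}")
    return reasons


def sender_findings(address: str) -> list:
    """Apply the same checks to the domain of a From: address (name@company.com)."""
    return domain_findings(address.rsplit("@", 1)[-1])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_links(html_body: str) -> list:
    """Return [(href, reasons)] for every link; reasons == [] means it checks out."""
    collector = _LinkCollector()
    collector.feed(html_body)
    results = []
    for href, text in collector.links:
        host = urlparse(href if "://" in href else "http://" + href).hostname or ""
        reasons = domain_findings(host) if host else ["link has no host"]
        # The classic trick: the text shows one address, the href goes elsewhere.
        shown = _HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {registrable_domain(shown.group(1))}, "
                           f"link goes to {registrable_domain(host)}")
        results.append((href, reasons))
    return results


# Constructed phishing e-mail in the style described above (not a real message).
SAMPLE_EMAIL = """
<p>Your account has been frozen due to suspicious activity.</p>
<p><a href="http://examplebank.com.secure-login.net/verify">https://www.examplebank.com/verify</a></p>
<p><a href="https://examp1ebank.com/login">Log in now</a></p>
<p><a href="https://xn--exmplebank-vcb.com/">examplebank.com</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Run stand-alone, the script flags the first three links of the constructed email and passes the fourth. The domain_findings() check applies unchanged to a From: address, which is what the name@company.com comparison in the malware section is getting at. The eTLD+1 logic is deliberately crude (last two labels); a production tool would consult the Public Suffix List so that names under suffixes like co.uk are handled correctly.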

⁴ 2015 Data Breach Investigations Report. Verizon.


WATCH OUT FOR DDoS ATTACKS
According to security research organizations, Distributed Denial of Service (DDoS) attacks are more frequent today than they have ever been, reaching thousands a day. In the final quarter of 2015, DDoS attacks globally rose by 85 percent compared to 2014, and up to one-third of all downtime incidents are attributed to DDoS attacks. Not only are they becoming more prevalent, they are getting more dangerous: they have grown in magnitude and are increasingly combined with extortion schemes. A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. It succeeds by flooding your bandwidth or server resources so that customers cannot reach your website, Web services or Web applications. DDoS is becoming a preferred attack for hackers because it requires less effort than writing advanced malware or conducting long-term network penetration campaigns. The attacker profile is also expanding rapidly, as nation-states, criminal organizations and hacker activist groups (hacktivists) use DDoS attacks against selected targets. While DDoS attacks were initially the work of amateurs and were viewed as an operational or business continuity issue, an increasing number of criminal organizations now launch them as a smokescreen for a more serious intrusion or for ransom. There have been increasing incidents where an organization receives an email that says something like this:

“We are [Criminal Group]. All your servers will be DDoS-ed starting Friday if you don’t pay XX Bitcoins @Bitcoinaddress. When we say all – and we mean all – users and customers will not be able to access your sites at all. Right now we will start 30 minutes of attack on your site’s IP [IP address]. It will not be hard; we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It’s just to prove that this is not a hoax. Check your logs!”

This extortion email (sometimes loosely called a ransomware email, although no malware is involved) is followed by a small-scale DDoS attack lasting 30 to 60 minutes. After 24 hours, if the ransom is not paid, the attacks escalate and can last many hours or days. When it comes to defending against DDoS attacks, there are common tactics that make your network less vulnerable to disruption:
• Work with your ISP or Internet hosting provider to investigate a managed DDoS service provider, so that traffic filtering/packet scrubbing, IP blocking and additional bandwidth are ready to mitigate any disruption. A volumetric flood has to be absorbed upstream; no appliance on your own link can filter traffic that has already saturated that link.
• Divide your network into discrete segments and separate public and internal systems from each other, each protected by its own firewall, so that internal services keep running even during a full-blown attack on the public systems.
• Manage load balancing and bandwidth. These are most often used to handle legitimate traffic volumes during busy periods, but they can also be a powerful weapon against DDoS attacks.
• Use next-generation firewalls with geographic IP (GeoIP) blocking to quickly identify unnatural traffic patterns that could signal the start of a DDoS attack. For example, if an organization that has no trading relationships in North Korea suddenly receives volumes of traffic originating from that country, it is likely to be malicious, and addresses from that and similar countries can be blocked, using the GeoIP capability as a “border control.” Treat this as a coarse control: a botnet of compromised machines in the countries you do serve, or spoofed source addresses in a volumetric flood, will pass straight through it, and blocking legitimate customers who happen to be travelling is a real cost.

While this white paper has so far sectioned off different types and methods of cyberattack, it is important to understand that they do not necessarily work independently. A phishing email can deliver malware. A ransom demand can be backed by a DDoS attack. That is why it is important to implement all of the risk control techniques described in these sections. And while these techniques make up a huge part of your wall of cybersecurity, we would like to examine one last safeguard that should be taken seriously: the strength of your passwords.
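The GeoIP “border control” idea assumes you can tell from your own logs that a flood has started and where it is coming from. The script below is an added example, not code from this white paper: it parses web-server access-log lines, counts requests in fixed ten-second windows, flags a window that is several times the median of the windows before it, and reports the country mix and the source addresses behind the spike, which is the list a GeoIP rule would act on. The log lines, the prefix-to-country table standing in for a real GeoIP database, the expected-country list and the thresholds are all constructed.

```python
"""Spot the start of a volumetric flood in web-server logs and see where it comes from.

Added example, not code from the CNA white paper. The log lines, the prefix-to-
country table (a stand-in for a real GeoIP database), EXPECTED_COUNTRIES and the
thresholds are all constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

EXPECTED_COUNTRIES = {"US", "CA"}   # where this hypothetical business trades (assumption)
WINDOW_SECONDS = 10                 # size of each counting window
SPIKE_FACTOR = 5                    # alert when a window is 5x the median of earlier ones

# Stand-in for a GeoIP lookup, keyed by /24 prefix (constructed; documentation ranges).
GEOIP = {"203.0.113": "US", "198.51.100": "CA", "192.0.2": "BR"}

# Common/Apache style: ip - - [time] "METHOD path HTTP/x" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def country_of(ip: str) -> str:
    """Country for an address, or '??' when the (constructed) table has no entry."""
    return GEOIP.get(ip.rsplit(".", 1)[0], "??")


def parse_line(line: str):
    """Return {'ip','ts','method','path','status'} or None for an unparseable line."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def detect_spikes(log_lines) -> list:
    """Count requests per window; flag windows far above the median of earlier ones."""
    buckets = defaultdict(list)
    for entry in filter(None, map(parse_line, log_lines)):
        buckets[int(entry["ts"].timestamp()) // WINDOW_SECONDS].append(entry)
    alerts, history = [], []
    for key in sorted(buckets):
        reqs = buckets[key]
        count = len(reqs)
        # A little history is needed before anything can be called abnormal.
        if len(history) >= 2:
            baseline = statistics.median(history)
            if count >= SPIKE_FACTOR * max(baseline, 1):
                by_country = Counter(country_of(e["ip"]) for e in reqs)
                unexpected = sum(n for c, n in by_country.items()
                                 if c not in EXPECTED_COUNTRIES)
                alerts.append({
                    "window_start": datetime.fromtimestamp(key * WINDOW_SECONDS, timezone.utc),
                    "requests": count,
                    "baseline": baseline,
                    "by_country": dict(by_country),
                    "unexpected_share": unexpected / count,
                    "top_sources": Counter(e["ip"] for e in reqs).most_common(3),
                    # What a GeoIP "border control" rule would drop for this window.
                    "sources_to_block": sorted({e["ip"] for e in reqs
                                                if country_of(e["ip"]) not in EXPECTED_COUNTRIES}),
                })
        history.append(count)
    return alerts


# --- constructed sample log: three quiet windows, then a flood -----------------
BASE = datetime(2016, 3, 4, 9, 0, 0, tzinfo=timezone.utc)


def _line(second: int, ip: str, path: str = "/") -> str:
    ts = (BASE + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_line(s, f"203.0.113.{s % 7 + 1}", "/index.html") for s in range(0, 30, 2)]  # 5 per window
    + [_line(s, "198.51.100.9", "/pricing") for s in range(1, 30, 5)]             # 2 per window
    + [_line(30 + i % 10, f"192.0.2.{i % 4 + 10}") for i in range(80)]           # 80 in one window
)

if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_LOG):
        print(f"{a['window_start']:%H:%M:%S}: {a['requests']} requests "
              f"(baseline {a['baseline']}), {a['unexpected_share']:.0%} from unexpected "
              f"countries {a['by_country']}; candidate blocks {a['sources_to_block']}")
```

On the constructed log the three quiet windows carry seven requests each and the fourth carries eighty, all from addresses the table places outside the expected countries, so the script reports one alert with those four sources as block candidates. The detection is the easy half: a window-and-median rule of this kind will fire on a real flood, but once your link is saturated the blocking has to happen upstream at the provider, which is why the first bullet above matters most.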


RETHINK YOUR PASSWORDS AND SECURITY QUESTIONS
If you think your passwords are impervious, consider this: if a hacker cannot determine your password, they can readily go in and reset it. What is your mother’s maiden name? What is the name of the street you grew up on? We have all answered these questions on dozens of websites we access daily. They are in place to secure our accounts in case we forget a password, so we can reset it to something easily remembered, and easily discovered. In this connected age, security questions offer very little security. Hackers simply have to look at your LinkedIn profile, Instagram or Facebook page, website or blog. If you are counting on privacy settings to keep the name of your favorite pet out of a criminal’s reach, think again. Using these legal sources, it takes a hacker only minutes to discover your mother’s maiden name, family members, pets, current and former addresses, high school and its mascot, and current and past employment. With a few more minutes and some not-so-legal research, the hacker can retrieve personal information exposed by past data breaches (the phishing technique should come to mind here).

Thankfully, there are steps you can take to protect yourself and your business. Reconsider how you choose passwords and the answers to security questions. In short, make them up. When the bank wants to know your mother’s maiden name, use a false answer that you will remember. Does your mother have a nickname? Which TV character reminds you of your mom? The next time you log into your credit card account, go into your settings and change the name of the street you grew up on. Choose answers you will remember, but that are distant enough from your life and online presence that they cannot be looked up. For the password itself, instead of a word, experts recommend a phrase: a line of poetry, the title of a story, or a song lyric. Beyond being unconnected to the usual password sources, the length alone makes it exponentially harder to guess or crack. And if you cannot remember a different passphrase for every account, use a password manager. It keeps your passwords secure (and can generate a different random one for each site), and you need only remember the passphrase to the manager itself. Alter egos aren’t just for superheroes anymore. Let your secret identity choose your passphrases and answer the recovery questions, and keep them just that: secret. As methods of hacking become more sophisticated, shouldn’t your passwords, too?

One of CNA’s Risk Control Consultants asked a colleague, a certified white-hat hacker, to do a cursory search of his online information. The white-hat hacker had access to all of the above personal information belonging to our consultant in less than 30 minutes.


Tech Reps on the Move
IS YOUR MOBILE DATA PROTECTED?
With our increasing dependency on mobile devices, protecting your network in the office and on the go are equally important.

On Your Laptop
Potential losses associated with exposure of sensitive data stored on stolen laptop and desktop computers can be far greater than the cost of replacing the equipment. A key finding of the Ponemon Institute’s The Cost of a Lost Laptop study, conducted in 2009, was that the average value of a lost laptop was $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property, lost productivity, and legal, consulting and regulatory expenses. The data breach alone represents 80 percent of the cost.

On Your Mobile Phone
Start by enabling a PIN or biometric (fingerprint) screen lock. This prevents a casual user from accessing the contents should you lose your phone. Apple iOS 9 now defaults to a six-digit PIN instead of four. Two extra digits make guessing much harder: 1,000,000 possible combinations versus 10,000 for a four-digit PIN. For additional security, you may also opt for a longer alphanumeric passphrase. Many new phones also offer biometric authentication. Another crucial step is full-disk encryption. Consumers sometimes confuse having a PIN or password on their phone with encrypting their phone; they are not the same. An encrypted phone requires a PIN or password, but it is possible to have a PIN screen lock on an unencrypted phone. An unauthorized user may be able to read the information on an unencrypted phone (by plugging it into a computer running specialized software) without knowing the PIN or password. Encrypting your phone and using a strong passcode prevents this type of attack. Apple has encrypted device storage by default since iOS 8, and Android has done so since 6.0 Marshmallow.

When Using Wi-Fi Be careful using your mobile device in public Wi-Fi hotspots. While users may opt to use a public Wi-Fi hotspot to reduce data usage on their mobile plan, they should be aware public Wi-Fi is inherently insecure. If you choose to use such a connection, attempt to verify the hotspot is legitimate. Ask the owner of the business for the network name. Be mindful that it is trivial for a malicious user to create a wireless network with the exact same name, making it difficult to verify the authenticity. Use a virtual private network (VPN) to protect your data from an attack on this local network.


When Traveling
Travel procedures should address common high-risk situations:
• Avoid storing devices in automobiles.
• Do not leave devices unattended in hotel rooms.
• Take extra precaution in airport security areas, check-in counters, baggage claim, restrooms, food courts and curbside pick-up areas, as these are all high-risk areas for theft of portable devices.
Additional steps are recommended to prevent losses from data breaches associated with the theft of data storage devices and media. First, carefully evaluate the need to store sensitive information on any type of portable device or removable media. In many cases, the benefit of storing information on these difficult-to-secure devices will not be worth the risk in today’s threat environment. Where possible, prohibit such storage in an information security policy, but also evaluate technical means of preventing this data leakage: disabling or monitoring USB ports, content filtering and other methods are possible. If it is determined that storage on portable devices or removable media is absolutely necessary, this data must be protected and encrypted.

DO YOU NEED INTERNATIONAL COVERAGE?
We know that in today’s expanding global marketplace, the needs of your technology company are expanding just as quickly. To accommodate these evolving requirements, you should assess your international risks at least annually.

How Do You Know If You Need International Coverage?
If you answer “yes” to any of the questions below, international coverage for overseas property and liability exposures may be necessary:
• Does your company have any foreign sales, imports or exports?
• Does your company sell products/services over the Internet?
• Do any company employees travel outside the U.S. on business?
• Does your company attend trade fairs or exhibitions outside the U.S.?
• Does your company have any international facilities, licensing, subcontracting or joint ventures?
• Does your company have any foreign suppliers?
• Does your company have any payroll outside the U.S.?

If your business spans borders in any capacity, it is important to assess these risks as well. To best address your specific risks, speak with your risk control consultant. Now that you are armed with knowledge of current and emerging threats and of ways to combat them, you are well on your way to protecting your and your clients’ data to the best of your ability. But in today’s marketplace, data protection is just a basic requirement of customers. As mentioned earlier, it is the foundation for you to build on. The next layer of your tech company is to be trend-savvy. Customers want to work with a company that knows and understands trends in the industry, a company that is a true thought leader.


Trends to Take Seriously
THE CLOUD
Cloud computing is a growing trend in IT as organizations look for ways to save money and for an appealing alternative to the way they interface with data and applications such as email and customer databases. But what exactly is “the Cloud”? Cloud computing, while still an evolving service, provides on-demand network access to a shared pool of computing resources such as networks, servers, storage and applications. The service is typically provided from a large data center. Cloud computing can be divided into three types: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). This section will help you understand what the cloud is and the benefits of working in it, and provide some insight into the risks associated with cloud computing.

Characteristics of the Cloud
• On-demand/self-service: Consumer-driven provisioning of computing capabilities.
• Broad network access: Capabilities are available over the network and accessed through standard services (e.g., mobile phones).
• Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model.
• Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale to requirements.
• Measured service: Cloud systems automatically control and optimize resource usage by leveraging a metering capability providing transparency for both the provider and consumer of the service.

Cloud Services
• Software as a Service (SaaS): Provides ready-for-use, Web-based applications, such as email, that are maintained centrally by a provider (e.g., Gmail, Salesforce.com).
• Platform as a Service (PaaS): Provides programming languages and tools that can be used by application developers to create and deploy applications on the Web.
• Infrastructure as a Service (IaaS): Provides computing resources, such as virtualized servers and storage, whose usage is rented from a provider (e.g., Amazon EC2, Windows Azure).

What are the Benefits of the Cloud? By using a cloud provider, your company and clients can access information, files, or data, anytime, anywhere and from virtually any device with an Internet connection. The pooling of resources allows rapid scaling to meet your company’s changing needs. In contrast to buying and installing software onto your existing hardware or having to procure new hardware or servers, cloud computing can provide a cost-efficient alternative. Companies have gained tremendous flexibility and agility in rapidly scaling their resources up or down on an “as needed” basis. Beyond the heightened accessibility and ease of collaboration, the potential cost reductions can be significant. In short, the cloud is an instrument that can vastly simplify, optimize and streamline the way your organization’s IT operates.


Different Clouds for Different Crowds

There are four basic types of cloud services that may be available to your organization:
• Public Cloud: The cloud infrastructure is made available to the general public, owned by an organization selling cloud services.
• Private Cloud: Cloud infrastructure is operated solely for a single organization, and may exist on or off the premises.
• Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology.
• Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.

Storing Data in the Cloud? Know the Risks on the Ground.

As with all emerging technology solutions, companies must make sure they address potential risks when operating in the cloud. Cloud solutions are complex networked systems, which are affected by traditional computer and network security issues such as data confidentiality, data integrity and system availability. Due to the unprecedented quantity and variety of customer data in cloud data centers, there is a higher degree of potential vulnerability, requiring a higher degree of confidence and additional transparency that cloud providers keep customer data isolated and protected. Furthermore, cloud users and administrators rely heavily on Web browsers and open Internet connections; browser security failures can lead to cloud security breaches. Some of the key risks that your company should examine include:

Data Protection: A data breach can devastate a company, which can make placing sensitive data in the hands of a third party unsettling. Ensuring that your data remains secure and protected while at rest and in transit is paramount. Encryption is one way to safeguard your company’s data. To further safeguard confidentiality, encryption keys should be owned and managed solely by the cloud customer.

Data Loss/Disruption: Damage from storms, natural disasters or an electrical failure can potentially cripple a data center. Other incidents like fire or a water leak can pose damage to servers. And even if your provider has a recovery process, there’s the chance that your data may still be irretrievable. It’s important to have a contingency plan in place should a disruption or loss occur. You need to know how easily your critical data can be retrieved and identify a new provider or non-cloud space in which to transfer data.

Inappropriate Access: Data that rests in the cloud should be accessible only by those with distinct authorization. The vast amount of data and users makes the cloud environment extremely alluring to hackers. And you can’t rule out a former employee who can still gain access. Stringent user authentication can help block inappropriate users from infiltrating your cloud space and accessing data. Companies should consider viewing access logs and audit trails for added user verification.
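The data-protection point above (keys owned and managed solely by the cloud customer) and the earlier rule that anything stored on removable media must be encrypted both come down to the same pattern: encrypt before the data leaves your hands, so the provider, or whoever picks up the drive, only ever holds ciphertext. The Go program below is an added illustration of that pattern and is not code from this white paper or from CNA. The blobStore type is a constructed stand-in for an object store or removable drive, and AES-256-GCM with the object name bound into the authentication tag is my choice of mechanism; the paper itself names no algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// blobStore stands in for a cloud object store or a removable drive. It is a
// constructed, hypothetical helper for this example: it only ever receives
// bytes and never sees the key, which is the point of customer-managed keys.
type blobStore map[string][]byte

func (s blobStore) Put(name string, data []byte) { s[name] = append([]byte(nil), data...) }
func (s blobStore) Get(name string) ([]byte, bool) { d, ok := s[name]; return d, ok }

// NewCustomerKey creates a random 256-bit AES key. In practice it lives in the
// customer's own key store and is never uploaded alongside the data.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before it leaves the organisation.
// The returned blob is nonce || ciphertext || tag. The object name is bound as
// associated data, so a blob renamed or swapped in storage fails to decrypt.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. Any change to the blob, the name or the key is caught by
// the GCM tag and reported as an error instead of returning garbage.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// StoreEncrypted is the upload path: encrypt locally, then hand only the
// ciphertext to the store. It returns the stored blob so callers can inspect it.
func StoreEncrypted(store blobStore, key []byte, name string, plaintext []byte) ([]byte, error) {
	blob, err := Seal(key, name, plaintext)
	if err != nil {
		return nil, err
	}
	store.Put(name, blob)
	return blob, nil
}

// FetchDecrypted is the download path: retrieve the ciphertext, decrypt locally.
func FetchDecrypted(store blobStore, key []byte, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, fmt.Errorf("no object named %q", name)
	}
	return Open(key, name, blob)
}

func main() {
	key, _ := NewCustomerKey()
	store := blobStore{}
	record := []byte("client: Example Co; contact: jane@example.com") // constructed sample
	blob, _ := StoreEncrypted(store, key, "clients/example.json", record)
	fmt.Println("provider can read the record:", bytes.Contains(blob, record))
	back, err := FetchDecrypted(store, key, "clients/example.json")
	fmt.Println("customer recovers the record:", err == nil && bytes.Equal(back, record))
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering of the stored copy
	store.Put("clients/example.json", blob)
	_, err = FetchDecrypted(store, key, "clients/example.json")
	fmt.Println("tampering detected on read:", err != nil)
}
```

The same Seal/Open pair serves a file copied to a USB drive: what travels is the blob, and the key stays behind. Losing the key means losing the data, which is why key custody belongs in the contingency plan alongside the provider-failure scenario above.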


THE INTERNET OF THINGS (IoT) IoT is likely much larger today than anyone would have predicted when the first ATM went online in 1974. Now, IoT includes thermostats, cars, light bulbs, clothing, pills and, yes, even toilets. In 2006, there were 2 billion objects connected to the Internet, and some estimates project that there will be 200 billion by 2020, with an estimated market cap of $1 trillion. Nearly $6 trillion is expected to be spent on IoT solutions over the next five years.5


The growth of this segment has been spurred by decreasing processor costs, an increase in bandwidth for transmitting data and our desire to capture data. The increase of connected devices is creating advantages for the businesses that can capture, analyze and act on the data being collected.

IoT devices are being used in DDoS attacks. One of the challenges that arises in a world of connectivity is that IoT devices lack protection. A chief strategy officer at ForeScout reported that 70 percent of their customers’ devices are unseen and unmanaged by IT.7

Businesses will be the top adopter of IoT solutions because they will use IoT to 1) lower operating costs; 2) increase productivity; and 3) expand to new markets or develop new product offerings.6 The important role IoT will soon play in the marketplace does not come without risks.

Even devices you might think are safe from cyberattacks – DVRs, IP-enabled cameras, cable boxes, surveillance cameras – are at risk if they run a small, embedded computer connected to the Internet.8 These devices need to be treated like any other computing device: they should be patched regularly, and the appropriate personnel should know what information they contain, provide access to or control.
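The 70 percent figure above is about visibility: you cannot patch or assign an owner to a device nobody has inventoried. One practical check is to reconcile what the network actually sees (a DHCP lease export, for instance) against the list of devices IT manages, and flag both unknown devices and known ones whose last patch is overdue. The Go program below is an added example of that reconciliation and is not code from this white paper or from CNA or ForeScout. The lease lines, inventory entries, MAC addresses and the 90-day patch window are all constructed for the example; the "MAC IP hostname" line format is an assumed export layout, not any particular DHCP server's.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Device is one entry in the inventory IT actually manages (constructed type).
type Device struct {
	MAC, Name, Owner string
	LastPatched      time.Time
}

// ObservedLease is a device seen on the network, e.g. from a DHCP lease export.
type ObservedLease struct{ MAC, IP, Hostname string }

// Finding is one device that needs attention, and why.
type Finding struct{ MAC, IP, Hostname, Reason string }

// NormalizeMAC makes "AA-BB-CC-00-00-01" and "aa:bb:cc:00:00:01" compare equal.
func NormalizeMAC(mac string) string {
	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(mac), "-", ":"))
}

// ParseLeases reads lines of "MAC IP HOSTNAME" (assumed export layout); blank
// lines, '#' comments and lines missing an IP are skipped rather than failing.
func ParseLeases(text string) []ObservedLease {
	var out []ObservedLease
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		lease := ObservedLease{MAC: NormalizeMAC(f[0]), IP: f[1]}
		if len(f) > 2 {
			lease.Hostname = f[2]
		}
		out = append(out, lease)
	}
	return out
}

// Reconcile flags the two things the text asks IT to know: devices on the wire
// that nobody has inventoried, and inventoried devices not patched within maxPatchAge.
func Reconcile(leases []ObservedLease, inventory []Device, now time.Time, maxPatchAge time.Duration) []Finding {
	byMAC := make(map[string]Device, len(inventory))
	for _, d := range inventory {
		byMAC[NormalizeMAC(d.MAC)] = d
	}
	var findings []Finding
	for _, l := range leases {
		d, known := byMAC[l.MAC]
		switch {
		case !known:
			findings = append(findings, Finding{l.MAC, l.IP, l.Hostname, "seen on network but not in inventory"})
		case now.Sub(d.LastPatched) > maxPatchAge:
			days := int(now.Sub(d.LastPatched).Hours() / 24)
			findings = append(findings, Finding{l.MAC, l.IP, l.Hostname,
				fmt.Sprintf("last patched %d days ago (owner: %s)", days, d.Owner)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].MAC < findings[j].MAC })
	return findings
}

// Constructed sample data: a DHCP lease export and a small managed-device inventory.
const sampleLeases = `
# MAC IP hostname (constructed sample export)
AA:BB:CC:00:00:01 10.0.1.20 finance-laptop-07
aa-bb-cc-00-00-02 10.0.1.44 ipcam-lobby
AA:BB:CC:00:00:03 10.0.1.58 dvr-backroom
AA:BB:CC:00:00:04 10.0.1.61 thermostat-2f
`

var sampleNow = time.Date(2016, 11, 1, 0, 0, 0, 0, time.UTC)

var sampleInventory = []Device{
	{MAC: "aa:bb:cc:00:00:01", Name: "finance-laptop-07", Owner: "Finance", LastPatched: sampleNow.AddDate(0, 0, -10)},
	{MAC: "AA-BB-CC-00-00-02", Name: "ipcam-lobby", Owner: "Facilities", LastPatched: sampleNow.AddDate(0, 0, -200)},
	{MAC: "aa:bb:cc:00:00:04", Name: "thermostat-2f", Owner: "Facilities", LastPatched: sampleNow.AddDate(0, 0, -5)},
}

// SampleFindings runs the check on the constructed data with a 90-day patch window.
func SampleFindings() []Finding {
	return Reconcile(ParseLeases(sampleLeases), sampleInventory, sampleNow, 90*24*time.Hour)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%s %-12s %-18s %s\n", f.MAC, f.IP, f.Hostname, f.Reason)
	}
}
```

On the sample data the DVR shows up as unmanaged and the lobby camera as unpatched for 200 days; the laptop and thermostat are quiet. The same reconciliation works against ARP tables or switch MAC tables as the "observed" side, which catches devices that never asked DHCP for an address.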

5 Business Intelligence. The Internet of Things: Examining How The IoT Will Affect The World. Nov. 2015.
6 Ibid.
7 IoT botnets are the new normal of DDoS attacks. Oct. 5, 2016.
8 Ibid.


BITCOIN

You may have seen the headlines, but what exactly is Bitcoin? In a nutshell, Bitcoin is an electronic cash system that works directly person to person. There is no central bank authority that governs Bitcoin, making transactions anonymous.

The history of Bitcoin is somewhat mysterious. In 2008, a white paper was published under the name Satoshi Nakamoto (which is believed to be a pseudonym for multiple people behind the project). This paper described the currency and addressed the problem of double spending.9 While a few people have claimed to be Satoshi, there is still much speculation as to who actually created Bitcoin.10

You’ll hear Bitcoin referred to as a “cryptocurrency” as it utilizes encryption to verify the authenticity of transactions and to control the creation of additional Bitcoins.11 (You may have heard of less popular cryptocurrencies, including Dogecoin, Litecoin and Peercoin.)

So how much are Bitcoins worth and what can you do with them? The value of a Bitcoin has fluctuated like a commodity since its beginning. When first introduced, a single U.S. dollar could buy you 1,309.03 Bitcoins. Today, a single Bitcoin costs north of $600 U.S. dollars (the value went as high as $1,100 in November of 2013).

In addition to having a value that can fluctuate greatly, Bitcoins have also been the subject of attack. Hackers have crafted malware specifically designed to steal cryptocurrencies owned by the target.12 Malware has also been designed to utilize victim computer resources to “mine” Bitcoins for the attacker. Furthermore, attackers have targeted the Digital Currency Exchanges themselves. In 2014, a large exchange, Mt. Gox, had to file for bankruptcy after revealing that it had lost $500 million in Bitcoins, 90 percent of which were owned by users who had kept them on deposit at the exchange.13 Unlike a regulated bank, there is no FDIC insurance for Bitcoin deposits.

Many users may have also heard of Bitcoin in relation to ransomware, as most attackers will demand ransom payments in Bitcoins due to the anonymity it affords them. Bitcoin may also get a bad reputation due to the number of transactions for drugs, guns and other illicit items in which Bitcoins are used. However, Bitcoin is being used, at an increasing rate, for legitimate transactions. Both Microsoft and Dell Computers accept Bitcoin, as well as Overstock.com, among others.14 A number of gift card businesses also accept Bitcoins that can be used at major retailers like Walmart, Amazon, Target and Nike.15

If you or one of your clients chooses to use Bitcoin, it’s important to look at the big picture: Why am I using Bitcoin? What are the risks? Do the benefits outweigh the risks at this time? Again, your risk control consultant can help with your specific risk assessment.


9 Bitcoin: A Peer-to-Peer Electronic Cash System. Satoshi Nakamoto.
10 Wikipedia: Satoshi Nakamoto.
11 Forbes. Crypto Currency. Andy Greenberg. April 2011.
12 Brave New Coin: Bitcoin stealing malware evolves again. Luke Parker. February 2016.
13 Mt. Gox Bitcoin Meltdown: What Went Wrong. Mathew J. Schwartz. March 2014.
14 Coindesk. What Can You Buy with Bitcoin?
15 Ibid.


Success Stories To give you a clear idea of how CNA helps a variety of technology companies, here are a few of our successes.

Understanding Exposures and Needs

DATA CENTER COMPANY

A state-of-the-art data center company recognized as best-in-class for uptime performance formed two new entities – facilities management and construction services companies – to leverage their expertise in data centers. The incumbent carrier did not have the expertise to consider the two new entities, so the agent brought the account to CNA. CNA’s technology and construction underwriters were able to understand the exposures of the two new entities and build insurance programs to win the business. Once the data center’s policy term with their incumbent carrier expired, they also chose CNA because of our ability to truly understand their varied business insurance needs and coordinate tailored risk control services across all three entities.

Stepping In When It Counts

GOVERNMENT CONTRACTOR

A government contractor was providing analytical and logistics work, installation of communication systems in military vehicles, fault testing, isolation, replacement of component pieces in missile systems and a small warehousing operation. The CNA agent was not the incumbent agent on the account. The technology underwriter worked with the agent and the insured to understand the unique operations and controls for the exposure. She identified a previously unaddressed international exposure and worked with the agent to come up with a business income coverage structure that met the client’s needs given its growth trend. By demonstrating knowledge of the customer’s business, CNA was able to deliver a comprehensive proposal. At the end of the day, these efforts resulted in a good new business win for one of our key technology agent partners.

Delivering Quick Responses

TECHNOLOGY PRODUCER

When a private equity deal comes together, stakeholders need immediate access to relevant insurance coverages. Our technology team got “the call” from one of our technology producers and sprang into action. Even before the submission arrived, the technology underwriter had already coordinated and lined up our key internal business partners to get the deal done. Within a day and a half, they quoted and bound workers’ compensation, umbrella, international and professional liability lines of business. The account fit our underwriting appetite as a provider of scanning devices, consulting, software and outsourcing services to their customers. As a result of this deal, the producer was able to land the remainder of the private equity group’s technology portfolio.

Providing Solutions Beyond Borders

IT SOLUTIONS COMPANY

This was a dual opportunity and a win of two related, but separate, IT companies. The first entity was a value-added reseller of IT products and services, including consulting and leasing. The other delivered IT life cycle support, managed services and infrastructure management. With operations in all major U.S. metropolises and a large global presence, the insured was able to supply products and services to medium and large, domestic and multinational enterprises. The technology underwriting executive was able to put together a comprehensive international solution for both accounts. In doing so, she reinforced a strong broker relationship that helped to build new business production momentum. The broker leveraged CNA’s broad coverage terms, valuable underwriting expertise, and superior risk control and claim services to bring consistent value to themselves and their clients, and make CNA their go-to carrier.


Collaborating for the Win

TELECOMMUNICATION SERVICES PROVIDER

A mobile phone and communications services company needed all-lines coverage for their operation. CNA’s technology underwriter worked with the agent and client to prepare a proposal that included broad coverage with technology-specific endorsements on the GL and Property, including specific tower coverage and terms.

Audit, Claim and Risk Control played an important part in the process. Audit advised regarding the appropriate general liability classifications and, by their early involvement, assured the client that there would be no surprises at the end of the policy term. Claim offered customized services and reporting programs. Risk Control offered support services regarding fire controls and free infrared testing. The collaborative, holistic approach, including broad, technology-specific coverage terms, competitive pricing and hands-on services presented by CNA was an attractive alternative for the client and allowed both the agent and CNA to win the business.

Addressing the Gaps

INSTRUMENT MANUFACTURER — TESTING EQUIPMENT

An agent reached out to CNA to help the manufacturer of a wide range of instruments and systems that replicate accelerated environmental parameters for sunlight, temperature, moisture, corrosion and flammability. These sophisticated technology chambers are sold to independent laboratories and manufacturers. The client also performs equipment recalibration, as well as some laboratory and testing services.

There were three key differentiators in writing this new business account. The agent was not satisfied with the level of service by the current carrier. CNA was able to demonstrate quick risk control and quote turnaround capabilities. And international coverage gaps under the current program were pointed out and resolved. CNA provided a complete solution, including significant foreign and ocean marine coverages. The CNA technology underwriter worked closely with the agent to develop a relationship and understanding of the account, which enabled this total solution result.


Snapshots of Success

| Description | Premium | Coverages Written | Competitive Advantage |
|---|---|---|---|
| Data Center | $324,000 | Property, General Liability, Equipment Breakdown, Auto, Umbrella | Broad Property capacity and ability to coordinate coverage for newly-formed entities |
| Online Survey Cloud-based Software | $176,000 | Property, General Liability, Auto, Workers' Comp, Umbrella, Tech E&O (non-admitted), International | Broader E&O and Property coverage, new International package, consistency in market |
| Electronics System Manufacturer | $155,000 | Technology E&O (non-admitted) | Third-party Product Recall, Cyber Data Breach vendor choice |
| Digital Media & Marketing for Loyalty Programs | $26,000 | Property, General Liability, Auto, Workers' Comp, Umbrella | Manuscripted a unique coverage for Property and Crime exposures |
| Software as a Service Provider for Not-for-Profit Companies | $620,000 | Property, General Liability, Auto, Workers' Comp, Umbrella, International | Consolidation from three carriers into a one-carrier solution with Workers' Comp dividend program |
| Digital Media Planning Platforms for Healthcare | $53,000 | Property, General Liability, Auto, Workers' Comp, Umbrella, Media Liability | Educated agent and customer on Media Liability coverage gaps |
| IT Software & Services in Data Analytics, Consulting, System Integration | $128,000 | Property, General Liability, Auto, Workers' Comp, Umbrella | Property CAT capacity |
| Communications Vendor & Value-added Reseller | $133,000 | Property, General Liability, Auto, Workers' Comp, Umbrella | Collaborated with customer and agent to craft a tailored service plan |
| Developer of Mixed Reality Virtual Vision Technology | $316,000 | Workers' Comp, International | Established relationship as a startup, and able to grow with client |
| Digital Design Studio for Branding | $18,000 | CNA Connect®, Auto, Umbrella | Broad coverage of CNA Connect® and Tech Super Choice Endorsement |
| Cloud-based Software for Property Managers | $43,000 | Property, General Liability, Auto, Workers' Comp, Umbrella, Tech E&O (admitted), International | Broader E&O, Property and International coverages to respond to rapidly growing firm needs |


Four Key Takeaways

1. Recognize the legal implications of protecting your data as well as your clients’ data.

2. Be aware of all the outlets – internal, external, first party and third party – at which your data is at risk.

3. Take action to protect your and your clients’ data through methodologies such as encryption, patching and antimalware software.

4. Consider industry trends as you move forward with your professional and personal endeavors.

While reading this resource is a huge step toward positioning yourself and your company as a tech leader, we encourage you to subscribe to industry newsletters, set a reminder to regularly check new state laws regarding cyber issues, join and engage in LinkedIn groups, and regularly communicate with your risk control consultant, especially as new technologies and threats emerge.

To learn more, contact your independent agent. Need an agent? Match with one today at www.cna.com. One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. It is not intended to constitute a binding contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA" is a service mark registered by CNA Financial Corporation with the United States Patent and Trademark Office. Certain CNA Financial Corporation subsidiaries use the "CNA" service mark in connection with insurance underwriting and claims activities. Copyright © 2016 CNA. All rights reserved. SB315M