Are You Prepared For The Next Cyber Attack?
Cybercrime has dominated news headlines this year, from a phishing scam at Snapchat to the WannaCry ransomware that crippled computers across the globe in May.
Cybercrime has become so prevalent that there is an online publication dedicated to it called DataBreach Today.
Online crime is one of the fastest-growing threats to business operations, potentially resulting in expensive claims and lawsuits. Self-storage businesses are not immune to cyber hacking, especially with more customers paying online. Self-storage operations store sensitive customer data that must be protected from hacking.
Unfortunately, as the number of high-value transactions exchanged through electronic channels continues to grow, online criminals are devising new ways to intercept communications or deceive computer users. As cybercrime technologies evolve, it is becoming increasingly difficult to protect data and defend business privacy.
The Cost Of Cybercrime
The global cost of cybercrime is expected to reach $2 trillion by 2019, a threefold increase from an estimated $500 billion in 2015, according to Security Intelligence, an IBM publication.
According to the Identity Theft Resource Center, more than 29 million records were exposed in 858 publicized breaches in 2015 across sectors including financial, government, health care, and education. International Data Group detected 38 percent more cybersecurity incidents than the previous year.
The cost per record stolen averages $158 globally, but exceeds $220 in the U.S., according to Ponemon Institute.
Small- and mid-sized organizations (SMBs), defined as those with 100 to 1,000 employees, are increasingly targeted by cybercriminals. According to Keeper Security’s “The State of SMB Cybersecurity” report, half of small- and mid-sized organizations reported suffering at least one cyber attack over a 12-month period.
While these businesses are themselves victims, they may still have to incur an immense cost to reconstruct data, conduct required notifications, and face the prospect of customer defection.
Keeper Security estimated the average cost of a data breach involving theft of assets totaled $879,582 for SMBs, which spent another $955,429 to restore normal business in the wake of cyber attacks.
Data Breach Notification Laws
Self-storage owners need to protect their businesses and customers from hacking and other cybercrime. Preparation should include prevention techniques to protect against hacking as well as insurance coverage in case preventive measures fail.
In addition to the major inconvenience cybercrime can cause self-storage owners and their customers, operators can be subject to fines and other financial losses. Plus, customers whose confidential information has been divulged may sue the self-storage business for negligence.
Businesses usually are required to notify affected customers when a security breach occurs. Plus, there are additional expenses and possible litigation involved if identity theft occurs, including offering customers one or two years of free credit monitoring.
In April, New Mexico became the 48th state, along with the District of Columbia, to enact legislation requiring notification of security breaches involving personal information. Alabama and South Dakota remain the only states without a data breach notification law.
“Data breach notification laws exist at the state level—each having their own breach notification law,” says Scott Zucker, an attorney with Weissmann Zucker Euster Morochnik P.C. in Atlanta. “Companies storing the personal information of residents of multiple states—an increasingly common situation thanks to Internet commerce—may need to comply with dozens of separate breach notification standards in the event of a security incident.”
Self-storage employees handle an assortment of sensitive personally identifiable information (PII) not only for customers but also vendors, investors, partners, and employees.
PII includes the full name of the individual, home address, email address, driver’s license number, credit or debit card number, telephone number, date of birth, and social security number. This personal information is put into the facility’s system and stored on a local server, on a cloud server, or maintained by a management software vendor.
According to Mike Gong, area vice president of Arthur J Gallagher, who is based in Fresno, Calif., self-storage data breaches can take several forms, physical and electronic. “If a business owner or supervisory employee had a laptop in a car and the laptop got stolen, that could be a data breach,” Gong says. “There’s a lot of information on there that could be compromised.”
Some self-storage employees write personal information on paper and later toss it into the garbage without shredding it. A dumpster diver could conceivably create a data breach for the facility.
An employee could go on a suspicious website and click on a link or open an email attachment that installs a virus or ransomware on the company’s network.
Disgruntled employees increasingly cause cyber problems by downloading personal information and planting viruses on company networks before leaving their companies.
Gong relates a recent incident where a multilocation Texas operator had ransomware installed on the company network, which locked out users for an entire week. “You can imagine that created havoc and slowed down their efficiency for the business,” Gong says.
The self-storage industry luckily hasn’t experienced a major data breach from an outside hacker source, according to Zucker. None of the real estate investment trusts (REITs) apparently have been affected; otherwise, they would have to disclose the information in their public filings.
“Certainly, there have been internal data breaches that have occurred by managers taking tenant information and using it for their own benefit,” Zucker says. “I haven’t seen a situation where an employee has taken information and sold it to a third party.”
The Role Of Insurance
Cyber risks increasingly are appearing on the radar of insurance companies, which now offer various forms of liability protection that cover data breaches and identity theft. Cyber liability protection is designed to reimburse owners for expenses resulting from a notification and also to provide liability coverage if a customer lodges a lawsuit as a result of a data breach.
Whether the insurance is called cyber liability, data compromise, or privacy and network security liability, this coverage protects against electronic or physical theft of sensitive information. These policies typically cover first party expenses for breach response, legal expenses, forensic investigation, notification, credit monitoring, loss of business income, fines and penalties, cyber extortion, and network security liability.
MiniCo Insurance Agency’s business owner’s policy offers a data compromise option providing a variety of assistance pertaining to a wide range of data breaches such as electronic theft or hacking and covers certain costs related to notifying customers of a breach, restoration of lost data, and credit monitoring.
MiniCo also offers identity recovery coverage as part of its business owner’s policy. This coverage offers services of an identity recovery case manager as needed to respond to identity theft, including a step-by-step resource guide and reimbursement of reasonable identity recovery expenses incurred to correct credit or identity records as a result of identity theft. Coverage also includes the insured’s lost wages (subject to limits), cost of up to 12 credit reports, postage, phone, shipping, and certain legal fees.
Gong advocates carrying limits of no less than $1 million for most cyber liability policies. That’s because of the cumulative costs involved in meeting notification requirements.
“For the first-party expenses typically the business owner is going to incur, it ranges between $200 and $300 per record,” Gong notes. “One single facility can have 800 units and over time you have turnover on those units; you could have several thousand records that you’re responsible for maintaining.”
In this scenario, Gong estimates a facility owner could be looking at $400,000 in out-of-pocket expenses if 2,000 customer records were involved.
“I’m a big proponent of operators having cyber liability insurance protection,” Zucker says. “The amount of coverage all depends on the size of the facility and the financial ability of the facility to insure itself. I always advocate for as much insurance as you can afford.”
More storage operators are adding cyber liability coverage to their insurance policies as a result of the growing concern over cyber theft. “In the last few years we’ve sold a lot more of it,” Gong says. “There’s more knowledge and a need for it.”
He notes that several years ago insurance companies that provided this product didn’t have a streamlined way for a customer to apply for the coverage. “A lot of them would have an eight-page application that was mind-bending to any layman who was not tech savvy. You’d have to have IT (information technology) or a vendor to fill it out. It’s a lot easier to get a quote than it was five or six years ago. I’ve seen an uptick because of that as well as people realize there’s an exposure out there,” Gong says.
Industry Misconception
Some owners, however, don’t look into this insurance because of what Gong says is a misconception about credit card processing in the storage industry.
“Most people believe credit card processors will protect you from fines or violations, but also first-party expenses where you’ve got to notify,” Gong says. “If you look at the contracts of most credit card processing companies, they indemnify themselves from that. As a merchant, you have to take that on because customers don’t care who the storage operator has chosen as their vendors to process credit cards. All they care about is they did a transaction with you as a merchant or business owner.”
While card processors might seek liability protection, Zucker says one reason there has not been a major cyber event in the industry is because of the work of these processors and management software providers.
“A lot of that is a credit to management software providers and merchant services providers who work hard to make sure their systems are PCI (Payment Card Industry) compliant and they require their customers to install proper firewalls for access prevention,” Zucker says. “There’s a lot of good education going on with respect to structural needs of the operator to prevent a data breach.”
Operators who take automatic credit card and debit card payments regularly can put their customers’ personal information at risk. Should a breach occur and customer data end up in the wrong hands, owners and operators face a multitude of costly legal rules with specific requirements.
Visa and MasterCard mandate that their merchants are PCI compliant, and management software providers such as Raleigh, N.C.-based SiteLink are helping operators to achieve that status by adhering to PCI best practices. The consequences of non-compliance can threaten the business itself.
“In the event you experience a breach, you could face steep fines for PCI non-compliance along with the possible costs associated with forensics and card reinsurance,” says SiteLink Merchant Services COO Sheryl Scott. “So, the merchant account holder must complete PCI compliance, proving they have followed the best practices in protecting their business. For additional protection, check with your insurance provider to verify you have the proper coverage to protect against unauthorized attacks.”
Gong recommends using chip readers at the store when accepting credit or debit cards for added security. Plus, it can reduce the operator’s liability if a fraudulent or stolen card were to be used. Financial institutions can push liability back to the merchant if a chip card is not processed through a proper card reader.
“You want to try to encrypt as much data as possible that has private information,” Gong says. “People send emails all the time that have a lot of information that could be intercepted. Most people don’t have a form of encryption software on their email system to hide that information.”
It’s always a good idea to keep antivirus and antimalware software updated, as well as firewall security (see accompanying sidebar). Passwords should be strong and changed frequently. In addition, operators should have policies and procedures on how to avoid phishing scams and establish obligations for using social media.
“That’s probably the biggest exposure most storage operators have today in terms of getting a data breach is because of something an employee has done inadvertently by going online,” Gong says.
In a toxic online environment, where worldwide hackers are continually searching for new victims, self-storage owners must use all available tools—including insurance—to protect their businesses and customers from online criminal activity.
David Lucas is a freelance writer based in Phoenix, Arizona. He is a frequent contributor to all of MiniCo’s publications.
Taking Preventive Measures To Avoid Online Crime
Self-storage owners must remain aware and proactive in order to help reduce the threat of cybercrime. Technology experts recommend business owners take a number of preventive measures to lower the risk of a data breach:
- All software should be kept current, including the Windows or Mac operating system, the browser (Internet Explorer, Firefox, Safari, etc.), and other programs such as Adobe Reader and Adobe Flash. Operating systems are periodically updated to keep technology current and to fix security holes.
- Be sure to have antivirus and antimalware protection on all computers; also consider protection for smartphones and other mobile devices. Antivirus software is designed to prevent malicious software programs from embedding on your computer.
- Install or update spyware blocking technology. Spyware is software that is surreptitiously installed on a computer to allow outsiders to observe your computer activities. Some spyware collects sensitive information about computer users or produces pop-up ads on the web browser.
- Ensure compliance with Payment Card Industry Data Security Standards (PCI DSS). PCI compliant organizations are better prepared to protect their data and have less of a chance of getting breached when compared to organizations that are out of compliance.
- Encrypt all your customer files and store them in a secure location. Stay current on established protection protocols such as encryption and newer technologies.
- Be on constant alert for phishing scams. Always check the email address before clicking on any links, especially from financial institutions. Clicking on these malicious links will allow bank usernames and passwords to be shared with criminals.
- Create “air gaps” by leaving some information on computers that are not connected to the Internet or leave some of the most sensitive information offline entirely.
- Keep your firewall defense up to help protect your computer from hackers who might try to gain access to steal passwords or confidential information. Software firewalls are recommended for single computers while hardware routers typically provide firewall protection for networked computers.
- Be careful of downloads. Carelessly downloading email attachments can circumvent antivirus software. Never open an email attachment from someone you don’t know, and beware of forwarded attachments from unknown senders.
- Turn off your computer. With the growth of high-speed Internet connections, many users leave their computers on; however, “always on” computers are more susceptible to attacks. Turning off the computer cuts off an attacker’s access.