Insurance questions? Click here to ask
Insurance Bureau of Canada/nb/Business/Risk Management

Cyber risk management

When insuring assets, many organizations still prioritize bricks and mortar over informational assets and data. Many medium and small businesses that protect their data with a cyber insurance policy are underinsured.

Cyber losses are extremely costly. Research by Ponemon Institute reveals that just one stolen laptop that contains personal and confidential data can cost a business an average of US $39,000. This cost includes the stored data, as well as damage related to the criminal use of the stolen data.

Data breaches are widespread and can happen in a variety of ways, including through lost or stolen hardware. According to research from International Data Corporation, 91% of U.S. companies deal with tablet and laptop thefts and/or losses.

As data leaks and cyber attacks become more common, Canadian insurers are developing coverage options to help businesses manage critical risks. Hidden vulnerabilities typically come to light only after a successful attack, which means standard best practices for cyber risk management are constantly evolving.

Cyber crime stats:

  • Every year, cyber crime costs as much as $600 billion or .8% of the global gross domestic product (GDP).
  • In Canada, cyber crime losses tally more than $3 billion a year or .17% of our GDP.
  • In 2018, the average cost of a data breach in Canada was almost $5 million.
  • The average cost to detect and contain a breach (through investigations, assessments, audits and crisis management) is $1.78 million.

Did you know?

  • According to a 2017 study, two-thirds of Canadian corporations have a cyber risk policy.
  • Poor cyber protection of small firms can put larger organizations along the supply chain at risk. Cyber criminals have been known to target small organizations to gain access to larger organizations.

Considerations for mitigating cyber risks

Recognizing the damaging consequences of cyber-related threats, Public Safety Canada has outlined several measures that small businesses should take to protect themselves against cyber attacks.

While identifying and mitigating cyber risk is an evolving process, the following actions may be helpful when defending your organization, customers and your reputations.

  • Know the threats. Email scams, phishing attacks, botnets, viruses and Trojans are just a few of the electronic tools hackers use. Knowing where they come from and what they look like is the first step to keeping them at bay.
  • Watch out for fake software. Cyber criminals develop schemes to trick employees into downloading and installing malware on their computers, mobile devices and networks. Learning to spot the tricks can keep your customer and financial information protected.
  • Protect your social networks. Employees may share personal information on social media sites that can be used to build a profile of their responsibilities and activities. This information is then used to develop a convincing scam, tailored to them specifically. It is important to educate your employees about safe social media practices.
  • Watch out for phishers. Cyber criminals use fake emails, text messages and websites to trick employees into giving up their important information. It’s called phishing. Passwords, usernames and credit card numbers can be are taken, sold and used. Criminals may even impersonate your business to try to scam your customers. Employees should never respond to emails requesting private information or click on links from unknown sources. Encourage them identify email scams; typically, the message is alarmist, has spelling mistakes, offers a deal that’s too good to be true or requests sensitive information.
  • Know how to spot risky URLs. By taking the URLs of recognized sites and tweaking them slightly, cyber criminals can catch unsuspecting people in a scam. Signs that a URL is untrustworthy include hyphens, numbers, spelling mistakes and the “@” symbol in place of a regular character. Encourage employees to manually type URLs in the address bar, rather than clicking on email links. This can help ensure that they are going to a legitimate site and not a malicious or spoofed site.
  • Don't write down passwords. Encourage employees not to write down their passwords on scraps of paper in their workstations. The passwords can be nabbed by a person passing by and used to access their accounts.
  • Require employees to create unique passwords. If a password is strong, complex and random, it will help make it as secure as possible.
  • Lock computer screens. Advise employees to lock their screens when they’re away from their desks to help secure their computers.
  • Protect laptops in public. If cyber criminals get a hold of an employee’s computer or mobile device, they can mine it for the important information you’ve worked so hard to keep secure. Remind employees to be mindful of where and how they keep their devices.
  • Contact IT in an emergency. In the case of a potential breach or theft, instruct employees to immediately contact security or the IT department to limit damage.
  • Plan ahead for departing employees. When an employee leaves your company, make sure his or her system access is terminatedy. If not, hackers can exploit the open account.