If a client experiences an online security breach, they may blame and sue their IT consultant. That's why third-party Cyber Liability Insurance is important for your line of work. If you're sued over a client's data breach, your policy can help pay your legal expenses. Cyber Insurance can also cover the cost of:
- Customer notifications.
- Security incident investigations.
- Cyber extortion.
Though insurance can help you out of a financial bind, it should be a last resort. Your first line of defense? Educate your clients so they have less risk of a breach in the first place. Let's take a look at some common mistakes your customers make and how you can educate them about cyber security best practices.
The Most Common Mistakes Your Customers Make
We talked to a few IT consultants to learn some of the more frequent cyber security issues they see when they're in the field.
Alex Rayter (@alexrayter), managing principal of the IT managed services and staffing firm Phoenix 2.0 (@p20inc), says these are the top problems he's spotted at client sites:
- Not having a cyber security awareness program.
- Not having contingency plans in place in the event of an incident.
- Not conducting a risk assessment to understand where and how they are vulnerable.
George Tatar, founder of the syncing software company Akruto (@akruto), says these are the most common mistakes he's seen:
- Believing a firewall and anti-virus are enough.
- Neglecting updates on equipment and software.
- Lack of password management.
- Connecting IoT devices to the same network as computers and mobile devices.
Author and former IT consultant Greg Scott (@DGregScott) adds that phishing scams still trick many business owners he's worked with into downloading viruses or ransomware.
"By now, everybody is pretty much immune to the Nigerian prince who wants to deposit a million dollars into their bank account," says Scott. "But there are other scams."
Scott says businesses should be wary of emails that ask the recipient to update an attached "invoice." He says the emails are designed to seem as boring as possible so that overworked business owners will open them without thinking. Then, the next thing they know, boom: virus.
That's why it's important to spend some time educating your clients when you onboard them. For more tips on subjects to tackle, check out "Big Opportunity for IT Businesses: Talk about Underused Security Software" and read on for more ideas.
Arm Your Customers against Ransomware Attacks
Ransomware is a growing headache for many business owners, and most don't have a game plan for dealing with it.
"This threat [ransomware] was one of the big cyber security trends of the last year, and it would definitely stay on this list in 2017," says Tatar.
Teaching moment: Tatar recommends educating customers about the importance of backing up data. That way if they are hit by ransomware, they can quickly restore any affected data so they can get back to work.
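A backup only helps against ransomware if the copy cannot be overwritten by the infection and the restore is actually tested. The following is an added example (not code from the article or from any of the contributors' companies) that shows what a restore drill looks like: take a versioned snapshot with a SHA-256 manifest, simulate an infection on a constructed sample directory, detect the damage against the manifest, restore, and verify. The directory names, file contents and the `.locked` renaming are all constructed for the demo.

```python
"""Versioned backup with an integrity manifest, plus a restore drill.

Added example, not code from the original article. Standard library only;
all data below is constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def snapshot(src: Path, backup_root: Path) -> Path:
    """Copy src into a new timestamped directory and record a manifest.
    One directory per run: a later infection of src cannot rewrite an
    earlier copy in place (store backup_root off the client's LAN)."""
    dest = backup_root / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")
    shutil.copytree(src, dest)
    (dest / MANIFEST).write_text(json.dumps(build_manifest(dest), indent=2, sort_keys=True))
    return dest


def verify(root: Path, manifest: dict) -> list:
    """Relative paths whose contents are missing or differ from the manifest."""
    current = build_manifest(root)
    return sorted(name for name, digest in manifest.items() if current.get(name) != digest)


def restore(snap: Path, target: Path) -> list:
    """Replace target with the snapshot and return mismatches after the
    restore; an empty list means the restore is verified and usable."""
    manifest = json.loads((snap / MANIFEST).read_text())
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap, target, ignore=shutil.ignore_patterns(MANIFEST))
    return verify(target, manifest)


def simulate_ransomware(root: Path) -> int:
    """Constructed stand-in for an infection: overwrite every file with junk
    and rename it with a .locked suffix. Returns the number of files hit."""
    count = 0
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(b"\x00encrypted\x00" + p.name.encode())
            p.rename(p.with_name(p.name + ".locked"))
            count += 1
    return count


def restore_drill(workdir=None) -> dict:
    """End-to-end drill on constructed data: snapshot, infect, detect the
    damage, restore, and confirm the restored tree matches the manifest."""
    created = workdir is None
    if created:
        workdir = Path(tempfile.mkdtemp(prefix="restore_drill_"))
    try:
        data = workdir / "client_data"
        (data / "accounts").mkdir(parents=True)
        (data / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (data / "notes.txt").write_text("quarterly review\n")

        snap = snapshot(data, workdir / "backups")
        manifest = json.loads((snap / MANIFEST).read_text())

        hit = simulate_ransomware(data)
        damaged = verify(data, manifest)      # every original file now missing
        after_restore = restore(snap, data)   # [] when the restore succeeded
        return {
            "files_hit": hit,
            "damaged_before_restore": damaged,
            "mismatches_after_restore": after_restore,
        }
    finally:
        if created:
            shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

The manifest is what turns "we have a backup" into "we know the backup restores": the same check that reports the infection (every original path gone, replaced by `.locked` files) reports an empty mismatch list only after a clean restore. In a client deployment the snapshot directory would live on storage the workstation cannot write to (an offline drive, or a cloud bucket with write-once retention), because ransomware that can reach the backup will encrypt it too.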
But what do you tell a customer infected with ransomware when they ask you whether they should pay the ransom?
"Paying the ransom should be a last resort," says Rayter. "You may consider paying the ransom if the data is worth more than the amount they are asking for."
Scott says in his experience, clients who pay up usually do get their data back. That's because if hackers never fixed the scrambled data, people would stop paying.
Teach Your Clients about HIPAA
Businesses that work with medical information need to make sure they comply with HIPAA laws governing security measures and data privacy. While doctors' offices are pretty used to dealing with the rules around HIPAA, many other business owners are not.
Even if a business doesn't directly handle patient data, it could still be required to adhere to HIPAA guidelines if it comes into contact with medical information in some way, such as transcribing it or storing it.
"If you do not directly interact or come into contact with patient data, but work directly with other organizations that do, you may by extension be a 'business associate of a covered entity' and will also need to have the requisite precautions in place," says Rayter.
Teaching moment: Because of the compliance issues that go hand-in-hand with HIPAA, it's important your clients understand the consequences of a data breach involving patient information. Otherwise, if a breach does happen, both your client and your IT consulting firm could get sued. For more on that, read "When Data Is Compromised, Who Is Responsible?"
Make Sure Employees Are Cyber Savvy, Too
It's not enough to make sure your clients understand cyber security protocols. Even if just one employee clicks on something they shouldn't, it could compromise an entire company's computer system. Talk to your client about the importance of training staff on online security.
"Educating staff to follow basic cybersecurity rules and practices is one of the biggest cybersecurity challenges of all time," says Tatar. "Even using cutting-edge security solutions might still not be bulletproof protection against social engineering and hacking when employees don't follow basic cybersecurity rules."
Teaching moment: Tatar recommends helping your clients develop a list of guidelines for all employees based on their position and data access level. Just don't make it too complicated.
"You could write a 100-page manual with all the rules and regulations, but nobody's going to read that, and nobody's going to care," says Scott.
Instead, focus on the basics. Rayter recommends:
- Training users to spot phishing emails.
- Having antimalware software deployed on PCs.
- Establishing a protocol for users to safely report suspicious emails.
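The "update the attached invoice" lure Scott describes, and the two list items above on spotting and reporting phishing, can be turned into a concrete checklist that a mail filter or a help desk can run before anyone opens the attachment. The block below is an added example (not code from the article or from any contributor's product) that parses two constructed messages with Python's standard `email` library and lists the red flags: a display name that shows one address while the real sender is another, a Reply-To pointing at a third domain, an attachment whose final extension runs code, and a double extension such as `Invoice_4471.pdf.js`. All addresses, domains (`.test`), subjects and filenames are made up for the demo.

```python
"""Triage of "please update the attached invoice" emails.

Added example, not code from the original article. Parses constructed
sample messages with the standard library and lists the red flags an
employee should report rather than click through.
"""
import email
import email.policy
from email.headerregistry import Address
from email.message import EmailMessage

# Extensions that execute when opened; a genuine invoice is never one of these.
EXECUTABLE_EXTS = {"exe", "js", "jse", "vbs", "scr", "hta", "bat", "cmd",
                   "ps1", "docm", "xlsm", "jar", "lnk"}
# Document types a double extension typically hides behind.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
LURE_WORDS = ("invoice", "overdue", "payment", "remittance")


def attachment_flags(name: str) -> list:
    """Flags for one attachment filename."""
    flags = []
    exts = name.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        flags.append(f"executable attachment: {name}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        flags.append(f"double extension disguising type: {name}")
    return flags


def first_address(msg, header: str):
    """(display name, addr-spec) of the first address in a header, or blanks."""
    h = msg.get(header)
    if h is None or not h.addresses:
        return "", ""
    return h.addresses[0].display_name, h.addresses[0].addr_spec


def triage(raw: str) -> dict:
    """Return lure status, attachment names, red flags and a verdict for one
    RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    flags = []
    from_name, from_addr = first_address(msg, "From")
    _, reply_addr = first_address(msg, "Reply-To")
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display name carrying a different address than the real sender.
    if "@" in from_name and from_name.lower() != from_addr.lower():
        flags.append(f"display name shows {from_name} but sender is {from_addr}")
    # Replies silently redirected to another domain.
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            flags.append(f"replies go to {reply_domain}, not {from_domain}")
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    for name in attachments:
        flags.extend(attachment_flags(name))
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    lure = any(word in text for word in LURE_WORDS)
    return {"lure": lure, "attachments": attachments, "flags": flags,
            "verdict": "report" if flags else "ok"}


def build_sample(sender: Address, subject: str, body: str, filename: str,
                 reply_to: Address = None) -> str:
    """Construct a sample message (fabricated content for the demo)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = Address("Owner", addr_spec="owner@example-smb.test")
    m["Subject"] = subject
    if reply_to is not None:
        m["Reply-To"] = reply_to
    m.set_content(body)
    m.add_attachment(b"%PDF-1.4 stub", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed phishing sample: vendor address in the display name, free-mail
# sender, foreign Reply-To, and a "PDF" that is really a script.
PHISH = build_sample(
    Address("accounts@trusted-vendor.test", addr_spec="mailer9f2@free-mail.test"),
    "Invoice 4471 - please update the attached invoice",
    "Hi, the attached invoice needs updating before payment can be released.",
    "Invoice_4471.pdf.js",
    reply_to=Address(addr_spec="billing-desk@another-host.test"),
)
# Constructed legitimate sample: same lure words, but nothing else is wrong.
BENIGN = build_sample(
    Address("Trusted Vendor Billing", addr_spec="accounts@trusted-vendor.test"),
    "Invoice 4471",
    "Please find attached invoice 4471 for March.",
    "Invoice_4471.pdf",
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

The point for staff training is the last sample: invoice wording alone is not the signal, because real invoices use it too. What gets reported is the combination of the lure with a mismatched sender, a redirected Reply-To, or an attachment whose real type is hidden; the checklist gives employees something specific to look at and gives the reporting protocol a concrete list of fields to collect.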
IT security is second nature to you, but your clients may take a while to catch on. If you want to reinforce the information with clients, we recommend you direct them to our eBook Small Business Guide to Identity Theft Prevention and Data Security. It's written with the small-business owner in mind and gives them concrete, actionable tips for protecting their data.
About the Contributors
Alex Rayter is the managing principal of Phoenix 2.0, a premier full-service IT consulting and management firm operating in the Bay Area since 2001. Phoenix 2.0 manages all day-to-day IT support functions for SMB and middle market Bay Area companies. It helps companies attract and retain top technical talent and was one of the first to offer DevOps staffing and consulting services.
Greg Scott is a veteran of the IT industry. He founded Scott Consulting in 1994, and ran it until a larger firm purchased it in 1999. Scott then went on to found Infrasupport Corporation, this time with a laser-focus on infrastructure and security. Scott is also the author of Bullseye Breach, and currently works for Red Hat, Inc., an enterprise software company.
George Tatar founded Akruto in 2010 to help customers keep their private information safe and readily available wherever they go. Prior to founding Akruto, George managed teams of engineers at large companies and successful startups. Akruto's main product, AkrutoSync, is designed for secure synchronization of Outlook data with any smartphone or tablet available on the market.