Cyber & Privacy Risks for Small and Medium Businesses

Part 1

A photo of a screen showing what is apparently the skull splash page that appeared on Sony company computers when the attack started, posted by someone who said he was a former Sony employee who was sent the image by current Sony employees. The image was first posted on Reddit.

By now everyone has learned about the details of the Sony hack, and if you have anything to do with business security or IT infrastructure, this event has probably got you thinking or even worried. In the next several posts I want to address how the Sony breach differs from many of the other cyber events of late, and what this means for the small and medium sized business owner or decision maker.

First, if you own, operate or manage a Small or Medium Enterprise (SME), which we consider to be a company with 25 to 1,000 employees or $10 to $100 million in annual sales, you likely have had conversations with your information technology folks about your network’s security in light of all the different types of hacks and network intrusions you’ve read about in the news. Hopefully your IT people have indicated that everything is under control. What I want you to consider is that the IT personnel at all of the Fortune 100 type companies that have made the news of late over cyber breaches have probably also told their CEOs and Boards that “everything is under control”, only to find that in fact, everything is not under control. The other thing to consider is that major corporate entities like Target, JP Morgan, and Home Depot have hundreds (if not thousands) of people working in IT security and infrastructure protecting their networks. The budgets they have for information security are well into the seven figures, because these firms have the resources and need to spend that sort of coin on protection. Yet, they were hacked.

So, the first question is “how do you know?”  How do you know that everything is under control?  How do you know if your resources are being spent wisely?  How do you know that your employees understand the importance of security protocols?  How do you know that someone isn’t accessing the internet on an unsecured network to send important files or emails?  How do you know that every employee’s laptop is encrypted and won’t be stolen from the backseat of their locked car?

The questions can go on and on, but in today’s world, you must be asking: How can I be certain?  Or how do I know that our security is bullet-proof?


Well, let’s go back to the Sony breach for a moment. Up to now, most business leaders have considered PII (Personally Identifiable Information) to be their biggest privacy issue and the information needing the highest level of security. If your firm transacts business through credit cards, then PCI data (Payment Card Information) is also at the top of your list. And, while it is critically important that PII and PCI data be secured, what did Sony lose in this breach that could be as valuable? Their own digital assets in the form of unreleased movies, which are now available for download on dark sites and file sharing sites. Within a week of the hack, five unreleased movies had been downloaded over two million times! While Sony has moved to shut down those sites and downloads, serious economic damage has been done. How much damage? We may never know, but the real point here is to consider what would happen if your company’s digital assets were stolen.

What is a digital asset? A digital asset can be anything you value which resides on electronic media. It could be a patent file for a client of a law firm, the secret recipe of a food products manufacturer, the notes to your marketing strategy, the code to your website, details of an M&A deal, the investment strategy for a hedge fund, a client list, a prospect list, etc. It can be anything that has value to you, or anything of value to others of which you are a custodian. If that information is released to the public domain, there are two possible damages that result. The first, as in the case of Sony, is the potential loss of revenue because your private information is no longer private and can be used or consumed by others for free. The other risk arises if you hold the digital assets of others (private information of others in digital form): the release of that information will trigger a lawsuit. Take the first example from above: an IP law firm is working on a patent filing for a client. The digital asset is the contents of that filing: drawings, schematics, formulas, spreadsheets, etc. that belong to the client but of which you are a custodian. Until the patent is granted, that information is highly confidential. If it is released through a data breach, the client’s work may now be lost forever, and that can trigger a costly lawsuit against the law firm.

When the “secret sauce” leaves your hands, whether it’s your “sauce” or your customer’s, there are going to be economic damages: either direct first party damages, or third party damages which result in expensive lawsuits. Whether the damages are first or third party, standard business insurance policies are not going to cover those claims. That’s why SMEs need a carefully tailored Cyber and Privacy Liability Policy to protect these exposures, among many others.

The Coyle Group is not only expert at tailoring Cyber protection, but also has the resources to help you answer the basic question of “how do you know” your systems are secure. We believe that understanding and managing risk is as important as transferring risk through insurance.  For more information on our resources and coverage options, give us a call so we can discuss it further with you and help you answer those “what if” questions.

In our next post, we’ll continue to dig into the Sony breach and what lessons SMEs can learn from it.