Insureon, a small business insurance broker based in Chicago, recently carried out a survey of 2,500 small businesses and the results show a staggering level of complacency.

When asked if they feel at risk of a cyber data breach, 82 percent of respondents said no.

Why the lack of concern? Maybe its because 58% of the respondents said, when asked who looks after IT security said “I DO”; OR perhaps its that 85% have not suffered a cyber attack; OR maybe it’s because 82% simply don’t feel threatened from a Cyber Attack.

Should we as insurance professionals be worried? Maybe not – only 26% have cyber insurance!

Most professional security professionals agree that 100% of companies are at risk and, when pushed, would also agree that 100% of these same companies are vulnerable in some way to cyber attacks. Just look at the big name companies who spend millions on security yet still become the subject of headline news. Saying “It’s Me” who looks after cyber security suddenly may not be such a good answer when you have to answer to your customers.

The survey by Insureon of some 2,500 small businesses – the results:

Q1. Do you feel you are at risk of experiencing a cyber attack or breach?

• Yes: 18%
• No: 82%

Q2.Do you have controls in place to protect yourself from a data breach?

• Yes: 77%
• No: 23%

Q2a. If so, what?

• Anti-malware software: 80%
• Anti-virus software: 89%
• Automated data backups: 66%
• Firewalls: 81%
• Employee IT training: 54%
• Spam filters: 76%
• Automated software updates: 70%
• Regular vulnerability scans: 71%

Q3. Have you experienced a data breach in the past?

• Yes: 15%
• No: 85%

Q4. Do you have cyber liability insurance?

• Yes: 26%
• No: 74%

Q5. Do you have customer data that would be susceptible to an attack on your business network?

• Yes: 24%
• No: 76%

Q6. Who manages your company’s IT needs?

• A contracted IT worker: 13%
• A third-party IT firm: 12%
• I have a full-time IT employee: 17%
• I do: 58%

At MIC Global we are focused on changing the way insurance is developed and processed. We are insurance with an API.We care about security and making sure people are able to look after their own data and assets.

We are in the forefront of that change; developing policies by the season, job, by the hour, by the day and by the Km, thus fitting our model to that of the platforms and the way small and micro businesses see risk. We are unbundling policies so that the cover offered fits with the actual job or process being undertaken.

Going on holiday? Here are few things to do (or not do) before you go and while you are there!

Before you Go….

Lock Down Your Computer and Clear Your Desk

Everyone needs to think about computer security these days and the day you go on holiday do this. In your office, before leaving shut down and remove all devices, and put away any sensitive papers. At your home office, shut down and disconnect any computers and remote storage devices to prevent hackers from gaining access. Think about changing the homes modem Pre Set Password!

Update and Secure All Devices

While you have ‘unlimited bandwidth’ at home, run the security patches on all your devices and update all the apps. Now is the time to get that promised off line back up done – back up all your devices and data. Check that you have the data and documents that you’re reasonably sure you’ll need while away. Unless really needed best to leave it behind. Think before you pack – do you really need all those devices? Pack only what you’ll need.

Extra cautious? Add two-factor authentication on all your devices, and have a remote wipe mobile device management feature on your smartphone. Change the passwords on sensitive accounts when you get home. Virus scan your devices for any malware or security vulnerability when you get back.

Make Use of a VPN

When on holiday or away its easy to use public networks at the airport, hotel lobby or Starbucks. This can be risky. So before you go it’s a good idea to add a virtual private network (VPN) connection to your laptop. This is an extension of a private network that includes links across shared or public networks, such as the Internet.

Basically, only access a public network with a VPN. When you are not using the network, turn off Wi-Fi, Bluetooth, and any auto-connect. Make sure you check all devices.

Don’t Use Thumb Drives

Don’t be tempted to just take a thumb drive – better to add to DropBox. Before you leave, decide what documents and data you’ll need for your trip and add to computer or add to Drop Box or similar.

When You Are On The Beach…

Think About Physical Security

Many users forget about simple physical security, there is a need to become more aware of appearance. For starters, don’t use the ‘laptop bag’ to transport your device – put in a more discreet bag or carrier. When leaving your room or bar or restaurant or taxi have an awareness of where your devices are located. Hotels have room safes – this is better than nothing! It better left in the safe than in the desk draw or on by the pool.

Be Smart, Be Discreet

Never flaunt expensive tech – it’s easy to steal and easy to sell. It make more sense not to take devices on holiday. Use your phone or iPad for browsing the web for directions and keeping tabs on the news. You don’t need all your devices to do that! Resist the temptation to take it.

If you do take it then use it discreetly and carefully. People are looking out for nice phones, iPads and computers to steal. Its not all espionage and data theft, mostly its about getting $50 for your iPhoneX.

Social Media and Telling Everyone Where You Are

Posting photos while away to social media platforms, such as Instagram and Facebook, is just telling everyone you are not in. The world knows that it’s the perfect time to launch attacks on your digital assets or break into your house.

Try and take a break from Social Media too – post your photos and tell people what a great time you had when you’re back home.

Using Wifi and Internet Café

Be careful using local WiFi, public computers and printers at a hotel’s business centre and or local internet cafes. These should be used only in emergency or to print out local directions or restaurant details. Never access your bank account or a sensitive financial or medical site on a public computer or network.

Scammers don’t just target big companies, it’s small business too! In the press you hear all the big numbers from big events – WannaCry – 250,000 computers globally and parts of the UK’s NHS, HBO’s Game of Hacks – HBO lost data and new releases, NotPetya – Maersk was one of the biggest headlines, Facebook and Google fall for Targeted $100 million Phishing attack, THE Equifax Breach, 3,000,000,000 Yahoo’s and this is just a few from 2017.

Behind these large headline grabbing events are the many micro and small businesses that are also being attacked. Its not true that hackers only go after large businesses. Scammers and Hackers throw a wide net and small businesses are falling into their traps.

For small business security is often not a high priority and many companies don’t have the skills to avoid scammers. For this reason they are often caught up in the scams and attacks and are vulnerable to loosing data, suffering financial loss or worse reputation damage.

Most cyber-attacks start with phishing, this is a technique where a hacker will try to trick you into giving away sensitive information that will allow them to break into your accounts.

Phishing attacks usually come via email, often disguised as something legitimate – the use of the Tax office is a common attack or, recently, mass attack where hackers sent out fake Uber receipts, with a link at the bottom to a bogus complaints website. These emails looked genuine, the hacker is trying to get you to click on something and when you do….. you give the hackers access to your system.

So how can you tell the fake emails from the real ones? The first thing is to be aware, know that it can happen to you and your company. It can be tricky to see, but these are the top tips.

1. Don’t click links blindly – think before you click. Use your mouse to hover over the link, this will show you the URL. If that doesn’t match up to the URL you’re expecting, then delete the email.
2. Treat emails with attachments with suspicion. Attachments are used to down load packets on to your machine. If you receive an attachment that you’re not expecting and you don’t recognise the sender, it could well be a phishing attempt. Delete.
3. Again on attachments – sometimes you can be asked to “enable macros” when you open it. Don’t, unless you know the person and it is from their business email.
4. If you’re in any doubt about the legitimacy of an email, don’t open any attachments from it or click any links. Always check with the person – using a NEW clean email or phone – replying to dodgy emails might be playing right into the phisher’s hands.

Recently, well for the past 3 years or so, there has been an increasing focus on the insurance industry to change and for users to have simplified processes. This focus is even more apparent to enable shared economy insurance and Gig worker or freelancer insurance to work. The pressure has been put on the existing players in the industry to shake up and start to work out how to build tailored insurance policies that are fit for purpose in this new shared and gig world of work. Progress? Right now, it’s just hard!

This difficulty is starting to allow new companies to come in and threaten the existing players. This is a good thing and we are seeing the industry embracing these new companies and accepting them.

This was all looking like an interesting play for the likes of Google and Facebook. That is until you hear that Facebook now have said that most of its 2 billion users could have had their data accessed improperly, giving fresh evidence of the ways the social-media giant failed to protect people’s privacy while generating billions of dollars in revenue from the information.

These companies want to do everything (books, to travel; insurance to home cleaning) and use their power over the data to exploit their users. But now we see the cost.

“What we didn’t do until recently and what we are doing now is just take a broader view looking to be more restrictive in ways data could be misused. We also didn’t build our operations fast enough — and that’s on me.”

Sheryl Sandberg, COO Facebook

Their focus is on ‘customer experience’ and sucking every business income stream into their machine. Google and Facebook use AI and machine learning to read data and monitor your usage of their technology to serve you up what they think you need and what’s profitable for them. This data usage has been abused to drive revenue to match their huge future focused valuations.

The new InsurTech / FinTech start-ups are focused on ‘customer experience’ too. This is defined by cutting down questions to a minimum, using ‘social’ data to fill in the blanks to give you a quote for insurance or a loan. These companies use customers social media, third party apps and other accounts to gain information to provide quotes and service with minimum input from the user. But what data is being used and who checks this? And do we ever read the small print?

Is this acceptable? Is complying with new data protection rules enough? Or is it time to take back your data?

When I ask data professionals about taking back your data they shrug and say it’s out there already, so what’s the point. I disagree with this and think now is the time to take a stand and we should stop accepting that companies have a free flow use to your data and just scrape and access data for on the back of providing customer experience.

For example, Facebook’s search tool to find other people, now disabled, has been used to scrape public profile information, and now Facebook have said “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.” They just noticed this? This was a feature built into Facebook for customer experience.

It’s interesting that Facebooks main defence from Mark Zuckerburg is:

“We didn’t take a broad enough view of what our responsibility was and that was a huge mistake.”

These new young, keen, naïve, start-up companies who want to take over the world live in their own created bubbles – thinking everyone is like them, that they know what an ‘experience’ is and that everyone wants to know who joined, who could be a friend, who’s got a new job, who your friend is dating, etc and allowing this free use of data to create value, not for the user, but the company. This practice is in DNA of these companies, exploiting date is a core theme. It’s the route to their value.

Having worked in the very often slow and frustratingly compliant world of insurance I can say exploiting data is not at its core, risk management is. Hence the customer experience is very very poor for most insurance interaction. It is no wonder that the Insurtech focus has been on ‘experience’ as their main ‘disruption tool’. But at what cost, and shouldn’t the user want to know what data is being consumed to give their quote?

There needs to be a balance between using ‘social’ data and re-modelling the insurance. Real work needs to be done on the very fabric of the way insurance works for the shared economy and gig economy insurance to make the whole experience work. Not just the buying of insurance but the whole process – end to end. Even where the policy lasts only one night or one hour. It’s not about scraping data and using social accounts its about real work dismantling the policies and the process to give insurance focused processes and to show the customer what data is used and how this impacts risk management in the event of a claim.