Tag Archives: cyber-attack

Why Cyber Strategies Need Personalization

Personalization has taken a variety of industries by storm. Retailers base marketing campaigns on individual customer preferences; financial institutions are revamping their user experiences to cater to specific demographics; and healthcare organizations are offering services based on patient needs and family history. Without the ever-helpful “you may also like” features and individually customized dashboards, companies like Amazon and Netflix would be nearly unrecognizable, and certainly less appealing.

There’s one critical aspect of business — something that affects every industry — that’s woefully behind on personalization, however: cyber protection. With media outlets constantly reporting on the latest large-scale data breach like this summer’s Quest Diagnostic attack or the First American Financial leak, it’s easy to get swept up in all the fear-mongering and reactively incorporate as many cybersecurity tools and services as possible, no matter their relevance. For small and medium-sized businesses (SMBs), in particular, it’s especially tempting to blindly emulate larger organizations’ defense strategies, as most SMBs are understandably short on knowledge and resources when it comes to cybersecurity and cyber insurance.

Devising Cyber Protection Strategies Isn’t One-Size-Fits-All

One could argue that any efforts toward cyber protection should be applauded. Data breaches have become an inevitable part of doing business today, so wouldn’t even a misguided attempt at making an organization more secure be beneficial? Unfortunately, no.

Devising cyber protection strategies isn’t a generic, one-size-fits-all process. Rather, it’s akin to prescribing medicine. Just as physicians base their treatment plan on an individual’s specific symptoms, companies need to institute an approach to cybersecurity that incorporates their organization’s unique characteristics and needs.

See also: Where to Turn for Cyber Assistance?  

Consider the cyber protection needs of, say, a bakery. While a bakery may need to consider implementing defense mechanisms for its business email account(s), CRM solution and digital document storage, its cybersecurity requirements are fairly straightforward. A basic cyber insurance policy could prepare a bakery for any worst-case scenarios in which customer payment records are exposed, for instance, or sales temporarily dip due to a damaged brand reputation post-breach.

Now look at an urgent care clinic, for which cyber protection can literally be a matter of life and death. Any internet-connected healthcare device, such as a heart monitor or IV, needs to be thoroughly secured to prevent patients from undergoing serious harm. Email, phone and text communications between physicians, nurses, specialists and patients should be encrypted. With healthcare organizations required to retain patients’ medical records for anywhere between two and 30 years (depending on the state), secure digital storage and back-up services must also be considered. In addition to all the tactical cybersecurity considerations that an urgent care clinic needs to take into account, it also has various regulations and audits it must comply with, such as HIPAA and HITECH. Steep fines and severe reputational damage await any healthcare organization that fails to comply.

Evolving and Future Business Needs Must Also be Considered

Not only do organizations need to personalize their cyber protection strategies by prioritizing their businesses’ unique needs, they also need to consider how those needs may change. A new law office may not have much client data to secure in its first six months of business, for example, but, once it’s amassed a few years of cases, the firm’s data security and storage requirements will drastically change. The type of data that a growing law office collects could change, as well. After a decade in business, if the firm decides to branch out to handle personal injury cases, for instance, it will have to adjust its data security strategy to accommodate patient health information.

See also: Cyber: No Protection Against Complacency  

Prioritize Personalization to Secure Critical Assets

Rather than getting distracted by what Target or Facebook is doing to protect their digital assets, take the time to assess your business. Conduct a comprehensive evaluation of your current cyber protection efforts to determine what’s working and what’s not. Look for any major vulnerabilities such as insecure websites or lax Bring Your Own Device or Shadow IT practices, and map out how your cybersecurity requirements stand to change over the next one to five years.

Any organization — no matter its size, industry or available resources — can establish a custom cybersecurity and cyber insurance plan and leverage it to more effectively plan for and prevent devastating cyber attacks.

Cyber and Physical Threats Are Colliding

Overview

A quarter of a century after the Worldwide Web began to transform the Internet into the indispensable tool we all rely on today, we’re entering a new digital revolution. Over the next four years, the number of connected devices is expected to grow to as many as 50 billion, according to the 2015 Ponemon Global Cyber Impact Report sponsored by Aon. Business is expected to make up a far larger percentage of Internet of Things (IoT) usage than the consumer — IoT is more about smart factories and computer-controlled office systems than shiny gadgets like smart watches and fitness trackers.

The risks are becoming physical. Some of these new devices could cause serious real-world damage. We’ve already seen manufacturing plants seriously damaged by cyber attacks and electricity grids and automobiles shut down by hackers. It’s only a matter of time before such threats become more common and more physically dangerous to both people and property.

With the rise of new technology comes fresh opportunity for business — but also new risk. In the workplace, every new connected device represents a new link in the IT chain. With the age of the Internet of Things upon us, what are the new risks and what do business leaders need to know to be prepared?

Projected growth of Internet-connected devices, 2013-2020

Source: 2015 Ponemon Global Cyber Impact Report, sponsored by Aon

In-Depth

New Technology, Big Opportunities 

The benefits of Internet connections are hard to overstate. For businesses, the Internet of Things offers the promise of quantified everything. Employers will be able to track productivity and leverage metrics to uncover new efficiencies. With connected sensors underpinning every square inch of an organization’s footprint — once-siloed data sets can be integrated, correlated and cross-referenced — it will become easier to identify new efficiencies and deliver new value.

See Also: Cyber Threats to Watch This Year

The benefits are immense – but so, potentially, are the risks.

“As we move into having smart workplaces and offices, you’re really talking about a technology backbone that’s driving an organization,” says Stephanie Snyder Tomlinson, a cyber insurance expert at Aon. “What impact can that have on a business? What are the potential losses to an organization if you have a network security breach that results in property damage or bodily injury?”

Digital Threats Turn Physical

An unfortunate side effect to some of the highest-profile recent cyber breaches is that many people have come to regard cybercrime as solely a privacy issue. It can be far more complex than that.

“If there is a failure of network security or systems,” Snyder Tomlinson warns, “there could be a resultant business income loss. It could be intangible loss in terms of loss of data information assets or, especially as we move into relying more heavily on technology and the Internet of Things, it could be tangible loss, as well.”

You don’t need to look very far to get a sense of the potential risks to property and other physical assets when the Internet of Things begins to help run a workplace. As organizations grow increasingly dependent on technology to run their businesses and offices, the attack surface for cybercriminals increases dramatically. Each new device represents an additional access point for hackers.

The scenarios that could result can sound like something out of a science fiction film:

  • Does your building have computerized entry or elevator systems, with smartcard keys for access? Hackers could take control and lock down your building, trapping employees and visitors inside.
  • Computer-controlled electricity or water supplies can be shut down, rendering working impossible.
  • Connected thermostats are becoming increasingly common and could be taken over — shutting off heating in winter or air conditioning in summer, driving temperatures to unbearable levels and making your office unusable.
  • Logistics servers managing orders and deliveries could be hacked, with real orders canceled, false orders placed or essential supplies redirected to the wrong locations, disrupting your supply chain.
  • Factory robots could be set to destroy rather than create your products.
  • HVAC systems in a company data center could be overridden, causing a rise in temperature that could render network servers inoperable.
  • Fire alarm systems could be turned off just as real-world arsonists attack.

These may sound far-fetched, but are already reality. A cyber attack on a German steel mill in late 2014 caused immense physical damage after hackers installed malware on the network.

“It caused the blast furnace to be unable to be shut down, leading to massive property loss,” Snyder Tomlinson says. “The property loss arose from a network security breach. It’s a perfect example of the potential risks when you have companies that are relying on technology to run their business.”

Understanding the level of risk

“There’s always going to be some type of access point into a network, in one way, shape or form,” Snyder Tomlinson says. “You can have the best network security possible, but as everybody says, ‘It’s not if, it’s when.’”

Consequently, many companies are revisiting their approach to cyber security. Organizations previously concerned only with safeguarding client privacy and personally identifiable information are suddenly contemplating a broader loss spectrum.

“We’re seeing more interest in cyber insurance from manufacturers and critical infrastructure companies, because they recognize that their exposure isn’t necessarily just about private information or the liability arising out of a breach,” Snyder Tomlinson says. “We’re going to continue to see growth in the breadth of cyber coverage over the next several years, where we’re getting into the true property space, because there is the potential to have a property loss arising out of a network security breach or a systems failure.”

Snyder Tomlinson says this is why businesses need to take a holistic view of their cyber vulnerability — “Cyber risk flows through an entire organization.” A good cyber risk management framework has three key elements, she says:

  1. Preparation – Identify and quantify your cyber risk exposures. Develop a breach response plan and business continuity plan. Consider taking out a cyber insurance policy, which can assist with the potential balance sheet impact of a breach.
  1. Practice – Speed of response can be vital to limit damage in the event of a breach. Identify the key stakeholders within the organization and perform a tabletop scenario exercise to ensure everyone knows the role they need to play should an incident occur.
  1. Execution – Engaging with appropriate vendors is critical to successful execution. An organization should have relationships with defense lawyers, a public relations firm and a computer forensics firm so that a firm can work with it to mitigate loss in the event of a breach.

With the rise of the Internet of Things, cyber crime is no longer simply about loss of information. Increasingly, you need to consider the possibility that cyber could be just as physically disruptive to your business as a natural disaster or a terrorist incident. This is no longer simply a data issue — today, property and, potentially, lives could be at stake.

Are You Prepared for Cyber Attacks?

It’s no secret that cyber attacks have the potential to cause massive business disruption – affecting both financial performance and corporate reputations. But when it comes to C-suite preparedness for cyber attacks, organizational silos are preventing businesses from taking a comprehensive approach. Cybersecurity is a threat that affects the entire C-suite, and managing this emerging risk requires an integrated mindset.

Many senior executives lack full knowledge about how cyber attacks could affect their organization and how to make cybersecurity a C-suite priority. Moreover, across organizations different leaders are addressing different parts of the cybersecurity challenge: where the chief  information officer (CIO) and chief information security officer (CISO) are focused on physical and virtual data security, the CFO is concerned about ensuring financial stability in case of an attack. The chief legal officer may be concerned with the potential litigation effect, while the chief marketing officer (CMO) is responsible for mitigating bad PR and preserving the brand. In sophisticated organizations, the chief human resources officer (CHRO) is developing cyber training and awareness programs for employees to address threats that can originate within the company. Cybersecurity is clearly a distributed problem that requires integration across the entire C-suite.

Aon’s latest findings reveal that more than half of companies do not plan to buy cyber insurance even though there is an increased threat of attack. This disconnect exists primarily at the board level — the C-suite knows cybersecurity is an issue, but struggles to define its effect on financial performance. As cyber attacks become more prevalent, organizations will need to take an integrated approach toward preparedness.

AON_cyber_attacks_V6_4_effective_cyber_response

How Safe Is Your Data — Really?

The number and the potential severity of cyber breaches is increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014. And the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before—and a total expected to reach 50 billion by 2020 —there are more potential targets for attackers, and there is more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So, how do you keep your organization’s data—and that of your clients and customers—safe?

It’s not just a matter of investing in better technology and more robust systems, according to Aon cyber insurance expert Stephanie Snyder Tomlinson, who says, “A lot of companies find that the weakest link is their employees. You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-It note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Aon’s global chief privacy officer, Brad Bryant. But, with cyber threats increasing, it’s more important than ever to be aware of seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things that everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators. Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare. If you give out details about your personal life, hackers may be able to use them to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information. A surprising amount of information can be retained by devices, even after wiping hard drives or performing factory resets. To be certain that your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data. Keeping your software up to date and password-protecting your devices may not be enough to stop hackers, should your devices fall into the wrong hands. The more security, the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your, your customers’ and your and clients’ information, investing in better cyber security is one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness. Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious. Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized. Develop a list of pre-approved vendors and ensure employees are aware. Review and customize crime insurance—when it comes to coverage or denial, the devil is in the details.
  • Develop a system. Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new, but the scale of the threat is increasing, making following this advice more important than ever. Fitzgerald warns, “Social engineering fraud is one of the greatest security threats companies can encounter today. … This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites, to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious, and courts and regulators are focusing on this issue globally.

The European Union is considering a Data Protection Directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on the protection of customers data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and U.S.

Bryant warns: “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction. … Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

Changing E.U. rules aren’t the only thing that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of Internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

Bryant says, “Given the large scope and impact of the various changes in data protection law—coupled with the drastic increase in fines—becoming educated on how to protect our data is more business-critical now than ever before.”

cyber

Cyber Threats and the Impact to M&A

As investment bankers and their lawyers pore over the details of a potential corporate merger, a new and troubling issue has emerged that could affect the terms of the deal, or even derail it. Cyber risk is now a top agenda item, not only for deal makers but for shareholders, regulators and insurance companies.

While assumption of risk is nothing new when acquiring a company, assuming cyber risk raises a whole new set of concerns that must be addressed early in the M&A process. Specific industries, such as healthcare, financial services and retail might require detailed attention to data risk as it applies to HIPAA (Health Insurance Portability and Accountability Act) standards, financial regulation and PCI (payment card industry) compliance. A thorough analysis of the target company’s network systems needs to be part of the due diligence process and may require the services of a network assessment vendor. Insufficient cyber security and the need for significant remediation of these networks could lead to unforeseen expense and may be a consideration in final negotiations of the target price.

Understanding the evolving face of hackers should also be a consideration. Hackers have traditionally been motivated solely by financial gain. However, as evidenced by recent cyber attacks against Sony, Ashley Madison and the Office of Personnel Management, hackers may be driven by political agendas or moral outrage or may be part of state-sponsored cyber espionage. If the acquired company comes with intellectual property or produces controversial products or services, it could be at higher risk of attack.

Regulatory Issues Affecting M&A

Increased regulatory risk for the acquiring company should also be of concern. Regulators in the U.S. and around the world have had a laser focus on privacy matters and have made their authority known in two recent court decisions.

  • On Aug. 24, 2015, a decision was made that will have profound impact on how the CIO, compliance officers, cyber security officials and others view what is an acceptable level of cyber security. In Federal Trade Commission v. Wyndham Worldwide Corp. et al. No. 14-3514, slip op. at 47 (3rd Cir. Aug. 24, 2015), the FTC alleged Wyndham failed to secure customers’ sensitive data in three separate incidents. As a result, 619,000 customer records were exposed, leading to $10.6 million in fraudulent charges. The Third Circuit Appeals Court affirmed the FTC’s authority to regulate cyber security standards under the “unfair practices” of the Federal Trade Commission Act. Therefore, key stakeholders in the acquiring and target companies need to come to terms regarding acceptable levels of cyber security before the deal is closed.
  • On Oct. 5, 2015, the European Union’s Court of Justice declared the U.S. and E.U. Safe Harbor framework invalid. The ruling abolishes an agreement that once allowed U.S. companies to move E.U. residents’ digital data from the E.U. to the U.S., and it will affect approximately 4,000 companies. For some companies, the ruling could drastically alter their business models. Therefore, an acquisition of any of these companies will require careful consideration as to how the company collects and uses the online information of the residents in the 28 countries that make up the E.U. An acquiring company could face regulatory scrutiny and costly litigation for noncompliance of their newly acquired entity.

Transferring Your Cyber Risk

One method to provide protection for the acquiring company would be to enter into a cyber security indemnity agreement with the targeted company. The agreement can exist for a period after closing, but there should be an expectation that—after a specified length of time long enough to remediate and integrate the target company’s IT networks—the agreement will expire. The liability protections should be as broad as possible and should include all directors and officers, who are often named in derivative lawsuits in the aftermath of a data breach. The agreement should address the many different actions that might be required after an unauthorized network intrusion of the target company. Costs related to defense attorneys, IT forensics firms, credit monitoring vendors, call centers, public relations companies and settlements should be anticipated. The firms to be hired, the rates they will charge and the terms of reimbursement to the acquiring company should be outlined in the agreement.

Many businesses have also turned to cyber insurance as a means to transfer cyber risk. In fact, the cyber insurance industry has grown to $2 billion in written premiums, with some expecting it to double by 2020. Cyber policies typically cover a named insured and any subsidiaries at the time of policy inception. Parties in a merger should be aware that M&A activity will likely have an impact on existing cyber insurance policies and often require engagement with insurance companies. When an insured makes an acquisition during the policy term, the insurance carrier often requires notification of the transaction pursuant to policy terms specifically outlined in the policy. Because cyber insurance policies are written on manuscript forms, there is no one standard notification requirement, and compliance terms will vary from insurance company to insurance company. If the target company has revenue or assets over a certain threshold, the named insured may be required to:

  • ƒProvide written notice to the insurance carrier before closing;
  • Include detailed information of the newly acquired entity;
  • Obtain the insurer’s written consent for coverage under the policy;
  • Agree to pay additional premium;
  • Be subject to additional policy terms.

Cyber risk can have a huge impact on any M&A activity. Legal liability and the means to transfer it should be a top priority during the transaction. There likely will be a big impact on existing insurance coverage. All parties need to focus on their rights and responsibilities and must engage the right experts to maximize protections in the process.