Tag Archives: cyber risk

Increased Threats for Manufacturers

Let’s be honest: Operational motivations are about speed and efficiency, not security. For manufacturing organizations to effectively manage cyber risk, they first need to understand that the global digital transformation making businesses run smarter and more efficiently is also creating a widening security gap that must be addressed. 

Creating Industry 4.0

In manufacturing, investments are largely motivated by the pursuit of increased operational effectiveness and efficiency: doing more for a lower per-unit cost. Often, these investments manifest as new operational technology (OT), for instance to enable higher degrees of automation, accelerated assembly timelines and improved real-time insights. New OT gets added to a large information technology (IT) stack, which has often been built over several decades; in that time, the IT stack has become a complex mix of legacy, aging and modern solutions held together by vulnerable protocols and a “don’t touch what isn’t broken” stability strategy.

Industry 4.0, driven by the pursuit of OT, is the connection of industrial equipment that accesses and analyzes centralized operational data. In essence, this is the next industrial revolution in advanced manufacturing and smart, connected, collaborative factories. This new paradigm is characterized by the action of the physical world becoming a type of information system through sensors and actuators embedded in objects and linked through networks. Beyond having the potential to completely change material and manufacturing processes, Industry 4.0 is expected to contribute to more efficient operations by aggregating data across all facilities, letting companies monitor, measure and improve performance. 

This digital transformation introduces new generations of intelligent solutions and integrates these solutions into existing manufacturing processes and technologies including SCADA/ICS and PLCs. In many cases, this collection is controlled by a manufacturing execution system (MES), which is tightly integrated into the manufacturing organization’s ERP system.


The Threats Grow

Unfortunately, this pursuit of improved operations comes with an unintended consequence: a widening security gap. As manufacturing has become more connected, the threat surface—the collection of points an attacker can use to try to gain access—has increased substantially and now extends from endpoints and networks into cloud services. In fact, the entire manufacturing process (and, by extension, the company that depends on that process running effectively) is more vulnerable to cyberattacks. From opportunistic attacks using commodity malware as a service, to sophisticated hands-on-keyboard attacks that surgically evade defenses, to advanced persistent threats that can operate for years undetected, to industrial espionage using legitimate credentials harvested from phishing campaigns—the list is long, and the consequences can be devastating. 

Modern threats can readily bypass legacy antivirus solutions and take advantage of vulnerability windows. Organizations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks, mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response to security incidents. 

As the knowledge of the growing threat landscape solidifies, tension develops between two core factions: OT and IT. Security was a distant priority when vendors created their new OT solutions, yet IT understands the security risks and best practices and wants to take the time to do things as safely as possible. OT is under pressure to hit targets and can feel like IT is slowing them down by unnecessarily overstating the risks. Plus, manufacturers must grapple with systemic vulnerabilities in operating systems and control systems. For instance, it’s important to recognize that many industrial communication standards don’t even consider security because they are based on the old firewall model of complete trust within the network. 

But from the shadows comes a third party: attackers. These bad actors see highly connected, unprotected systems built by vendors that know very little about system security and that are content to pass risk to their customer—the manufacturing organization. 

Additionally, the supply chain is vulnerable. As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal activities. A Spiceworks survey of 600 IT and security decision-makers that asked about supply chains highlights this risk. 

While the majority of respondents felt confident in their vendors to keep data safe, nearly half (44%) of firms had experienced a significant, business-altering data breach caused by a vendor. Human error and stolen passwords accounted for 26% of the breaches, while malware played a key role in half of the attacks. 

While past attacks against major manufacturers and industrial facilities were espionage believed to be sponsored by nation states and based on ideology, many of the latest attacks are the work of cyber criminals motivated purely by profit. Of course, criminals don’t need to shut down a facility to extract payment. In many cases they exfiltrate sensitive information (trade secrets, proprietary data and intellectual property, financial details, private emails, account credentials) and then threaten to release it publicly if a ransom isn’t paid. In some cases, attackers have even weaponized regulations like GDPR, which impose fines when breaches compromise personal information. 


As operation and information technologies converge following an almost predictable path of profit-driven natural selection, the leaders of each group have yet to attain a similar level of integration. The operational groups lack the security expertise of their IT counterparts, and IT experts are often excluded from operational decisions, creating an inherent vulnerability that reaches to the top of the organization.

Cybersecurity is not an IT problem to solve; it’s a business risk to manage. Until manufacturers realize that OT and IT are not in competition with each other, they will remain easy prey for cybercriminals who recognize this philosophical flaw and are willing to exploit it.

Cyber Risk Impact of Working From Home

The novel coronavirus (COVID-19) and the resultant move to widespread homeworking has created vulnerabilities for criminals to exploit. Homeworking has exposed new access points for cyber criminals to gain entry to corporate systems, including domestic PCs, laptops and Wi-Fi routers. Homeworking has also blurred the distinction employees draw between work and personal emails, led to increased use of devices with insecure passwords and encouraged the use of online applications that would be prohibited in the corporate environment due to security concerns.

Criminals have also exploited the public’s need for information on COVID-19 to create a range of social media and text message attacks, particularly in those countries worst affected by the virus. In addition, the rapid rise of online shopping due to lockdown has exposed the public to a higher level of well-established cyber scams such as form-jacking and spoofing.

Any organization that rapidly deployed new technology, applications, services or systems at the onset of the pandemic should now be focused on taking a look back and ensuring that the organization has implemented best practices in security configuration and architecture. Many organizations are discovering that their rapid deployments, while necessary, may have introduced undesirable security vulnerabilities.

In a new report, Darren Thomson, Head of Cyber Security Strategy at CyberCube; Jon Laux, Head of Cyber Analytics, Reinsurance Solutions, at Aon; and Rebecca Bole, Head of Industry Engagement at CyberCube; explore the changes to our digital landscape and lay out ways to head off problems.

A video featuring Jon and Darren discussing some of the report’s key findings can be found on CyberCube’s YouTube channel. A press release is also available.

Coronavirus Boosts Cyber Risk

Concern about the spread of the coronavirus has triggered the largest “work-from-home” mobilization in history. Here are practical steps that organizations can take to remain cyber resilient amid the crisis.

The outbreak of COVID-19 has caused significant disruption to businesses and a degree of panic within the employee community. Companies across Asia have activated contingency and business continuity plans and have allowed or instructed employees to work from home to limit the spread of the virus. In a new reality where millions of people are working remotely, secure networks are now more critical than ever. To remain operational and secure, Aon recommends that companies take the following steps:

Defend Against the Phishing Wave

Malicious actors will leverage the intense focus placed on the virus and the fear and panic it creates. Security researchers have already observed phishing emails posing as alerts regarding COVID-19. These emails will typically contain attachments that purport to offer information about the outbreak or updates on how recipients may stay safe. In an environment where people are stressed and hungry for more information, there is a lack of commitment to security best practices.

This is the time for organizations to remind employees of the need for vigilance and the dangers of opening attachments and links from untrusted sources. Running a simulated spear phishing campaign can also demonstrate the level of resilience to these attacks. At a more technical level, up-to-date antivirus and monitoring tools can limit the effectiveness of successful spear phishing attacks.

Test System Preparedness

Organizations will be experiencing an unprecedented amount of traffic accessing the network remotely. Companies with an agile workforce have been preparing for this contingency for some time and will be well-equipped to maintain network integrity through the use of sophisticated virtual private networks (VPNs) and multi-factor authentication. Enterprise security teams should increase monitoring for attacker activity originating from work-from-home users, as employees’ personal computers are a weak point that attackers will leverage to gain access to corporate resources.

For those less prepared, COVID-19 presents a challenge. There is a risk that the increased volume of network traffic will strain IT systems and personnel and that employees will be accessing sensitive data and systems via unsecured networks or devices. We recommend that these organizations migrate as quickly as possible to remote working and bring-your-own-device (BYOD) standards. Virtual private networks (VPNs) should be patched regularly (for example, a vulnerability in the Pulse Secure VPN was patched in April 2019, but companies that failed to update were falling victim to ransomware in December), and networks should be load-tested to ensure that the increased traffic can be handled.


Brace for Disruption

A remote workforce can make it more difficult for IT staff to monitor and contain threats to network security. In an office environment, when a threat is detected, IT can immediately quarantine the device, disconnecting the endpoint (i.e., the compromised computer) from the corporate network while conducting investigations. Where users are working remotely, organizations should ensure that, to the extent possible, IT and security colleagues are readily contactable and ideally able to physically address a compromise at its source. Sophisticated endpoint detection and response (EDR) software can also be used to quarantine workstations remotely, limiting the potential for malicious actors to move through the network.

As this risk moves beyond the technical, companies should adopt an enterprise risk approach. This can include rehearsing business continuity plans (BCP) and senior management response through tabletop crisis simulations that focus on cyber scenarios as well as how pandemics and other similarly disruptive events are likely to affect automation, connectivity and cyber resilience.

Companies can also safeguard against the increased risk of disruption through a robust cyber insurance policy that, in the event of a digital disruption to systems, can provide cover for business interruption losses, as well as the costs of engaging forensic experts to investigate and remediate a breach.

COVID-19 presents a range of challenges to businesses across Asia, but developments in technology since the SARS outbreak mean companies can remain operational and nimble in the face of uncertainty. Keeping one eye on the pervasive cyber threat in the midst of this crisis is critical to ensuring continuing success.

4 Ways to Boost Cybersecurity

Cybersecurity threats faced by insurance companies are growing and evolving at an alarming rate. This has been spurred by many factors, including the internet of things (IoT). While the IoT presents opportunities for insurers, it also exposes security gaps. The severity and frequency of cyber-attacks are likely to increase.

Insurers must commit to protecting sensitive customer information in a compliant and reliable way. The cybersecurity threat is huge. It is time for insurance companies to reboot their approaches to cybersecurity.

Common cybersecurity threats facing the insurance industry

Cyber-extortion

Cyber extortion is becoming an increasingly common problem. Some types of ransomware attacks are so effective that victims may be forced to meet the attacker’s demands and pay a hefty ransom to get their systems running again.

Automated threats

Credential cracking, vulnerability scanning, bad bots, credential stuffing and denial of service can potentially shut down a company’s systems quickly.

Identity theft and loss of confidential data

Identity theft may result when system vulnerabilities lead to data breaches. For instance, files stored on a firm’s local servers may not be protected adequately. Insurers collect and store sensitive personal client information. This information can be particularly valuable for attackers to sell in black markets, where buyers use it as a tool for fraud, extortion, unauthorized borrowing and many other financial crimes.

Business disruption and reputation damage

Cyber-attacks can seriously disrupt business. For instance, a cyber-attack on Sony Pictures erased its computer infrastructure, including telephone directories, emails, voicemails and business records like contract templates. A malicious attack like this on an insurer could disrupt operations for months.


The foundation of any insurance business is policyholder trust. If an insurance company were to suffer a data breach exposing policyholder information or a cyber-attack that renders it unable to conduct normal operations, that trust would be shaken. This, in turn, can lead to reputation damage that may hurt the confidence of investors, consumers, policyholders and rating agencies.

Four tips for boosting security

1. Assess your defense capabilities realistically

Pressure-testing the company’s defenses can determine whether they can repel targeted, high-impact attacks, whether external or internal. The testing includes vulnerability assessment, testing programs, penetration tests and scenario-based testing. Consider hiring a cyber-security firm to test your defenses.

2. Invest in early detection

Insurers need to continually invest and innovate to thwart potential attackers. Early detection is crucial. Otherwise, a cyber-attack can sit undetected for weeks.

Efficient and quick detection and response will help determine the source of the attack, the systems targeted, and the extent and cause of the compromise. Then, the threat can be neutralized before damage is done. Insurers need to invest in technology. There is a wide range of software solutions that provide near-real-time threat detection.

3. Make cybersecurity everyone’s job

While implementing sophisticated systems will reduce external threats, insurers tend to neglect internal threats such as human error, which could include revealing customer data in response to a convincing phishing email. Cybersecurity awareness among employees can significantly decrease the risk of cyber-attacks resulting from human error.

Alert employees can provide early detection. An Accenture survey found that up to 98% of security breaches that are not detected by a firm’s security team are discovered by employees.

4. Learn from the past and evolve

Effective cybersecurity requires insurers to learn from previous cyber incidents and use the learning to improve planning and technology investments. Solutions include:

  • Upgrading systems: Using outdated or unpatched security software provides easy fodder for cyber attackers. Speak to your IT consultant about upgrading your systems.
  • Migrating systems to the cloud: The cloud provides users a wide range of compliant and secure storage solutions. Choose a cloud provider that offers the highest possible security.
  • Implementing appropriate security software, protocols, and appliances: This will effectively shield data and systems from automated threats.
  • Establishing a disaster recovery plan: Despite all efforts, systems can be breached. Have a detailed up-to-date plan so that you can respond effectively to any problem, major or minor.


Cyber-crooks are relentless and determined. Security is a continuing battle. You can’t afford to let down your guard for a second. Staying one step ahead of hackers takes constant effort.

Clarity of History Can Reduce Cyber Risk

Indemnity, through the use of insurance, has a long pedigree. However, insurance as we know it today did not really start until the end of the 17th century. It was at that point that insurance companies started to be formed to combat one of the oldest enemies of civilization: untamed fire. Moreover, fire insurance companies understood their enemy well and worked swiftly to combat it; those efforts ultimately gave rise to our present day in which millions of people around the world live largely free from the threat of a fire destroying a neighborhood or city. That pedigree sired all the forms of insurance that we know today, whether it be general liability or cyber liability. However, the landscape, as it relates to cyber liability and technology E&O, does not show the responsible insurance traits that such thorough breeding would be expected to produce, and we need to review three prominent examples of where cyber liability and technology E&O insurers are not only giving their enemy, hackers, the upper hand but are also endangering their own existence.

Perhaps one of the most recent blatant examples of how insurers are failing their lineal forebears occurred toward the end of 2018 when an insurer created a partnership with one of the world’s largest e-commerce merchants to provide physical cyber tools to policyholders to help “protect” homes. All the available evidence suggests that the cyber tools were championed by the insurer without the organization having done considerable research on, and testing of, the physical devices to ensure that they were highly resistant to being hacked. None of the products the insurer recommended were rated as “secure” by any respected independent testing lab. In fact, none of the products were rated “secure” on the manufacturer’s website. For a cyber liability insurer that also offers homeowners and renters insurance, the championing of such products directly undermined the insurer’s cybersecurity credibility and sullied its pedigree, all for marginally increasing its bottom line.


Another timely and alarming example of an unfortunate mistake of cyber liability insurers is the recent creation of the Global Cyber Alliance and the Cybersecurity Tech Accord. The effort of both is to create a cooperative atmosphere in the private sector to combat cybersecurity threats while also working to provide responsible cyber products. There are many respectable companies that belong to each organization, but not one cyber liability or technology E&O insurer can be found among the members of either organization. When we read in the news that company ABC suffered a $40 million data breach, that means, assuming the organization had a cyber liability policy, that millions of dollars are being lost by the cyber liability insurer. Due to the current and highly competitive cyber market, the premiums of cyber liability policies are not typically commensurate with the amount of risk and financial loss to appropriately offset the millions of dollars the insurers pay out in such a breach. Thus, insurers mistakenly are not advocating or supporting the very organizations, like the Cyber Tech Accord, that are indirectly trying to help them reduce their losses and those of their clients.

Illustrative of a mistake by cyber liability insurers in this matter is something that insurers say. It is not uncommon to read in a cyber liability brochure that the insurer is not going to restore a client to a better state than the one the policyholder had prior to a cyber breach. On its face, the logic is reasonable and even is in the pedigree of fire insurance companies. After all, fire insurance companies would not build a person a five-bedroom, four-bath home with a four-car garage when a person’s two-bedroom, one-bath home with no garage burned down.

However, fire insurance also followed the principle of indemnity, and that principle clearly states that an insured is to be restored to her original condition after a fire. Cyber liability insurance policies DO NOT FOLLOW the principle of indemnity, and that distinction matters considerably.

There is no reasonable way to calculate how much a cyber liability breach will cost an insured or her cyber liability insurer. After all, laws across the U.S., let alone the world, vary in their intent and letter as to what needs to be done after a cyber breach. Not only that, but the size of a company, how a company was breached, when it was breached, what was stolen, if anything, what was done with what was stolen and a number of other important factors inextricably but subjectively determine the impact a breach will have on a client. That those factors are subjective in their cost means that all insurers have no accurate way of determining the cost of a breach. When a $500,000 home burned down, an insurer could reasonably expect the cost of replacing that home to be within a certain percentage of $500,000. When a major retailer suffered a cyber breach in 2013, the annual report the following year specifically stated that it did not know what the true cost of the breach would be, but it was expecting the cost to increase beyond the initial amount. If such a policyholder was unable to determine the true cost of the breach, then how could the insurers of its cyber liability policy know, either?

One of the major tools that fire insurance companies used in the past to combat fires was to understand how susceptible a building material was to being damaged by fire. However, to this date cyber liability insurers have not founded an institute, funded by themselves, created for the express purpose of determining the quality of products that have a direct impact on policyholders’ ability to resist attack. This in turn creates an inextricable link to a policyholder’s sense of cybersecurity safety. Cyber liability organizations sometimes use the services of a cybersecurity firm to determine, prior to underwriting a policy, whether an applicant’s network exhibits any signs of unusual network activity that could be suggestive of a cyber breach. However, that is an inadequate way of providing a policyholder with any meaningful comfort, let alone giving an insurer a solid basis to believe a risk is worth underwriting. In fact, the closest organizations that exist for the express purpose of determining a product’s cybersecurity strength are Cyber ITL (Independent Testing Lab) and NIST (National Institute of Standards and Technology). However, neither of those organizations was created by insurance companies, and neither has the vested interest that insurers have in protecting their policyholders and guaranteeing that cyber liability remains profitable to underwrite. Therefore, it is time for all cyber liability insurers to either join with an organization like Cyber ITL or create their own like-kind organization. The browser application, the version number of a browser application, what operating system is used, what kind of router a computer is connected to, what kind of firewall is in place and numerous other factors all play a part in increasing or decreasing the strength of users’ cybersecurity. However, until cyber liability insurers measure and rate everything that pertains to cybersecurity, they and a vast majority of their clients will be allowing hackers to gain an undeserved advantage.

Beyond the need for an independent testing lab there are other measures that insurers need to take, and these measures have been previously proposed. However, it is extremely unfortunate that insurers have yet to rally to the cause of their clientele by implementing the following strategies.

In the April 2016 edition of the PLUS Journal, it was argued that insurers need to work with other companies involved in technology, marketing, lending and other parts of the private sector to create an international competition. This competition would give students a creative outlet to display their skills, whether they be in coding, design or writing. By establishing such a competition and working with educators, worldwide insurers and other companies can give pre-college students the ability to demonstrate, on a world stage, the ingenuity and adaptive reasoning that bright young people often possess. However, the benefit of the competition is not only for the students; it absolutely benefits the corporate sponsors of the international competition. For insurers, it allows them to persuade students that the insurance realm is a viable and worthwhile place in which to work. It also allows insurers to gain the opportunity to create a list of candidates from which to recruit when the winners of the international competition graduate from university. The same list of students that insurers create can also be used for their clients when they need to hire a software engineer or a laureate. If insurers have some of the brightest and most talented young people working for them, they can create more efficient internal systems and more advanced lines of insurance coverage, and they can also provide better methods for ensuring that their policyholders have the right tools with which to mitigate cybersecurity risk.

Additionally, it is not profitable or reasonable to believe that cyber liability follows the principle of indemnity, because believing that hurts the insurer and, to a greater extent, the insured. If an insured uses the same computer, router, browser and other items after a breach has been fixed that were used prior to the breach, then there is nothing to stop another breach from occurring. In the near term, to reduce the number of clients suffering recurring breaches, an insurer should pay for one year of monitoring by a respectable cybersecurity firm. It would also be useful to conduct an on-site visit by an auditor three to six months after the original breach has been fixed to see what steps the insured has taken to prevent future ones. In time, if an independent testing lab is established, an insurer could even offer a policyholder an improved router and firewall to further protect the client. The less susceptible any client is to an attack, the less likely a claim will arise, and fewer claims means more underwriting profit.


However, technology E&O insurers also bear a responsibility for helping to prevent cyber breaches. After all, how well a software engineer or an electrical engineer writes software code or builds physical products is the basic element that will later determine, to a high degree, whether a breach occurs or not. Technology E&O insurers need to work with universities to establish teaching standards that are uniform across the globe and engineering standards in the workplace that establish the highest minimum standard possible. In the January 2016 edition of the PLUS Journal, it was also demonstrated that technology E&O policies can be written to encourage more responsible software engineering practices to further minimize claims. If the above practices are put into place, then perhaps lives lost to faulty software, like those in the recent two plane crashes of a U.S.-based commercial jet manufacturer, need not happen in the future.

The closest fire insurance companies had to a dynamic enemy were arsonists, who were few and far between. Despite the general absence of an active enemy, those organizations spent about 200 years directly influencing the development of urban landscapes, whether through building codes or the layout of a city. Today, their efforts have largely paid off because they acknowledged the challenges they faced and met them with courage and creativity. They did not accept that they could do nothing to make their clients safe or secure their profitability. However, today, beyond a few web portals that insurers or third parties have created that can provide minor tools to a policyholder, and beyond creating semi-close relationships with some members of the cybersecurity community, cyber liability and technology E&O insurers have spent a significant part of the 21st century accepting losses, writing checks and never acknowledging that hackers and poorly crafted technology products are their mortal enemies. Hackers are costing the global economy tens of billions of dollars, if not more, every year, and businesses are closing or suffering severe financial loss because of cyber breaches. How many more people must die and how much insecurity must exist in this world before insurers acknowledge that the war is here, and the enemy is at the doors of organized civilized societies? When will insurers take the prudent course and glean from history and their forebears all the lessons they offer, and in so doing prove that they are worthy of their trust?