Tag Archives: cyber risk

New Picture of Total Digital Health

As the CEO of an identity security company, I share a perspective with many cyber insurers: Cybercrime is frequent and widespread and can happen to anyone. With cyber risk increasing with every data breach, phishing scam and identity threat, it’s time that digital health is taken as seriously as physical health. 

So, what does it mean to stay digitally healthy today? The world is just too complicated for a silver bullet strategy. Digital health is a set of offensive and defensive actions that, layered together, form a new picture of safety. 

Cyber insurance is a critical piece of the puzzle, and one we think is becoming increasingly important for both small businesses and individuals – often underserved markets. Complacency is no longer an option.

A Complex New Landscape 

In just a few short years, we went from using our smartphones primarily to stay caught up on email and social media to managing almost every aspect of our increasingly digital personal and professional lives on our phones. As the technology landscape has evolved, so too has the threat landscape. At the same time, individuals’ and small businesses’ ability to manage all the risk hasn’t kept up.

A global pandemic has driven digital transactions even higher, and more organizations than ever are storing personal information and using technology providers to help manage and deliver the digital services people need and expect. Most people nowadays have no idea which, and how many, technology providers have their personal information. Even consumers with excellent digital literacy and hygiene simply don’t know what they don’t know when it comes to how their sensitive personal information is being exposed and potentially misused.

Cyber threats can come from anywhere and are fueled by forces that are difficult to control. Cyber attacks and the resulting data breaches happen with alarming regularity, but remaining vigilant and knowing what to do is an extremely difficult task when there are no universal best practices around data breach notifications.

Most people do not realize how vulnerable they are, and, despite the evidence to the contrary, think a cyber attack won’t happen to them. In today’s complex and rapidly evolving landscape, more insurers will need to act as educators and ensure that the cyber policies they are selling reflect the myriad of modern risks. In the interest of both the client and the insurer, cyber insurance should be combined with other solutions for a comprehensive approach.

Personal and Organizational Security Risks Are Linked

The online risk that each person carries follows them through life. It doesn’t just threaten their personal financial accounts – which is bad enough – but the businesses and organizations they work for, too. More sophisticated cyber attacks now target individuals with convincing email and phishing scams that are used to gain access to enterprise systems, or to trick them into becoming unwilling accomplices in fraud. Cyber risks flow in all directions: from organizations to individuals, who introduce them back into stakeholder organizations.

So even when a small business has robust cybersecurity defenses in place, each individual introduces their own set of vulnerabilities to the organization. And, for the complicated reasons mentioned above, these risks go largely unaddressed. 

It’s time to understand and accept that the problem of online security has grown too complex for most to manage alone. Individual security and organizational security are inextricably linked, so it’s in everyone’s interest to combat the modern challenges with robust protections.

Cyber insurers can help stem the tide of cybercrime – and protect their own interests in the process – by helping more organizations play a role in keeping individuals protected. This involves looking at all audiences that could be affected by a cyber attack on the organization, from prospects to customers to employees and vendor partners. If insurers help educate organizational customers on the complex and related cyber risks, they can move the needle of protection forward meaningfully with appropriate cyber coverages.

The question of total digital health is constantly evolving, and the solutions must be as dynamic as the problem. Cyber insurance has an important part to play in helping people manage – and master – the risks introduced daily by the technology that plays a starring role in life today.

Increased Threats for Manufacturers

Let’s be honest: Operational motivations are about speed and efficiency, not security. For manufacturing organizations to effectively manage cyber risk, they first need to understand that the global digital transformation making businesses run smarter and more efficiently is also creating a widening security gap that must be addressed. 

Creating Industry 4.0

In manufacturing, investments are largely motivated by the pursuit of increased operational effectiveness and efficiency: doing more for a lower per-unit cost. Often, these investments manifest as new operational technology (OT), for instance to enable higher degrees of automation, accelerated assembly timelines and improved real-time insights. New OT gets added to a large information technology (IT) stack, which has often been built over several decades; in that time, the IT stack has become a complex mix of legacy, aging and modern solutions held together by vulnerable protocols and a “don’t touch what isn’t broken” stability strategy.

Industry 4.0, driven by the pursuit of OT, is the connection of industrial equipment that accesses and analyzes centralized operational data. In essence, this is the next industrial revolution in advanced manufacturing and smart, connected, collaborative factories. This new paradigm is characterized by the action of the physical world becoming a type of information system through sensors and actuators embedded in objects and linked through networks. Beyond having the potential to completely change material and manufacturing processes, Industry 4.0 is expected to contribute to more efficient operations by aggregating data across all facilities, letting companies monitor, measure and improve performance. 

This digital transformation introduces new generations of intelligent solutions and integrates these solutions into existing manufacturing processes and technologies including SCADA/ICS and PLCs. In many cases, this collection is controlled by a manufacturing execution system (MES), which is tightly integrated into the manufacturing organization’s ERP system.

The Threats Grow

Unfortunately, this pursuit of improved operations comes with an unintended consequence: a widening security gap. As manufacturing has become more connected, the threat surface—the collection of points an attacker can use to try to gain access—has increased substantially and now extends from endpoints and networks into cloud services. In fact, the entire manufacturing process (and, by extension, the company that depends on that process running effectively) is more vulnerable to cyberattacks. From opportunistic attacks using commodity malware as a service, to sophisticated hands-on-keyboard attacks that surgically evade defenses, to advanced persistent threats that can operate for years undetected, to industrial espionage using legitimate credentials harvested from phishing campaigns—the list is long, and the consequences can be devastating. 

Modern threats can readily bypass legacy antivirus solutions and take advantage of vulnerability windows. Organizations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks, mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response to security incidents. 

As the knowledge of the growing threat landscape solidifies, tension develops between two core factions: OT and IT. Security was a distant priority when vendors created their new OT solutions, yet IT understands the security risks and best practices and wants to take the time to do things as safely as possible. OT is under pressure to hit targets and can feel like IT is slowing them down by unnecessarily overstating the risks. Plus, manufacturers must grapple with systemic vulnerabilities in operating systems and control systems. For instance, it’s important to recognize that many industrial communication standards don’t even consider security because they are based on the old firewall model of complete trust within the network. 

But from the shadows comes a third party: attackers. These bad actors see highly connected, unprotected systems built by vendors that know very little about system security and that are content to pass risk to their customer—the manufacturing organization. 

Additionally, the supply chain is vulnerable. As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal activities. A Spiceworks survey of 600 IT and security decision-makers that asked about supply chains highlights this risk. 

While the majority of respondents felt confident in their vendors to keep data safe, nearly half (44%) of firms had experienced a significant, business-altering data breach caused by a vendor. Human error and stolen passwords accounted for 26% of the breaches, while malware played a key role in half of the attacks. 

While past attacks against major manufacturers and industrial facilities were espionage believed to be sponsored by nation states and based on ideology, many of the latest attacks are the work of cyber criminals motivated purely by profit. Of course, criminals don’t need to shut down a facility to extract payment. In many cases they exfiltrate sensitive information (trade secrets, proprietary data and intellectual property, financial details, private emails, account credentials) and then threaten to release it publicly if a ransom isn’t paid. In some cases, attackers have even weaponized regulations like GDPR, which impose fines when breaches compromise personal information. 

As operational and information technologies converge following an almost predictable path of profit-driven natural selection, the leaders of each group have yet to attain a similar level of integration. The operational groups lack the security expertise of their IT counterparts, and IT experts are often excluded from operational decisions, creating an inherent vulnerability that reaches to the top of the organization.

Cybersecurity is not an IT problem to solve; it’s a business risk to manage. Until manufacturers realize that OT and IT are not in competition with each other, they will remain easy prey for cybercriminals who recognize this philosophical flaw and are willing to exploit it.

Cyber Risk Impact of Working From Home

The novel coronavirus (COVID-19) and the resultant move to widespread homeworking has created vulnerabilities for criminals to exploit. Homeworking has exposed new access points for cyber criminals to gain entry to corporate systems, including domestic PCs, laptops and Wi-Fi routers. Homeworking has also led to a diminution in employees’ distinction between work and personal emails, to increasing usage of devices with insecure passwords and to use of online applications that would be prohibited in the corporate environment due to security concerns.

Criminals have also exploited the public’s need for information on COVID-19 to create a range of social media and text message attacks, particularly in those countries worst affected by the virus. In addition, the rapid rise of online shopping due to lockdown has exposed the public to a higher level of well-established cyber scams such as form-jacking and spoofing.

Any organization that rapidly deployed new technology, applications, services or systems at the onset of the pandemic should now be focused on taking a look back and ensuring that the organization has implemented best practices in security configuration and architecture. Many organizations are discovering that their rapid deployments, while necessary, may have introduced undesirable security vulnerabilities.

In a new report, Darren Thomson, Head of Cyber Security Strategy at CyberCube; Jon Laux, Head of Cyber Analytics, Reinsurance Solutions, at Aon; and Rebecca Bole, Head of Industry Engagement at CyberCube, explore the changes to our digital landscape and lay out ways to head off problems.

A video featuring Jon and Darren discussing some of the report’s key findings can be found on CyberCube’s YouTube channel. Here is a press release.

Coronavirus Boosts Cyber Risk

Concern about the spread of the coronavirus has triggered the largest “work-from-home” mobilization in history. Here are practical steps that organizations can take to remain cyber resilient amid the crisis.

The outbreak of COVID-19 has caused significant disruption to businesses and a degree of panic within the employee community. Companies across Asia have activated contingency and business continuity plans and have allowed or instructed employees to work from home to limit the spread of the virus. In a new reality where millions of people are working remotely, secure networks are now more critical than ever. To remain operational and secure, Aon recommends that companies take the following steps:

Defend Against the Phishing Wave

Malicious actors will leverage the intense focus placed on the virus and the fear and panic it creates. Security researchers have already observed phishing emails posing as alerts regarding COVID-19. These emails will typically contain attachments that purport to offer information about the outbreak or updates on how recipients may stay safe. In an environment where people are stressed and hungry for more information, there is a lack of commitment to security best practices.

This is the time for organizations to remind employees of the need for vigilance and the dangers of opening attachments and links from untrusted sources. Running a simulated spear phishing campaign can also demonstrate the level of resilience to these attacks. At a more technical level, up-to-date antivirus and monitoring tools can limit the effectiveness of successful spear phishing attacks.

Test System Preparedness

Organizations will be experiencing an unprecedented amount of traffic accessing the network remotely. Companies with an agile workforce have been preparing for this contingency for some time and will be well-equipped to maintain network integrity through the use of sophisticated virtual private networks (VPNs) and multi-factor authentication. Enterprise security teams are advised to increase monitoring for attacker activities deriving from work-from-home users, as employees’ personal computers are a weak point that attackers will leverage to gain access to corporate resources.

For those less prepared, COVID-19 presents a challenge. There is a risk that the increased volume of network traffic will strain IT systems and personnel and that employees will be accessing sensitive data and systems via unsecure networks or devices. We recommend that these organizations migrate as quickly as possible to remote working and bring-your-own-device (BYOD) standards. Virtual private networks (VPNs) should be patched regularly (for example, a vulnerability in the Pulse Secure VPN was patched in April 2019, but companies that failed to update were falling victim to ransomware in December), and networks should be load-tested to ensure that the increased traffic can be handled.

Brace for Disruption

A remote workforce can make it more difficult for IT staff to monitor and contain threats to network security. In an office environment, when a threat is detected, IT can immediately quarantine the device, disconnecting the endpoint (i.e., the compromised computer) from the corporate network while conducting investigations. Where users are working remotely, organizations should ensure that, to the extent possible, IT and security colleagues are readily contactable and ideally able to physically address a compromise at its source. Sophisticated endpoint detection and response (EDR) software can also be used to quarantine workstations remotely, limiting the potential for malicious actors to move through the network.

As this risk moves beyond the technical, companies should adopt an enterprise risk approach. This can include rehearsing business continuity plans (BCP) and senior management response through tabletop crisis simulations that focus on cyber scenarios as well as how pandemics and other similarly disruptive events are likely to affect automation, connectivity and cyber resilience.

Companies can also safeguard against the increased risk of disruption through a robust cyber insurance policy that, in the event of a digital disruption to systems, can provide cover for business interruption losses, as well as the costs of engaging forensic experts to investigate and remediate a breach.

COVID-19 presents a range of challenges to businesses across Asia, but developments in technology since the SARS outbreak mean companies can remain operational and nimble in the face of uncertainty. Keeping one eye on the pervasive cyber threat in the midst of this crisis is critical to ensuring continuing success.

4 Ways to Boost Cybersecurity

Cybersecurity threats faced by insurance companies are growing and evolving at an alarming rate. This has been spurred by many factors, including the internet of things (IoT). While the IoT presents opportunities for insurers, it also exposes security gaps. The severity and frequency of cyber-attacks are likely to increase.

Insurers must commit to protecting sensitive customer information in a compliant and reliable way. The cybersecurity threat is huge. It is time for insurance companies to reboot their approaches to cybersecurity.

Common cybersecurity threats facing the insurance industry

Cyber-extortion

Cyber extortion is becoming an increasingly common problem. Some types of ransomware attacks are so effective that victims may be forced to meet the attacker’s demands and pay a hefty ransom to get their systems running again.

Automated threats

Credential cracking, vulnerability scanning, bad bots, credential stuffing and denial of service can potentially shut down a company’s systems quickly.

Identity theft and loss of confidential data

Identity theft may result from systems’ vulnerability to data breaches. For instance, files stored on a firm’s local servers may not be protected adequately. Insurers collect and store sensitive personal client information. This information can be particularly valuable for attackers to sell in black markets. They can use it as a tool for fraud, extortion, unauthorized borrowing and many other financial crimes.

Business disruption and reputation damage

Cyber-attacks can seriously disrupt business. For instance, a cyber-attack on Sony Pictures erased its computer infrastructure, including telephone directories, emails, voicemails and business records like contract templates. A malicious attack like this on an insurer could disrupt operations for months.

The foundation of any insurance business is policyholder trust. If an insurance company were to suffer a data breach exposing policyholder information or a cyber-attack that renders it unable to conduct normal operations, that trust would be shaken. This, in turn, can lead to reputation damage that may hurt the confidence of investors, consumers, policyholders and rating agencies.

Four tips for boosting security

1. Assess your defense capabilities realistically

Pressure-testing the company’s defenses can determine whether they can repel targeted, high-impact attacks, whether external or internal. The testing includes vulnerability assessment, testing programs, penetration tests and scenario-based testing. Consider hiring a cyber-security firm to test your defenses.

2. Invest in early detection

Insurers need to continually invest and innovate to thwart potential attackers. Early detection is crucial. Otherwise, a cyber-attack can sit undetected for weeks.

Efficient and quick detection and response will help determine the source of the attack, the systems targeted, and its extent and cause. Then, the threat can be neutralized before damage is done. Insurers need to invest in technology. There is a wide range of software solutions that provide near-real-time threat detection.

3. Make cybersecurity everyone’s job

While implementing sophisticated systems will reduce external threats, insurers tend to neglect internal threats such as human error, which could include revealing customer data in response to a convincing phishing email. Cybersecurity awareness among employees can significantly decrease the risk of cyber-attacks resulting from human error.

Alert employees can provide early detection. An Accenture survey found that up to 98% of security breaches that are not detected by a firm’s security team are discovered by employees.

4. Learn from the past and evolve

Effective cybersecurity requires insurers to learn from previous cyber incidents and use the learning to improve planning and technology investments. Solutions include:

  • Upgrading systems: Using last-generation or unpatched security software provides easy fodder for cyber attackers. Speak to your IT consultant about upgrading your systems.
  • Migrating systems to the cloud: The cloud provides users a wide range of compliant and secure storage solutions. Choose a cloud provider that offers the highest possible security.
  • Implementing appropriate security software, protocols, and appliances: This will effectively shield data and systems from automated threats.
  • Establishing a disaster recovery plan: Despite all efforts, systems can be breached. Have a detailed up-to-date plan so that you can respond effectively to any problem, major or minor.

Cyber-crooks are relentless and determined. Security is a continuing battle. You can’t afford to let down your guard for a second. Staying one step ahead of hackers takes constant effort.