Tag Archives: cyber security

Why Cyber Strategies Need Personalization

Personalization has taken a variety of industries by storm. Retailers base marketing campaigns on individual customer preferences; financial institutions are revamping their user experiences to cater to specific demographics; and healthcare organizations are offering services based on patient needs and family history. Without the ever-helpful “you may also like” features and individually customized dashboards, companies like Amazon and Netflix would be nearly unrecognizable, and certainly less appealing.

There’s one critical aspect of business — something that affects every industry — that’s woefully behind on personalization, however: cyber protection. With media outlets constantly reporting on the latest large-scale data breach like this summer’s Quest Diagnostic attack or the First American Financial leak, it’s easy to get swept up in all the fear-mongering and reactively incorporate as many cybersecurity tools and services as possible, no matter their relevance. For small and medium-sized businesses (SMBs), in particular, it’s especially tempting to blindly emulate larger organizations’ defense strategies, as most SMBs are understandably short on knowledge and resources when it comes to cybersecurity and cyber insurance.

Devising Cyber Protection Strategies Isn’t One-Size-Fits-All

One could argue that any efforts toward cyber protection should be applauded. Data breaches have become an inevitable part of doing business today, so wouldn’t even a misguided attempt at making an organization more secure be beneficial? Unfortunately, no.

Devising cyber protection strategies isn’t a generic, one-size-fits-all process. Rather, it’s akin to prescribing medicine. Just as physicians base their treatment plan on an individual’s specific symptoms, companies need to institute an approach to cybersecurity that incorporates their organization’s unique characteristics and needs.


Consider the cyber protection needs of, say, a bakery. While a bakery may need to consider implementing defense mechanisms for its business email account(s), CRM solution and digital document storage, its cybersecurity requirements are fairly straightforward. A basic cyber insurance policy could prepare a bakery for any worst-case scenarios in which customer payment records are exposed, for instance, or sales temporarily dip due to a damaged brand reputation post-breach.

Now look at an urgent care clinic, for which cyber protection can literally be a matter of life and death. Any internet-connected healthcare device, such as a heart monitor or IV, needs to be thoroughly secured to prevent patients from undergoing serious harm. Email, phone and text communications between physicians, nurses, specialists and patients should be encrypted. With healthcare organizations required to retain patients’ medical records for anywhere between two and 30 years (depending on the state), secure digital storage and back-up services must also be considered. In addition to all the tactical cybersecurity considerations that an urgent care clinic needs to take into account, it also has various regulations and audits it must comply with, such as HIPAA and HITECH. Steep fines and severe reputational damage await any healthcare organization that fails to comply.

Evolving and Future Business Needs Must Also be Considered

Not only do organizations need to personalize their cyber protection strategies by prioritizing their businesses’ unique needs, they also need to consider how those needs may change. A new law office may not have much client data to secure in its first six months of business, for example, but, once it’s amassed a few years of cases, the firm’s data security and storage requirements will drastically change. The type of data that a growing law office collects could change, as well. After a decade in business, if the firm decides to branch out to handle personal injury cases, for instance, it will have to adjust its data security strategy to accommodate patient health information.


Prioritize Personalization to Secure Critical Assets

Rather than getting distracted by what Target or Facebook is doing to protect their digital assets, take the time to assess your business. Conduct a comprehensive evaluation of your current cyber protection efforts to determine what’s working and what’s not. Look for any major vulnerabilities such as insecure websites or lax Bring Your Own Device or Shadow IT practices, and map out how your cybersecurity requirements stand to change over the next one to five years.

Any organization — no matter its size, industry or available resources — can establish a custom cybersecurity and cyber insurance plan and leverage it to more effectively plan for and prevent devastating cyber attacks.

TokenEx’s Alex Pezold

Alex Pezold, CEO and Co-Founder of TokenEx, talks with ITL Editor in Chief Paul Carroll about how the 10-year-old company, which has been active in providing a cyber solution to the banking and payments industries, is now exploring ways to bring its data protection solution to the insurance industry. TokenEx assigns a token to sensitive data, such as a customer’s personally identifiable information, so that a company is not storing the actual consumer information that is at risk in a data breach.


Addressing Evolving Cyber Threats

In 2015, an accountant looking at the balance sheets of a U.S. tech company noticed a $39 million hole in the figures. The accountant would have been even more dismayed to know where it had gone – a member of the financial team in an overseas subsidiary had transferred it directly to the thief. All the thief had to do was pretend to be a CEO.

It’s a kind of attack known as a CEO email attack, and just one of a broad range of hostile tactics known as social engineering attacks. These are attacks that exploit the natural weaknesses of human beings – our credulity, our naiveté, our propensity to help strangers and, sometimes, in the case of phishing attacks, just our greed – to get around security systems.

To put it in the language of 21st century cyber security: Social engineering operates on the idea that, just like any computer system, human beings can be hacked. In fact, a lot of the time they’re much easier to hack than computers. Understanding this fact, and the forms that social engineering can take, is essential to formulating a robust defense strategy. These strategies are even more important now, as the lines between the physical and digital worlds continue to blur and the assets at risk continue to multiply, thanks to the proliferation of connected technologies.

In Depth

From the serpent in the Garden of Eden, to the fake phishing emails that promise fortunes if only you’d just part with your bank details and Social Security number, social engineers have been with us for a while. But few epitomize their arcane arts quite like Frank Abagnale, whose exploits between the ages of 15 and 21 were immortalized in the Steven Spielberg film Catch Me If You Can. During those years, Abagnale posed as a doctor, a lawyer and an airline pilot and has become one of recent history’s most legendary social engineers. He now runs a consultancy, Abagnale and Associates, that aims to educate others – including government agencies such as the FBI, and numerous businesses – on how to catch people like him, as social engineering methods shift.

Abagnale asserts: “Some people used to say that I’m the father of social engineering. That’s because, when I was 16 years old, I found out everything I needed to know – I knew who to call, and I knew the right questions to ask – but I only had the use of a phone. People are doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.”

We live in an overwhelmingly digital world, and the projected 50 billion Internet of Things (IoT) devices due to be hooked up to the internet by 2020 mean the already broad frontier of digital risk will only continue to grow. “I taught at the FBI for decades. There is no technology today that cannot be defeated by social engineering,” Abagnale says. Making sure the human links that sit between this expanding set of digital nodes remain secure lies at the heart of securing the whole system, one increasingly tied up with physical as well as digital assets.

New Risks

In 2010, the Stuxnet worm, a virus believed to have been developed jointly by the U.S. and Israeli military, managed to cause substantial damage to centrifuge generators being used by the Iranian nuclear program. The virus was designed to attack the computer systems that controlled the speed at which components in industrial machinery operated. By alternately speeding up and slowing down the centrifuges, the virus generated vibrations that caused irreparable mechanical damage. It was a new breed of digital weapon: one designed to attack not only digital systems but physical systems as well.

It was physical in another way. To target this system, the virus had to be physically introduced via an infected USB flash drive. Getting that flash drive into a port, or into the hands of someone who could, required human beings to intervene. In this case, anonymous USB devices were left unattended around a facility and were then accidentally inserted by unwitting technicians.


The Stuxnet worm highlights the extreme end of the dangers that lie at the overlap between digital technology, physical assets and human beings, but the risks extend well beyond that. More prosaic, for instance, are email scams that work by tricking the receiver into sharing vital information – remember the notorious “Nigerian prince” emails, where a fraudster would promise a willing helper untold riches in return for money to be released from jail?

Some of these scammers have elaborate networks that cross countries and continents and can be worth more than $60 million. Move the concept into the organization now: Imagine receiving an email from someone purporting to be your boss, asking in an official and insistent tone for a crucial keyword or a transfer of funds. Could a typical employee be relied on to deny that request? What about a phone call? This was hacker Kevin Mitnick’s strategy. In a way a Frank Abagnale of the digital age, Mitnick managed to carry out a range of high-profile attacks on key digital assets by just phoning up and asking for passwords.

IoT: The Convergence of the Physical and Cyber Worlds

“Humans are the weakest link in any security program,” says Dennis Distler, director, cyber resilience, Stroz Friedberg, an Aon company. In fact, it’s us, rather than computer systems’ weaknesses or failures, that lie at the heart of around 90% of cyber breaches. Social engineering attacks can come in various forms, and the risk from them will never be fully mitigated. But while full mitigation is impossible, you can limit your exposure – that strategy begins at the individual level. Humans are the targets, so the first line of defense has to be from humans. “You certainly remind people that you have to be smarter, whether you’re a consumer or CEO. You have to think a little smarter, be proactive, not reactive,” Abagnale says.

While social engineering has a focus on financial loss, the focus of cyber risk is shifting to tangible loss with the potential for property damage or bodily injury arising out of IoT devices. Historically, cyber risk has been associated with breaches of private information, such as credit cards, healthcare and personally identifiable information (PII). More and more, however, the IoT – the web of connected devices and individuals – will pose an increased risk to physical property as breaches in network security begin to affect the physical world. Having a better understanding of vulnerabilities and entry points – both at the individual as well as device level – will be critical for organizations in 2017 and beyond.

Organizational Mitigation

While security awareness training and, to a lesser extent, technology can prevent successful attacks – whether IoT-related, caused by human error or stemming from actual social engineering – the risk from them will never be fully mitigated. Organizations can, however, take a number of steps to protect themselves. Distler of Stroz Friedberg highlights a number of key steps a company can take to minimize exposure to social engineering risk:

  • Identify what and where your organization’s crown jewels are. A better understanding of your most valuable and vulnerable assets is an essential first step in their protection.
  • Create a threat model to understand the types of attacks your organization will face and the likelihood of them being exploited. From email phishing to physical breaches, the threat model can help teams prioritize and prepare how to best respond.
  • Create organization-specific security awareness training addressing what types of attacks individual employees could expect, how to detect them and what the protocols for managing and reporting them are. Consider instituting a rewards program for reporting suspected attacks to further encourage vigilance.
  • Provide longer and more detailed training for high-valued or vulnerable targets, such as members of the C-suite and their executive support staff, or members of IT, finance, HR or any other employee with access to particularly sensitive information. This training could vary from account managers to mechanical engineers working on major operational projects. These enhanced training procedures could include red-teaming exercises, which test the ability of selected staff to respond to these breaches in real time.
  • Create well-defined procedures for handling sensitive information and provide routine training on these procedures for employees who handle sensitive information.
  • Conduct routine tests (recommended quarterly at a minimum) for the most likely social engineering attacks.

Preparing for Tomorrow’s Breaches

The term “cyber threat” is becoming more and more complex. No longer is it a threat posed to digital assets by viruses and malware or a financial threat posed to individuals and financial institutions. Now, cyber risk encompasses a broad range of risks with the potential to harm assets, from property to brand and reputation.

And at the center of all of these interactions are people. Almost every breach begins with a human being. By understanding how such threats can manifest, and how to deal with them when they do, risks can be mitigated ahead of time. Bringing together various functional groups within an organization will be crucial as teams prepare for the more multifaceted risks of our increasingly connected future.

2016 Latin America Insurance Outlook

Despite sluggish economic growth and troubling inflation in key markets, the 2016 insurance market outlook for Latin America remains relatively bright. The rollout of new insurance products and distribution approaches at a time of low market penetration should drive strong growth for insurers. Insurance premium growth is expected to rise by around 6% to 7% in 2016 and possibly beyond should the economic environment improve as expected. At the same time, the emergence of end-to-end digital capabilities is transforming the Latin American insurance market. This digital market disruption will force insurers to make rapid revisions to existing business models to stay competitive and build market share.

Customer expectations rising

Commercial customers will continue to require more sophisticated insurance solutions in 2016, including coverage for business interruption, cyber security, civil unrest and errors and omissions. Latin American consumers, many of whom are young, cosmopolitan and tech-savvy, will continue to push for new insurance channels and services that fit their lifestyle. To respond, insurers will need to simplify and adapt products for Millennials and sharpen their focus on mobile and social media interactions. Evolving customer needs throughout the region are compelling insurance companies to rethink their strategies, processes and services. The rise of financial technology, or fintech, companies is causing insurers, particularly in the consumer insurance sector, to reconsider their business models and increase their investment in new digital technologies. Despite a desire to avoid conflicts with legacy models, insurers realize that flexibility, efficiency and innovation are critical for success in a more demanding marketplace.

Competition heating up

The liberalization of industry regulation across Latin America has opened insurance markets to wider competition. The abundance of insurance capital has intensified competition from various directions: from global insurers seeking a foothold in the region to local insurers looking to expand cross country to entrenched insurers defending their turf. These competitive trends are keeping insurance rates flat through much of the region and, in some cases, pushing them lower. The most substantial rate decreases have been in non-catastrophe property.

Pockets of premium increases can be found in areas of instability, such as Venezuela. However, insurance capacity is very limited for Venezuelan political risk, with most risks dependent on the international reinsurance market.

As markets develop in Latin America, commercial demand is increasing for new forms of insurance coverage, such as environmental liability. The opening of the oil industry to the private sector in Mexico, for example, is exposing new oil exploration and production entrants to potential losses from environmental damages. But market capacity is still restrained in key markets, such as Brazil, where only a few insurers offer such liability coverage.

Read our Market Outlook for LATAM Insurance in 2016 to understand more about the dynamics facing the South America Market here.

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates that attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: Click to a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”
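The two patterns this page keeps returning to, an executive’s name on a message sent from a free Gmail address asking for a transfer of funds, and a link to a file on Google Drive arriving from outside the company, are both things a mail gateway or SOC script can flag before a user ever clicks. The following Python triage routine is an added example written for this page; it is not code from the article, from Elastica or from any of the companies quoted. The internal domain (example.com), the executive name list, the set of Google-hosted hostnames and the three sample messages are all constructed assumptions, so tune them to your own environment.

```python
"""
Triage inbound mail for the social-engineering patterns described on this page:
  1. executive display-name impersonation from an external (often free webmail) address,
  2. payment or transfer language in such mail (the "CEO email attack"),
  3. links to Google-hosted content sent by an external party, which inherits
     Google's trust without being Google's content.
All names, domains and messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                         # assumption: your own mail domain
FREE_WEBMAIL = {"gmail.com", "googlemail.com"}          # free accounts anyone can open
EXECUTIVE_NAMES = {"jane doe", "john roe"}               # constructed list of impersonation targets
GOOGLE_HOSTED = {                                        # hosts where outsiders can publish content
    "drive.google.com", "docs.google.com",
    "sites.google.com", "storage.googleapis.com",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|invoice|funds)\b", re.I)


@dataclass
class Finding:
    reason: str
    detail: str


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe,  Jane' and 'jane doe' compare equal."""
    return " ".join(name.lower().replace(",", " ").split())


def analyze_message(headers: dict, body: str) -> list:
    """Return a list of Finding objects for one message (empty list means nothing suspicious)."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain != INTERNAL_DOMAIN

    # 1. An executive's name on a message that did not come from the company's own domain.
    if external and normalize_name(display) in EXECUTIVE_NAMES:
        kind = "free webmail" if domain in FREE_WEBMAIL else "external domain"
        findings.append(Finding("exec-name-spoof", f"'{display}' sent from {addr} ({kind})"))

    # 2. Requests to move money from outside the organization.
    if external and PAYMENT_RE.search(body):
        findings.append(Finding("payment-language", PAYMENT_RE.search(body).group(0)))

    # 3. Google-hosted links from external senders: the host is trusted, the content is not.
    if external:
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host in GOOGLE_HOSTED:
                findings.append(Finding("external-google-hosted-link", url))
    return findings


# Constructed sample messages: a CEO-fraud attempt, a partner sharing a Drive link,
# and a legitimate internal message that should produce no findings.
SAMPLE_MESSAGES = [
    {"headers": {"From": "Jane Doe <jane.doe.ceo@gmail.com>"},
     "body": "Please wire the funds today. I'm in meetings, reply by email only."},
    {"headers": {"From": "Partner Updates <updates@partner.example.org>"},
     "body": "Slides: https://drive.google.com/file/d/CONSTRUCTED-ID/view"},
    {"headers": {"From": "Jane Doe <jane.doe@example.com>"},
     "body": "Q3 deck: https://docs.google.com/presentation/d/CONSTRUCTED/edit"},
]


def triage(messages: list) -> list:
    """Map each message to the list of reason codes raised, in the order checks run."""
    return [[f.reason for f in analyze_message(m["headers"], m["body"])] for m in messages]


if __name__ == "__main__":
    for i, reasons in enumerate(triage(SAMPLE_MESSAGES)):
        print(f"message {i}: {reasons or 'clean'}")
```

The checks are deliberately independent so each produces its own reason code: a quarantine rule can then act on the combination (an executive name from Gmail plus payment language) while a lone Google Drive link from a partner only adds a warning banner. Internal senders skip the link check entirely, because the page's point is that the danger lies in outsiders publishing under Google's trusted hostnames, not in the service itself.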