Why Small Firms Need Cyber Coverage

There’s barely a week that goes by without some sort of cyber security incident — a system hack, a data breach, putting thousands if not millions of people’s personal information at risk. Although big corporations generate the most headlines, the reality is that small and mid-sized businesses are equally, if not more, vulnerable to cyber attacks.

Smaller organizations don’t have the resources to put up firewalls or deploy high-powered system monitoring software that larger firms can afford. Like the house on the block with an open window and no burglar alarm installed, these businesses are easy prey for hackers, and they’re getting hacked more often than you think.

According to IBM, small and mid-sized businesses are hit by 62% of all cyber attacks, at a rate of 4,000 per day. A more sobering statistic? Sixty percent of small businesses go out of business within six months of a breach.

As insurance professionals, we have the opportunity to change that outcome. Although we can’t deter the cyber thieves from striking, we can help our business customers protect themselves by effectively educating them on their risks and providing the cyber liability coverage they need.

A Quick 411 on Cyber Liability Coverage

The good news is, there are 20 or more cyber liability carriers in the marketplace today, which keeps pricing low for budget-conscious business owners. Typically, every million dollars of protection, for a company that has never been hacked, runs about $2,500 per year. That’s well within most businesses’ budgets.

However, not all policies are created equal.

It’s critical for insurance professionals to spend time educating themselves on the details of what each policy offers before heading off to sell. This ensures that you offer the best solution to each of your customers and can adequately review any coverage they currently have for gaps.

Cyber liability policies should always include coverage for the following:

Notification Costs and Credit Monitoring

Most states require companies to inform anyone affected by the breach of personally identifiable information in a timely manner, and offer credit monitoring for the 12 months following the incident. Typically, businesses have to set up call centers to answer frequently asked questions, as well. A good cyber policy should cover all of these costs.

Cyber Extortion

According to the FBI, the incidence of ransomware attacks is on the rise. This attack typically begins when an employee clicks on a legitimate-looking email attachment. That one click releases malware that locks digital files until the company pays a ransom to release them. Unless the company pays the tens of thousands of dollars that hackers demand, businesses could lose proprietary information, product schematics, customer orders and other sensitive information. The right policy will help cover the cost of payments to extortionists, as that’s typically the only way to get the data back.

Business Interruption

If the company’s systems are compromised, hackers may encrypt company software or overload Web servers to block legitimate orders, and business comes to a screeching halt. Think about the financial impact a day or a week down could have on a small e-commerce company, a CPA firm or a manufacturing operation if they’re not adequately covered for the loss.

Public Relations

One hack can ruin a local business’s reputation in a heartbeat. If a breach occurs, that company has to hire an experienced public relations team to explain what they’re doing to protect the affected individuals and mitigate reputational risk associated with the breach.

Forensics Costs

Finally, and perhaps most significantly, a cyber liability policy should cover forensics — hiring computer technologists to come in and identify where and how the breach occurred, and how big the impact was. It’s important to note that this is typically the biggest cost associated with a breach, and the most frequently exhausted limit in cyber liability policies. So, it’s important to make sure the policy you recommend provides adequate coverage in this area.

Explaining Cyber Insurance to Your Customers

The most effective way to talk to your customers about cyber liability insurance is to show them their exposures. Typically, small and mid-sized businesses don’t think of themselves as being at risk. For example, a restaurant owner might believe that, by using a third-party payment card processor, her business is protected. The reality is: Her patrons don’t care who processes her transactions. They come to her restaurant, eat her food and hand her servers their credit cards. The place where people do business is going to get the blame — and be the one liable for the costs.

It’s not just retailers and restaurants that are at risk. Any company with personally identifiable information – Social Security numbers, health records or employee data – is exposed. With the cost per compromised record averaging $221, the more records a company has, the more exposure it has. When you explain that one incident could cost a smaller business $50,000 or $100,000 to rectify, the value of paying a few thousand dollars a year for cyber liability insurance becomes very clear.

In addition to being affordable, cyber policies are quick and easy to get — if the business hasn’t been hacked before. For most carriers, it’s a one-page application that asks basic questions to find out if the company has a firewall, antivirus software and encryption, as well as its use of mobile devices. Typically, you can get a quote in an hour or less, issue the policy and be on your way. Just as important, your customers will know that you’re looking out for their best interests.

If I can leave you with one thought, it’s this: In this technology-reliant world, every business has a target on its proverbial back. If some form of cyber-attack hasn’t affected your customers yet, there’s a high probability that they’ll get hit in the near future. No business is too small, and no one is immune.

With the right cyber liability coverage, your business customers will be prepared for the inevitable breach — and have the protection they need to survive it.

When Hackers Take the Wheel

Operator errors, driving under the influence, and product defects have long been blamed for catastrophic accidents in the transportation industry. However, recent headlines revealed how cyber risk has emerged as a new and disturbing threat to airlines, railways, auto manufacturers and ocean cargo carriers.

Those in the transportation sector have embraced the “Internet of Things” and transformed what were once far-reaching concepts into some of the most common components of the cars they manufacture and the planes they fly. They often rely on a secure internet connection to function safely and efficiently. Recent headlines, however, raised concern and started a debate: Can the transportation sector be hacked? If so, what are the consequences?

Automobiles

In July 2015, Fiat Chrysler announced a recall of 1.4 million vehicles after white hat hackers demonstrated that they could take control of a Jeep Cherokee’s braking systems, change vehicle speed and affect operation of the transmission, air conditioning and radio controls. Hackers gained remote access by exploiting a software vulnerability in the vehicle’s Uconnect entertainment system.

The stakes have been raised even higher with recent advances made in the development of driverless cars, as more vehicles will become completely reliant on secure technology. Safety concerns were raised after a series of crashes allegedly caused by the failures of Tesla’s Autopilot technology, resulting in the death of a passenger. This prompted Tesla to announce efforts to improve its Autopilot software, including “advanced processing of radar signals.”

The Department of Transportation has also recognized the risks associated with technology. In January 2016, the department entered into an agreement with 17 major automakers to enhance driver safety, including information sharing to prevent cyberattacks on vehicles. According to the agreement, the National Highway Traffic Safety Administration will propose industry guidance for safe operation for fully autonomous vehicles.

Planes

Boeing recently became the subject of a hacker demonstration when a security researcher accessed the entertainment systems of one of the company’s planes in mid-flight. Boeing was adamant that the hacker could not have gained access to the aircraft’s critical functions due to segregation of the two networks. However, the incident raised concerns throughout the airline industry, and an FBI investigation followed.

Railway Systems

German security researchers SCADA Strangelove demonstrated, without naming the rail systems in question, that they, too, are vulnerable. Their December 2015 report highlighted vulnerabilities related to outdated software, default passwords and lack of authentication. Moreover, entertainment and engineering systems were operating on the same network, leading to speculation that if one system is compromised hackers could gain access to the other. Because rail switches are automated and dependent on properly operating networks, the theory of a system compromise leading to a head-on collision with another train was explored in the report.

Marine Shipping

An investigation by Verizon Risk concluded that modern-day pirates are increasingly relying on network intrusions as a means to carry out crimes on the high seas. Verizon concluded that an unidentified shipping company’s networks were penetrated by hackers, giving them precise information on which ships were carrying the most valuable contents. Hackers then targeted their attacks on specific vessels, using bar codes to focus on individual shipping containers.

As of this writing, we have not seen any incidents of bodily injury or loss of life in the transportation sector directly attributed to a deliberate network compromise. Yet the findings of various researchers across multiple transportation sectors lead to some alarming conclusions. Law enforcement and transportation safety regulators have taken these findings seriously and conducted investigations of their own.

We can therefore expect with some degree of certainty that the transportation sector will be held to higher cybersecurity standards and will see the increased regulatory scrutiny that has already been witnessed in other industries, such as healthcare and financial services. When networks containing sensitive data may be compromised, regulators that oversee that industry often propose protection standards that ultimately become mandates. Failure to comply often leads to lawsuits, settlements, fines and significant reputational harm.

Until then, the transportation sector can start by following the best practices outlined in the National Highway Traffic Safety Administration’s “A Summary of Cybersecurity Best Practices,” published in October 2014. Key observations and recommendations include:

  • Cybersecurity is a life-cycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program.
  • The aviation industry has many parallels to the automotive industry in the area of cybersecurity.
  • Strong leadership from the federal government could help the development of industry-specific cybersecurity standards, guidelines and best practices.
  • Sharing learning with other federal agencies is beneficial.
  • Use of the NIST cybersecurity standards as a baseline is a way to accelerate development of industry-specific cybersecurity guidelines.
  • International cybersecurity efforts are a key source of information.
  • Consider developing a cybersecurity simulator. It could facilitate identification of vulnerabilities and risk mitigation strategies and can be used for collaborative learning (government, academia, private sector, international).
  • Cybersecurity standards for the entire supply chain are important.
  • Foster industry cybersecurity groups for exchange of cybersecurity information.
  • Use professional capacity building to address and develop cybersecurity skill sets, system designers and engineers.
  • Connected vehicle security should be end-to-end; vehicles, infrastructure and V2X communication should all be secure.

The transportation sector is yet another industry that must learn to adapt to the systemic nature of cyber risk. Because of ever-increasing reliance on evolving technology, cyber risk will certainly begin to move toward the top of the list of transportation safety concerns. The captains of this industry can no longer claim ignorance of cybersecurity issues or completely delegate responsibility. They owe a duty to safeguard the flow of information that effectively keeps our planes airborne and our cars on the road. Failure to do so could be catastrophic.

Ransomware: Your Money or Your Data!

Your client, ABC Corp. is going about its business and then gets this message:

[Image: a police-themed ransomware lock-screen message]

The above is a typical ransomware message, according to a recent Symantec Security Response report. What’s next? Pay the “ransom” and move on? Ransomware is a type of malware or malicious software that is designed to block access to a computer or computer system until a sum of money is paid. After executing ransomware, cyber criminals will lock down a specific computer or an entire system and then demand a ransom to unlock the system or release the data. This type of cyber crime is becoming more and more common for two reasons:

1. Cyber criminals are becoming increasingly organized and well-funded.

2. A novice hacker can easily purchase ransomware on the black market.

According to the FBI, this type of cyber crime is increasingly targeting companies and government agencies, as well as individuals. The most common way that criminals execute their evil mission is by sending attachments to an individual or various personnel at a company. The busy executive opens the file, sees nothing and continues with his work day. However, once the file has been opened, the malware has been executed, and Pandora has been unleashed from the box!

Now that the malware has been unleashed, a hacker can take over the company’s computer system or decide to steal or lock up key information. The criminals then make a “ransom” demand on the company. The ransom is usually requested in bitcoins, a digital currency (also referred to as crypto-currency) that is not backed by any bank or government but can be used on the Internet to trade for goods or services worldwide. One bitcoin is worth about $298 at the moment. Surprisingly, the amounts are generally not exorbitant (sometimes as nominal as $500 to $5,000). The company then has the choice to pay the sum or to hire a forensics expert to attempt to unlock the system.

The best way companies can attempt to guard against such cyber crime attacks is by educating employees on the prevalence and purpose of malware and the danger of opening suspicious attachments. Employees should be advised not to click on unfamiliar attachments and to advise IT in the event they have opened something that they suspect could have contained malware. Organizations should also consider backing up their data OFF the main network so that, if critical data is held hostage, they have a way to access most of what was kidnapped. Best practices also dictate that company systems (as well as individual personal devices) be patched and updated as soon as upgrades are available.

Finally, in the event you are a victim of a ransom attack, you would need to evaluate whether it constitutes a data breach incident. If the data hijacked is encrypted, notification is likely not necessary (as the data would be unreadable by the hacker). However, if the data was not encrypted, or you cannot prove to the authorities that it was, notification to clients or individuals is likely necessary.

Takeaway

Cyber extortion is more prevalent than most people realize because such events are not generally publicly reported. To protect against this risk, we recommend that companies employ best practices with respect to cyber security and that they consider purchasing a well-tailored cyber policy that contains cyber extortion coverage. Such coverage would provide assistance in the event a cyber extortion threat is made against the company, as well as finance the ransom amount in the event a payment is made.

Surveillance Cams: A Hacker’s Delight

It didn’t take much tech savvy for the creator of the website insecam.com to aggregate web links to more than 73,000 live surveillance cameras in 256 countries. The result: Anyone can use insecam.com to tap into any of these webcams and see what they’re pointed at, mostly in commercial properties.

Each of these webcams uses the default password that shipped with the unit. And so now each is accessible by anyone via insecam.com.

The Internet of Things (IoT) is on the verge of explosive growth. Research firm IDC projects the market for Internet-connected webcams, cars, electricity meters, gaming consoles, TVs, refrigerators and other household items will grow at 9% a year for the next few years. Global spending on technology and services to expand IoT will climb from $4.8 trillion in 2012 to $7.3 trillion by 2017, IDC predicts.

Insecam.com’s unique search service highlights the fact that wide swaths of the IoT are being implemented without so much as a nod toward the sudden creation of profound privacy and security exposures.

ThirdCertainty asked Hagai Bar-El, CTO of Sansa Security, to outline what’s at stake for consumers and businesses.

3C: How did we get to a point where thousands of webcams are essentially wide open on the Internet?

Bar-El: Webcams today are incredibly inexpensive and practically commoditized. Unfortunately, most consumer-grade webcams do not offer much in terms of added security. Consumers who are unaware of the importance of security measures typically rely on the default username and password that shipped with the webcam. Or their passwords are so weak that they are easily guessed, thus leading to new websites that enable voyeurs to peer into people’s personal lives in real time.

3C: Is it just security cams in commercial buildings? How exposed are the home surveillance cams that are being widely marketed to consumers?

Bar-El: Most surveillance cams that are sold to households have three shortcomings: First, they lack strong security features. Some cameras do not encrypt traffic, some do not encrypt user passwords, and many do not support user authentication by any mechanism other than passwords. Second, many cameras are designed and distributed without any security engineered into the hardware or software layer of the product.

The Insecam project creators were able to feature real-time personal video-streaming data because the only security measure implemented on the affected cameras was a default administrative log-in. Lastly, most webcams have limited and hard-to-use update capabilities, so even as flaws are discovered, it is practically impossible to update them on a large scale.

3C: Besides webcams, what are one or two other aspects of IoT that folks should be most concerned about?

Bar-El: In the industrial enterprise space, people should be concerned with situations where IoT touches physical security and/or money, such as SCADA, automotive, financial and medical devices. In the home automation space, we are concerned about hackable IoT devices that control door locks and alarm systems.

3C: The mobile banking and mobile wallet industries are moving to take passwords out of the equation. Are any consensus solutions gaining traction?

Bar-El: The trend we are seeing is the adoption of secure cryptographic authentication between an IoT device and the service with biometric or PIN authentication between the human user and the IoT device. This type of two-factor authentication will make future IoT devices both user-friendly and more secure.

3C: It seems like IoT is going to spread faster than good security and privacy practices. Agree or disagree?

Bar-El: Agree. IoT manufacturers today want to sell as many devices as they can to quickly establish market share. Security takes time and requires skills that many manufacturers currently do not have. By providing security solutions starting at the chip level and allowing developers to provision security updates to their devices from the cloud, we believe we can make the security around next-generation IoT devices future-proof.

3C: How do you see the fundamental situation playing out in 2015?

Bar-El: In 2015, IoT manufacturers will recognize the “build now, fix later” model is not sustainable and that important security features must be baked in when products ship. Considering that the IoT devices currently entering the market are smart-home-focused, the security mechanisms manufacturers introduce in 2015 must be future-proof for at least a decade, and they need to include mechanisms that enable that device to be updated in real time in the event a critical vulnerability is ever discovered in the product.

How the Sony Hack Should Affect You

If the past two years have revealed anything, it’s that every conceivable mode of communication comes with its share of serious privacy and security issues. Email can be hijacked, mail servers can be breached and malware can turn your smartphone into a peepshow. Wikileaks revealed that even our phone conversations are at risk.

That said, don’t panic! It’s highly unlikely anyone is listening to your phone calls. (OK, it’s possible, but you’d have to be incredibly sloppy or unlucky enough to download call-intercepting malware, or targeted by folks who can handle a price tag that hovers north of the $1 million mark.) The more relevant point here is that the big data mills at the NSA that may or may not be crunching your calls don’t care if you’re negotiating the sale of Ford to General Motors, much less if you’ve been naughty or nice – unless you’re a world leader or someone perceived as a threat to America.

So what about the other, more likely ways you may be exposed? There are man-in-the-middle attacks that are fairly affordable for a hacker. There’s malware from friend (hard to spot) and foe (you can’t be alert to every danger every second of the day). It almost seems like the only way to be completely safe from intrusion is to have nothing you wouldn’t want broadcast or skywritten on your smartphone, nothing you wouldn’t want the world to know about in your browser history, not a single text message you want to keep private and no phone calls made or received that you don’t want to share with Dr. Phil and his audience.

Recent news has been nothing less than terrifying. JPMorgan Chase and Home Depot joined the ever-growing list of mega-breach victims. Sony Pictures was gutted, with career-killing emails sent hither and yon, servers erased and trade secrets and intellectual property joyously tossed like flower petals from a float in the Rose Bowl parade. The hack initially stopped the release of “The Interview,” costing the studio millions, and that’s not taking into account future losses associated with class-action lawsuits brought by current and former employees whose personally identifiable information was stolen and published for the world to see, or enforcement actions by various and sundry state and federal regulators. It’s major stuff. And then there were all those other cybercrimes. It all makes for a really uneasy feeling at the workplace.

The trend here is simply too clear: Nothing is sacrosanct, and nothing is beyond reach. And while there may be no way to keep prying eyes out of our email, there is a way to keep the most sensitive information pertaining to your business out of reach. With that thought foremost in my mind, it is, indeed, time to make some serious changes.

Call me old-fashioned, but I think I’d rather take my chances with the government listening to my phone calls. How about you? When I say “phone call,” I mean literally, like, on the phone, and I say this because, of all the ways we communicate, a landline affords a better shot at privacy and a more secure mode of communication.

The act of getting out of a chair and walking down the corridor to talk to a colleague helps to burn off holiday excesses, builds inter-office rapport and can’t be hacked. Email and text have supplanted the collegial walk-by. There are those who will say that it’s not efficient to pick up the phone. I’m not sure I buy that. Email and text streamline workflow only in theory. Each is just a swipe or click away from the major time-sucks provided by social media. And the interaction that happens without the interference of keystrokes or thumbing a screen provides sparks that just don’t happen in the dynamic-free zone of tit-for-tat correspondence. And again, a face-to-face or headset-to-headset conversation is probably the most secure mode of communication in the post-Sony hack world.

I’m sure it will take some getting used to, but if anyone at my office needs a fast answer from me, I’m going to ask that whenever possible they tap my doorframe or give me a call. Beyond the security considerations, the truth is that I actually like talking to people, and I ultimately learn more about whatever it is we’re talking about. For all their convenience, emails and texts are far from perfect modes of communication. Much meaning is lost when communicating by keystroke. Anyone who’s emailed a sarcastic quip that was taken literally will confirm this.

There are other options. Sony Pictures had to revert to communication via fax during the days following the hack, but faxes leave too much to chance because you never know who’s waiting on the other end of your transmission, and there’s the added possibility that you might dial a wrong number.

If smoke signals weren’t so easy to spot, I’d suggest that route. And while it’s true that you never know when a fake cell tower’s going to roll into your neighborhood, using the phone and having more face-to-face discussions at the office are perhaps the better ways to engage in team building through a group commitment to data security.