The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.

The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in people’s everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer — it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.

NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

How to Determine Your Cyber Coverage

Public agencies and organizations around the world are making cyber risk their top priority. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws and significant increases in targeted attacks, such as ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three- or even four-fold by 2020.

Deciding how much cyber insurance to buy is no inconsequential matter, and the responsibility rests squarely with the board of directors (BoD). Directors and executives should have the highest-level view of cyber risk across the organization and are best-positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and external factors.

So, how much does your organization stand to lose from a supply chain shutdown, a website outage or service downtime?

Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high-profile breaches helps ensure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout; related costs and losses are often incurred for years afterward due to customer and market response as well as legal and regulatory enforcement actions.

In 2013, Target suffered a very public breach that resulted in the resignation of the CEO, a 35-year employee. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled $252 million, with some lawsuits still open.

Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers – the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach-related expenses of $161 million, including a consumer-driven class action settlement of $20 million.

These cases illustrate the need for thoughtful discussion when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable and can rise quickly due to cascading effects. Cases in point: the bizarre events surrounding Sony’s breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.

Organizations need to review their security posture and threat environment on a regular basis and implement mechanisms for continuous improvement. The technology behind cyber security threats and countermeasures is on a sharp growth curve; targets, motives and schemes shift unpredictably. Directors may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.

Most policy premiums are currently based on self-assessments. The more accurate the information provided in your application, the more protected the organization will be. Most policies stipulate obligations the insured must meet to qualify for full coverage; be sure to read the fine print and seek expert advice.

A professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.

Review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and dark web exploits. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.

As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market; boards and executives need to keep an eye on developments. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies and purchasing security software isn’t sufficient.

My advice is to lead from the top. Organizations need to ensure risk assessments are thorough and up-to-date, policies are communicated and enforced and security technology is properly configured, patched and monitored.

Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. Cyber insurance may soften the financial blows, but it only works in conjunction with an enterprise-wide commitment to security fundamentals and risk management.

The Cyber Threat in Manufacturing

A friend of mine asked me if the cyber-risk threat was a bit of flimflam designed to sell more insurance policies. He compared cyber-risk to the Red Scare of the 1950s, when families scrambled to build bomb shelters to protect them from a war that never came. The only ones who got rich back then were the contractors, he concluded.

I found his question incredible. But I realized that he didn’t work in the commerce stream, per se, which quelled my impulse to slap him around.

I shared with him some statistics that sobered him up quickly. I explained that cyber-crime costs the global economy more than $400 billion per year, according to estimates by the Center for Strategic and International Studies. Each year, more than 3,000 companies in the U.S. have their systems compromised by criminals. IBM reports more than 91 million security events per year. Worse yet, the Global Risks 2015 report, published in January by the World Economic Forum (WEF), included this rather stark warning: “90% of companies worldwide recognize they are insufficiently prepared to protect themselves against cyber-attacks.”

Cyber protection is not just about deploying advanced cyber threat technology to manage risk; you also have to educate your employees to not fall victim to unassuming scams like “phishing,” which is stealing private information via e-mail or text messages. It remains the most popular con as far as stealing company data because it’s so painfully simple. Just pretend to be someone else and hope a few people fall for it.

While most people understand the threat to data privacy for retailers, hospitals and banks and other financial institutions, few realize that manufacturers are also vulnerable in terms of property damage and downtime. In 2014, a steel manufacturing facility in Germany lost control of its blast furnace, causing massive damage to the plant. The cause of the loss was not employee error, but rather a cyber-attack. While property damage resulting from a cyber-attack is rare, the event was a wake-up call for manufacturers worldwide.

According to The Manufacturer newsletter, “the rise of digital manufacturing means many control systems use open or standardized technologies to reduce costs and improve performance, employing direct communications between control and business systems.” This exposes vulnerabilities previously thought to affect only office computers. In essence, according to The Manufacturer, cyber attacks can now come from both inside and outside of the industrial control system network.

Manufacturers also need to be concerned about cyber attacks that would a) interrupt their physical supply chain or b) allow access to their system via a third-party vendor. Manufacturers must then take steps to mitigate those risks. When Target and Home Depot were hacked several years ago, it wasn’t a direct attack on them but an attack on one of their third-party vendors. By breaching the vendors’ weak cyber security, the criminals were able to access the larger prize.

To circle back to my friend’s weird fallout-shelter theory, it’s certainly a good idea to have a backup plan in case one is hit by a proverbial “cyber-bomb.” But rather than hunker down and wait for the attack to occur, it’s critical to educate employees, vet vendors’ cyber-security and adopt — and continuously optimize — a formal cybersecurity program.

New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.

Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount. Typical cyber insurance value-added services include:

  • Phishing and cyber hygiene awareness training
  • Incident response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.

Along the same lines, settlements of class-action lawsuits related to breaches of high-profile retailers, such as Target and Sony, are helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “’this-isn’t-how-we’ve-always-done-it’ way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.

As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customer’s information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.