How to Start Managing Cyber Risk

Hardly a day goes by without a news flash about another cyber breach. Since security breaches have become a daily occurrence, I sat down with Jeremy Henley at ID Experts to discuss the most common ways that companies are being breached and how companies can start to assess their cyber risk profile.

Question: Jeremy, what are the most common ways that you are seeing small to mid-size companies being breached?

Answer: One of the common ways that companies are being breached by hackers is that the hackers exploit vulnerabilities in the company’s security network. This includes the company’s failure to update software or upgrade their systems, as well as the failure to have the appropriate checks and balances in place. Small to mid-sized businesses are particularly vulnerable as they often don’t have the IT staff or budget to continually upgrade and update their systems as their organizations change and grow.

The second most common way companies are breached is through simple employee negligence. This would include a company’s failure to train and educate their employees on basic cyber security. For example, the failure to educate employees on the risks of downloading private data onto a portable device that is not encrypted as well as the failure to educate employees as to how to identify scams that ask them to open suspect emails or attachments. Companies need to educate their employees about the dangers of connecting to unsecured Wi-Fi connections at the airport or Starbucks when they are doing work that includes logging in to sensitive company systems. If someone is spoofing the airport Wi-Fi, you are essentially sharing everything you are doing online with that attacker.

Question: Once clients realize the security risks they face in today’s world, clients often ask where they should start with respect to updating their network security. Do you have any guidance for them?

Answer: I advise our clients to start by asking themselves three questions:

1) What data are we collecting? This is important as it will help them determine what regulations they may need to comply with (HIPAA/HITECH, PCI and 47 state breach notification laws, etc.).

2) How are they managing the data that they have? This includes examining what technology the company is using, if it is creating multiple layers to its security with firewalls and antivirus and if it is creating policies and procedures and training employees as to security safeguards.

3) I would ask the company to examine who they are sharing the data with. Specifically, which vendors or clients have access to its systems, and ask those vendors what security and privacy policies they have in place (if any)? You might consider requiring your vendors to provide proof of a security audit or insurance in the event they are the cause of a breach of info that you were trusted with.

Question: What role does cyber insurance play with your clients?

Answer: Cyber insurance has been invaluable to many of our clients, as most cyber policies include pre-breach education tools and employee training information as well as sample security policies or an incident response plan. Some carriers also work with us to provide risk assessment and penetration testing so that weaknesses can be identified and corrected prior to a breach incident. In my experience, the most valuable part that insurance plays is that the insured is able to fund an appropriate response in the wake of a breach. Clients that do not have cyber insurance usually do not have a budget set aside to deal with this unfortunate event, and after a breach do not have the funding to adequately fund the most appropriate response, therefore limiting their ability to respond to the significant reputational, financial and legal ramifications that such an incident can cause to their organization.

Thought Leader in Action: At Google

Loren Nickel, who has a major role in our profession as the director of business risk and insurance at Google, got his start without even doing a job interview.

That story begins when his mother researched careers and suggested that in college he study to become an actuary. Nickel pursued statistics and actuarial science at the University of California, Santa Barbara (UCSB), and became president of the Actuary Club – with its maybe 10 members, he says.

He wanted to build interest, partly to get more prospective employers to come to UCSB, so he decided to set up a website – this was in 1994 and 1995, before Netscape exploded on the scene through its initial public offering and introduced the Internet to the public consciousness. Nickel wrote the software for the website himself and paid $35 of his own money to get the UC system to host the site. He then used his e-mail address to answer questions from students and others about the actuary program at UCSB.

The word got out, at least to one UCSB alumnus who played an important role in Nickel’s career. John Alltop, who was in charge of the actuarial services division of Fireman’s Fund, asked Nickel if he knew of anyone who would be interested in an internship. Nickel raised his hand. Alltop, who is now president of Actuarial & Risk Management at Bickmore Risk Services, asked him to visit. At his own expense, Nickel drove 365 miles up the coast to Novato, north of San Francisco, and paid for a night in a hotel. He says that the second he walked in the door he was given the internship even though “I told them I hadn’t even done anything for them yet.” Shortly thereafter, Fireman’s Fund hired Nickel full-time.

He worked on various national accounts, and Fireman’s Fund rotated Nickel every 18 to 24 months to different operating divisions, ranging from workers’ comp and property risks to general liability, enabling him to learn different facets of the insurance business. Nickel learned the “big picture” by seeing how Fireman’s Fund used the actuarial component in its underwriting of client risks. Then he became the underwriting manager.

In that capacity, Nickel was able to work with brokers and sales teams to see how actuarial projections fit in. He developed his communication, sales and people skills. That experience launched Nickel into his next career move, working for AON, a leading brokerage firm. This included an assignment in London to work with the operational risk team, designated as a center of expertise. Returning to the U.S., Nickel led AON’s actuarial division in the Western region, which included providing actuarial consulting services for Google for nearly three years.

He joined Google in the spring of 2015. Nickel, who is 41 years old, lives in Marin County, north of San Francisco, so he commutes perhaps an hour and a half each way on one of the famous Google buses, to his office a few minutes from headquarters well down the peninsula in Mountain View. The bus is comfortable enough and the Wi-Fi so good that the ride is basically an extension of his office.

Nickel says his consulting experience at AON is a good fit at Google, where his risk management responsibilities could be best described as “advisory work.” He works in consultation with various Google teams to help keep them more informed and able to make better decisions from a risk viewpoint. Perhaps the biggest change is that he’s now on the buyer’s side of transactions. This, of course, includes multiple brokers and insurers.

Google’s stated mission is to organize the world’s data and make it usable by everyone on the globe, and all new products or services relate to that vision, but Google’s renowned “moonshot program” searches for disruptive innovations – which, by changing how people do things, can change the nature of risk. Google has fewer boundaries than most business ventures, to stimulate innovative thinking, so a traditional risk management program, with all of its financial constraints, doesn’t fit the Google model of business development. (Nickel is quick to point out that Google does employ a vast number of risk management best practices to protect its employees, property, users and the general public.)

Nickel leads a risk management team of four direct reports, with an additional five Googlers who work within the risk management structure. He says Google is much less about the function where someone works (i.e., risk management) than about the right mix of individual skills. For instance, on his team, some have an insurance background while others have skills in legal, actuarial science, project management, accounting, etc. “It’s a very different mix of personnel than what you would find in a traditional corporate risk management department,” Nickel says.

Asked how he gets in tune with and integrates risk management concepts with Google’s diverse divisions around the world, he says that making strong relationships is No. 1 – knowing the right people. This ensures that Googlers are aware of the advisory and outreach team in risk management. Risk management does not serve as a policing authority but serves more as an information source. Other corporate teams, such as legal, partner with risk management as issues arise. Responsibilities are clearly assigned and managed exclusively by organizational silos, as in most organizations. Nickel says everyone is very receptive about the information that the risk management team shares – in previous jobs, he often saw posturing.

Nickel says a guiding principle at Google is that “Googlers take care of other Googlers,” so risk management is in the culture, and safety is paramount. Even the food choices are healthy. Google provides its more than 60,000 Googlers with free, very nutritional and delicious food and snacks as well as a wide variety of campus features that promote health and well-being. Google even provides onsite medical providers at its larger locations. Without sharing statistics, Nickel makes it clear that Google has “phenomenal” workers’ comp claim experience that is far better than companies of its size. He added that Googlers feel respected and appreciate how well they are treated.

Asked if Google has any official opinion about the ownership or operation of driverless cars, where its pioneering work has sparked extraordinary interest, he said the risk department does not provide opinions on the products that Google creates. He did say the department is focused on making any new Google technology safer, getting it to market faster and winning support from regulators. “We do not determine how autonomous vehicles are used,” he says. “Instead, the goal is to facilitate the creation of great technology that could improve the world.”

When asked what advice he would give to newcomers in risk management, Nickel suggests that they try to experience different roles from different perspectives – from both the insurance and user sides – with respect to the implications of risk in organizations.

“These diverse experiences provide a deeper context to the bigger picture of risk,” Loren says. “Risk managers have to have more than one style, approach or understanding of risk to truly be impactful.”

From an educational standpoint, Loren adds that a “good grounding and understanding of mathematics and statistics is extremely helpful…. For me, risk management success is much less a factor of knowledge than it is to gain perspective and practical experience. You need to learn to take nebulous concepts and to organize information that can be put into a plan that other people can understand and act upon.”

How to Protect Your Mobile Data

Beware of “Free Wi-Fi” or “Totally Free Internet,” as this offer probably is too good to be true. These offers are likely set up by thieves to trick you into getting on a malicious website.

AT&T and Xfinity have provided many hotspots for travelers to get free Wi-Fi all over the country. Sounds great, right? However, these open hotspots also make it a piece of cake for thieves to observe your online activity and capture private information.

AT&T sets mobile devices to automatically connect to “attwifi” hotspots. iPhone users can switch this feature off; however, some Android phones lack this option.

Cyber thugs can set up fake hotspots called “evil twins,” which they can call “attwifi,” that your smartphone may automatically connect to.

For Xfinity’s wireless hotspot, you log into a web page and input your account ID and password. Once you’ve connected to a particular hotspot, it will remember you if you want to connect again later in that day, at any “xfinitywifi” hotspot and automatically get you back on.

If someone creates a phony Wi-Fi hotspot and calls it “xfinitywifi,” smartphones that have previously connected to the real Xfinity network could connect automatically to the phony hotspot, without the user knowing and without being asked for a password.

None of this means that security is absent or weak with AT&T’s and Xfinity’s networks. There’s no intrinsic flaw. It’s just that they’re so common that they’ve become vehicles for crooks.

Smartphones with Wi-Fi enabled generate probe requests. When you turn on the device’s Wi-Fi adapter, it searches for every network you have ever connected to, as long as you never “told” your device to forget it. An attacker can set a rogue access point to respond to every one of those probe requests.

Your device will then try to connect to every Wi-Fi network it has ever connected to, at least within that year. This also raises privacy concerns, because the SSIDs carried in these probe requests can be used to track the user’s movements.

Such an attack can occur at any public Wi-Fi network. It can force users off their existing Wi-Fi connection and onto the attacker’s network.
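The two behaviours described above, a rogue access point that answers every probe request and a twin that reuses a well-known name such as “attwifi” or “xfinitywifi”, leave traces that a defender scanning the airwaves can look for, and the same data shows which saved profiles on a phone an evil twin could silently hijack. The Python below is an added example, not code from the original article or from AT&T or Xfinity. The access-point observations, the allowlist of legitimate BSSIDs and the saved-profile list are constructed sample data, and the threshold of three SSIDs per BSSID is an assumed tuning value.

```python
"""Detection checks for evil-twin and probe-responder access points.

Added example; the scan results, allowlist and saved profiles below are
constructed for illustration and do not come from the original article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    bssid: str      # MAC address of the access point seen in the frame
    ssid: str       # network name it advertised (beacon or probe response)
    security: str   # "open", "wpa2", ... as advertised
    channel: int    # channel the frame was observed on


# Constructed scan: a legitimate carrier hotspot and a corporate AP, plus one
# rogue radio (de:ad:be:ef:00:01) that answers every remembered SSID, and a
# second rogue that clones the corporate BSSID but runs the network open.
SAMPLE_SCAN = [
    ApObservation("a0:b1:c2:d3:e4:01", "attwifi", "open", 6),
    ApObservation("a0:b1:c2:d3:e4:02", "CorpNet", "wpa2", 36),
    ApObservation("de:ad:be:ef:00:01", "attwifi", "open", 1),
    ApObservation("de:ad:be:ef:00:01", "xfinitywifi", "open", 1),
    ApObservation("de:ad:be:ef:00:01", "HomeNet", "open", 1),
    ApObservation("de:ad:be:ef:00:01", "CorpNet", "open", 1),
    ApObservation("ca:fe:00:00:00:07", "CoffeeShop", "open", 11),
    ApObservation("a0:b1:c2:d3:e4:02", "CorpNet", "open", 1),
]

# Assumed allowlist: which BSSIDs legitimately serve each SSID, and the
# security the real network uses. In practice this comes from the operator.
KNOWN_NETWORKS = {
    "attwifi": {"bssids": {"a0:b1:c2:d3:e4:01"}, "security": "open"},
    "CorpNet": {"bssids": {"a0:b1:c2:d3:e4:02"}, "security": "wpa2"},
}

# Constructed saved-network list as a phone might hold it.
SAVED_PROFILES = {
    "attwifi": {"security": "open", "autoconnect": True},
    "xfinitywifi": {"security": "open", "autoconnect": True},
    "HomeNet": {"security": "wpa2", "autoconnect": True},
    "CoffeeShop": {"security": "open", "autoconnect": False},
}


def karma_responders(observations, threshold=3):
    """Return {bssid: [ssids]} for radios advertising >= threshold SSIDs.

    A single AP answering probes for many unrelated network names is the
    signature of a responder that says "yes" to whatever a phone remembers.
    """
    ssids_by_bssid = defaultdict(set)
    for obs in observations:
        ssids_by_bssid[obs.bssid].add(obs.ssid)
    return {bssid: sorted(ssids) for bssid, ssids in ssids_by_bssid.items()
            if len(ssids) >= threshold}


def evil_twins(observations, known):
    """Return (ssid, bssid, reason) for known SSIDs served from an unlisted
    BSSID, or from a listed BSSID with a different security setting than the
    real network (a cloned BSSID that drops encryption is still a twin)."""
    findings = []
    for obs in observations:
        expected = known.get(obs.ssid)
        if expected is None:
            continue  # not a network we have a baseline for
        if obs.bssid not in expected["bssids"]:
            findings.append((obs.ssid, obs.bssid, "unknown BSSID"))
        elif obs.security != expected["security"]:
            findings.append((obs.ssid, obs.bssid,
                             f"security {obs.security} != {expected['security']}"))
    return findings


def risky_saved_profiles(profiles):
    """Saved networks that are open AND set to auto-connect: an evil twin
    using the same name can capture these joins without any prompt."""
    return sorted(name for name, p in profiles.items()
                  if p["security"] == "open" and p["autoconnect"])


if __name__ == "__main__":
    for bssid, ssids in karma_responders(SAMPLE_SCAN).items():
        print(f"probe-responder candidate {bssid}: answers {ssids}")
    for ssid, bssid, reason in evil_twins(SAMPLE_SCAN, KNOWN_NETWORKS):
        print(f"evil-twin candidate for {ssid} at {bssid}: {reason}")
    print("saved profiles to set to manual connect:",
          risky_saved_profiles(SAVED_PROFILES))
```

The two access-point checks complement each other: the responder check needs no baseline and catches the "answer everything" radio, while the twin check needs an allowlist but also catches a rogue that copies the legitimate BSSID and can only be told apart by the weaker security it advertises. The profile check is the client-side counterpart of the first protection below; the open, auto-connecting entries it lists are the ones worth switching to manual.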

Two ways to protect yourself:

#1 Turn off “Automatically connect to WiFi” in your mobile device, if you have that option.

#2 Use Hotspot Shield software to encrypt the traffic from your laptop, tablet or mobile device.