All posts tagged cyber security

Despite Cyber Threat, Few Firms Train Staff in Security


Even the most up-to-date firewall and virus protection will not protect you against the biggest threat to your organization’s cyber security – your employees themselves.

Despite this, only 45% of companies train their workers in how to prevent breaches, according to a new report released by the Ponemon Institute, even though 55% of organizations surveyed said they believe they had had a security breach caused by a malicious or negligent employee, and 66% of respondents said employees are the weakest link in their efforts to create a strong security environment.

The report also says that even when there is training, there are “critical areas that are often ignored.” According to the report:

  • 49% said training included phishing and social engineering attacks.
  • 36% said training included mobile device security.
  • 29% said the course included how to use cloud services securely.
  • 67% said their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential cyber threats.


With the obvious disconnect between employee training and the very real constant threat to any organization with a database, many companies are not doing enough on the personnel side to reduce the threat of cyber attacks, like hacking, malware and other malicious code.

Experian Data Breach Resolution, which sponsored the “Managing Insider Risk through Training & Culture” report, had the following recommendations of what employee training should cover to protect a business from cyber attack.


Basic courses should typically cover these topics:

  • Protecting paper documents
  • Securing protected data
  • Password security
  • Privacy laws and regulations
  • Data classification
  • Safe e-mail practices


Advanced courses should typically cover these topics:

  • Phishing and social engineering
  • Responding to a data loss or theft
  • Mobile device security
  • E-mail hygiene


Gamify training to make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. There are new training technologies that simulate real phishing e-mails and provide simple ways to report potentially fraudulent messages.

Experian also recommends that employers provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues. This could include a cash reward or gift card at a local coffee shop.

Another approach to changing behavior is to have clear consequences for negligent behavior, such as inclusion in the next performance review or a mandatory one-on-one meeting with a superior.

In addition to training, you should send regular messages to employees about security and privacy practices.

If you have had a data breach, you should require your staff to retake cyber security training. A breach provides the opportunity for you to train your staff about the importance of carefully handling sensitive and confidential information.


The stuff of cyber nightmares

Negligent and malicious behaviors that keep security professionals up at night:

  • Unleashing malware from an insecure website or mobile device (70%)
  • Violating access rights (60%)
  • Using unapproved mobile devices in the workplace (55%)
  • Using unapproved cloud or mobile apps in the workplace (54%)
  • Accessing company applications from an insecure public network (49%)
  • Succumbing to targeted phishing attacks (47%)


Insured protection

While you may have strong firewalls and a solid employee training program, if you do incur a breach, the fallout can cost you. A cyber liability insurance policy can pay for recovery costs, the cost of litigation and fines and notification costs you may incur.

Call us to see if a cyber liability insurance policy is right for your organization. The chances are extremely high that at some point, your systems will be breached.

Exclusions: What Your Cyber Policy Does Not Cover


As the threat of hacking and cyber attacks on the databases of all organizations grows, so has the uptake of cyber insurance policies. But when buying a policy and anticipating a claim, it’s important to know exactly what’s covered.

All insurance policies have exclusions for what’s not covered but, since cyber insurance is new to most companies, you may not know what isn’t covered by them.

This article will look at the most common exclusions in these policies, which, because the policies are still in their infancy, will vary from insurer to insurer. But for the most part, these are the typical exclusions that cut across all insurance companies.

The International Risk Management Institute in a recent blog post noted that cyber insurance buyers should be aware of the following exclusions:


Bodily injury and property damage – This coverage, standard under a commercial general liability policy, is excluded in cyber insurance as a person cannot be physically injured by having their data exposed when your business’s database is infiltrated.

However, the gray area is if someone whose data has been exposed sues you for a claim of mental anguish or emotional distress, which are often claimed by plaintiffs in data breach lawsuits. Some policies will cover this and others won’t.


Employment-related claims – These are mostly covered by an employment practices liability insurance policy, and are thus excluded from a cyber liability policy. However, if your employees’ personal information was compromised, your policy would likely cover employment-related privacy violations.


War, invasion and insurrection – Most commercial property and liability policies exclude damage resulting from these events, as well as terrorism. But, as the IRMI points out, many cyber attacks could be construed as an act of terrorism.

Talk to us about working with the insurer to include coverage for “electronic terrorism,” so that this area is a little less questionable. “Wording of this kind would preserve coverage for hacking/intrusion-driven losses,” the IRMI wrote recently.


Patent, software and copyright infringement – This is typically covered by intellectual property insurance forms, and not by a cyber policy.

However, some broadly written cyber policies will cover defense costs associated with copyright infringement claims if they are the result of actions by a non-management employee or an outside third party.


Failure to take required security measures – When applying for a cyber policy, the application will include a number of questions regarding the steps you’ve taken to safeguard your data. If an insurer can later show that you failed to implement these security measures, a claim may be denied.

If you have a policy that has this type of exclusion, you need to be vigilant about keeping up the security measures you described on the application, and about keeping records (patch history, device encryption settings, training attendance) that show you actually did. Not all policies have this exclusion, so if you are in the market for a cyber policy, we may be able to help you find one that doesn’t have it.


Loss of electronic devices – This is sometimes referred to as the “laptop exclusion.” Some insurers exclude coverage for data breaches that were the result of an employee losing a company-issued portable electronic device. A study by the Ponemon Institute in 2015 found that nearly 30% of all data breaches were the result of a laptop or smartphone loss.

The above are the main exclusions that a typical policy will include, but because these policies are relatively new, there is often room for negotiation with the insurance company about them.

Regardless, if you think any of these areas could create a liability for your company, talk to us and we may be able to find a policy that best suits your needs.


Watch Out for the Newest Cyber Threat: Ransomware


The cyber-security stakes have gotten higher for enterprises with the recent news that a hospital in Los Angeles had to fork out $17,000 to pay cyber criminals after they crippled its network.

The ransomware that infected Hollywood Presbyterian Medical Center, and the ransom it had to pay the hackers to unlock its systems, reflect the newest danger facing any organization that has a computer network.

The hospital’s case is not an isolated one, and experts are warning that cyber criminals have increasingly switched their targets from big companies to small and mid-sized businesses as their networks are easier to infiltrate, largely because they cannot afford the same sophisticated network security as large companies can.

The “Symantec 2015 Internet Security Threat Report” found that more than half of all cyber attacks were directed at small and mid-sized business, with hackers using an array of attack methods.

The “2015 U.K. Government Security Breaches Survey” found that 74% of small organizations had reported a security breach in the last year.

According to the Symantec report, 52% of spear phishing attacks – which are carried out using fake e-mails that contain links to malicious code – were targeted against SMEs.

The issue of cyber security for small businesses is made even more pressing by state laws that can result in fines for organizations that fail to notify authorities and anybody whose personal data or credit card information may have been breached in an attack.

The most common types of attacks on SMEs include:

  • Ransomware – This is malicious software, typically delivered through a phishing e-mail, that encrypts the files on the infected machine and on any network shares it can reach, with the perpetrators demanding a ransom (typically $1,000 to $2,000 at the time of writing) in exchange for the decryption key. Backups that the infected machine cannot overwrite are the only reliable way to recover without paying.
  • Hack attack – A hacker manages to gain access to a company’s network, typically by exploiting an unpatched vulnerability within the software, allowing them access to the company data. The target will generally be personally identifiable information on a company’s customers, especially credit card information, or employees whose Social Security numbers and other identifiable information may be exposed for the purposes of identity theft.
  • Denial of Service attack – This is when a company’s website or other Internet-facing service is flooded with more traffic than its servers can handle, so that legitimate users can no longer reach it. These attacks are increasingly easy and cheap to carry out, with some online attack-for-hire services costing as little as $30 per hour.
  • Human error – People are generally the weakest link in any security chain, and many breaches are the result of information being lost, or distributed to the wrong person. Even the seemingly mundane can have far-reaching consequences, particularly where sensitive personally identifiable information is involved.
  • CEO fraud – This is where a criminal poses as a senior person within a firm, either by hacking or “spoofing” their e-mail account, and convinces someone with financial authority to make a payment.


What you can do

There are several simple steps you can take to reduce your chances of being attacked:

  • Use strong passwords: long, unique to each account, and made up of a combination of lower- and upper-case letters, digits and other symbols.
  • Install antivirus and anti-malware software on all company devices, including any mobile devices. You should also require it on any employee-owned mobile devices that are used for company business, particularly if they connect to your VPN or access your network.
  • Apply software updates promptly; they often contain vital security fixes. If you are notified that software needs to be updated, don’t hesitate to do so, and explain to staff why this matters.
  • Develop and implement e-mail, Internet and social media policies for your employees to follow. The policy should include the requirement that employees don’t click on suspicious links or open unexpected attachments, and that they report any suspicious e-mails.



Cyber Threat Mounts with Human Error and Ransomware

Two new reports show two significant trends in the increasingly busy area of cyber security: Careless employees are a prime reason many companies’ databases are getting “phished” for data; and the rising tide of ransomware, where hackers freeze up a computer and demand payment to release it.

And in a majority of cases, it is small and mid-sized firms that are being targeted.

Don’t think you need to worry? Think again.

When these malicious code-bearing e-mails (phishing and ransomware alike) are sent, there is an 11% chance that any given employee will click on the link or open the attachment that lets the attacker’s malware onto your network. That does not sound like much, but it compounds: if 10 employees receive such an e-mail, the chance that at least one of them clicks is about 69% (1 - 0.89^10 ≈ 0.69), and with 20 recipients it passes 90%.

Even worse, nearly 50% of users open e-mails and click on phishing links within the first hour. The median time to first click is just one minute, 22 seconds. You can see how the odds are stacked against you, since it’s so difficult to control the human factor.

In a more disturbing trend, Symantec Corp. noted in its “Internet Security Threat Report” that 60% of all targeted attacks strike small- and medium-sized organizations.

“These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver e-mail attachments. This puts not only the businesses, but also their business partners, at higher risk,” Symantec wrote in its report.

It’s important you understand these growing threats to your organization, and that you take steps to minimize the chances of your firm being hit.


Phishing

Phishing is an attempt to obtain credentials or access to systems by masquerading as a trustworthy entity in an electronic communication. Phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack.

In phishing, tainted e-mails, disguised as coming from a trustworthy source, are sent to employees, and if just one person clicks on the link or opens the attachment, the attacker gains a foothold on that person’s machine and, from there, on the company’s network. At that point they can install tools that camouflage the presence of the malicious software and use the compromised machine to root through the network and its databases for sensitive information such as user names, passwords, and credit card details (and sometimes, indirectly, money).

While phishing seemed to be fading in 2013, Verizon Communications Inc., in its annual “Data Breach Investigation Report”, notes that the practice made a resurgence in 2014 largely thanks to employees clicking on links in bogus e-mails.

This human-error dynamic is a significant frustration for businesses that erect firewalls and use other cyber security methods to protect their company data.


Ransomware

The other growing threat is ransomware (also often the result of employees clicking on tainted e-mails). Once someone clicks on a link or opens an attachment, malware infects the computer and locks the screen or blocks some or all of its normal functions.

After the system is rendered unusable (completely or to some degree), the company receives a ransom demand, usually displayed on the locked machine itself, telling it to pay a certain amount to unlock its computers.

Ransomware attacks more than doubled in 2014 to 8.8 million, from 4.1 million the previous year, according to Symantec. Put another way, there were 24,000 attacks per day, compared with 11,000 in 2013.

But Symantec notes that there is a worse threat in the ransomware category: crypto-ransomware. This threat grew 45 times, from 8,274 incidents in 2013 to 373,342 in 2014.

There are several different crypto-ransomware families, but their approach is the same. Rather than locking your desktop behind a ransom screen, crypto-ransomware encrypts your personal files, and the private key needed to decrypt them is held by the attackers at a remote site until the ransom is paid. This is a much more vicious attack than traditional ransomware, because removing the malware from the machine does nothing to bring the files back.

Methods of infection vary, but commonly it’s via a malicious e-mail attachment purporting to be an invoice, energy bill, or image. The delivery often forms part of a service actually provided by different criminals from those executing the crypto-ransomware.
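Crypto-ransomware is hard to stop once it is running, but its behaviour on disk is distinctive: one process rewrites many files in a short time with output that is statistically indistinguishable from random, and usually renames them with a new extension. The detector below is an added example for this page, not code from the article or from any product it mentions; it runs that logic over a constructed stream of file-write events, and the process names, paths, thresholds and the decoy “canary” document are all assumptions chosen for illustration.

```python
import math
import os
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # how far back we look per process (assumed)
FILE_THRESHOLD = 20      # distinct files rewritten in the window before alerting (assumed)
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted output sits close to 8.0
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# A decoy document no legitimate process should ever write to (assumed path).
CANARY = "C:/Users/alice/Documents/~do_not_open_canary.docx"


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: English text is ~4.5, ciphertext ~8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Stateful detector fed with (time, process, path, data, renamed_to) events."""

    def __init__(self):
        self.window = defaultdict(deque)  # process -> deque of (t, path)
        self.flagged = set()              # processes already alerted on

    def observe(self, t, process, path, data, renamed_to=None):
        """Consume one file-write event; return the alerts it triggers."""
        alerts = []
        if CANARY in (path, renamed_to):
            alerts.append(f"CRITICAL {process}: canary file touched")
        renamed_ext = os.path.splitext(renamed_to)[1].lower() if renamed_to else ""
        if renamed_ext in RANSOM_EXTENSIONS:
            alerts.append(f"MEDIUM {process}: {path} renamed to {renamed_to}")
        # Only high-entropy writes or ransom-style renames count toward the window.
        if shannon_entropy(data) >= ENTROPY_THRESHOLD or renamed_ext in RANSOM_EXTENSIONS:
            q = self.window[process]
            q.append((t, path))
            while q and t - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= FILE_THRESHOLD and process not in self.flagged:
                self.flagged.add(process)
                alerts.append(f"HIGH {process}: {len(distinct)} files rewritten with "
                              f"high-entropy data within {WINDOW_SECONDS}s")
        return alerts


def run_detector(events):
    """Replay an ordered event list through one detector and collect alerts."""
    det = RansomwareDetector()
    alerts = []
    for ev in events:
        alerts.extend(det.observe(*ev))
    return alerts


def build_events():
    """Constructed event stream (not a real capture): a word processor saving text,
    then an unknown process mass-encrypting Documents and finally hitting the canary."""
    docs = "C:/Users/alice/Documents/"
    text = b"Quarterly report draft, section 3. " * 120
    rng = random.Random(7)                      # deterministic stand-in for ciphertext
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    events = [(t, "winword.exe", f"{docs}report{i}.docx", text, None)
              for i, t in enumerate((0, 5, 10))]
    for i in range(30):
        src = f"{docs}file{i}.docx"
        events.append((100 + i, "updater.exe", src, blob, src + ".locked"))
    events.append((131, "updater.exe", CANARY, blob, CANARY + ".locked"))
    return events


if __name__ == "__main__":
    for line in run_detector(build_events()):
        print(line)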


What you can do

The bigger question for companies is how to reduce the likelihood of infection. You can’t hire robots to open your e-mails, so you have to find ways to bird-dog those malicious e-mails before they reach your employees’ in-boxes.

The general areas that will give you the most bang for your buck are:

  • Better e-mail filtering before messages arrive in user in-boxes.
  • Developing and implementing a thorough security awareness program from the top to the bottom of your organization. That means including training on how to spot suspicious e-mails, quarantining them and resisting the urge to open e-mails from familiar-sounding names of people you don’t know.
  • Improved detection and response capabilities.


The preferred method is to take measures to block, filter and alert on phishing e-mails at the gateway.
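As an added example (not code from the article or from any vendor it cites), the script below implements the kind of checks a gateway filter, or a trained employee, applies to an incoming message before it reaches an in-box: a display name that pretends to be a different address, a sender domain that merely looks like the company’s own, a Reply-To that routes answers to a third party, link text that disagrees with the real destination, executable or double-extension attachments (the “.scr” screensaver trick Symantec refers to above), and pressure language in the subject. It also covers the CEO-fraud pattern described in the earlier post. Both sample messages, the domain names and the thresholds are constructed assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a gateway should block outright (.scr is just a renamed .exe).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
# Harmless-looking first extensions used in "invoice.pdf.exe" style names.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
PRESSURE_WORDS = ("urgent", "immediately", "wire transfer", "overdue")

# Constructed sample (not a real capture): CEO-fraud message from a lookalike domain.
SAMPLE_PHISH = b"""From: "ceo@example.com" <ceo-office@examp1e.com>
Reply-To: payments@secure-pay-portal.net
To: finance@example.com
Subject: URGENT: wire transfer needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm at <a href="http://198.51.100.7/login">https://portal.example.com/login</a>
and pay the attached invoice immediately.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.scr"
Content-Disposition: attachment; filename="invoice.pdf.scr"
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""

# Constructed benign message from a colleague, for comparison.
SAMPLE_LEGIT = b"""From: "Alice Smith" <alice@example.com>
To: finance@example.com
Subject: Q3 invoices are in the shared folder

Hi, the Q3 invoices are in the usual shared folder, no action needed.
"""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _Links(HTMLParser):
    """Collect [href, visible text] pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def _first_domain(header) -> str:
    return header.addresses[0].domain.lower() if header and header.addresses else ""


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    sender_dom = _first_domain(msg.get("From"))
    org_dom = _first_domain(msg.get("To"))   # the recipient's own domain
    # 1. Display name that pretends to be a different address.
    if msg.get("From") and msg["From"].addresses:
        shown = msg["From"].addresses[0].display_name
        if "@" in shown and shown.rsplit("@", 1)[-1].lower() != sender_dom:
            found.append(f"display name claims {shown.rsplit('@', 1)[-1].lower()} "
                         f"but address is {sender_dom}")
    # 2. Lookalike sender domain, one or two characters off the real one.
    if sender_dom and org_dom and sender_dom != org_dom \
            and _edit_distance(sender_dom, org_dom) <= 2:
        found.append(f"sender domain {sender_dom} looks like {org_dom}")
    # 3. Replies silently routed to a third domain.
    reply_dom = _first_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != sender_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {sender_dom}")
    # 4. Link text that disagrees with the real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            shown_host = urlparse(text.strip()).hostname if "://" in text else None
            if shown_host and shown_host.lower() != host:
                found.append(f"link text shows {shown_host} but goes to {host}")
    # 5. Executable or double-extension attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in BLOCKED_EXTENSIONS:
            found.append(f"attachment {name} has blocked extension .{pieces[-1]}")
        if len(pieces) > 2 and "." + pieces[-2] in DECOY_EXTENSIONS:
            found.append(f"attachment {name} uses a double extension")
    # 6. Pressure language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in subject]
    if hits:
        found.append("subject uses pressure language: " + ", ".join(hits))
    return found


def classify(raw: bytes) -> str:
    """Gateway decision: block executables outright, quarantine on two or more hits."""
    found = phishing_indicators(raw)
    if any("blocked extension" in f for f in found) or len(found) >= 2:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, classify(sample), phishing_indicators(sample))
```

The same indicators are what a reporting employee should be taught to look for; the gateway simply checks them before the human has to. Any real deployment would add sender authentication results (SPF, DKIM, DMARC) from the receiving mail server, which this offline example does not have.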

That said, no technological defense is foolproof, so your people are really your last line of defense.

One of the most effective ways you can minimize the phishing threat is through effective awareness and training.

One idea is to teach all staff to be your scouts and if one of them detects a suspicious e-mail, they can send it to your head of IT or a manager, who can decide to send out a warning to all the staff.

In other words, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.


A note about insurance

A cyber insurance policy would cover many of the costs associated with a breach. Call us to learn more!


Rising Danger of Hacks Spurs Need for Comprehensive Strategies

The “root cause” of the credit and debit card data breach at Target Corp. last year was the company’s lack of a chief information security officer (CISO).

That’s according to a former Target manager who made the comment during a talk at the “Work-Bench Enterprise Security Summit,” according to press reports.

The news came in the same week that the Ponemon Institute released a new study, which found that 43% of enterprises experienced a data breach in 2013 – up from 33% in 2012.

The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information increased to an average of $201 per record – or $5.9 million per breach. Those costs are up from $188 per record in 2012, and $5.4 million per breach.

The lesson from these two news items is that no business can afford a lackadaisical attitude towards cyber security, as hackers and other cyber threats are targeting small and large businesses alike. And while CISOs are out of reach for most companies because of the cost, there are outside consultants in the market who can review your plans and develop a strong security plan for your organization.

The primary reason for the increase in the cost of a breach is the loss of customers that follows a data breach, together with the additional expenses required to preserve the organization’s brand and reputation. In fact, the average rate of customer turnover, or churn, after a breach increased by 15% over the previous year in Ponemon’s study.


The study found that data losses were mainly caused by:

  • Malicious or criminal attacks (44% of companies reported this as the reason for their breach). These were the most expensive breaches, at $246 per record.
  • Employee negligence (31% of organizations). This factor typically cost the organization $160 per record.
  • System glitches (25% of organizations). This factor cost organizations an average of $171 per record.


Fighting the threat

While most companies are not the size of Target and cannot afford to have a CISO on staff, you can still learn from Target’s mistakes. Karl Mattson, who worked at Target from 2008 until 2013 – most recently as manager of cyber and global intelligence – said that the lack of a security culture was Target’s undoing.

Besides not having a solid infrastructure in place to prevent the breach, Target also responded poorly. When the company’s intrusion-detection software discovered the suspicious activity and alerted Target’s IT staff, the company did not take immediate action, he said.

However, many companies are turning to virtual CISO engagements. These are security executives for hire, and they will help develop a security roadmap for their clients.

They will typically conduct reviews of your information security, breach response plans, sensitive data, database, and more.

After the reviews, they will usually produce a report with recommendations for improvements in your policies, security framework, security culture, and more. They will also help you implement the recommended strategies – and they are typically on call in case of a breach.

Finally, whatever route you take to protect your data, you need the final backstop: A cyber liability policy. This will help cover the costs of a myriad of expenses such as data recovery, breach notification, remediation and more.

