All posts tagged hacking

How to Avoid Having Your Cyber Claim Denied

You no doubt have seen our admonitions about the need for businesses to secure cyber insurance policies that can help defray the costs of an attack on your network or a theft of your employees’ or clients’ personally identifiable information.

Businesses are faced with increasing threats and cyber criminals are constantly working to devise new ways to infiltrate organizations’ databases and extract information or find some way to monetize their hacks.

Cyber insurance can help your business recover from these events, but as with all insurance, there are risks that are covered and those that aren’t – and you often will have a certain amount of time to file a claim once you’ve incurred damage.

Your claim may be denied if you file too late, don’t understand your coverage, don’t understand your exclusions or don’t get the insurance company involved early enough, according to the insurance news website PropertyCasualty 360.

In order to best ensure that your claim gets paid, you should do the following:

 

  1. File your claim on time

Most cyber policies are written on a “claims made” basis, meaning they will only cover claims that are made when the policy is in effect. If someone files a claim against your company after the policy expiration, it would likely be rejected.

Some policies may include language that allows claims to be made for a few months after the policy expires, but not all policies contain this language.

Also, if your organization experiences a cyber event that may eventually lead to a claim, it’s important that you notify your insurer during the policy period. If you fail to alert the insurer about it early in the process, it may deny the claim.

You need to communicate to your staff (particularly any information technology personnel) that they need to alert management about any suspicious activity on your networks. Make sure that you create a policy for staff to report all suspicious activity so that it can be investigated further to see if it merits reporting.

  2. Understand the depth of your coverage

Because cyber policies are a relatively new phenomenon and continuously evolving, coverage will often vary from insurer to insurer.

When purchasing a policy, it’s important that you sit down with us to discuss your exposures (such as if you store client credit card information on your servers). This can help us find the right coverage for your organization.

Coverage will vary depending on the type of business you are running, the technology you are using and what data or company intellectual property you want to protect.

Some policies will also require that you have specific protocols and software in place to reduce the chances of your data being hacked. For example, policies will require that the policyholder apply security patches, use encryption technology and have Secure Sockets Layer (SSL) in place to protect credit card data.

If you fail to have this in place when your policy is in effect, the insurer may reject your claim if your systems are breached.

Other areas that cyber policies will often differ on include:

  • Paying for any potential legal costs after a breach.
  • Paying for tools to remediate any exposure.

  3. Understand what’s not covered

All insurance policies have exclusions, and cyber policies are no different. There are many exclusions in cyber policies, but again, they vary from insurer to insurer. Examples of exclusions include:

  • If your data is compromised when sharing it with a vendor, such as a payroll provider.
  • If you have a system pipeline into a client’s network and the network is hacked.
  • Fraudulent entry into certain parts of your network systems.
  • Patent or copyright infringement.

 

Again, it’s crucial that you read your policy before signing and that you evaluate whether any existing or future contracts with vendors or clients fall outside the policy’s coverage area.

 

Two of the major areas of coverage you may want to look for in exclusions are:

  • Will the policy cover data that is stored outside of your network, either on the cloud or on a vendor’s network?
  • Will externally generated data be covered if a breach occurs within your system?

  4. Get the insurer involved early

When in doubt, reach out to us or the insurance carrier if you think you’ve had a breach. Even if it’s just asking questions or trying to clear up your uncertainty, it’s better to contact the insurance company so that the event is on its radar.

It’s better to reach out early because it will give the insurer a chance to investigate the matter and determine if there has been any exposure.

This will give you peace of mind that you will be protected should the matter rise to the level of a genuine claim.

The worst thing you can do is to wait until after you’ve started receiving complaints from customers, vendors or regulators. At that point your insurer will have a much more difficult task on its hands.

Getting the insurer involved early will let it get ahead of the claim, which makes managing it easier – and it can limit the amount of fallout.

Study Finds Almost All Businesses Hit by Cyber Attacks

A new study has found that the majority of American businesses were victims of cyber attacks in the past year, greatly increasing the security stakes for companies of all sizes.

Risk managers are aware of the increasing threat of cyber attack, but despite that, a majority of them said that they are not doing enough to thwart such an event, according to the study by The Hartford Steam Boiler Inspection and Insurance Company.

The results are eye-opening and a wake-up call for all companies, especially firms that do not have a risk manager on staff.

Worse yet, while in the past the majority of cyber attacks were directed at large businesses and corporations, in the last two years, hackers and cyber criminals have increasingly targeted smaller firms that often do not have the same security measures in place as their larger counterparts.

The biggest concerns facing the businesses whose risk managers were surveyed are protecting the privacy of their employees, customers and vendors, as well as risks associated with cloud computing.

 

Some of the more significant findings are:

  • Nearly 70% of all businesses surveyed experienced at least one hacking incident in 2014.

QUESTION: How many hacking scares/incidents have you experienced in the last year?

  • 1-5 (37%)
  • 6-10 (10%)
  • 11-15 (4%)
  • More than 15 (18%)
  • None (31%)

 

  • More than half (55%) of the risk managers don’t believe their company is dedicating enough money or trained and experienced personnel to combat the latest hacking techniques.
  • Most risk managers are concerned about cloud security.

QUESTION: What do you think is the biggest risk when it comes to cloud technology?

  • Loss of confidentiality of information (76%)
  • Service Interruption (16%)
  • Government intrusion (5%)
  • Negative impact on employee satisfaction (e.g. perception of down-time risk) (2%)
  • Lack of service standardization (1%)

 

  • Personal information is the biggest concern for businesses.

QUESTION: What type of information are you most concerned about being breached?

  • Personally identifiable information (53%)
  • Sensitive corporate information, such as business plans, M&A plans, product development information, marketing (33%)
  • Financial information, banking credentials (14%)

 

The insurer surveyed risk managers at small, mid-sized and large companies in manufacturing/industrial; retail; financial services; government/military; medical/health care; and education, among others.

 

Cyber Insurance

As the cyber threat continues to evolve, so do the insurance options available for businesses.

Some trends are starting to become evident in the market, though: rates for retailers, financial and health care-related firms are on the increase, and so are deductibles.

Coverage varies from insurer to insurer, but most policies cover at least the following costs:

  • Forensic investigations.
  • Credit monitoring for affected individuals.
  • Legal fees and settlements.
  • Fines or penalties levied by government agencies.

 

Pricing will vary depending on your industry as well as the strength of your internal security measures.

Retailers shopping for cyber insurance are coming under pressure to secure their payment systems, just as homeowners are encouraged to install locks on doors and windows.

Insurers are also promoting newer technologies for securing payment card transactions that exceed credit card companies’ requirements, such as tokenization and end-to-end encryption.

 


Mobile Threat Booms: Revisit Your BYOD Policies

With the amount of new malware that targets mobile devices growing exponentially, if you have not set down rules for employees who use their own smart phones for company business, you should do so now.

Network security firm PandaLabs has reported that in the second quarter of 2015, it saw an average of 230,000 new types of malware every day and a total of 21 million new threats. Those figures are up an astounding 43% from the second quarter of 2014.

Worse, the report noted that a large number of the new types are variants or mutations of previously known malware, and cyber-criminals are multiplying the types of malware to evade detection by antivirus software and apps.

Attacks on mobile devices also increased, says the report, with not only an increase in malware for the Android mobile platform, but more and more ransomware being developed for the iPhone platform.

Don’t think it’s a threat? In 2014, for the first time, Android devices were infected at the same rate as computers running the Microsoft Windows operating system.

It’s estimated in the “Motive Security Labs Malware Report”, by Alcatel-Lucent, that some 16 million devices are infected by malware.

With mobile device malware infections at an all-time high, your IT decision-makers may need to re-evaluate your company’s bring-your-own-device (BYOD) policies and the way security standards address personal phones, tablets and other Internet-connected machines in the workplace.

Mobile device malware will hit small and midsize businesses harder because of the popularity of BYOD in companies with smaller budgets and IT staffs.

Up until now, most companies’ BYOD security policies have focused on lost devices, password protection and the use of public Wi-Fi when transmitting sensitive data. Even policies that include the installation of anti-malware software to the device do not completely address the mobile malware problem, according to the IBM-operated technology news website PivotPoint.

A number of developers are working hard to devise new apps that detect malware threats, but some of them are not ready for prime time. Also, because the amount of new malware continues to grow, it will be difficult for app developers to keep up and catch everything.

 

Here are some tips for your BYOD policy, courtesy of Information Age magazine:

  • No unauthorized downloads – Your policy should warn against downloading apps from unauthorized sources. Unfortunately, this can’t guard against malware that is embedded into mobile sites or distributed through e-mails and text messages. That’s because mobile devices don’t have the same set of malware checks that a desktop computer has, such as verifying a link or attachment.
  • Use with care – Inform your BYOD users that they need to be more cognizant of their online behavior. You will need to be creative in how you educate your employees about the risks of mobile malware.
  • Keep a register of connected devices – As the IT team connects personal devices to the company network, they should also keep a record of the user and their device details. By maintaining a detailed register, companies can audit their company network regularly to detect unauthorized connections and resource usage.
  • Enforce on-device security – All smart phones and tablets come with passcode controls that restrict access. As part of an employer’s default BYOD agreement, staff should be expected to have the passcode enabled before they are granted access to corporate resources.
  • Use existing network tools more intelligently – Many common network tools and services have functions that make it easier to manage mobile devices. Microsoft Exchange can be used to perform remote data wipes on stolen devices, for example. Companies can make full use of these tools to automate common mobile device management tasks and to manage network logons, for instance.
  • Force VPN use – All devices now support VPN connectivity in the same way that laptops do. To ensure that data transferred to and from devices is secure in transit, make VPN set-up one of the initial tasks to carry out when adding a new device.
  • Mobile device management (MDM) platform – For the best security, you may want to consider an MDM system. This platform allows you to enroll devices, specify and enforce network access rights and even apply content filtering to keep staff focused on work-related activities.

 

Insurance

Finally, your firm should look into cyber liability insurance that can cover costs related to a cyber breach.


Five Reasons You Need a Cyber Liability Policy

The hacking threat is growing with each passing year. There are crooks out to steal data from companies, sometimes to turn around and sell personally identifiable information or credit card numbers to identity thieves and scammers.

Other cyber criminals are just out to create mayhem, shutting down websites and creating denial-of-service attacks that grind business operations to a halt.

The problem for your business is that if hackers walk away with your employees’ social security numbers, they can do serious damage to their credit lines – and in some cases even sell their identities.

The likelihood of any of the above scenarios affecting your company is growing year by year.

In any of the above cases, cyber liability insurance would pay for the costs of responding to an attack. And while you might think that insurance that protects you in case of a cyber attack is for only large companies, in recent years hackers have started targeting smaller companies in greater numbers than large ones.

If you haven’t thought about buying a policy, here are some reasons you should:

  1. It’s affordable – Premiums for most small companies are usually $1,000 to $2,000, depending on your exposure. You can get coverage as high as $30 million and deductibles as low as $10,000, depending on your needs and what you’re willing to pay. Cyber liability insurance is still fairly new, and that means policies will vary from one to the other. In some cases you can even negotiate some parts of the coverage.
  2. Broad coverage – Most policies will pay for business interruption, the cost of notifying customers of a breach, and even the expense of hiring a public relations firm to repair any damage done to your image as a result of a cyber attack. Policies will also cover any penalties you may incur from government agencies. Having such broad coverage will help you weather the storm and keep your business viable.
    Business interruption coverage can be especially important for a small business. That’s because they are typically not as diversified as larger companies and lack the same financial resources.
  3. You likely don’t have a risk manager on staff – While most big companies have a department dedicated to reducing risks, most small and mid-sized firms don’t have that same luxury. If you are buying a cyber liability policy, you can sometimes receive assistance such as an analysis of your firewalls, as well as help making sure you have social media policies in place to reduce the chances of being hacked.
    Your insurer may be willing to help with these areas because the better protected you are, the less likely you are to have a breach that could result in a claim.
  4. Outsourcing data hosting won’t save you – Even if you don’t host your data yourself, you’re still responsible for that data. So even if you are using a cloud storage solution for your data, you need to read the fine print of your contracts.
    The problem is that you can’t control how a cloud provider handles your data, but an insurance policy can protect you if your cloud provider errs.
  5. Your business liability policy won’t cover you – Typically, a general liability policy specifically excludes losses incurred via the Internet. In other words, the cyber liability policy gives you protection you won’t have in other policies.
    Make sure your cyber policy covers laptops and mobile devices as well, to give yourself coverage in as many situations as you can.

Finally, we can help. You can work with us to integrate cyber liability with your general policy and employment liability policy. Talk to us and we can help you achieve seamless coverage.


Improve Your Cyber Defense: Trim Your Data

As companies spend more money on cyber defense, they are often protecting vast amounts of data that is of little or no business use and some information which, if exposed, could be potentially embarrassing.

And if you are like most companies, you have a certain amount of “zombie data” – or information that you may not even realize you had, but that could be harmful if discovered and abused by an outside party.

One of the biggest challenges today is to keep intruders away from your most sensitive files, as well as from files that could be potentially embarrassing if they were leaked.

Worse, if your business is hacked, you will have to sift through troves of data, much of it information that’s never accessed, to find out what the hackers may have breached.

Think about all of the files you have that are of little value to your business: drafts of reports, duplicates, personal communications, and more. What’s important and what’s not? You’ll have to look through it all to find out if sensitive information was compromised.

This is why businesses should manage and cull their data regularly – or at least remove data not integral to their operations from their main database. That way, your business can shrink its “cyber perimeter” and reduce the infrastructure that you have to focus on securing and protecting.

A recent blog post by the law firm of Pillsbury Winthrop Shaw Pittman recommends taking the shears to your electronic data. It reasons that the less data you have to secure, the more you will be able to manage and protect the information that is the most important to your company.

Doing this will also make it easier to monitor who has accessed which data.

Trimming the amount of data you store also reduces the chances of exposing information that may not be high-value or protected personal information, but that consists of communications that might be embarrassing to your company.

Think you don’t have that kind of content? Just think back to the Sony Pictures breach when its president’s e-mails criticizing certain movie stars were leaked and exposed to the public. What if you or one of your staff made flippant, derogatory comments about a customer in an e-mail? That could be there.

As to the issue of zombie data – the enormous amount of data most organizations keep that lacks both purpose and insight – this information, which usually originates from former employees, has no business value or valid reason to be retained but is still being preserved, backed up and maintained on corporate networks.

It’s zombie in that the user no longer exists, and the data is inactive.

Most zombie data comes from files and file shares which IT organizations routinely dump off of devices when employees leave companies.

Zombie data poses two problems. It takes up storage space, which costs money, and you would have to try to retrieve it if you are embroiled in a lawsuit and the opposing lawyer files for discovery.

In that case, the zombie files would need to be queried for the appropriate employee or user, which is not as easy a process as reading a directory. The process is tedious and may turn up significantly more information than the company needs to review and potentially produce. In short, it’s expensive to do this.

To avoid this scenario, you may want to consider culling your records, but make sure you comply with your preservation obligations as well as applicable regulations and laws.

 

The brass tacks

Obviously, the less harmful information that exists on your servers, the better off your company is.

One other benefit from trimming the amount of data you store is that it allows you to better focus your current cyber defense efforts on the information that matters most.

It may also free up some of your budget, which you could use to encrypt the data so that hackers might not be able to use it, or on other techniques designed to make it more likely that hackers will gain access to wrong or useless information.


Business Lessons from the Sony Pictures Attack

On the hacking scale, the attack on Sony Pictures’ computer systems is pretty much the worst-case scenario for any business.
The amount of data breached is shocking: scripts were leaked and as-yet unreleased movies were also stolen and loaded up to pirate movie download sites.
Social Security numbers and details for a trove of big stars, including superstars like Sylvester Stallone, were also published online, in addition to Social Security numbers of 47,000 current and former Sony Pictures employees.

Furthermore, many employees’ computers were compromised, with all of the data stolen before the malicious software the hackers installed wiped entire hard drives clean.
The financial damage could easily reach into the hundreds of millions of dollars. And while it’s surmised that the North Korean government was behind the hack, the attack illustrates what could become the future of corporate warfare.

Imagine companies hiring overseas gangs to infiltrate a competitor’s databases.

Sound far-fetched? You shouldn’t bet on it. The Sony hack has set a new bar for cyber espionage and sabotage.

Anyone who runs a business – whether it’s a mom-and-pop shop or a multinational behemoth like Sony – needs to pay close attention to what happened, and begin to take data security seriously.

Though even the FBI has said that few companies – as few as 10% – could have prevented an attack like the one that targeted Sony, much of the damage could perhaps have been avoided had the company had better data-security protocols in place.

Claiming helplessness in the face of a big hack is not a good strategy. A breach is often an enterprise-level problem.
Sony’s teachable moment is that security has to start at the top and must be part of a company’s corporate culture.

Mindful culture
Any time a hack is perpetrated, company leaders can wind up in the spotlight, whether their personal e-mails were leaked or not. Management must learn to demonstrate a level of sophistication, nuance, sensitivity and respect when communicating internally.

Also, the Sony hack shows that many managers are too flippant in their e-mail exchanges, which can often include harsh criticisms of others. It could even be argued that the lack of respect exhibited in e-mails shows up elsewhere in companies – such as a lackadaisical attitude towards data security that puts personally identifiable information of employees at risk.

To be sure, few companies put under the microscope like Sony would come out looking clean. Is it unreasonable to ask for spotless behavior throughout your organization? Of course it is. Given the reality, however, it’s wise to assume you’ll eventually be hacked. So be good… or at the very least consider picking up the phone if you have something to say that you wouldn’t want to be broadcast on the evening news.

Take care of your assets
In the case of Sony, films were stolen, as were a lot of other assets, including scripts, budgets and even contract negotiations. How can this be prevented?

The first step for companies is to truly take ownership of their assets. Ownership is a state of mind that requires upkeep and vigilance to protect what’s yours. Ownership creates security. Ultimately, this starts with corporate leadership, since fostering a sense of ownership among employees is a trickle-down process.

Maintain a strong culture
A strong corporate culture is constantly evolving. It stays ahead of the curve through clear leadership and a culture where employees feel invested in their work, i.e., they take ownership of the tasks assigned to them. A state of readiness through a culture that puts security first is the only way an attack can be properly contained and managed.

The reality is that any company – whether it’s the size of Sony Pictures or a local online retailer – can be put out of commission in such a spectacular and specific way.

Other tips:
Back up your data – The backup should include the operating system, application software, and data on a machine. Multiple backups should exist in different locations.

Network monitoring – The annual “Verizon Data Breach Investigations Report” consistently points out the need for organizations to monitor security systems. It recommends the use of software that can identify suspicious patterns that could signal an attack in progress.

Antivirus not good enough – The group behind the Sony attack reportedly used destructive malware, wiping the hard drive and the boot loader, making systems virtually unrecoverable. A new class of advanced threat detection and breach detection solutions is available and can inspect both network traffic and endpoint systems for subtle signs of an infection.

Password management – Employees should be trained to use strong passwords. Passwords for different accounts should be different. When possible, single sign-on should be implemented to avoid password fatigue. IT policies should dictate how often employees change passwords and enforce stronger password creation.


Rising Danger of Hacks Spurs Need for Comprehensive Strategies

The “root cause” of the credit and debit card data breach at Target Corp. last year was the company’s lack of a chief information security officer (CISO).

That’s according to a former Target manager who made the comment during a talk at the “Work-Bench Enterprise Security Summit,” according to press reports.

The news came in the same week that the Ponemon Institute released a new study, which found that 43% of enterprises experienced a data breach in 2013 – up from 33% in 2012.

The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information increased to an average of $201 per record – or $5.9 million per breach. Those costs are up from $188 per record in 2012, and $5.4 million per breach.

The lesson from these two news items is that no business can afford a lackadaisical attitude towards cyber security, as hackers and other cyber threats are targeting small and large businesses alike. And while CISOs are out of reach for most companies because of the cost, there are outside consultants in the market who can review your plans and develop a strong security plan for your organization.

The primary reason for the increase in the cost of a breach is the loss of customers following the data breach and the additional expenses required to preserve the organization’s brand and reputation. In fact, the average rate of customer turnover or churn increased by 15% from the previous year in Ponemon’s study.

 

The study found that data losses were mainly caused by:

  • Malicious or criminal attacks (44% of companies reported this as the reason for their breach). These were the most expensive breaches, at $246 per record.
  • Employee negligence (31% of organizations). This factor typically cost the organization $160 per record.
  • System glitches (25% of organizations). This factor cost organizations an average of $171 per record.

 

Fighting the threat

While most companies are not the size of Target and cannot afford to have a CISO on staff, you can still learn from Target’s mistakes. Karl Mattson, who worked at Target from 2008 until 2013 – most recently as manager of cyber and global intelligence – said that the lack of a security culture was Target’s undoing.

Besides not having a solid infrastructure in place to prevent the breach, Target also responded poorly. When the company’s intrusion-detection software discovered the suspicious activity and alerted Target’s IT staff, the company did not take immediate action, he said.

However, many companies are turning to virtual CISO engagements. These are security executives for hire, and they will help develop a security roadmap for their clients.

They will typically conduct reviews of your information security, breach response plans, sensitive data, database, and more.

After the reviews, they will usually produce a report with recommendations for improvements in your policies, security framework, security culture, and more. They will also help you implement the recommended strategies – and they are typically on call in case of a breach.

Finally, whatever route you take to protect your data, you need the final backstop: a cyber liability policy. This will help cover the costs of a myriad of expenses such as data recovery, breach notification, remediation and more.

 
