Category Archives: Cyber Liability Insurance

CyberSecurity: Advice for Prevention

There is no such thing as infallible cybersecurity. No matter how many millions of dollars an organization spends on security, some attacker, somewhere, at some time, may successfully break in. JPMorgan Chase is a commonly cited example: it spent close to $100 million to shore up its systems, only to find those systems breached and sensitive data at risk. The fact that attackers can sometimes get past any defense does not mean that individuals and organizations should sit around and wait for the inevitable. There are steps that minimize risk and can head off a data breach.

Below you will find current methods hackers utilize, along with best-practice preventive measures to protect your systems from such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a culture of security surrounding your organization.

Prevention Is the Best Defense with Cybersecurity

While it is the best outcome, preventing a data breach is neither simple nor easy, even when sound safeguards are in place. In being proactive, organizations face the difficult task of preparing for something that has not yet happened; they have to forecast future cyber and privacy threats. Doing so often entails poring through mountains of data to find a needle in a haystack: a piece of malware, or an indicator that critical data is at risk.

Sometimes, as the recent public breaches show, these threats get lost in the noise. Furthermore, the tech industry’s greatest advantage is also its Achilles heel: rapid change. Product cycles move fast, and the software updates and patches that follow them move even faster. It takes dedicated personnel for an organization to keep up.

Nowadays, security is not just a locked shop door. Digital break-ins can happen at any hour, without warning, and with little or no immediate evidence, which is why you need a sound security program. If network configuration or the employee education program is lacking, exposure to serious risk and liability grows, and valuable digital assets, especially client information, can be lost. This may be unsettling, but do not despair: being informed about these issues is the best defense an organization can have.

I. Conduct a CyberSecurity Assessment

The prevention and detection stages of security (those before a breach occurs) are typically informed by a security assessment, which goes beyond simply scanning an organization’s network for vulnerabilities. An assessment gives a more complete picture of an organization’s security posture, covering policy, controls, and procedures as well as the effectiveness of their implementation.

Tech infrastructure is often a “set-it-and-forget-it” affair. How often do you click “remember me” while logging into a commonly visited site to save yourself the hassle of signing in next time? In the same way, digital infrastructure is installed, configured, and then never touched again. To maintain a secure environment, it is imperative to test, test, and test some more.

II. Assess the Human Element in Cybersecurity 

When it comes to cybersecurity, the human element is just as important as the technology itself, perhaps even more so. Hardware and software require regular human attention to ensure that devices carry the latest updates and security patches. The human element is therefore the single most important aspect of an organization’s security posture, and it is addressed by fostering a culture of security through education and a written acceptable-use policy.

Consider the psychology of a hacker when assessing the role of human vulnerabilities in the viability of an organization’s cybersecurity practices. The term “hacker” is interesting in its ability to conjure up a vague though widely held notion of the cyber-criminal. The vision is fairly common: a scruffy, socially challenged individual, slouched in a swivel chair, speedily typing on a keyboard as indecipherable streams of digits race down the screen. Cue The Matrix.

Compared to other criminals, the hacker largely remains an unknown, impersonal entity, tied intrinsically to a modern era of technological advancement. However, what is often forgotten is that although hackers are primarily recognized for their abilities to manipulate technology, they can be equally adept at manipulating people. Cybersecurity procedures rely heavily on human participation and interactions. The first step of a hacking scheme, the crucial point at which the probability of a data breach is determined, can (and often does) start at the human level. Unsuspecting personnel may encounter a hacker without even realizing it, giving them access to sensitive data simply by offering a Wi-Fi password or log-in credentials.

It is important to recognize that, similar to technology, individuals can be prone to trusting disreputable sources. A hacker is willing to take advantage of the breadth of an organization’s vulnerabilities; consequently, employees are just as vulnerable to attack as technological data sources.

Employees can also download malware without realizing it, for example through illegal downloads or torrents of movies and applications; these unsafe browsing habits frequently lead to infections. Do not rely on an e-mail scanning product or spam folder to keep every malicious message out of the inbox. A hacker’s job goes beyond exploiting strictly digital vulnerabilities; the successful ones look for human vulnerabilities.

III. Watch Out for Phishing Aggression

To assess and react to the danger humans pose to digital security, it is important to know what the “bad guys” are doing. While external hackers have a diverse arsenal of techniques, a few are especially pertinent because they can affect any employee within an organization. Hackers are often referred to as “social engineers,” as they try to manipulate and trick their targets into giving them access.

One of the most prominent examples is “phishing”: a mass e-mail that lures unsuspecting recipients into clicking a malicious link or opening a malicious attachment. The link leads to a web server under the attacker’s control, which either delivers malware to the user’s machine or presents a fake login page that harvests the user’s credentials.

Even more unsettling, though similar, is a “spear-phishing” attack. Unlike a phishing attack, spear-phishing is a directed attack. Cybercriminals gather information about a victim, which is then used to construct a fraudulent e-mail intended to trick the victim. Rather than being obviously nefarious, these e-mails are very realistic and tailored to the person hackers are trying to trick.

For example, in the banking industry, an attacker may send an e-mail cloaked as a communication from the Federal Deposit Insurance Corporation (FDIC). A phishing e-mail does no harm until a user acts on it by clicking the link, opening the attachment, or typing credentials into the page it leads to. To prevent this within an organization, personnel need to be trained to identify false links. Before clicking, hover over the link to see the true destination URL (not the displayed text) or, better, train employees to type the address they need directly into the browser. Telltale signs of a false link include a raw IP address, a trusted name buried inside an unrelated domain (such as a bank’s name appearing as a subdomain of something else), and look-alike characters in the host name.
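The “hover to see the true URL” check above can be automated for mail that has already arrived. The following is an added example, not code from the original article: it extracts every link from an HTML message body, compares the displayed text against the real destination, and flags the warning signs just listed. The sample e-mail, the TRUSTED_DOMAINS list, and the function names are constructed for this illustration; the registrable-domain logic is deliberately naive (last two labels) and a production version should use the Public Suffix List.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization treats as legitimate senders (assumption for this
# example; a real deployment would load its own list).
TRUSTED_DOMAINS = {"fdic.gov"}

# Constructed sample message modeled on the FDIC lure described in the text.
SAMPLE_EMAIL = """
<p>Dear account holder, your FDIC coverage requires verification.</p>
<p><a href="http://fdic.gov.secure-login.example.net/verify">https://www.fdic.gov/account</a></p>
<p>Reference: <a href="https://www.fdic.gov/resources">FDIC deposit insurance FAQ</a></p>
<p><a href="http://203.0.113.5/update">Click here</a> to update your record.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed IPv6 literal etc.
        return ""


def registrable_domain(host):
    # Naive: the last two labels. Real code should consult the Public Suffix List
    # so that names like "example.co.uk" are handled correctly.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text):
    """Return the list of reasons this link deserves suspicion (empty means clean)."""
    reasons = []
    host = _host(href)
    if not host:
        return reasons  # mailto:, relative links and the like are out of scope here
    if _is_ip_literal(host):
        reasons.append("target is a raw IP address")
    if "xn--" in host:
        reasons.append("target host uses punycode (possible look-alike domain)")
    if urlparse(href).scheme == "http":
        reasons.append("target uses plain http")
    # A trusted name appearing only as a label inside some other domain,
    # e.g. fdic.gov.secure-login.example.net
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in f".{host}." and registrable_domain(host) != trusted:
            reasons.append(f"trusted name {trusted} appears inside untrusted domain {host}")
    # Displayed text that looks like a URL but points somewhere else
    shown = text.strip()
    if shown.lower().startswith(("http://", "https://", "www.")):
        shown_host = _host(shown if "://" in shown else "https://" + shown)
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append(f"displayed URL host {shown_host} differs from real host {host}")
    return reasons


def analyze_email(html):
    """Return (href, text, reasons) for every suspicious link in the message."""
    parser = _LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results


if __name__ == "__main__":
    for href, text, reasons in analyze_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the FDIC look-alike and the raw-IP link are reported while the genuine fdic.gov link passes. The same checks work on the href of any link a user hovers over; the point is that the decision is made on the destination, never on the text the sender chose to display.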

IV. Provide the IT Department with Useful Tools

While a universal training program aimed at informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team is staying on top of current advancements in security and has the resources to minimize vulnerabilities. Often IT people are more concerned with making sure technology is being implemented for productivity, not necessarily for security. Digital assets vary for every organization, making specific preventive measures hard to define. In general, the prevention of attacks and threats should be consistently audited so that a specific information security policy can be created and carried out within the specific context of an organization.

As one general example, outdated and unpatched software poses a serious risk. Cybercriminals often target older software precisely because it has been around so long: the longer a piece of software is deployed, the more time attackers have had to build reliable exploits for known flaws that the vendor has not fixed, or whose fix the organization has never applied.

In many industries, including healthcare, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can become expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats – they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team well equipped is key to a strong security posture.

V. Limit Access to Critical Information

An often under-analyzed piece of the preventive puzzle is access control. Put simply, not every employee should have access to all data. Even in IT, members of the team should use non-privileged accounts for daily activities and reserve administrative credentials for administrative tasks. This is central to minimizing risk because it reduces the number of paths by which data can leave the organization’s network, and every privileged credential in routine use is one more credential whose theft hands an attacker immediate elevated access.

In line with this, it is also crucial to consider internal threats. For example, a disgruntled employee gains access to sensitive data, steals it, and posts it publicly online. Limiting access to critical data on an as-needed basis can, in some cases, eliminate this risk altogether. People are a company’s biggest asset but also its biggest liability with respect to information security. Awareness and implementation of policy are key to maintaining that “culture of security.”

VI. Recognize the Risks of BYOD

Practicing and applying security and data access controls is crucial outside as well as inside the office. Mobile computing has changed both the practice of cybersecurity and what a reasonable policy looks like. It is increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, in e-mail, in cloud services, etc.).

With respect to policy, many organizations and their agents favor the cost benefits and choice of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances BYOD gives up part of a uniform security strategy and leaves the organization with less control over its data: standard mobile device management tools are typically not installed on employees’ personal devices.

BYOD can also open unmanaged paths from the organization to the Internet. Many smartphones offer tethering, whereby other devices share the phone’s cellular data connection. Traffic over such a connection bypasses the organization’s network and its monitoring, so suspicious connections go unseen.

Before simply accepting BYOD as a cost-effective and desired approach, ensure that the organization understands the rules, risks, and rewards of the new policy. If the organization implements BYOD, do so in such a way that the organization maintains a modicum of control. Also, take legal ramifications under consideration and determine whether there are special regulatory concerns particular to a certain industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.

VII. Look Beyond Your Employees

Data control goes beyond employees. It extends to any entity that can store, access, or use a company’s sensitive data, including third-party vendors. Develop contracts that protect the organization in every engagement that involves a vendor: vendors can introduce security lapses and vulnerabilities while not holding themselves to the necessary digital risk standards, and failing to address that can result in a digital catastrophe.

This is best evidenced by the devastating payment card breach Target suffered in late 2013. Target appeared to have appropriate controls in place, with dedicated IT staff and security appliances. Believing its security practices were sound, management overlooked one critical issue: an outside heating, ventilation, and air-conditioning (HVAC) service vendor was granted network access that was not isolated from the point-of-sale environment. This is an example of a lapse in human execution rendering good technical measures ineffective.
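The Target lesson is a segmentation question: from the network a vendor is allowed to reach, what else can an intruder pivot to? The following is an added example, not code from the original article or from any real retailer, that treats a firewall allow-list as a graph and searches for a chain of permitted flows from an untrusted zone to a protected one. The two rule sets and the zone names are constructed; FLAT_RULES is modeled on the situation described above (vendor access landing on a network that can also reach point-of-sale systems) and SEGMENTED_RULES shows the corrected layout.

```python
from collections import deque

# Constructed flow allow-lists. Each rule is (source zone, destination zone, service).
# FLAT_RULES mirrors the breach narrative: the vendor lands on the corporate LAN,
# and the corporate LAN may talk to the POS segment. It is not Target's actual config.
FLAT_RULES = [
    ("internet", "vendor_portal", "https"),
    ("vendor_portal", "corp_lan", "smb"),
    ("corp_lan", "pos_lan", "rdp"),
    ("corp_lan", "hvac_controllers", "https"),
    ("pos_lan", "payment_processor", "https"),
]

# Corrected layout: the vendor reaches only the equipment it services, and
# administrative access to POS goes through a dedicated jump host.
SEGMENTED_RULES = [
    ("internet", "vendor_portal", "https"),
    ("vendor_portal", "hvac_controllers", "https"),
    ("corp_jump_host", "pos_lan", "rdp"),
    ("pos_lan", "payment_processor", "https"),
]


def attack_path(rules, start, target):
    """Shortest chain of zones an intruder who controls `start` could pivot through
    to reach `target`, or None if segmentation blocks every chain.

    Any allowed flow is treated as a potential pivot regardless of service: once a
    host in a zone is compromised, the attacker inherits whatever that zone may reach."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for src, dst, _service in rules:
            if src == zone and dst not in prev:
                prev[dst] = zone
                queue.append(dst)
    return None


def audit_segmentation(rules, untrusted_zones, protected_zones):
    """Every (untrusted zone, protected zone, path) pair that violates segmentation."""
    findings = []
    for untrusted in untrusted_zones:
        for protected in protected_zones:
            path = attack_path(rules, untrusted, protected)
            if path:
                findings.append((untrusted, protected, path))
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        found = audit_segmentation(rules, ["vendor_portal"], ["pos_lan", "payment_processor"])
        print(name + ":", found or "no path from vendor to POS")
```

On the flat rules the audit reports vendor_portal → corp_lan → pos_lan; on the segmented rules it reports nothing. Running such a check whenever a vendor is onboarded or a firewall rule changes turns the “should this vendor be able to reach that?” question into a repeatable test rather than an assumption.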

Target is not alone; other breaches, such as those at Boston Medical Center and Goodwill, involved larger companies that failed to audit third-party vendors. Smaller vendors are often a hacking “stepping-stone”: compromise them to get at their larger clients, who hold more valuable data. This is especially true today, when even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices while its sensitive information sits exposed with its vendors.

To mitigate third-party risk, ensure that the appropriate parties, especially the legal department, are involved in vendor selection and that contracts guarantee audit rights. That means adding audit clauses that allow the organization to regularly check that vendors comply with the relevant standards. Including cybersecurity in the contracting process is now imperative.

VIII. Don’t Overlook the Importance of Data Backups

In addition to the risk of data being compromised, the loss of data entirely can be even more devastating. While most large corporations can afford to keep sensitive data in multiple locations, others cannot. Irrespective of the organization’s size, individual workstations may hold important client data that should be backed up regularly. However many backups an organization maintains, do not get bogged down by the sheer volume; plan for the absolute worst, such as a hurricane, tornado, or other disaster that could destroy all of an organization’s data at once. A backup that has never been restored is an untested assumption, so test restores on a schedule and keep at least one copy offline or otherwise out of reach of the systems it protects.

Data loss can happen in other ways most people don’t expect.

A couple of months ago, I got a call from a local government agency that had a nasty “ransomware” infection. Ransomware is malware that extorts victims by encrypting their files. It typically arrives when someone clicks a link in a pop-up or opens a “phishing” e-mail. Once it runs, the attacker notifies the user that their files have been locked, often claiming the user committed a crime, and demands payment for the decryption key within a certain time, after which the files will supposedly be inaccessible forever.

Unfortunately, paying the “ransom” usually will not unlock the files; it only lines the pockets of the extortionists. In this case, the agency had not consistently backed up its data and lost months of work. That infection prompts reflection on something overlooked as a serious risk to daily business activity: data backups, off site or otherwise.
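A backup is only useful if you can tell that what is in it is still intact, and a ransomware infection is often first noticed as files whose contents have silently changed. The following is an added example, not code from the original article: it records a SHA-256 manifest of a folder, later verifies the folder against that manifest, and uses byte entropy to single out changed files that now look encrypted. The folder, file names, and the 7.5 bits-per-byte threshold are constructed for the demonstration; the demo() function builds the scenario in a temporary directory so the whole thing runs offline.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumption for this example: changed files whose bytes carry at least this much
# entropy are reported as likely encrypted. Tune against your own data.
ENCRYPTED_THRESHOLD = 7.5


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data sits near 8, plain text around 4 to 5."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def verify_manifest(root, manifest):
    """Compare the current tree with a stored manifest.

    Returns files that disappeared, files whose digest changed, and the subset of
    changed files whose contents now look encrypted (the ransomware signature)."""
    root = Path(root)
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(name for name, digest in manifest.items()
                     if name in current and current[name] != digest)
    likely_encrypted = []
    for name in changed:
        with open(root / name, "rb") as handle:
            if shannon_entropy(handle.read(1 << 20)) >= ENCRYPTED_THRESHOLD:
                likely_encrypted.append(name)
    return {"missing": missing, "changed": changed, "likely_encrypted": likely_encrypted}


def demo():
    """Constructed scenario: snapshot a folder, then simulate ransomware overwriting
    one file with ciphertext-like bytes and deleting another. Returns the verification
    results before and after."""
    work = Path(tempfile.mkdtemp())
    try:
        (work / "ledger.csv").write_text("date,amount\n" + "2020-01-01,100.00\n" * 200)
        (work / "memo.txt").write_text("Quarterly planning notes for the finance committee.\n" * 50)
        manifest = build_manifest(work)
        before = verify_manifest(work, manifest)
        (work / "ledger.csv").write_bytes(os.urandom(8192))   # stands in for encryption
        (work / "memo.txt").unlink()                           # file removed
        after = verify_manifest(work, manifest)
        return before, after
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Store the manifest with the backup, not only on the machine being backed up, so that a machine compromised later cannot rewrite it. The entropy check is a heuristic, not proof (legitimately compressed or already-encrypted files score high too), but an unexpected jump in entropy across many changed files is one of the earliest indicators that the most recent backup should be treated as suspect and an older one used for recovery.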

IX. Develop a Security Culture

Audit all controls against both external and internal threats. Make sure these controls are in place and effective, and test them by attempting to penetrate your own infrastructure. Information security should be layered: an organization needs not only a digital fence but also a locked front door. And in addition to locks and fences, hold a policy information session that teaches people how to keep the gate closed and the door locked.

Incorporating these provisions into policy and executing that policy through employee training programs, moves organizations to a stronger security posture. Creating an atmosphere for effective security is just as important as the security practices themselves.

“Hope for the Best, Prepare for the Worst.”

The balance between cost and preparation is worth considering, and preparation is much cheaper than the fallout of a breach. When it comes to security, prevention is certainly the first choice.

What happens if an organization takes all the preventive measures and still loses data? Technology constantly gains new security measures, yet cybercriminals stay a step ahead of the latest defenses. One of the primary reasons for their persistence is that a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on the conveniences of payment card technology.

X. Recognize the Value of Data

Not unlike the recent credit card breaches, hackers consistently target health data because it is valuable, either to gather intelligence about specific people or as a tool for identity theft, and because it has historically not been well secured. Patient names, birth dates, billing information, and health histories enable complex identity theft and medical fraud schemes.

More importantly, this data has a market on the “Dark Web” beyond those who stole it. By one estimate, Google indexes only about 17 percent of the web, the part where most people browse, shop, and carry out their other online activities. Below that surface lurks the Dark Web, where criminals market a variety of goods and services, from passports and drugs to “rent-a-hacker” services for the purpose of messing up someone’s life. Thanks to the Dark Web, stolen client data of every kind has a market, which increases its appeal.

Even if an organization conducts an audit of all security controls and policies, a new exploit could be found the next day, rendering a clean bill of security health void.

Case Study Illustrates the Risk of Not Participating in Cybersecurity 

The following case study illustrates that employee education is key. About a year ago, a large corporation contacted me claiming its systems had been compromised: there had been an unauthorized $1 million wire transfer to Russia. Management suspected an inside job by one of their employees. They had spent hundreds of thousands of dollars on security appliances, thinking this could not possibly happen to them. However, a review of their infrastructure revealed a lapse. They had adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”

Because they assumed their appliances would not let such a thing through, a spam e-mail reached an employee’s workstation. That individual clicked a link and launched the “Zeus” malware. While the hacker’s toolbox is expansive and variable, certain tools are worth mentioning, and Zeus is one. Once executed, Zeus monitors the infected computer for certain kinds of user activity, including online banking; it often remains dormant until the user visits a financial services or banking website.

Once Zeus identifies the targeted activity, it collects confidential data, including a log of all keystrokes and screenshots, and transmits it to the attacker. In this case, someone had also inadvertently left a security token plugged in. The attackers had everything they needed: they set the software to wait for banking credentials, and after that all they had to do was log in and initiate the transfer.

This story teaches us that these lapses do happen, even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security. Management acted quickly, hired professionals, and assembled the narrative to recoup their money. They carried out reasonable steps for the safety of their customers’ information.

Lessons Learned about Cybersecurity

More often than not, though, incidents come unexpectedly and organizations have little preparation for the worst. Officers and employees often don’t have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown.

While designing a preventive policy, also write an incident response plan. It should prevent an operational shutdown in the event of a breach and allow quick, decisive action. Be sure you have the right contacts on hand to respond to an incident. Be ready for the inevitable, even if it seems impossible.

Specialists can assemble the narrative of an incident: the initial exploit, the escalation, and which data was ultimately compromised. With that, an organization is better able to prevent a similar attack and has a clear picture of how to handle related tasks such as client notification.

Breach Notification

Breach notification obligations are easy to misjudge. An organization’s responsibility to notify clients, partners, and other parties about a breach varies from situation to situation. In certain industries, federal and state regulations dictate the rules; elsewhere the decision is up to executives. Before responding to the public or proactively notifying clients, it is best to establish the facts through investigation. There is a large difference between an infection (a malware alert or abnormal web traffic) and a data breach; evidence of an attempted breach does not mean the attackers succeeded. Moreover, even if data was stolen, the type of data is central to the notification procedure. One caveat: where a statute or contract imposes a notification deadline, that clock often runs from discovery of the incident rather than from the end of the investigation, so confirm the applicable deadlines with counsel early.

Organizations that suspect a breach will often jump the gun and notify clients before an investigation is complete. In the end, sometimes nothing serious happened: no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is a risk in its own right; some clients may not be comfortable continuing business with a company that has disclosed a breach. Rule out a false alarm first. That said, client notification belongs in the defined incident response plan. Be proactive, but do not inform clients or authorities until a serious breach has been established, within whatever deadlines the applicable law sets.

Complete a Thorough Investigation

In the unfortunate case that personally identifiable information was stolen, work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As alluded to above, the regulatory requirements vary greatly between industries and states, for now. Until there is an overarching federal regulation that applies the same requirements to all industries and defines what kinds of stolen data must be reported, the current patchwork of compliance and data security laws remains the law.

Similarly, after an incident, education remains the most important aspect of preventing another breach. Treat an incident or a breach as a valuable learning opportunity. After the investigation, walk employees through every detail of what happened. Pinpoint the failures and, most importantly, learn from the event so the same thing does not happen again. Hold the entire team responsible for a lapse in security, not just one employee.

Conclusion & Takeaways of Cybersecurity

Preparation is key in any prevention strategy, and good security always starts at the human level. Best practices are just that: practices. Cybersecurity measures are always a work in progress, reflecting the constant stream of new technology. It takes time to discover, learn, and implement the best methods, and ongoing education within a “culture of security” is imperative. Here, knowledge truly is power.

 

Download Our Cybersecurity Considerations Checklist

For More Information on Cyber Security Risk click here or call one of our Risk Advisors at (914) 357-8444.

Secure Your Organization Using Multi-Factor Authentication

In a time when most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Attacks range from ransomware delivered in spam e-mails to phishing e-mails that pose as trustworthy entities to obtain account information. One way organizations can better protect themselves is to mandate that every employee use multi-factor authentication on every business account.

 

Second-factor authenticators come in digital and physical forms, as well as combinations of both. Below are a few of the most commonly used:

Digital Authenticators

One benefit of a digital second factor is that users do not need an additional physical token or device.

Email authentication

Email verification requires the user to click a link or enter a code sent to their e-mail address to prove control of that mailbox. Its biggest weakness is password reuse: a majority of people reuse the same password across their important accounts, so if the mailbox shares the password the attacker already has, the second factor collapses.

Using email as a second method of authentication looks like this: 

  • A user logs in to a website with their username & password
  • A unique code or link is then sent to the user’s e-mail address linked to the account
  • The user logs in to their e-mail account, finds the code and enters it into the application or website, or clicks the link in the e-mail
  • If the code is valid, the user is authenticated and granted access to the account.

Cellphone authentication (SMS)

The most common method is a code sent by SMS to a cellular phone. It is considered more secure than e-mail because it does not depend on a mailbox that may itself be compromised. Its weaknesses are SIM swapping, in which an attacker convinces the carrier to move the number to a SIM they control, and the fact that an SMS code can be phished and relayed in real time just like a password.

SMS Authentication will look like this for a standard user:

  • A user logs in to a website with their username & password
  • A unique code is sent to the cellular phone number linked to the user’s account
  • The user reads the code (typically 4 to 6 digits) from their phone and enters it into the application or website
  • If the code is valid, the user is authenticated and granted access to the account. 

Physical  Authenticators 

A physical authenticator is harder to defeat remotely because a real device is needed: the user has a tangible key, or an app enrolled on a device, in their possession. That raises the bar for attackers. Note that codes generated by an app can still be phished and relayed in real time; a hardware security key that signs the site’s challenge (FIDO U2F/FIDO2) cannot be replayed against a look-alike site, because the key binds its response to the genuine site’s origin.

Application-based authentication

Applications such as Google Authenticator use a one-time code to prove possession of the enrolled device. They are tied to the device, not the phone number, so SIM swapping does not defeat them. The experience is either a push notification to approve, or a time-based code (usually 6 digits) that the app computes locally from a secret shared with the service at enrollment, which the user types into the site.

  • At enrollment, the service generates a random secret and shows it as a QR code; the app scans it and stores the secret on the device
  • A user logs in to a website with their user name & password
  • The website prompts for the code; the app computes it from the stored secret and the current time (a new code every 30 seconds), with no network connection required
  • The user enters the time-sensitive code into the website
  • The website computes the same code from its own copy of the secret and the current time; if they match (allowing for a small amount of clock drift), the user gains access

Physical authentication device

At Metropolitan Risk, we supply our staff with the hardware authentication device YubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.  

This physical device plugs into a USB port (some models also work over NFC) and requires a human touch before it will respond, so malware on the computer cannot use it silently.

The process of using a physical authentication device looks like:

  • On the account the user wants to log into, enter the username and password as normal
  • When prompted for the second factor, insert the key into the computer’s USB port (or hold it to an NFC reader)
  • Touch the key’s contact; depending on the mode the key is enrolled in, it types a one-time password into the form, or it signs a challenge from the site (FIDO U2F/FIDO2) with no code to type
  • If the one-time password or signature is valid, the user is authenticated and granted access to the account

Developing An Organization-Wide Plan To Implement Multi-Factor Authentication 

Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees. 

  • Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts. 
    • Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans. 
  • If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
    • Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
  • If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
  • Distribute the authentication devices and instructions to your employees
    • Make sure all employees are on the same page with how to manage this new software. 
    • Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
  • Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures. 

Remember, cybersecurity only works if the entire organization is working towards the same goals. 

Metropolitan Risk is here to help your organization overcome obstacles that can affect your organizations’ operations. Contact A Risk Advisor to book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage or Call 914-357-8444.

Disturbing Hacking Trends

Security experts commonly say that there are only two types of companies these days: companies that have been hacked, and those that don’t yet know they’ve been hacked. Here are some important hacking trends from a statistical study, Verizon’s Data Breach Investigations Report.

Verizon’s 2020 Data Breach Investigations Report counted 3,950 CONFIRMED data breaches last year among more than 32,000 “security incidents” (an incident counts as a breach once data is confirmed to have been exposed).

Victims spanned a wide range of 16 industries with these 4 having the largest number of cases:

  • Professional Services – 7,500 incidents, 325 breaches
  • Public Administration – 6,850 incidents, 350 breaches
  • Information – 5,500 incidents, 360 breaches
  • Financial/Insurance – 1,500 incidents, 450 breaches

*Totals slightly off due to rounding

 

Any business that operates online is at risk of a data breach, and it doesn’t matter how small your business is.

According to Verizon’s report more than 3 out of 4 breaches are done by profit-minded criminals for financial gain. 

Other alarming stats:

  • Only 30% of data breaches were the work of insiders; the other 70% came from outside the organization.
  • 86% of data breaches were financially motivated.
  • 58% of breaches compromised personal information.
  • Malware was installed on the victim’s systems in only 17% of breaches; stolen credentials and social tactics such as spear phishing and business email compromise were more common routes in.
  • In 22% of breaches the attackers leveraged social tactics such as spear phishing, in which an e-mail tailored to the victim purports to come from a friend or business contact. The e-mail contains a malicious link or attachment that, when clicked, gives the attacker a foothold in the victim’s network. See the image below for an example of what NOT to click.

Photo from Wikimedia Commons

The good news? The Verizon report also tracks the lag between a breach and its discovery, and this year companies and their external security vendors improved on it: in 81% of breaches, containment took only days, compared with earlier years when it took months or even a year. Previous yearly reports said things like “The compromise-to-discovery timeline continues to show in months and even years, as opposed to hours and days.” That is no longer the trend. Don’t become another entry in one of the larger hacking trends currently ongoing. Click the link below or call 914-357-8444 today.

Click here for advice on preventing hacking theft or if you are still interested in a crime policy to protect your assets.

Business Interruption and Ransomware

Ransomware is a type of malware that encrypts a victim’s files or locks them out of their computer until they pay the attacker a ransom. The NY Times reports that these attacks grew 41 percent in 2019. Ransomware is a growing problem, not only in the severity of an attack but in how long an organization stays under attack, and in the time lost between the attack and restoring systems from backups.

 

Cybercrime continues to evolve with changes in technology. Ransomware attacks have traditionally targeted organizations with lax cybersecurity. Today cybercriminals can plant ransomware on an organization’s server or website, and it can lie dormant on a machine or server for months, collecting data about the organization, before it triggers.  

 

Business owners should take the time to understand the coverage in their business interruption policies. Since ransomware attacks are becoming easier for cybercriminals to execute, business owners should fortify their digital assets and make sure they have Business Interruption Coverage in the event their business is attacked. It is scary to think that nothing can be done when faced with a cyberattack, but being prepared for the potential loss of revenue during downtime after an attack is just as important as assessing in advance what cybersecurity measures your organization has in place. 

 

Business Interruption Coverage

Business interruption coverage will only help your organization recover some of the financial loss from a security breach. It is a response to an incident that has already occurred, not a proactive measure that stops a breach from happening. Without it, your organization would have no claim to file to help fund rebuilding the business after its data is lost. Business interruption insurance covers income lost due to a covered disaster; in this case the disaster is a ransomware attack or another type of cyber attack. 

A Proactive Approach

Recognizing weak spots in your organization’s cybersecurity is one way to proactively protect it from cyber-attacks. Digital has become the new normal. A few extra steps will protect your business assets and make a successful attack on your organization far less likely. A few things for your organization to consider are:

  • Select trusted and reputable telecommunication & telework software for your organization. With more organizations moving to remote work, there has been an uptick in fake telework companies.
  • Keep an eye out for Business Email Compromise (BEC). It is often associated with fake new clients and phishing schemes that target your employees’ credentials and banking information.
  • Use multi-factor authentication when accessing organization sites, resources and files. We previously released an article with our suggestions to prevent SIM-Hacking. Click here to read the guide and learn more about multi-factor authentication.
  • Ensure all computers & mobile devices have up to date antivirus software installed. Keep all software up to date, including website plugins, browsers, and document readers.
  • Don’t open attachments or click links within emails received from unknown senders.

 

Cybersecurity Measures To Take

Another step is to make sure your employees have the training to recognize how criminals attack. Ransomware doesn’t just end up on a server; attackers place it there through downloaded files, malicious attachments or phishing websites.

Train your employees to recognize the signs of a phishing attack. Regularly schedule phishing tests to test whether your employees are practicing safe internet behavior. 

 

Still have questions? Still want more info? Take the proactive approach and contact a risk advisor or call 914-357-8444 to discuss how your organization can protect itself from a ransomware attack and ensure that your organization has business interruption coverage to protect yourself if an attack occurs. 

Phishing Attacks: Know the Signs!

Beware of Phishing!!!

Hackers will start with low-level employees first, making their way to executives’ accounts.

Hackers are constantly looking for ways into company accounts. They start by sending trustworthy-looking emails to employees, directing them to a scam website that asks for their username and password. Once the hacker has access to that employee’s account, they can send phishing emails from it to higher-positioned employees, which can compromise the whole company. 

With that access, they can leverage the company’s own domain and send emails to others. Scammers chain phishing attacks this way: compromise a small, vulnerable business, then abuse the trust its business partners place in email that comes from it. 

 

In phishing, it’s all about gaining the recipient’s trust so that they click the link or open the attachment. 

 

Another phishing scheme that has resurfaced is “typosquatting”, or URL hijacking: attackers buy domains that are slight misspellings of popular websites, like goggle.com or yuube.com. “Spear phishers”, attackers who go after one specific person rather than sending bulk email, can put considerable effort into that single target. They create misleading web pages, fake social media profiles or fake personal blogs to earn the target’s trust, and build fake sites that mimic the login screens of trusted services to capture email addresses and passwords. 

Sophisticated hackers are willing to sell their services to specific organizations, individuals, or nation-state entities who want to steal information from someone. Some phishing providers offer networks of bots that produce fake websites, while others sell phishing toolkits to clients. 

 

Signs you’ve received phishing emails and how to Spread Awareness:

Check the Web address! Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site: 

  • Always confirm the sender’s actual address, not just the display name. The name shown can look legitimate until you expand or hover over it; check that the domain after the “@” belongs to the organization the message claims to come from. 
  • Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com), or the real company name placed in front of an unrelated domain; what matters is the part of the address immediately before the first “/”.
  • “http://” vs. “https://” at the start of the address. A legitimate sign-in page (the original example here is a Yahoo sign-in page) starts with “https://”; the letter “s” must be included. Treat this as a necessary check rather than proof: phishing sites can obtain certificates and serve “https://” too, so a padlock does not make a misspelled domain safe.
  • Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.
  • Give a fake password. If you are not sure whether a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to sign in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that many phishing sites display an error message (or simply forward you to the real site) regardless of the password you enter, so a rejected fake password does not prove the site is legitimate. The address checks above are more reliable than this test.
  • Use a Web browser with anti-phishing detection. Internet Explorer, Google Chrome and other modern browsers block known phishing sites out of the box (Chrome’s Safe Browsing, for instance), and free add-ons (or “plug-ins”) can add further checks.
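The typosquatting paragraph above and the address checks in this list can be scripted, which is how a mail gateway or a browser add-on applies them. The following is an added example, not code from the original page or from Metropolitan Risk. It pulls the registrable domain out of a URL, folds the look-alike characters the list mentions (1 for l, 0 for o), measures how far a domain is from a short list of brands the organization actually uses, flags the http-only case, and goes somewhat beyond the text with two further checks: a real brand name used as a subdomain of an unrelated domain, and a From header whose display name invokes a brand its address does not belong to. The brand list, the confusable table and the sample URLs and headers are constructed assumptions, and taking the last two labels as the registrable domain is a simplification that ignores multi-part suffixes such as co.uk.

```python
"""Scriptable versions of the address checks above.

Added example, not code from the original page. KNOWN_DOMAINS, the
confusable tables and the sample inputs are constructed for illustration.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: brands whose login pages this organization actually uses (assumption).
KNOWN_DOMAINS = {"paypal.com", "google.com", "youtube.com", "yahoo.com"}

# Single characters attackers swap in because they look alike on screen.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})
# Letter pairs that read as one letter in many fonts.
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part suffixes like co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Fold look-alike characters so that 'paypa1.com' compares equal to 'paypal.com'."""
    out = domain.lower().translate(CONFUSABLES)
    for pair, single in PAIR_CONFUSABLES:
        out = out.replace(pair, single)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos such as 'goggle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str) -> dict:
    """Apply the checks from the list to one URL; returns the domain, a verdict and the reasons."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not https")  # necessary, not sufficient: phishing sites use https too
    if domain in KNOWN_DOMAINS:
        return {"domain": domain, "verdict": "known", "findings": findings}
    for brand in sorted(KNOWN_DOMAINS):
        name = brand.split(".")[0]
        if normalize(domain) == normalize(brand):
            findings.append(f"look-alike characters for {brand}")
        elif edit_distance(domain.split(".")[0], name) <= 2:
            findings.append(f"within 2 edits of {brand}")
        elif name in host:
            findings.append(f"'{name}' appears in the host but the registrable domain is {domain}")
    brand_hits = [f for f in findings if f != "not https"]
    return {"domain": domain, "verdict": "suspicious" if brand_hits else "unknown", "findings": findings}


def sender_mismatch(from_header: str) -> bool:
    """True when the From display name invokes a known brand but the address domain is not that brand's."""
    display, address = parseaddr(from_header)
    domain = registrable_domain(address.rpartition("@")[2])
    display = display.lower()
    return any(b.split(".")[0] in display and domain != b for b in KNOWN_DOMAINS)


# Constructed sample inputs, including the page's own paypa1.com and goggle.com.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypa1.com/signin",
    "https://goggle.com",
    "https://paypal.com.account-verify.example/login",
    "https://example.org",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, inspect_url(u))
    print(sender_mismatch("PayPal Service <billing@paypa1-secure.net>"))  # constructed header
```

Two points worth noting from the design: the verdict "unknown" is not "safe", it only means none of the listed brands is being impersonated, and an edit-distance threshold of 2 will produce false positives for very short brand names, so tune it per brand rather than globally in real use.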

 

For more information about Phishing & preventing a cyber-attack contact a Risk Advisor or call (914)-357-8444

 

Our SIM-Hacking Prevention Guide

We recently wrote a piece about what SIM-Hacking or SIM-Swapping is. Click this link here to read it. We’re following up on that article with a quick guide to preventing SIM-hacking. We’re not here to re-explain what SIM-hacking is, we’re here to talk about how to protect yourself from risk.


If you agree with us that SIM-Swapping is a potential problem & you want to protect yourself from cybercriminals, then this guide can help you protect your accounts from cybercriminals.

 

1. Make a list of the important stuff that would pain you if you were hacked.

Here are a few accounts to start with.  Your list of accounts to protect may grow longer but these accounts would be the most problematic.

  • Work Email/ Work Google Account
  • Bank Account for Work or Personal
  • Organizational/Workplace Databases
  • Social Media Accounts (Facebook, Linkedin & Vimeo)

2. Understand how each account lets you recover/reset your password.

In each case the account offers 2-step verification, and the recovery flow usually works the same way: the first channel is the primary email address you used to set up the account, and the second is your mobile phone number (text messaging). Test each account above by walking through its password-reset steps. The ones that send a text message to your mobile phone are the ones most vulnerable to SIM-hacking, since taking over that phone number is the whole point of the attack.

These are the accounts we are going to lock down in the next few steps.

 


How To Protect Yourself From SIM-Hackers

At Metropolitan Risk, we purchased a YUBIKEY, which is a small piece of hardware that replaces the text message/cellphone as the second-step authenticator. Google offers a similar product known as the Titan Security Key. We opted to use a security key because you must have the key in your physical possession and you must touch it to confirm that a human is present; the key will not respond until it is touched. If you don’t like the idea of a separate piece of hardware, there are apps on your cellphone called authenticators that can do similar things.

We opted for a separate piece of hardware, rather than the cellphone, as the 2nd step in the 2-Step Verification. We do use an authenticator app as a 3rd authentication option in the event we lose the YUBIKEY hardware. 

 

1. If you’ve purchased a YUBIKEY, your next task is to log into the accounts you are concerned about & research the multi-step authentication process for password recovery.

    • This is the most time-consuming part of the process as each account can have different methods & steps to execute this piece.
      For example, you are telling Google not to send a text message to your cellular phone. Instead, you are telling Google to look for your YUBIKEY as the second step.

NOTE: if your organization manages your email account, speak with your admin first. As our Google account administrator, I turned on 2-step verification so that my staff could use a YubiKey; my staff would not have been able to set this up without admin approval. CLICK HERE for a quick guide on how to set up 2-step verification in Google, as an example.

2. Once you have followed the instructions for linking your account with the YubiKey, you can select “trust this device” on a computer you control. This way you won’t need to use the YubiKey every time you log in, because the software recognizes the device AND it has already been properly authenticated. Don’t select it on a shared or public computer.

What Happens if I lose my YubiKey?

In all the accounts you set up with the YubiKey, make sure there is a 3rd way to authenticate in case the YubiKey isn’t available for some reason. This gives you another way into the account and keeps you from getting locked out of, say, your Google account. In our case, we use Google Authenticator as the 3rd option in case the YubiKey is damaged or otherwise unavailable. 

Call me paranoid, or maybe just a Risk Advisor… same thing. I purchased a TILE, which is essentially a very small chip that lets me locate whatever it is attached to. I have one for my wallet, one for my keys and one for my backpack. You download an app onto your cell phone; the app communicates with the tile attached to your keychain/YubiKey and voilà, keys found. It also works in reverse and helps you find your cellphone by making it ring when you press a button on the tile, even when the phone is on mute.

Help and More

At this point, I’m feeling better about my personal situation.

2-step verification is what confirms that the person accessing your account from a new device is you. Remember, once a hacker obtains your user name and password, they try to access your account from a device the site or software does not recognize, and the software has to decide whether that is really you on a different device or an intruder. Unless the hacker also has a way to pass that second step, they aren’t getting in.

Last point, just like in the physical world: if they really want to steal your car… gone. By locking down your digital life and making it a bit more difficult, you push hackers to move on to easier prey, and there is no shortage of easy prey out there. 

We hope you found this helpful. There are a ton of resources online for locking down your accounts and your life this way. Our goal was simply to make you aware of SIM-hacking and at least get you to start the process of locking down your very vulnerable digital life. 

Still have questions? Still want more info? Contact a risk advisor today OR visit our website here.

The 21st Century Solution for Business Protection: Cyber insurance

Ordering a pizza, listening to music, getting a mortgage. All are examples of normal activities that have adapted with the emergence of computers. It is no wonder that insurance has also taken part in this advancement into the new era. However, this new, innovative idea that combines insurance with computers holds a name that the average person may find overwhelming and hard to understand: cyber insurance. On the surface, cyber insurance is very similar to most other insurance. Carriers take on your risk for a price in order to limit your losses from cyber incidents. However, since this is new, there are a lot of questions about coverage and how to purchase a plan.

Cyber Policies

Cyber attacks can cripple a company, as so much business is done through computers these days. For that reason, it is imperative that companies become acquainted with cyber insurance, as it will cover against these devastating hits. Cyber insurance mitigates the risk involved with doing online business, which allows companies to take part in a new growth area while still being protected against the heightened risks involved with doing business online. It is also important to understand what each policy covers, as there are some pretty complex rules that carriers follow when determining their exposure to certain events.

With a whole new category of insurance in place, it is important for businesses to understand what exactly goes into the cost of their insurance premiums, so they can take the resulting steps to reduce these costs as much as possible. A few factors that affect a cyber insurance premium are annual revenue, industry, and network security. So although cyber insurance will be an additional cost for a company, there are ways to reduce this cost while still reaping the benefits of diminished risk in cyberspace. Even with this additional cost, it still makes sense to take advantage of this new insurance. Hacking can disrupt business dramatically while causing costs to skyrocket and the company’s reputation to plummet.

FAQs

What needs to be covered?

It is important to understand what the biggest risk areas are. After determining the largest risk areas based on potential reputation damage, restoration costs, and regulatory fines, it is logical to cover as much as possible, starting with the largest risk areas.

What are the different types of cyber liability insurance?

Cyber liability insurance falls into two main categories: first-party and third-party. First-party insurance covers the policyholder’s own direct losses from a cyberattack, such as data theft, lost income, the cost of notifying customers, and the cost of repairing the company’s reputation. Third-party insurance covers claims brought against the policyholder by others who were harmed by a breach of its systems. For example, if a company built a website for another company and a hacker took over that website, the company that built it might be covered for legal fees and for settlements or damages awarded in court.

Exclusions of cyber incidents from coverage?

There are a few issues that most providers don’t include in coverage. Some of these include cyber issues resulting from failure to maintain a minimum level of cybersecurity, the careless mishandling of sensitive information, and malicious acts by employees. All of these examples should be avoidable through careful management and decision making.

In the case that it’s the company’s fault, do insurers still pay?

The short answer is that it depends on the situation and policy. Depending on what the coverage agreement is, insurers may still cover issues that are the company’s fault.

How long does a company have to report the breach?

Insurance companies like for companies to report the breach when practical. They understand it might take time as a company’s first priority may be to fix the problem. They also know they may need to provide clarity to all affected. However, the insurance company might become concerned if the issue is reported a long time after it is discovered as that might come off as fishy and affect the settlement deal.

Pricing of cyber insurance?

The main factor in pricing cyber insurance is the company’s annual revenue, as more revenue correlates to higher risk exposure. In addition to revenue, insurance companies also look at industry type. The strength of the company’s network security also feeds into the premium.

For more information book time with
Risk Advisors
or call 914-357-8444

Data Privacy: Is my Data Safe?

Intro

In today’s advanced, analytical society, data rules the world. With such an emphasis on data to optimize business, there are plenty of sources for public data. However, most companies gain a competitive edge from proprietary data that should be for the company’s eyes only. Unfortunately for the company, complex supply chains provide opportunities for errors in software, intended or unintentional, to creep in. These mishaps in the supply chain can have drastic consequences for a company.

Whether introduced by accident or on purpose, flaws in software can be detrimental to a company’s data, and thus to its operations. Misrepresentations in data have a large impact, hitting almost all facets of a business including marketing, accounting, sales, and finance. In addition, faulty data may affect customers, which may be an even bigger concern than internal issues.

The Problems With Data Privacy

These problems result in high costs for a company, both to fix the supply chain and to make up for everyone affected by the initial issue. Finally, some software issues stem from others trying to steal private information, which opens a plethora of other problems, like losing a competitive advantage, and results in even more costs.

For example, consider a situation where a milk supplier delivers 1,000 gallons of milk every week to a grocery store. Through a faulty piece of software, a zero might be dropped resulting in a delivery of 100 gallons. This screws up the accounting as 900 extra gallons were accounted for and leaves normal customers without milk, weakening the reputation of the supplier. Also, the grocer will be unhappy, as they are missing out on 900 potential sales.

Real-Life Context

Now imagine an error like this occurring on a grander scale due to bad data and a bad supply chain. The consequences could be catastrophic! Just one erroneous piece in a huge chain can tarnish customers and other businesses’ views, invalidate the accounting records, and cause marketing to stray to the wrong demographic. Although it may seem like a minor detail, it is vital for companies to invest in high-quality equipment and software with routine maintenance in order to prevent mishaps that result in data impairment.

For more information on data privacy contact one of our Risk Advisors or call 914-357-8444.

 
