The DFS has reported from several regulated entities of successful or attempted data theft from websites that provide instant quotes to the end-user. All entities using instant quote software on their public-facing websites are vulnerable to this type of data theft attack. These attackers appear to be using the stolen data to apply for pandemic and unemployment benefits.
According to this alert, all regulated entities with instant quote websites should immediately review their websites for evidence of hacking. Reports have shown that even when consumer data is redacted, cybercriminals have proven they can easily recover the full unredacted information.
Reports have confirmed several methods that criminals successfully (or attempted) to use to steal consumer data from auto quote websites:
Taking unredacted information from the Auto Quote Websites’ HTML (Hypertext Markup Language) that was not displayed on the rendered page, but was visible in the code.
Using developer debug tools to intercept & decode unredacted consumer information.
Manipulating the technology to access parts of a public-facing website to view where the unredacted data is stored.
Purchasing a policy, after requesting a quote, using fraudulent payment methods in order to view the policy owner’s information, including his or her driver’s license number.
Requesting a quote and receiving an agent’s contact information to usesocial engineering to elicit information from the agent.
The DFS has requested prompt reporting of any attempts to steal consumer information from public-facing websites. Reports of unsuccessful attacks have previously been used to identify the techniques used by attackers. This helps the DFS respond quickly to new threats and continue to help protect consumers and the financial services industry.
Any DFS-regulated entity with a website that uses this type of technology should immediately review the following indicators:
Data analytics and website traffic metrics for spikes of quote requests. An unusual spike in abandoned quotes occurring in a short time frame was one of the key indicators of this type of attack. On a broader scope, regulated entities should look for an increase in consumer submissions that terminate as soon as consumer data is revealed.
Server logs for evidence of unauthorized access to private information. After your IT team has reviewed your web traffic, have them review your server logs for that period. When examining the logs of customer sessions, security teams should check to see if there has been any site manipulation using web developer tools.
These are just two suggestions by the DFS. There are a number of other ways cybercriminals can access information. Regulated entities should also follow their usual procedures for detecting and responding to cyber incidents.
The DFS has suggested the following steps for entities that are using Instant Quote websites to collect information:
Conduct a thorough review of website security controls, including but not limited to a review of its Secure Sockets Layer (SSL), Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), and Hypertext Markup Language (HTML) configurations.
Review public-facing websites for browser web developer tool functionalities. Verify and limit the access so that users cannot adjust, deface or manipulate the website content using web developer tools.
Review and confirm that its redaction software for consumer information is properly implemented throughout the entire transmission of the data.
Ensure that privacy protections are up to date and effectively protect the data by reviewing which applications use the data, who has the authorization to view the data, and most importantly where is the data stored
Search and scrub public code repositories for proprietary code.
Block any IP addresses of suspected unauthorized users and consider a Quote limit per user session or IP address.
Any questions regarding the alert from the NY Department of Financial Service should contact their department directly, at CyberAlert@dfs.ny.gov
If you have any questions regarding your own cybersecurity. Contact one of our Risk Advisors at 914-357-8444 or visit ourContact Us page to schedule a 10-minute meeting.
Social Engineering is the means of deception to extract sensitive, personal information that can then be used for further purposes, such as bank fraud, account takeovers, or identity theft. Cyber hackers primarily use social engineering when attempting to steal information of online users unaware of a hack currently happening. The main type will include phishing which fraudulently fishing for people’s information online through malicious contact.
Importance of Social Engineering
So why is cyber engineering important? Well, it can impact any of us at any time. Think about this. Currently, hackers have software applications designed to override firewalls and cybersecurity worth millions of dollars. However, hackers know technology is strict; a firewall will not listen give up information easily, but humans will. However, in a world of technology and hacking, hackers use human emotion and volatility as its main weapon. Hackers can sue the main target or those who directly know them to get any sliver of personal information that can help them in their quest. This is why every cyber user (which is most to all of us) needs to be aware of social engineering and its extreme dangers.
/p>
Impact of Social Engineering
Every day, cyber-attacks occur on users without them ever having the proper protection against the attack. Then, they lose precious financial or personal information to hackers. Social engineering will continue to happen and impact us as long as certain things remain constant. If users are still inputting too much personal info into websites that can be hacked at any time. If people remain unaware of releasing personal info of themselves or others to a hacker. Or if their cyber liability coverage does not protect themselves or their company against social engineering.
An Example
The scariest part of social engineering is sometimes the hackers never need to come in contact with the targeted account’s user. Once you give your personal information to a website like Facebook or Twitter, the social media company and all its employees with high-level access can access your data and sell it for profit.
In late July 2020, there was an aggressive twitter hack, According to a WSJ article, a user named “Kirk” on a hacking forum claimed he was a twitter employee who had gained access to many twitter accounts and was selling them from $500-$10,000 an account, including Joe Biden, Elon Musk, and others.
The problem with these social media companies is due to the employees’ level of cyber knowledge they will give everyday employees who make normal amounts of money way too much access to the internal networks of its website. These employees can take this information used for large-scheme hacks like that seen a week ago. Or, they can give bits and information to hackers of different user’s accounts, without the user ever knowing.
Social Engineering is a component of cyber liability coverage that is often overlooked by businesses in any ndustry. However, it should be a crucial component of any written policy regarding cyber liability protection, individually or company-wide. For more information, click here.
Every so often, whether it be for a company software program like MOZ, a school database like blackboard, or even a personal social media account on twitter, you get one of the two ominous messages.
The Unwanted Messages
You get the “time to reset your password” right after you slowly got used to your new password. Now you have to create a new password that’s memorable but is also hard to crack. Yes, it is a measure of security and caution from the website that is admirable. It is a pain at best for the user.
Then there’s the other message: “oops, you forgot your password too many times. Let’s reset it!” This one is arguably worse because of two things. One, you have to create a whole new password just like the mandatory reset times. But, you have to make it easier to remember than your last one, since you just forgot it. That makes hacking for these passwords so easy.
Where we are with Passwords
While there are some awesome dual-factor authentication apps and tricks as well as new biometric security measures, hacking password details could not be easier right now. Soon, we’ll be strictly using biometric passwords like eye scanning and finger pad touch. Or just using dual-factor using an app like duomobile. But for now, passwords are becoming ever so easy to hack for cyber criminals. They have more advanced technology that can run dictionary hacks and algorithm checks at 1,000,000,000 searches a second. And the only thing standing between your account with credit card info and their supercomputer is the password “qwerty12345.” All jokes aside, that password is extremely common, and there’s simpler derivatives of that password that make the 25 most common passwords of 2020.
Passphrases
While waiting for that futuristic physical password technology, allow me to introduce you to a better password type: pass-phrases. Pass-phrases are exactly what it sounds like. It’s not a word with numbers and symbols, it is a whole phrase that may include further numbers and symbols. While some say it is only a small step of improvement over passwords, let me tell you why they are much more protected.
Benefits of Passphrases
First, the guideline check is simple. They’re just as protected against password guidelines on the vast majority of sites. They are also supported by many sites as well, meaning you will be able to use these wherever you can use your normal pass-word.
They’re more secure. It’s that simple. The more characters and difference in the change of characters, the better. As in, if your password is football10!, that is a password a hacker can crack manually, it’s so straightforward. Now imagine it being “Mile High Miracle 512!” That’s 21 characters compared to 11, which makes the computers check for 10 factorial more possibilities. Simply, that means “football10!” Is a mid-sized fish in a river, “Mile High Miracle 512!” Is a krill in the Pacific.
Example of good Passphrases
Also, football is too simple, and there’s no change after football. Being as specific as possible is best. Take Mile High Miracle 512! Mile High Miracle is a nickname for a specific famous game that my favorite team, the Baltimore Ravens won (it’s a reference to them beating the Denver Broncos in Denver). Next, the 512 part. The game is mostly famous because of one play. The Baltimore quarterback, number 5, threw a last-gasp touchdown to Baltimore wide receiver number 12, to tie the game. 512 is incredibly more random than 10, yet feels more memorable. See how easy that was?
Concluding Thoughts
My point is that passphrases are easier to remember than those one word and 2 number passwords. Especially if they’re close to your heart and mean something. That could mean a song lyric/title/album, or a movie phrase, or a famous sports moment. So if you are a big music fan, next time you are resetting your Chase account, take a minute before you rush to put “RockFan12345.” Think about passphrases, and try something more along the lines of “St41rway 2 Heav3n” instead. Trust me, the time it’ll take to remember which e becomes a 3 is the difference between a bank account compromise and having your financial records safe.
Still confused? Want to learn more about passphrase protection? Or just about cyber security in general? Contact a risk advisor today at 914-357-8444 or visit our website here.
Due to the increasing concern about the security of personal information, many states feel the need to implement data and cybersecurity laws to protect private information utilized by these malicious hackers. On July 26th, the governor of New York signed the SHIELD Act to protect the state’s resident’s data and broaden New York’s security breach notification requirements. The SHIELD ACT or Stop Hacks and Improve Electronic Data Security Act requires in the state of New York that any person, business owner’s computerized data which includes the private information of a resident of New York (“Covered Business”) to not only implement but maintain reasonable safeguards to protect the confidentiality, security, and integrity of the private information but to have proper breach notification requirements.
Every NY business owner must comply with the SHIELD Act because “private information” includes a lot of sensitive data. It is imperative to understand what the definition of private information means as it includes, but is not limited to a username or email address in combination with a password, a name, phone number, driver’s license number, CC number, etc. This does NOT include publicly available information that is lawfully available. This act also expands the definition of Breach, as Breach now includes unauthorized access, rather than solely unauthorized acquisition.
To be compliant with the SHIELD Act’s data security requirements, a business must implement a data/cybersecurity program that has reasonable administration safeguards, reasonable technical safeguards, and reasonable physical safeguards. These reasonable safeguards must be appropriate and align with the size/complexity of a business. This act highlights the importance of HR professionals and in-house employment involvement in their organization’s information security. This act adds an important aspect that requires there to be breach notification requirements.
For example, if an HR Professional accidentally emails private information to the wrong employee containing “private information” the employer must document this as inadvertent disclosure which won’t result in misuse and maintain this documentation for 5 years. If the information contained more than 500 New York residents the employer would have to submit documentation to the attorney general within 10 days. If you fail to comply and notify the attorney general, there are $20 fines per notification with a maximum penalty of $250,000 (Effective Oct. 23,2019.)
This is extremely important for employers to understand in order to comply with the law. The responsibility employers, HR professionals, and employees have regarding properly handling data can impact a business tremendously. The fines associated with mishandling data can lead to millions of $$$ in losses. Make sure you understand the laws, make sure you protect your data, and make sure if your company experiences a data breach you have proper risk management strategies in place to pay for the losses.
Online transactions have become commonplace for many companies across all lines of industry. With the rapid growth in acceptance of online payments, many companies underestimate or are not even aware of requirements to maintain Payment Card Information (PCI) Data Security Standard (DSS) compliance.
What is PCI-DSS?
Payment Card Information (PCI) Data Security Standard (DSS) is a security standard developed and maintained by the PCI Council. The PCI Security Standards Council (PCI SSC) is a global forum. Payment industry stakeholders develop and drive the adoption of data security standards and resources for safe payments worldwide. The primary purpose of PCI-DSS is the assist in securing the payment card network.
Photo courtesy of pcisecuritystandards.org
Having one’s own data stored is a necessity, but risky. Having third party data stored brings on a whole new aspect of risk which requires its own assessment and treatment. Data breaches are a regular occurrence to which we have become desensitized. Recognizing this, the need for PCI compliance has never been more paramount.
What are the 12 requirements of PCI DSS?
We know, hearing there are 12 requirements sounds daunting. First, dive into the list and you will find the company is complying with some of these without knowing it. Additionally, the tips below can serve as a starting point for a self-assessment.
Install and maintain a firewall configuration to protect cardholder data
Configure unique passwords and settings. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use of anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track all access to network resources and cardholder data
Test security systems and processes. Conduct vulnerability scans and penetration tests
Maintain a policy that addresses information security for all personnel. Constant documentation and risk assessment are a must!
What if Our Organization is Non-Compliant?
If your organization is in non-compliance with the PCI-DSS standards, you could be looking for trouble. Non-Compliance will be directed by your Payment Card Agreement (PCA) in force with the credit card company. Additionally, non-Compliance can result in penalties. Fines are imposed ranging from $5,000 to $100,000 per month by the Credit Card companies.
Next Steps
Meeting these requirements ensures your compliance. And also protects the company and its client base. Separate yourself from the competition. Give your clients peace of mind with the ability to stand behind PCI Compliant Practices. Contact one of our Risk Advisors to begin taking steps towards PCI DSS compliance and peace of mind.
Buying Cyber Insurance Does Not Protect Your Organization From Hackers
Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances pieces of the loss. A recent report by cybersecurity company Barracuda reported that Google-branded Spear Phishing attacks are up significantly since the start of 2020. These attacks only accounted for 4% of the total cyber attacks in 2020 so far. Barracuda reported over 100,000 form based attacks since Jan 1. 2020, 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than other branded competitor attacks. Microsoft was the 2nd most impersonated account at 13% of the total spear-phishing attacks (1).
With 43% of all cyberattacks targeting small businesses (2), and the attacks increasing by 73% since the pandemic we encourage your company to build out a cybersecurity plan. At Metropolitan Risk we called our initiative “Operation Lockdown” after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses haven’t the focus, the budgets, and the staffing to defend against these cyber attacks. They are in effect low hanging fruit and easy prey.
How is your Company Vulnerable?
Further many businesses now are even more vulnerable due to the recent mobilization of the workforce from the physical office. This is because home networks aren’t secure, the data doesn’t sit behind a firewall or is not encrypted like in the office. While newly remote employees were struggling to create routines, employers focusing on this new shift in workflows, cybercriminals know the back door is unlocked.
Here are two really important concepts to understand assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn’t guarantee that you won’t be hacked and won’t suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of my Nick Lagalante from Tenable Cyber Security explains it this way. “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners”. In essence, by making it more difficult to penetrate your systems and employees, cybercriminals should in effect move on quickly.
Here’s the second big picture item to understand; Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net when plan A (Operation Lockdown) fails. Cyber Insurance should NEVER BE PLAN A. Here’s more good news. If you’ve been hacked, the chances of you being hacked again are exponentially higher. Insurance carriers know this which is why the Cyber Insurance policies increase significantly in cost once you have been hacked as the carriers’ exposure to loss increases if they decide to insure you!
This is why we built this case study on how at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does do is make you a bit faster than most of your competitors who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost consistent. When you read our Case Study it gives you an idea of how to organize the challenge, and address each item incrementally.
The last point, this is a big one. You don’t have to figure all this out on your own. As a reminder, we built a full-on Cyber Assessment built for small to medium-sized businesses that assess your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for let’s jump on this ASAP.
Then we suggest we get you a really solid cyber insurance policy as a Plan B just in case. Our cyber polices are 25% less expensive IF you execute our assessment and tackle the items in red.
How do you eat an Elephant? Piece by piece. CLICK HERE to take the Cyber Assessment.
There is no such thing as infallible cybersecurity. No matter how many millions of dollars an organization spends on online security, some hacker, somewhere, at some time, may successfully break-in. A common example is JPMorgan Chase, who spent close to $100 million to shore up their systems only find their systems hacked and sensitive data at risk. Just because hackers may have the ability to continuously overcome firewalls does not mean that individuals and organizations should just sit around and wait for the inevitable. There are steps to minimize risk and thus potentially circumvent a data breach.
Below you will find current methods hackers utilize, along with best-practice preventive measures to protect your systems from such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a culture of security surrounding your organization.
Prevention Is the Best Defense with Cybersecurity
While it is the optimal solution, preventing a data breach is neither simple nor easy (when sufficient safeguards are enabled). In being proactive organization find themselves addressing the difficult situation of having to be prepared for something that has not yet happened; they have to forecast the future risks of cyber and privacy threats. Doing so often entails poring through mountains of data to find a needle in the haystack – a piece of malware or a threat that can compromise critical data.
Sometimes, as is clearly evidenced by the recent breaches made public, these threats can get lost in the noise. Furthermore, the tech industry’s greatest advantage is also its Achilles heel – their rapid updates. Product cycles move fast, but tech mainstays like software updates and patches move even faster. It takes dedicated personnel for organizations to keep up.
Nowadays, security is not just a locked shop door. Digital breaches are robberies that happen at any hour, without any warning, and with little to no immediate evidence, which is why you need a good cybersecurity system. If network configuration and employee education program is lacking, exposure to serious risk and liability is heightened. The potential loss of valuable digital assets, especially client information, can result. This thought may scare you, but do not despair! Being informed of these issues is the greatest defense an organization can have.
I. Conduct a CyberSecurity Assessment
The prevention and detection stages of security (those before a breach occurs) are typically informed by a digital security assessment, which goes beyond simply testing an organization’s network for vulnerabilities. An assessment allows for a more complete picture of an organization’s security posture focusing on policy, controls and procedures, as well as the effectiveness of their implementation.
Tech infrastructure is often a “set-it-and-forget-it” affair. How often do you click “remember me” while logging into a commonly visited site so save yourself the hassle of the sign-in process next time? Essentially, digital infrastructure is installed, configured, and then never touched again. To maintain a secure digital environment, it’s imperative to test, test, and test some more.
II. Assess the Human Element in Cybersecurity
When it comes to issues of information cybersecurity, the human element is just as important as the technology itself. Perhaps even more so. Hardware and software require regular human input to make sure the devices have the latest updates, security patches, etc. Therefore, the human element of cybersecurity is the single most important aspect of an organization’s security posture. It can only be achieved by fostering a culture of security achieved through education and implementation of a written digital use policy.
Consider the psychology of a hacker when assessing the role of human vulnerabilities in determining the viability of an organization’s cybersecurity practices. The term “hacker” is interesting in its ability to conjure up a vague, though widely held notion, of the cyber-criminal. The vision is fairly common: a scruffy socially challenged individual, slouched in a swivel chair, speedily typing on a keyboard as indecipherable streams of digits race down the computer screen. Cue The Matrix.
Compared to other criminals, the hacker largely remains an unknown, impersonal entity, tied intrinsically to a modern era of technological advancement. However, what is often forgotten is that although hackers are primarily recognized for their abilities to manipulate technology, they can be equally adept at manipulating people. Cybersecurity procedures rely heavily on human participation and interactions. The first step of a hacking scheme, the crucial point at which the probability of a data breach is determined, can (and often does) start at the human level. Unsuspecting personnel may encounter a hacker without even realizing it, giving them access to sensitive data simply by offering a Wi-Fi password or log-in credentials.
It is important to recognize that, similar to technology, individuals can be prone to trusting disreputable sources. A hacker is willing to take advantage of the breadth of an organization’s vulnerabilities; consequently, employees are just as vulnerable to attack as technological data sources.
On the flip side, employees can download malware without realizing it, such as through illegal downloads or torrents of movies and applications. These unsafe browsing habits can and often do lead to a malware infection. Don’t trust an e-mail scanning application or spam folder to stop the messages from getting to the inbox. A hacker’s job goes beyond exploiting strictly digital vulnerabilities; the successful ones look for human vulnerabilities.
III. Watch Out for Phishing Aggression
To assess and react to the danger humans pose to digital security, it is important to know what the “bad guys” are doing. While external hackers have a diverse arsenal of techniques there are a few that are more pertinent considering they can affect any employee within an organization. Hackers are often referred to as “social engineers,” as they try to manipulate and trick their targets to give them access.
One of the most prominent hacking examples is “phishing.” Phishing is the process by which cyber thieves are able to lure unsuspecting victims to a malicious link that then executes malware. These malicious links present themselves to a user through an e-mail message. This is when a user unknowingly initiates the malware by accessing the malicious web server.
Even more unsettling, though similar, is a “spear-phishing” attack. Unlike a phishing attack, spear-phishing is a directed attack. Cybercriminals gather information about a victim, which is then used to construct a fraudulent e-mail intended to trick the victim. Rather than being obviously nefarious, these e-mails are very realistic and tailored to the person hackers are trying to trick.
For example, in the banking industry, a hacker may use an e-mail message cloaked as a communication from the Federal Deposit Insurance Corporation (FDIC). Due to their nature, phishing attacks are not problematic unless a user physically clicks the link to the malicious web server. To prevent this within an organization, personnel need to be trained to identify false links. Before clicking the link, “hover” over it to see the true URL or, even better, train employees to manually type in the Web address they need to access in a Web browser.
IV. Provide the IT Department with Useful Tools
While a universal training program aimed at informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team is staying on top of current advancements in security and has the resources to minimize vulnerabilities. Often IT people are more concerned with making sure technology is being implemented for productivity, not necessarily for security. Digital assets vary for every organization, making specific preventive measures hard to define. In general, the prevention of attacks and threats should be consistently audited so that a specific information security policy can be created and carried out within the specific context of an organization.
As one general example, outdated and unpatched software applications pose a serious risk. Cybercriminals often target older outdated software because of its longevity. That is, the longer a piece of software is around, the more time cybercriminals have to develop malware based on an established exploit that will not be, or has not yet been, fixed by the developer.
In many industries, including healthcare, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can become expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats – they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team well equipped is key to a strong security posture.
V. Limit Access to Critical Information
An often under-analyzed piece of the preventive data security puzzle is data access controls. More simply put, not every employee of an organization should have full access to all data. Even in the case of IT, many recommend that members of the team use non-privileged credentials for daily activities. This is a central step to minimizing risk as it inherently reduces the number of access points for data to leave the confines of an organization’s network. More privileged credentials mean more credentials that elevate the threat of external hacking.
In line with this, it is also crucial to consider internal threats. For example, a disgruntled employee gains access to sensitive data, steals it, and posts its publicly online. Limiting access to critical data on an as-needed basis can, in some cases, preemptively eliminate this risk altogether. People are a company’s biggest asset but also the biggest liability as respects information security. Awareness and implementation of policy is key to maintaining that “culture of security.”
VI. Recognize the Risks of BYOD
Practicing and applying security and data access controls is crucial outside as well as inside of an office. Mobile computing revolutionized everything, from the maintenance of cybersecurity to reasonable policies. It is becoming increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, e-mails, cloud services, etc.).
With respect to policy, many organizations and their agents alike favor the cost benefits and choice of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances, this policy relinquishes some defined, universal security strategy and inherently gives an organization less in the way of data control. Standard mobile device management tools are not typically applied and installed on employees’ personal devices.
BYOD can also invite unauthorized connections from an organization to the Internet. Many smartphones offer device tethering, whereby other devices share the phone’s cellular data connection. This type of network activity is not part of an organization’s network, and thus cannot be monitored for suspicious connections.
Before simply accepting BYOD as a cost-effective and desired approach, ensure that the organization understands the rules, risks, and rewards of the new policy. If the organization implements BYOD, do so in such a way that the organization maintains a modicum of control. Also, take legal ramifications under consideration and determine whether there are special regulatory concerns particular to a certain industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.
VII. Look Beyond Your Employees
Data control goes beyond just employees. Rather, it extends to include any entity that can store, access, or use a company’s sensitive data, including third-party vendors. Develop contracts that protect the organization, particularly those that use third-party vendors. Third-party vendors can introduce security lapses and vulnerabilities, but not hold themselves to the proper and necessary digital risk standards. Not doing so can result in a digital catastrophe.
This is best evidenced by the example of the devastating credit card breach Target experienced in late 2013. Target seemed to have the appropriate controls in place with dedicated IT and security appliances. Thinking that everything was fine with its security practices, management overlooked one critical issue. Target allowed outside heating, ventilation, and air-conditioning (HVAC) service vendor to connect to the same network responsible for point-of-sale device Internet traffic. This is an example of where the lapses in human execution renders good technical security measures ineffective.
Like Target, there have been other breaches where larger companies fail to audit third-party vendors, such as the Boston Medical Center and Goodwill. Often, smaller third-party vendors are a sort of hacking “stepping-stone” – compromise their information to get to their larger clients that have more valuable data. This is especially true today, as even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices, but sensitive information with its vendors could be compromised.
To mitigate third-party risk, ensure that appropriate parties, especially legal departments, communicate with the outside vendor hiring process and that contracts guarantee and protect audit rights. That means including audit clauses to contracts that allow the organization to regularly monitor and check that vendors are in compliance with any generally accepted or necessary standards. Including cybersecurity in the outside contracting process is now imperative.
VIII. Don’t Overlook the Importance of Data Backups
In addition to the risk of compromising data, loss of data entirely can be even more devastating. While most large corporations can afford to keep their sensitive data in multiple locations, others cannot. Irrespective of the size of an organization, individual workstations can contain important client data that should be regularly backed up. No matter how many backups an organization maintains, it is important to not get bogged down by the sheer volume and prepare for the absolute worst—a hurricane, tornado, or some other natural disaster that could destroy an entire organization’s data in one fell swoop.
Data loss can happen in other ways most people don’t expect.
A couple of months ago, I got a call from a local government agency that had horrible “ransomware. ” Ransomware is malware that seeks to exploit victims by encrypting their files. Clicking a link in a pop-up accidentally downloads it; or through a “phishing” e-mail. Once executed, the hacker notifies the user that they locked the files because they committed a crime, and that they must send money for the decryption key within a certain amount of time or their files will forever be inaccessible.
Unfortunately, paying the “ransom” usually will not unlock the files, but only serves to line the pockets of the extortionists. In this particular case, the local agency did not consistently keep a backup of its data, and lost months of work. This new ransomware infection prompts reflection on something overlooked as a serious risk to daily business activity—data backups, off site or otherwise.
IX. Develop a Security Culture
It is important to audit all controls to prevent attacks incurred from external and internal threats. Make sure that these controls are in place, effective, and attempt to penetrate your organization’s digital infrastructure. There should be a layered approach to information security. In other words, organizations should not only have a digital fence, but also a locked front door. In addition to simply having “locks” and “fences,” make sure there is a policy information session. This session should effectively teach people how to keep the gate closed and the door locked.
Incorporating these provisions into policy and executing that policy through employee training programs, moves organizations to a stronger security posture. Creating an atmosphere for effective security is just as important as the security practices themselves.
“Hope for the Best, Prepare for the Worst.”
The key balance between costs and preparation is something to consider and is much cheaper than the fallout of a breach. When it comes to security, prevention certainly is the first choice.
What happens if an organization takes all the preventive measures, but they still lose data? Technology constantly updates with new security measures, yet cybercriminals stay one step ahead of the latest preventive security measures. One of the primary reasons for their persistence is because a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on credit technology’s conveniences.
X. Recognize the Value of Data
Not dissimilar from the recent credit card breaches, hackers consistently and target health data because health data is valuable—either to gather intel about specific people or as a tool for identity theft. It has also historically not been the most secure. Patient names, birth dates, billing information, and health histories have the potential for complex identity theft and medical fraud schemes.
More importantly, though, this data has a market on the “Dark Web” outside of those who are responsible for stealing it. To illustrate the Dark Web, Google indexes approximately 17 percent of websites where most people typically dwell online and do their browsing, shopping, and other online activities. But, below the Internet’s surface lurks the Dark Web, where criminals market a variety of different goods and services, from passports and drugs to “rent-a-hacker” services for the purposes of messing up someone’s life. Thanks to the Dark Web, stolen client data of all kinds has a market, therefore increasing its appeal.
Even if an organization conducts an audit of all security controls and policies, a new exploit could be found the next day, rendering a clean bill of security health void.
Case Study Illustrates the Risk of Not Participating in Cybersecurity
The following case study illustrates the point that employee education is key. About a year ago, a large corporation contacted me claiming they had compromised systems. They mentioned that an unauthorized $1 million wire transfer to Russia. Management suspected an inside job carried out by one of their employees. They had spent hundreds of thousands of dollars on security appliances, thinking this could not possibly happen to them. However, a review of their infrastructure revealed a lapse. They adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”
Thinking their appliances would not allow such a thing, spam e-mail got to an employee’s workstation. That individual clicked a link and initiated “Zeus” malware. While the hacker’s toolbox is expansive and variable, there are certain tools worth mentioning, one being Zeus. Zeus, when executed, monitors an infected computer for certain types of user activity, including online banking. In some cases, it often remains dormant until a user accesses a financial service or banking website.
Once Zeus identifies the targeted activity (such as banking), it will then collect confidential data to include a log of all keystrokes and screenshots. This transmits the compromised data to the hacker. In this case, someone inadvertently left a security token plugged in. Hackers had everything they needed and set the software to wait for banking credentials. After that, all they had to do was log in and initiate the transfer.
This story teaches us that these lapses do happen, even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security. Management acted quickly, hired professionals, and assembled the narrative to recoup their money. They carried out reasonable steps for the safety of their customers’ information.
Lessons Learned about Cybersecurity
More often than not, though, incidents come unexpectedly and organizations have little preparation for the worst. Officers and employees often don’t have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown.
While designing a preventive policy, try to design a policy or incident response manual. This should effectively prevent an operational shutdown in the case of a breach and allows for quick, decisive action. And be sure you have the right contacts to respond to such an incident. Be ready for the inevitable, even if it seems impossible.
Specialists can assemble the narrative, from the initial exploit, threat elevation, and context of data that was ultimately compromised. An organization is better able to prevent a similar attack from happening in the future and have a clear picture of how to handle other tasks related to the breach, such as client notification.
Breach Notification
Breach notification often goes undisclosed. The responsibility of organizations to notify their clients, partners and other parties about a breach varies from different situations. In certain industries, federal and state regulations are the rule, but others are solely up to the discretion of executives. In responding to the public, or proactively notifying clients, it’s best to wait until a full investigation is complete. It is important to know there is a huge difference between an infection (abnormal Web traffic) and a data breach. Evidence of a possibly data breach attempt does not mean these people were successful. Moreover, even if hackers steal data, the type of data is central to the notification procedure.
Oftentimes, organizations that suspect a breach will jump the gun and notify their clients before an investigation is complete. In the end, sometimes nothing serious happened—no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is, in and of itself, a huge risk. Understand that some clients might not be comfortable continuing business with a company that disclosed a breach. Organizations need to do themselves a favor and rule out the possibility of a false alarm first. That said, it is important to incorporate client notification as part of the defined incident response plan. It is always best to be proactive but don’t inform clients or authorities until a serious breach definitively happened.
Complete a Thorough Investigation
In the unfortunate case that personally identifiable information was stolen, it is important to work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As previously alluded to, there are regulatory considerations that vary greatly between industries and states—for now. Until there is an overarching federal regulation that applies the same requirements of all industries and defines the type of data that must be stolen to report, the current compliance and digital security laws remain the law, and it is a patchwork.
Similarly, after an incident, education is still the most important aspect of preventing another breach. Take an incident or a breach and use it as a valuable learning opportunity. After a security breach investigation, walk employees through every detail of what happened. Pinpoint what the failures were and most importantly learn from the event and prevent the same thing from happening again. Hold the entire team responsible for a breach in security; not just one employee.
Conclusion & Takeaways of Cybersecurity
Preparation is key in any prevention strategy, and optimal security always starts at the human level, especially with cybersecurity. Best cybersecurity practices are just that—practices. Cybersecurity measures are always a work in progress and reflect the constant stream of new technology. It takes time to discover, learn, and implement the best methods. Ongoing education within this “culture of security” is imperative in trying to implement the best possible procedures. In this case, knowledge truly is power.
In a time where most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Cyberattacks range fromransomware baked into spam emails tophishing emails posing as trustworthy entities, to gain access to account information. One way organizations can better protect their business from these attacks is to mandate policies that direct every employee to utilize multi-factor authentication on every business account.
Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. Below we have listed a few of the most commonly used authenticators:
Digital Authenticators
One of the benefits of digital verification is that users do not need an additional physical token or device for authentication.
Email authentication
Email verification is when a user needs to click a link or obtain a code sent to their email address to verify ownership of the account they are logging into. One of the biggest problems with email authentication is a majority of people will reuse the same password for all of their important accounts.
Using email as a second method of authentication looks like this:
A user logs in to a website with their username & password
A unique code or link is then sent to the users’ email address linked to the account
The user logs in to their email account, they find the code, and enter the code into the application or website or clicks the link into the email
If the code is valid, the user is authenticated and granted access to the account.
Cellphone authentication (SMS)
The most common authentication method is through SMS messaging on a cellular phone. This method is considered more secure than email authentication because email authentication includes the risk of the email account also being compromised. The downside of SMS authentication is SIM-hacking can render the cellphone number useless.
SMS Authentication will look like this for a standard user:
A user logs in to a website with their username & password
A unique code is sent to the cellular phone number linked to the users’ account
The user takes the 4-6 digit code off of their device and enters the code into the application or website
If the code is valid, the user is authenticated and granted access to the account.
Physical Authenticators
A physical authenticator is more secure than digital because there is a real device that is needed to authenticate an account. This means that the user has a tangible key or an application downloaded to a physical device that is in their presence. These physical objects make it harder for cybercriminals to hack accounts.
Application-based authentication
Applications likeGoogle Authenticatorand other verification apps use a token/code to determine ownership of the account. These applications are linked to the device, not the phone number. Application-based authenticators can be as simple as a push notification going to the phone or the application, delivering a 4-6 digit code for users to enter on the website or application of the account they are attempting to access.
A user logs in to a website with their user name & password
The website they are attempting to access will send the user credentials to the authorization server.
The authorization server will authenticate the user credentials and generate a token.
The access token is sent to the user via an application downloaded to the users’ device
The user inputs the time-sensitive access token into the website they are attempting to gain access to.
If the token is valid, the user will gain access to the website.
Physical authentication device
At Metropolitan Risk, we supply our staff with the hardware authentication deviceYubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.
This physical device plugs into the USB port of a computer and requires a human touch to unlock the device.
The process of using a physical authentication device looks like:
Launch the authenticators’ device
On the account that the user wants to log into, enter the username and password as normal
Find the authenticator code needed in the authenticator
Insert the physical authenticator key into the desktop to show the credentials needed to log into the account
Enter the code on the website
If the code is valid, the user is authenticated and granted access to the account.
Developing An Organization-Wide Plan To Implement Multi-Factor Authentication
Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees.
Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts.
Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans.
If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
Distribute the authentication devices and instructions to your employees
Make sure all employees are on the same page with how to manage this new software.
Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures.
Remember, cybersecurity only works if the entire organization is working towards the same goals.
Metropolitan Risk is here to help your organization overcome obstacles that can affect your organizations’ operations.Contact A Risk Advisorto book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage or Call 914-357-8444.
Remote operation of your business means that protections your office building had, your employees’ homes may not. Cybercriminals are taking advantage of this situation by phishing out your employees’ data. Take the time to educate your employees on cyber safety. This safety training needs to expand beyond just email safety but also include cyber safety within the office.
How To Conduct An Organization-Wide Phishing Test:
Notify and train your employees on what phishing is:
If you don’t notify your employees how are they going to know what is going on? Let your employees know that you will be conducting an organization-wide phishing test. Teach your employees about the risks of phishing and how they can be better at recognizing the signs and stuff.
Employees need to know that phishing is more than a link asking for login credentials. Phishing scams can an email sent company-wide from an unknown sender containing an attachment that is actually malware. 94% of malware was delivered via email in 2018.
During this initial training session, define your organization’s cybersecurity expectations. Your employees can’t read your mind. Communication from management and the IT staff can help with educating your employees on cybersecurity best practices.
Engage all relevant departments and managers on why phishing is a threat to your organization
Work closely among staff members such as managers, HR, and IT to develop and engage an organization-wide cybersecurity plan. If customer service is leaving the door open at the end of the day, your engineering department might be at risk for a cyber attack.
Create an alias email account for your employees to report potential phishing scams.
An alias email allows for your organization to streamline your phishing reporting. The alias email address can be as simple as “Phishing@yourcompanysite.com”. This email address can redirect to the IT department or whoever is in charge of the network.
This email address will allow your employees to forward the scam email right to an internal IT log specific for Phishing instead of going to the IT team and getting lost among other technical issues like website problems or a lost password.
Plan to test your entire organization to see if there are any weak links in your cybersecurity. This means including senior management in your phishing test. To plan your phishing test, you can hire a 3rd party contractor to run the test and then measure things like link clicks, which employees leaked information, the number of employees who reported a phishing email.
Analyze important key metrics
After running a phishing test, work with IT staff members and team managers to analyze key metrics.
Key Metrics to keep track:
The number of employees who click the link in the testing email
Number of employees who download a file from the unknown email address
The number of employees who report a phishing email to your IT staff or their manager.
Take Action With Employees Who Failed The Test
Is there a portion of your staff who have continuously failed cybersecurity tests? Sit down with HR and IT to see what measures you can take to further educate and protect your business. Work with HR to develop a plan for employee failure on every level. A breach in security is not a joke, but a high-level employee releasing admin information is a more serious offense than a low-level employee who only has access to email.
Provide Your Entire Organization With Additional Information on Cybersecurity
All of your employees can benefit from additional information on cybersecurity. Educate your employees on best practices to keep both business information and private information safe from hackers. This can include resources on different types of anti-viral software, best practices for end of day
Test, test, and then test again to make that your organization understands what is at risk with their unsafe digital activity. Every 6-months to 1 year, a random phishing test should be sent out throughout your organization. This consistent retesting keeps employees on their toes and helps employers determine which employees may be at risk of falling prey to an outside phishing attempt.
Still want more info on how your organization can better protect itself from cybercriminals? Contact one of our risk advisors at 914-357-8444.
