Search

Brian Pennington

A blog about Cyber Security & Compliance

Month

August 2015

Cyber insurance: trying to quantify risks

Bloomberg Intelligence August 24, 2015

This analysis is by Bloomberg Intelligence analysts Charles Graham and Edmond Christou.  It originally appeared on the Bloomberg Professional Service.

Personal data theft, cyber-attacks whet appetite for insurers

The value of personal data stored on corporate databases is rapidly increasing. For EU citizens it is set to reach 1 trillion euros ($1.4 trillion) by 2020, according to Boston Consulting Group. This is raising the need for greater protection. The increased incidence of data breaches and misuses as hackers become more sophisticated has also imposed greater regulatory requirements on businesses. Companies are seeking new products from insurers to limit the cost of interruption, reputational damage and penalties.

Companies Impacted: While cyber risk potentially affects many classes of business, there are a number of providers including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as specialist insurers like Beazley and Hiscox, which have developed specific cyber products.

Photographer: Craig Warga/Bloomberg

Insurers view industry as ill-prepared for risk of cyber theft

Cyber theft is top of the list of risks for which businesses are least prepared, according to Allianz’s 2015 Risk Barometer Survey. Companies need to understand the potential effect of a cyber-attack on their supply chain, the liability they could face if they can’t deliver products on time and the legal penalties if they lose customer data. While computer systems can be improved, it is impossible to make them entirely secure. This is creating opportunities for insurers.

Companies Impacted: Allianz’s 4th Risk Barometer Survey was conducted among global businesses and risk consultants, underwriters, senior managers and claims experts within Allianz in October and November 2014. Insurers offering cyber-risk cover include AIG, Allianz, Zurich, Beazley and Hiscox.

Swelling cyber-attack costs are driving wider insurance coverage

The average cost of a data breach has increased to $3.79 million, according to a study by the Ponemon Institute based on a survey of 350 companies in 11 countries. This cost has increased by 23% since 2013. The average cost for each lost or stolen record containing sensitive information rose to $154 this year from $145 in 2014. Concerns about data breaches and privacy have led to legal reforms in the U.S. and Europe, which may help drive demand for cyber-insurance.

Companies Impacted: Increasing cyber-attacks have driven insurers such as AIG, Allianz, Beazley, Hiscox and Zurich Insurance, to expand their product offerings to include first- and third-party coverage for cyber-risk.

Retailers face biggest threat from cyber theft, data breaches

Retailers face the biggest threat from data breaches, according to figures compiled by Zurich Insurance. The food and beverage industry is second in line for hackers followed by hospitality, finance and professional services. Carphone Warehouse discovered on Aug. 5 that personal data of 2.4 million of its customers and encrypted credit card details for 90,000 clients may have been accessed in a data breach. Insurers are tailoring products to meet different industries cyber risks.

Companies Impacted: Insurers work with companies to identify best practices in data privacy and security to help to minimize the financial cost should a breach occur. AIG, Allianz, Beazley, Hiscox, Zurich Insurance are among the companies to have developed cyber-insurance coverage.

Die hard 4.0 cyber scenario could cost more than $1 trillion

A cyber-attack on the U.S. power grid could cost $243 billion rising to more than $1 trillion in the most extreme scenario, according to a study by Lloyd’s of London and the University of Cambridge. The report examines the insurance implications of a major cyber-attack. It depicts a scenario where hackers shut parts of the grid, plunging 15 U.S. states and Washington DC into darkness, leaving 93 million people without power. Insurers are just starting to wake up to the scale of potential losses.

Companies Impacted: Cyber-insurance risks are widely underwritten at Lloyd’s with 47 managing agents offering cover, including quoted groups Beazley, Hiscox and Novae. Lloyd’s introduced new risk codes for data and privacy breaches and cyber-related property damage in 2015.

Swiss re joins forces with IBM to fight cyber threat

Munich Re has partnered with Hewlett-Packard and Swiss Re with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks. IBM’s security platform provides intelligence to help organizations protect their clients’ data, applications and infrastructure.

Peer Comparison: Swiss Re’s Corporate Solutions business is one of a number of insurers offering cyber coverage. Other companies include AIG, Allianz and Zurich Insurance.

2015 Best & Worst Tourist Attractions for Mobile Security

Skycure collects data lakes of threat intelligence about the multiple layers of mobility, including device-level, app-level and network-level intelligence, which is beyond the reach of traditional mobile security tools.

Types of Attacks

The most frequent threat that we identified at the Top 15 Danger Destinations was a WiFi-based attack called SSL decryption, which allows cyber criminals to capture personal and work information (such as mobile banking logins/passwords and corporate credentials). SSL Stripping was the other common attack that allows attackers to downgrade HTTPS URLs to non-secure HTTP URLs. These attacks are generally hard for users to detect as the attackers keep them believing that her or his session is secure.

iOS vs. Android

In a separate analysis that reviewed worldwide Skycure Threat Intelligence data, researchers found that on average, mobile devices are more than 25% likely to expose personal and corporate data to a network attack on a monthly basis. The research also found that while iOS devices/users connect to many more WiFi network access points (probably because of automated hotspot connections, usability and being used more often in work environments than Android devices), Android devices/users connect to more malicious ones. This was a little surprising to us as well and we have a few theories on why that might be the case:

  1. User Behavior: Android users are generally more tech-savvy and their comfort level to connect to “never-seen-before” networks is a bit higher than iOS users.
  2. Data Plans: Android users tend to choose from a greater range of carrier plans that are more economical but may have smaller data limits. Not wanting to incur fees for going over their data plans, Android users may be more likely to voluntarily connect to “Free” WiFi hotspots.

The study found that a massive 8% of the total reported threats originated from a WiFi network with “Free” in its name.

Safety Tips for Travelers: Here are a few quick tips for mobile users traveling to high-risk destinations:

  1. Avoid “Free WiFi” networks.
  2. Update your device to the most current operating system.
  3. Read the warnings on your device and don’t click “Continue” if you don’t understand the exposure.
  4. Disconnect from the network if your phone behaves strangely (e.g. frequent crashes) or you receive a warning notification.
  5. Protect your device with a mobile security app like Skycure.

Skycure_MapInfographic-v15

Personal data in leaked datasets is still personal data – ICO

By Simon Rice, Group Manager for Technology at the Information Commissioners Office (ICO).

Personal data in leaked datasets is still personal dataThey say ‘no publicity is bad publicity’, but after spending most of the week trending on Twitter, I wonder if the users of the Ashley Madison site might disagree.

Having already prompted a flurry of news stories when the online attack of the Ashley Madison servers was first revealed, this week we’ve seen another wave of coverage as the personal data was published online.

Wherever your sympathies might lie in relation to the people identified in the published data set, the fact remains that such details are personal information, with certain protections in law.

Like many online attacks, the data protection response is international. In this case, we’re liaising with our counterparts in Canada, where the company is based.

But with cases like this, there is still a domestic aspect to consider.

Anyone in the UK who might download, collect or otherwise process the leaked data needs to be aware they could be taking on data protection responsibilities defined in the UK’s Data Protection Act.

Similarly, seeking to identify an individual from a leaked dataset will be an intrusion into their private life and could also lead to a breach of the DPA.

Individuals will have a range of personal reasons for having created an account with particular online services (or even had an account created without their knowledge) and any publication of further personal data without their consent can cause them significant damage or distress.

It’s worth noting too that any individual or organisation seeking to rely on the journalism exemption should be reminded that this is not a blanket exemption to the DPA and be encouraged to read our detailed guide on how the DPA applies to journalism.

This is not the first time an online service has suffered such an attack and unfortunately it’s unlikely to be the last. But it’s important people don’t assume that the law and the protections it affords to UK individuals don’t apply online.

Have your details been published in a dataset?

If you find your personal data being published online then you have a right to go to that publisher and request that the information is removed. This applies equally to information being shared on social media. If the publisher is based in the UK and fails to remove your information you can complain to the ICO.

64% of Organizations are Potential Targets for Nation-State Cyberattacks

According to a recent survey conducted at this year’s Black Hat USA security conference, nearly two-thirds of organizations are potential targets for nation-state cyberattacks.

The survey conducted by Tripwire, which includes responses from 215 conference attendees, also found that 86% of those questioned have seen an increase in these targeted attacks directed at their network over the last year.

Even more alarming, however, was that despite the noticeable increase in attacks, less than half of the respondents (47%) said confidence in their organizations’ ability to detect and respond to a cyberattack grew in the last 12 months.

Screen Shot 2015-08-17 at 1.29.05 PM

Organizations know they are being actively targeted and that their current capabilities aren’t enough to consistently detect and defend against these attacks,” said Tim Erlin, director of IT security and risk strategy for Tripwire.

“While new defensive technologies are constantly being developed, organizations are hard-pressed to deploy these new tools effectively,” he said.

Erlin noted that in many cases, these organizations would do well to evaluate their investment in foundational security controls.

Additional findings from the Black Hat USA 2015 survey include:

  • 64% of respondents said targeted attacks against their networks have increased over the last year by 20% or more.
  • 53% of respondents said they do not have the visibility necessary for accurate tracking of all the threats targeting their networks.
  • 41% of respondents said they have seen a significant increase in the number of successful cyberattacks in the last 12 months.

Cybersecurity: The Looming And Growing Threat

Corporate legal spending on cybersecurity issues hit $1 billion last year, according to the BTI Legal Spending Outlook. It’s easy to see where this money is going: By 2018, more than 50% of organizations will use outsourced providers for security, Gartner predicts.

Here are seven trends expected to impact CIOs, law firms, and their clients in the year ahead:

1. Banking on IT and law firms vulnerability

In the wake of last year’s cyberattack that affected 80 million J.P. Morgan Chase customers, several banks asked their law firms to implement stronger security measures. Today, several banks and major U.S. law firms are collaborating to create a formal group by year end where they can share best practices with each other and government agencies.

“Law firms increasingly are seen as potential weak links,” the Wall Street Journal reported. “Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions.”

2. Data breaches growing more common

More than one-quarter (27%) of chief legal officers reported a data breach within the past 24 months, according to the Association of Corporate Counsel‘s recently released 2015 CLO Survey. Healthcare CLOs were most vulnerable: almost half reported a breach in the last two years, compared with approximately one-fourth among CLOs in other lines of business, the report found.

4. Changing Regulatory Landscape

This year, the European Union is expected to unroll more stringent disclosure and liability requirements that it will start enforcing in 2016. This could lead to a business boom for law firms, will likely also necessitate educational outreach: 77% of European companies surveyed by security developer Sophos did not know whether or not they were compliant with current standards.

Across the pond, President Barack Obama also has called for changes to the Computer Fraud and Abuse Act, the federal anti-hacking statute.

5. Crashing Mobile

Today, 96% of lawyers at firms with 100 or more attorneys use a smartphone, according to the American Bar Association’s annual Legal Technology Survey. And 49% of all lawyers surveyed use a tablet, the report found.

This makes attorneys vulnerable to a growing number of viruses, spam, and attacks specifically targeting mobile devices. If unprotected by even a basic password or biometric safeguard, lost devices leave a firm vulnerable to stolen data. Across industries, only 54% of respondents implemented a mobile security strategy in 2014 compared with 42% the prior year, a PricewaterhouseCoopers study reported. In addition, 47% now use mobile device management (MDM) or mobile application management (MAM), versus 39% in 2014, PwC said.

Across all industries, 46% of IT decision makers plan to increase security spending for mobile this year, Ernst & Young determined.

Advances in wearables and future decisions in how and whether healthcare can incorporate data from devices such as fitness monitors will further complicate mobile security for firms involved in these areas and the CIOs who support them.

5. Insurance at a Premium

Organizations increasingly invest in cybersecurity insurance, to lessen the potential impact of a breach, network damage, or business interruption. Once offered by only a handful of specialized firms, these plans now are available from a wide array of insurers.

To attain cybersecurity insurance, organizations typically must undergo audits and other processes to assure the insurer of the firm’s viability. CIOs, in partnership with governance, risk-mitigation, or the COO, are then assured both of the caliber of the firm’s existing security set-up and of financial coverage should the unwanted occur. Cybersecurity insurers include: AIG; Chubb Group of Insurance Companies; Marsh USA; Philadelphia Insurance Companies, and Travelers Indemnity Co., among many.

6. Ignore Social Niceties

Many law firms hire outside experts to conduct vulnerability assessments and craft strategies to combat Many experts advise staff to frequently reset passwords that contain symbols, capital letters, and numbers. And best practices must address common phishing scams, especially those targeting corporate or client contact information or employee data. Fake apps, fraudulent social media contacts, and hackers masquerading as maintenance staff are all favorite guises for social engineers.

7. All for One, One for All

Security is not exclusively the CIO or CSO’s responsibility. Rather, security must be weaved throughout a law firm so every employee, partner, and attorney cares and acts with security in mind. Communication between departments to ensure security procedures are effective but not onerous help develop a security conscious environment.

Frequent reminders, via screensavers, automated systems, brief self-paced videos, or occasional webinars – remind everyone about security measures. Quickly responding to users’ needs to avoid rogue setups further eliminates vulnerable areas.

Author:

UK-Avast-for-Business-INFOGRAPHIC

Blog at WordPress.com.

Up ↑

%d bloggers like this: