With the amount of available data growing every year, the risk of data theft grows with it. Data, in the form of financials, intellectual property, and even personally identifiable information (PII) and personal health information (PHI), has become portable in multiple formats. A single USB flash drive can store millions of records. Those records can also be transferred from a laptop over a Wi-Fi connection to cloud-hosted storage in a matter of moments. The same constant innovations in web-facilitated business tools also tend to open more avenues for internal negligence and external attack.
What should companies consider when shoring up their defenses against cybercrime? CPO Magazine sat down with Prashant Pai, Vice President of Cyber Offerings at Verisk, and Scott Stransky, Assistant Vice President at AIR Worldwide, a Verisk business, to understand the strategies that could help businesses prevent, or recover from, an increasing volume of attempted hacks.
Q: What are typical methods of attack (for example, phishing) that businesses can prepare for?
Pai: Businesses would be wise to prepare for data and privacy breaches, ransomware, and Denial of Service (DoS) attacks. One of the most common methods by which intruders get in is phishing, especially spear phishing (that is, targeted phishing) through e-mail attachments. Regularly training your staff is key so that they know better than to automatically click on links or open attachments in e-mails from unrecognized senders. One of the best cyber defenses an organization can erect is a trained and aware staff.
Stransky: I agree. One of the most critical things a business can do to prepare for cyberattacks is employee training. Many attacks can be prevented if employees are vigilant and always have some degree of suspicion when they receive an unexpected e-mail.
Q: Describe how ransomware and other malicious software (for example, WannaCry) work and what the best defense is.
Stransky: In a ransomware attack, cyber criminals encrypt the contents of your computer. A ransom is required—usually around $300 to $500, payable in an online currency like Bitcoin—to recover the contents. Most will help get you your data back if you do pay. The ransom paid is sometimes insurable, with many cyber policies including coverage for it. With WannaCry, although many companies suffered business interruption while their systems were down, very few companies ended up paying the ransom. WannaCry encrypted those computers that were not up to date on their Windows updates. Companies also should be aware that those with current off-line backups of their files could restore their systems without paying a ransom.
Pai: Sometimes the most basic defense is best: software patching and upgrades, for example. The largest software manufacturers have gotten much better at releasing new patches as soon as they’re aware of existing vulnerabilities. If left unpatched, ransomware such as WannaCry and Petya/NotPetya spreads from one computer to the next when it finds another device on the network with a vulnerability. Running virus scans and not connecting to any open public Wi-Fi networks are other pragmatic pieces of advice. Cyber pandemics are somewhat analogous to human health emergencies. We can’t stress basic computer health and hygiene habits enough.
Q: What kinds of issues and costs might a company expect following a high-profile breach?
Pai: Following a headline-grabbing breach, there are incident response costs to contain the breach, evict the intruders, and recover operations quickly. After that, breach responders and breach coaches are needed to implement a course of action to support affected consumers and/or employees. Actions can include determining which consumers were affected, notifying them, providing them with credit monitoring, and covering the fraudulent transactions. There may be potential liability issues coming from consumers, their card issuers, and so forth. This event may also cause substantial business interruption or disruption. And often, we’ve seen reputational impact and the public relations expense required to repair brand and image.
Stransky: There are also “fuzzier” costs to consider. C-level executives tend to be ousted or resign after a major incident. A company’s cyber insurers will likely charge more to renew cyber insurance policies after such an incident. As for cyber insurance, most of today’s policies have limits that are not really high enough to deal with a major incident. In the Target breach, the company had an insurance tower with a total limit of $100 million, but the direct costs of the breach were several times greater than that.
Q: Should companies be as concerned about their privacy and intellectual property as they are regarding exposures for physical property and equipment? If so, why?
Stransky: Yes, particularly as laws around the world evolve, purchasing cyber insurance will become even more essential. Today, breach notification is required in all 50 states, and the associated costs of notification (forensics, credit monitoring, setting up a call center, and so forth) are insurable. In May 2018, the European Union’s General Data Protection Regulation (GDPR) took effect and requires even stricter notification if data on European citizens is lost or stolen. If a small business suffers a breach and doesn’t have cyber insurance, it’s very likely that the company will go out of business due to the costs associated with the breach.
Pai: If a company doesn’t have a policy already, I would highly encourage every business out there to consider cyber insurance coverage. Our society has become dependent on computers. Even a smartphone today has more storage and compute resources than the most powerful supercomputers of only 20 years ago. It’s difficult to imagine an industry not dependent on its IT resources. Small businesses are particularly vulnerable because they lack the staff and expertise to prevent and recover from cyber incidents.
Q: Is there such a thing as “cyber organized crime,” or are hackers mainly “lone wolf” individuals?
Pai: Absolutely, from my perspective, organized cybercrime exists. Social engineering and technical hacking go completely hand in hand for cybercrime. Petty criminals and gangs that have dealt in drugs, kidnappings, and the like have very likely realized they could take their talents to the cyber world for greater reward with less risk of getting caught. It appears to be quickly becoming the hottest crime industry.
Stransky: Sure, there are likely individuals sitting in their basements who hack for the glory and pride. We have seen reports that nations are involved in state-sponsored hacking. And yes, organized crime groups are also quite prevalent.
Q: Are hacking and/or data breaches covered by conventional property/casualty policies?
Stransky: Many in the industry refer to “silent cyber”—the possibility of having to pay out cyber-related losses under non-cyber policies. As we sometimes see in a non-cyber context, in the aftermath of an event, if an insured has a loss they may try to “find” coverage under various policies, even where not expressly addressed. In the cyber context, they may try to “find” coverage for cyber losses under their traditional non-cyber policies, such as (but not limited to) Errors & Omissions (E&O), Directors & Officers (D&O), Commercial Crime, or Commercial General Liability (CGL).
Pai: Many conventional P&C policies were designed before the advent of cyber risk. Just as Verisk/ISO does, insurers need to go back and evaluate how cyber risk may affect the provisions in policies they have out there.
Q: How seriously should companies be concerned about the exposure of their business partners?
Pai: Very seriously. From a cyber perspective, organizations should consider vendors part of their extended ecosystem. It’s key to provide incentives to your vendors to ensure good cyber posture. The Target hack showed us how cyber criminals first hacked into an HVAC vendor and then, when the vendor connected into the Target firewall, moved laterally through to the point-of-sale infrastructure from where they stole millions of records.
Q: Many businesses are moving their computing to the cloud. How vulnerable is the cloud to hacking?
Stransky: The big or most likely issue for the cloud isn’t about being hacked. Of greater concern is the potential business interruption that could occur if the cloud goes down. We saw Amazon Web Services’ multi-hour failure in February 2017 from a simple typo that an AWS employee made when trying to resolve a billing problem. Think about what a coordinated group of attackers could achieve. A failure by any one of several major cloud providers with large enough market share could lead to severe economic and insurance losses.