Cyber Security

The Human Factor in Cyber Risk

by
Deep Fake

The Human Factor in Cyber Risk is the biggest cyber threat that businesses face today……

Businesses recognize the cyber risk created by the outside threat of a hacker but the human factor or insider threat is the greater threat . By virtue of human nature, people are susceptible to making mistakes and it is this unpredictability that offers most businesses most concern and the ability in which to manage this.

The Facts

  • The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents , with former employees being a high percentage of these at 23%.

http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world

  • The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.

https://www.mimecast.com/resources/press-releases/Dates/2016/8/malicious-insiders/

A PWc report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are bought about by human factors…..

1.Malicious 

Motivated by a user wishing to cause a businesses harm, possibly for revenge or spite due to frustration at work, reward by an outside organisation or competitor.

As an insider they do not need to get around firewalls and can avoid detection and are normally in a position of trust where their actions are not questioned.

The attacks consist of deliberate acts such as :-

Infection of Computer Systems with Malware  

An employee could deliberately inject a malicious software in the businesses computer system which would cause disruption.

Selling of Passwords

This could lead to corporate data being being stolen and passed to a competitor

Abuse of Internal Logins

The Ponemon Institutes’study on the Insecurity of Privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.

https://www.ponemon.org/

2. Accidental

These are caused by carelessness and lack of awareness perhaps during a busy period at work, at a certain time during the day after lunch or a Friday afternoon when thoughts could be on the weekend.

Negligence 

An inadvertent transmission of a virus via an e-mail that could corrupt a third parties computer system

The leaving of a laptop   on a train or in shop

Uploading of sensitive information that may be sent out into the public domain.

Social Engineering

An employee may open an innocent looking attachment to an e-mail which contains a virus that compromises the business computer systems. This is known as a phishing attack and could lead to the system being locked down from a ransomware virus attack.

Phishing attacks can be targeted i.e Spear Phishing or ciculated non discrimently.

Poor Password Housekeeping

An employee may keep their password by writing it on a postit note on their computer screen or have this written on their desk note pad, this provides an opportunity for another employee to access their computer profile.

Examples of Insider Attacks in the UK 

Tesco

40,000 customer accounts of Tesco bank out of a total of 136,000 were subject to suspicious transactions, 9,000 of these had money stolen from their accounts. The sums taken were relatively small varying up to amounts of £600 but eventually totaled £2,500,000. It is suspected that the compromise of the customer accounts were as a result of an insider.

Sage

The accounting and HR software firm suffered a data breach, which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorized access to the data.

Morrisons

An insider published details of the entire Morrison 100,000 employee database which appeared to be motivated as a revenge attack. The employee was likely to have taken advantage of his privileged rights. A number of employees have now launched legal action against Morrison’s

Ten ways to help manage the Human Factor  

1.Ensure that cyber security policies and procedures are in place

2.Introduce staff awareness of current cyber security threats

3.Robust training of staff on all aspects of cyber security

4.Employee conduct review prior to joining company

5.Monitoring of employees that are leaving the company in terms of their on-line activity

6.Monitoring of internal network activity and review of unusual activity

7.Assessment of large amounts of data being accessed or moved

8.Sharing of best practices

9.Restriction of  administrator login

10.Purchase of cyber insurance to help mitigate losses

The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.

Image : Shutterstock

Rio 2016 – The Cyber Threats

by
Rio 2016

Rio 2016 is here …..expectations are high for another GB medal haul,  but this major sporting event is inevitably going to be a target for cyber attacks

Some facts that will make Rio 2016 a draw for hackers  …

  • Brazil is already recognized as hub for cybercrime ranking 10th in the Symantec 2015 Internet Security Threat Report
  • London 2012 experienced 165 million attempts to breach cyber security , at Rio 2016 it is anticipated that this could be 4 times this….
  • 5th August to 21st August presents a significant window for hackers to exploit
  • 37 Venues
  • 306 Events
  • 10,500 Athletes
  • 206 Countries participating
  • 7.50M Tickets available for the events
  • 500,000 overseas travelers expected in Rio de Janeiro

Why The Olympics?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that exist.

The Cyber Threat Landscape

Some of the targets for cyber criminals are likely to be the following :-

1.The Official Rio 2016 Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers, altering the data such as falsifying the results and interfering with medal tables.

Defacement of the website by a hacktivist.

Spectators and visitors will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Event Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big events with no ticket actually being produced.

3.The Venues

Technology will be pivotal in all aspects of the running of the 37 venues being used in Rio 2016. Entry to the venues, ticketing processing, management of lighting and associated infrastructure would all be impacted in the event of a cyber attack.

4. Competitors Data 

The event will involve a huge amount of data ranging from credit card data of spectators, athletes confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals. Brazil does have an established reputation for on-line banking fraud.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain athletes and officials personal information that could be disseminated over the internet. The endless sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime. For example a video re-run of the 200 m final could be disrupted by a ransomware attack.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the numerous events taking place. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official Olympics app. Smartphones area also at risk if stolen and personal data is sourced.

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting the running of Rio 2016.

There may be political motivation from countries that want to disrupt the Olympics. This could be to make a political stand on an issue or perhaps a country that failed to win an event or perhaps a competitor that was disqualified and the country that was represented takes retaliation.

The threat of remotely controlled drones by cyber terrorist entering an event causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

The International Olympic Committee will no doubt have in place a comprehensive cyber risk management program to manage the programs of events which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks associated with sporting events by providing the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Rio 2016 is global event that is reliant on technology which does make it especially vulnerable to cyber security threats, it is therefore important that these are recognized and measures are put in place to mitigate the potentially severe consequences that could impact on the games.

Image Credit: rvlsoft / Shutterstock.com

EU-US Privacy Shield – En Garde !

by
EU-US Privacy Shield

EU-US Privacy Shield will come into force on the 1st August and this now replaces the defunct Safe Harbour.

What has caused the delay?

Finally getting this over the line has been frustrating as it has met the resistance of the European Commission whose fault finding Article 29 Working Parties Opinion on this was delaying the final agreement.

This has now been given approval by the Article 31 Committee on 8th July and on 12th July the European Commission issued an “implementing decision” which ratifies that the Privacy Shield will be adopted.

Despite criticism from certain quarters during the negotiation phase this does now provide some certainty on how businesses can legally transfer personal data between the EU and US.

The Background

In February we covered the announcement of the  hotly awaited replacement to the Safe Harbour in our post

EU-US Privacy Shield – Is data safe again?

The main obligations imposed on firms handling Europeans personal data are as follows:-

  • Individual Notification

Businesses must inform individuals of their rights under the US-EU Privacy Shield and what rights they have including specific reference to how their particular data is processed

  • Opt Out

Individuals can object to the disclosure of their personal data to third parties or for specific purposes.

  • Responsibility for movement of personal data

This should be limited and made clear for what purpose this is going to be utilised. The level of protection of the data in this process must be no lesser to that set out under the Privacy Shield.

  • Security Measures

These must be in place commensurate with the type and sensitivity of the data and how this will be processed.

  • Access to Data

This must be possible and if amendments are required to the data then this must be carried out promptly.

  • ƒData Integrity

Data must be set out in accordance to its’ relevance and end use, this must be up to date and accurate in all respects.

  • Consequences of non adherence

Processes to be put in place to ensure that compliance is achieved and a system of redress with options for legal remedies.

A copy of the Framework Principles as issued by the US Department of Commerce is available at the link below

EU-US Privacy Shield Framework Principles

What will the impact of Brexit?

This is going to be one of the many issues that will need to be negotiated with the U.K. leaving the EU. The protection of personal data is a foremost consideration all around the world today and this geographical location is no exception.

Would the UK now need to negotiate a separate Privacy Shield with the US – will we therefore see a US-UK Privacy Shield?

How does this interact with the General Data Protection Regulations that come info force on 25th May 2017? The UK will need to implement similar data protection regulations when dealing with the EU and the personal data of individuals within these European States. Data from the EU may also circulate via the UK to the US which is a further dilemma that will need to be addressed.

Can Cyber Insurance Help?

This form of policy provides protection for loss of personal data for such scenarios as a result of a hacker attack , the inadvertent loss of data by an employee or the destruction of data by a malicious act. The post breach response vendors provided by insurers also provides a significant benefit to businesses.

Cyber Insurance can therefore play a role in mitigating the impact of a data loss irrespective of the changing legal landscape that is evolving.

The underlying message to the business environment is that they must have heighten awareness and be very much ” En Garde” as to the dynamic changes on how data is processed and protected and the pitfalls of non-compliance.

 

Euro 2016 – The Cyber Threat Landscape

by
Euro 2016-

Euro 2016……whether you agree with the final England squad going to France for the 15th UEFA European Championships or not, we should all be in agreement that this major sporting event is inevitably going to be a target for cyber criminals.

Some Facts…

24 countries will be represented at Euro 2016 each with 23 players in the squad which totals 552 players in all

2.50 million fans are expected in the 10 stadiums

Overall spend is expected to be E1billion

The event is being broadcast to 230 countries worldwide with 150 million spectators expected to follow each match

650 employees and 6,500 volunteers

Information : Courtesy of Press Kit dated 2nd March 2016

Why Euro 2016?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that may exist.

The Cyber Threat Landscape

Some of the targets for cyber criminals are likely to be the following :-

1.The Official Euro 2016 Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers and altering the data such as falsifying the results and tables and providing incorrect information to the public.

Defacement of the website by a hacktivist.

Fans will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Match Day Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big games with no ticket actually being produced.

3.The Stadiums

Technology will be pivotal in all aspects of the running of the ten stadiums being used in the tournament. Stadium entry, ticketing processing, management of floodlights and associated infrastructure would all be impacted in the event of a cyber attack.

4. Tournament Data 

The event will involve a huge amount of data ranging from credit card data of fans, players confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain players and officials personal information that is disseminated over the internet. The numerous sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the tournament. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official FIFA app. These have already been discovered by Avast Software’s Jan Piskacek with adware with viruses appearing on mobile phones.

Fake FIFA Apps on Google Play

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting many aspects of the tournament.

There may be political motivation from countries that want to disrupt the tournament. This could be to make a political stand on an issue or perhaps a country that failed to reach the finals or a country that has controversially been knocked out of the competition.

The threat of remotely controlled drones by cyber terrorist entering a stadium causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

FIFA will no doubt have in place a comprehensive cyber risk management program to manage Euro 2016 which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks by the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Lets hope England’s destiny will not again be determined by a penalty shoot out – if so the team will be need to be prepared, well practiced and above all have the right players taking the penalties …. this can be applied to the cyber security team that is in place to manage and mitigate cyber risks of any sporting event or to that fact any commercial enterprise.

Image Credit – Evan Lorne / Shutterstock

Cyber Security risks face education sector

by
cyber security risks

Is the education sector facing cyber security risks?

In the US last week a hacker broke into the University of California’s computer system which contained 80,000 students. This apparently occurred in December whilst the university was in the process of patching a security flaw in their financial management system.

University of California

This followed a similar breach earlier this year at the University of Florida where private information of current and former employees were accessed going back to 1980. A lawsuit has been issued which is seeking a class action status. There was also criticism on how the breach was managed.

On this side of the Atlantic in December university students were unable to submit work as a result of the academic computer network called “Janet” coming up against a distributed denial of service (DDOS) attack causing reduced connectivity and disruption. The University of Manchester was one of the universities impacted by the DDOS attack.

Earlier, last year the University of London Computer Centre (ULCC) was hit by a cyber attack which again left millions of students unable to access the organisation’s IT services. The centre provides services to over 300 UK institutions and supports over two million higher education and further education students on its open-source learning platform Moodle.

The education sector accounted for nearly 10 per cent of all breaches in the past year, according to cyber security company Symantec.

Symantic Internet Threat Report 2015

Personal Data

Universities and colleges contain an abundance of personal data which makes them attractive to hackers, such as credit card details, medical information of current and former students and employees. This also becomes complicate to manage as students come from many different parts of the world bringing with them wide ranging data protection regulations.

Multiple Entry Points

The education sector traditionally provides multiple entry points with a huge spectrum of users having access to its networks. The access is also available 24/7 365 days a year via many devices that may not be secure such as laptops logging in from remote wi-fi locations.

Social Media

Within the education framework social media features prominently and in the absence of social media policies with specific standards in place this can leave a university vulnerable in terms of the inadvertent sharing of information that may not be meant for the public domain.

Separate Networks

A college or polytechnic may consist of a number of separate networks which may not contain a high level cyber security and therefore present a number of cyber security risks.

Intellectual Property

Certain establishments contain highly sensitive research information in the fields of science, health , defense  and aerospace. This could make them a target for hackers and terrorist organisations.

Cyber Security Research

Cyber security research itself could also be a target with the Global Centre for Cyber Security Capacity building  in Oxford University’s Martin School. A number of universities have been awarded Academic Centres for Excellence in Cyber Security Research, such as the Bristol and Kent Universities which means that they will work more closely with the Government Communications Headquarters (GCHQ).

Cyber liability insurance can play a very important role in supplying an extra layer of comfort in the event of a cyber attack to education establishments, providing coverage for a significant number of the potential cyber security risks that exist in this sector.

 

Should we share Cyber Security information ?

by
cyber security

Should we share cyber security information ?

Is this a good idea… there are very good reasons why we should share cyber security information and there are also reasons that perhaps it may not be such a good idea.

The current landscape seems to be moving towards the sharing of this confidential and sensitive information with regulation being imposed on both sides of the Atlantic in recent months to promote and encourage the sharing of cyber security information.

At the end of last year  the EEC announced The Network and Information Security Directive (NIS) which is a security and reporting directive for companies in critical business sectors , namely transport , energy , health and finance. This is also applicable to the businesses such as Google and Amazon.

This Directive includes a requirement to report cyber security breaches which is aimed to encourage greater visibility of cyber crime and data breaches within companies and for companies to address their own cyber security.

It is anticipated that this will be ratified in the Spring, with implementation anticipated within the next two years.

In the US , also at the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed by the Senate which allows companies to share cybersecurity threat data with the Department of Homeland Security (DHS) and other federal agencies. A number of bodies that already exist in the US which include the sharing of cybersecurity information . These include Enhanced Cybersecurity Services (ECS) which is a  voluntary information sharing program and whose aim is to help better protect busineses customers and the National Cybersecurity and Communications Integration Centre (NCCIC) which shares  information with public and private sector partners.

In the UK the Cyber-security Information Sharing Partnership (CiSP) exists which is part of CERT-UK . This is a joint industry government initiative set up to share cyber threat and vulnerability information in order to increase overall awareness of cyber threats and help mitigate the impact this may have on UK businesses.

The British Insurance Brokers Association ( BIBA) have recently endorsed (CiSP) to encourage insurance brokers to join CiSP to share the knowledge of over 4000 cyber-security professionals from over 1500 organisations. The government is also very keen that the insurance industry works closer with cyber security professionals and it is likely that we will see evidence of this in the future via associations and collaborations.

Let’s now review the positives and negatives of sharing cyber security information :-

Positives

  • It provides information to business on the latest forms of malware, spear phishing campaigns, and known malicious domains
  • Improvement in technology to combat the latest forms of security threats
  • Information derived from claims that insurers can assess / rate and improve the coverage under cyber insurance policies.
  • Assessment of insurers aggregation
  • Information to help insurers analyse cyber catastrophe models
  • Provision of knowledge to help anticipate future terrorists lead cyber attacks

Negatives

  • Possible release of confidential information of cyber attacks and data breaches to third parties
  • The information provided may impact on a company to carry out businesses with existing customers being concerned with poor cyber security measures.
  • Collateral damage to reputation of a business and impact on stock market share price
  • Hackers gain access to extremely sensitive data bases
  • Perceived by some that “big brother” is spying and will encourage surveillance of businesses
  • Inadvertent sharing of personally identifiable information

The cyber security industry also has an important role to play as they are arguably possess the greatest amount of cyber security data, this is no doubt considered valuable intellectual property and there would be a reluctance to readily share this to a wider audience without distribution to secure destinations.

The sharing of cyber security information is more advanced in the US than the EEC / Rest of the World and is reflective of two very differing cyber landscapes , with the US being more mature in terms of number and size of cyber security breaches and the existing litigation that helps drives notification.

The sharing of cybersecurity information definitely has a role to play in the development of the improvement of cyber security and the defence of cyber attacks that can threaten a business……  how it is shared is perhaps the current dilemma facing governments and regulators.