The Six Major Cyber Risks of 2019

Cyber Risks

What are the six major cyber risks of 2019 that businesses will need to guard against in the perpetual war against cyber criminals.

The cyberthreat landscape is constantly changing with hackers using ever more sophisticated means to gain unauthorised access to computer systems.This coupled with some of the more established tools utilised by hackers produces a cocktail of cyber attacks vectors that provide the ultimate test to cyber risk management of a busines.

Cyber risks come in many shapes and forms and it is likely that we will see the following featuring throughout the world in the coming days and months.

Supply Chain Vulnerbilities

This is proving to be a very real vulnerability with businesses heavily reliant on their suppliers and contractors for services whether this be for the provision of technology services that are fundamental to the effective functioning of the business.

If one of the suppliers systems are compromised this is likely to result if a significant businesses interruption loss where income will be lost and reputation damaged.

http://cyberbrokers.co.uk/how-secure-is-your-supply-chain/

Mobile Applications

We are are all reliant on our smart phones and laptops and end to end encryption of these is therefore of paramount importance. Confidential information and personal data is in abundance on these devices and a hacker will no doubt target such devices that do not have the appropriate security in place.

With the emergence of 5G this it will become increasingly harder to protect mobile applications.

Phishing Attacks

These are well established methods that hackers use to overcome human vulnerabilities.

This is carried out by e-mail compromise where uses click on a link that leads to malware being spread resulting in crippling the computer system or falsely changing a clients bank details to one set up by a hacker which leads to a loss of funds.

Ransomware Attacks

There have been a number of high profile ransomware attacks namely WannaCry and Non-Petya that impacted many countries around the world. Business affected by these include WPP, Maerck and the National Health Serice in the U.K.

A ransomware attack can be very cleverly disguised with many means available to gain access to a computer network. Over the past twelve months ransomware attacks have declined but they still remain a very real threat with different strains of malware emerging. This will only increase and make detection harder awareness of new methods and defense of these will therefore be vitally important to mitigate this on-going threat.

The Morrison’s Effect

As a result of a Morrison’s employee stealing salary details and distributing these to a number of newspapers Morrisons were sued for damages by a number of the affected individuals.

As a result of this it was found after appeal that Morrison’s were vicariously liable for the employees’ actions. The court also stated that the affected individuals could claim for financial loss and emotional distress. It is therefore conceivable that this could open the flood gates for class actions against other such businesses in similar circumstances.

https://www.bbc.co.uk/news/business-45943735

Artificial Intelligence and Internet of Things

Artificial Intelligence (AI) is now developing at an alarming pace as businesses recognized the benefits that machine learning can bring such as increased efficiency in manufacturing and data analysis. this however brings increased cyber risks. It is possible for inter-connectivity to take place which leads to communication with other devices called the Internet of Things (IOT) the result of which can lead to a compromise of systems , loss of data or even physical damage.

Cyber attacks backed by AI would be far greater than a conventional human lead cyber attack causing more damage for longer periods. This is a new emerging cyber threat but it could be one of the most dangerous and damaging as cyber security has not kept pace with the ensuing risks.

Cyber attacks will undoubtably become more sophisticated with the cyber risk landscape becoming more unpredictable and difficult to assess the threat vectors that develop.

Image : Shutterstock

The Challenges Facing Cyber Security

Cyber Security

What are the challenges facing cyber security in 2018?

These will involve the development of existing threat vectors and the emergence of new ones, keeping up with the evolving capabilities of hackers will never be more difficult to repel and prevent.

General Data Protection Regulations (GDPR)

This presents a major challenge to all organisations with time marching towards the 25th May deadline. Many businesses in the SME space are behind the curve in their preparations for this and will do well to meet this deadline. If missed they will face the wrath of the ICO and possible fines for non-compliance.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Artificial Intelligence (AI) 

AI and machine learning is now available to hackers to conduct cyber attacks providing a challenging new cyber threat landscape that will need to be navigated. Machine learning will also be used for the good as it can assist the cyber security sector in analysing and monitoring new and existing threats.

Internet of Things (IoT)

The IoT theat is likely to develop further with possible focus on critical infrastructures and home devices. With it now being possible to purchase botnet kits on the dark web it is becoming easier to set up DDoS attacks.

State Sponsored Cyber Attacks

These do not look they will be alleviating any time soon and are likely to grow eminating from countries that look to install government instalibility or to carry out cyber espionage.

Ransomware

Ransomware will continue to be a major cyber security threat with new strains being developed by hackers focusing on businesses that have immature cyber risk management.

Mobile Breaches

The threat of mobile breaches is still very much with us and this could be the year that a substantial breach occurs. This could happen via a vulnerability in an app which may itself contain considerable amounts of data that a hacker could gain access to for ill gains.

Bitcoin and Blockchain

Bitcoin, the leading cryptocurrency made the headlines at the end of last year with its value increasing by leaps and bounds before coming back down to a more sensible valuation. Blockchain is not very well understood , but is now recognized as method in which fraud can be prevented and will gain in popularity as it becomes more mainstream.

Trust

Trust is emerging as a side issue in the development of cyber security. Trust that business are safe to trade with and that in the event of a data breach they will act in an honorable fashion and in the best interests of their employees and shareholders. This will impact on future trading and the reputation of a business.

What Will Cyber Criminals focus on?

  • Supply Chain

Cyber threats are being targeted on supply chains as their computer systems do not always have the same standard of cyber security as the main contractor this presenting oportinuties for hackers to exploit inferior systems as a gateway to compromising the main contractors systems. This is likely to continue.

  • The Healthcare Sector

This sector has always been a principal focus for hackers as the stolen data can be used for a number of things.With the standard of cyber security not being considered the most robust this presents this sector as being vulnerable to hackers.

SME businesses

The general immaturity of SME’s computer systems and lack of cyber risk management makes them a prime target for hackers . The mentality of “ it won’t happen to us “ does not hold true and is a dangerous game to play.

Adequate levels of cyber security risk management and the emergence of cyber insurance will play an important part in managing a cyber attack on a businesses’s computer systems. The challenges that lay ahead in the coming year will be huge and defending a business against such a varied threat landscape will be demanding.

Image : Shutterstock

The Human Factor in Cyber Risk

Cyber Risk

The Human Factor in Cyber Risk is the biggest cyber threat that businesses face today……

Businesses recognize the cyber risk created by the outside threat of a hacker but the human factor or insider threat is the greater threat . By virtue of human nature, people are susceptible to making mistakes and it is this unpredictability that offers most businesses most concern and the ability in which to manage this.

The Facts

  • The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents , with former employees being a high percentage of these at 23%.

http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world

  • The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.

https://www.mimecast.com/resources/press-releases/Dates/2016/8/malicious-insiders/

A PWc report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are bought about by human factors…..

1.Malicious 

Motivated by a user wishing to cause a businesses harm, possibly for revenge or spite due to frustration at work, reward by an outside organisation or competitor.

As an insider they do not need to get around firewalls and can avoid detection and are normally in a position of trust where their actions are not questioned.

The attacks consist of deliberate acts such as :-

Infection of Computer Systems with Malware  

An employee could deliberately inject a malicious software in the businesses computer system which would cause disruption.

Selling of Passwords

This could lead to corporate data being being stolen and passed to a competitor

Abuse of Internal Logins

The Ponemon Institutes’study on the Insecurity of Privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.

https://www.ponemon.org/

2. Accidental

These are caused by carelessness and lack of awareness perhaps during a busy period at work, at a certain time during the day after lunch or a Friday afternoon when thoughts could be on the weekend.

Negligence 

An inadvertent transmission of a virus via an e-mail that could corrupt a third parties computer system

The leaving of a laptop   on a train or in shop

Uploading of sensitive information that may be sent out into the public domain.

Social Engineering

An employee may open an innocent looking attachment to an e-mail which contains a virus that compromises the business computer systems. This is known as a phishing attack and could lead to the system being locked down from a ransomware virus attack.

Phishing attacks can be targeted i.e Spear Phishing or ciculated non discrimently.

Poor Password Housekeeping

An employee may keep their password by writing it on a postit note on their computer screen or have this written on their desk note pad, this provides an opportunity for another employee to access their computer profile.

Examples of Insider Attacks in the UK 

Tesco

40,000 customer accounts of Tesco bank out of a total of 136,000 were subject to suspicious transactions, 9,000 of these had money stolen from their accounts. The sums taken were relatively small varying up to amounts of £600 but eventually totaled £2,500,000. It is suspected that the compromise of the customer accounts were as a result of an insider.

Sage

The accounting and HR software firm suffered a data breach, which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorized access to the data.

Morrisons

An insider published details of the entire Morrison 100,000 employee database which appeared to be motivated as a revenge attack. The employee was likely to have taken advantage of his privileged rights. A number of employees have now launched legal action against Morrison’s

Ten ways to help manage the Human Factor  

1.Ensure that cyber security policies and procedures are in place

2.Introduce staff awareness of current cyber security threats

3.Robust training of staff on all aspects of cyber security

4.Employee conduct review prior to joining company

5.Monitoring of employees that are leaving the company in terms of their on-line activity

6.Monitoring of internal network activity and review of unusual activity

7.Assessment of large amounts of data being accessed or moved

8.Sharing of best practices

9.Restriction of  administrator login

10.Purchase of cyber insurance to help mitigate losses

The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.

Image : Shutterstock

Cyber Insurance – The Moody Teenager

cyber insurance

Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex !  In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?

The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed  to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.

This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-

1.Knowledge

Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional  indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.

2. Policy Coverage

The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.

3. Cost Prohibitive

The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.

4. IT Reluctance

The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the Wallix.com survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.

5. Data & Privacy Laws

There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.

6.Maturity of Market

The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.

Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.

 

Data Breach – is the Healthcare Sector next?

Data Breach

Is the healthcare sector the next target in the UK for hackers to bring about a major data breach?

In the US over the past year there have been a number of high profile and costly data breaches, the largest of which was suffered by the health insurer , Anthem Inc where 80 million personal records were stolen, in addition to this there were four other known multi-million record data breaches in this sector. In the UK the number of data breaches so far have been small in comparison and have been limited to loss of laptops and USB’s causing minor data breaches.

According to the 2015 Global Ponemon Institute Study on data breaches there are signs of a significant increase in cyber attacks in the healthcare industry . The study identified that 91% of healthcare organizations have been subject to one data breach. Cyber attacks in this sector were also up by 125% from 2010 to 2015.

The healthcare sector in the UK data extends to many establishments , the foremost being hospitals , clinics, health insurers , care & retirement homes , universities and colleges.

So what types of data are stored by these bodies that would make them attractive to a hacker ?

Patient Information

  • Medical records
  • Test Records
  • Appointment information
  • Medical insurance details
  • Credit card and bank card details

Employee Information

  • National Insurance records
  • Salary details
  • Bank details
  • e-mail addresses
  • telephone numbers

In addition to this these bodies are likely to be dependent on third parties who may provide or store some of this data.

Where would a possible threat come from that might cause a data breach ?

Insider Threats

Employee negligence where as a  result of an error causes a security failure or they carelessly leave a lap top on a train

Employee  ignorance where inadvertent disposal of personal data occurs or perhaps a lack of training and awareness

A malicious employee who may be unhappy and wishes to cause disruption

Outsider Threats 

Hacker attack which can take the form of many methods such as by the injection of malware into a computer system or the bringing a phishing attack.

Theft being caused as a result of social engineering tool to disguise e-mails that may lead to an extortion threat in an effort to release data.

Third party vendors who may have been breached themselves and caused a subsequent data breach to the primary entity.

Why are healthcare records being targeted by hackers?

  • Healthcare records are worth 5 times more than the value of credit cards
  • Credit cards can be cancelled
  • The value of healthcare data can be utilized for a wider variety of purposes

What are the end use for healthcare records?

  • Personal Identity Theft
  • Financial Identity Theft
  • Various forms of insurance fraud
  • The falsifying of prescriptions

The Healthcare sector in general has a number of challenges including the management of on-going conversion from paper records to digital files and maintaining of computer security that constantly require updating to keep pace with the technology that hackers now possess.

Aside the threat of a data breach is the threat that more medical devices are connected to the network and the ensuing connection to IP networks which exposes devices to more cyber attacks. The “Internet of Things” is also a real threat to this sector and more so to patients where there is an ability to hack medical devices like insulin pumps or pacemakers.

Cyber liability insurance can play an important role to help mitigate a serious data breach and should be a important consideration by organizations in this industry. This sector is perceived to be in a high risk category by the insurance market and it is therefore an area that cyber security consultants can add considerable value here to help insurers assess the relative exposures and offer commensurate premium and terms.

Cyber Insurance – 2016

Cyber Insurance

2015 was a pivotable year for cyber insurance , with a number of high profile incidents involving cyber crime and data breaches occurring around the world. This tested policy wordings and provided a perspective of how such claims will be managed by insurers.

The topic of cyber insurance is now firmly on the agenda’s of many businesses and rates high on risk registers , how this exposure is managed is very much down to the individual approach of a business and how their perceive a cyber threat would impact.

The need for cyber insurance will be determined by the risk landscape which operates in a dynamic technological environment.

Some of the factors that may influence the growth of this specialist form of insurance  are likely to be the following :-

  • A cyber security breach is almost inevitable and more emphasis will be placed on CEO’s and CISO’s to become responsible for data breaches and how they are able to mitigate such cyber risks within a business.
  • The threat of cyber attacks to critical infrastructure , whether this be of a political or criminal nature.
  • The “Internet of Things” , as electronic devices become inter connected , this increases the opportunity for cyber crime and data breaches to take place.
  • Cyber security businesses will be in increasing demand as insurers will depend more and more on their expertise in the assessment and management of cyber risks.
  • The increase in ransomware gangs as they utilise more sophisticated malware which businesses may fail to recognise should they not maintain the latest cyber security methodology .
  • Cloud security is perceived as a larger than life threat as many businesses now rely to a certain extent on this form of developing technology for storing data. How safe this technology has not yet really been been subject to hackers focus and presents a real threat to the safeguard of data.
  • Certain businesses sectors remain a high risk, such as health , finance and on-line retailers. This are the sectors where there is the highest take up of cyber insurance and it is conceivable that this will continue.
  • The growing threat of cyber terrorism will remain with terrorist groups targeting government, military and critical infrastructures.

It will be fascinating to see how these factors do influence the rise of cyber insurance , in the course of events insurers will need to develop their products to respond to the evolving cyber risks that will unfold this year.

Read moreCyber Insurance – 2016