The Human Factor in Cyber Risk

Deep Fake

The Human Factor in Cyber Risk is the biggest cyber threat that businesses face today……

Businesses recognize the cyber risk created by the outside threat of a hacker but the human factor or insider threat is the greater threat . By virtue of human nature, people are susceptible to making mistakes and it is this unpredictability that offers most businesses most concern and the ability in which to manage this.

The Facts

  • The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents , with former employees being a high percentage of these at 23%.

http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world

  • The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.

https://www.mimecast.com/resources/press-releases/Dates/2016/8/malicious-insiders/

A PWc report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are bought about by human factors…..

1.Malicious 

Motivated by a user wishing to cause a businesses harm, possibly for revenge or spite due to frustration at work, reward by an outside organisation or competitor.

As an insider they do not need to get around firewalls and can avoid detection and are normally in a position of trust where their actions are not questioned.

The attacks consist of deliberate acts such as :-

Infection of Computer Systems with Malware  

An employee could deliberately inject a malicious software in the businesses computer system which would cause disruption.

Selling of Passwords

This could lead to corporate data being being stolen and passed to a competitor

Abuse of Internal Logins

The Ponemon Institutes’study on the Insecurity of Privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.

https://www.ponemon.org/

2. Accidental

These are caused by carelessness and lack of awareness perhaps during a busy period at work, at a certain time during the day after lunch or a Friday afternoon when thoughts could be on the weekend.

Negligence 

An inadvertent transmission of a virus via an e-mail that could corrupt a third parties computer system

The leaving of a laptop   on a train or in shop

Uploading of sensitive information that may be sent out into the public domain.

Social Engineering

An employee may open an innocent looking attachment to an e-mail which contains a virus that compromises the business computer systems. This is known as a phishing attack and could lead to the system being locked down from a ransomware virus attack.

Phishing attacks can be targeted i.e Spear Phishing or ciculated non discrimently.

Poor Password Housekeeping

An employee may keep their password by writing it on a postit note on their computer screen or have this written on their desk note pad, this provides an opportunity for another employee to access their computer profile.

Examples of Insider Attacks in the UK 

Tesco

40,000 customer accounts of Tesco bank out of a total of 136,000 were subject to suspicious transactions, 9,000 of these had money stolen from their accounts. The sums taken were relatively small varying up to amounts of £600 but eventually totaled £2,500,000. It is suspected that the compromise of the customer accounts were as a result of an insider.

Sage

The accounting and HR software firm suffered a data breach, which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorized access to the data.

Morrisons

An insider published details of the entire Morrison 100,000 employee database which appeared to be motivated as a revenge attack. The employee was likely to have taken advantage of his privileged rights. A number of employees have now launched legal action against Morrison’s

Ten ways to help manage the Human Factor  

1.Ensure that cyber security policies and procedures are in place

2.Introduce staff awareness of current cyber security threats

3.Robust training of staff on all aspects of cyber security

4.Employee conduct review prior to joining company

5.Monitoring of employees that are leaving the company in terms of their on-line activity

6.Monitoring of internal network activity and review of unusual activity

7.Assessment of large amounts of data being accessed or moved

8.Sharing of best practices

9.Restriction of  administrator login

10.Purchase of cyber insurance to help mitigate losses

The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.

Image : Shutterstock

10 Reasons to buy Cyber Insurance

cyber insurance

10 reasons to purchase Cyber Insurance – Here are some reasons why businesses should consider this form of insurance.

In arriving at the decision to purchase cyber insurance a business will need to carry out a full cyber risk management analysis detailing vulnerabilities and how the businesses wishes to manage their cyber exposures which may impact on its day to day trading activities.

Once this has been determined the outcome to purchase cyber insurance could be driven by the following factors :-

1.Balance Sheet Protection

Helping to help mitigate a catastrophic compromise of computer systems and network that may endanger the livelihood of a business.

2.Risk Transfer Mechanism

To cover cyber security risks that cannot be managed within the business or where the businesses chooses to insure these rather than to retain.

3.Management “Sleep Easy”

Due diligence assurance for the Board of Directors and members of staff that there is a “layer” of coverage outside of the cyber security measures that are already in place.

4. Contractual Requirements

Coverage may be required by clients being part of contractual obligations to trade with a business. Businesses entering into government contracts are required in some instances to purchase cyber insurance. This requirement is likely to increase within the business community.

5.The Regulatory Environment

The forthcoming General Data Protection Regulation will impose compulsory notification of all data breaches and regulatory scrutiny.

6. Own Experience of a Cyber Attack

A business who has already suffered from a cyber attack my require comfort going forward from the coverage provided by this specialist form of insurance.

7. Substitute for further Security Spend

Cyber insurance could be seen as a lower cost alternative rather than investing further in cyber security within the business.

8 Competitive Advantage

The purchase of this form of insurance should sit alongside Cyber Essentials and ISO 27001 accreditation and a sign to other businesses that cyber exposures are taken seriously to its clients.

9. Business Continuity

Help to get a business up and running again post breach to cover increased cost of working and loss of profits so that they maintain their trading position in their business sector.

10. Vendor Proposition

The vendor proposition included under a cyber insurance policy provides post breach legal services , forensic investigation and public relations consultancy.

Cyber insurance is an evolving form of insurance with policy coverage developing on a regular basis. The coverage provided by the insurance market does vary considerably, with over 30 insurers to choose from , it is important that you utilize the services of an insurance broker who possess the requisite knowledge and expertise to guide a business through the coverage options and has the influence within the market to negotiate bespoke policy wordings.

Euro 2016 – The Cyber Threat Landscape

Euro 2016-

Euro 2016……whether you agree with the final England squad going to France for the 15th UEFA European Championships or not, we should all be in agreement that this major sporting event is inevitably going to be a target for cyber criminals.

Some Facts…

24 countries will be represented at Euro 2016 each with 23 players in the squad which totals 552 players in all

2.50 million fans are expected in the 10 stadiums

Overall spend is expected to be E1billion

The event is being broadcast to 230 countries worldwide with 150 million spectators expected to follow each match

650 employees and 6,500 volunteers

Information : Courtesy of Press Kit dated 2nd March 2016

Why Euro 2016?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that may exist.

The Cyber Threat Landscape

Some of the targets for cyber criminals are likely to be the following :-

1.The Official Euro 2016 Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers and altering the data such as falsifying the results and tables and providing incorrect information to the public.

Defacement of the website by a hacktivist.

Fans will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Match Day Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big games with no ticket actually being produced.

3.The Stadiums

Technology will be pivotal in all aspects of the running of the ten stadiums being used in the tournament. Stadium entry, ticketing processing, management of floodlights and associated infrastructure would all be impacted in the event of a cyber attack.

4. Tournament Data 

The event will involve a huge amount of data ranging from credit card data of fans, players confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain players and officials personal information that is disseminated over the internet. The numerous sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the tournament. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official FIFA app. These have already been discovered by Avast Software’s Jan Piskacek with adware with viruses appearing on mobile phones.

Fake FIFA Apps on Google Play

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting many aspects of the tournament.

There may be political motivation from countries that want to disrupt the tournament. This could be to make a political stand on an issue or perhaps a country that failed to reach the finals or a country that has controversially been knocked out of the competition.

The threat of remotely controlled drones by cyber terrorist entering a stadium causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

FIFA will no doubt have in place a comprehensive cyber risk management program to manage Euro 2016 which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks by the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Lets hope England’s destiny will not again be determined by a penalty shoot out – if so the team will be need to be prepared, well practiced and above all have the right players taking the penalties …. this can be applied to the cyber security team that is in place to manage and mitigate cyber risks of any sporting event or to that fact any commercial enterprise.

Image Credit – Evan Lorne / Shutterstock

Cyber breaches hit UK businesses

Ransomware

Cyber breaches are hitting UK businesses according to a recently released commissioned report by the UK Government.

Two thirds of large businesses UK hit by cyber attack in past year

Following the high profile targeting of  TalkTalk , Vodafone , Weatherspoons it is no surprise that large businesses are still the focus of cyber breaches …… the underlying message to these businesses is that they need to improve their cyber security programs in order to combat these threats.

Main Report Findings

  1. 1 in 4 large businesses encountered a breach once a month
  2. Only one-third of all firms had a written security policy
  3. Only 10% of all businesses had an incident response plan in place should a cyber attack occur
  4. 13% of all businesses set cyber security minimum standards for their suppliers
  5. Only 20% of firms validate the providers of cloud computing services.
  6. 7 out of 10 of the attacks involved compromises by viruses, spyware or malware

Why has this happened ?

The report also highlighted the fact that many firms do not have cyber security programs in place that are in accordance with government guidance such as the Cyber Essentials Scheme and the “10 Steps Guide to Cyber Security”. This is must be a major concern to the Government as these two measures alone would install a good level of cyber security.

Cyber Essentials is generally more difficult to achieve for larger businesses as their systems tend to involve the use of bespoke software and its management. This certification is geared more to standardized systems which is more akin to SME’s . There is therefore a question here whether Cyber Essentials needs to be adapted to larger businesses?

Cyber Insurance

The report also makes reference to 37% of firms having in place some form of cyber insurance , this is either in the form of extensions to professional indemnity insurance policies or stand alone policy specific cyber insurance policies.

A concern raised by the report is that there is a lack of knowledge about what was covered under a cyber insurance policy and the insurance industry therefore has a role to play in helping businesses understand this form of insurance.

Cyber breaches will continue to impact on businesses unless they have a formal cyber security program in place to protect them from the increasingly sophisticated cyber attacks that can compromise a businesses.

Panama : The Cigar is Still Smouldering…

Panama

Up until recently Panama was associated with a canal , hats and cigars…..it is now known for one of the biggest data breaches ever known – the Panama Papers.

What are the Panama Papers?

These are a leaked set of 11.50 million confidential documents that provide details of approximately 214,000 offshore companies listed by Panamanian law firm Mossack Fonseca. This information contained identities of shareholders and directors of these companies and showed the wealth of high profile individuals , including the assets that were hidden from the public. Individuals included past and current heads of states, government officials and celebrities from over 40 countries. Investigations have now determined some of the companies may have been utilized for various illegal purposes.

The Panama Papers far exceeds the previous highest data breach record previously held by Wikileaks by 1500 times.

How did this happen?

An anonymous source know as “John Doe” passed the documents to German newspaper Suddeutsche Zeitung which it is understood commenced at the beginning of 2015. The quantum of data involved was 2.6 terabytes which is a vast amount of data In view of the amount of data involved the newspaper recruited the assistance of the International Consortium of Investigative Journalists (ICIJ) which distributed all the documents so that they could be investigated by various journalists and media organizations around the world. The first documents were published on 3rd April. The ICIJ will issue a full list in May of all the companies involved.

What was the cause of this huge data leak ? 

There are a number of different schools of thought as to whether this was due to an insider or outsider hacker attack , but one thing that is certain is that Mossack Fonseca did appear to have very poor cyber security procedures in place.

This has been evidenced by some of the following cyber security flaws that have since been discovered:-

  • The Outlook Web Access login had been utilized since 2009 with the client login not being updated since 2013
  • The computer systems included a high risk SQL injection vulnerability that allows anyone to remotely execute arbitrary instructions.
  • The main computer system included a version of WordPress that was three months out of date.
  • Configuration of the website was not recognized as best practice.
  • Mossack Fonseca’s e-mails were not encrypted
  • The systems were vulnerable to external scanning and possible exploitation

With the amount of data involved it is believed that it took about one year for the data to arrive at its destination. It is a wonder that no one noticed this amount of data leaving the company ? Interestingly enough very few US citizens were listed in the papers , which may be due to the fact that the US does have different corporate tax structures which negates the need for offshore tax arrangements.

www.wired.co.uk   The security flaws at the heart of the Panama papers

Why was Mossack Fonseca targeted ?

Legal firms hold a great deal of data on their clients including copies of personal data , confidential documents and legal transactions which does make them a prominent target for hackers. A high profile legal practice such as Mossack Fonseca involved in the areas that they practiced in therefore represents an ideal victim to a hacker.

With the poor cyber security procedures in place it does perhaps suggest that this data compromise may have come from an insider hacker who knew the computer systems and perhaps an employee with a point  to make or an overarching grudge.

Reputational damage is also a consequence of a breach of this nature , another possible reason for the this attack. which sometimes causes irreversible damage to a firm.

What could have prevented this data breach? 

In the current climate no one business or individual is 100% secure from a cyber security breach but certain procedures seemed to be absent from what would be expected to be standard cyber security risk management procedures:-

  • Prioritising  of cyber security
  • Regular patching of software
  • Updating of software
  • Regular login updating
  • Encryption of all sensitive documents
  • Website security

How Cyber Insurance could have helped ? 

A cyber insurance policy can provide the following coverage.

  1. Data breach costs incurred including notification costs to the appropriate regulatory bodies
  2. Regulatory costs and investigations that may arise as a result of the breach
  3. Post breach costs including investigation and forensics costs incurred to monitor and analyse the data breach which would help identify the cause of the incident.

The proposal for cyber insurance also requires certain minimum security measures to be in place at the onset prior to the policy incepting , the purchase of a cyber insurance policy therefore may have help Mossack Fonseca focus on certain areas of cyber security that may have prevented the hacker to penetrate their computer systems.

From the wider perspective the insurance market is assessing its exposure by gathering data from insurers and reinsurers in order to ascertain the consequences of this loss to the industry. One thing for sure is that insurance coverage would not respond to any illegal activities.

General Data Protection Regulations

Despite being passed the GDPR are not yet in force , but what would have been the ramifications of this on Mossack Fonseca.. ? These rules will apply to entities that carry out business with companies based in the EEC , whether the complicated legal structures put in place by Mossack Fonseca would have implicated by this is difficult to tell , but fines of 4% of annual global turnover or E20,000,000 , which ever is the less would apply if this was the case.

Lessons to be learned 

  • Robust cyber security measures and procedures are paramount to a business armoury in protecting their mere existence.
  • Law firms will be alerted to this data breach and with recent attacks in the US , this sector is clearly currently a target for hackers
  • Cyber Insurance can help improve cyber security and mitigate the effects of a data breach

The biggest data breach ever experienced is still being uncovered, further revelations will no doubt come to light in the coming months… the cigar is still smoudering.

 

Data Breach – is the Healthcare Sector next?

Data Breach

Is the healthcare sector the next target in the UK for hackers to bring about a major data breach?

In the US over the past year there have been a number of high profile and costly data breaches, the largest of which was suffered by the health insurer , Anthem Inc where 80 million personal records were stolen, in addition to this there were four other known multi-million record data breaches in this sector. In the UK the number of data breaches so far have been small in comparison and have been limited to loss of laptops and USB’s causing minor data breaches.

According to the 2015 Global Ponemon Institute Study on data breaches there are signs of a significant increase in cyber attacks in the healthcare industry . The study identified that 91% of healthcare organizations have been subject to one data breach. Cyber attacks in this sector were also up by 125% from 2010 to 2015.

The healthcare sector in the UK data extends to many establishments , the foremost being hospitals , clinics, health insurers , care & retirement homes , universities and colleges.

So what types of data are stored by these bodies that would make them attractive to a hacker ?

Patient Information

  • Medical records
  • Test Records
  • Appointment information
  • Medical insurance details
  • Credit card and bank card details

Employee Information

  • National Insurance records
  • Salary details
  • Bank details
  • e-mail addresses
  • telephone numbers

In addition to this these bodies are likely to be dependent on third parties who may provide or store some of this data.

Where would a possible threat come from that might cause a data breach ?

Insider Threats

Employee negligence where as a  result of an error causes a security failure or they carelessly leave a lap top on a train

Employee  ignorance where inadvertent disposal of personal data occurs or perhaps a lack of training and awareness

A malicious employee who may be unhappy and wishes to cause disruption

Outsider Threats 

Hacker attack which can take the form of many methods such as by the injection of malware into a computer system or the bringing a phishing attack.

Theft being caused as a result of social engineering tool to disguise e-mails that may lead to an extortion threat in an effort to release data.

Third party vendors who may have been breached themselves and caused a subsequent data breach to the primary entity.

Why are healthcare records being targeted by hackers?

  • Healthcare records are worth 5 times more than the value of credit cards
  • Credit cards can be cancelled
  • The value of healthcare data can be utilized for a wider variety of purposes

What are the end use for healthcare records?

  • Personal Identity Theft
  • Financial Identity Theft
  • Various forms of insurance fraud
  • The falsifying of prescriptions

The Healthcare sector in general has a number of challenges including the management of on-going conversion from paper records to digital files and maintaining of computer security that constantly require updating to keep pace with the technology that hackers now possess.

Aside the threat of a data breach is the threat that more medical devices are connected to the network and the ensuing connection to IP networks which exposes devices to more cyber attacks. The “Internet of Things” is also a real threat to this sector and more so to patients where there is an ability to hack medical devices like insulin pumps or pacemakers.

Cyber liability insurance can play an important role to help mitigate a serious data breach and should be a important consideration by organizations in this industry. This sector is perceived to be in a high risk category by the insurance market and it is therefore an area that cyber security consultants can add considerable value here to help insurers assess the relative exposures and offer commensurate premium and terms.