Since cyber-attacks have emerged as a business risk, cyber protection has focused on keeping digital perimeters protected by negating and mitigating direct attacks. Traditionally, this meant having the right technical solutions, such as firewalls or patch management governance, in place to keep malicious code out of a network.
But in today’s environment, this focus is too narrow. It is clear that the weakest link in a chain of cyber defense is now usually not technological. It’s people.
This human risk manifests in two primary ways:
- The more sensational of these is a disgruntled employee who steals data or disrupts systems.
- The much more common threat, however, is the employee who unknowingly divulges inside information or accidentally grants a malicious party access to protected systems.
Both actions are the crux of what we mean when we talk about social engineering as a cyber risk.
An underappreciated threat
Historically, many companies and security advisors have failed to fully appreciate or prepare for the social engineering threat. Willis recently found that over 65% of cyber breaches were caused by employee negligence, with nearly 90% caused by human error.
Since social engineering relies on the unwitting cooperation of authorized users, attackers can bypass technical controls rather than having to devise technical means to defeat them. The recent Google Docs phishing attacks are a prime example of this type of attack.
Insurers must play a key role in educating their clients about such perils.
Typically, cyber security is seen as a challenge most relevant for the biggest companies and brands. This is a mistake, as it is often smaller companies that are most at risk from this type of attack. Small businesses tend to focus on technical measures, which are the products now being marketed to them, and may lack clear data protection oversight.
Such companies are also less likely to be aware of the need to educate employees about their responsibility in preventing cyber intrusion. Larger companies are likely to have programs that reinforce strategies for managing private data and recognizing attacks that exploit human error. Unfortunately, these measures are often missing in smaller businesses.
Compounding this situation is the fact that until recently, smaller businesses had experienced limited cyber claims. In the last 18 months, however, the frequency of small business cyber claims has dramatically increased due to the increase in social engineering and the explosive growth of ransomware.
The critical role of insurers
Against this backdrop, the role of insurers is critical. Security providers are focused on technical solutions, which creates a gap when it comes to equipping businesses to deal with a cyber-attack driven by social engineering. Insurance providers can fill this gap by helping clients understand and mitigate their risks from such attacks.
Traditional lines of insurance have always had a risk management advisory element: for example, workers compensation insurers may give advice to employers on safe lifting techniques to reduce the frequency of back injury claims. This practice should be translated into the cyber realm.
Insurers can help companies educate employees about:
— The safe handling of private information;
— How to spot potential attacks; and
— How to manage data.
Such training can be reinforced throughout the year in the form of:
— Training bulletins and webinars;
— Other communications that keep data privacy and security concerns top of mind.
Currently, the level of this kind of education and support offered by cyber insurers varies tremendously.
Positioning the proper defense
There are a number of measures businesses can implement to strengthen their resilience to social-engineering style attacks. These might include:
— Helping employees understand that they will be constantly under attack, not just through code, but with falsified email and phone communication. Policies requiring a call back before transferring funds or releasing confidential information to verify the identity of the requester can prevent a lot of cost and grief.
— Making staff members alert to what information they present in the public domain and on social media profiles. If a malicious party can work out who at a company can cut checks, and from a scan of that person’s online footprint determine their birthday and, for example, a pet’s name, it becomes easier to impersonate that person or to approach them in a way that makes them trusting and more likely to reveal information.
— Creating clear policies that demand strong passwords and security measures. Encourage staff not to use work logins elsewhere, such as on their personal accounts. In the Ashley Madison breach, a number of users set up profiles with work emails, so when the site was compromised, that professional data was compromised in turn.
— Performing regular backups so you can recover when data is lost or corrupted by accidental or malicious activity. For example, many ransomware victims have been able to restore their data from uninfected backups without paying the attackers.
— Keeping only what you need when it comes to using and storing confidential information. Records containing social security numbers of customers or employees that do not need to be retained should be disposed of (with, of course, correct legal advice). Attackers can’t steal data you don’t store.
The increased frequency of attacks
Today, such cyber-attacks are hitting companies of all sizes. Many of the methods used can be automated. For example, an email is sent to a firm’s customers with the right fonts, logos and the like, but includes malicious links or attachments.
A low profile is no protection, and no company should consider itself too obscure or small to suffer an attack. It is essential that company leaders sit down with their insurers, brokers and other risk management providers to understand their exposures and how they can defend themselves.
This means having a real understanding of the data they have — and legal responsibilities regarding it — especially knowing if they could suffer regulatory fines or penalties as a result of a breach. There is also the question of what would happen to that business if a network went down. Many companies today can’t function at all when they suffer an outage, since workflows are paperless, while manufacturers and industrial companies rely heavily on automated process controls and supply chains.
Exacerbating these perils is the growth of internet-linked devices. Today the attack surface is expanding, with everything from office printers to fridges online, so the point of entry for attacks is no longer just laptops and desktop PCs. It’s important to keep in mind that while today’s weakest link might be people, tomorrow’s could be toasters.
All of these factors taken together highlight the role that insurance, as an industry, needs to play: not just risk transfer for these exposures, but helping to minimize the exposures themselves. Cyber is still a new class of insurance, and it is crucial that the market plays its role in creating clearer and better solutions as it evolves. This evolution is twofold, with both the risks and the attackers constantly changing and increasing in sophistication.
It is obvious that there has been a democratization of attacks and techniques. Computer crime has become a business. Attack kits are developed and then sold on the dark web, where anyone can buy them. The bar to initiate an attack is lower than ever before. Again, this will only amplify the increase in frequency of attacks we are seeing. In this environment, having access to the right expertise, and the right advice, is paramount. Within this, the insurance sector has an absolutely fundamental role to play in educating, advising and protecting businesses small and large from this always present and increasing threat.
Michael Carr is senior vice president, Cyber & Technology, at Brit Insurance.
Brit offers an online learning system that enables clients to assign online training modules to their staff members. The courses are organized into easily manageable sessions, with most under 15 minutes. The company reinforces training material with regular email updates, posters to use in the workplace, and webinars on key exposures and emerging risks. Brit also provides unlimited, confidential phone and email consultation services on both privacy and security issues.
To reach this author, send email to Michael.Carr@britinsurance.com.