Since cyber-attacks have emerged as a business risk, cyberprotection has focused on keeping digital perimeters protected by negating and mitigating direct attacks. Traditionally, this meant having the right technical solutions, such as firewalls or patch management governance, in place to keep malicious code out of a network.


But in today's environment, this focus is too narrow. It is clear that now the weakest link in a chain of cyber defense is usually not technological. It's people.


This human risk manifests in two primary ways:

  1. The more sensational of these is a disgruntled employee who steals data or disrupts systems.
  2. The much more common threat, however, is the employee who unknowingly divulges inside information or accidentally grants a malicious party access to protected systems.

Both actions are the crux of what we mean when we talk about social engineering as a cyber risk.


An underappreciated threat

Historically, many companies and security advisors have failed to fully appreciate or prepare for the social engineering threat. Willis recently found that over 65% of cyber breaches were caused by employee negligence, with nearly 90% caused by human error.


Since social engineering involves the unwitting cooperation of authorized users, attackers can bypass technical controls rather than having to devise technical means to defeat them. Consider the recent Google Docs phishing attacks to be a prime example of this type of attack.


Insurers must play a key role in educating their clients about such perils.


Typically, cyber security is seen as a challenge most relevant for the biggest companies and brands. This is a mistake, as it is often smaller companies that are most at risk from this type of attack. Small businesses tend to focus on technical measures and may lack clear data protection oversight. It follows that these are the products now being marketed to them.


Such companies also are likely to be aware of the need to educate employees about their responsibility in preventing cyber intrusion. Larger companies are likely to have programs that reinforce strategies for managing private data and recognizing attacks that exploit human error. Unfortunately, these measures are often missing in smaller businesses.


Compounding this situation is the fact that until recently, smaller businesses had experienced limited cyber claims. In the last 18 months, however, the frequency of small business cyber claims has dramatically increased due to the increase in social engineering and the explosive growth of ransomware.


The critical role of insurers

Against this backdrop, the role of insurers is critical. Security providers are focused on technical solutions, which creates a gap when it comes to equipping businesses to deal with a cyber-attack driven by social engineering. Insurance providers can fill this gap by helping clients understand and mitigate their risks from such attacks.


Traditional lines of insurance have always had a risk management advisory element: for example, workers' compensation insurers may give advice to employers on safe lifting techniques to reduce the frequency of back injury claims. This practice should be translated into the cyber realm.


Insurers can help companies educate employees about:

— The safe handling of private information;
— How to spot potential attacks; and
— How to manage data.


Such training can be reinforced throughout the year in the form of:

— Training bulletins and webinars;
— Other communications that keep data privacy and security concerns top of mind.


Currently, the level of this kind of education and support offered by cyber insurers varies tremendously.


Insurers are pivotal when it comes to educating clients about the perils of lax cybersecurity. (Photo: iStock)


Positioning the proper defense

There are a number of measures businesses can implement to strengthen their resilience to social-engineering style attacks. These might include:


— Helping employees understand that they will be constantly under attack, not just through code, but with falsified email and phone communication. Policies requiring a call back to verify the identity of the requester before transferring funds or releasing confidential information can prevent a lot of cost and grief.


— Making staff members alert to what information they present in the public domain and on social media profiles. If a malicious party can work out who at a company can cut checks, and from a scan of their online footprint determine a birthday and, for example, a pet's name, it will make it easier for them to either impersonate that person, or approach them in such a way that they'll be trusting and more likely to reveal information.


— Creating clear policies that demand strong passwords and security measures. Encourage staff not to use work logins elsewhere, such as on their personal accounts. In the Ashley Madison breach, a number of those using the site set up profiles using work emails, and as a consequence when the site was compromised this in turn compromised that professional data.


— Performing regular backups so you can recover when data is lost or corrupted by accidental or malicious activity. For example, many ransomware victims have been able to restore their data from uninfected backups without paying the attackers.


— Keeping only what you need when it comes to using and storing confidential information. Records containing social security numbers for customers or employees that do not need to be retained should be disposed of (with, of course, correct legal advice). Attackers can't steal data you don't store.


The increased frequency of attacks

Today, such cyber-attacks are hitting companies of all sizes. Many of the methods used can be automated. For example, an email is sent to a firm's customers with the right fonts, logos and the like, but includes malicious links or attachments.


A low profile is no protection, and no company should consider itself too obscure or small to suffer an attack. It is essential that company leaders sit down with their insurers, brokers and other risk management providers to understand their exposures and how they can defend themselves.


This means having a real understanding of the data they have — and legal responsibilities regarding it — especially knowing if they could suffer regulatory fines or penalties as a result of a breach. There is also the question of what would happen to that business if a network went down. Many companies today can't function at all when they suffer an outage, since workflows are paperless, while manufacturers and industrial companies rely heavily on automated process controls and supply chains.


Exacerbating these perils is the growth of internet-linked devices. Today the attack surface is expanding, with everything from office printers to fridges online, so the point of entry for attacks is no longer just laptops and desktop PCs. It's important to keep in mind that while today's weakest link might be people, tomorrow's could be toasters.


All of these factors taken together highlight the role that insurance, as an industry, needs to be playing: not just risk transfer for these exposures, but helping to minimize the exposures themselves. Cyber is still a new class of insurance, and it is crucial that the market plays its role in creating clearer and better solutions as it evolves. Furthermore, this evolution is twofold, with the risks and attackers constantly changing and increasing in sophistication.


It is obvious that there has been a democratization of attacks and techniques. Computer crime has become a business. Attack kits are developed and then sold on the dark web, where anyone can buy them. The bar to initiate an attack is lower than ever before. Again, this will only amplify the increase in frequency of attacks we are seeing. In this environment, having access to the right expertise, and the right advice, is paramount. Within this, the insurance sector has an absolutely fundamental role to play in educating, advising and protecting businesses small and large from this always present and increasing threat.


Michael Carr is senior vice president, Cyber & Technology, at Brit Insurance.


Brit offers an online learning system that enables clients to assign online training modules to their staff members. The courses are organized into easily manageable sessions, with most under 15 minutes. The company reinforces training material with regular email updates, posters to use in the workplace, and webinars on key exposures and emerging risks. Brit also provides unlimited, confidential phone and email consultation services on both privacy and security issues.


To reach this author, send email to [email protected].

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.