What Comes Next in Facebook’s Major Data Breach

Source: Insurance Journal

For users, Facebook’s revelation of a data breach that gave attackers access to 50 million accounts raises an important question: What happens next?

For the owners of the affected accounts, and of another 40 million that Facebook considered at risk, the first order of business may be a simple one: sign back into the app. Facebook logged everyone out of all 90 million accounts in order to reset digital keys the hackers had stolen – keys normally used to keep users logged in, but which could also give outsiders full control of the compromised accounts.

Next up is the waiting game, as Facebook continues its investigation and users scan for notifications that their accounts were targeted by the hackers.

What Facebook knows so far is that hackers got access to the 50 million accounts by exploiting three distinct bugs in Facebook’s code that allowed them to steal those digital keys, technically known as “access tokens.” The company says it has fixed the bugs.

Users don’t need to change their Facebook passwords, it said, although security experts say it couldn’t hurt to do so.

Facebook, however, doesn’t know who was behind the attacks or where they’re based. In a call with reporters on Friday, CEO Mark Zuckerberg – whose own account was compromised – said that attackers would have had the ability to view private messages or post on someone’s account, but there’s no sign that they did.

“We do not yet know if any of the accounts were actually misused,” Zuckerberg said.

The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues . So far, though, none of these issues have significantly shaken the confidence of the company’s 2 billion global users.

This latest hack involved bugs in Facebook’s “View As” feature, which lets people see how their profiles appear to others. The attackers used that vulnerability to steal access tokens from the accounts of people whose profiles came up in searches using the “View As” feature. The attack then moved along from one user’s Facebook friend to another. Possession of those tokens would allow attackers to control those accounts.

One of the bugs was more than a year old and affected how the “View As” feature interacted with Facebook’s video uploading feature for posting “happy birthday” messages, said Guy Rosen, Facebook’s vice president of product management. But it wasn’t until mid-September that Facebook noticed an uptick in unusual activity, and not until this week that it learned of the attack, Rosen said.

“We haven’t yet been able to determine if there was specific targeting” of particular accounts, Rosen said in a call with reporters. “It does seem broad. And we don’t yet know who was behind these attacks and where they might be based.”

Neither passwords nor credit card data was stolen, Rosen said. He said the company has alerted the FBI and regulators in the United States and Europe.

Jake Williams, a security expert at Rendition Infosec, said he is concerned that the hack could have affected third party applications.

Williams noted that the company’s “Facebook Login” feature lets users log into other apps and websites with their Facebook credentials. “These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user’s account on a third party site,” he said.

Facebook confirmed late Friday that third party apps, including its own Instagram app, could have been affected.

“The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves,” Rosen said.

News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.

The Facebook bug is reminiscent of a much larger attack on Yahoo in which attackers compromised 3 billion accounts – enough for half of the world’s entire population. In the case of Yahoo, information stolen included names, email addresses, phone numbers, birthdates and security questions and answers. It was among a series of Yahoo hacks over several years.

U.S. prosecutors later blamed Russian agents for using the information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses.

In Facebook’s case, it may be too early to know how sophisticated the attackers were and if they were connected to a nation state, said Thomas Rid, a professor at the Johns Hopkins University. Rid said it could also be spammers or criminals.

“Nothing we’ve seen here is so sophisticated that it requires a state actor,” Rid said. “Fifty million random Facebook accounts are not interesting for any intelligence agency.”

Canada Ranks Third Among Countries Most Vulnerable to Cyber Attacks

According to The National Exposure Index, a report released by cyber security vendor Rapid7 Labs, Canada ranks third on a list of countries most vulnerable to cyber attacks. The goal of the report was to determine which countries are most at risk for deliberate, wide-scale breaches.

Countries were ranked based on their unencrypted services on the public internet, services on the internet that are unsuitable for public access and services that are subject to abuse. Notably, researchers found that countries with the most risk have a significant investment in, and reliance on, a safe and stable internet.

Other interesting findings include the following:

  • The top five countries in the 2018 exposure ranking were the United States, China, Canada, South Korea and the United Kingdom. Together, these countries control over 61 million servers on at least one of the ports surveyed.
  • There are 13 million exposed endpoints associated with direct database access.
  • There are about 40,000 unpatched, out-of-date servers. These servers are at risk of being targeted in future, large-scale disrupted denial-of-service attacks.
  • Mature and traditionally profitable countries are not the only ones that rely on a healthy internet. As of 2018, more than half of the entire world maintains an active internet presence.

Rapid7 Labs hopes internet service providers can use these findings, with the help of policy-makers, to create a more secure global internet. To read the full report, click here.

© Zywave, Inc. All rights reserved

Cyber Liability: Employee Management to Reduce Occupational Fraud

Some of the most damaging cyber-attacks can come from within the business, in ways that many employers overlook when it comes to their cyber security. Occupational fraud is one of these ways. It’s an employer’s worst nightmare—an employee is dissatisfied with his or her job and decides to defraud or steal from the company. Employees can cause enormous damage by committing these crimes. By recognizing signs of occupational fraud and implementing practises to prevent it, you can lead a happy and productive workforce.

Occupational Fraud Facts

Types of occupational fraud include embezzling, insider trading, forging checks, expense reports and vendor invoices, and any other type of internal fraud.

According to an occupational fraud report by the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5 per cent of its annual revenue to fraud. The median loss caused by fraud was $160,000. For a small company, this could mean the end of the business. Small businesses are more at risk because owners inherently treat their employees like family, leading to complacency and lax security measures. Small businesses also tend not to have anti-fraud measures in place as many lack the knowhow and enforcement capabilities of larger businesses. Nearly half of victim organizations do not recover any losses that they suffer due to fraud. 

The Fraud Triangle

Certain conditions must be met for an employee to commit occupational fraud—these three conditions are known as the “fraud triangle.”

  1. Motive: The defrauder must have a motive to commit fraud, and this motive is often pressure. This can come from feeling too much stress at work to meet deadlines or trying to live a lifestyle that is above his or her means. Outside problems can exist as well, such as a gambling addiction. Monetary gain is often the motive behind occupational fraud.
  2. Opportunity. If anti-fraud measures are too lax, the opportunity can be there for fraud to occur. Even if the perpetrator is financially stable, the opportunity to commit fraud for financial gain might be too much to pass up. Being employed in a high-level, trustworthy position can also lead to opportunity.
  3. Rationalization. The perpetrator must be able to justify his or her actions. If employees sense some sort of wrongdoing from the company, they might be able to justify the fraud. They may also tell themselves they are just “borrowing” money from the company with no intention to pay it back, or they might feel entitled to a raise and will commit fraud to give themselves that “raise.”

Understanding these conditions can be the key to recognizing occupational fraud at your business.

 Recognizing Occupational Fraud

It is often difficult to know when occupational fraud has occurred. Frauds last a median of 18 months before being detected, according to the ACFE study. Occupational frauds are much more likely to be detected by tip than by any other means. Because of this, many companies have set up employee tip lines to catch the person(s) responsible for wrongdoing.

While detecting occupational fraud may be a difficult task, there are a variety of warning signs that an employee might be defrauding your business, including the following:

  • Invoices from fake vendor – an employee can create a fictitious vendor, mail a cheque to the fake vendor with your business’ name on it and then cash the cheque for themselves.
  • Missing property – laptops or other computing equipment can be an easy target for employees.
  • Fraudulent expense reports – some company reports are merely skimmed over for approval, offering an employee an easy way to fake expenses.
  • Forged cheques – if an employee consistently works around a high-level executive, it becomes easy for the employee to forge signatures.
  • Employee lives beyond his or her means – if an employee is living a lavish lifestyle on a modest salary, he or she could be defrauding the business. Alternatively, an employee who is having financial troubles yet seems to be living within his or her means may indicate fraud.
  • Unusually close association with a competitor – if an employee seems to have a close relationship with a direct competitor, he or she could be sharing your trade secrets in return for money.

Preventing Occupational Fraud

  • If you run a small business, chances are you have a few employees who are in charge of several different areas of the organization. Split up the duties among a larger pool of employees to decrease the likelihood of fraud.
  • Perform a pre-employment screening on all potential employees. A resume might not tell the entire story about a prospective employee’s past.
  • Let employees know there are policies on employee theft in place. Don’t assume they are already aware of the policies and the consequences of fraud.
  • According to ACFE’s study, more than 80 per cent of the frauds in the report came from employees in one of six departments: accounting, operations, sales, executive/upper management, customer service and purchasing. Recognize these high-risk departments as potential sources of fraud and implement the proper policies to prevent it.
  • Establish an anonymous tip line that employees, clients or vendors can use to report cases of occupational fraud.
  • Don’t get complacent. Any employee can commit fraud at any time. While most fraud is committed for monetary gain, that doesn’t mean an employee won’t commit fraud if the opportunity is there.
  • Conduct random audits. Work with a CPA to set up and maintain effective internal financial controls to ensure you’re not losing money as a result of fraud.

Proper Employee Management

One of the best ways to prevent occupational fraud at your company is to ensure all your employees are satisfied with their work and the company as a whole. Lead by example—if you and your high-level management team conduct business properly and ethically, your employees will likely do the same. Good ethics also carry over into the market, where your company will be looked on favourably, which can lead to higher revenue and greater goodwill from the community.

Reward employees for doing well. Let them know how important they are to the success of the business. Don’t emphasize only the things that haven’t been achieved—focus on the positive things employees have done, too.

Insuring Against Occupational Fraud

Recognizing and preventing occupational fraud can be a daunting task. Contact your insurance broker today to ensure you have the proper coverage to protect your company against losses from occupational fraud and maintain a productive workforce.

© Zywave, Inc. All rights reserved

Keeping Your Data Secure

Data security is crucial for all businesses. Customer and client information, payment information, personal files, bank account details—this information is often impossible to replace if lost and is extremely dangerous in the hands of criminals. Data lost due to disasters such as a flood or fire is devastating, but losing it to hackers or a malware infection can have far greater consequences. How you handle and protect your data is central to the security of your business and the privacy expectations of customers, employees and partners.

What kind of data do you have?

Your business data may include customer data such as account records, transaction accountability and financial information, contact and address information, purchasing history, and buying habits and preferences as well as employee information such as payroll files, direct payroll account bank information, Social Insurance numbers, home addresses and phone numbers, and work and personal email addresses. It can also include sensitive business information such as financial records, marketing plans, product designs and tax information.

Complete a data inventory to identify and classify all of your potential areas of vulnerability. Common data classifications include the following:

  • Highly confidential: This classification applies to the most sensitive business information that is intended strictly for use within your company. Its unauthorized disclosure could seriously and adversely impact your company, business partners, vendors and/or customers in the short and long term. It could include credit card transaction data, customer names and addresses, card magnetic strip contents, passwords and PINs, employee payroll files, Social Insurance numbers and patient information (if you’re a health care business). If you collect personal information such as this, make sure you have a privacy policy that explains how the information will be used and what individuals’ rights are regarding the data.
  • Sensitive: This classification applies to sensitive business information that is intended for use within your company; information that you would consider to be private should be included in this classification. Examples include employee performance evaluations, internal audit reports, various financial reports, product designs, partnership agreements, marketing plans and email marketing lists.
  • Internal use only: This classification applies to sensitive information that is generally accessible by a wide audience and is intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful, the unlawful disclosure of the information is not expected to negatively impact your company, employees, business partners or vendors.

Classifying your data allows your company to set parameters for how the data is accessed, transported, shared and ultimately kept secure.

Where is your data stored?

Data is most at risk when it’s on the move. If all your business-related data resided on a single computer or server that is not connected to the Internet, and never left that computer, it would be very easy to protect. But to be meaningful, data must be accessed and used by employees, analyzed and researched for marketing purposes, used to contact customers and even shared with key partners. Every time data moves or changes hands, it can be exposed to different dangers.

It’s important to create a company policy that dictates safe data transfer and storage. The policy should include information on how to back up, transport and safely store physical and virtual data.

  • Physical data: Keep in mind that physical media, such as a disc or drive used to store data or a data backup, is vulnerable no matter where it is located, so make sure you guard any physical data stored in your office or off-site, and make sure that your physical data storage systems are encrypted. As much as possible, try to avoid data transport on physical media such as flash drives or CDs. These media can easily end up in the wrong hands.
  • Website data: Your website can be a great place to collect information, from transactions and payments to purchasing and browsing history, and even newsletter sign-ups, online inquiries and customer requests. This data must be protected, whether you host your own website and manage your own servers or whether your website and databases are hosted by a third party. If a third party hosts your website, be sure to discuss systems it has in place to protect your data from hackers and outsiders as well as employees of the hosting company.
  • Virtual data: Storing data virtually is a very common practice, but it has certain risks you need to consider. If your company contracts with a third party to house data virtually, be sure to keep an updated, thorough contract that outlines who accesses your data, how it is encrypted and how it is backed up. And make sure you know the location of the company you are trusting with your data. Different rules about data sharing and security apply in different Canadian jurisdictions and in the United States.

Who accesses your data?

Once you have identified, classified and located your data, you must control access to it. The more sensitive the data, the more restrictive the access should be. As a general rule, access to data should be on a need-to-know basis. Only individuals who have a specific need to access certain data should be allowed to do so.

Not every employee needs access to all of your information. For example, your marketing staff shouldn’t need or be allowed to view employee payroll data, and your administrative staff may not need access to all of your customer information.

The first step in controlling access to your data is assigning rights to that data. Doing so simply means creating a list of the specific employees, partners or contractors who have access to specific data, under what circumstances, and how those access privileges will be managed and tracked. As part of this process, you should consider developing a straightforward plan and policy—a set of guidelines—about how each type of data should be handled and protected based on who needs access to it and the level of classification.

How do you protect your data?

Once you understand the type of data your company makes use of, where it is located and who accesses it, you can begin planning how you will protect it. Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: You cannot and should not rely on just one security mechanism—such as a password—to protect something sensitive. If that security mechanism fails, you have nothing left to protect you.

Businesses have many affordable backup options, whether it’s backing up to an external drive in the office or backing up online so that all data is stored at a remote and secure data centre.

Are you planning for the future?

Every business has to plan for the unexpected, and that includes the loss or theft of data from your business. Not only can data loss or theft hurt your business, brand and customer confidence, it can also expose you to significant legal actions.

That’s why it’s critical to understand exactly which data or security breach regulations affect your business and how prepared you are to respond to them. At the very least, all employees and contractors should understand that they must immediately report any loss or theft of information to the appropriate company officer.

Identifying your exposures will help determine how to protect your data. In addition to data security measures, insuring your data is crucial.

© Zywave, Inc. All rights reserved

Precautions for Better Cyber Security

Many business operations revolve around the functionality of computers, network connections and the Internet. It’s no secret that with computer use there are many risks, including damaging viruses, hackers, use of your system to attack others or use of sensitive data to steal identities or other illegal actions. As a result, companies must respond by preventing, detecting and responding to cyber attacks through a well-orchestrated cyber security program.

Get Familiar with Risks

The first step in protecting your business is to take notice of the multitude of cyber risks.

Hackers, Attackers and Intruders

These people seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering data).

Malicious Code (viruses, worms and Trojan horses)

  • Viruses: This malicious code requires a user to take action to let into the system, such as open an email attachment, download a file or visit a webpage.
  • Worms: Once released, this code reproduces and spreads through systems on its own. They usually start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers through a network.
  • Trojan horses: This disguised code claims to do one thing while actually doing something else (a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).

Risk Management Planning

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and importance to the organization.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization.

In addition, your organization should take precautionary measures when selecting your Internet service provider (ISP) for use for company business.

ISP Considerations

Almost all ISPs offer Web browsing capabilities with a varying degree of user support and Web hosting capabilities. Your company should determine what ISP to use, along with a plan for backing up emails and files and what firewalls to implement.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – How concerned with security is the ISP provider? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and does it meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that its services will be unavailable, does it adequately communicate that information to its customers?
  • User Supports – Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Does its hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Cyber security is a serious concern for your business. Contact your insurance broker to learn about our risk management resources and insurance solutions for emerging technology exposures.

© Zywave, Inc. All rights reserved

Basic Cyber Loss Control Techniques

Protecting your business from cyber risks can be an overwhelming venture. With each passing month, new and more sophisticated viruses are being discovered, more spam is reaching your inbox and yet another well-known company becomes the victim of a data breach.

The world will never be free of cyber risks, but there are many loss control techniques you can implement to help protect your business from exposures.

Install a firewall for your network.

Operating systems often come with pre-installed firewalls, but they are generally designed to protect just one computer. Examine the firewall’s options and select the best configuration to keep the computer safe.

If your business has a network of five or more computers, consider buying a network firewall. They can be pricey but network firewalls provide a fine level of coverage for an entire network.

Install anti-virus, anti-malware and anti-spyware software.

This loss control technique is the easiest and most effective way to increase security at your business. Make sure to install the software on each computer in your network—computers that don’t include these types of software are much more likely to be exposed and can possibly spread malware to other computers in the network. There are a host of viable options for each type of software, ranging in price from free to an annual subscription. Be sure to keep the software as up-to-date as possible.

Encrypt data.

No firewall is perfect. If a hacker manages to get through your firewall and into your network, your data could be a sitting duck. Encryption will make the data unreadable to a hacker. Consider using an encryption program to keep computer drives, files and even email messages safe from hackers.

Use a Virtual Private Network (VPN).

A VPN allows employees to connect to your company’s network remotely. VPNs eliminate the need for a remote-access server, saving companies lots of money in remote server costs. In addition to these savings, VPNs also provide a high level of security by using advanced encryption and authentication protocols that protect sensitive data from unauthorized access. If your company has salespeople in the field or employs workers who work from home or away from the office, a VPN is an effective way to minimize cyber risks.

Implement an employee password policy.

One of the most overlooked ways to keep your business safe is instituting a password policy. Essentially, a password policy should force employees to change work-related passwords every 90 days. The policy should encourage the creation of easy-to-remember, hard-to-guess passwords that include letters, numbers and special characters. For example, an easy-to-remember, hard-to-guess password could be “M1dwbo1025.” (My first daughter was born on Oct. 25th.)

Passwords that contain words from the dictionary or contain sensible combinations (abc123, qwerty, etc.) should never be allowed. Let employees know that they should not write passwords down and leave them in a desk or out in the open. If they are having trouble remembering passwords, there are password-keeping programs available for download.

Back up data regularly.

Important data should be backed up daily and in multiple locations, one being off-site. In addition to being safe from cyber risks, off-site data would not be exposed from physical attacks, like a fire or tornado.

Restrict access to backed up data. The public should never have access to it. If the data is tangible, keep it in locked filing cabinets in a locked room, and only issue keys to those who absolutely need them.

Develop a business continuity plan.

If the worst should happen and your company suffers a data breach or similar attack, you should have a business continuity plan in place. A business continuity plan helps:

  • Facilitate timely recovery of core business functions
  • Protect the well-being of employees, their families and your customers
  • Minimize loss of revenue/customers
  • Maintain public image and reputation
  • Minimize loss of data
  • Minimize the critical decisions to be made in a time of crisis

The plan should identify potential cyber risks, along with the recovery team at your company assigned to protect personnel and property in the event of an attack. The recovery team should conduct a damage assessment of the attack and guide the company toward resuming operations.

Contact Your Loss Control Expert

Keeping your data safe from cyber risks requires constant attention to ensure an attack never happens. Your insurance broker can help you identify potential risks and keep your business running smoothly in the event of an attack.

© Zywave, Inc. All rights reserved

Federal Budget Details $600 Million Investment in Cyber Security

The federal government recently released its 2018-19 budget. Among other important allocations, the government announced an investment of more than $600 million in data privacy. Specifically, the budget calls for $507.7 million over the next five years and $108.8 million each year thereafter for a new national cyber security strategy to help protect Canadians and their sensitive personal information.

A portion of the funds—$155.2 million during the next five years and $44.5 million per year thereafter—will go toward establishing a new Canadian Centre for Cybersecurity. This centre will allow the government to consolidate its cyber expertise under one roof as well as establish a single source of advice, guidance, services and support on cyber security-related matters.

In addition to funding the creation of the Canadian Centre for Cybersecurity, the government will provide $236.5 million over the next five years and $41.2 million per year thereafter to support the national cyber security strategy. This strategy is designed to do the following:

  • Enhance the government’s ability to investigate, prepare for and respond to cyber crime.
  • Create a voluntary cyber-certification program to help students and businesses improve their cyber security.
  • Improve cyber security on a national level by working alongside provincial, territorial, private-sector and international partners.

To learn more about these and other investments, review the government’s website on the 2018-19 federal budget.

© Zywave, Inc. All rights reserved

Avoid Costly Phishing Scams

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registry Authority recently published a survey of businesses who use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.

© Zywave, Inc. All rights reserved

Network Security

As the amount of sensitive information on your computer network grows, so too does the need for appropriate measures to ensure this data is not compromised. To properly secure your company’s network:

  • Identify all devices and connections on the network,
  • Set boundaries between your company’s systems and others, and
  • Enforce controls to ensure that unauthorized access, misuse or denial-of-service events can be thwarted or rapidly contained and recovered from if they occur.

Use the following tips to create a safe and secure network.

Secure internal network and cloud services

Separate your company’s network from the public Internet with strong user authentication mechanisms and policy enforcement systems such as firewalls and Web filtering proxies. You should also employ additional monitoring and security solutions, such as anti-virus software and intrusion detection systems, to identify and stop malicious code or unauthorized access attempts.

  • Internal network: After identifying the boundary points on your company’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your company’s public IP addresses; firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services; and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that your carrier provides.
  • Cloud-based services: Carefully consult your terms of service with all cloud service providers to ensure that your company’s information and activities are protected with the same degree of security you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your company’s needs and concerns and ensure the provider’s policies and workflows comply with your jurisdiction’s regulations governing how data is handled and stored. Make sure to review and understand service level agreements, or SLAs, for system restoration and reconstitution time.

You should also inquire about additional services a cloud service can provide. These services may include backup-and-restore services and encryption services, which can further bolster your data security.

Develop strong password policies

Two-factor authentication methods, which require two types of evidence that you are who you claim to be, are generally safer than using only static passwords for authentication. One common example is a personal security token that displays changing passcodes to be used in conjunction with an established password.

Additionally, password policies should encourage your employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means using passwords that are random, complex and long (at least 10 characters), that are changed regularly and that are closely guarded by those who know them.

Secure and encrypt your company’s Wi-Fi

Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic from the public network cannot traverse the company’s internal systems at any point.

Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while still meeting your company’s business needs. Where the internal WLAN has less stringent access controls than your company’s wired network, dual connections—where a device is able to connect to both the wireless and wired networks simultaneously—should be prohibited by technical controls on each such capable device. All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN.

Encrypt sensitive company data

Encryption should be employed to protect any data that your company considers sensitive, in addition to meeting your local applicable regulatory requirements on information safeguarding. Different encryption schemes are appropriate under different circumstances. If you choose to offer secure transactions on your company’s website, consult with your service provider about available options for an SSL certificate for your site.

Regularly update all applications

All systems and software, including networking equipment, should be updated in a timely fashion as patches and firmware upgrades become available. Use automatic updating services whenever possible, especially for security systems such as anti-malware applications, Web filtering tools and intrusion prevention systems.

Set safe Web browsing rules

Your company’s internal network should only be able to access those services and resources on the Internet that are essential to the business and the needs of your employees. Use the safe browsing features included with modern Web browsing software and a Web proxy to ensure that malicious or unauthorized sites cannot be accessed from your internal network.

If remote access is enabled, make sure it is secure

If your company needs to provide remote access to your internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.

Create a Safe-use Flash Drive Policy

Ensure that employees never put any unknown flash drive or USBs into their computers. Businesses should set a clear policy so employees know they should never open a file from a flash drive they are not familiar with, and that they should hold down the Shift key when inserting the flash drive to block malware. By doing so, you can stop the flash drive from automatically running.

© Zywave, Inc. All rights reserved

Ransomware Insurance

With ransomware attacks on the rise, the role of insurance is becoming more robust. And, although ransomware coverage has been traditionally sublimited within cyber policies, stand-alone cyber policies that cover ransomware are becoming more necessary.

In an attempt to find additional coverage for ransomware, many businesses and carriers have turned to kidnap and ransom (K&R) policies. K&R policies have traditionally been used by organizations to protect their executives, not to protect against ransomware. Because K&R policies were not designed for ransomware, they may only provide a quick fix. K&R policies tend to be less suitable for ransomware than cyber policies and payouts tend to be lower.

Policy Definitions, Terms and Conditions

Since cyber insurance isn’t standardized, organizations should review all policy language with a broker before choosing a plan. Policies can vary significantly in their language and coverage options, so insurance experts recommend policies that—at the very least—provide coverage for extortion demands and payments as well as lost income resulting from an attack.

Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:

  • Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It is important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Additionally, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
  • Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
  • Definition of extortion—It is important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.

What to Look for in a Policy

Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:

  • Access, sell, disclose or misuse data stored on your network, including digital assets.
  • Alter, damage, or destroy software or programs.
  • Introduce malicious software, including viruses and self-propagating code.
  • Impair or restrict access. Look for policies with broad terms like, “threats to disrupt business operations.”
  • Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing.
  • Use your network to transmit malware.
  • Deface or interfere with your company’s website.

The Importance of Risk Management

Ransomware insurance is most effective when coupled with an effective risk management program, as there are many components in the fight against cyber crime. Risk managers should work with an insurance broker to review all applicable options before choosing cyber coverage.

Contact your insurance broker today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.

© Zywave, Inc. All rights reserved