Avoid Costly Phishing Scams

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registry Authority recently published a survey of businesses who use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.

© Zywave, Inc. All rights reserved

Network Security

As the amount of sensitive information on your computer network grows, so too does the need for appropriate measures to ensure this data is not compromised. To properly secure your company’s network:

  • Identify all devices and connections on the network,
  • Set boundaries between your company’s systems and others, and
  • Enforce controls to ensure that unauthorized access, misuse or denial-of-service events can be thwarted or rapidly contained and recovered from if they occur.

Use the following tips to create a safe and secure network.

Secure internal network and cloud services

Separate your company’s network from the public Internet with strong user authentication mechanisms and policy enforcement systems such as firewalls and Web filtering proxies. You should also employ additional monitoring and security solutions, such as anti-virus software and intrusion detection systems, to identify and stop malicious code or unauthorized access attempts.

  • Internal network: After identifying the boundary points on your company’s network, each boundary should be evaluated to determine what types of security controls are necessary and how they can be best deployed. Border routers should be configured to only route traffic to and from your company’s public IP addresses; firewalls should be deployed to restrict traffic only to and from the minimum set of necessary services; and intrusion prevention systems should be configured to monitor for suspicious activity crossing your network perimeter. In order to prevent bottlenecks, all security systems you deploy to your company’s network perimeter should be capable of handling the bandwidth that your carrier provides.
  • Cloud-based services: Carefully consult your terms of service with all cloud service providers to ensure that your company’s information and activities are protected with the same degree of security you would intend to provide on your own. Request security and auditing from your cloud service providers as applicable to your company’s needs and concerns and ensure the provider’s policies and workflows comply with your jurisdiction’s regulations governing how data is handled and stored. Make sure to review and understand service level agreements, or SLAs, for system restoration and reconstitution time.

You should also inquire about additional services a cloud service can provide. These services may include backup-and-restore services and encryption services, which can further bolster your data security.

Develop strong password policies

Two-factor authentication methods, which require two types of evidence that you are who you claim to be, are generally safer than using only static passwords for authentication. One common example is a personal security token that displays changing passcodes to be used in conjunction with an established password.

Additionally, password policies should encourage your employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means using passwords that are random, complex and long (at least 10 characters), that are changed regularly and that are closely guarded by those who know them.

Secure and encrypt your company’s Wi-Fi

Your company may choose to operate a Wireless Local Area Network (WLAN) for the use of customers, guests and visitors. If so, it is important that such a WLAN be kept separate from the main company network so that traffic from the public network cannot traverse the company’s internal systems at any point.

Internal, non-public WLAN access should be restricted to specific devices and specific users to the greatest extent possible while still meeting your company’s business needs. Where the internal WLAN has less stringent access controls than your company’s wired network, dual connections—where a device is able to connect to both the wireless and wired networks simultaneously—should be prohibited by technical controls on each such capable device. All users should be given unique credentials with preset expiration dates to use when accessing the internal WLAN.

Encrypt sensitive company data

Encryption should be employed to protect any data that your company considers sensitive, in addition to meeting your local applicable regulatory requirements on information safeguarding. Different encryption schemes are appropriate under different circumstances. If you choose to offer secure transactions on your company’s website, consult with your service provider about available options for an SSL certificate for your site.

Regularly update all applications

All systems and software, including networking equipment, should be updated in a timely fashion as patches and firmware upgrades become available. Use automatic updating services whenever possible, especially for security systems such as anti-malware applications, Web filtering tools and intrusion prevention systems.

Set safe Web browsing rules

Your company’s internal network should only be able to access those services and resources on the Internet that are essential to the business and the needs of your employees. Use the safe browsing features included with modern Web browsing software and a Web proxy to ensure that malicious or unauthorized sites cannot be accessed from your internal network.

If remote access is enabled, make sure it is secure

If your company needs to provide remote access to your internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.

Create a Safe-use Flash Drive Policy

Ensure that employees never put any unknown flash drive or USBs into their computers. Businesses should set a clear policy so employees know they should never open a file from a flash drive they are not familiar with, and that they should hold down the Shift key when inserting the flash drive to block malware. By doing so, you can stop the flash drive from automatically running.

© Zywave, Inc. All rights reserved

Ransomware Insurance

With ransomware attacks on the rise, the role of insurance is becoming more robust. And, although ransomware coverage has been traditionally sublimited within cyber policies, stand-alone cyber policies that cover ransomware are becoming more necessary.

In an attempt to find additional coverage for ransomware, many businesses and carriers have turned to kidnap and ransom (K&R) policies. K&R policies have traditionally been used by organizations to protect their executives, not to protect against ransomware. Because K&R policies were not designed for ransomware, they may only provide a quick fix. K&R policies tend to be less suitable for ransomware than cyber policies and payouts tend to be lower.

Policy Definitions, Terms and Conditions

Since cyber insurance isn’t standardized, organizations should review all policy language with a broker before choosing a plan. Policies can vary significantly in their language and coverage options, so insurance experts recommend policies that—at the very least—provide coverage for extortion demands and payments as well as lost income resulting from an attack.

Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:

  • Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It is important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Additionally, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
  • Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
  • Definition of extortion—It is important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.

What to Look for in a Policy

Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:

  • Access, sell, disclose or misuse data stored on your network, including digital assets.
  • Alter, damage, or destroy software or programs.
  • Introduce malicious software, including viruses and self-propagating code.
  • Impair or restrict access. Look for policies with broad terms like, “threats to disrupt business operations.”
  • Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing.
  • Use your network to transmit malware.
  • Deface or interfere with your company’s website.

The Importance of Risk Management

Ransomware insurance is most effective when coupled with an effective risk management program, as there are many components in the fight against cyber crime. Risk managers should work with an insurance broker to review all applicable options before choosing cyber coverage.

Contact your insurance broker today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.

© Zywave, Inc. All rights reserved

Privacy and Cyber Security

With the enormous amount of sensitive information stored digitally, companies need to take appropriate measures to ensure this data is not compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Understanding the risks involved with data security can help you prevent a privacy breach.

Know the Risks

The first step in protecting your business is to recognize types of risk:

  • Hackers, attackers and intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems for their personal gain. Their intentions are usually malicious and their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to damaging activity (stealing or altering a client’s information).
  • Malicious code. This is the term used to describe code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
    • Worms: This type of code propagates systems without user interventions. They typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves to cause damage. A popular type of Trojan is a program that claims to speed up your computer system but actually sends confidential information to a remote intruder.

IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions use industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, their importance to the organization and the data stored and processed.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored changes or other conditions occur that may affect the impact of risk to the organization.

Due Diligence When Selecting an ISP

Your organization should take precautionary measures when selecting an internet service provider (ISP) to use for company business. An ISP provides its customers with Internet access and other Web services. In addition, the company usually maintains Web servers, and most ISPs offer Web hosting capabilities. With this luxury, many companies perform backups of emails and files, and may implement firewalls to block some incoming traffic.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – Is the ISP concerned with security? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that their services will be unavailable, does it adequately communicate that information to its customers?
  • User supports – Are there any published methods for contacting customer service? Do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Protection is our Business

Contact your broker today to ensure you have the proper coverage to protect your company against a data breach.

© Zywave, Inc. All rights reserved

Is Data Quality the Unspoken Risk of Connected Devices?

Source: Insurance Business

Our lives are becoming more and more data-centric. Sally next door uses an average of 897 kWh of electricity per month, and about 90 gallons of water each day. She’s had one costly car accident, multiple speeding fines, and her car has been broken into twice because she parks it overnight on an unlit street.

Sally’s insurance premiums are calculated using this data. We know what utilities she uses because of her home sensor device, and her connected car is catching out her heavy-footed acceleration tendencies.

Connected devices and the Internet of Things (IoT) are proliferating fast. Experts at the leading research and advisory company Gartner suggest there could be more than 20 billion connected devices in use across the world by 2020, up from 8.4 billion connected things in 2017.

As the number of IoT devices continues to boom, so will the amount of analytical data insurers will have at their fingertips. But can we always trust this data?

“Data quality is a risk we might need to consider as the world becomes more connected,” said Jeff Wargin, vice president, product management at Duck Creek Technologies. “As we get access to more and more data, we’re bound to come across false positives and false negatives. Insurance companies need to have analytics experts and data scientists working through the data and eliminating the poor-quality false positive and false negative results.

“Until that process becomes automated and we can identify the poor data with ease, I think we all run the risk of doing things we shouldn’t be, whether that’s during the underwriting process, claims adjusting, or any purpose outside of insurance.”

Connected devices are not perfect. With the global market booming the way it is, manufacturers are under pressure to release state-of-the-art products ahead of the competition. The occasional slip-up or malfunction is to be expected.

“As the number of connected devices continues to proliferate, and the amount of data we receive increases, it’s going to get harder to spot the problem areas,” Wargin added. “There’s a risk that poor data could slip through the cracks.”

Up to 100,000 Bell Customers Impacted by Data Breach

Bell Canada, one of the nation’s largest telecommunications companies, announced Tuesday, Jan. 23 that up to 100,000 customers were affected by a data breach. The company has said that hackers likely obtained sensitive customer information, including subscriber names, phone numbers, account names and email addresses. At this time, there is no indication that credit card numbers or other banking information was compromised.

The company is advising customers to change their passwords and security questions. Affected users should also be on the lookout for suspicious activity, as cyber criminals will likely use the lost email addresses and user profiles to carry out more harmful phishing and social engineering scams.

Bell is currently working with law enforcement and the Office of the Privacy Commissioner of Canada to investigate the event. Officials are looking to determine how the breach occurred, what Bell is doing to mitigate the situation and potential follow-up actions.

This latest breach comes just eight months after 1.9 million customer emails were stolen from Bell’s database by an anonymous hacker. High-profile cyber security events are becoming commonplace, and organizations must continue to conduct security audits, review their record retention polices and provide employee training if they are to prevent future breaches. While customers can’t prevent companies from being hacked, they can take the following steps to reduce the risk of losing personal information:

  • Encrypt data whenever possible.
  • Back up data.
  • Use anti-malware protection.
  • Update phones and computers regularly.
  • Secure wireless networks.
  • Use a firewall.
  • Make passwords complex and change them often.
  • Avoid clicking suspicious links or navigating to deceptive websites.

To read the official statement from Bell regarding its most recent data breach, click here.

© Zywave, Inc. All rights reserved

Critical Cyber Exploits Affect Nearly All Computers

Cyber security researchers recently announced the discovery of two major security flaws that could allow hackers to bypass regular security measures and obtain normally inaccessible data. The flaws, referred to as Meltdown and Spectre, are both caused by design flaws found in nearly all modern processors. These vulnerabilities can be exploited to access all of the data found in personal computers, servers, cloud computing services and mobile devices.

Because Meltdown and Spectre are both caused by design flaws, experts believe that they will be harder to fix than traditional security exploits. Additionally, software patches that have already been released to help address the vulnerabilities can cause computer systems to slow down significantly, which may impact their ability to perform regular tasks.

Researchers believe that Meltdown and Spectre may be limited to processors manufactured by different companies, but also warn that the design flaws that contribute to Meltdown and Spectre have been present for years. Here are some key details about each flaw:

  • Meltdown: This flaw can be used to break down the security barriers between a device’s applications and operating system in order to access all of the device’s data. Meltdown can be used to access desktop, laptop, server and cloud computer systems, and can even be used to steal data from multiple users who share one device. Although researchers have only been able to verify that Meltdown affects processors made by Intel, other processors may also be affected. Many software developers have already released updates that prevent hackers from exploiting Meltdown.
  • Spectre: This flaw can be used to break down the security barriers between a device’s different applications and access sensitive data like passwords, photos and documents, even if those applications adhere to regular security checks. Spectre affects almost every type of computer system, including computers, servers and smartphones. Additionally, researchers have confirmed that the design flaw that enables Spectre is present in Intel, AMD and ARM processors that are used by nearly every computer and mobile device. Software developers are currently working on a patch to prevent the exploitation of Spectre, but some experts believe that future processors may have to be redesigned in order to fix the vulnerability.

When Meltdown and Spectre were originally discovered in 2017, researchers immediately reported them to major hardware and software companies so work on security fixes could begin without alerting hackers. As a result, services and applications offered by companies like Microsoft, Google, Apple and Amazon have already been updated to help defend against the flaws. However, you shouldn’t rely solely on a software patch to protect against these vulnerabilities. Here are some steps you can take to protect your computer systems and devices from Meltdown and Spectre:

  • Update all of your devices immediately, and check for new updates regularly. You should also encourage your friends, family members and co-workers to do the same.
  • Contact any cloud service providers and third-party vendors you use to ensure that they are protected against Meltdown and Spectre. Cloud services and computer servers are especially vulnerable to the exploits, as they often host multiple customers on a single device.
  • Install anti-virus and firewall systems to protect against regular malware. Researchers believe that hackers need to gain access to a device in order to exploit Meltdown or Spectre, so keeping your devices free of malware can help prevent data theft.

© Zywave, Inc. All rights reserved

Uber says over 800k Canadians affected by data breach

Uber says over 800k Canadians affected by data breachSource: Insurance Business Canada
In a statement issued this week, Uber Canada disclosed that the information of 815,000 Canadian riders and drivers may have been affected by a major data breach.The ridesharing company first announced news of the breach last November. Uber revealed that the breach occurred sometime in October 2016, and resulted in the theft of information from some 57 million Uber accounts globally.Uber Canada said the information taken by the cyber attackers includes names, email addresses, and mobile phone numbers. The company’s investigation has not identified, however, if the hackers managed to also steal users’ location histories, credit card numbers, bank account numbers, or dates of birth.

The company’s disclosure earlier this week came the same day that the federal privacy commissioner said it had opened a formal investigation into the breach, The Canadian Press reported.

Uber Canada spokesperson Jean-Christophe de le Rue said that the company will cooperate with the commissioner’s investigation.

“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter.”

In late November, a law firm representing Albertans whose information was compromised by the data breach filed a class-action lawsuit against Uber. On top of general damages, the lawsuit is seeking special damages for costs related to credit counselling, compensation for the plaintiffs’ lost time and income, as well as costs for credit monitoring and other similar services.

How to Respond to and Protect Your Business from Ransomware

The incidents of ransomware in Canada are rising at an alarming rate. In 2015, Canadians were affected by 1,600 ransomware attacks a day. By September 2016, the number of attacks nearly doubled, and those are only the known cases. Unfortunately, many incidents still go unreported. Businesses of all sizes have become targets of ransomware, as it can infect not only personal computers, but also entire networks and servers.

What is Ransomware?

Ransomware is malicious software that infects a computer and denies access to the system or data, and demands a sum of money to restore the information. Presently, the most common forms of ransomware will encrypt data.

Victims often receive an onscreen alert stating their files have been encrypted or a similar message, depending on the type of ransomware. The message on the lock screen may even claim to come from the federal government, accusing the user of violating a law and demanding a fine.

Organizations are then prompted to pay a ransom to unlock their computer systems or gain access to critical documents. Typically, the hackers behind the ransomware demand bitcoin—a type of digital currency that is difficult for police to trace.

How Ransomware Can Spread

There are different ways that ransomware can spread, including the following:

  • Visiting fake or unsafe websites
  • Opening emails or email attachments from unknown sources
  • Clicking on suspicious links in emails or on social media

How to Respond

Some operating systems provide instructions for responding to lock-screen ransomware, although results aren’t guaranteed. In contrast, encryption ransomware has no quick fix without an encryption key, which only the hackers typically have access to.

Regardless of the type of ransomware, experts recommend against paying the ransom. After all, there is no guarantee that you will regain access to your computer, network or files after you pay. Furthermore, by paying the ransom, you could be encouraging future cyber crimes.

If your business is affected by ransomware, take the following steps:

  • Do not do anything further on your computer systems. If possible, consult your IT department or an IT professional for assistance.
  • Immediately contact the Canadian Cyber Incident Response Centre (CCIRC) to report the incident. The CCIRC can assist your business to mitigate further damage.
  • Open a criminal investigation into the matter by reporting the incident to your local police force or jurisdiction, and inform the CCIRC that you have done so.
  • Report the incident to the Canadian Anti-fraud Centre.
  • Contact your insurance broker to discuss next steps from an insurance perspective.

What to Do if You’ve Already Paid the Ransom

Since business can come to a halt without access to essential data, business owners are often tempted to pay the ransom in order to quickly regain access. If you’ve paid the ransom, contact your bank and call the authorities as soon as possible. Credit card companies may be able to block the transaction and refund you if you contact them promptly.

How to Protect Your Business

Cyber extortion from ransomware is a legitimate threat to all businesses—no matter the size. The best method of prevention is to keep confidential information and important files securely backed up in a remote location that is not connected to your main network.

In addition to backing up your files, taking the following prevention measures can help keep your information secure and prevent you from becoming a victim of cyber attacks:

  • Teach your employees about ransomware and the importance of preventing it.
  • Instruct employees never to click on links or open attachments in emails sent by a party they do not know.
  • Show your employees how to detect suspicious emails and attachments. For example, tell them to watch for bad spelling or unusual symbols in email addresses.
  • Develop a protocol for reporting incidents of ransomware and other suspicious cyber activity.
  • Develop a schedule for regularly backing up sensitive business files.
  • Update your company software as soon as new updates are released. In doing so, you can patch the security vulnerabilities that cyber criminals rely on, and avoid becoming an easy target.
  • Purchase cyber liability insurance that not only helps you respond to threats, but can also help cover the cost of the ransom and any other losses incurred as a result of cyber extortion.

Don’t let ransomware—or any type of cyber exposure—threaten your business. Contact your insurance broker to ensure you have the proper coverage and the tools necessary to protect against losses from cyber attacks.

© Zywave, Inc. All rights reserved

KRACK Cyber Vulnerability Puts Wi-Fi Networks at Risk to Hackers

Recently, Mathy Vanhoef, a researcher from a Belgium university, discovered a security flaw in Wi-Fi Protected Access II (WPA2)—a protocol that secures almost all modern, protected Wi-Fi networks. Through this newfound vulnerability, hackers can potentially gain access to encrypted information using what is called a key reinstallation attack (KRACK).

Any organization or individual that utilizes Wi-Fi is at risk for an attack, and hackers can use the KRACK method to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos and most data that is stored or transmitted online.

What’s particularly troubling about this cyber threat is that it’s not tied to a specific machine or software and is more so a flaw in how WPA2 was originally designed. Essentially, all a hacker needs to do to access your protected information is to be near your Wi-Fi access point and execute a script that tricks a system into bypassing the security. Not only does this allow cyber criminals to eavesdrop on network traffic, but they can also infect connected machines with malware.

While Vanhoef demoed the vulnerability using an Android operating system, it’s likely that KRACK can be used against a number of others, including Linux, Windows and macOS.

Thankfully, KRACK can be controlled with patches, and Vanhoef warned many companies of the security flaw long before publishing his findings, giving them time to develop a solution. It’s possible your network may already be fixed.

However, there are still a number of precautions businesses and individuals should take, including the following:

  • Update all laptops, smartphones, smartwatches and other devices that can be connected to Wi-Fi.
  • Be cautious about using any hardware that has not yet been patched, as any information stored or transmitted on that device could be compromised.
  • Contact your internet service provider to determine if you need to update your network.

To read the original findings on KRACK, click here.

© Zywave, Inc. All rights reserved