Is Your Organization Ready for Mandatory Data Breach Notifications?

Overview

On June 18, 2015, the Digital Privacy Act (DPA) received royal assent and became law. Among other things, the DPA amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by revising consent requirements, introducing mandatory breach notification and record-keeping requirements, and adding significant fines for non-compliance.

While many of the measures introduced by the DPA have been in force since the bill was first enacted, the government held off on imposing mandatory breach reporting until the proper regulations were implemented.

Such regulations could be in place as early as fall 2017, and organizations will want to ensure that they know what is expected of them in order to remain compliant and avoid costly fines as high as $100,000.

Mandatory Data Breach Notifications

The DPA imposes reporting requirements on every organization subject to PIPEDA that suffers a breach of security safeguards involving personal information under its control, where it is reasonable to believe that the breach creates a real risk of significant harm to one or more individuals. While the full extent of the reporting requirements will not be known until the corresponding regulations are published, the DPA defines significant harm broadly to include the following:

  • Bodily harm
  • Humiliation
  • Damage to reputations or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

Most often, the existence of “a real risk of significant harm” will be based on the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and additional factors that may be prescribed by the forthcoming regulations.

If a breach creates a real risk of significant harm to one or more individuals, the affected organization must do the following, as soon as feasible:

  • Report the incident to the Office of the Privacy Commissioner of Canada (Privacy Commissioner).
  • Notify affected individuals of the breach and provide them with information on how they may minimize the harm caused by the breach.
  • Inform other organizations and government entities of the breach if it believes that doing so could reduce the risk of harm or mitigate the harm.

Notices must contain enough information to allow affected individuals to understand the significance of the breach and to take steps to reduce the risk of harm. Additionally, notices must be conspicuous and provided directly to affected individuals, although in limited circumstances indirect notices may be permitted. Once again, more detail will be available to organizations once the forthcoming regulations are published.

Record-keeping Requirements

Another key change under the DPA is the requirement that organizations keep records of every breach of security safeguards involving personal information, whether or not the breach met the threshold for reporting. While the level of detail these records must contain is still unclear, it is clear that the Privacy Commissioner will have the right to request and review them at any time.

Penalties for Non-compliance

Under the DPA, fines of up to $100,000 may be imposed on organizations that knowingly violate the mandatory breach notification or breach record-keeping requirements. Until the regulations are finalized, it will remain unclear whether a violation means a single incident (for example, one failure to notify all individuals affected by a breach) or each instance (for example, each failure to notify each affected individual). What is clear is that non-compliance now carries significant fines.

What Does this Mean for Organizations?

Mandatory data breach notifications could impact any organization that is at risk of a cyber attack. Given the reach of the DPA and upcoming regulations, all organizations should consider doing the following:

  • Review and update existing protocols and policies to account for detecting, responding to and reporting data breach incidents internally.
  • Assess the types of information—personal information, intellectual property, supplier data, etc.—they hold and how they would respond in the event of a breach.
  • Create a data breach incident response plan if one does not already exist. Such a plan should include methods for notifying the Privacy Commissioner and any impacted individuals.
  • Ensure that they have sufficient insurance in place and have taken the steps to mitigate any litigation exposures. Such steps often include requiring employee training, performing security audits and identifying cyber security vendors.

Organizations should review the DPA to ensure they are compliant with all aspects of the legislation.

© Zywave, Inc. All rights reserved

Defining, Identifying and Limiting Cyber Crime

A vast amount of information is now stored on computer servers and databases, and it’s growing every day. Because that information has great value, hackers are constantly looking for ways to steal or destroy it.

Cyber crime is one of the fastest growing areas of criminal activity. It can be defined as any crime where:

  • A computer is the target of the crime
  • A computer is used to commit a crime
  • Evidence is stored primarily on a computer, in digital format

Types of Computer Intrusions

Computer intrusions can come from an internal source, such as a disgruntled employee with an intimate knowledge of the computer systems, or an external source, such as a hacker looking to steal or destroy a company’s intangible assets. Hackers use a variety of ways to steal or destroy your data:

  • Viruses – A virus is a small piece of software that attaches itself to a program already on your computer. From there it can copy itself into other programs and manipulate data, spreading quickly from computer to computer and wreaking havoc the entire way. In the late 1990s, email viruses became a popular method for infecting computers. These viruses were triggered when a person opened an infected document received as an email attachment; the virus would then mail a copy of that document to the first few recipients in the person’s email address book. Some email viruses spread so aggressively that many companies were forced to shut down their email servers until the virus was removed.
  • Worms – A worm is a computer program that can copy itself from machine to machine, using a machine’s processing time and a network’s bandwidth to completely bog down a system. Worms often exploit a security hole in some software or operating system, spreading very quickly and doing a lot of damage to a business.
  • Trojan horses – Common in email attachments, Trojans are malicious programs disguised as, or hidden inside, something harmless and, much like the Greek story, do their damage once they are inside. Trojans differ from viruses and worms in that they do not spread on their own: a user must introduce them to the system, for example by knowingly or unknowingly running an .exe file that installs the Trojan.
  • Spyware – Spyware can be installed on a computer without the user ever knowing it, usually from downloading a file from an untrusted source. Spyware can be used by hackers to track browsing habits or, more importantly, collect personal information such as credit card numbers.
  • Logic bombs – Logic bombs are pieces of code that are set to trigger upon the happening of an event. For example, a logic bomb could be set to delete all the contents on a computer’s hard drive on a specific date. There are many examples of disgruntled employees creating logic bombs within their employer’s computer system. Needless to say, logic bombs can cause serious damage to a company’s digital assets.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks – DoS and DDoS attacks send an overwhelming volume of traffic or requests to a target server until it can no longer serve legitimate users. In a DoS attack the traffic comes from a single source; in a DDoS attack the attacker first gains control of many computers (a botnet) and directs all of them at the target at once, which is far harder to filter. The result could be thousands or millions of dollars in lost sales for an online retailer and a complete loss of productivity for many businesses.

Limiting Intrusions

A computer intrusion could put your valuable digital assets at risk. That’s why your company should have the following measures in place to limit computer intrusions and protect your assets:

  • Firewalls – A firewall, whether software on a host or a dedicated network device, inspects incoming and outgoing network traffic and allows or blocks it according to a set of rules. Most computer operating systems now ship with a host firewall enabled. While firewalls are not the be-all and end-all of preventing intrusions, a default-deny policy for inbound traffic is a reliable start.
  • Routers – Routers are the hardware devices that forward traffic between networks, such as between an office and the internet. Most business and home routers include a built-in firewall and network address translation (NAT), which is what keeps unsolicited inbound traffic from reaching internal computers. They complement, rather than replace, the host firewall included in an operating system.
  • Antivirus programs – As their name implies, antivirus programs are designed to catch and eliminate or quarantine viruses before they can harm a computer system. Antivirus programs run in the background to ensure your computer is protected at all times. While they are updated frequently, they may not catch the newest viruses that are floating around.
  • Policies – Every company, no matter its size, should have policies in place to educate employees on the dangers of computer intrusions and ways to prevent them. Make sure your employees know not to open, click on or download anything inside emails from untrusted sources. Employees with an intimate knowledge of the company’s computer network should also be alerted to the potential consequences of hacking into the system.
  • Common sense – Everyone claims to have it, but if that were actually the case, many viruses, worms and Trojans would cease to exist. The simple fact is that everyone in the company needs to exhibit some common sense when using a computer. Encourage employees to disregard emails with subject lines and attachments that seem bogus or too good to be true.

Review Your Risks and Coverage Options

A computer intrusion could cripple your company, costing you thousands or millions of dollars in lost sales and/or damages. Contact your broker today to ensure you have the proper coverage to protect your company against losses from computer intrusions.

© Zywave, Inc. All rights reserved

One in Four Hide Cybersecurity Incidents from Employers

Source: Canadian Underwriter

Forty per cent of employees around the globe hide IT security incidents to avoid punishment, according to a new report from cybersecurity company Kaspersky Lab and market research company B2B International.

The report, titled Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within and released on Monday, also found that dishonesty is most challenging for larger businesses. Forty-five per cent of enterprises with over 1,000 employees experience employees hiding cybersecurity incidents, compared with 42% of small- and medium-sized businesses (SMBs) and only 29% of very small businesses (under 49 employees).

The study involved 5,274 respondents around the globe.

Not only are employees hiding incidents, Kaspersky said in a press release, “uninformed or careless employees” are one of the most likely causes of a cybersecurity incident – only second to malware. While malware is becoming more and more sophisticated each day, the surprising reality is that the “evergreen” human factor can pose an even greater danger, the release said. Forty-six per cent of IT security incidents are caused by employees each year – nearly half of the business security issues faced triggered by employee behaviour.

Staff hiding the incidents that they have encountered may lead to dramatic consequences for businesses, increasing the overall damage caused, Kaspersky noted. Even one unreported event could indicate a much larger breach, and security teams need to be able to quickly identify the threats they are up against to choose the right mitigation tactics.

“The problem of hiding incidents should be communicated not only to employees, but also to top management and HR departments,” said Slava Borilin, security education program manager at Kaspersky Lab, in the release. “If employees are hiding incidents, there must be a reason why. In some cases, companies introduce strict, but unclear policies and put too much pressure on staff, warning them not to do this or that, or they will be held responsible if something goes wrong. Such policies foster fears, and leave employees with only one option — to avoid punishment whatever it takes. If your cybersecurity culture is positive, based on an educational approach instead of a restrictive one, from the top down, the results will be obvious.”

The fear businesses have of being put at risk from within is clear in the results of the survey, with the top three cybersecurity fears all related to human factors and employee behavior. Businesses worry the most about employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%) and the use of inappropriate IT resources by employees (44%).

While advanced hackers might always use custom-made malware and high-tech techniques to plan a heist, they will likely start with exploiting the easiest entry point – human nature, Kaspersky suggested. According to the research, every third (28%) targeted attack on businesses in the last year had phishing/social engineering at its source.

“Sophisticated targeted attacks do not happen to organizations every day – but conventional malware does strike at mass,” the release said. “Unfortunately though, the research also shows that even where malware is concerned, unaware and careless employees are also often involved, causing malware infections in more than half (53%) of incidents that occurred globally.”

“Cybercriminals often use employees as an entry point to get inside the corporate infrastructure. Phishing emails, weak passwords, fake calls from tech support – we’ve seen it all,” said David Jacoby, security researcher at Kaspersky Lab. “Even an ordinary flash card dropped in the office parking lot or near the secretary’s desk could compromise the entire network – all you need is someone inside, who doesn’t know about, or pay attention to security, and that device could easily be connected to the network where it could wreak havoc.”

Canada Second Most Expensive Country for Data Breaches

Source: Canadian Underwriter

Canada was the second most expensive country for data breaches, costing an average of $255 per lost or stolen record in 2017, according to a new report sponsored by IBM Security and conducted by the Ponemon Institute.

Released earlier in June, the 2017 Cost of Data Breach Study: Canada report found that Canada was also the second most expensive country of those surveyed for malicious/criminal breaches at $156 per record. The Canadian research report examined the costs incurred by 27 Canadian companies from 12 different industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws.

In Canada, the average total cost of data breaches decreased from $6.03 million in 2016 to $5.78 million in the current year, although the lowest average total cost was $5.32 million in 2015, IBM said in a statement. Over the past year, the average total cost of data breach decreased by 4%, but the average breach size or number of records increased by 3%, the report noted. The number of breached records per incident this year ranged from 4,300 to 69,844, with an average of 21,750 records breached.

The report found that organizations that can contain a breach in less than 30 days save $1.79 million ($4.88 million compared to $6.67 million). However, on average, Canadian organizations took 173 days to identify a breach and 60 days to contain one. This year, the cost of notification in Canada also decreased from $180,000 per company on average in 2016 to $160,000. These costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up.

IBM noted in the statement that certain industries have higher data breach costs: services ($398 per capita cost), financial services ($356) and technology ($340) companies had a per capita data breach cost above the mean of $255 ($278 in 2016). Public sector ($105), hospitality ($172) and transportation ($175) companies had a per capita cost well below the overall mean value. Investments in incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing were shown to reduce the per capita and total cost of data breach, the statement added.

Of the $255 average per compromised record, $147 pertained to indirect costs, including abnormal turnover or churn of customers, and $108 was related to direct costs incurred to resolve the data breach, such as investments in technologies or legal fees.

From a global perspective, this is the first year the global total cost of a breach has declined in the history of the study, which began in the United States 12 years ago. The 2017 Cost of Data Breach Study: Global Overview said that the global average cost per lost or stolen record was US$141 (from $158 in 2016), with the number one factor to reducing the cost reported as having an incident response team in place (lowering the cost by US$19 per lost or stolen record).

The cost of a data breach also dropped 10% globally in the 2017 study to US$3.62 million from US$4 million. Since debuting in the U.S., the study has expanded to the following countries and regions: the United Kingdom; Germany; Australia; France; Brazil; Japan; Italy; India; Canada; South Africa; the Middle East (including the United Arab Emirates and Saudi Arabia); and the ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia).

Another press release from IBM said that the company identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26% decrease in the total cost of a data breach over last year’s study, the release said, noting that businesses in Europe operate in a more “centralized regulatory environment,” while businesses in the U.S. have unique requirements (48 of 50 states have their own data breach laws).

In the U.S., “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the U.S. As well, U.S. companies reported paying over $690,000 on average for notification costs related to a breach – more than double the amount of any other country surveyed in the report.

General global findings included the following:

  • Canada was the third most expensive country for data breaches, costing organizations an average of US$4.31 million;
  • The cost of a data breach in the U.S. was US$7.35 million, a 5% increase compared to last year;
  • Organizations in the Middle East, Japan, South Africa and India all experienced increased costs in 2017 compared to the four-year average costs;
  • Germany, France, Italy and the U.K. experienced significant decreases compared to the four-year average costs. Australia, Canada and Brazil also experienced decreased costs compared to the four-year average cost of a data breach;
  • In the Middle East, organizations saw the second highest average cost of a data breach at US$4.94 million, a more than 10% increase over the previous year;
  • In Brazil data breaches were the least expensive overall, costing companies only US$1.52 million;
  • For the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organizations US$380 per record, more than 2.5 times the global average across industries (US$141 per record);
  • The involvement of third parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost US$17 per record; and
  • Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in US$19 reduction in cost per lost or stolen record, followed by extensive use of encryption (US$16 reduction per record) and employee training (US$12.50 reduction per record).

Key CASL Provisions Come Into Force July 1, 2017

Canada’s Anti-spam Legislation (CASL), which regulates the sending of commercial electronic messages (CEMs) and requires entities that distribute them to obtain prior consent, came into force on July 1, 2014. While many aspects of CASL have been in effect for years, key provisions—including the private right of action (PRA)—will be imposed beginning July 1, 2017.

Essentially, PRA allows individuals and enterprises to file a lawsuit in court if they feel they have been affected by a violation of CASL. PRA also opens the door for anti-spam class action lawsuits, with maximum damages capped at $1 million per day. PRA violations can be costly for organizations, and monetary penalties can occur if a business does any of the following:

  1. Sends CEMs that violate CASL ($200 per breach and up to a maximum of $1 million for each day noncompliant conduct occurred)
  2. Alters the transmission data of a CEM (a maximum of $1 million for each day noncompliant conduct occurred)
  3. Installs apps or other computer programs that violate CASL (a maximum of $1 million for each day noncompliant conduct occurred)
  4. Scrapes, generates or accesses electronic addresses in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA) (a maximum of $1 million for each day noncompliant conduct occurred)
  5. Sends CEMs with false or misleading information ($200 per breach and up to a maximum of $1 million for each day noncompliant conduct occurred)

Moreover, beginning July 1, 2017, transitional implied consent expires, and organizations will need to obtain express or implied consent prior to sending CEMs. Failing to do so could leave businesses exposed to significant monetary penalties under PRA. In order to prepare for PRA and the end of transitional provisions, organizations are encouraged to review their compliance programs.

© Zywave, Inc. All rights reserved

IT Security Is a Top Challenge for Firms around the World

A recent survey conducted by Protiviti and the Information Systems Audit and Control Association (ISACA), found that cyber security, privacy issues, infrastructure management and emerging technologies rank as the top IT challenges facing organizations today.

The annual survey—A Global Look at IT Audit Best Practices—gathered responses from over 1,000 IT audit professionals and focused on emerging technology, IT implementation, audits, risk assessments and hiring practices. Respondents were asked to name their greatest technology or business challenges.

The following were the top 10 responses:

  1. IT security, privacy and cyber security
  2. Infrastructure management
  3. Emerging technology and infrastructure changes
  4. Resource, staffing and skills challenges
  5. Regulatory compliance
  6. Budgets and controlling costs
  7. Cloud computing and virtualization
  8. Bridging IT and the business
  9. Project management and change management
  10. Third-party and vendor management

In order to protect themselves and stay current on emerging risks, experts recommend that organizations continually review the IT risk landscape and adjust IT audit plans accordingly.

The survey also found that, while 90 per cent of large organizations conducted an IT audit risk assessment, only a little more than half of them did so on an annual basis.

© Zywave, Inc. All rights reserved

88 Per cent of Employees Lack Knowledge to Prevent Cyber Incidents

According to a report, 88 per cent of employees lack the understanding necessary to prevent common cyber incidents.

That report was designed to test the level of knowledge and awareness of cyber security among employees by asking them to name proper behaviours in given circumstances. The survey covered eight risk domains and assigned three risk profiles—Risk, Novice and Hero—to indicate an employee’s privacy and security awareness IQ.

Key findings from the report include the following:

  • Only 12 per cent of respondents earned a “Hero” profile, while 72 per cent were given a “Novice” profile and 16 per cent were given a “Risk” profile.
  • Almost 40 per cent of respondents disposed of a password hint using insecure means.
  • About 25 per cent of respondents failed to recognize a sample phishing email, even though it came from a questionable sender and included an attachment.

Educating Employees

This report highlights one of the key vulnerabilities of any organization—employees’ lack of basic cyber security knowledge. Regardless of other hardware or network protections, employees can and will allow cyber criminals into an organization, often without even realizing it.

Fortunately, employee cyber training can help reduce this risk to your organization.

© Zywave, Inc. All rights reserved.

Social Engineering Fraud Coverage


Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the criminals. Once the criminals obtain what they want, they disappear with the information or money, and the company often does not notice the loss until it is too late.
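Both the "authentic-looking domains" and social pressure described above and the phishing email that a quarter of survey respondents failed to recognize (a questionable sender plus an attachment) are cues an inbound-mail filter can score before a request ever reaches an employee. The following is an added example, not code from the original newsletter or from any vendor it mentions; the trusted domains, the pressure phrases and the sample messages are constructed for illustration.

```python
"""Score inbound mail for social-engineering indicators.

Added example, not from the original newsletter. The trusted domains,
pressure phrases and sample messages below are constructed assumptions.
"""
from dataclasses import dataclass
import unicodedata

# Assumed allow-list: the company's own domain and a known vendor.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.ca"}

# Characters commonly substituted to build a lookalike domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Phrases used to impose a time constraint or secrecy (assumed list).
PRESSURE_PHRASES = ("urgent", "immediately", "today", "confidential",
                    "do not discuss", "wire")


def normalize(domain: str) -> str:
    """Fold a domain to its visual skeleton: lowercase, strip accents, then
    map confusable characters onto the letters they imitate."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender's domain."""
    d = domain.lower().rstrip(".")
    for t in TRUSTED_DOMAINS:
        if d == t or d.endswith("." + t):          # exact match or genuine subdomain
            return "trusted"
    skel = normalize(d)
    name, _, tld = d.rpartition(".")
    for t in TRUSTED_DOMAINS:
        t_name, _, t_tld = t.rpartition(".")
        if d.startswith(t + "."):                  # trusted name used as a leading label
            return "lookalike"
        if levenshtein(skel, normalize(t)) <= 1:   # confusable swap or one-character edit
            return "lookalike"
        if name == t_name and tld != t_tld:        # same name, swapped TLD
            return "lookalike"
    return "unknown"


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    has_attachment: bool = False


def triage(msg: Message) -> dict:
    """Combine the domain verdict, attachment and pressure cues into a risk level."""
    domain = msg.sender.rsplit("@", 1)[-1]
    verdict = classify_sender_domain(domain)
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain {domain} resembles a trusted domain")
    if verdict != "trusted" and msg.has_attachment:
        reasons.append("attachment from a sender outside the allow-list")
    text = f"{msg.subject} {msg.body}".lower()
    found = [p for p in PRESSURE_PHRASES if p in text]
    if found:
        reasons.append("social pressure: " + ", ".join(found))
    if verdict == "lookalike" or len(reasons) >= 2:
        risk = "high"
    elif reasons:
        risk = "review"
    else:
        risk = "low"
    return {"domain": domain, "verdict": verdict, "risk": risk, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    Message("ceo@examp1e-corp.com", "Urgent wire transfer",
            "Keep this confidential and send the funds today."),
    Message("invoices@acme-supplies.com", "Updated banking details",
            "Please update our routing number before the next payment.",
            has_attachment=True),
    Message("news@random-mailer.net", "Monthly bulletin",
            "See the attached newsletter.", has_attachment=True),
    Message("ap@example-corp.com", "Invoice 1042",
            "Please find the March invoice for approval."),
]


def triage_samples() -> dict:
    """Map each sample sender to its risk level."""
    return {m.sender: triage(m)["risk"] for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage(m))
```

The second sample shows why a plain allow-list is not enough: acme-supplies.com differs from the real vendor only in its top-level domain, which is exactly the kind of domain a criminal would register. A filter like this is a prompt for verification by phone on a known number, not a substitute for it; the message from the company's own domain scores low, yet a compromised internal mailbox would look the same.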

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover them:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the unlawful theft of money due to a “computer violation”—that is, the unauthorized entry into or deletion of data from a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. Again, it depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow.

© Zywave, Inc. All rights reserved.

Government of Canada Endorsed G7 Guidelines

The government of Canada announced its endorsement of the Group of Seven’s (G7) Fundamental Elements of Cybersecurity for the Financial Sector guidelines late last year. These guidelines are designed to assist organizations, particularly in the financial sector, in designing and implementing a cyber security framework.

The non-binding guidelines identify eight basic building blocks for establishing a strong focus on cyber security:

  1. Implement a cyber security strategy
  2. Governance
  3. Risk assessments
  4. Monitoring
  5. Response
  6. Recovery
  7. Information sharing
  8. Continuous learning

While the G7 guidelines are aimed at businesses that operate in the financial sector, they are useful in summarizing basic cyber risk management practices for any organization.

© Zywave, Inc. All rights reserved.

How the Dyn Cyber Attack Worked Allowing Criminals to Hijack 100,000 Devices

Dynamic Network Services Inc. (Dyn), a cloud-based internet performance management (IPM) and DNS provider in the United States, had its DNS infrastructure overwhelmed late last year by a series of distributed denial-of-service (DDoS) attacks. Dyn said that more than 100,000 devices may have been involved in the massive cyber attack that flooded its servers and produced a ripple effect, temporarily cutting off access to sites like Twitter and Netflix, which relied on Dyn to resolve their domain names, for the east coast of Canada and much of the northeastern United States.

How the Attack Worked

A DDoS is a type of cyber attack that hijacks multiple devices—usually through installing and spreading malware—to “flood” a specific group of servers with a multitude of requests for information all at the same time. The tactic effectively “clogs” the servers so that they’re unable to handle normal web traffic and can ultimately force them to shut down temporarily.
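To make the flood described above concrete, the following is an added example, not code from the original newsletter or from Dyn, that groups DNS query log lines by second and labels a spike as a single-source DoS or a distributed DDoS according to how many sources share the load. It also covers the DoS/DDoS entry in the earlier "Types of Computer Intrusions" list. The log format, the thresholds and the addresses are assumptions, and the log lines are constructed inline from TEST-NET ranges rather than captured traffic.

```python
"""Per-second analysis of DNS query logs to spot a flood and tell a
single-source DoS from a distributed one.

Added example, not from the original newsletter or from Dyn. The log
format, thresholds and addresses are assumptions; the log lines are
constructed below from TEST-NET ranges, not captured traffic.
"""
from collections import Counter, defaultdict
import ipaddress
import statistics


def parse_line(line: str):
    """Assumed format: '<ISO-8601 second> <client ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname, qtype


def per_second_stats(lines) -> dict:
    """For each second: query count, distinct sources, share of the top source."""
    clients = defaultdict(Counter)
    for line in lines:
        ts, client, _, _ = parse_line(line)
        clients[ts][client] += 1
    stats = {}
    for ts, counter in clients.items():
        total = sum(counter.values())
        stats[ts] = {"queries": total, "sources": len(counter),
                     "top_share": counter.most_common(1)[0][1] / total}
    return stats


def classify_seconds(stats: dict, baseline_seconds, factor: int = 10,
                     many_sources: int = 20) -> dict:
    """Label each second 'normal', 'dos' or 'ddos' relative to a baseline.

    A second is a flood when its volume exceeds `factor` times the median
    baseline volume (with an absolute floor of 50 queries). A flood spread
    over many distinct sources, none of them dominant, is 'ddos'; a flood
    driven by one or a few hosts is 'dos'.
    """
    base = statistics.median(stats[s]["queries"] for s in baseline_seconds)
    threshold = max(factor * base, 50)
    labels = {}
    for ts in sorted(stats):
        s = stats[ts]
        if s["queries"] < threshold:
            labels[ts] = "normal"
        elif s["sources"] >= many_sources and s["top_share"] < 0.1:
            labels[ts] = "ddos"
        else:
            labels[ts] = "dos"
    return labels


def make_sample_log() -> list:
    """Constructed log: 5 quiet seconds, 1 single-source flood, 2 distributed."""
    lines = []
    office = ["203.0.113.5", "203.0.113.9", "203.0.113.17"]
    for sec in range(5):                       # baseline: 6 queries/s from 3 resolvers
        ts = f"2016-10-21T11:10:{sec:02d}Z"
        for i in range(6):
            lines.append(f"{ts} {office[i % 3]} example.net A")
    ts = "2016-10-21T11:10:05Z"                # one host sends 300 queries in a second
    for _ in range(300):
        lines.append(f"{ts} 192.0.2.66 example.net A")
    net = ipaddress.ip_address("198.51.100.0")
    for sec in (6, 7):                         # 300 queries/s spread over 150 hosts
        ts = f"2016-10-21T11:10:{sec:02d}Z"
        for i in range(300):
            lines.append(f"{ts} {net + 1 + i % 150} example.net A")
    return lines


def analyze_sample() -> dict:
    """Classify every second of the constructed log."""
    log = make_sample_log()
    baseline = [f"2016-10-21T11:10:{s:02d}Z" for s in range(5)]
    return classify_seconds(per_second_stats(log), baseline)


if __name__ == "__main__":
    for ts, label in analyze_sample().items():
        print(ts, label)
```

In practice the baseline would come from a rolling window rather than a fixed list of seconds, and the source-count and top-share thresholds would be tuned to the normal client population. The point the constructed log makes is that a per-source rate limit would stop the single host at :05 but does nothing at :06 and :07, where no single address stands out, which is why a distributed flood has to be absorbed or filtered upstream rather than blocked host by host.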

In the past, attacks like these would typically utilize personal computers to carry out the attack. In this case, however, it appears that the attack co-opted a number of “smart” devices—things like digital video recorders (DVRs), printers and even cellphones. Government officials currently believe that a non-state actor is behind the attack, but as the investigation is still ongoing, they have yet to definitively rule anything out.

Key Takeaways

Regardless of the source, the attack highlights a pair of troubling trends. First, this DDoS attack was one of a growing number of more sophisticated attacks. And, while Dyn—a company with robust cyber security measures—was able to restore its regular operations fairly quickly, it only did so after defeating two separate waves of the attack.

Second, and perhaps more importantly, this attack shows the potential vulnerability posed by the increasing number of interconnected, internet-enabled devices commonly called the Internet of Things (IoT). The inter-connectivity of devices on the IoT is the source of a number of benefits; however, that very same inter-connectivity offers cyber criminals an often overlooked—and potentially less secure—avenue of attack.

© Zywave, Inc. All rights reserved.