The spammers and cyberthieves haven’t given up and gone home. Instead they are moving with the times and stirring up trouble in other ways, targeting smartphones and social networkds, which offer vast amounts of personal information.
The popularity of “apps” is opening the door to a wide range of suspicious and malicious applications. Locative services such as Foursquare and Fowalla are also a potential problem. These services allow you to easily search, track, and plot the wherabouts of friends and strangers. But cybercriminals can use this information to craft targeted attacks, according to McAfee.
The main way to combat breaches, [Beeson] said, is by encrypting the information. But the McAfee report noted that because of our historically fragile cellular infrastructure and slow strides toward encryption, user and corporate data may face serious risks.
Source: Patricia Vowinkel, February 17, 2011
Millions of people are being tricked into buying or downloading scareware or rogueware due to pop ups telling them their computer is infected. Users unknowingly click on the pop up and buy security software that steals their credit card information or spreads malware through Trojan Horses.
Once the computer is infected they not only become victims of fraud but also pay money for the so called “security software”. Victims report that they loss even more money to eliminate the malicious software.
Some important ways to protect yourself is to always be cautious of offers that pop up while you are already online. And be careful of what you download. Many large and small businesses use filters or blocks to protect their data. If you need security software, buy from a reputable vendor through their website.
Source: Matrix Consulting – Newsletter
“Risk is a function of the likelihood of a given threat source’s exercising a potential vulnerability, and the resulting impact of that adverse event on the organization.”
Due to the changing nature of cyber risk, IT risk managers must upgrade risk management strategies to focus on new areas of concern. In the past, primary attention was given to protecting computer infrastructure from losses caused by lapses of physical security, internet servers, networks, and rogue insiders. Now, attention must be expanded to applications and software used by the organization.
Due to stepped up risk management controls in the areas of improved network security, cyber criminals have turned their attention to less protected vulnerabilities in applications and software. In addition, the purpose of the attacks have morphed from causing embarrassment and denial of service to profiting from the theft of confidential financial and client information.
Cyber Attacks focus on the following areas:
* disrupting infrastructure operations
* posting confidential enterprise information online
* theft of intellectual property
* identity theft
* theft of confidential information
* confiscating or compromising online bank accounts
* spreading viruses on other computers
* malicious insiders seeking revenge
* use of internet launched viruses, malware, trojans, phishing, botnets, other malicious code
A company’s risk analysis should include identification from among the following risks where primary attention should be given to those risks which present the largest loss potential by either their frequency or severity:
* identification of viruses on servers, workstations, and laptops.
* open ports on firewall
* which assets are currently being attacked
* which assets are most likely future targets
* Payment Card Industry (PCI) audit if credit cards are used
* HIPAA and HITECH audit for medical information if applicable
* various state confidentiality and data protection laws
See entire article for suggested risk management controls to reduce these risks.
Source: Resources, Winter 2010, Paul W. Burkett, The National Alliance For Insurance Education And Research
Online criminals are targeting small to midsized businesses according to the US Federal Bureau of Investigation. Hackers are getting away with over $100 million in bank fraud through malicious programs know as Trojans.
Trojans are planted into networks of target companies, stealing passwords to various online services such as fund management and online banking. This opens up ACH or Automatic Clearing House Network Fraud where hackers wire money from the victim’s accounts and into the accounts of money “mules” that launder the money for a profit. Criminal masterminds positioned in other countries such as China and Russia receive the funds since they are out of the reach of US law enforcement.
The small and midsized businesses are favored because hackers know they often lack the time and money to put stringent security controls in place. Even though this may be true there are ways to protect your business and yourself. Educate your employee’s about the risk and instruct them in basic security awareness. Also, use network security procedures such as web and mail filtering solutions, network firewalls, and antivirus software.
Source: US Federal Bureau of Investigation
I found an excellent bulletin from Travelers Insurance that describes the financial threats posed by funds transfer fraud and computer fraud and the need for specialized Crime Insurance Coverage. The Travelers coverage version, wrap +, includes both Electronic Funds Transfer and Computer Fraud coverages on a combined basis.
Here are some eye opening facts:
- According to a 2008 survey by Computer Security Institute, the average financial loss due to computer fraud was $289,000. The average loss due to funds transfer fraud was $500,000.
- Pfishing scams, Trojan horses, key loggers and other techniques allow hackers to gain control of online banking transactions and to circumvent normal online authentication controls.
- Internal controls such as antivirus, firewalls, and employee training are critical, but not enough for 100% protection.
- Specialized Financial Insurance coverages should be purchased to protect against this risk.
Electronic Funds Transfer Fraud Claim Examples:
- The bank of a victim company allegedly sent a letter explaining a new security program. The company received the email that appeared to be from the bank and an employee opened the email. Opening the email allowed a Trojan horse virus access, which read keystrokes from the company’s computer, thereby allowing the perpetrator to obtain banking and password information. A fraudulent electronic wire transfer was initiated and the company lost $683,000.
- Finance director of a company opened an attached zip file in an email that contained a virus. The user ID and password to the company’s account with its bank was obtained through code inserted by the virus. A fraudulent electronic wire transfer totaling $147,000 was initiated by criminals from the company’s bank account to an unknown bank account in Arizona. The immediate withdrawal was unrecoverable.
- Payroll supervisor logged on to the payroll account for the company and noted that three payments totaling $704,632 had been wired from the account. The transactions were reported to the bank as unauthorized and the account was shut down. Unfortunately, $238,781 was not recovered.
Computer Fraud Claim Examples:
- An employee of a customer of a company hacked into the company’s website and changed the bank routing and account numbers to her own. When the company paid her employer for services rendered, she fraudulently received the funds in her account.
- A former employee used his supervisor’s password to enter the insured’s unlocked building and gained access to use the supervisor’s computer. Using his bank routing number, he activated transactions to receive fake reimbursements allegedly made to the company’s customers.
Source: Travelers Bond & Financial Products, Bulletin, 11-09
For the first time, major international corporations are reporting higher fraud losses more from electronic theft of data than from physical stealing of assets, cash and inventory. With 98 percent of businesses affected, China appears to have the highest level of fraud followed by Colombia with 94 percent and Brazil at 90 percent.
A recent study performed in 2010 showed that the amount lost by businesses to fraud rose from $1.4 billion to $1.7 billion over the previous year. The majority of fraud losses have been from “inside jobs” carried out by company employees.
“How much fraud there is depends more on opportunity than anything else,” Tommy Helsby, Kroll chairman for Europe, Middle East and Africa, told Reuters. “Much more work is done electronically, and that creates new opportunities for fraud. It takes time for companies to catch up with that. There’s a real range of dangers,” said Helsby. “‘It can be simple theft or the risk of reputational damage if your firm loses customer data. That itself could be an existential threat to your business.”
Many companies are discouraged from expanding in some crucial emerging markets, China, Africa, and Latin America due to their suspicions over fraud.
“That means you miss out on some of the fastest growing markets,” said Helsby. “You can’t make the risk go away, but you can manage it through having the right systems in place.”
With fraud losses at an all time high, Cyber Liability insurance is a critical part of the risk management plan of any major corportation.
Source: Insurance Journal
I ran across an excellent web page that reminds us how seemingly private communications may not really be private and can be spread and detected for many years and possibly forever. The article discusses the pitfalls of hard drives, laptops, smart phones, social networks, Google caches, and fax machines.
“Online is Forever,” there are millions of old, orphaned web pages out there whose creators can’t access them to change them or take them down, Google caches pages so that web searches can still see them even after they have been removed from the web server, and backups of ancient data still languish on the shelves of numerous server rooms.
Source: WXPNews, May 4, 2010
“Cyber liability coverage has evolved from just liability insurance for information technology companies to coverage that nearly every class of business should have if they don’t already.” Many businesses including banks, restaurants, retailers, and medical offices are unaware of the great security technology exposure they face.
In addition, the internet is not the source of all data breach problems. Lower tech breaches commonly arise that are caused by leaving password notes out in plain view, theft of laptops, and improper disposal of medical records.
“Recent state laws require companies that have experienced a security breach to notify all customers that could be affected by the breach that their information has been compromised, even if the information hasn’t been used. In most cases, the notification also includes an option of one year credit monitoring services and a new card or account number for customers.”
More than 40 states have data breach notification laws and insurers expect a federal cyber notification law at some time in the near future. The average per customer cost for a security breach is $15 and this does not include loss of reputation.
Source: http://www.mynewmarkets.com/articles/107853/security-breach-notification-laws-reinforce-need-for-cyber-insurance
Cybercriminals are using pfishing tactics to gain information from social network sites to tap into corporate networks to steal sensitive data that can result in breach of privacy lawsuits and the need for Cyber Liability insurance for both techs firms and regular businesses alike.
Here are the steps in the process:
1. Cybercriminals purchase Facebook user names and passwords on websites at a cost of $75 to $200 per 1000 matching pairs.
2. Cybercriminals enter accounts and get access to friends, emails, dates of birth, mother’s maiden names, home towns, and vital information from profiles and postings to start online conversations.
3. Messages are sent to friends with information of interest (based on postings) that include a link to a website that results in a malicious executable file being placed on the recipient’s PC.
4. Executable files contain keystroke loggers that capture all user keystrokes on a periodic basis that are emailed to free Gmail or Hot Mail accounts that are set up by the Cybercriminal.
5. Eventually, the user logs into the employer’s network through VPN or Citrix and the cybercriminal captures the user name and password.
6. The cybercriminal enters the corporate network and probes for weaknesses such as those caused by failure to update security patches.
7. A vulnerable server is found and breached resulting in the hacking of confidential information.
Source: http://www.usatoday.com/NEWS/usaedition/2010-03-04-1Anetsecurity04_CV_U.htm?csp=N009
Tracey Vispoli, Chubb’s Cybersecurity Product Manager, refers to the rise in cyber liability claims, by stating, “It’s a frequency issue as well as severity”. Remedies for data breach now cost $202 per record.
According to Vispoli, more than half of the companies with less than 1,000 employees have experienced an online data breach. Thus showing that the need for cyber liability coverage is not limited to large technology and multi-national corporations.
With increased legal activity, attorneys are inserting the need to carry Cyber Liability into contract requirements.
Clients are also realizing the importance for cyber liability especially with expansions of federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Red Flag rules.
Policy Forms should address how carriers deal with the defense of regulatory matters. For the cost to defend the insured against investigation, some carriers will provide full policy limit. Others will have a sublimit and some forms may only cover costs if there is a civil suit.
Michael Carr, director of Information Technology and Cyber Liability at Markel Shand, refutes the common belief that the majority of data breaches covered by cyber liability policies occur on public Internet space. Carr states that most claims occur on companies’ networks where their client’s personal data is stored. A common misconception among many agents and insurers is that a client does not need cyber liability coverage if their business is not involved in e-commerce.
Paper records should be another concern as Carr states: “An awful lot of confidential information is still stored on paper. Businesses have the same duty to protect that as electronic forms. Many but not all (coverage) forms extend to paper records.”
Source: Big I E Newsletter, September 2009
