Millions of people are being tricked into buying or downloading scareware or rogueware due to pop ups telling them their computer is infected. Users unknowingly click on the pop up and buy security software that steals their credit card information or spreads malware through Trojan Horses.
Once the computer is infected they not only become victims of fraud but also pay money for the so called “security software”. Victims report that they loss even more money to eliminate the malicious software.
Some important ways to protect yourself is to always be cautious of offers that pop up while you are already online. And be careful of what you download. Many large and small businesses use filters or blocks to protect their data. If you need security software, buy from a reputable vendor through their website.
Source: Matrix Consulting – Newsletter
“Risk is a function of the likelihood of a given threat source’s exercising a potential vulnerability, and the resulting impact of that adverse event on the organization.”
Due to the changing nature of cyber risk, IT risk managers must upgrade risk management strategies to focus on new areas of concern. In the past, primary attention was given to protecting computer infrastructure from losses caused by lapses of physical security, internet servers, networks, and rogue insiders. Now, attention must be expanded to applications and software used by the organization.
Due to stepped up risk management controls in the areas of improved network security, cyber criminals have turned their attention to less protected vulnerabilities in applications and software. In addition, the purpose of the attacks have morphed from causing embarrassment and denial of service to profiting from the theft of confidential financial and client information.
Cyber Attacks focus on the following areas:
* disrupting infrastructure operations
* posting confidential enterprise information online
* theft of intellectual property
* identity theft
* theft of confidential information
* confiscating or compromising online bank accounts
* spreading viruses on other computers
* malicious insiders seeking revenge
* use of internet launched viruses, malware, trojans, phishing, botnets, other malicious code
A company’s risk analysis should include identification from among the following risks where primary attention should be given to those risks which present the largest loss potential by either their frequency or severity:
* identification of viruses on servers, workstations, and laptops.
* open ports on firewall
* which assets are currently being attacked
* which assets are most likely future targets
* Payment Card Industry (PCI) audit if credit cards are used
* HIPAA and HITECH audit for medical information if applicable
* various state confidentiality and data protection laws
See entire article for suggested risk management controls to reduce these risks.
Source: Resources, Winter 2010, Paul W. Burkett, The National Alliance For Insurance Education And Research
Online criminals are targeting small to midsized businesses according to the US Federal Bureau of Investigation. Hackers are getting away with over $100 million in bank fraud through malicious programs know as Trojans.
Trojans are planted into networks of target companies, stealing passwords to various online services such as fund management and online banking. This opens up ACH or Automatic Clearing House Network Fraud where hackers wire money from the victim’s accounts and into the accounts of money “mules” that launder the money for a profit. Criminal masterminds positioned in other countries such as China and Russia receive the funds since they are out of the reach of US law enforcement.
The small and midsized businesses are favored because hackers know they often lack the time and money to put stringent security controls in place. Even though this may be true there are ways to protect your business and yourself. Educate your employee’s about the risk and instruct them in basic security awareness. Also, use network security procedures such as web and mail filtering solutions, network firewalls, and antivirus software.
Source: US Federal Bureau of Investigation
I found an excellent bulletin from Travelers Insurance that describes the financial threats posed by funds transfer fraud and computer fraud and the need for specialized Crime Insurance Coverage. The Travelers coverage version, wrap +, includes both Electronic Funds Transfer and Computer Fraud coverages on a combined basis.
Here are some eye opening facts:
- According to a 2008 survey by Computer Security Institute, the average financial loss due to computer fraud was $289,000. The average loss due to funds transfer fraud was $500,000.
- Pfishing scams, Trojan horses, key loggers and other techniques allow hackers to gain control of online banking transactions and to circumvent normal online authentication controls.
- Internal controls such as antivirus, firewalls, and employee training are critical, but not enough for 100% protection.
- Specialized Financial Insurance coverages should be purchased to protect against this risk.
Electronic Funds Transfer Fraud Claim Examples:
- The bank of a victim company allegedly sent a letter explaining a new security program. The company received the email that appeared to be from the bank and an employee opened the email. Opening the email allowed a Trojan horse virus access, which read keystrokes from the company’s computer, thereby allowing the perpetrator to obtain banking and password information. A fraudulent electronic wire transfer was initiated and the company lost $683,000.
- Finance director of a company opened an attached zip file in an email that contained a virus. The user ID and password to the company’s account with its bank was obtained through code inserted by the virus. A fraudulent electronic wire transfer totaling $147,000 was initiated by criminals from the company’s bank account to an unknown bank account in Arizona. The immediate withdrawal was unrecoverable.
- Payroll supervisor logged on to the payroll account for the company and noted that three payments totaling $704,632 had been wired from the account. The transactions were reported to the bank as unauthorized and the account was shut down. Unfortunately, $238,781 was not recovered.
Computer Fraud Claim Examples:
- An employee of a customer of a company hacked into the company’s website and changed the bank routing and account numbers to her own. When the company paid her employer for services rendered, she fraudulently received the funds in her account.
- A former employee used his supervisor’s password to enter the insured’s unlocked building and gained access to use the supervisor’s computer. Using his bank routing number, he activated transactions to receive fake reimbursements allegedly made to the company’s customers.
Source: Travelers Bond & Financial Products, Bulletin, 11-09
Sadler Tech Insurance And Risk Management Blog is ranked 14th best Nationally by Risk Management Masters, an online resource specializing in Insurance Risk Management.
We are proud to be recognized as an important source for technology insurance and risk management information and strive to educate our prospects, clients and the public on these topics.
Source: “Top 50 Risk Management Blogs”
For the first time, major international corporations are reporting higher fraud losses more from electronic theft of data than from physical stealing of assets, cash and inventory. With 98 percent of businesses affected, China appears to have the highest level of fraud followed by Colombia with 94 percent and Brazil at 90 percent.
A recent study performed in 2010 showed that the amount lost by businesses to fraud rose from $1.4 billion to $1.7 billion over the previous year. The majority of fraud losses have been from “inside jobs” carried out by company employees.
“How much fraud there is depends more on opportunity than anything else,” Tommy Helsby, Kroll chairman for Europe, Middle East and Africa, told Reuters. “Much more work is done electronically, and that creates new opportunities for fraud. It takes time for companies to catch up with that. There’s a real range of dangers,” said Helsby. “‘It can be simple theft or the risk of reputational damage if your firm loses customer data. That itself could be an existential threat to your business.”
Many companies are discouraged from expanding in some crucial emerging markets, China, Africa, and Latin America due to their suspicions over fraud.
“That means you miss out on some of the fastest growing markets,” said Helsby. “You can’t make the risk go away, but you can manage it through having the right systems in place.”
With fraud losses at an all time high, Cyber Liability insurance is a critical part of the risk management plan of any major corportation.
Source: Insurance Journal
I came across an eye opening article from Chartis Insurance Company about real claims scenarios of payments made by their Executive Liability policy form. Most of the payements are over $1,000,000 and involve data breach caused by hackers and rogue employees.
Read Article: Security & Privacy Claims Marketing Sheet
Source: Chartis Insurance Company, Security & Privacy Claims Scenarios, September 2010
Due to the overwhelming information that has been flowing over the internet as the WWW gets stronger, we thought that it was best to revisit the question of “How Private is Your Personal Information?”. More so, as a tech, are you responsible if your CLIENTS INFORMATION? Your thoughts?
I ran across an excellent web page that reminds us how seemingly private communications may not really be private and can be spread and detected for many years and possibly forever. The article discusses the pitfalls of hard drives, laptops, smart phones, social networks, Google caches, and fax machines.
“Online is Forever,” there are millions of old, orphaned web pages out there whose creators can’t access them to change them or take them down, Google caches pages so that web searches can still see them even after they have been removed from the web server, and backups of ancient data still languish on the shelves of numerous server rooms.
Source: WXPNews, May 4, 2010
“Cyber liability coverage has evolved from just liability insurance for information technology companies to coverage that nearly every class of business should have if they don’t already.” Many businesses including banks, restaurants, retailers, and medical offices are unaware of the great security technology exposure they face.
In addition, the internet is not the source of all data breach problems. Lower tech breaches commonly arise that are caused by leaving password notes out in plain view, theft of laptops, and improper disposal of medical records.
“Recent state laws require companies that have experienced a security breach to notify all customers that could be affected by the breach that their information has been compromised, even if the information hasn’t been used. In most cases, the notification also includes an option of one year credit monitoring services and a new card or account number for customers.”
More than 40 states have data breach notification laws and insurers expect a federal cyber notification law at some time in the near future. The average per customer cost for a security breach is $15 and this does not include loss of reputation.
Source: http://www.mynewmarkets.com/articles/107853/security-breach-notification-laws-reinforce-need-for-cyber-insurance
