October is National Cybersecurity Awareness Month (NCSAM), a joint initiative of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) to disseminate cybersecurity facts and best practices and to promote free resources that make organizations and individuals safer and more secure.
Recent cybersecurity threat data is staggering. Symantec’s latest Internet Security Threat Report showed that in 2018: one in 10 URLs was malicious; 55 percent of all emails received were categorized as spam; and 48 percent of malicious email attachments were Microsoft Office files.
Considering that by year’s end more than a third of the global population will use email—2.9 billion users worldwide—and that 269 billion emails were sent and received each day in 2017, the number of people exposed to cybercrime is alarming.
Preventing attacks with firewalls, antivirus software, malware detection and multifactor authentication is certainly an important component of any organization’s cybersecurity strategy, according to Neil Gurnhill, CEO, Node International, London, England—an insurance and underwriting company solely focused on cyber and technology risk.
“Implement relevant procedures, emphasize checks and patching, make sure that all your systems are up to date, and also check the third parties that you engage with to operate your business,” Gurnhill said.
The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) 2019 Financial Trend Analysis reported a sharp increase in fraudulent vendor invoices delivered via email in 2017 and 2018, comprising 41 percent of total transaction amounts. The average fraudulent invoice amount was $125,439.
“Our most active area of (cybersecurity-related insurance) claims has to do with social engineering and basic (online and telephone) banking,” Gurnhill explained.
Gurnhill said that most incidents of fraudulent money transfers could be eliminated with two-factor authentication, which could be as simple as calling the account owner to verify that the transaction is legitimate. “Statistically, you are looking at about a 95 percent reduction (in cybersecurity-related fraud incidents) by just implementing simple things like two-factor authentication.”
Research from Microsoft and Google backs Gurnhill’s assertions. Microsoft’s findings show multifactor authentication reduces the chances an account will be compromised by almost 100 percent and Google data shows that two-factor verification phone prompts helped prevent 100 percent of automated bot attacks, 99 percent of bulk phishing attacks and 90 percent of targeted attacks.
Preparation is the best defense
When cybersecurity prevention efforts fail, a multifaceted preparation strategy can avert disaster and ensure a speedy and complete recovery, emphasized David Derigiotis, Certified Information Privacy Professional, Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Michigan.
“So many organizations overlook preparation—what happens when prevention fails,” Derigiotis said. “You can have the highest budget possible dedicated to cybersecurity, and still it is only a matter of time before something happens. So preparation is just as important as prevention.”
A robust preparation strategy for any organization includes five key areas, according to both Derigiotis and Gurnhill:
- An incident response plan
- Cyber & Privacy Insurance protection
- Employee training and awareness
- Identifying key cybersecurity stakeholders
- Awareness of third party-related data risks
1. Make a plan
Organizations create comprehensive processes and devote significant resources to planning for disasters like fires, severe weather and terrorist attacks. According to Derigiotis and Gurnhill, cyberattacks merit the same consideration and organizations ignore them at their peril.
“It is a fire drill,” said Derigiotis. “So many organizations are not prepared to go through the motions properly once something happens.”
Having an incident response plan in place helps organizations on a variety of fronts, he said, including averting negative publicity. “It can mean the difference between responding correctly or getting a ton of negative PR because you could not take the right steps or notify people properly or in a timely manner,” Derigiotis said. “That can have huge consequences in terms of reputation and loss of revenue.”
“A disaster recovery plan, which should include a Cyber Insurance policy, is essential,” said Gurnhill. “It used to be that you would either have a Cyber Insurance policy or a contingency and recovery plan, but now, you should have a plan that includes a Cyber Insurance policy.”
2. Cyber & Privacy Insurance: more than financial safeguards
Cyber & Privacy Insurance can help an organization bear all costs associated with a cybersecurity incident, such as legal defense and settlements, regulatory compliance and penalties, and losses due to business interruption, closed accounts or lost clients. In addition, a Cyber & Privacy Insurance policy can help businesses prevent, prepare for and respond to a security breach with a variety of resources.
“A Cyber & Privacy Insurance policy can help provide an organization with resources to respond to a security breach in a timely manner,” said Derigiotis. “It includes access to the right vendors: a cybersecurity company, privacy attorneys and law firms to help you through the entire process.”
Resources that inform best practices are also available as part of a Cyber & Privacy Insurance policy, said Derigiotis, such as templates for agreements with third parties, and guidance and support for employment training and incident response plans. “The insurance policy comes equipped with resources that will improve the overall security posture of any organization. We are talking about more than just insurance. This is about cyber and privacy risk management.”
“We are all about detection, prevention and if the worst happens, covering that cost, but also then making policyholders more cyber resilient after they have been a victim of some sort of attack,” Gurnhill said.
3. Empower and inform employees
“Employees should know how to spot phishing emails, respond to receiving them, and properly report them so that they can block them from coming through,” Derigiotis stressed. “When you make employees aware, give them proper guidance, empower them to make the right decisions, and do not penalize them for making mistakes, you create more of a privacy- and security-centric environment.”
Derigiotis also pointed out that employees often use their company-issued email address for personal or work-related purposes on third-party websites. “If (your employees) are using the same password and email address to log in at work, that opens (your business) up in ways you never even realized before.”
Employees should know how to authenticate emails and be made aware that fraudulent emails may appear to come from colleagues, Derigiotis said. Free services such as VirusTotal that allow users to check whether suspicious URLs or email attachments contain malware or other threats are also helpful, he added.
“(Employee) education, if you are insured by Node, is provided for you at no extra cost,” added Gurnhill. “You are massively beefing up your internet security at no cost, hardening your processes and becoming more cyber resilient, which is a very cost-effective method of trying to stay one step ahead (of bad actors) and stay safe.”
4. Identify roles and responsibilities
The IBM and Ponemon Institute Cost of a Data Breach Study shows that simply forming an incident response team lowers the cost of a data breach by $360,000. Derigiotis and Gurnhill advise all businesses to also assign well-defined roles and responsibilities within that response team, so that when an incident occurs, key stakeholders know what to do and whom to contact at each stage of the process.
“It is so important to make sure that you not only have a plan in place, but that you have gone over it before it is a game-day situation,” said Derigiotis. “Every minute that goes by with a security incident is critical. You are under a microscope.”
“Much of cybersecurity is in the control of the user,” Gurnhill pointed out. “Education and processes are the answer to security threats, which is good because every business that has online banking, email, and telephone is susceptible.”
5. Identify third party-related risks
Many organizations rely on third-party applications, vendors, cloud services and more. If one of these services or vendors has a data breach, that creates liability around any client data that a company may have exposed via that third party, as well as cost for any of the company’s assets that may have been lost, damaged or otherwise compromised, Gurnhill and Derigiotis explained.
“If (a third party has) a data breach, it becomes your data breach, especially when it involves your client information,” Derigiotis said. “Outsourcing does not outsource your liability along with it. You really need to vet who you are partnering with because at the end of the day, you are on the hook for it if they experience a breach.”
Assume the worst and plan accordingly
“There have been so many data breaches that every single person should assume his or her information is out there,” said Derigiotis. “It is only a matter of time before somebody makes their way to you.”
He recommends that individuals request security freezes on their credit reports and opt out of websites that list personal information. “If you can remove your data from these different companies, that is a way to reduce your digital footprint so an attacker can accumulate fewer details about you,” he explained.
Gurnhill recommends the use of a password manager and steering clear of generic passwords. “With the individual consumer, (cybersecurity) is about knowing that something has happened, knowing what steps to take and actioning them quite quickly,” he said.
“Being aware is a big part of the battle,” Derigiotis said. “If you understand the threats and methods that attackers will use against you, you can better protect yourself—and awareness comes from preparation.”