On June 22, 2017, The New York Times carried an article whose headline said “A Cyberattack ‘the World Isn’t Ready For’”. It was about the IDT Corporation, which was attacked in April with two cyberweapons stolen from the National Security Agency.
Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. No doubt it was destructive. But the attack on IDT was much worse, and with all eyes on the WannaCry destruction, few seemed to be paying attention to what had happened to IDT’s systems.
The strike on IDT was similar to WannaCry in one way: hackers locked up IDT data and demanded a ransom to unlock it.
But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines.
Worse, the assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts or the F.B.I., which remains consumed with the WannaCry attack.
IDT learned of the attack only when a contractor, working from home, switched on her computer to find that all her data had been encrypted and that attackers were demanding a ransom to unlock it. IDT might have assumed that this was a simple case of ransomware.
However, the ransomware was installed only after the attackers had made off with the contractor’s credentials. They encrypted her computer and demanded $130 to unlock it, in order to cover up the more invasive attack on her machine.
The attackers compromised the contractor’s computer through her home modem.
Even worse, the chances that IDT was the only victim of this attack are slim. Only recently, researchers detected an attack on restaurants across the United States that uses “fileless” malware, which goes undetected by virtually all antivirus products on the market.
Moral of the story #1: It’s a jungle out there; no one is safe.
Moral of the story #2: You need insurance.
Small and medium-sized businesses, and business individuals, hold on to a deep-rooted confidence that they are off the radar. Wrong. Any business that goes online has cyber risk. It’s that simple. The Hollywood stereotype of hackers who attack government facilities and big banks is simply not true. Their intent is rarely world domination. It’s usually just to get their hands on anything they can turn into money, and your data will do nicely. Whether it’s design plans, medical records or good, old-fashioned payment card details, someone, somewhere will see it as their meal ticket. Most cybercriminals are not fussy about who they steal from. Besides, it is easier for a hacker to infiltrate a high volume of small and medium-sized businesses than one large organization with stronger controls. Small businesses can be practice grounds for aspiring hackers too.
Unfortunately, everyone thinks it isn’t going to be them. Until it is.
Another widespread fallacy is that outsourced data is fully protected. On July 12, 2017, ZDNet reported that millions of Verizon customer records had been left exposed in a loosely secured database by an Israeli technology company. As many as 14 million customer records, gathered over the previous six months from the largest telecommunications company in the United States, were found on an unprotected Amazon storage server controlled by Nice Systems.
The belief is that outsourcing data storage and processing will completely transfer the organization’s risk and potential liability to the outsource provider. This is NOT true. The organization that owns the data ultimately has responsibility for it. While there may be some shared liability with outsource providers, most have limit-of-liability provisions in their contracts. Further, determining liability is a lengthy process, and one an organization will be hard pressed to devote time to while responding to a breach.
And there are also those who rely on “adequate” security technology. While technology controls are important and part of the solution, cyber risk at its core is a people risk. According to research, 69% of cyber breaches are due to an organization’s employees and can stem from a lost laptop, a disgruntled employee, inadequate cyber awareness training or hiring unqualified staff. Therefore, it is important to also devote attention and resources to people solutions, such as employee engagement, awareness training, and hiring the appropriate IT security specialists.
Insurance provides another layer of protection: financial protection, that is.
Should your business buy cyber risk insurance?
It’s still important for you to consider cyber insurance even if your organization isn’t providing a technology professional service.
Both Business to Business (B2B) and Business to Consumer (B2C) organizations should understand their cyber risk and consider cyber insurance as a method of risk transfer.
For B2B organizations, it’s easier to understand why cyber insurance is important. When dealing with other businesses, there may be contractual requirements that require organizations to carry cyber insurance or technology professional services coverage.
If an organization is providing technology professional services, it’s important for it to pair technology professional services coverage with cyber liability insurance, as there’s an overlap in coverage. If an organization isn’t providing a technology professional service, it’s still important for it to consider cyber insurance, which can provide balance sheet protection for both first-party losses (out-of-pocket expenses, e.g., business interruption, data restoration, and cyber extortion) and third-party liabilities (lawsuits alleging financial harm as a result of an organization’s errors or omissions).
For B2C organizations, the historical buyers of cyber insurance were industries that held a lot of records (e.g., retail, healthcare and education); however, more recent cyber claims have affected other industries such as manufacturing, nonprofits and critical infrastructure.
Small and medium-sized businesses, and business individuals, do need cyber insurance, as does any business that goes online.
At EXL Consulting we specialize in cyber insurance and we are there to help.