A hospital experiences a potential HIPAA breach involving the protected health information (PHI) of tens of thousands of patients.
A family’s financial records are exposed after a hacker infiltrates the home network through the kids’ video game console.
An investment banker pays a ransom to unlock his yacht’s navigation systems hacked on an unsecured WiFi network.
A targeted spear-phishing attack causes the data on an organization’s servers and computers to be encrypted, resulting in the organization going offline for more than two full business days.
These are not hypotheticals, but recent cyberattacks that have wreaked havoc inside and outside the workplace. Successful individuals and companies make tempting targets for organized criminals seeking to steal money or ruin reputations, and for state-sponsored attackers looking for corporate intellectual property and trade secrets.
And these attacks aren’t only affecting high-profile individuals and huge companies. Many cyberthreats are designed to spread indiscriminately, making any one person or institution a potential victim if improperly prepared.
“We’re seeing an increase in attacks and they’re becoming more destructive and disruptive,” said Tracie Grella, global head of Cyber, AIG. “But companies can take steps to better protect themselves, learn about what’s out there, and protect the consumer as well.”
To help manage the risk, individuals and companies need an end-to-end strategy and expert support to implement it.
The solution starts with prevention
The first step in managing a cyberattack is to take steps to avoid it altogether—and if you can’t, to respond appropriately and recover quickly.
At work, company leaders and employees should be in constant dialogue with the IT department and information security officer on cybersecurity best practices and the latest corporate threats.
Dan Ennis, head of threat intelligence and operations at BlueteamGlobal, emphasizes the role of leadership in an effective cybersecurity strategy: “Folks throw dollars at the cybersecurity problem but, if there's not a commitment and understanding that starts with senior leadership, then, very often, it's to little effect,” said Ennis. “It's about planning and prioritization at the highest level.”
At home, where IT support doesn’t usually exist, individuals can consult experts who specialize in home cybersecurity. These experts can help equip you with basic tools and techniques to lower cyber risk dramatically.
Jordan Arnold, senior managing director and head of private client services at K2 Intelligence, lays out how this process works: “We often start with a Cyber HouseCall, where we look at the full spectrum of individuals, accounts, devices and networks, and identify weaknesses and vulnerabilities,” said Arnold. “Through that process, which is both technical and educational, we help raise clients’ safety, security and privacy postures.”
But even the best preventative efforts sometimes fall short given the evolving nature of cyberthreats. “The tool sets and tactics that attackers use have improved dramatically over the last couple of years and therefore the threat situation has become more serious,” said Jim Rosenthal, CEO of BlueteamGlobal, a cybersecurity services firm.
As various forms of cyberthreats continue to plague companies and individuals, a solid strategic foundation and expert help are essential to operating confidently in today’s world. And given the abundance of attacks today, insurance policies that help safeguard against data breaches, financial losses and physical damage resulting from an attack are becoming more common.
The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce that publishes technology standards and best practices, developed just such an approach in its Cybersecurity Framework, whose five core functions (Identify, Protect, Detect, Respond, Recover) organize how governments and businesses manage cyber risk. The approach fits individual needs as well.
01 YOUR PASSWORD PROTOCOL
How similar are the passwords you use across different accounts?
Big mistake. Most consumers underestimate the risk of using the same or similar passwords: a password stolen in one breach is routinely tried against every other service the victim uses. The ways individuals usually modify passwords, like changing a digit or substituting a punctuation mark for a letter, are the first variants an attacker’s tooling tries.
Good thinking. Use a different, never-before-used password for each site, and change a password as soon as the site that holds it reports a breach. A password manager app like Dashlane or LastPass generates and stores these for you, so you never have to remember or reuse one.
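The following script illustrates the point of this quiz item: the "different" passwords people use across accounts usually collapse to one guessable core once the year, trailing punctuation and digit-for-letter swaps are undone. It is an added example, not code from the article or from any of the firms quoted; the account list is constructed sample data, and the canonical() heuristic is the editor's own and models only the edits the quiz mentions.

```python
"""Flag reused passwords and the predictable "variants" people use in their place.

Added example, not from the original article or its sources. The account
list below is constructed sample data; canonical() is a heuristic that models
only the edits the quiz describes (changed digits, punctuation for letters).
"""
import re
from itertools import combinations

# Digit/punctuation substitutions that attackers' wordlist rules undo first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Leading/trailing runs of digits and punctuation (e.g. the year and "!" in
# "Summer2017!"). "@" and "$" are kept because they stand in for letters.
EDGE = re.compile(r"^[^A-Za-z@$]+|[^A-Za-z@$]+$")


def canonical(password: str) -> str:
    """Reduce a password to the core an attacker would recover from it."""
    core = EDGE.sub("", password)
    return core.translate(LEET).lower()


def find_reuse(accounts: dict) -> list:
    """Return (site_a, site_b, reason) for every pair of accounts whose
    passwords are identical or differ only by a predictable edit."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(accounts.items(), 2):
        if pw_a == pw_b:
            findings.append((site_a, site_b, "identical"))
        elif canonical(pw_a) == canonical(pw_b):
            findings.append((site_a, site_b, "predictable variant"))
    return findings


def sites_to_rotate(accounts: dict) -> set:
    """Sites whose password shares a core with at least one other site."""
    flagged = set()
    for site_a, site_b, _ in find_reuse(accounts):
        flagged.update({site_a, site_b})
    return flagged


# Constructed sample: one person's passwords across sites.
SAMPLE_ACCOUNTS = {
    "bank": "Summer2017!",
    "email": "Summer2018!",
    "shopping": "summer",
    "work-vpn": "$ummer17",
    "gaming": "P@ssw0rd",
    "forum": "P@ssw0rd",
    "backup": "k9#Vt2!mQz8rL",   # unique, generated by a password manager
}

if __name__ == "__main__":
    for site_a, site_b, reason in find_reuse(SAMPLE_ACCOUNTS):
        print(f"{site_a} and {site_b}: {reason}")
    print("rotate:", sorted(sites_to_rotate(SAMPLE_ACCOUNTS)))
```

Six of the seven sample accounts are flagged; only the manager-generated password survives. A password manager's own audit view performs the same check across your real vault without you having to write anything.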
02 INTERNET OF THINGS PASSWORDS
Do you treat passwords for connected “things” the same way you do for other accounts?
You’re opening yourself up to major physical security risks. Today, there are 10 to 20 billion connected devices. In five years, there could be 40 to 50 billion. Many ship with default credentials that consumers, and even professionals, never change, and attackers scan for exactly those. Treat IoT devices like computers and follow the same, or even stricter, protocols for securing them.
Well done. You’re aware that the wide range of communication protocols, standards and capabilities makes IoT devices even more complex to secure. So authentication needs to be even more robust, and may involve replacing the login-password combination with biometrics or other factors.
03 BUSINESS EMAIL COMPROMISE
At your company, are most employees trained on phishing techniques and prevention?
91% of all cyberattacks start with a phishing email. Your business is likely to become one of them if your employees have not been trained specifically on what to look for. Then test them repeatedly to ensure they make the right choices.
Well done, but it’s probably not enough. Training fades: to make sure employees won’t fall prey to a scam, test them regularly with simulated phishing emails and retrain those who click.
How often does your business software get updated?
Data security standards such as PCI DSS require critical security patches to be installed within one month of release, and even that is too slow for bugs that are being actively exploited.
You’re diligent, but even monthly may not be enough for some patches; critical ones need to be expedited. Many enterprises pull updates into a test environment the day they are released, verify them there, and only then roll them out to production.
Who has access to important business applications or sites within your company?
Defaulting to broad access opens your company to serious exposure, and you’re not alone: most managers underestimate insider threats. Define permissions for applications and sites by job function (least privilege). Industrial system operators don’t need access to billing or administrative files, and vice versa. When you decide who gets access, assume any account could end up in an attacker’s hands, whether its owner is malicious or simply phished.
You’ve made the right choice. Still, companies that restrict access can get lax when it comes to former employees or contractors: in one survey, 89% of former employees retained access to at least one system, including email, and 49% logged in after leaving. Make sure human resources notifies IT the day someone leaves so that every account and credential is disabled immediately.
Sources: Carnegie Mellon and Penn State University study, 2016; The Internet of Things: Evolution or Revolution?, AIG, 2015; 2016 Enterprise Phishing Susceptibility and Resiliency Report, PhishMe; PCI Security Standards Council, PCI DSS v3, 2016; “The Danger from Within,” Harvard Business Review, 2014
CYBERSECURE YOUR WORLD
What makes the biggest difference when protecting yourself or your company from a cyberattack?
You. Human error is involved in almost every cyber breach. Technology works, but people make errors.
Avoiding many of these errors just takes some basic knowledge. See how you rate at some of the elementary but effective techniques for cybersecuring your world.
Identify threats and vulnerabilities
The first step to crafting a formidable cyber defense is discovering vulnerabilities and gaps in security. This process begins best with a professional cybersecurity controls assessment, which measures an organization’s or individual’s cybersecurity maturity and should result in a prioritized to-do list. These assessments typically start with an inventory of devices, systems, software and applications, because you cannot protect what you don’t know you have.
Next comes a risk assessment that evaluates the threats and vulnerabilities specific to the person or company. Finally, technical testing, including vulnerability scans and penetration tests, checks the infrastructure for exploitable weaknesses so they can be remediated.
Paul Ferrillo, an attorney focused on cybersecurity and data privacy, agrees that the initial assessment is critical. "The importance of a thorough vulnerability assessment cannot be overstated,” said Ferrillo. “And what cannot be 100% controlled can perhaps be insured against with a standalone cyber policy."
Protect assets, data and reputation
At home, Arnold advises having protocols and controls in place that govern access to sensitive systems, even for highly trusted staff. Effective access control should also leave an audit trail of user activity: if an attack occurs, response teams need to be able to tell who has been active in the system and who shouldn’t have been there.
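The following script puts the two access-control points into working form: the quiz item above (grant by job function, and cut off leavers) and the audit-trail point here (who was active, and who shouldn't have been). It is an added example, not code from the article or from any of the firms quoted; the role names, users, account state and the log format ("<ISO time> LOGIN user=... app=... result=...") are constructed assumptions for illustration.

```python
"""Least-privilege grants and a leaver audit over authentication logs.

Added example, not from the article. Role names, users, the account state
and the log format ("<ISO time> LOGIN user=... app=... result=...") are
constructed assumptions for illustration.
"""
import re
from datetime import date

# Job function -> applications that function needs. Anything not listed
# is denied: there is no catch-all "everyone" role.
ROLE_APPS = {
    "ics-operator": {"scada-hmi", "maintenance-tickets"},
    "billing": {"invoicing", "erp-finance"},
    "admin-assistant": {"erp-hr", "travel"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ LOGIN user=(?P<user>\S+) "
    r"app=(?P<app>\S+) result=(?P<result>\S+)$"
)


def is_allowed(user_roles, app):
    """Deny by default: allow only if some role the user holds needs the app."""
    return any(app in ROLE_APPS.get(role, set()) for role in user_roles)


def excess_grants(user_roles, grants):
    """Apps each user currently holds that none of their roles justify."""
    excess = {}
    for user, apps in grants.items():
        extra = {a for a in apps if not is_allowed(user_roles.get(user, set()), a)}
        if extra:
            excess[user] = extra
    return excess


def audit_leavers(terminated, enabled_accounts, log_lines):
    """Flag accounts of departed people that are still enabled, and any
    successful login by such an account after the departure date."""
    findings = []
    for user in terminated:
        if user in enabled_accounts:
            findings.append((user, "account still enabled", None))
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None or m["result"] != "success":
            continue
        left = terminated.get(m["user"])
        if left is not None and date.fromisoformat(m["ts"]) > left:
            findings.append((m["user"], "login after departure", line))
    return findings


# Constructed sample data: roles, current grants, HR leavers, account state, log.
USER_ROLES = {"bwong": {"ics-operator"}, "cnguyen": {"billing"}}
GRANTS = {"bwong": {"scada-hmi", "erp-finance"}, "cnguyen": {"invoicing"}}
TERMINATED = {"jdoe": date(2017, 2, 28), "asmith": date(2017, 1, 15)}
ENABLED = {"jdoe", "bwong", "cnguyen"}
AUTH_LOG = [
    "2017-01-14T17:02:40Z LOGIN user=asmith app=invoicing result=success",
    "2017-03-02T08:15:11Z LOGIN user=jdoe app=email result=success",
    "2017-03-05T22:41:03Z LOGIN user=asmith app=erp-finance result=failure",
    "2017-03-06T09:00:00Z LOGIN user=bwong app=scada-hmi result=success",
]

if __name__ == "__main__":
    print("excess grants:", excess_grants(USER_ROLES, GRANTS))
    for user, reason, line in audit_leavers(TERMINATED, ENABLED, AUTH_LOG):
        print(f"{user}: {reason}" + (f" ({line})" if line else ""))
```

On the sample data the operator holds a finance application his role does not justify, and the account of someone who left in February is both still enabled and used successfully in March. The same two checks, run daily against the real HR feed, identity store and authentication log, are what turn "HR removes access" from a policy into something you can verify.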
Grella notes that it’s important to create a culture of cybersecurity through education and conversation. “You have to train everyone on cyberawareness,” she says. “Human error is involved in almost every breach.”
And at the office, employers have to contend with an increasingly blurry line between personal and professional. “Attack factors cross-over from people’s personal lives to their work lives because of how they connect,” said Rosenthal. “The nature of the threat is the same. So corporate protections have to be prepared and assume some level of cross-over.”
Detect attacks on all devices, including IoT
A robust detection strategy for all devices should combine hardware, monitoring, threat intelligence, analytics, and experts available to answer questions and respond immediately if an attack occurs.
As protective technology evolves, it’s also important to stay up-to-date on the latest tools for combatting attacks. “New endpoint monitoring tools are leveraging self-learning technology to recognize what is normal and anomalous behavior for a device,” said Arnold. “In a ransomware attack, for example, the software or tools can block the attack, notify a security firm, and let us remotely assess and remediate the attack.”
Respond using plans in place and professional help
To counter a cyberincident, you need legal, forensic and public relations plans in place, and you need to rehearse them to ensure you’re prepared. Even the best-laid plans will change quickly once an attack is underway, so practice is essential.
And companies or individuals trying to do it all on their own could seriously hamper their preparedness and ability to react during a fast-moving scenario. “Get help from a professional,” Arnold advised. “If a non-technically skilled victim suffers a ransomware attack, a person trying to self-remediate could prompt the threat actor to go dark or destroy evidence needed to investigate and resolve the situation.”
Be aware that what you do online can create serious vulnerabilities offline. Let experts with cybersecurity and private-investigation skills manage and resolve genuine threats, especially when negotiation or payment is involved.
AIG, for example, partners with trusted cybersecurity experts for this exact reason. If you don’t have the expertise yourself, it’s best to turn to those who do and who constantly monitor the changing landscape.
Recover and learn from the attack
To recover, you need to restore the systems and data impacted by the breach, ideally from backups taken before the compromise and verified clean, and only after the attacker’s access has been removed so the incident does not simply recur.
Communicate promptly and honestly with trusted partners, customers and critical internal and external parties. That’s the best foundation for repairing your reputation and mitigating the damage.
If your company is at fault, accept responsibility and invite dialogue. Be sure to help your customers deal with any adverse impacts and consider special offers to mitigate damages. Then incorporate the lessons learned into future plans.
For individuals, an honest conversation with trusted partners and service providers will help them assist you. In high-profile situations, there are public relations firms that specialize in cyberattacks and can help.
And most cyber insurance policies provide coverage and resources to help with event response and recovery. Don’t forget to utilize those benefits.