Introduction by Michael Sacco
Cybersecurity is increasingly important for small and mid-size companies to consider - and the apparel and consumer goods space is not exempt. No matter the industry, hackers are after bank accounts, email addresses, social security numbers, intellectual property and anything else that might be used for monetary gain. Although large companies tend to make headlines when they are cyber-attacked, the majority of cyber-attacks impact small to medium size businesses.
John Farley, vice president and cyber risk consulting practice leader for HUB International's risk services division, shares why companies should make it a top priority to increase their awareness on protecting financial information, intellectual property and company reputation. In his article, learn more about the threats of cybersecurity and how small and middle market companies can avoid a breach and understand the risks, liabilities and insurance coverage gaps...
Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social security numbers, W-2 forms, payment cards, and intellectual property have significant value on the black market and provide motivation for hackers to steal.
Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud. One emerging tactic involves what we have come to know as social engineering. This type of fraud occurs in a multi-stage process. Criminals first gather information, then form relationships with key people, and finally execute their plan.
By exploiting our natural tendencies to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims from across the United States were defrauded of almost $800 million. The average loss amounted to $130,000.
There are several methods of social engineering that are seen frequently, including the following:
- Bogus Invoice: A business with a long-standing supplier relationship receives an emailed request to wire payment for an invoice to a new, fraudulent bank account. The email closely mimics the supplier's legitimate address and would take very close scrutiny to identify as fraudulent.
- Business Executive Fraud / Email Phishing: The email accounts of high-level executives (CEO, CFO, etc.) are spoofed or compromised. From that account, a request for a wire transfer or other sensitive information is sent to someone responsible for processing transfers. The demand is usually framed as urgent or time sensitive so that the recipient skips normal verification.
- Interactive Voice Response/Phone phishing (aka vishing): Using automation to replicate a legitimate sounding message that appears to come from a bank or other financial institution and directs the recipient to respond in order to “verify” confidential information.
- Dumpster diving & forensic recovery: Sensitive information is collected from discarded materials such as old computer equipment, printers, paper files, etc.
- Baiting: Malware-infected removable media, such as USB drives, are left where an employee is likely to find them. When the employee plugs the drive into a company computer, the malware gives criminals a foothold from which they can exfiltrate valuable data.
- Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility, or by presenting themselves as someone who has official business with the company.
- Diversion: Misdirecting a courier or transport company and arranging for a package or delivery to be taken to another location.
How to avoid being defrauded in the first place
Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures:
- Educate your employees so that they can learn to be vigilant and recognize fraudulent behavior.
- Establish a procedure requiring any verbal or emailed request for funds or information transfer to be confirmed in person or by phone with the individual supposedly making the request, using a phone number already on file rather than one supplied in the email itself.
- Consider two-factor authentication for high-level IT and financial functions, and dual signatures on wire transfers greater than a certain threshold.
- Avoid free web-based email and establish a private company domain and use it to create valid email accounts in lieu of free, web-based accounts.
- Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details; this is exactly the information criminals gather in the first stage of the scheme.
- Do not open spam or unsolicited email from unknown parties, and do not click on links in such email. These often deliver malware that gives attackers access to your computer system.
- Do not use the "Reply" option to respond to any financial emails, because a reply goes to whatever Reply-To address the sender chose. Instead, use the "Forward" option and type the correct email address or select it from the address book, so that the message reaches the intended recipient's real address.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, or asks that a supplier's bank details be changed, the request could be fraudulent.
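The bogus-invoice and executive-fraud emails described above share a few header-level tells: a sender domain that is one character off a trusted partner's, a known colleague's display name on an unrelated mailbox, or a Reply-To that silently redirects the "Reply" button to the attacker. The following is an added example, not code from the article or from HUB International, that checks constructed message headers for those tells. The trusted domains, the contact list and the sample messages are hypothetical placeholders.

```python
"""Flag e-mail headers showing hallmarks of bogus-invoice / executive-impersonation
fraud.  All domains, names and messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical trusted domains and known contacts (display name -> expected domain).
TRUSTED_DOMAINS = {"acme-apparel.example", "fabricsupply.example"}
KNOWN_PEOPLE = {"jane doe": "acme-apparel.example"}


def _normalize(domain):
    """Collapse common look-alike substitutions (rn->m, 0->o, 1->l, ...)."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        if (_normalize(domain) == _normalize(trusted)
                or _edit_distance(domain, trusted) <= 2
                or label == trusted.rsplit(".", 1)[0]):   # same name, other TLD
            return trusted
    return None


def check_message(raw):
    """Return a list of header red flags for one raw RFC 822 message (empty = none)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # 1. Reply-To pointing elsewhere: "Reply" would answer the attacker.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain "
                        f"{from_domain!r}; replying answers the attacker")
    # 2. Sender domain is a near-miss of a trusted partner domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} imitates trusted {imitated!r}")
    # 3. Known colleague's name on a mailbox outside the expected domain.
    expected = KNOWN_PEOPLE.get(from_name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name {from_name!r} is a known contact but the address "
                        f"is at {from_domain!r}, expected {expected!r}")
    return findings


# Constructed sample messages (not real correspondence).
BOGUS_INVOICE = """From: Accounts <ar@fabricsuppIy.example>
Reply-To: ar@fabricsuppIy.example
To: ap@acme-apparel.example
Subject: Updated remittance details for invoice 4471

Please wire payment for the attached invoice to our new account.
"""

CEO_FRAUD = """From: Jane Doe <jane.doe@gmail.example>
Reply-To: jane.doe.ceo@mail.example
To: cfo@acme-apparel.example
Subject: URGENT wire needed today

I'm in meetings all day, please process the transfer below and confirm by email only.
"""

LEGIT = """From: Jane Doe <jane.doe@acme-apparel.example>
To: cfo@acme-apparel.example
Subject: Q3 numbers

Can you send me the Q3 summary when it is ready?
"""

if __name__ == "__main__":
    for name, raw in (("bogus invoice", BOGUS_INVOICE),
                      ("executive fraud", CEO_FRAUD), ("legitimate", LEGIT)):
        print(name, check_message(raw) or ["no header red flags; still verify by phone"])
```

A clean result is not proof of legitimacy: a genuinely compromised executive mailbox passes every header check, which is why the phone call-back to a number already on file remains the control that matters.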
Despite these efforts, organizations can still fall victim to a social engineering scheme. Such incidents can be reported to the joint FBI/National White Collar Crime Center Internet Crime Complaint Center (IC3) at www.ic3.gov.
The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat since these incidents often involve the compromise of personally identifiable information, which can be later used for identity theft of multiple people. This will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. This often leads to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.
Fortunately, the insurance industry has developed insurance policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers while cyber insurance policies may cover costs related to unauthorized access of personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime policies to cover this situation.
Cyber insurance policies can be customized to offer coverage for the following:
- Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion, or corruption of a third party's electronic data; denial of service attacks against internet sites or computers; or transmission of viruses to third party computers and systems.
- Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information you had entrusted to them in the normal course of your business.
- Electronic Media Content Liability: Coverage for personal injury, and trademark and copyright claims arising out of creation and dissemination of electronic content.
- Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
- Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
- Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
- Network Business Interruption: Reimbursement of your loss of income and/or extra expense resulting from an interruption or suspension of computer systems due to a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
- Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate, or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.
In summary, businesses need to be vigilant in addressing the ever-evolving risks to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damage if they do. Turning your employees from your weakest link into your greatest asset in this battle is one way. Transferring risk to insurance products is another.
About the author: John Farley, Vice President and Cyber Risk Services Practice Leader at HUB International, has 24 years of experience in insurance and risk management. John leads HUB’s Cyber Risk division of consultants and brokers focused on assisting clients with achieving their risk improvement goals, providing advisory services and serving as a network security and privacy liability consultant. He helps clients with pre and post data breach services, applying his extensive knowledge in data breach response. For more information on HUB’s Cyber offerings, please visit www.hubcyberrisk.com.