cyber security Archives - World Risk Management

6 Reasons Data Is Key for Risk Management

Jun 19, 2019 | RIsk Management News

Originally posted on ClearRisk by Rebecca Webb.

An average organization only uses 50% of its available data for decision-making. This is significant when you consider 70% of late adopters base their decisions on gut feeling or experience, while 60% of best-in-class companies use data analytics when making decisions.

Data is powerful when used to its full capability; by using all available data, an organization can establish a clear competitive advantage. Storing and regularly accessing relevant information will allow your organization to save time and money while drastically improving decision quality. Below are some of the key benefits that data utilization can have on your organization.

1. Increased efficiency

In a well-established organization, it’s easy to continue doing a task the same way out of habit and convenience. Without referencing data, you may get stuck in a routine and not recognize internal flaws. Streamlining people, processes, and tasks will increase efficiency across the organization.

2. Better decision making

Analyzing your data will provide the information required to run the organization, such as what course of action is necessary and whether your strategies have been successful. To do this, you need to have the right kind of data; ensure that you collect relevant, accurate, and complete information.

The more data you store, the more information you will have to base your next decision on. This can lead to more creative and smart strategies as well as help you choose positive risks and pursue paths that will lead to growth.

3. Financial health

Using data effectively will allow an organization to save money. By consistently tracking and monitoring costs, prices, and other useful information, you can track when spending is higher than it should be. It can also flag problem areas or help you identify costs that you shouldn’t be incurring. Further, making a habit of storing data means you will have a quick and easy process if you are ever audited or when entering tax season.

4. Making a case for any project

No matter the business idea, there needs to be some data and information to support it. By accessing stored information, you will be able to analyze data and use it to support a proposed project. With the collected data, you will be able to present your case to supervisors or employees to prove that the decision would benefit the organization.

5. Increased accountability

Without storing data, it can be difficult to know when something isn’t as it should be. A thorough database can allow management to recognize signs of fraudulent activity. It will show employees that they are being monitored, increasing their accountability and ethical actions. If something does go wrong, your organization will be able to show it had some measures in place to try and prevent the incident, thus protecting brand reputation.

6. Preventative measures

Having data allows you to analyze it. This will let you identify and mitigate against threats, reduce repetitive losses and lawsuits, and even lower insurance premiums. For more detail about the benefits of data analytics, check out our next in-depth blog post!

Managing Risk In A Connected World

Nov 28, 2018 | Cybersecurity

As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.

Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.

With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.

Connectivity Creates Opportunities and Challenges

Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.

Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”

IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates a greater weakness that is very, very hard to get back after the fact and correct.”

Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”

Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.

“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”

“It’s a very complicated world that we live in right now because the attacker and defense problem is highly asymmetrical,” Roesch adds.

The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.

The Danger of Giving in to Ransomware

Ransomware is like a thug with a gun: “Pay up, or your data gets it!”

Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.

Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”

James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.

Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.

Instead, organizations can take steps to defend themselves against ransomware. These steps include:

Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.

User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.

Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.

The Human Factor

While following security best practices is essential to network security, many organizations remain unaware of or pay little attention to, the weakest link in the security chain: people.

It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.

Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”

Meet the Evil Entrepreneurs

In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.

Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.

Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.

Weighing Risk Against Benefits

Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”

Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”

In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.

Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”

Author: Forbes
Source: Forbes

‘Data breach fatigue’ may breed complacency about online security

Oct 17, 2018 | Cybersecurity

First, it was the Ticketfly hack in May. My email was among the 27 million accounts stolen from the events company.

According to the website Have i been pwned?, which monitors data breaches, my personal email has also been found in records stolen from sites like Tumblr and LinkedIn.

By the time the Ticketmaster and PageUp data breach notification emails landed in my inbox weeks later, my attitude had devolved from concern to extreme digital nihilism.

Am I suffering from data-breach fatigue?

Peter Singer, a strategist and senior fellow at New America who writes about cybersecurity, is worried that after all the hacks, data dumps and servers left unprotected, we may be tuning out.

Data breach fatigue

Troy Hunt, who runs Have i been pwned?, has seen the rate and size of data breaches grow since he founded the site in late 2013.

Rather than becoming fatigued, he suggested people simply accept such incidents are now “a normal part of online life”.

“I’m actually finding … that people are judging companies less on the fact they’ve had [a data breach], and more on how they’ve dealt with it,” Mr. Hunt said.

What should I do after a data breach?

Change your account password and get a password manager
Report financial losses to the Australian Cybercrime Online Reporting Network
Check your bank account for unusual charges
If your credit card details have been lost, contact your bank
Be alert to any phishing emails

— The Conversation

We don’t yet know much about “data breach fatigue” as a measurable phenomenon, agreed Cassandra Cross, an online fraud researcher at the Queensland University of Technology.

“I don’t really think we know … whether people are making choices to do things differently, [or] whether they’re just ignoring it,” she said, suggesting more work needs to be done.

Rui Chen, an information systems academic at Iowa State University, investigated consumer attitudes after online security incidents.

In 2015, the US Office of Personnel Management (OPM) lost more than 4.2 million personnel files, among other sensitive documents.

Dr. Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.

After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.

In other words, Dr. Chen said, “we can see that the public is gradually losing interest in reacting to this news”.

The effects of ‘fatigue’

If people don’t take breaches seriously, they may not follow instructions to protect themselves, such as changing passwords or using credit-monitoring services.

The insecure cloud

But our understanding of how people do respond is limited.

“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.

“It’s the norm of this digital world.”

These incidents can also feel quite abstract, Dr. Cross added.

Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.

For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.

“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.

Real-world effects

New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.

Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.

You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.

“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.

A badly handled data breach can also dent a company’s reputation.

Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.

Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.

On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.

The group was swift to act and tell the public — and was apologetic throughout.

As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.

“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.

Source: ABC

Author: Ariel Bogle

Travel-Related Breaches: Mitigating the Risks

Oct 3, 2018 | Cybersecurity

The hacking of medical clinic employee’s email account during travels overseas demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.

Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.

The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.

What Happened?

Billing Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.

“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”

The types of information on 8,400 individuals included in the affected email account include patient name, date of birth, contact information, the medical record number, internal financial control number, diagnosis and limited information about medical services received, the clinic reports.

“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.

Earlier Incident

As of July 16, the hacking incident was not the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – that lists breaches affecting 500 or more individuals.

That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.

In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.

A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.

The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.

Overlooked Risk?

Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy, and cloud security services firm, and CEO of The Privacy Professor consultancy.

“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it.”
—Consultant Rebecca Herold

“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi,” she says.

Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.

“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.

Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”

Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs their networks and your traffic is traversing.”

Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.

“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”

Steps to Take

McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”

But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”

Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.

There have been reports of some private airplane flights having “hidden cameras” in them recording information on the screens of laptops passengers used laptops during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.

Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.

“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”

Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”

Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”

Author: Marianne Kolbasuk McGee

Source: infoRisk Today

Insurance market evolving to handle terrorism risks

Aug 31, 2018 | Informative, Loss Control, RIsk Management News

While the number of incidents and casualties declined in 2017, a report released Monday by Marsh L.L.C. said terrorism is still a significant threat and that the insurance market is adapting to handle the evolving risk.

Marsh’s 2018 Terrorism Risk Insurance Report, which explores the state of the terrorism insurance marketplace, said that in the wake of recent events, terrorism insurers are expanding terrorism definitions to include active assailant events.

In some cases, the report said, insurers also are developing specialty products that offer first- and third-party business interruption protection for businesses that suffer lost income or revenue without the need for a direct property damage trigger.

Although fewer people were killed in terrorist attacks in 2017 than in 2016, the Marsh report said the means of attack and perpetrators have shifted.

“Past attacks were carried out primarily by specific groups against perceived high-value-high-profile targets,” the report said. “While that threat remains, many recent attacks have come against soft targets and been perpetrated by ‘lone wolves’ and small groups with no direct connection to known terrorist organizations. Weapons of choice now include vehicles, knives and other handheld devices.”

In 2017, the report said, pricing increased in five of the 17 industries surveyed by Marsh, with the sharpest increases being felt by hospitality and gaming companies, public entities and nonprofit organizations, which have been targets of terrorist acts in recent years.

Pricing declined in seven industries, the report said, most notably for energy and mining and construction companies, reflecting the generally positive conditions in the property insurance market prior to the 2017 Atlantic hurricane season.

Sixty-two percent of U.S. companies in 2017 purchased coverage embedded in property policies under the Terrorism Risk Insurance Program Reauthorization Act of 2015, or TRIPRA. Companies in the Northeast U.S. were most likely to purchase terrorism insurance, Marsh said.

The number of Marsh-managed captive insurers actively underwriting one or more insurance programs that access the TRIPRA increased 44% to 166 captives in 2017.

After incurring sizable ransomware losses in 2017, kidnap and ransom insurers are seeking to restrict coverage for cyber risks in their policies.

Terrorism insurance capacity remains strong, the report said, but pricing could increase as global insurance costs generally increase following natural catastrophe losses in 2017. January 2018 year-over-year pricing changes for a majority of reinsurance program renewals that included terrorism coverage averaged flat to an increase of 10% on a risk-adjusted basis, according to the report.

The Marsh report made several suggestions for businesses in the face of evolving terrorism risk, including continually reviewing and reevaluating their risk financing programs to ensure they have adequate protection for property, business interruption, workers compensation, general liability and cyber losses.

The report also encouraged businesses to effectively model their terrorism risk and to build and test robust crisis management and business continuity plans.

Author: Rob Lenihan

Source: Business Insurance

« Older Entries