Cybersecurity Best Practices Archives

Unsafe at Home: The Heightened Cyber Risk of At-Home Workers

Two years ago, employees across the country and around the world collaborated with their employers to establish ways they could perform their job duties while working from home. Today, the urgent need for home-based workers has receded, but the popularity of this option remains high.

And while certain trends point to an actual increase in productivity, job satisfaction, and a better work-life balance from working at home, the choice does also come with a few risks, some quite disturbing and potentially very costly.

The Cost of a Data Breach Report, conducted by the Ponemon Institute and IBM Security, reports that 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time required to identify and contain a data breach. What’s more, 70% of respondents expect remote working to increase the cost of a data breach.

Those results should cause business leaders to pause, at least for a moment, to think about what remote work represents regarding risks to your organization’s cybersecurity status. With the geopolitical upheaval emanating from Eastern Europe currently, the world is getting a first-hand lesson in the power of benign cyber systems to damage economies, influence migration of populations, even wage war. Just imagine the wreckage a malignant cyber attack could create.

Are your remote employees following strict cybersecurity protocols regarding password control? Tracking and protecting the physical location of their laptops and smartphones? Accessing only approved downloads and avoiding personal usage or inappropriate personal apps on company equipment?

Keep in mind that three out of four business leaders have concerns about cybersecurity regarding remote work. Being concerned is one thing. Acting on those concerns by clearly stating acceptable and unacceptable cyber behavior, and enforcing those standards, is what can make a real difference.

Contact the professionals at The Reschini Group for more information.

The Reschini Group provides these updates for information only, and does not provide legal advice. To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.

Cover Your Bases: Lack of Controls May Limit Cyber Insurance Access

Feeling lucky? Like to gamble?

It’s one thing to play a small-potatoes hunch on your smartphone as you watch your favorite professional team on television. It’s quite another to risk your entire business enterprise on something that never needed to be at risk at all – your cybersecurity protocols.

As the scope and expertise of malicious online operators grows, so is the insistence of insurers that their business clients have adequate cybersecurity controls in place. A growing consequence for those who have not installed and maintained such controls is that they cannot acquire the needed coverage.

An industry leader recently conducted a study that concluded underwriters have adopted a “laser focus” on data security controls when looking at renewal risks, with “even greater underwriting scrutiny” of those controls as time goes on. The desired preventative controls cited include:

Multifactor authentication
Remote desktop protocol
Segregation of networks
Encryption

Those without these protocols in place will be increasingly met either with a decline of coverage or rates increased as much as 200 percent or even higher, according to the report. The threat of hackers successfully breaching cybersecurity protections has become such an issue for businesses, that even best-in-class risk managers – who have all preferred protections in place – may still see their premiums increase, but at a much lower rate.

So play those little parlays on your phone all you like. But don’t leave your entire business enterprise open to such a huge bet. Survey your cybersecurity protections and make sure they’re in place and working.

For more information, contact the professionals at The Reschini Group today.

Source: www.commercialriskonline.com/buyers-without-security-controls-risk-cyber-insurance-refusals-warns-gallagher-report/

Holding the Door Open for a Thief: Controlling Social Engineering Online

A professional hacker – who has gone straight and now goes by the job title of “Ethical Intruder” – lays out the truth with this simple statement: “Take it from a hacker, we are not trying to break in through your next-generation firewall when we can simply ask your users for credentials.”

The sloppy, ill-informed, or unthinking release of credentials – the user names and passwords that permit access to your cyber files online – by employees or vendors is the digital equivalent of holding the door open for a thief to stroll into your sensitive operations with little or no resistance. In the parlance of cyber security, the ways in which legitimate users either control or surrender control of their credentials is known as “Social Engineering.”

Social Engineering typically is seen within organizations as either an IT issue or the responsibility of Human Resources. At its core, Social Engineering is a behavioral and awareness issue that hackers know is the easiest and quickest way to crack a cyber defense and avoid detection.

This has become an even more prevalent problem during the COVID-19 pandemic. Attackers have increased use of their predatory skills against unwitting employees, who simultaneously have become more susceptible to clicking on or downloading files by providing their credentials on nearly anything related to the pandemic.

Entering this commonplace, yet incredibly valuable, information without giving a second thought as to who else might be watching can spell real trouble down the line.

It becomes incumbent on employers to educate and enforce standards regarding the unauthorized or uncontrolled use of employee credentials. This single step can actually become one of the most effective ways to convey the very real threats that exist, and to tighten up the business’ cyber security protection.

Cybersecurity Resources from The Reschini Group

Risk Insights – Social Engineering reinforces the information in this article and provides resources for you to share with you staff: Risk Insights – Social Engineering

For more information on cyber security safeguards, contact The Reschini Group today.

The Reschini Blog: Slow Hackers Down with MFA

When a skilled hacker has the means, the motive, and the opportunity to break into your cyber system and wreak havoc, not much can stop or slow that person down. With one exception – multi-factor authentication, or MFA.

The only drawback of using this advanced tool, however, comes in the fact that the MFA – because of its comprehensive and in-depth safeguards – can also slow down legitimate users. But industry experts agree that the benefits in safety and security far outweigh this one minor negative.

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, defines MFA as “a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”

NIST adds, “MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

swiped your bank card at the ATM and then entered your PIN (personal ID number)
logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.”

The Pittsburgh Technology Council cites a professional cybersecurity expert (and former hacker), who said, “It is of the utmost importance to push through any obstacles and enable MFA on your environment. In addition to the monumental importance of having MFA, it is critical that you review your third-party systems that you do not control, especially those which contain sensitive company data, and find out whether MFA is available.”

The added seconds it may require for users to register through two separate channels to access data amounts to virtually nothing in the long-term, when compared with the time, trauma, and treasure it would take to recover from a severe cybersecurity breach.

For more insurance-related information on this and other topics, contact the professionals at The Reschini Group.

Download these resources about Cyber Liability:
• 10 Cyber Security Resolutions to Reduce Your Data Exposures
• CI – Cyber Liability Insurance
Contact The Reschini Group with your questions or concerns regarding cybersecurity.

Testing Cyber Security Systems

Cybercrime is set to cost companies more than $6 trillion per year by 2021. That’s trillion, with a T. Nobody wants to be in that pile. That’s why testing your systems for cyber security makes a lot of sense.

Three main tests are used to safeguard businesses against cyber attacks:

Vulnerability scanners – This approach assesses the computers in your business network for weaknesses: entry points that can be exploited by cybercriminals hoping to gain access to your data. Vulnerability scanners act like hackers to investigate these potential vulnerabilities. The aim of a vulnerability scan is to build a strong sense of the state of your cybersecurity setup from an internal and external perspective, identify weaknesses, and improve your security to better protect against these risks.

Penetration testing – Here, cybersecurity experts purposefully ‘attack’ a network to review how secure it is. It simulates a real attack, but in a controlled way. As such, the term ‘ethical hacking’ is sometimes applied to penetration testing. While vulnerability scans highlight any weaknesses in your business network, penetration tests take this a step further by determining what kind of malicious activity is possible if those weaknesses are exploited.

Program update checks – These are important because software that is not regularly updated gives attackers more chances of infiltrating your system and your business. Some program settings may allow automatic software updates, and others will ask your permission. All users should regularly check to ensure that all available updates are accepted (or scheduled for a convenient time) on every device they are responsible for.

The continuously and rapidly evolving cyber world offers tremendous competitive advantages and cost efficiencies. The dark side of cyber operations moves just as swiftly, though. Check the status of your cybersecurity insurance by contacting the professionals at The Reschini Group.

Excerpted from: https://blog.avast.com/cybersecurity-tests

Not Quite Enough: General Liability Insufficient for Cyber Coverage

Take a look at your business’ general liability insurance policy, and you’ll probably see a reference to property damage. To the uninitiated, that sounds like it covers a multitude of potential events – even an online hack or attack, right?

Wrong. Seriously wrong.

Cyber liability insurance is not automatically included in a general liability policy. Cyber liability insurance, priced and purchased as its own policy, can pay for expenses if a small business suffers a data breach or malicious software attack, including customer notification, credit monitoring, legal fees, and fines.

According to Insureon.com, when criminals infiltrate a network, steal data, or hold data hostage, the business they steal from could be held liable. A data breach at a small business can end up costing thousands of dollars in customer notification expenses, legal fees, and fines or settlements. In fact, the average cost of a small business data breach is $86,500, according to the Internet security firm Kaspersky Labs. The coverage included in cyber liability insurance pays these costs, allowing your company to survive a breach.

And don’t assume that hackers won’t come after small businesses. A recent report by Verizon found that 61% of all cyberattacks hit small businesses, and that those attacks often succeed because small businesses are less likely to have a strong defense.

Cyber liability insurance is key for companies that handle sensitive information, work in the cloud, operate in cybersecurity, or typically handle:.

Credit card or bank account information
Medical information
Social Security or driver license numbers
Customer names, email addresses, phone numbers, and addresses
Cybersecurity for other businesses

Contact the professionals at The Reschini Group to learn more about fashioning an appropriate cyber liability insurance package for your business. Your existing general liability policy may not be quite enough.

Making Sure: When Is Third-Party Cyber Insurance Needed?

It’s a natural impulse, especially perhaps when it comes to purchasing insurance coverage.

And even more especially when the insurance coverage is for something as intimidating as cyber security – a vague, nondescript, fuzzy and murky world that many people don’t truly understand, whether they would admit it or not.

The natural impulse in question comes in the form of “making sure.” Is my policy loaded up sufficiently to safeguard my organization? Hmm, I can’t be certain. Let’s load it up, just to “make sure.” That is not necessarily a bad thing or a wrong decision. Getting all the facts, of course, can provide greater clarity.

One area of cyber security insurance presents an option between first-party and third-party coverage, and the choice in this segment, at least, can be pretty easily understood and acted upon appropriately.

First-party cyber insurance covers the costs associated with being the victim of a hack. That includes everything from notifying clients of the breach, to weathering the storm of lost revenue that typically follows. Third-party cyber insurance helps cover the risks of being blamed for a breach, particularly if the company in question does assessments of digital security – a fairly narrow area of specialty – or when a gap in one’s own security is responsible for passing on a virus to another organization.

Policies have evolved to cover first-party exposures more extensively, but third-party exposures and coverage grants are still present and quite possibly required to be purchased.

But think of “third-party” as being the same as a lawsuit. In that case, if a business is not providing media services for a fee or IT services, its third-party exposures probably revolve around the following typical coverages:

A Media clause offering coverage for claims alleging liability resulting from the dissemination of online or offline media material, including claims alleging copyright/trademark infringement, libel, slander, plagiarism or personal injury. This could include websites, social media sites, and chat rooms.
A Privacy & Network Security clause would involve third party actions or lawsuits involving customer information, vendor information, or employee information.

Do you want to “make sure” when it comes to cyber coverage? Contact the team of professionals at the Reschini Group for more information on cyber security options that make sense for your organization.

Staying Safe: Five Tips to Greater Cybersecurity

Cybersecurity practices remain a key focus for both the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC). An article* in Forbes magazine summarizes five best practices cited by these organizations to mitigate the risk of cyber attacks:

Governance

FINRA has found that although Boards of Directors are actively focused on cybersecurity, during their regulatory exams up to two-thirds of companies were found to have deficiencies or weaknesses in their policies and procedures. Cybersecurity policies need to be specific and articulate the procedures necessary for implementation.

Risk Assessment

Risk assessment should be an ongoing process as opposed to a single point in time. Companies should gather and evaluate indicators of potential risks on a monthly, quarterly and annual basis. They should also look to what’s happening at other organizations and other industries, both to gain best practices ideas and to help thwart attackers’ plans.

Cybersecurity Training

Because employees represent the biggest risk, training needs to be conducted regularly and be varied, both in method (such as in-person, email, blogs) and with different topics (such as passwords or visitor access). Show employees what good cyber behavior looks like so they may bring those practices home with them to protect their families and personal systems, as well.

Access Management

While the SEC watches how organizations conduct reviews of access rights periodically, it is estimated that about half either do not follow policies and procedures for terminating access rights, or inadvertently provide unauthorized system access to users contrary to established policy. Best practice is for any remote access to a core network to be protected by two-factor authentication.

Vendor Management

Risk from vendors needs to be addressed and constantly vetted and assessed. One idea calls for the business to obtain permission before bringing on any new vendor that handles, touches, or stores data. To make it easier, create a list of pre-approved vendors.

The team of professionals at The Reschini Group can help assess your cybersecurity exposures and offer comprehensive insurance solutions to transfer cyber risk and protect your company. Contact us to learn more.

* https://www.forbes.com/sites/joannabelbey/2017/06/30/how-to-avoid-cyberattacks-5-best-practices-from-sec-and-finra/#56ae09df1a16