Skip to main content
Category

Cyber Security Awareness

Cyber Risk Threats to Utilities and Manufacturers

By Cyber Security Awareness

Thousands of utility companies and manufacturing businesses across the United States rely on computers. Cyber attacks can disrupt service and severely inhibit business, though. Learn more about cyber risk threats to utilities and manufacturers and potential solutions.

Common Cyber Threats  

Almost seven in 10 utility companies around the world has experienced at least one security compromise in the past year. These compromises have disrupted operations and affected confidential information. However, less than 30 percent of companies place security as a priority.

According to the Manufacturers Alliance for Productivity and Innovation (MAPI), four in 10 manufacturing companies experienced a cyber incident this past year. Their losses exceeded $1 million. Additionally, less than 50 percent of manufacturing executives trust that their assets are safe from external threats.

While utility and manufacturing companies each face unique cyber risk threats, potential threats generally fall into several categories.

  • Phishing/pharming
  • Abuse of information technology systems
  • Computer viruses or malware
  • Errors and/or omissions
  • Financial theft
  • Security breaches
  • Vulnerable critical infrastructure
  • Intellectual property theft (primarily manufacturing)
  • Targeted attacks on executives for access to company strategies or financial gain

The Effects of Cyber Risk Threats

The effects of cyber threats on utilities and manufacturing companies are astronomical and affect millions of people.

Imagine the devastation if a utility were infiltrated and held for ransom by hackers or if the customers’ personal data was stolen. Natural gas, water, electric or sewer services could be compromised now and well into the future.

Likewise, manufacturing companies thrive on expensive, cutting-edge technology that assists them in automating production, developing intellectual property and connecting with their supply chains. If that technology is compromised by a cyber threat, the business could come to a standstill.

Protecting Utilities and Manufacturing

Both utility and manufacturing companies are responsible for implementing protective cybersecurity measures. However, implementing those measures can require services to be shut down for a time, and they’re expensive.

Despite the inconvenience and cost, utilities and manufacturers and their customers, clients and supply chain benefit from several detection and prevention measures.

  • Employ a full-time cyber risk monitor.
  • Train and organize the IT and operational technology staff to work together to detect and secure data.
  • Partner with the supply chain, employees and customers to ensure they implement data security precautions.
  • Upgrade equipment regularly.
  • Secure all devices, including mobile devices.
  • Train all employees on cyber security protocols.
  • Plan for a breach and be prepared to recognize and neutralize threats quickly.
  • Be willing to disrupt service temporarily to perform system upgrades and other necessary security measures.

Cyber risk threats to utilities and manufacturers can have devastating effects on the economy and individual lives. Preparing for these threats limits disruption of services and protects utilities and manufacturers.

Ensuring Compliance In Cybersecurity Policy Within Your Company

By Cyber Security Awareness

It’s no fun being the tough, no-nonsense boss, but noncompliance in cybersecurity policy is kind of a big deal. There are hackers who don’t know a line of code, who can’t tell a Mac from a PC, but they know how to get your data through social engineering. An employee who loans their work laptop to a friend can do a lot more damage than an army of code-crackers. Your media liability insurance will help you patch things up if something like this happens, but your best bet is to ensure compliance in order to prevent this from happening in the first place.

Here’s the challenge: Stricter regulations probably won’t do you much good. If someone is careless with company data, they already know they could get in trouble for it. Losing their job and being fined $500 is, in the grand scheme of things, not much bigger of a problem than just losing their job. Hackers use social engineering to get at your data, you want to fight fire with fire in order to protect it:

    • Use PC’s, not laptops for sensitive work. It sounds silly, but a lot more leaks are the result of lost phones and laptops than hackers. Very few employees are going to try and take their PC home with them or leave it unattended on a table at a coffee shop.
    • The cloud is safer than people think. Anybody can copy a USB drive. Cloud-stored data cannot be accessed without the proper login, or a daring Mission: Impossible style heist, rappelling into a server farm to steal the relevant data.
    • Allowing login through biometrics, like thumbprint scans, can streamline the login process for your team while making it very difficult for anyone not authorized to gain access.
    • Be very careful with your work-from-home policies. It may be best to completely disallow this at the higher levels of security clearance. There isn’t really any reason for an employee to take a customer’s financial information home with them, anyways, and it goes without saying that there’s certain material that should never be handled by freelancers and outsourcers.
    • Streamline your policy. The simpler your compliance policy, the easier it will be to understand. Bring people on step-by-step, don’t give them too much to memorize right away. As you move somebody up in clearance levels, you can tell them what they need to know.
    • Change passwords regularly and monitor for break-ins. It’s like when too many people are borrowing your Netflix account: You don’t have to go and ask them individually to stop, you can just change the password.
    • Consider banning removable storage and outside devices at the higher levels. Again, your data is at a greater risk in a pocket-sized device than it is on the cloud.

Small Retailers Targeted by Hackers

By Cyber Security Awareness

Retail businesses are in the cross hairs of hackers, according to a recent report from Trustwave, a provider of data security and payment card compliance solutions to businesses.

Retail businesses – specifically the cardholder data they possess – were the primary target of cyber criminals in 2012, says Trustwave. About 45% of the company’s investigations were in the retail sector, followed by food and beverage (24%), and hospitality (9%).

“Cyber could very well be the largest part of the exposure picture for these retail businesses,” says John O’Connor, Vice President of Strategic Product & Platform Development for Travelers Insurance.

What makes the retail industry so appealing to cyber thieves? The sheer volume of payment cards used in these businesses make them obvious targets. Also, stores are relatively easy targets because they tend to focus primarily on customer service, rather than data security.

Widespread reporting of costly and embarrassing data breaches have made retailers increasingly aware of the exposures they face when storing customers’ data and swiping their credit cards.

Although hackers are targeting retailers of all sizes, smaller firms are particularly vulnerable because they often find it more difficult than their larger counterparts to keep their systems secure and to afford the heavy costs of notifying their customers about data breaches.

One insurance agent said, “A lot of these businesses aren’t the types that can absorb these costs. A data breach is one of those things they might not think about – but it can shutter their doors if it happens.”

The good news: our agency can help you protect you against these risks by offer a variety of comprehensive, competitively priced Cyber Liability policies. Just give us a call.

Bloatware And How To Manage It

By Cyber Security Awareness

Insurance is generally designed to protect tangible assets. If your office space catches fire, your policy pays out. If a work computer is destroyed, your policy pays out. Network security insurance aims to cover the less tangible assets, which, when you really break it down, are what define your business. Anybody can rent some office space and fill it with top grade laptops, but not everybody will turn that into a successful software development studio. Network security insurance covers you against data breaches, system failures and so on.

A major threat to these assets, and one that not everybody will be aware of, is bloatware. You know, all those little programs that come packaged on your laptop that don’t seem to do anything but slow you down. All those updater tools, those “Speed up my computer” apps that seem to do the opposite, free trials that, after the month is up, remind you to buy-in every single time you turn the computer on.

Besides the simple fact that bloatware slows you down when you try to use your PC, many of these useless tools actually have SYSTEM user privileges. This means that a data breach can be a major problem, with hackers piggybacking on that access to take whatever they want while browsing your files.

So how to manage it?

First, start up task manager and end all those useless processes. You can sort by memory usage to stop the RAMhogs, first, and then work your way down. Some of them will obviously be bloatware, and when in doubt, you can use Google to find out whether something is necessary for your computer to run. This won’t solve the problem right away, but it will get your computer running up to speed so that you can do something about it.

Next you have two options: Manually uninstall every single one of these programs one by one, which can be incredibly tedious, or, backup what you need, wipe the hard drive, and do a fresh Windows install.

Bloatware is legal because it isn’t as immediately harmful as other unwanted programs like trojans, worms, viruses, adware, spamware and so on, but it’s not good for your hardware, and in the event of a breach, it’s not good for your data. Network security insurance can help you out when those intangible assets are lost, but as always, an ounce of prevention is worth a pound of cure.

Being Safe Online

By Cyber Security Awareness

Be afraid — be very afraid — because hackers are breaking into Web sites around the world at a frightening pace! These cyber-pirates can copy, edit, or delete files; or trash your site by stealing programs and disrupting networks. Once they’re into your site, hackers can also use phony identities to buy goods and services or vandalize the site by changing its look, text, and overall message.

The easiest way to prevent a hacker from entering your site is to install a firewall on the Web server that keeps out unauthorized access by monitoring the flow of information between your server and the Internet.

Although a well-designed firewall should stop all Internet attacks, most sites don’t have properly configured firewalls. One survey of more than 2,000 sites concluded that these companies were doing the equivalent of “putting an airbag in the backseat of a car when it comes to security precautions.”

Before you implement a firewall system, consult with a security expert. The person in your company who created your site might know whom to call; otherwise, ask your Web consultant or Web-hosting company. The expert will want to know if your site was created in a secure fashion: Did your Web developer use secure protocols and software when building the site? Is the ISP that’s hosting your site secure?

Preventing Cybercrime

By Cyber Security Awareness

Legendary bank robber Willie Sutton supposedly said that he robbed banks because that was where the money was. Many small business owners follow this logic when it comes to computer system security. They believe that people who rob with a mouse and a keyboard rather than a gun target large corporations, because those businesses have the most money.

This leads them to the misguided belief that cybercriminals will not bother them. In fact, the NACHA – The Electronic Payments Association – reports that Eastern European criminal syndicates have targeted small businesses precisely because they have allowed themselves to become easy marks.

Experts in the field estimate that one in five small businesses do not use antivirus software, 60% do not encrypt data on their wireless networks, and two-thirds lack a data security plan. This failure to take precautions makes a small business easy pickings for computer hackers.

However, there are several things business owners can do to protect themselves.

Use two-factor authentication. This is a mechanism that requires the user to do more than one thing for authentication. It ordinarily has two components — one thing the user knows (such as a password), the other a randomly generated number that the user must input. The number comes from an electronic token card, which generates a new number every few seconds. If the user enters a number that the system is expecting, the system will authenticate the user.

Inoculate systems against the Clampi Trojan virus. This virus resides on a computer, waiting for the user to long onto financial websites. It captures log-in and password information, relays it to servers run by the criminals, instructs the computer to send money to accounts that they control, or steals credit card information and uses it to make unauthorized purchases. The trojan monitors more than 4,500 finance-related websites.

Be on guard against “phishing” e-mails and pop-up messages. These messages purport to be from legitimate businesses with which the recipient does business. They ask the user to update or verify information, often threatening negative consequences if she fails to do so. Clicking on the links in the messages brings the user to an authentic looking Web site. However, it is actually bogus; the site collects personal information that the collector can use to steal the user’s identity. System users should ignore these messages.

Arrange for financial institutions to alert the business owner should they spot unusual activity involving the firm’s accounts.

Install firewalls and encryption technology to block uninvited visitors from uploading to or retrieving data from the firm’s servers and to protect data sent on public networks. Intrusion detection systems can inform the business owner of attempts to hack into the network.

Be cautious about opening attachments to e-mails, especially if the sender is someone unfamiliar to the user. Attachments may contain viruses or Trojan horses that can steal login information and passwords or corrupt a system.

Protect against intrusion by disgruntled former or current employees. Deactivate passwords for former employees, erect barriers to keep employees from accessing systems unrelated to their jobs, and implement sound accounting procedures for financial transactions.

In addition to these safeguards, small businesses may want to consider purchasing computer fraud and employee theft insurance. These policies will protect the business against those losses that still occur; insurance companies are likely to offer favorable pricing to businesses that take precautions against cybercrime.

One of our professional insurance agents can give advice on the appropriate types and amounts of coverage. Modern technology gives businesses unprecedented abilities, but it also presents significant risks. Every business owner must take steps to keep the cybercriminals out.

Mailing your intellectual property to yourself: Does that REALLY work?

By Cyber Security Awareness

When discussing copyright protection, sooner or later someone’s going to suggest mailing your intellectual property to yourself as an easy way to protect what’s yours. The “Poor Man’s Copyright,” as it were. So, does this actually work, or is it just something that “sounds right,” so people love to share it?

The truth is that there aren’t really any advantages to mailing something to yourself. If you create something, be it a corporate logo, a blog post or a t-shirt design, you own it the minute you’re done creating it. These days the chain of evidence leading to the originator is incredibly strong, as there is an imprint of your work the minute you set out to write the first page of your novel or take a photo with your phone. It’s very difficult for IP thieves to claim the copyright on something that they did not create. If you’ve created something, then you probably have all the evidence you need to put a stop to anyone who would take it for themselves.

Registering your work is not an issue of protecting it so much as establishing your right to pursue damages should somebody else use your intellectual property for their own game. You’re not going to have an easy time pursuing statutory damages on, say, a screenplay, if it’s not registered with the Writer’s Guild of America. You may still be awarded your damages in court, but that’s going to cost you in legal fees that will ultimately outweigh the cost of registration.

Once upon a time, patent laws worked on a “first to invent” rule. So a long time ago, it made sense for a chemist or an engineer to mail themselves blueprints and schematics for whatever it was they were creating. It certainly would have saved Tesla a lot of trouble with Edison. But when it comes to patents in the modern day the rule is “first to file,” meaning that you do not have any patent protection without seeking, well, patent protection.

So, to make a long story short: Mailing intellectual property to yourself is a waste of a stamp. The protection that you think you’re getting when you do this is protection that you already have the minute you write your idea down in a memo pad, and any additional protections cannot be had without registration through a patent office or a guild of some sort.

Cyber Liability a Smart Investment

By Cyber Security Awareness

On April 20, 2011, someone hacked the Sony Playstation Network. They found an opening in the online video gaming network’s password-reset system and penetrated the security protecting its customer database. Days later, the company admitted that the hackers had obtained personal information on 70 million or more subscribers.

The hackers got names, physical and email addresses, birthdates, and other identifying information, and it’s possible that they got credit card numbers. Sony took the network offline to reinforce it, but within days of it coming back online, hackers broke in again.

Playstation Network is a high-profile target with tens of millions of subscribers, making it attractive to criminals. However, even small businesses that do business over the Internet are vulnerable to the same kinds of intrusions. The federal Internet Crime Complaint Center referred more than 146,000 complaints to local, state and federal law enforcement agencies in 2009, 22 percent more than the year before. One out of every three of those complaints was for identity theft, credit card fraud and computer fraud. The Ponemon Institute has reported that the average data breach costs businesses $7.2 million.

What could happen to a business’s data?

Over a seven-year period, a Georgia man stole 675,000 credit card numbers and associated information. He racked up thousands of fraudulent transactions and bills exceeding $36 million. A Texas man received a 110-month prison sentence for hacking into 14 computers in the hospital where he worked as a security guard. He disabled network security systems, installed malicious software, infiltrated a nursing station computer containing patient medical records, and gained remote access to temperature-control systems.

The FBI caught a North Carolina man in the act of attempting to access an ATM in 2010. The man had planned to hack into 35 ATM’s located around Houston, Texas in the hope of pocketing more than $200,000.

When consumers and business owners give their credit card numbers and other personal information to a business or organization, they expect that this information will stay confidential. They will hold the organization responsible if they suffer financial harm because their information fell into the wrong hands. The organizations that lost the data face the potential for large jury awards or out-of-court settlements. To protect themselves, they should consider buying cyber liability insurance. One insurance company advertises a Cyber Liability policy that provides coverage for expenses such as:

  • Damages to third parties caused by a network security breach
  • Loss resulting from administrative or operational mistakes made by the business’s own employees or by outside vendors
  • Expenses resulting from a breach of consumer protection laws, such as HIPAA or the Fair Credit Reporting Act
  • Costs of notifying customers of a breach
  • Public rel
  • ations expenses necessary to repair the business’s reputation.

Nearly 30 insurance companies currently offer Cyber Liability policies. If an organization’s insurance broker does not have direct access to a company that offers the coverage, they might be able to obtain it through a specialty broker.

To prevent or reduce losses and to make themselves more attractive to insurance companies, businesses should implement strong network security systems, and continually monitor and update them as needed. Develop plans for responding to any network intrusion events that do occur. A sound plan identifies who should be involved in the response, has procedures for notifying affected customers and authorities, and has a public relations strategy for keeping the public informed.

The majority of businesses and organizations operating today are vulnerable to unauthorized intrusions into their computer networks. The potential costs are more than most organizations can fund on their own. Cyber Liability insurance is a smart investment that can literally save a company. Call our office today!

Is Your Social Media Presence A Liability?

By Cyber Security Awareness

It’s not uncommon for a celebrity or other high profile figure to post something incendiary on Twitter, only to claim, an hour later, that their account was hacked. But if we’re being honest, how likely is it that they just regretted posting it, and wanted to pretend they had nothing to do with it?

Twitter and Facebook accounts do get hacked, but it’s not a major concern for a number of reasons:

  • There’s really no accessing anything else through your social media

If someone cracks your email password, they have a treasure trove of sensitive information. If they break into your Twitter account, what can they really do? If you use the same password for everything, then they can figure out how to go from Twitter to Gmail and so on, but this assumes that they know the email you’re using for business in the first place.

  • It’s easy to keep people out with regular password changes

If you’re a major figure you may find people trying to break into your social media on a regular basis, but this generally means people with a public reputation that can be embarrassed. People are always trying to guess Donald Trump’s password, for instance… and so far, they haven’t pulled it off. In other words, there’s really only a slim risk of this happening, and that’s if you’re rich and famous.

There is one area of risk to consider: You may wind up becoming your own liability through social media. It’s not unusual for someone to post, for instance, their driver’s license to show off how bad the picture is, only for someone to take all of the data featured on the ID and put it to work. If you’re a constant Instagrammer you might wind up broadcasting from a meeting where you were supposed to have a confidentiality agreement, and putting sensitive information out there for the public.

You can’t afford to be careless when using social media. You should be careful about any photo or post that features anything from credit cards and license plates to plane schedules and street addresses involving yourself, clients and colleagues. The right piece of information can become a skeleton key in a hacker’s hands, so the less you have out there, the better. Here’s a basic rule to keep you from getting into trouble with your social media pics: If the photo contains any numbers, and if it features anyone who’s not posing for the camera, ask yourself if it might put someone in a compromising position.

Paperless Paper Trails: Establishing a chain of evidence in cybersecurity cases

By Cyber Security Awareness

In old procedural shows like Dragnet, early episodes of Law & Order, Hill Street Blues, Magnum P.I., they always talk about the paper trail. This is the chain of signed documents and verified contracts and letters and memo that, on TV at least, usually lead us right from the first clue all the way to the guy who committed the crime. Paper trails can also be used to frame an innocent third party or prove one’s innocence, showing that someone was “nowhere near the scene of the crime” at the time of the arson.

In cyber-crime, the chain of evidence, the paperless paper trail, is actually much easier to track than the kind that’s actually printed and written on sheets of paper. Here are a few things not everyone knows about how evidence is tracked from computer to computer:

  • Documents and programs can be traced back to their computer of origin

Every time you send off a .doc file, your computer leaves an impression on it as sure as the signature imprint left on a bullet by a registered firearm. If you post a photo to the internet of yourself at a crime scene, law enforcement can download the picture and trace it back to your computer. A GOP lawmaker actually got busted for libelous emails some years back when the emails were traced back to his wife’s computer.

  • Word documents save every single revision

If you type a word and then backspace over it, the Word file will remember you doing that. This has actually been brought up in some pretty high profile cases. For instance, the Invasion of Iraq.

  • Deleted files leave clues behind

Even if you manage to delete every trace of evidence regarding your cyber-crime, the computer may still show a log of what was deleted, when, and by whom. Combined with a little bit of conventional detective work, this can make it quite easy to figure out what was going on.

You can get rid of a paper trail by shredding it and burning the scraps. Paperless paper trails are a little trickier. If you’ve sent any compromising documents out into the web from your computer, then it’s too late. The evidence is already out there, and zapping your computer with a magnet and smashing it to bits isn’t going to do you any good. With the right cyber-sleuth on the case, a single photo from a hacker’s phone can be as good as a signed confession.