10 Oct Cyber Security Awareness Month in Massachusetts – Part I
October is Cyber Security Awareness Month in Massachusetts – Part I
October is the U.S. Department of Homeland Security (DHS) National Cyber Security Awareness Month (NCSAM). This event is aimed at engaging and educating all businesses and individuals about the importance of cybersecurity and providing them with tools and resources they need to stay safe online.
Given the recent, mega-sized cybersecurity breach at Equifax, that affected 143 million U.S. consumers, NCSAM really could not be coming at a better time. “This mammoth cyberattack served as a startling reminder to consumers and business owners, alike,” says Bill Trudeau, President/CEO of Insurance Center of New England (ICNE). “Databases containing personal information such as social security numbers, credit card numbers, log in credentials, birth dates, addresses, driver’s license numbers, banking details, and more, are highly vulnerable to breaches.”
However, according to the DHS, it’s not all doom and gloom when it comes to protecting privacy and securing data in today’s highly connected world. In fact, there are simple actions that each one of us can take – especially in the workplace – to protect ourselves online. In addition, there are many resources to help business owners understand what you can do to recover in the event a cyber incident does occur at your place of business.
“As your local insurance team, ICNE is here not only to help businesses find the right insurance to protect their companies in case of a data breach, but also to provide support for risk management and loss control, just to name a few of our additional offerings,” explains Trudeau. And that’s precisely why we are dedicating not just one, but two commercial insurance blogs in October to promoting cybersecurity awareness month.
In Part I of this two-part blog series, we will discuss the top cyberattack techniques your business should be aware of today and in the future. Then, in Part II, we will share our perspective on how to protect your Massachusetts business against these cybersecurity threats.
While Trudeau and the commercial insurance professionals at ICNE are all very knowledgeable about data breach and cyber liability insurance, we felt it was important to consult with true experts in the field of cybersecurity in order to provide you with the most up-to-date threat information as well as a glimpse into what the future holds. Thus, in this blog, you will find key insights from Jason LeDuc, Vice President of Consulting Services at Foresite, a global service provider of managed security and consulting solutions. Companies like Foresite help businesses, like yours and ours, identify online vulnerabilities and stop a breach before it happens.
When It Comes To Cybersecurity, First You Must “Know Thy Enemy”
Almost all businesses today struggle with how to keep their sensitive data safe, especially since cybercriminals are smarter than ever before. “The bad guys are always one or two steps ahead of the rest of us,” says LeDuc. “In fact, they know how to circumvent many of your security devices, such as firewalls, and are able to disguise their malicious intent so you don’t even know they are there.”
The question is then, how can you defend your business against such a nefarious, and often invisible, enemy?
A starting point is to get educated, not just about specific cyber threats to your business, but also about how they may be escaping detection and getting in the back door to your company. Sun Tzu, famous Chinese military strategist and author of The Art of War, wrote, “Know thyself, know thy enemy. A thousand battles, a thousand victories.” So, let’s get to work understanding four common cyber threats to businesses today.
Four common cybersecurity threats for Massachusetts businesses to look out for:
#1 Malware
Short for malicious software, malware is an umbrella term for a variety of forms of invasive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware. Once malware is on your computer, it can cause chaos, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker’s home base. Malware has seen massive growth across the globe, with over 600,000,000 reported incidents in 2016 according to McAfee Labs. However, since malware, at some point, relies on you, the computer user, to take an action that “invites” it into your system, the best bet for thwarting this attacker is to not open it. That’s easier said than done, since most cyber thugs know that you will only open something if there is a compelling reason to do so. Thus, they’ve taken to “phishing,” which means they send you an email that seems legitimate, may have some urgency to it, and appears to be from someone you trust.
#2 Structured Query Language Injection (SQLi)
SQL, pronounced “sequel,” stands for Structured Query Language, a programming language used to communicate with databases. Many servers that store critical data for websites and services use SQL, and so some very sinister cyber attackers developed SQLi to target these databases and servers, tricking them into doing unexpected and undesired things. Once an attacker gets into your network via SQLi, they can bypass your authentication process, steal data, modify or corrupt data, delete data, run arbitrary code, or gain root access to the system itself. If your server stores private customer information from your website, such as credit card numbers, usernames and passwords, or other personally identifiable information, your data is an extremely tempting target for an SQLi attack.
In addition, there is a very similar type of cyberattack, called Cross-Site Scripting (XSS), which also targets vulnerable websites, but not to get at the site’s stored data. Instead, this threat goes after the website’s users! Imagine an unsuspecting customer visits your website and, unbeknownst to them, a malicious script is loaded and executed in their browser. This can lead to theft of sensitive data your customer sends to your site, including their login credentials, credit card information, or other private data. XSS attacks have been around for more than 15 years, primarily because they are so effective, and they do significant damage to your website’s reputation.
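Both SQLi and XSS come down to the same mistake: untrusted input is pasted into a query or a web page and ends up being interpreted as code rather than data. The following is an added illustration, not code from the original post or from ICNE or Foresite; it uses Python’s built-in sqlite3 and html modules, and the user table, names and greeting page are constructed for the example. A legitimate customer name containing an apostrophe is enough to show that the unsafe query treats the name as SQL syntax, while the parameterized query and the HTML-escaped page treat input strictly as data.

```python
import html
import sqlite3


def make_db():
    # Constructed sample database, built in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("O'Brien", "staff")])
    return db


def lookup_role_vulnerable(db, name):
    # The name is spliced into the SQL text, so any quote character inside it
    # changes the structure of the statement instead of being stored as a value.
    return db.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchone()


def lookup_role_safe(db, name):
    # A bound parameter is passed separately from the SQL text; the database
    # engine never parses the value as SQL, whatever characters it contains.
    return db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()


def render_greeting_vulnerable(name):
    # Reflecting input straight into HTML lets the browser parse it as markup.
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name):
    # Escaping converts <, >, &, and quotes to entities, so the browser shows
    # the characters as text rather than interpreting them as tags or scripts.
    return f"<p>Welcome, {html.escape(name)}</p>"


def demo():
    # Compare how each version handles the same legitimate but awkward input.
    db = make_db()
    results = {}
    try:
        lookup_role_vulnerable(db, "O'Brien")
        results["vulnerable_sql"] = "ran"
    except sqlite3.OperationalError:
        results["vulnerable_sql"] = "error"  # apostrophe broke the query
    results["safe_sql"] = lookup_role_safe(db, "O'Brien")[0]
    results["unsafe_html"] = render_greeting_vulnerable("<b>Bob</b>")
    results["safe_html"] = render_greeting_safe("<b>Bob</b>")
    return results
```

The query failure is the tell: if a customer’s apostrophe can alter the SQL, so can anything else an attacker chooses to type, which is why parameterized queries and output escaping are the standard fixes.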
#3 Denial of Service Attack (DoS)
You know those days when your computer is running exasperatingly slow, when opening your own files takes a painstakingly long time, or when a particular website you’re trying to access loads at a snail’s pace? It’s probably just a technical problem with your network, or maybe your system administrators are performing maintenance, right? That certainly could be the case, but it would be wise to alert your IT department anyway. According to the United States Computer Emergency Readiness Team (US-CERT), if you’re having trouble opening your own files or reaching external websites from your work computer, and you are suddenly receiving an inordinate amount of spam, this could indicate you are under a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack.
In a DoS attack, the cyber threat targets your computer and its network connection, or the computers and network of the sites you are trying to use. If an attack is successful, it may prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on your computer. The intent of a DoS attack is to “flood” a network with information, thereby overwhelming it, so that when you enter a request to go to a specific website, you are denied access because the server cannot handle any more visitors. A DoS attacker can also use spam email messages to launch a similar attack on your email account. By sending many, or large, email messages to your account, an attacker can consume your assigned quota, preventing you from receiving legitimate messages.
For something even more menacing, there is the DDoS attack, which occurs when a cyber crook takes control of your computer, forcing it to send huge amounts of data to a website or spam to a particular email address. This threat is particularly difficult to defend against because the attack is “distributed,” meaning the attacker is using multiple computers, including yours, to launch a denial of service assault on others.
#4 Session Hijacking (or Man-In-The-Middle Attacks)
If you’ve ever watched the documentary “Catfish,” or the TV show based on the film, then you probably already have a good idea of the intent of a session hijacker. Catfish is about the truths and lies of online dating, and a “catfish” is someone who pretends to be someone else online. This person completely assumes a fake identity and goes the extra mile to make their victim believe that they are exactly who they say they are. Imagine if this happened in the business environment. Well, in reality, it happens every day, and the FBI has put this type of threat at the top of its list of cyber scams affecting businesses today. Here’s how session hijacking works: Whenever you’re on the internet, whether just browsing or actually logging into a website with your username and password, this activity is given a unique session ID that should stay private between your computer and the remote web server. However, an attacker can hijack the session by capturing the session ID and posing as your computer. This allows the attacker to log in, gain access to unauthorized information on the web server, and start making requests. Or, the attacker can opt to insert themselves between your computer and the remote server, pretending to be one of the two parties in the session. This allows them to intercept information in both directions, hence the term man-in-the-middle attack.
Unfortunately, this is not an all-inclusive list of cyberattack types and cybercrime techniques. “There is also a real threat that one of your competitors might organize a directed attack against your company systems in order to usurp critical data and to gain an edge in the marketplace,” says LeDuc. “Hackers and black hats can engineer a standard spam or phishing email, or other malware, in a matter of 15 to 20 minutes and make thousands of dollars doing so. It’s not hard to convince them to do this.”
However, by highlighting and describing the most common threats to your business systems today, we hope that you feel more knowledgeable about these would-be attackers and better prepared to improve your security position against them.
Smarter Technology And The Cybersecurity Risks For Massachusetts Business
One of the themes of this year’s National Cyber Security Awareness Month is how the Internet of Things (IoT), the network of physical devices, vehicles and other items embedded with electronics, software, sensors, actuators, and network connectivity, will affect privacy and security in the future. By 2020, it is estimated that there will be 24 billion IoT devices in the world!
There is no doubt that many of these “smart” devices are cool and come with many benefits for all of us, both personally and in the workplace. However, it’s also critical, as a business owner, to understand how the IoT can make your company’s sensitive and personal data more vulnerable to attack.
“Many companies don’t restrict what their employees do on their phones. This is a serious misstep,” explains LeDuc. “What happens if their phone is stolen or lost, or your employee goes rogue and decides to screen scrape – or grab – all the data from their phone and give it to your competitor?” LeDuc says that it doesn’t matter whether it’s a personal or company-owned phone. As the business owner, you will be responsible for securing any company data stored on the phone; if you fail to do so and that data is hacked, you can expect to be visited by your state’s forensic examiner and potentially brought to court.
AT&T’s Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of or intend to deploy IoT devices. However, only 10% of those surveyed actually feel confident that they could secure these devices against hackers. That sounds like very unsafe planning to the risk management specialists at ICNE!
AT&T recommends a multi-layered approach to protecting your company against security breaches in this new and more complex business environment, including an endpoint layer, a network layer, a data and applications layer, and a threat analysis layer. And because every company-owned or employee-operated smart device is different, each one must be secured using this approach.
The Department of Homeland Security will be expanding on this topic later this month, and so we highly recommend that you check their site for additional information the week of October 16th. We know we will!
Why ICNE Is A Trusted Advisor To Many Massachusetts Companies
The ICNE team has become an integral resource to many Massachusetts companies who have needed assistance in identifying and managing risks to their businesses, including cybersecurity threats.
“We are one of the largest privately owned, independent insurance agencies in the region,” says Trudeau. “So, we have the capability to not only offer business insurance clients the optimal data breach insurance options for their needs, but also to provide them with an initial risk assessment through our detailed consultative approach.”
In addition, as your insurance professionals, ICNE will stay up to date on information coming in from the insurance industry marketplace, so we can identify potential new cyber exposures for which you may need additional coverage and protection. We also have an extensive network of partners and are happy to connect you with the best resources for testing your vulnerability to a cyberattack and helping you reduce the risk of something bad happening to your data. In some cases, these types of assessments can actually decrease your data breach and cyber liability insurance premium.
Most important, Trudeau would like to remind business owners, “Should you ever experience a data breach emergency, our dedicated team will be here to answer all your questions, to contact your insurer to file the claim, and to monitor your insurer throughout the claims process. ICNE has a dedicated claims expert whose responsibility it is to make sure that your insurer is working on your behalf to resolve the situation as quickly and effectively as possible.”
If you are ready for a more personal relationship with a trusted insurance agent who is always looking out for you and your company, then call us today at (800) 243-8134 or stop into any one of our five convenient Massachusetts offices.