Wednesday, August 19, 2020

Protecting Your Business From Your Remote Employees

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modify your business processes and workflows to accommodate this change, it’s important to understand how remote work affects your cybersecurity posture and what openings and opportunities exist for cybercriminals to take advantage of you.  We would like to take this opportunity to provide advice on how to orient your security posture to account for this increased threat vector and illustrate several common patterns of weakness.

VPNs

Long touted as the safest and most reliable way to enable remote work, Virtual Private Networks (VPNs) allow a user to access internal enterprise resources and applications from any internet connection.  VPN connections are encrypted, preventing untrusted network operators (such as your local coffee shop) from snooping on sensitive traffic, but they don’t solve every security problem.

Risks:

  • VPNs weaken the network boundary by allowing additional devices into the most vulnerable part of a company’s IT infrastructure – its internal network.
  • Compromised user accounts can give attackers direct access to many internal resources.
  • Granting VPN access to untrusted devices is equivalent to plugging that device directly into your network, along with any infections it might have.

The more users who use your VPN, the more likely it is that you are giving an attacker access to your internal network by way of a compromised user device.  When VPN is allowed on machines that were not provisioned by the company, this risk is even greater.  If an attacker does gain this access, it can be devastating, because the internal network is frequently the least-hardened part of an enterprise.

Solutions:

  • Create a separate user account specifically for VPN access for each user.
  • Place VPN user accounts into a restricted Organizational Unit with as few privileges as possible. For example, if you run Citrix, only allow VPN user accounts to sign onto Citrix desktops.
  • Set up Two-Factor Authentication (2FA) for all users and VPN user accounts to increase the difficulty for attackers.
  • Install a honeypot on your internal network to help identify suspicious network activity coming from a remotely connected device.

The Vexing VPN - in a split tunnel, security solutions only see traffic destined for the enterprise.

A Note on VPN Configurations:

VPNs also have the option to perform Full or “Split” tunneling.  Full tunneling forces all network traffic to go over the VPN connection including traffic unrelated to the corporate network such as YouTube or Skype.   In a split tunnel VPN, only traffic destined for internal corporate services directly would travel over the VPN connection.

Split tunnel is therefore less secure than a full tunnel configuration, because in a full tunnel your remote users are still protected by your existing network security appliances such as content filters and/or next-gen firewalls.  This comes with an expensive tradeoff, though – you must have enough bandwidth to serve all of your users’ browsing habits!

Two Factor Authentication (2FA)

It’s extremely important that you have 2FA deployed within your organization.  It helps prevent compromise when user credentials are leaked as a part of a breach and makes it more difficult to obtain user credentials through phishing attacks.  With that said, you should be aware that 2FA is not a silver bullet for protecting user credentials on all services because 2FA can be bypassed when user devices have been compromised.

Two Factor Hangover

Risks:

  • Compromised devices which are used to prompt the user for a 2FA token may relay the token to an attacker.
  • Compromised devices may allow an attacker to steal session information and impersonate affected users.

As an example, by stealing or intercepting a session cookie for a service to which the user has already authenticated, an attacker may gain direct access to the application without needing to authenticate. Many applications (e.g. cloud-based email, collaboration tools) do not tie their session cookie to a single device, source IP or location, because if they did, roaming mobile users would have to reauthenticate every time their device switched from Wi-Fi to 4G or 5G. As a result, it is usually possible for an attacker to reuse the same session as a legitimate user.

Solutions:

  • Monitor your application logs for access from suspicious geographical locations unrelated to your typical user or business locations.
  • Do not share sensitive information such as passwords in email or chat.
  • Train your employees to report suspicious activity such as disappearing incoming email, email switching from read to unread without explanation, or password reset emails.
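The first of these solutions can be automated. The following script is an added example, not code from the original post: it scans constructed, labelled application access-log lines for the two patterns described above, a session ID that turns up from a different country than the one it was established in (the cookie-replay case) and any access from outside the countries the business expects. The log format, the field layout and the EXPECTED_COUNTRIES set are assumptions for this illustration.

```python
"""Flag suspicious session activity in application access logs.

Added example (not from the original post). The log format, field names and
EXPECTED_COUNTRIES are assumptions; the sample lines are constructed.
"""
from datetime import datetime

# Countries where this (hypothetical) business expects its users to be.
EXPECTED_COUNTRIES = {"US", "CA"}

# Constructed sample lines: time, user, session id, source IP, GeoIP country.
# The third line shows alice's session cookie being replayed from another
# country twenty minutes after it was established.
SAMPLE_LOG = """\
2020-08-19T08:02:11Z alice sess-7f3a 203.0.113.10 US
2020-08-19T08:15:42Z alice sess-7f3a 203.0.113.10 US
2020-08-19T08:21:05Z alice sess-7f3a 198.51.100.77 RO
2020-08-19T09:00:00Z bob sess-91c2 192.0.2.44 CA
2020-08-19T09:30:12Z carol sess-ab10 192.0.2.90 US
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, user, session, ip, country = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "session": session, "ip": ip, "country": country,
    }


def find_suspicious(log_text, expected=EXPECTED_COUNTRIES, max_hours=2):
    """Return a list of (kind, user, session, detail) findings.

    kind is "unexpected-country" for any access from outside `expected`, or
    "session-reuse" when the same session ID is used from a different
    country than its first use within `max_hours` (a physically implausible
    move for a person, a trivial one for a stolen cookie).
    """
    findings = []
    first_seen = {}  # session id -> (country, ip, time) of its first use
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["country"] not in expected:
            findings.append(("unexpected-country", ev["user"], ev["session"],
                             f'{ev["ip"]} ({ev["country"]})'))
        origin = first_seen.setdefault(
            ev["session"], (ev["country"], ev["ip"], ev["time"]))
        if ev["country"] != origin[0]:
            hours = (ev["time"] - origin[2]).total_seconds() / 3600
            if hours <= max_hours:
                findings.append(("session-reuse", ev["user"], ev["session"],
                                 f"established in {origin[0]} from {origin[1]}, "
                                 f"used from {ev['ip']} ({ev['country']}) "
                                 f"{hours:.1f}h later"))
    return findings


if __name__ == "__main__":
    for kind, user, session, detail in find_suspicious(SAMPLE_LOG):
        print(f"{kind:18} {user:8} {session:10} {detail}")
```

Both findings in the sample point at the same user and session, which is the shape a real cookie theft takes; in production the country lookup would come from a GeoIP database and the "expected" set from HR or office locations rather than a constant.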

EndPoint Security

When your users work from home, they have greater exposure to cybersecurity threats because inevitably they will be using their devices for both business and pleasure.  This increased usage is even more dangerous when paired with a split-tunnel VPN which does not force browser traffic to flow through enterprise security appliances and controls.

Risks:

  • Antivirus/antimalware solutions can be bypassed more easily when users are outside the protections of enterprise networks.
  • Traffic visibility may be significantly reduced.
  • Users will use their devices for personal browsing/activities, which increases their exposure.

Since your users will be using their devices more (regardless of whether they are corporate or personal), they will be more likely to encounter more threats. This makes patching and antivirus updates critical, but potentially unreliable if you do not use a VPN or if you allow personal devices on the network.

Solutions:

  • Provide up-to-date devices configured with more aggressive security profiles to high-risk individuals such as executives and executive assistant staff.
  • Closely monitor inbound and outbound connections on your remote devices.
  • Step up social engineering defense training to help combat COVID-19 related scams.
  • Educate your employees not to store or share credentials outside of password safe solutions such as 1Password, KeePass, LastPass, or Dashlane.

Final Words:

Even when lockdowns and restrictions around the coronavirus are lifted, the volume of remote workers is likely to increase.  As we’ve shown, remote users are at increased risk because they are outside of enterprise security appliances, encounter more threats by using the same devices for both business and pleasure, and aren’t necessarily covered by existing security controls.  With this in mind, it’s important to be proactive: set up increased logging, provide updated and secured devices to high-risk individuals within your organization, and limit the access that users have through VPN connections.

We hope that you stay safe, both online and off, and that you keep us in mind if you’re seeking to audit your remote worker security solutions.  In the coming week, we will be providing pricing packages specifically designed around auditing remote work solutions.

Friday, July 17, 2020

Attacks and Breaches


A former tech CEO once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”


Attacks are inevitable, and breaches are becoming more frequent. If we know what to look for we can reduce our risk and minimize any impact to the Firm and our clients.

Common types of cyberattacks include:
  • Malware: The installation of malicious software on a computer that can steal login and usage information (spyware), lock up files for money (ransomware) or otherwise compromise the computer.
  • Phishing: Cyber-attackers use malicious email messages that appear to originate from someone familiar or create a sense of urgency in an attempt to compromise the computer or steal data.
  • Man-in-the-Middle Attack: Attackers may be able to insert themselves into communications between computers and listen in on the ‘conversation’.
    • For example, if you use unsecured public WiFi, an attacker could lurk between your device and the network. As you pass your information through, the attacker can filter and steal the data as well as install malware to access your device again later.


  • Knowing that you are a target.
  • Taking care when browsing the web/reading email.
  • Following security policies and promptly installing updates.
    • Security policies describe behaviors and responsibilities identified by Firm leadership that all Firm staff and contractors must follow to more completely protect client data.
    • Installing updates and rebooting may be inconvenient, but not as inconvenient as installing malware!

Thursday, April 9, 2020

Top 10 Log Sources You Should Monitor in your Environment


There are literally hundreds of possible types of log sources around your environment, and choosing which should bubble to the top of your IT consciousness can be difficult. In a job where everything seems to be a top priority, understanding all the log types and sources available for selection can be daunting. In your environment, some logs may be more valuable than others, but having general guidance about logging and what types of logs may be available to monitor can help make you a better technologist.

There’s no way we could ever think to cover every possible source of logs, but let’s start with some of the classics and go from there.

1 – Infrastructure Devices
These are those devices that are the “information superhighway” of your infrastructure. Switches, routers, wireless controllers, and access points can be teased to provide logging information about the health and state of your environment. The logs can provide insights ranging from wireless AP hopping to hardware failures. Probably most impactful to your environment are notifications of configuration changes. Knowing who changed what and when can help you diagnose and recover from any misconfigurations.

2 – Security Devices
As organizations push towards a cloud-first methodology, the edge devices in your environment can become even more vital to your business. Your firewalls and other security devices are handling more and more traffic as loads are shifted to cloud infrastructures. The logs on these security devices can provide a plethora of interesting information—not least blocked traffic, health of the VPN, intrusion detection and prevention systems, and unusual user activity. These Security Information and Event Management (SIEM) logs may be your first defense in understanding an attack or isolating an anomaly in your user experience.

3 – Server Logs
It may go without saying, but I’m going to say it anyway: server logs can offer abundant information about the state of your environment. Windows and Linux servers are constantly pumping out logs that give you an understanding of how and why systems are behaving the way they are. There are literally hundreds of thousands of events that can trigger within an operating system and its associated applications. Knowing which log events are frivolous and which require immediate action is a skill honed on the battlefield. Regardless, you shouldn’t overlook server logs as a viable source of information.

4 – Web Servers
Yes, I’m aware that capturing web server logs can be construed as a tedious process, but it is one of the best ways, if not the best way, to understand how end users interact with your web properties. IIS, Apache, Tomcat, Web Sphere, NGINX, and every other web engine out there can provide some measure of web server logging. Depending on your needs, sometimes just understanding when people are going to your site and from where can prove invaluable to understanding the needs of your customers. Unfortunately, a web server log is a common log type that can sometimes be overlooked when organizations are developing their logging strategy.

5 – Authentication Servers
Whether you use Active Directory, an implementation of OpenLDAP, or another alternative, knowing who and what is poking around your infrastructure can be key to maintaining a good security posture. Each of your authentication servers will provide some measure of logging, but what’s key for you is understanding what to look for. Most commonly, you should be looking for token requests, authorization revocation, and authentication failures. These types of logs can aid in determining failing logins due to account expiration, isolate the source of a potential attack, and pinpoint problem areas that need to be addressed.

6 – Hypervisors
Hypervisors can let us IT professionals do our jobs better by balancing workloads and utilizing resources more efficiently. Clusters can now run hundreds, if not thousands, of simultaneous workloads.  However, much of the work associated with hypervisors is behind the curtain, and you never get to see the wizard. Your hypervisors are juggling all the time—allocate resources from this virtual machine to this one, move the storage from this cluster node to this other one, shift this entire virtual machine to another node—and it’s a precarious balance. Capturing and monitoring hypervisor logs can be one of the best ways to understand what your hypervisors are doing when you aren’t watching.

7 – Containers
Although relatively new compared to most other log types on this list, containers are becoming more and more business critical. One level up sit the container orchestration services such as Kubernetes, Docker Swarm, and Apache Mesos. These services are like hypervisors in many ways, but just different enough to warrant a separate category. Understanding why the host felt it was necessary to drop back your scaled-out deployment from eight endpoints to only four would prove useful in diagnosing and tuning. Most of this information is located only in the container logs, so make sure that you get them.

8 – SAN Infrastructure
This may seem an odd addition to this list of the best log types to monitor because of the IT trend to move towards a more hyper-converged infrastructure or moving everything to the cloud, but it’s something that’s frequently overlooked. If your fibre switch loses connectivity to a server-side transceiver, then that data is no longer available to that server. In today’s world, there are normally redundant pathways so that connectivity is not truly lost, but the scenario still applies in a multi-path environment. Say you have four connections from your server to your SAN infrastructure, but after a series of unfortunate events over several months, three of them have failed. This means that you have restricted data movement by 75%. You’ve not encountered a failure in the traditional sense, because the connectivity still exists, and data is moving, but with performance hampered this badly, is it any wonder end users are complaining? In my opinion, this is one of the top overlooked log sources.

9 – Applications
This applies to pretty much any application log. Although some software applications will leverage the operating system’s existing logging functionality for log management, these are becoming fewer and fewer. Most critical logs for applications are stored in flat files on your disks somewhere. Often, these logs are used by your application support people for troubleshooting, but what about multitier applications? If you have a front-end, middleware, and back-end deployment, each may collect logs slightly differently. Make sure you aren’t sleeping on collecting and monitoring these logs—from each tier—and getting them into a system so that you can compare transactions by lining up the timestamps.
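Lining up the tiers by timestamp is harder than it sounds, because each tier usually writes a different format and not all of them record the time zone. The script below is an added example, not part of the original article: it normalises constructed front-end, middleware and back-end log lines to UTC, groups them by a shared request ID, and reads off the end-to-end latency of each transaction. The three formats, the request-ID field and the UTC-4 offset of the back end are assumptions for the illustration.

```python
"""Line up one transaction across three application tiers by timestamp.

Added example, not from the original article. The log formats, the request
ID field and the back-end time zone are assumptions; all lines are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Tier 1 (constructed): web front end, Apache/NGINX-style access log with the
# request ID appended as the last field; timestamps carry a UTC offset.
FRONTEND = """\
203.0.113.5 - - [09/Apr/2020:14:03:21 +0000] "POST /checkout HTTP/1.1" 200 512 req-1001
203.0.113.9 - - [09/Apr/2020:14:03:25 +0000] "GET /cart HTTP/1.1" 200 128 req-1002
"""

# Tier 2 (constructed): middleware emitting one JSON object per line in UTC.
MIDDLEWARE = """\
{"ts": "2020-04-09T14:03:21.350Z", "req": "req-1001", "msg": "validated order"}
{"ts": "2020-04-09T14:03:25.120Z", "req": "req-1002", "msg": "cart fetched"}
"""

# Tier 3 (constructed): database back end writing local time (assumed UTC-4)
# with no zone marker, which is exactly the detail that breaks correlation.
BACKEND = """\
2020-04-09 10:03:22.900 req-1001 INSERT orders ok
2020-04-09 10:03:25.200 req-1002 SELECT cart ok
"""
BACKEND_TZ = timezone(timedelta(hours=-4))

FRONT_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<line>[^"]*)" (?P<status>\d+) \d+ (?P<req>\S+)$')


def parse_frontend(line):
    """Access-log line -> (utc time, request id, summary)."""
    m = FRONT_RE.search(line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), m["req"], f'{m["line"]} -> {m["status"]}'


def parse_middleware(line):
    """JSON line -> (utc time, request id, message)."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts.replace(tzinfo=timezone.utc), rec["req"], rec["msg"]


def parse_backend(line):
    """Zone-less local-time line -> (utc time, request id, message)."""
    date, clock, req, rest = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    return ts.replace(tzinfo=BACKEND_TZ).astimezone(timezone.utc), req, rest


def correlate(sources):
    """sources: [(tier, parser, text)] -> {req: [(utc, tier, msg), ...]} in time order."""
    by_req = {}
    for tier, parser, text in sources:
        for raw in text.splitlines():
            if raw.strip():
                ts, req, msg = parser(raw)
                by_req.setdefault(req, []).append((ts, tier, msg))
    for events in by_req.values():
        events.sort(key=lambda e: e[0])
    return by_req


def transaction_latency_ms(events):
    """Milliseconds from the first to the last hop of one transaction."""
    return (events[-1][0] - events[0][0]).total_seconds() * 1000


SOURCES = [("frontend", parse_frontend, FRONTEND),
           ("middleware", parse_middleware, MIDDLEWARE),
           ("backend", parse_backend, BACKEND)]

if __name__ == "__main__":
    for req, events in sorted(correlate(SOURCES).items()):
        print(req, f"{transaction_latency_ms(events):.0f} ms")
        for ts, tier, msg in events:
            print("  ", ts.isoformat(), tier, msg)
```

Without the UTC-4 correction the back-end row would sort four hours before the front-end request that caused it, which is the usual symptom of an un-normalised timestamp in a multitier trace.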

10 – Client Machines
Yes, really. In IT, a common trope is to blame the end user, but sometimes it’s not their fault.  Sometimes it’s the fault of the endpoint itself. I’m not saying that every log on every machine needs to be collected all the time—in fact, I’m saying that you should probably not do that, but selective log collection from endpoints can be critical in gaining a larger grasp of the scope of the problem. This is probably the most overlooked log type needed for actively troubleshooting issues.

Everything Else
There are additional log sources that I’ve neglected, like proxy servers, load balancers, and cloud management systems, to just name a few, but this isn’t meant to be an exhaustive list. Hopefully, after reviewing these ten log types, you gain a little perspective into what would be relevant for your situation. It’s also something to keep in mind as new hardware and software enters your infrastructure.

Whether you choose one, all, or none of these as potential log sources to monitor is dependent on your exact needs. Simply thinking about what types of monitoring or log analysis tool you need moving forward could help you choose those relevant to your situation. Every bit of information can help you gain a deeper understanding of your infrastructure and how to best handle its care and feeding. Remember, it’s not if something will go sideways, it’s when. Having the best log types to back up your decision-making can be a welcome tool in your IT arsenal.

Why You Should Monitor Windows Event Logs for Security Breaches
The ability to create custom views is only useful if you know what events might indicate an attempt to compromise your systems or an unsanctioned configuration change. In this Ask the Admin, I’ll outline some of the most important events that might indicate a security breach.

Change Control and Privilege Management
Before data in the event logs can become truly useful, it’s essential to exercise some governance over your server estate and establish who is allowed to change what, where, and when through tested business processes. When change control is implemented alongside privilege management, not only can you be more confident in maintaining stable and reliable systems, but it will be easier to identify malicious activity in the event logs.

The information in this article assumes that auditing has been configured according to Microsoft’s recommended settings in the Windows Server 2012 R2 baseline security templates that are part of Security Compliance Manager (SCM). For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.

Account Use and Management
Under normal operating circumstances, critical system settings can’t be modified unless users hold certain privileges, so monitoring for privilege use and changes to user accounts and groups can give an indication that an attack is underway. For example, the addition of users to privileged groups, such as Domain Admins, should correspond to a request for change (RFC). If you notice that a user has been added to a privileged group, you can check this against approved RFCs.

The Event Viewer User Account Management and Group Management task categories. When auditing is enabled on a member server, changes to local users and groups are logged, and on a domain controller changes to Active Directory. To enable auditing for user and group management, enable Audit Security Group Management and Audit User Account Management settings in Advanced Audit Policy. For more information on configuring audit policy, see Enable Advanced Auditing in Windows Server on Petri.



Additionally, you should check for the events listed in the table below:

Event Log   Level           ID                 Error Name                                Source
Security    Informational   4740               Account Lockouts                          Microsoft-Windows-Security-Auditing
Security    Informational   4728, 4732, 4756   User Added to Privileged Group            Microsoft-Windows-Security-Auditing
Security    Informational   4735               Security-Enabled Group Modification       Microsoft-Windows-Security-Auditing
Security    Informational   4724               Successful User Account Login             Microsoft-Windows-Security-Auditing
Security    Informational   4625               Failed User Account Login                 Microsoft-Windows-Security-Auditing
Security    Informational   4648               Account Login with Explicit Credentials   Microsoft-Windows-Security-Auditing

Application Hangs and Crashes
Frequent application hangs or crashes can indicate an attempt to disrupt service and other kinds of attack. As such, it’s prudent to monitor line-of-business applications for disruptions. Check the Application log for the following event IDs:

Event Log     Level           ID     Error Name   Source
Application   Error           1000   App Error    Application Error
Application   Error           1002   App Hang     Application Hang
Application   Informational   1001   WER          Windows Error Reporting
System        Error           1001   BSOD         Microsoft-Windows-WER-SystemErrorReporting

Event Logs and Audit Policy
If someone has cleared the event logs or changed audit policy, there’s a good chance that they’ve been trying to cover their tracks. As such, any such behaviour should ring alarm bells:

Event Log   Level           ID     Error Name                        Source
System      Informational   104    Event Log was Cleared             Microsoft-Windows-EventLog
Security    Informational   102    Audit Log was Cleared             Microsoft-Windows-EventLog
System      Informational   4719   System audit policy was changed   Microsoft-Windows-EventLog

Group Policy and Windows Firewall
Configuration settings are usually managed on workstations and servers using Active Directory Group Policy, so any failure to apply policy or make unsanctioned changes to policy objects in AD could indicate a security issue. Additionally, Windows Firewall provides an important line of defense, and any changes to firewall rules could signal an attempt to gain additional access to systems.

Event Log                                          Level           ID           Error Name                                            Source
System                                             Error           1125         Internal Error                                        Microsoft-Windows-GroupPolicy
System                                             Error           1127         Generic Internal Error                                Microsoft-Windows-GroupPolicy
System                                             Error           1129         Group Policy Application Failed due to Connectivity   Microsoft-Windows-GroupPolicy
Windows Firewall With Advanced Security/Firewall   Informational   2004         Firewall Rule Add                                     Microsoft-Windows-Windows Firewall With Advanced Security
Windows Firewall With Advanced Security/Firewall   Informational   2005         Firewall Rule Change                                  Microsoft-Windows-Windows Firewall With Advanced Security
Windows Firewall With Advanced Security/Firewall   Informational   2006, 2033   Firewall Rules Deleted                                Microsoft-Windows-Windows Firewall With Advanced Security
Windows Firewall With Advanced Security/Firewall   Error           2009         Firewall Failed to load Group Policy                  Microsoft-Windows-Windows Firewall With Advanced Security
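Once these events are being collected, the checks the article describes can be scripted. The following is an added example, not code from the article: it assumes the events have already been exported as one JSON object per line (from a SIEM or a scripted Event Viewer export) and applies three of the checks above to constructed records: privileged-group additions (4728, 4732, 4756) with no matching approved request for change, a burst of failed logons (4625) followed by a lockout (4740), cleared logs and audit-policy changes (104, 4719), and firewall rule changes (2004 to 2006). The field names EventID, Channel, TargetUserName, MemberName, SubjectUserName, IpAddress and RuleName mirror the Windows event data fields, but the records and the APPROVED_CHANGES list are constructed for this illustration.

```python
"""Triage exported Windows events against the watch list in the article.

Added example, not part of the original article. Field names mirror the
Windows event data; the records and APPROVED_CHANGES are constructed.
"""
import json
from collections import Counter

# Event IDs from the tables above, grouped by what they indicate.
PRIV_GROUP_ADD = {4728, 4732, 4756}     # member added to global/local/universal group
FAILED_LOGON, LOCKOUT = 4625, 4740
TRACK_COVERING = {104: "event log cleared", 4719: "audit policy changed"}
FIREWALL_RULE_CHANGE = {2004: "rule added", 2005: "rule changed", 2006: "rule deleted"}

# Constructed: (group, member) pairs that an approved RFC authorised.
APPROVED_CHANGES = {("Domain Admins", r"CORP\svc_backup")}

# Constructed sample export, one JSON record per line (real exports carry
# many more fields). The second 4728 has no RFC behind it; bob fails five
# logons from one address and is then locked out; a System log is cleared
# and an inbound firewall rule appears.
SAMPLE_EVENTS = r"""
{"Channel":"Security","EventID":4728,"TargetUserName":"Domain Admins","MemberName":"CORP\\svc_backup","SubjectUserName":"CORP\\admin.jane"}
{"Channel":"Security","EventID":4728,"TargetUserName":"Domain Admins","MemberName":"CORP\\tmp_user","SubjectUserName":"CORP\\helpdesk1"}
{"Channel":"Security","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.23"}
{"Channel":"Security","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.23"}
{"Channel":"Security","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.23"}
{"Channel":"Security","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.23"}
{"Channel":"Security","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.23"}
{"Channel":"Security","EventID":4740,"TargetUserName":"bob"}
{"Channel":"Security","EventID":4625,"TargetUserName":"alice","IpAddress":"203.0.113.8"}
{"Channel":"System","EventID":104}
{"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","EventID":2004,"RuleName":"Allow 3389 inbound"}
"""


def load_events(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, approved=APPROVED_CHANGES, failed_threshold=5):
    """Return a list of (severity, message) alerts in the order raised."""
    alerts = []
    failures = Counter()  # failed logons seen per target account
    for ev in events:
        eid = ev["EventID"]
        if eid in PRIV_GROUP_ADD:
            # The article's check: does the change line up with an approved RFC?
            if (ev["TargetUserName"], ev["MemberName"]) not in approved:
                alerts.append(("high", f"{ev['MemberName']} added to "
                                       f"{ev['TargetUserName']} by "
                                       f"{ev['SubjectUserName']} with no approved RFC"))
        elif eid == FAILED_LOGON:
            failures[ev["TargetUserName"]] += 1
            if failures[ev["TargetUserName"]] == failed_threshold:  # alert once
                alerts.append(("medium", f"{failed_threshold} failed logons for "
                                         f"{ev['TargetUserName']} from {ev['IpAddress']}"))
        elif eid == LOCKOUT:
            alerts.append(("medium", f"account {ev['TargetUserName']} locked out"))
        elif eid in TRACK_COVERING:
            alerts.append(("high", f"{TRACK_COVERING[eid]} (event {eid}) in {ev['Channel']}"))
        elif eid in FIREWALL_RULE_CHANGE:
            alerts.append(("medium", f"firewall {FIREWALL_RULE_CHANGE[eid]}: "
                                     f"{ev.get('RuleName', '?')}"))
    return alerts


if __name__ == "__main__":
    for severity, message in triage(load_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {message}")
```

The approved-change lookup is what turns a noisy 4728 feed into something actionable: the first addition matches an RFC and stays silent, the second does not and is raised at high severity. Threshold-based rules such as the failed-logon count should be tuned per environment, and in production the RFC list would come from the change-management system rather than a constant.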

Tuesday, January 7, 2020

PCs still running Windows 7 will soon be more at risk of ransomware

PCs still running Windows 7 when it reaches end of life on the 14th of January will be significantly more at risk of ransomware, Veritas Technologies has warned. According to experts, 26% of PCs are expected to still be running the Microsoft software after support for patches and bug fixes ends.

Windows 7 ransomware
The vulnerability to ransomware of PCs running unsupported software was demonstrated by WannaCry. Despite supported PCs being pushed patches for the cryptoworm, Europol estimated that 200,000 devices in 150 countries, running older, unsupported, software became infected by WannaCry. Although just $130,000 was paid in ransoms, the impact to business is understood to have run into the billions of dollars due to lost productivity and lost data.
Microsoft ended mainstream support of Windows 7 in 2015, giving users five years to ready themselves for the software to reach end of life.
Businesses running Windows 7 should prepare themselves in order to avoid the impact that vulnerability to ransomware could have on their organizations. Here are five tips that could help navigate this challenge:
  • Educate employees – The biggest risk is to data that employees save to unprotected locations. Ensure that users are following best practices for where to save data so that it can be secured and consider running a simulation. Saving valued data to centralized servers, data centers or to the cloud can help reduce risk.
  • Evaluate risk by understanding your data – For enterprises, insight software solutions can help to identify where key data lives and ensure that it complies with company policies and industry regulations. This is critical not only to identify the challenges but also to prioritize the recovery process.
  • Consider a software upgrade – This isn’t going to be practical for large enterprises in the time available, but it could well be part of a longer-term strategy. For SMEs, the most sensible solution might be simply to upgrade to an operating system that has ongoing support.
  • Run patches whilst you can – According to the Ponemon Institute, 60% of respondents who experienced data breaches did so despite a patch to prevent breaches being available to them. Businesses should at least make sure that they are as up-to-date as they can be whilst they can. Users will also be able to buy “ESUs” from Microsoft to access patches during their migration to newer software.
  • Ensure that data is backed up – Ransomware relies on the idea that paying a ransom is going to be the only/cheapest way to regain access to your data, yet research shows that less than half of those that pay up are actually able to recover their data from cyber criminals. Veritas advocates the “3-2-1 rule”, where data owners have three copies of their data, two of which are on different storage media and one is air gapped in an offsite location. With an air-gapped data backup solution, businesses have the much safer, and more reliable option, of simply restoring their data.
WannaCry was a clear example of the dangers that businesses can face when they are using software that has reached end of life. In January 2020, a quarter of all PCs are going to fall into this category so it’s vital that the organizations that rely on Windows 7 are aware of the risks and what they need to mitigate them.
This type of ransomware attack tends to have a disproportionate effect on organizations that can afford ransoms least – for example, we saw high-profile attacks on public sector bodies in 2017. So, it’s critical for those running Windows 7 to act now and put plans in place to ensure that they are able to protect themselves. Organizations need to understand their data and make sure that information is being stored in the right place where it can be protected and made available when needed.

Thursday, January 2, 2020

10 Tips to Steer Clear from Daily Cybercrime

When it comes to cyber security tips, we are bothered about securing social media accounts or financial accounts. Cybercrime continues to evolve, surfacing new threats that are more complex every year. Being cautious while tending to financial transactions won’t ensure that you are cyber safe. There are many digital devices that you use, different websites that you visit, and various e-commerce sites that you use for online transactions.

As a victim of identity theft, you are prone to various financial and non-financial attacks. However, when you hear about the range of cybercrimes, you might find that the best option is to avoid the internet altogether. But that’s too drastic, isn’t it?

Instead, a solution would be to become cyber aware and learn the basic precautions to protect yourself and your data. These precautionary measures also include learning how to respond when identifying others involved in criminal activities online.

What is cybercrime 

Cybercrime, in any form, is a crime that takes place online with the help of digital devices like computers, smartphones, tablets, etc. It varies from identity theft to security breaches or as a tool to commit an offense. Cybercriminals also steal data to sell in the dark market or to use it for things like cyber-stalking, harassment, child exploitation, or bullying. Terrorists also collaborate online to spread rumors or false allegations to create social disturbances.

How to protect yourself against cybercrime

1. Intensify your home network
It’s a good idea to secure your home, starting with the internet connection. The home network can be strengthened using a virtual private network with an encrypted password. A VPN encrypts the traffic until it reaches the destination, which gives less scope for criminals that intercept the connection to attain any data. It is also a good practice to use a VPN when using unprotected public wi-fi in areas like hotels, cafes, airports, etc.

2. Use a full-service internet security suite

Using an anti-virus is a good option to secure your device from viruses, worms, etc. But using a full-service internet security suite gives real-time protection from malware, including ransomware and viruses. An internet security suite will provide maximum protection to your online data.

3. Update your software

Cybercriminals often use existing flaws or exploits in the software to gain access to the system. It is, therefore, critical to update your software regularly, especially operating systems and internet security software. By patching the flaws and exploits, you are less likely to fall victim to a cyberattack.

4. Use strong password strings

Don’t use similar passwords for every website and change your passwords regularly. The passwords should be alphanumeric, along with special characters. Use strings instead of word(s) as it makes the password complex. A password management application can be used to keep your passwords secure yet accessible.

5. Manage your social media settings


An academic study performed by Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, showed that social media-enabled cybercrime contributes around $3.25 billion towards the global revenue annually. Social media is increasingly becoming a source for phishing attacks as criminals are obtaining relevant information required to crack email or bank accounts. For example, revealing your mother’s maiden name may expose the answer to the most common security question of a bank account.

6. Be prepared to handle identity theft on travel

Cybercriminals are everywhere, and they always have an eye on you. When traveling, avoid sharing your traveling plans on social media. When staying outside, use a VPN over the hotel’s unsafe wi-fi network.

7. Protect yourself from identity theft

Identity theft is performed by obtaining personal information to go undercover or for economic gain. It is important to guard your personal data and avoid being tricked by attackers. When data is shared online, it should be protected in-transit and after it reaches the destination too. Identity theft can happen anywhere and only by being assertive and alert can you protect your data.

8. Educate your children about safe internet practices

It is important to educate your children about safely using the internet. Children are easy targets for cyberbullying, and they should be taught about the acceptable ways to use the internet. They should be taught to reach out to you in case of any kind of online harassment, stalking, etc.

9. Monitor your child’s internet activity

While you talk to your children about internet safety, also teach them about identity theft. You should be careful while sharing your child’s information online and also teach your children to recognize the signs of identity theft. Monitor your child’s browsing history to understand the websites they are visiting and whether they have shared any personal information which may be used by cyber thieves.

10. Be aware of major security breaches

Stay up to date on major security breaches so that you know the many ways attackers trap users and compromise their personal information. If you have an account on a website that is breached, find out what information was compromised and change your password immediately.

What if you are a victim?

When you realize that you are a victim of a cybercrime, you should:
  • Immediately inform the police and the relevant authorized vendors, such as your credit card issuer in the case of credit card fraud.
  • Report even minor frauds to the Federal Trade Commission to help them raise awareness among people and protect others.
  • Change your login credentials and also verify the signup details of related website accounts.

Remember, staying alert is the best way to avoid further loss!

Fighting cybercrime is an obligation in the face of rising cyberattacks. Following simple security measures and reporting even the smallest cybercrimes to the relevant authority should be the foremost measure.

Tuesday, December 31, 2019

People are the weakest link

People are the most vulnerable layer of network security for most businesses. Employees at nearly all levels play important roles in protecting companies’ critical assets. That’s why responsible businesses train and test their employees, and then repeat the process with updated instructional material.
Threats change. So to be effective, training must be constantly updated too. It’s not enough to do it once. It’s an ever-evolving threat vector, so continuing to refresh is critical. Once good human safeguards are in place, a company can put more attention on the mechanical means of protecting a network.
Protecting a company’s electronic assets can be especially challenging for small and midsized companies because they often lack the security staff and other resources larger enterprises can afford.
Viewing potential targets from the perspective of a hacker might help smaller businesses devise or improve their strategy for protecting a network from outside threats. Over time I have identified general areas cyber thieves are likely to examine in attempts to penetrate a company’s security.
Below, you’ll find five possible vulnerabilities cyber thieves commonly exploit. Businesses should keep these targets and their solutions in mind while formulating or reviewing a protective strategy.
  1. Outdated software. Apply patches and updates promptly. The fact that software is reported as outdated is an indicator of potential problems.
  2. Open ports. Install a firewall if there isn’t one in place already and have it programmed to close ports that are open unnecessarily. Open ports can be pathways for intruders.
  3. Social engineering. This is a key area in which the need for continuous employee training comes into play. Beware of phishing, for example. Phishing is when hackers use email or some other means of communication to try to acquire sensitive information or infiltrate a network.
  4. Compromised credentials. Data breaches at many organizations have provided hackers access to all sorts of potentially useful information, including personal information, user names and passwords. A lot of that type of information is available on the dark web. Data breaches have increased the need for computer users to use unique and strong passwords for every account they have. In addition, they should change passwords often. Using an online password-management service can help users remember their passwords and stay organized.
  5. System exposure. Be careful what parts of your network are accessible to the public. The public might not need access to a company’s customer relationship management strategy, for example. Limit employees’ network access to only what they need to do their jobs.
It is important for companies to have a layered approach to providing security. Viewing security strategy as a series of rings encircling mission-critical assets might help. The rings start at the outer perimeter and include layers of network, endpoint, application and data security. Precautions should be implemented at every layer, not just sprinkled about here and there.
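As an added example (not code from the original post), a small Python script that performs the check behind item 2 above: it parses `ss -Hltnp` style output and reports listening TCP ports that are missing from an allowlist or owned by an unexpected process. The `ss` output below is a constructed sample, and the allowlist and process names are hypothetical placeholders.

```python
"""Audit listening TCP ports against an allowlist (added example, not from the post)."""
import re

# Constructed sample of `ss -Hltnp` output (hypothetical PIDs and processes).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1044,fd=6))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=990,fd=5))
LISTEN 0      50           0.0.0.0:5900      0.0.0.0:*    users:(("x11vnc",pid=2210,fd=4))
LISTEN 0      128             [::]:8080         [::]:*    users:(("python3",pid=3301,fd=3))
"""

# Allowlist: port -> process expected to own it (hypothetical baseline).
ALLOWED = {22: "sshd", 443: "nginx", 5432: "postgres"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Columns: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=...,fd=...))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

def parse_listeners(ss_output):
    """Return (port, process, bound_address) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((int(m["port"]), m["proc"], m["addr"]))
    return listeners

def audit(listeners, allowed=ALLOWED):
    """Return (severity, message) for each listener that breaks the baseline."""
    findings = []
    for port, proc, addr in listeners:
        expected = allowed.get(port)
        if expected is None:
            # Unknown port: reachable from the network is 'high', loopback-only is 'info'.
            severity = "info" if addr in LOOPBACK else "high"
            findings.append((severity, f"port {port} ({proc}, bound {addr}) is not on the allowlist"))
        elif expected != proc:
            # Known port owned by something other than the expected service.
            findings.append(("high", f"port {port} expected {expected} but is owned by {proc}"))
    return findings

if __name__ == "__main__":
    for severity, msg in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[{severity}] {msg}")
```

Run on the sample it flags the VNC listener on 5900 and the ad-hoc service on 8080; on a real host, feed it the output of `ss -Hltnp` and maintain the allowlist as the documented baseline for that machine.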

Monday, July 15, 2019

Why You Should Consider Cyber Insurance Coverage

We have all heard it’s not a matter of if your organization will face a data breach, but when. Why? People. Many people with bad intentions across the globe are looking for ways to get rich quick by defrauding organizations. Meanwhile, an organization’s most valuable assets, its people, fall prey to these bad actors.
 
Information and Related Costs at Risk
 
What are these bad actors interested in? Almost everything. A recent study of insurance claims for incidents indicates the following data was at risk:
 
    Payment Card Industry (PCI) - 14%
    Protected Health Information (PHI) - 15%
    Critical files - 15%
    Personally Identifiable Information (PII) - 26%
    All others - 30%
 
As reflected above, personal information such as social security numbers, birth dates, bank account information, credit card information and addresses tends to be highly sought after. Identity theft of individuals and businesses is the goal of the bad actors.
 
The average breach cost was $604,000. These costs broke down into crisis services ($307,000), legal defense ($106,000) and legal settlements ($224,000). Crisis services consisted of forensics, credit monitoring, notifications, legal guidance/breach coaches, and other related expenses.
 
A sample data breach calculator is available online through eRiskHub for you to perform your own calculation of a potential breach to your company’s data.
 
Industries at Risk
 
Small businesses and large businesses are all at risk. These bad actors see as much value in attacking a small company with thousands of dollars available as in penetrating a large business with millions of dollars. The insurance claims study found that businesses with revenue under $50 million were the targets 49% of the time. Companies with less than $2 billion in revenue accounted for 85% of the insurance claims.
 
The following industries reported the most incidents for insurance claim purposes:
 
    Professional services - 20%
    Healthcare - 17%
    Financial services - 12%
    All others - 12%
    Retail - 10%
    Education - 7%
    Nonprofit - 6%
    Technology - 6%
    Manufacturing - 4%
    Hospitality - 3%
    Public entities - 3%
 
Data Breach Mitigation Tools
 
These criminals have stepped up their phishing, spoofing and social engineering game, making it more difficult to distinguish fraud from legitimate activity. From fraudulent business email addresses posing as business owners to ransomware, these bad actors are working hard to deceive others. External threats are trying to penetrate your organization on a daily basis. Their plan? Compromise your people and your computer networks. Knowing this, you should be considering how to mitigate your cyber risks.
 
Many organizations of various sizes have been considering the following mitigation tools over the past several years:
 
    Pre-breach consultation
    Cybersecurity awareness training for employees
    Cyber crime insurance coverage
 
Proactive cybersecurity assessments are important in identifying weaknesses and opportunities to strengthen your organization’s weakest links. In addition, it’s helpful for organizations to have a formal incident response plan in place should an incident occur. Why? Because when an incident occurs, you don’t want a third party to come in blind. Responding quickly to an incident is critical, and clearly documented plans spare responders from having to reconstruct the information technology background they need.
 
Doing something to mitigate cyber liability risks is better than doing nothing. In a perfect world, your organization would implement and execute proactive and reactive cybersecurity plans. However, resource limitations are a factor, and organizations must consider insurance products to offset accepted risks.
 
Cyber Coverage Insurance
 
Odds are, if you have cyber coverage insurance, you may not know what is and isn’t covered. For example, do you have cyber liability business interruption coverage? In a 2018 survey of cyber insurance market trends, businesses were most interested in purchasing cyber business interruption insurance. Business interruption insurance covers the loss of income resulting from a disaster such as a data breach. It is important to note that not all cyber insurance policies include coverage for related business interruption.
 
The same can be said for extra expense coverage. This commercial property insurance coverage pays for additional expenses incurred above and beyond normal operating expenses. This type of coverage is critical when an incident occurs, as your organization will incur additional investigative, legal and crisis management expenses.
 
Other cyber specific coverages can include:
 
    Funds transfer/social engineering
    Cyber extortion/ransomware
    Regulatory fines/penalties
    System failure coverage
    Data restoration
    Reputational harm
    Cyber-related bodily injury and/or property damage
    Internet media liability
 
You will also want to ensure your errors and omissions insurance covers data breaches to protect you from third-party lawsuits.
 
In addition to what your cyber insurance may or may not cover, you will want to have discussions with your insurance contact regarding:
 
    Potential reduction in the premiums you pay for cyber insurance by having pre-breach consultations performed to assess your cybersecurity posture;
    Listing your preferred third party of choice to be your incident response provider should an incident occur; and
    Listing your preferred attorney with specialized cyber law knowledge.
 
By further understanding your insurance coverage, possible premium reductions and having your incident team assembled, your organization will be positioned to immediately address an incident.
 
Businesses Purchasing Cyber Coverage Insurance
 
The 2018 survey of cyber insurance market trends found that small (less than $50 million in revenue) and medium-sized businesses ($50 million to $1 billion in revenue) were driving the growth of cyber insurance. The following industries represented the majority of the new purchasers of cyber insurance:
 
    Healthcare - 42%
    Manufacturing/Industrials - 40%
    Financial Services/Insurance - 38%
    Retail/Point of Sale - 24%
    Government and Nonprofit - 18%
    Energy/Utilities - 18%
    Education - 16%
    Other - 8%
 
Drivers for Purchasing Cyber Coverage Insurance
 
Motivation for purchasing cyber coverage insurance is like fashion: buyers make decisions based on what they see in the news. The 2018 survey found news of cyber-related losses to be the number one driver of businesses purchasing cyber insurance. Other motivating factors included the business’s own experience of cyber-related losses and requirements imposed by third parties such as a customer.
 
Holistic Approach to Mitigating Data Breaches
 
Your business produces and runs on data. It’s imperative that you keep this information secure. The goal of your organization should be to identify, implement, and execute methods to protect this data at all times. This strategy should include proactive measures, reactive measures and insurance to mitigate the inevitable.
 