YOUR CYBER SECURITY Ben Goodall PSC Griffiths Goodall, Managing - - PowerPoint PPT Presentation



Slide 1

YOUR CYBER SECURITY

Ben Goodall – PSC Griffiths Goodall, Managing Principal
Nathaniel Barrs – PSC Insurance Group, Director of Operations
19 May 2020

Slide 2

Agenda for Today

  • Today’s Environment – Covid-19 Influences
  • Types of Cyber Crimes
  • Types of Cyber Insurance Claims
  • Prevention is Better Than The Cure
    – Risk Management Strategies
    – Technical Considerations
    – Communication Apps
  • Cyber Insurance - Part of Your Risk Management Framework

NB. The information provided in this seminar contains general advice only and does not take account of your individual circumstances or needs. You should always consider any PDS wordings prior to making a decision on purchasing insurance products. We refer you to our financial services guide, which contains details of our services and how we are remunerated.

Slide 3

Cyber and Privacy Risks Facing Your Organisation

As the world continues to deal with the economic and operational challenges of the global COVID-19 pandemic, cyber criminals are seeking to exploit new work practices and capitalise on uncertainty. Organisations should be conscious of the general data, privacy and business risks and how to mitigate these.

Slide 4

Working from Home - Privacy & Cyber Security

  • The speed at which organisations have been forced to respond to social isolation restrictions as a result of COVID-19 could be leaving many organisations vulnerable to attack by threat actors rushing to exploit the situation.
  • There are increased risks associated with remote working. These generally include:
    – increased risk of cyber-crime, where criminals will look to exploit changes to business environments to extract funds or personal information from employees; and
    – risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms.
  • The Australian Competition and Consumer Commission’s “Scamwatch” has received over 100 reports of Coronavirus scams in the last three months, and the volumes continue to rise substantially.

Slide 5

Types of Cyber Crimes/Exposures

  • Phishing emails – these aim to trick recipients into clicking links in emails that subsequently open up software in the background that scans their computer for vulnerabilities and downloads malware.
  • SMS scams – there are Coronavirus text messages circulating that purport to be from the Australian Government. These messages encourage people to click the link to access testing locations near them. If the link is clicked, the phone is redirected to a website where cyber criminals will download malware, or a computer virus, onto the phone. In this particular scam the criminals attempt to steal banking credentials when the user logs in, providing access to the user’s money.
  • Social Engineering – where a third party impersonates another party, such as a CEO or a supplier, and authorises things such as a payment or a change of bank account prior to a large payment, or something similar.
  • Human Error – a simple keying error can sometimes have a huge impact.

These things REALLY HAPPEN

Slide 6

Don’t think all threats are from ‘the outside’

Staff can and sometimes do procure intellectual property from your business for future unauthorised use:
  – Client lists
  – Patents
  – Price lists
  – Intellectual Property
  – Privacy Obligations to Your Clients

There is an increased risk of unauthorised access of this information when staff are working remotely and unsupervised.

Slide 7

Types and examples of Cyber Claims

Example – Employee Error
An internal employee for an organisation accidentally attached the wrong file when sending an email to four job applicants. The file included HR demographic data consisting of former employee names, addresses and personal info. Below is the summary of the costs and the insurer's breakdown.

Privacy Liability - mismanagement of personal and/or corporate confidential information, violation of company privacy policy:
  • Defence expenses arising from regulatory investigation – $100,000
  • Defence and settlement costs for claims from employees that had identity stolen – $250,000

Incident Response Expenses:
  • Incident Response Manager Fees – $7,000
  • Notification of affected individuals – $5,000
  • Identity theft monitoring services for affected individuals – $28,000
  • Legal consultation fees – $25,000

Total Cost: $415,000

Slide 8

Types and examples of Cyber Claims

Example – Ransomware
An insured’s server and client records (law firm) were locked by an attack via ransomware. Insured and insurer were only able to have the records released after a $50,000 ransom was paid to hackers.

Extortion and network interruption:
  • Ransom payment – $50,000
  • Fine/Penalty due to breach – $75,000
  • Network Interruption – $150,000
  • Legal Costs – $11,000

Total Cost: $286,000

Slide 9

Types and examples of Cyber Claims

Example – Push Payment
System is breached by a hacker who is monitoring outgoing invoices; they:
  • Identify the invoice
  • Produce false versions
  • Interrupt the communication between vendor and client and feed ‘new’ false banking information via social engineering

Financial Impacts
  • Unpaid Monies/invoice – $700,000
  • Forensic costs – IT and Accounting – $10,000

Total Cost: $710,000

Non Financial Costs: Reputational, Insurer Negotiations for settlement, Confidence Impacts on Business

Slide 10

The Prevalence of Different Cyber Claims

Source - CFC Underwriting, London

Slide 11

So What Can you Do?

  • Passwords – enforce complex password requirements for all email accounts and other systems used to hold sensitive data (e.g. payroll systems, HR systems or client management systems).
  • Multi Factor Authentication – whenever possible enforce multifactor authentication requirements for all remote access sessions.
  • Secure connection – ensure remote connections to systems are secure, including removing open RDP ports and implementing secure VPN connections where possible.
  • Ensure your systems, including Virtual Private Networks and firewalls, are equipped with the most up-to-date security patches.
  • If you use a remote desktop client, ensure it is as secure as possible.
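The slide's remote-access and patching points can be checked on an individual Windows host. The script below is an added example, not part of the presentation or any PSC material: it is a read-only audit that reports whether Remote Desktop is enabled, whether it requires Network Level Authentication, whether TCP 3389 is listening and allowed inbound on the Public firewall profile, and how long ago the last hotfix was installed. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later, that the built-in firewall rule group carries its English display name "Remote Desktop", and that the 30-day patch-age threshold is a policy choice of your own; multi-factor authentication itself is enforced at the VPN or identity provider, so the host-level check can only confirm that RDP is not reachable without it.

```powershell
# Added example: host-level audit of the remote-access and patching advice on this slide.
# Read-only; it reports findings and changes nothing.
# Assumptions: elevated session, Windows 10 / Server 2016+, English firewall group name,
# 30-day patch-age threshold chosen for illustration.

$findings = @()

# 1. Is Remote Desktop enabled at all?  fDenyTSConnections = 1 means RDP is disabled.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host; confirm it is required and reachable only over the VPN.'

    # 2. If RDP stays on, Network Level Authentication should be required (UserAuthentication = 1).
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    if ($nla.UserAuthentication -ne 1) {
        $findings += 'RDP does not require Network Level Authentication (UserAuthentication = 0).'
    }
}

# 3. Is anything listening on TCP 3389, and does the firewall allow it in from untrusted networks?
$listener = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
if ($listener) {
    $findings += 'TCP 3389 is in the LISTEN state on this host.'
}
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rdpRules) {
    # Profile is a bitmask: 0 = Any, 1 = Domain, 2 = Private, 4 = Public.
    $profile = [int]$rule.Profile
    if ($profile -eq 0 -or ($profile -band 4)) {
        $findings += "Inbound RDP firewall rule '$($rule.DisplayName)' is enabled on the Public profile."
    }
}

# 4. Patch currency: days since the most recently installed hotfix.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    if ($age -gt 30) {
        $findings += "Last hotfix ($($latest.HotFixID)) was installed $age days ago; check Windows Update."
    }
} else {
    $findings += 'No hotfix history found; verify update status by another means.'
}

if ($findings.Count -eq 0) {
    'No findings: RDP is disabled or locked down, and patches are current.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on each remote-access host (or push it through your endpoint management tool) and treat any FINDING line as an item for the IT review the later slides call for; a host with RDP enabled, no NLA and a Public-profile allow rule is exactly the "open RDP port" the slide says to remove.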
Slide 12

More Things That You Can Do…..

  • Ensure your work devices are secure, e.g. laptops, mobile phones.
  • Stress testing – where possible, organisations should be stress testing technologies and configurations ahead of time to determine if there are any unanticipated gaps.
  • Least privilege access management – limit access to particular systems and restrict privileges on those accounts to only those who require it to perform their role.
  • Phishing awareness training – educate employees about the risk of phishing emails, especially while working from home. Encourage employees to call the sender if they have the slightest doubt about the authenticity of an email.
  • Educate and inform your staff and stakeholders on cyber security practices. Example: detecting socially-engineered messages, recognising a phishing email or SMS.

Slide 13

And Don’t Forget…

Cyber insurance should be a critical part of your Cyber Risk Management Plan.

Slide 14

Simple do’s and don’ts

Do’s

  • Be vigilant on phishing attempts
  • Apply the rule “if in doubt, seek advice” – you are probably right and the risk isn’t worth it!
  • Wherever possible use your company VC solution

Don’ts

  • Download attachments from unknown or untrusted sources
  • “Enable Content” in unknown Word documents
  • Share login credentials with unknown or suspicious providers (there is NEVER a legitimate reason for a third party to require your login credentials)
  • Accept video conferencing meeting invitations from a non-trusted or unknown source.
Slide 15

Technical Tips

Applications – check what security is offered by the application provider:
  a) Is multi-factor authentication offered?
  b) Is end-to-end encryption offered?
  c) Does the provider keep any metadata from your conferences (or other data)?
  d) If data is collected, how is it used?
Read the provider's terms and conditions to check your organisation's rights and the provider's obligations.

Video Conference – what security is in place:
  a) Ensure your organisation has the latest security and software updates installed for the tele/video conferencing facility you use;
  b) Hold tele/video conferences in private rooms, not shared spaces (not a technical solution, more an operational caution);
  c) Password protect access to your tele/videoconferences;
  d) Allow only invited participants to join tele/videoconferences (lock down participants);
  e) Ensure invitations are sent to the right people and only those attend.

Lastly, ensure your IT team complete a full review of all systems, servers, routers, firewalls and applications to ensure you are aware of exposures/gaps and in turn are prepared to respond ahead of time.

Slide 16

Zoom, Skype, WhatsApp

Are these programs secure, private, confidential?

Cyber criminals are seeking to exploit the popularity of communication applications, including one application in particular (which has received significant media attention). Security intelligence suggests that no one particular application is being targeted, which means that all applications should be carefully reviewed. Rules to follow:

  • If it's free, be wary: these applications are widely spread global platforms and, due to the nature of their revenue generation (advertising), they are more open source.
  • Free applications' terms and conditions often state they will collect data from your activities, browsing, etc. (open to post scanning).
  • No matter what the network, it can be compromised, so promote exercising caution across your business and educate staff on risks previous, current and potential.

Slide 17

Remember…Simple strategies are often the best, so encourage your staff to…

1. Take extra care if they receive emails and files from unknown senders, particularly if they contain special deals or discount offers;
2. Educate staff on how to identify suspect emails;
3. Don’t accept meeting requests from unknown sources;
4. Use headphones rather than speakers to prevent others listening in to phone calls;
5. If in doubt, don’t open or attend; call the sender to confirm.

Remember there was never a Denial of Service attack using a telephone.

Slide 18

What Should Your Insurance Policy Cover?

  • No IT security system is 100% secure
  • Even your most vigilant employees may make a judgement error
  • Cyber Incidents can have a devastating Financial Impact on Your Business
  • Cyber Insurance goes further than traditional insurance and offers business end-to-end risk management solutions to stay ahead of cyber risk. Insurance helps safeguard against data breaches, hacking, employee error and more.

Slide 19

What Should Your Insurance Policy Cover?

What’s covered?

  • Assistance in response management and crisis management (forensics, legal/PR, notification, navigating penalties, liabilities)
  • Data Liability
  • Fines and investigations
  • Electronic Data
  • Media Liability
  • Extortion
  • Network Interruption
Slide 20

Benefits of Cyber Insurance

  • Financial compensation to recoup costs of an IT security breach – including business interruption, IT recovery costs, ransom payments, forensic investigations etc.
  • Fines and penalties – payment of fines and penalties imposed by government or regulatory authorities. These can amount to $1.7 million.
  • Third party liability - compensation for clients / customers who suffer financially or emotionally as a result of a data privacy breach / data theft.
  • Notification costs – compensation to cover the costs of customer notification, and credit monitoring services for affected parties.
  • Legal defence costs – cover for costs associated with legal advice and representation in connection with formal investigations by authorities.
  • Reputational damage - cover for the cost of professional consultants to assist in repairing reputational damage to a company’s brand as a result of a cyber-attack.
  • Digital Media – damages and defence costs incurred in connection with a breach of third party intellectual property.
  • Loss Prevention – assistance with infrastructure vulnerability, IP/Domain protection, employee training and awareness.

Slide 21

PSC Griffiths Goodall: Cyber Insurance Specialists

Thank You For Your Time

What Next…
Copy of Presentation: www.pscggib.com.au
Any Questions: bgoodall@pscggib.com.au or nbarrs@pscinsurancegroup.com.au
What To Do If You Have a Cyber Attack/Incident: Our Team will reach out to discuss your individual Cyber needs