YOUR CYBER SECURITY Ben Goodall – PSC Griffiths Goodall, Managing Principal Nathaniel Barrs – PSC Insurance Group, Director of Operations 19 May 2020 1
Agenda for Today Today’s Environment – Covid-19 Influences • Types of Cyber Crimes • Types of Cyber Insurance Claims • Prevention is Better Than The Cure • Risk Management Strategies – Technical Considerations – Communication Apps – Cyber Insurance - Part of Your Risk Management Framework • NB. The information provided in this seminar contains general advice only and does not take account your individual circumstances or needs. You should always consider any PDS wordings prior to making a decision on purchasing insurance products. We refer you to our financial services guide which contains details of our services and how we are remunerated. 2
Cyber and Privacy Risks Facing Your Organisation As the world continues to deal with the economic and operational challenges of the global COVID-19 pandemic, cyber criminals are seeking to exploit new work practices and capitalise on uncertainty. Organisations should be conscious of the general data, privacy and business risks and how to mitigate these. 3
Working from Home - Privacy & Cyber Security • The speed at which organisations have been forced to respond to social isolation restrictions as a result of COVID-19 could be leaving many organisations vulnerable to attack by threat actors rushing to exploit the situation. There are increased risks associated with remote working. These generally include: • increased risk of cyber-crime, where criminals will look to exploit changes to business – environments to extract funds or personal information from employees; and – risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms. • The Australian Competition and Consumer Commission’s “Scamwatch” has received over 100 reports of Coronavirus scams in the last three months, and the volumes continue to rise substantially. 4
Types of Cyber Crimes/Exposures • Phishing emails – these aim to trick recipients into clicking links in emails that subsequently open up software in the background that scans their computer for vulnerabilities and downloads malware. SMS scams – there are Coronavirus text messages circulating that purport to be from the • Australian Government. These messages encourage people to click the link to access testing locations near them. If the link is clicked, the phone is redirected to a website where cyber criminals will download malware, or a computer virus onto the phone. In this particular scam the criminals attempt to steal banking credentials when the user logs-in, providing access to the user’s money. Social Engineering – is where a third party will impersonate another party such as a CEO or a • supplier and authorise things such as a payment or a change of bank account prior to a large payment or something similar • Human Error – a simple keying error can sometimes have a huge impact These things REALLY HAPPEN 5
Don’t think all threats are from ‘the outside’ Staff can and sometimes do procure intellectual property from your business for future unauthorised use Client lists – Patents – Price lists – Intellectual Property – Privacy Obligations to Your Clients – There is an increased risk of unauthorised access of this information when staff are working remotely and unsupervised 6
Types and examples of Cyber Claims Example – Employee Error An internal employee for an organisation accidentally attached the wrong file when sending an email to four job applicants. The file included HR demographic data consisting of former employee names, addresses and personal info. Below is the summary of the costs and insurers breakdown. Privacy Liability - mismanagement of personal and/or corporate confidential information, violation of company privacy policy: • Defence expenses arising from regulatory investigation $100,000 • Defence and settlement costs for claims employees that had identity stolen. $250,000 Incident Response Expenses: • Incident Response Manager Fees $7,000 • Notification of affected individuals $5,000 • Identity theft monitoring services for affected individuals $28,000 • Legal consultation fees. $25,000 Total Cost: $415,000 7
Types and examples of Cyber Claims Example – Ransomware An insured’s server and client records (law firm) were locked by an attack via ransomware. Insured and insurer were only able to have the records released after a $50,000 ransom was paid to hackers. Extortion and network interruption: – Ransom payment $50,000 - Fine/Penalty due to breach $75,000 - Network Interruption $150,000 – Legal Costs $11,000 Total Cost: $286,000 8
Types and examples of Cyber Claims Example – Push Payment System is breached by a hacker who is monitoring outgoing invoices they….. • Identify the invoice • Produce false versions • Interrupt the communication between vendor and client and feed ‘new’ false banking information via social engineering Financial Impacts • Unpaid Monies/invoice $700,000 • Forensic costs – IT and Accounting $10,000 Total Cost: $710,000 Non Financial Costs Reputational, Insurer Negotiations for settlement, Confidence Impacts on Business 9
The Prevalence of Different Cyber Claims 10 Source - CFC Underwriting, London
So What Can you Do? • Passwords – enforce complex password requirements for all email accounts and other systems used to hold sensitive data (e.g. payroll systems, HR systems or client management systems). • Multi Factor Authentication – whenever possible enforce multifactor password requirements for all remote access sessions. • Secure connection – ensure remote connections to systems are secure, including removing open RDP ports and implementing secure VPN connections where possible. • Ensure your systems, including Virtual Private Networks and firewalls, are equipped with the most up-to-date security patches • If you use a remote desktop client, ensure it is as secure as possible. 11
More Things That You Can Do….. • Ensure your work devices are secure e.g. laptops, mobile phones. Stress testing – where possible, organisations should be stress testing technologies and • configurations ahead of time to determine if there are any unanticipated gaps. Least privilege access management – limit access to particular systems and restrict • privileges on those accounts to only those who require it to perform their role. • Phishing awareness training – educate employees about the risk of phishing emails especially while working from home. Encourage employees to call the sender if they have the slightest doubt about the authenticity of an email. • Educate and inform your staff and stakeholders on cyber security practices. Example: detecting socially-engineered messages, recognising a phishing email or SMS. 12
And Don’t Forget… Cyber insurance Should be a critical part of your Cyber Risk Management Plan. 13
Simple do’s and don’ts Do’s Be vigilant on phishing attempts • Apply rule “if in doubt seek advice” you are probably right and the risk isn’t worth it! • • Where ever possible use your company VC solution Don’ts • Download attachments from unknown or untrusted sources “Enable Content” in unknown Word documents • Share login credentials with unknown or suspicious providers (there is NEVER a legitimate • reason for a third-party to require your login credentials) • Accept video conferencing meeting invitations from a non trusted or unknown source. 14
Technical Tips Applications - checking what security is offered by the application provider is multi-factor authentication offered? a) Is end-to-end encryption offered? b) Does the provider keep any metadata from your conferences (or other data)? c) If data is collected, how is it used?; d) Reading the provider's terms and conditions to check your organisation's rights and the provider's obligations; Video Conference– what security is in place a) ensure your organisation has the latest security and software updates installed for the tele/video conferencing facility you use; b) Hold tele/video conferences in private rooms, not shared spaces (not a technical solution more an operational caution) Password protect access to your tele/videoconferences; c) Allowing only invited participants to join tele/videoconferences; (lock down participants) d) And ensuring invitations are sent to the right people and only those attend e) Lastly ensure your IT team complete a full review of all systems, servers, routers, firewalls and application to ensure you are aware of exposures/gaps and in turn are prepared to respond ahead of time 15
Recommend
More recommend
