Maybe it’s because people are bored at home. Maybe it’s because we’ve let our guards down. Maybe bad guys are upping their games. Or maybe it’s all of the above. But recent notes from both large insurers and state and federal authorities are issuing stark warnings about the likelihood of targeted cyberattacks, and the potential costs of those attacks, both in terms of financial loss and physical damage.
Recently, Lloyd’s of London issued a warning that insurers should focus increasing attention on the fact that a cyberattack affecting manufacturing and/or energy industries could not only create privacy problems but could physically mess with actual operations resulting in physical damage. These risks are the lifeblood and nightmares of insurers, who are concerned about this relatively new cohort of exposures. All of which add up to dollars laid out to compensate their customers, and which end up costing those of us who pay for insurance more in premiums than we’re already paying. Truthfully, insurance is a giant black hole to me—I pay in and hope that I’ll never need to use it, but I wouldn’t dare be without it.
Consider the
recent attempt by an, as yet unidentified, hacker to affect the water supply in suburban Tampa. There, an outdated computer system (think vulnerable Windows 7) was hacked, resulting in a modification of the chemical treatment process used by the municipality. Were it not for the keen eye of a plant staff member who noticed the cursor on the screen moving seemingly on its own, the staffer took swift action, thus averting a crisis that could have sickened many people. This quick staff action reversed the change that the hacker made and saved the day. But the takeaway is that a) things like this can happen, b) the result of such an attack could have been much worse, c) we’re more vulnerable than we’d like to be, and d) attempts to hijack the manufacturing and energy sector businesses are likely to increase.
Insurance agents, from the largest to the smallest, are now often suggesting the acquisition of insurance against cybercrime, including the possibility of its use to fund ransomware attacks. That is, insurance regulators and the companies themselves are concerned that insurers who fund ransomware payouts are only making such attacks more attractive to the bad guys who perpetrate them. Specifically, the New York Department of Financial Services (DFS) issued
guidance in early February suggesting in no uncertain terms that companies that have purchased insurance against ransomware attacks may be lulled into ignoring other system vulnerabilities (software upgrades, password sophistication, etc.) because “the insurance will cover it.” According to the New York DFS, this is a “bad move.”
This approach has two inherent problems. First, it keeps insured enterprises from following best practices regarding software and hardware updates that are designed to minimize hacking risks. Secondly, it lulls those same enterprises into a false sense of security. They assume that in the event of a breach or problem, existing insurance—particularly costly cyber insurance – will cover the cost.
But the problem is far greater than cost, either in terms of the payment of ransom or the repair. This attitude does nothing to address the issues of technical and physical damage that competent hackers can wreak in an under-prepared technology-based, vulnerable environment. To be fair, IT staff tasked with security issues is often overburdened and under-resourced with many time-sensitive responsibilities, so it’s not as though they don’t care about these frequently emerging vulnerabilities—they just have other more pressing priorities. And this is precisely the concern of the insurers (that, and of course, missing their own bottom lines as they have to pay out for occurrences that neither the insurers nor the insured simply hadn’t anticipated require attention).
The seven recommendations for enterprise consumers are:
- Get cyber insurance if you’re at all concerned and be prepared to pay dearly for it.
- Understand what your cyber-insurance covers and how to invoke coverage.
- Understand what your cyber-insurance doesn’t cover
- Test existing and new systems for vulnerabilities on a regular and systematic basis. You can’t protect your enterprise if you don’t know where those vulnerabilities lie.
- Enforce basic security practices such as password creation and updating.
- Request compliance certification from vendors with whom the enterprise does business, and be sure that the levels of security provided by third parties are up to the standard of the enterprise. This should be done at least annually.
- Lastly, as budgeting season approaches, remind everyone involved that even in a tight economy, investment in ongoing information security is not a luxury, but an essential element of a healthy enterprise.
I always want to be careful to not be No Jitter’s own version of Chicken Little. The sky isn’t falling. But as cyber criminals become stealthier and more aggressive, enterprises need to not only be wary-- but vigilant--to keep the cyber thieves and stalkers at bay. In the long run, protective steps, which may never be able to generate a visible ROI (if one is provable at all) will become increasingly important. Often, simply knowing such measures have been taken by an enterprise will keep cybercrooks moving down the road in search of more vulnerable targets.
