Are You Insured for Cyber Losses Due to IoT Devices?
RENEWAL SEASON 2021: PART THREE
Bad management leads to an increase in cyber vulnerability and potential cyberattacks. It is a matter of strategy.
The increased use of Internet of Things (IoT) devices during the COVID-19 pandemic has resulted in an increase in cyber risk that must be properly and securely managed by organizations from all industry sectors.
WHY THIS MATTERS
The benefits of remote work – continuing business operations during the pandemic and beyond – outweigh the risks if you have robust Stand-Alone Cyber Insurance to help reduce a cyber-related financial loss.
Your business stands a better chance of not only surviving but thriving after a cyberattack with a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level.
Cyber Losses Caused by IoT Devices
Your organization should be aware of these two critical cyber threats:
- Cyber vulnerabilities in open source TCP/IP stacks in IoT devices.
- Human error while using IoT devices.
Cyber vulnerabilities in open source TCP/IP stacks
A recent Forescout Research Labs report disclosed a set of 33 vulnerabilities found in four open-source TCP/IP stacks – referred to as Amnesia 33 – which collectively serve as the foundational connectivity components of millions of devices globally. A successful exploit could result in remote code execution or even data loss or theft.
In simplest terms, TCP/IP (Transmission Control Protocol/Internet Protocol) is a communications protocol for computer networks and the internet's main protocol.
Data Breach Today indicated that millions of consumer and enterprise IoT devices have software flaws in their TCP/IP stacks that could result in remote code execution, denial of service, or a complete takeover of a device. Devices from as many as 150 vendors are likely vulnerable.
Notably, the flaws impact a diverse range of embedded systems, including medical devices, industrial control systems, routers, and switches – virtually anything running a vulnerable TCP/IP stack. The largest categories of affected devices are enterprise and consumer IoT devices.
We often hear about "human error" causing a cyber incident. What does that mean?
Referring to human error means that a member of your team, or a third-party supplier, may override or circumvent your cybersecurity measures, unaware of the cyber risk.
For example, one cyber risk involves spoof emails (aka phishing emails) sent by cyber thieves to employees who may be unaware of the cyber threat. Even if employees are aware of cyber risks, they may be distracted while working from home or working remotely. They may unwittingly open a link or attachment in a text or email which releases malicious code or malware into your network, allowing fraudsters to explore your network.
Once inside your network, hackers can conduct social engineering, which means that they have time to understand your communications to help them to create authentic-looking imposter emails to use in a funds transfer scam.
Cybercrime techniques are rapidly evolving. Once hackers gain unauthorized access to your computer system or network, they have social engineering opportunities that can lead to Spear-phishing, Phishing, Smishing, Vishing, VPN attacks, Pharming, and Man-in-the-Middle attacks.
Spear-phishing – One of the most common and successful cyberattack vectors. Spear-phishing email campaigns either infect devices with malware or steal login credentials or bank account numbers. These emails appear to come from someone trusted inside the company and contain genuine-sounding content. Often, attackers have time to formulate a strategy while they are inside your network.
Phishing – In our Cyber Armada Insurance Glossary, we define phishing as fraudsters' attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising themselves as a trustworthy entity or person inside the company via an email sent to an employee. Phishing is an example of social engineering, which preys on human beings' inherent sense of trust, and is the root cause of most cyber events.
Although phishing attacks are not new, the hacker's ability to trick the recipients by posing as a bank, cloud provider, tech support, or a courier service remains the critical contributing factor in their success rate. Attackers know they can lure users into clicking malicious links or divulging sensitive data, so they continue to win with this attack vector.
While some phishing attempts are more obvious fakes (poorly written, incorrect grammar or spelling, foreign email addresses, or unusual sender names), others are well-researched and reference specific details that lend credibility and foster trust.
Smishing – A variation on phishing using short message services (SMS) (aka texting). It is a form of attack where imposters send text messages as if they are from your bank, credit card company, health insurance provider, or public health authorities regarding COVID-19.
Vishing – A variation on phishing using voice (aka vishing) is a form of attack by an imposter (customer service, tech support, or a service provider) attempting to trick victims into giving them sensitive personal information over the phone.
Vishing scams often use automated voice simulation to capitalize on the fact that people are more likely to trust a human voice, thus capturing credit card numbers, health insurance numbers, or passwords.
Virtual Private Network (VPN) Attacks – occur during COVID-19 remote work when employees mistakenly grant hackers access to your network by providing them with their VPN login credentials, as we reported in our recent Cyber Threat Alert on VPN vulnerabilities.
Pharming – A form of attack by cybercriminals that redirects or lures targets to fake look-alike websites controlled by the attackers, allowing them to steal login credentials or payment card information or to install malware on their computers.
Man-in-the-Middle (MitM) Attack – A form of digital eavesdropping, where cybercriminals intercept communications and send fraudulent messages or information that appears entirely genuine.
This form of attack often begins with a legitimate communication between two targets, with attackers acting as passive listeners, altering the contents of your messages, or impersonating the person or system by taking over the communication. The fraudsters are intent on stealing your credit card number or breaking into your network.
Cybersecurity Risk Management Plan
Due to the rapid increase in cyber threats, including ransomware attacks, funds transfer fraud (FTF), and invoice manipulation, your organization would do well to review and revise your cybersecurity risk management plan and cyber insurance coverage for 2021.
- Decrease Human Error
Assume that there will be some human error due to distractions in remote work environments or outright trickery in ATP phishing email campaigns.
Develop a cybersecurity policy to ensure that your employees are aware of cyber threats. Prevent a single employee from becoming the gateway into your systems via a phishing email scam.
Regularly-tested employee awareness training is vital, so much so that some cyber insurance carriers now provide financial support for those efforts.
- Update All Systems
As threats become more frequent and severe, system updates are vital. Legacy systems that lack the latest security protocols are more vulnerable and need patching if available.
- Manage Strong and Unique Passwords
Passwords should be strong and unique (a random combination of letters, numbers, and special characters), updated regularly on a schedule, and stored offline, not on computers.
- Dual Control (aka Two-Factor Authentication) (2FA)
Implement a security procedure requiring two people to authenticate a bank wire or funds transfer. Implementing dual control helps prevent fraudulent bank wires that may arise out of phishing or social engineering attempts. Dual control can be accomplished by a phone call to the bank wire recipient, verifying the transaction with an executive, or implementing formalized procedures with a financial institution.
- Backup Databases
As a precaution, you should regularly back up essential data, such as customer contacts and order information, in multiple locations. If you can access your data from alternative hard drives or the cloud, you will be in a better place post-ransomware attack. Lengthy data recovery means more extended business interruption, more impact on your bottom line, and more damage to your reputation.
- Use Antivirus Software, Firewalls, and Ransomware Protection
Choose the best anti-virus software, ransomware protection software, and firewalls to prevent unauthorized access to your networks and computer systems.
- Be Resilient – Prepare and Pre-Test the Incident Response Plan (IRP)
The response you plan for and pre-test will likely be your real-time response. Are you ready? We explored the need for resiliency planning in our previous article.
- Invest in Stand-Alone Cyber Insurance
Stand-Alone Cyber Insurance is your go-to option when you are looking to transfer some of your residual cyber risk, that is, the risk from IoT devices or human error that cybersecurity measures do not prevent.
Location, location, location – many Stand-Alone Cyber Insurance policies provide broad, affirmative coverage for a breach or security event regardless of whether it occurs in the workplace, remotely, or while working from home.
Benefits of Stand-Alone Cyber Insurance:
- Employee awareness training is top-of-mind during the renewal season and as we approach 2021. Some cyber insurance carriers support your proactive steps to prevent or reduce human error via training.
- If you suffer a data breach, your business will need to:
  - Stop the breach
  - Conduct a forensic investigation
  - Notify all those impacted
  - Recover or restore your data
  - Use public relations to maintain your brand, and
  - Defend third-party liability claims or lawsuits for damages by injured parties.
- If you suffer a ransomware attack:
  - You can obtain support in negotiating the ransom demand, and
  - Be compensated for the ransom payment (made with the prior written consent of the insurer).
- If you experience business interruption from a cyberattack:
  - You can be compensated for lost profits, and extra expenses such as payroll, during the downtime (after a brief waiting period).
- If you experience funds transfer fraud:
  - You can obtain support in recouping some of the funds and compensation for the funds that are not recovered.
Cyber Armada Insurance is prepared to help your company explore your opportunities to reduce and survive financial loss from a cyber event during renewal season and all year round.
- The COVID-19 pandemic has resulted in an increase in cyber risk that must be challenged by businesses and organizations from all industry sectors. It will help if you:
  - Warn your employees to watch out for cyberattack vectors and ensure basic cyber hygiene when they bring their own devices (BYOD) and use IoT devices provided by the company.
  - Implement cyber hygiene protocols that include unique, secure passwords, regular patching and updates to software and operating systems, multi-factor authentication for funds transfers, and thinking carefully before clicking on a link or handing over login credentials.
- The benefits of remote work – continuing business operations during the pandemic and beyond – outweigh the risks if you have robust Stand-Alone Cyber Insurance to help reduce a cyber-related financial loss.
- Your business stands a better chance of not only surviving but thriving after a cyberattack with a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level.
- Cyber Armada and its cyber insurance carriers are ready to support policyholders 24/7 during the COVID-19 crisis and beyond.
Reach out to Cyber Armada Insurance to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks and the importance of your investment in appropriate cyber insurance.
Contact Cyber Armada today to explore how your company can solve potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our next article on supply-chain cyber risk.