As technology continues to evolve, and elements of our lives become heavily entwined with the online world, individuals and businesses are becoming increasingly exposed to data theft and malicious online attacks. Accordingly, it is essential to understand how you can protect your sensitive data, and minimise the costly financial and legal fallout.
Now is the time to act – understand the cyber risks, review your online risk management strategies, and make sure you have an active Cyber Insurance policy.
This article outlines several common forms of cyber attacks to watch out for, as well as key strategic measures your business can implement to minimise exposures and associated losses.
Common methods of cyber-attack
1. Ransomware
A type of Malware (MALicious softWARE – i.e. adware, spyware, worms, viruses, and Trojans), ransomware is designed to lock a victim’s system, or encrypt files on their computer. The perpetrator then demands a ransom be paid before they ‘promise’ to provide the victim with the decryption keys or software needed to regain access.
In 2017, two notorious ransomware incidents – Petya and WannaCry – stole global headlines when they wreaked havoc, causing costly disruptions to businesses. Key company systems were made inaccessible until ransoms were paid. WannaCry alone is estimated to have cost companies in excess of $4 billion in damages worldwide (i).
Should your business fall victim to a ransomware attack, it is generally advised not to pay the ransom. Remember, the attacker is under no obligation to provide the decryption software, even if the ransom has been paid. While this choice may result in the loss of valuable data, it also effectively stalls the attacker from inflicting more damage, and saves you the expense of paying the ransom.
Minimising the risk to your business:
- Perform regular back-ups of your hard drives and servers – This can help minimise the damage caused by a ransomware attack. Ensure that back-ups of your data are performed regularly and kept in a secure location (ideally offline or otherwise isolated from your network, so the back-ups themselves cannot be encrypted) so you can speed up the recovery of your files after an attack.
- Purchase Cyber Insurance – Cyber Liability insurance can provide financial compensation for victims of cyber extortion, including ransoms paid in order to regain control of their data.
Looking for more helpful tips to avoid ransomware?
One of the world’s best-known digital security providers, Norton, has published a list of the Top 7 Do’s and Don’ts for preventing a ransomware attack.
2. Denial of Service (DoS) & Distributed Denial of Service (DDoS)
Denial of Service (DoS) attacks occur when a single computer is used to overload a company’s network bandwidth with excess traffic, causing their victim’s systems to slow drastically to the point where websites and servers no longer function.
Distributed Denial of Service (DDoS) attacks occur when multiple computers are compromised, and used to perpetrate a DoS attack. The motivation behind these attacks is to disrupt and/or sabotage operations, causing significant disruption to a business on the receiving end. In 2016, the Dyn DDoS attack caused havoc globally, shutting down the websites and services of high-profile companies including Netflix, Amazon, Twitter and The New York Times (ii).
Minimising the risk to your business:
- External Cloud Mitigation Providers – A common way to mitigate a DoS / DDoS attack is by using an external Cloud Mitigation Provider. This can spread the attack across various networks with a huge bandwidth. By taking the additional traffic on-board, and screening the incoming traffic, a Cloud Mitigation Provider can ensure only clean traffic is coming through to your website, and is currently the most cost-effective solution (iii).
- Purchase Cyber Insurance – a Cyber Liability Insurance policy can provide cover to recoup net income that would have been earned while systems experienced a disruption.
3. Email-origin attacks – ‘Phishing’
Since the turn of the century, individuals and businesses have been subjected to an increasing number of email scams. From malicious software and viruses hidden behind hyperlinks or attachments, to requests for bank details so you can ‘inherit’ unfathomable riches, cyber criminals are becoming increasingly sophisticated.
While these types of attacks, known as ‘phishing’, seem simple in nature, they accounted for over 91% of cybercrime incidents in 2017 (iv).
Phishing scams generally involve a request for sensitive information from an individual or organisation that appears ‘trustworthy’ on the surface, but in reality is a cybercriminal attempting to extract lucrative information. Examples of sensitive information include bank account details, usernames and passwords. Information obtained is primarily used to access or manipulate a target network, or perform fraudulent activity under the victim’s name.
Related terminology includes:
- ‘Spear-phishing’ – attacks targeting a specific individual, and
- ‘Whaling’ – attacks targeting high-profile individuals such as a corporate executive, politician or celebrity.
Examples of Phishing scams include:
- Fraudulent emails from banks and essential service providers (gas, internet, electricity, etc.)
Supplying your username and password or bank account details to an unreliable source can leave you open to financial theft, identity theft and the potential for fraudulent activity to be committed under your name.
- Google Drive / OneDrive emails stating a ‘secure document’ has been sent to you
The ‘secure document’ most likely contains a virus or malware that can infect your computer and leave you exposed to data theft if it is opened.
Minimising the risk to your business:
To help avoid becoming the target of a Phishing scam, it can pay to exercise a high degree of scepticism when it comes to the following:
- Email content – Upon quick visual inspection, certain areas of an email can often provide clues as to whether it is from a legitimate source. Incorrect spelling and grammar, poorly recreated or pixelated company logos, and a sender’s email address that does not match the organisation it claims to come from are often dead giveaways of Phishing scams.
- The type of information being requested – If the information requested is of a sensitive nature, e.g. personal or banking information, simply call the company the email is purportedly from to double check, using a phone number from the company’s own website rather than one given in the email. A customer service representative should be able to confirm whether the email is legitimate.
- Purchase Cyber Insurance – Cyber Liability Insurance can cover costs associated with identity theft, fraudulent transfer of funds, and the insured’s legal liability to affected third parties. Note: due to the nature of this type of attack, not all insurers offer this specific sub-limit of cover. We recommend consulting your broker or insurer to find out if this cover is available to you.
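The sender-address and hyperlink giveaways described above can be checked mechanically before a message is trusted. The following is an added example written for this article (not code from the article’s author or from any insurer); the sample message, the domain names and the expected brand domain are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email) showing the three
# giveaways the article lists: a From address on a look-alike domain, a
# Reply-To pointing elsewhere, and link text that hides the real destination.
SAMPLE = """From: "Acme Bank Security" <alerts@acme-bank-verify.example>
Reply-To: recovery@mailbox-host.example
Subject: Urgent: confirm your account
Content-Type: text/html

<p>Please <a href="http://login.acme-bank-verify.example/x">https://www.acmebank.example/secure</a> now.</p>
"""

# Assumption: the domain the genuine organisation actually sends mail from.
EXPECTED_DOMAIN = "acmebank.example"


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str, expected_domain: str) -> list:
    """Return a list of red flags found in a raw message; empty means none."""
    msg = message_from_string(raw)
    flags = []
    # 1. Does the real sender address belong to the organisation it names?
    _name, addr = parseaddr(msg.get("From", ""))
    if domain_of(addr) != expected_domain:
        flags.append(f"From domain {domain_of(addr)!r} is not {expected_domain!r}")
    # 2. Replies silently redirected to a different domain are a common tell.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        flags.append("Reply-To domain differs from From domain")
    # 3. Visible link text that names one host while the href goes to another.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        if "://" in text and urlparse(href).hostname != urlparse(text).hostname:
            flags.append("link text host differs from actual href host")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE, EXPECTED_DOMAIN):
        print("RED FLAG:", flag)
```

Any non-empty result should be treated as a reason to verify the request out of band, exactly as the list above advises.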
4. Social Engineering
While similar to ‘Phishing’, Social Engineering scams are more complex, and rely on the perpetrator gaining intimate knowledge of a company or victim before scamming them. Whether over the phone or face-to-face, the scammer’s primary goal is to gain their victim’s trust, and then manipulate them into providing sensitive and lucrative information.
Phone call example:
In 2003, America Online (AOL) experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. This occurred because of one simple phone call.
The perpetrator contacted AOL’s tech support division and spoke with an employee for an hour. During the conversation, the caller mentioned that his car was for sale at a great price. Having gained the employee’s interest, the perpetrator proceeded to send the employee an email. Instead of a photo, the perpetrator attached a malicious program which established a connection to the perpetrator’s computer through AOL’s firewall, giving unrestricted access to AOL’s systems and sensitive information (v).
Face-to-face example:
A 17-year-old employee was fired from a Walmart store for stealing money. The ex-employee kept the staff uniform, and proceeded to visit several other Walmarts in the surrounding area, under the guise of a General Manager from another store. The individual proceeded to steal money from two stores, pocketing a total of roughly $30,000 before he was caught (vi).
Minimising the risk to your business:
- Education – According to eSecurity Planet, the first way to help defend against social engineering scams is education. Ensure all staff are aware and educated on how to recognise a social engineering scam – either face-to-face or via phone. Trained staff can be your company’s first line of defence.
- Cyber Insurance – a Cyber Liability policy may be able to cover costs associated with a privacy breach, including consumer notification, third party liability to those affected, as well as costs of providing credit monitoring services to affected customers. Unfortunately this type of attack is a grey area, as some insurers feel social engineering attacks should be covered under a Crime or Fidelity Insurance policy. For more clarification, contact a Whitbread Cyber Insurance specialist to see if protection is offered against this type of threat.
Key strategies to protect your business
It has never been more important to ensure your business has carefully planned strategies to:
- Reduce the risk of a data breach
- Efficiently manage a data breach
- Minimise the severity and impact of a data breach on your business
As a starting point, we recommend the following:
- Develop a cyber security strategy that doesn’t just involve IT
- Take out a Cyber Insurance policy to protect against significant financial losses and the fallout of legal action
- Educate your staff
- Review your current data security strategy
- Develop a data breach risk and crisis management strategy
How Cyber Insurance can help minimise resulting financial losses…
While IT strategies can help prevent data breaches, in this day and age, there is no foolproof method to guarantee total data security. Instead, what you CAN do, is take out a Cyber Liability Insurance policy.
A Cyber Liability insurance policy can protect against the financial consequences of a data breach in a number of ways:
- Fines & penalties – Cover for financial compensation to help recoup costs that result from a security breach – regulatory fines can amount to $1.8 million.
Note: The Notifiable Data Breaches (NDB) Scheme, part of the Privacy Act 1998 (Cth.), has placed a greater onus on businesses that experience data breaches. The new legislation, introduced in February 2018, requires businesses to report all incidents to the Office of the Australian Information Commissioner, as well as immediately notifying affected customers once they become aware of the breach. Failure to do so can result in expensive fines and penalties imposed on the business by regulators.
- Third party liability – Cover for compensation payments to your clients / customers or other third parties who suffer financially or emotionally as a result of stolen data.
- Legal and forensic investigation expenses – Cover for expenses relating to legal counsel and representation, as well as forensic investigation costs.
- Reputational repair – Financial assistance designed to cover the costs associated with engaging professional consultants to help repair damage to your company’s brand and reputation resulting from a breach.
For professional advice on how a Cyber Liability Insurance policy can help protect your organisation from the fallout of cyber-attacks, please contact one of Whitbread’s specialist commercial insurance advisers:
T | 1300 424 627
E | firstname.lastname@example.org
This article is not intended to be personal advice and you should not rely on it as a substitute for any form of personal advice. Please contact Whitbread Associates Pty Ltd ABN 69 005 490 228 Licence Number: 229092 trading as Whitbread Insurance Brokers for further information or refer to our website.