Mitigating the infamous hacker group out of retirement

It has been announced that an infamous hacker group, GandCrab, has ‘come out of retirement’ and appears to be behind a wave of new attacks being carried out across the world, with an estimated 1.5 million machines, including hospitals, already affected.

Dr. Guy Bunker, CTO of Clearswift Cyber Security, sheds light on ransomware as a business and how organisations can protect themselves. He discusses how the re-emergence of GandCrab impacts commercial organisations, and what can be done to mitigate any threats.

“Ransomware remains a lucrative business and, while it’s been headline news for a number of years, there are still organisations which have not taken precautions to protect themselves, their people, data and clients from attack, which means there is still opportunity for the likes of GandCrab. Furthermore, with the ongoing commercialisation of malware, there are other opportunities for bespoke or customised malware to be developed and sold to the highest bidder. Of course, it’s not just the actual malware; there are the other pieces of an attack which need to be orchestrated, such as the spear phishing attack or Business Email Compromise attack with weaponised documents.

“For commercial organisations, the re-emergence of GandCrab should have little impact on their day-to-day security, as they should already be protecting against the myriad of other groups and threats. However, stories such as this should act as a catalyst for organisations to test their cyber disaster recovery plans. Without a plan the impact of an attack could be catastrophic; even with a plan, it needs to be tested and regularly reviewed and updated to ensure that it keeps up with the threats. Employees need an education and awareness program to ensure that they are kept up-to-date with new scams and attacks, learning about identifying the threat and what to do should they suspect one. As fast as threats change, so does the technology to help mitigate them. Understanding what new technology can do to protect the organisation is important, and if required it can then be planned for implementation.”



Digital Insurance: Technologies and Strategies Driving Insurance into the Connected Age

The ability to accurately discern the past and predict the future based on nothing but data points and the experience of actuaries and adjusters has served the industry well up to now. Insurance is, after all, a multi-billion-dollar, truly global industry. While this remains the case, the landscape is now radically different to the past, thanks in part to the advent of the Internet of Things (IoT). The use of these technologies that collect, record and transmit live data has proliferated exponentially over the past decade, and for a data-reliant industry like insurance, the impact has already been profound.

They may already seem ubiquitous, but estimates of how many IoT devices will connect our cars, homes, communities, medical services and work lives by the year 2020 range from 30 billion[i] to 50 billion[ii]. Whatever the precise number, this is already generating, and will continue to generate, a huge amount of data to be analyzed and monetized.

This increase in the quality and quantity of available data is already producing some significant outcomes; the process of writing policies can now be far better informed by what is known about the risk level of an individual or entity, as opposed to simply what is known about the claims generated by an entire class of risk. Some carriers have already begun this transition; John Hancock, for example, announced in 2018 that all new life insurance policies must henceforth use digital fitness trackers to monitor policyholders[iii]. Using the high-quality, objective data derived from IoT, it is now possible to assess claims more accurately and efficiently, and in some cases, even prevent them from arising entirely.

“IoT is already enabling customers to avoid bad things happening to them. Some people call it prevention. I see it as empowerment of customers.” – Nick Ayrdon, Head of Strategy & Development at Aviva

In turn, this is changing how insurers interact with customers, both before and after a claim, with one executive predicting that we are in fact “shifting from a claims-handling business to a claims prevention one”. As the value proposition of exchanging data for value becomes more concrete, it could become a strong pull-factor driving uptake of connected insurance products. And yet, already operating in an environment of squeezed profits, high regulation and low consumer trust, the industry is witnessing something of a perfect storm at present.

There is no question as to whether the global insurance industry is going to go digital, and most of the industry understands why it will. The real problem for most is how it should happen and creating an environment in which they can maximize the value of digital insurance. As Michael Lebor states, this is not simply a case of reorganizing a particular department or function: “In my opinion, IoT is not a product, it’s a paradigm shift, a completely different way for technologies to interact with each other. Devices are going to be talking to each other, there are going to be hubs, and we must leverage that throughout the entire lifecycle of our product, whether for distribution, or on-boarding customers, or using it for claims and first notice of claims. It’s not one product, it’s a holistic way of thinking.”

Any transformation of this nature will invariably lead to substantive changes in how insurance carriers operate internally, and whereas insurance technology projects were generally siloed in innovation departments in the past, executives agree that this is starting to change. While the survey found that only 14% of senior management teams were currently affected by the introduction of digital insurance, the most commonly cited reason was that initiatives had not yet reached the point where it had become necessary (the implication being that management will take a more active stance when projects have scaled sufficiently).

Similarly, American Family Business Development Manager, Shaun Wilson, suggests “until there are a lot of devices providing a lot of data about specific risks, the carrier is not going to have the insights about whether or not these devices mitigate risks to any level of significance. That’s the promise of this approach, but nobody has enough data yet to validate the hypothesis.” As carriers leverage connected technology more and the impact on the business deepens, however, we can expect to see greater top-down management and involvement from board level stakeholders[iv].

To provide a comprehensive overview of the progress and prospects of Connected Insurance, Insurance Nexus have produced the Connected Insurance Report, an in-depth study of the progress of digital insurance globally, today, and in the future.

As the industry begins to understand how it can exploit the possibilities of connected and digital insurance, the Connected Insurance Report has crystallised the concerns of those tasked with turning an unprecedented technological revolution into market-ready products. At first glance, one might assume that the ability to learn more about the risks they are insuring should allow, first, for policies to closely follow the risk over time and, second, that the ability to gather more information about a claim will discourage fraud. The net result should therefore be greater profit for companies, and lower premiums for their customers.

At second glance, it is just as clear that the picture is much more complicated than that. As we talked to more and more executives, it became apparent that the industry is only just beginning to work through the practical problems it faces. Indeed, questions as basic as the best way to install a sensor in a building are still the subject of lively debate. Ultimately, the world of insurance may be next in line for the kind of creative destruction that the tsunami of digitisation has brought to IT, telecoms, media, retail, hospitality, manufacturing, financial and business services.

The Connected Insurance Report was researched and produced by Insurance Nexus in collaboration with the IoT Insurance Observatory. It is the first of its kind to conceive of insurance IoT holistically, as a paradigm shift necessitating changes in insurer business models, organisational structures and technology stacks. Insurance Nexus surveyed the experiences of more than 500 insurers and reinsurers to assess where they sit in the connected insurance market and to extract the challenges they face and their stories of success.

Along with a panel of 20 industry leaders who have been operating at the sharp end of the IoT revolution, Insurance Nexus looked at these hurdles and opportunities and pulled them apart to provide readers with case studies and actionable insights to help guide decision-making as the industry tackles its own strategic milestones.

Banking on security: keeping data secure in financial services

Simon Hill, Head of Legal & Compliance, Certes Networks

Financial institutions manage a large volume of sensitive information about their customers. However, the protection of sensitive data in line with regulations, both for banks and other financial services organisations, is currently a big challenge. The way these organisations operate has changed dramatically in recent years. This is mostly due to the fact that financial institutions are not only heavily regulated by data privacy requirements, but they are also under mounting pressure to be open to consumers and businesses about how they are protecting their data from potential breaches.

Additionally, no bank or financial services organisation wants to face the consequences of a data breach. This is demonstrated by the fallout of numerous data breaches in the industry over the years – from Capital One in 2019, to Equifax in 2016 and Tesco Bank in 2017. In the case of the Capital One data breach, a hacker was able to gain access to 100 million Capital One credit card applications and accounts. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Additionally, an undisclosed number of people’s names, addresses, credit scores, credit limits, balances and other information dating back to 2015 was involved, according to the bank and the US Department of Justice.

What’s more, the damages of these data breaches are not only reputational, but also financial. As a result of Equifax’s data breach, the organisation reached an agreement to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2016 Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its “largely avoidable” cyber-attack that saw criminals steal over £2 million from 34 accounts. This clearly shows that these consequences can arise no matter how ‘large’ or ‘small’ a data breach may seem; companies that do not encrypt their data adequately to safeguard it will be penalised.

On top of this, the increasing expectations of consumers mean that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can utilise technology to the fullest extent while still protecting data and avoiding the unthinkable repercussions of a data breach.

The balancing act

To achieve this balance, banks and financial services organisations need to take greater measures to control their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. When stringent policies are generated and deployed, they enable greater insight into the applications communicating in and across the networks. New tools are now available to enforce these policies, affecting not only the application’s workload and behaviour but the overall success of system access.

Banks and financial services organisations should not have to worry about keeping data secure and protected when it is entirely possible to do so. Adopting new ways to look at how organisations define policies, through micro-segmentation and separating workloads by regulation, is one example of how to keep data more secure. Also, ensuring that policies define only those users who have a critical need to see the data limits network vulnerabilities. And lastly, an automated key management system that rotates keys frequently can also help to safeguard system access and strengthen the organisation’s security posture.



SOC Stress: The Security Threat That Nobody is Talking About

By Ewen O’Brien, VP of Enterprise, EMEA at BitSight

Stress and burnout are emerging as perhaps the biggest threat to corporate security. Long hours, alert overload, and a lack of visibility into their IT infrastructure have many security professionals reconsidering their chosen careers.

This is contributing to a massive cybersecurity skills shortage that is creating real security threats at companies across the globe. There are close to three million open and unfilled cyber vacancies around the world. Meanwhile, a majority of organisations cite a “problematic shortage” of cyber skills, and a new report from the Ponemon Institute has found that 65% of IT and security professionals are considering quitting due to burnout.

Reports like these should serve as bright red warning lights to everyone in a company, from Board members and CEOs down to Security Operations Center (SOC) managers. Everyone needs to take a strategic approach to addressing the problems emanating from the burnout brain drain. Without the right personnel, organisations can’t deploy the right resources, controls, and processes to prevent and mitigate attacks.

In short, they’ll be even more vulnerable than they are right now. That can’t happen. Organisations need to proactively tackle SOC stress. Here’s how.

Understand the causes

In an interview with Dark Reading, Julian Waits, general manager for security analytics firm Devo, which sponsored the Ponemon study, says that incomplete visibility into systems and threats is a major issue. Waits said that “going to work each day and knowing you’ve been compromised” can be enormously stressful for security professionals, but that “knowing” is compounded by the fact that most do not know how their organisations have been compromised.

Take the Neiman Marcus data breach during the busy 2014 holiday season, for example. The attack that compromised more than 1.1 million debit and credit cards set off about 60,000 alerts in the retailer’s SOC during the three-and-a-half month attack. This represented around 1% or less of the daily entries on protection logs. Unless the SOC knew what type of alert to look for, it would be a miracle for them to find it.

Know that money isn’t enough

In the face of growing threats, higher fines for breaches, and increased competition for cybersecurity talent, CEOs are throwing more and more money at relieving the knock-on effects of burnout in the SOC. And, in a red-hot job market, security pros can name their price. It’s not unusual for CISOs to command as much as $6.5 million in salary and profit sharing, with many jumping from job to job to attain that level of compensation.

Despite this investment, less than one-third of the security budget of most organisations is used for the Security Operations Center. This lack of adequate funding, combined with employee burnout, has a real impact on the efficacy of the SOC. Ponemon finds that over half of IT and security professionals consider their SOC ineffectual.

Lacking visibility into their IT networks, security professionals in the SOC continue to play a game of whack-a-mole, constantly reacting to the next threat yet never reaching the finish line. It can sometimes feel like a kid’s soccer game – instead of playing defined positions and following a strategic playbook, everyone is just running around chasing the ball.

As Waits also said in that Dark Reading article, “What’s disturbing to me is analysts spend so much time chasing things but the least amount of time thinking strategically.”

Create a roadmap supported by automation

Burnout, scarce security resources, and the threat of digital breaches can’t be solved by dollars alone. Companies must find a way to approach security strategically and give the SOC a roadmap to follow so they’re not constantly guessing where the next attack is coming from. This will also ensure that security operations teams recognise that their leadership has their back, should a cyber attack occur.

This begins with understanding the risk vectors that security managers need to worry about most, such as third party risk (where 59% of breaches originate), mobile application security, endpoint security, and so on. With real-time visibility into first- and third-party risk and vulnerabilities, CISOs and executives can quickly identify the vectors that represent the greatest threat to their businesses and begin to align their SOCs and security procedures to business outcomes.

Automation can also help reduce burnout in the SOC. Automated workflows and security processes enable CISOs to better utilise the skills and people they already have. Repetitive tasks such as continuous cybersecurity monitoring functions, for example, are prime candidates for automation, and can reduce cyber risks while freeing teams to learn new cyber skills and focus on more strategic tasks – all of which can improve job satisfaction and retention rates.

Develop a playbook for success

The role of the security professional will always be a high-pressure one. He or she is inquisitive, compelled to solve problems, quick thinking, inventive, and persistent – pressure is part of the job.

But burnout and a compulsion to quit due to stress are serious problems that threaten the entire organisation’s security posture and need to be managed at the leadership level. With insight into where the true security problem lies and a playbook for mitigating those risks, organisations can relieve pressure on the SOC, put an end to burnout, and bolster their cybersecurity postures.



UNICEF data leak – Comment

Egress CEO, Tony Pepper

News breaking that a UNICEF employee had inadvertently revealed the personal details of 8,253 users of its Agora online learning platform, through a piece of unstructured data, has brought the need for organisations to ensure they’re using the right tools for the right job back into focus.

The leak saw the data of users enrolled on courses on childhood immunisation sent to 20,000 users of the educational system towards the end of August. Sensitive data such as names, email addresses, locations, gender, organisation, supervisor names and contract types were revealed.

GDPR has been firmly put back at the top of the boardroom agenda by the hefty fines recently doled out by the ICO to BA and Marriott, reminding organisations that they have a duty of care to protect all clients’ and service users’ data. Recent Egress research supports this approach; 60% of the 4856 personal data breach incidents reported to the ICO in the first six months of 2019 were the result of human error.

Regardless of whether UNICEF is subject to GDPR as a United Nations organisation, data incidents like this highlight the need to ensure that staff can share sensitive data securely when they need to – with policies and technologies forming a ‘safety net’ that reduces the likelihood of human error putting information at risk. In particular, organisations should invest in more robust risk-based protection tools that work alongside the user, enabling them to work effectively and securely.



Google finds ‘indiscriminate iPhone attack lasting years’

Security researchers at Google have found evidence of a “sustained effort” to hack iPhones over a period of at least two years. The attack was said to be carried out using websites which would discreetly implant malicious software to gather contacts, images and other data. Google’s analysis suggested the booby-trapped websites were visited thousands of times per week, the BBC reported.

Commenting on the news, Boris Cipot, senior sales engineer at Synopsys, stated:

For a long time, there was a myth that iOS and OSX are secure operating systems and don’t need any security systems like anti-malware to protect them. We have seen in some cases that Apple systems were breached, but those were mostly breaches to iCloud and similar. This last attack example just shows that there is no such thing as a completely secure operating system. Apple surely did a good job of preventing attacks or making them harder to execute by restricting how the software can be installed and where from. However, this is a control process that lowers the risk of security breaches rather than eliminating it. The level of complexity in today’s software development and the developed functionalities alone bring a certain risk factor and, with that, the possibility for an attack. When other software is installed on the operating system, the risk increases further.

I hope that this will be a wake-up call for anyone that has been under the impression that iOS phones are invulnerable to malware exploiting system and application vulnerabilities.



UK Holidaymakers’ Data exposed for Three Years

Over 200,000 customers’ personal details were exposed in the Teletext Holidays breach due to an unsecured Amazon Web Services server; the exposed personal information included names, dates of birth, email and home addresses, flight times and card details.

Commenting on this, Bill Conner, CEO, Sonicwall says,

“Organisations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost.

Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information (PII) is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out-of-date security devices, as a matter of course.

Organisations should learn from breaches like this by taking the opportunity to ensure there are no gaps in their systems for criminals to leverage, stopping them at the edge before they have a chance to infiltrate the network. Once they’re in, they’re able to move laterally to identify the sensitive data that’s highly valued on the dark web.”