Last month, an unprecedented array of malware and ransomware attacks took place on global networks, and this time it wasn’t just giant corporations that were hit. First “Wanna Cry,” then “Petya,” followed closely by “Not Petya.” These attacks are different from typical hacks of the past because these infections rely heavily on social engineering. This means hackers take advantage of sometimes simple mistakes that employees make rather than going after faulty firewalls or other security precautions. Your employees can be the weakest link and the entry point into your network. Today’s rising cyber security threat is an uninformed or poorly trained employee who opens a malicious link or falls for a ransomware scheme, accidentally granting an outside party access to protected systems.
Social engineering is the act of manipulating human behavior to steal confidential information. It’s a scam that has been around for decades, but it has become a bigger problem due to the Internet and the rise of various forms of electronic communication. In fact, 60 percent of businesses fell victim to a social engineering attack in 2016.
Hackers run email phishing campaigns until they get a bite, and then move in to exploit a system. Hackers are looking for any door into a secured system, and often an employee’s own email is used against them. People make mistakes, and there are plenty of hackers out there trying to take advantage of a simple mistake that could cost a business hundreds of thousands of dollars.
Since cyber-attacks have emerged as a business risk, cyber protection has focused on keeping digital perimeters protected by negating and mitigating direct attacks. Traditionally, this meant having the right technical solutions, such as firewalls or patch management governance, in place to keep malicious code out of a network. This focus is too narrow.
Most companies and security advisors have failed to fully prepare for the social engineering threat. It was recently reported that over 65% of cyber breaches were caused by employee negligence, with nearly 90% caused by human error. Since social engineering involves the unwitting cooperation of authorized users, attackers can bypass technical controls rather than having to devise specific means to defeat them.
Additionally, smaller businesses had typically experienced far fewer cyber-attacks. In the last 18 months the frequency of small business cyber claims has dramatically increased due to the increase in social engineering and the explosive growth of ransomware. This is an underappreciated risk, so take heed of this warning. Experts believe that until now ransomware attacks have not generated large claims in mid-size and small companies because they were mainly happening outside the US. The US market constitutes about 90% of companies insured for Cyber Liability, making it a virtually untapped goldmine for hackers. As these attacks become more common in the US, they are expected to cause billions of dollars in insured claims and many times more in uninsured damage.
A word of caution: do not rely on a backup. Most likely the attacker has already been inside probing the network (known as perching) for several months prior to the event. During that time, the hacker has learned about the business and its transactions and has planted the ransomware, thereby corrupting the saved data.
The most important line of defense in the world of ransomware is to educate employees about these threats and put protocols in place that help prevent social engineering attacks. These should include:
- Create clear policies for employees to regularly change their passwords for their computer systems, accounting software, email and other programs where sensitive information is stored.
- Show hidden file extensions. Ransomware frequently arrives in a file named with the extension .PDF or .EXE. Filter email attachments to deny those that have two extensions, including .EXE. As a backup, make sure full file extensions are displayed so suspicious files are easier to spot.
- Set a policy for how sensitive information is requested and provided. For example, bank or accounting information should never be shared via email or over the phone. All inquiries should be made in person.
- Use secure document management systems and disposal services. Keep sensitive information under lock and key so that prying eyes can’t get to it. Don’t overlook protecting hard copies from disgruntled employees and third parties.
- Test employees. Following training, employees should occasionally be tested to ensure they understand typical social engineering and hacking scams and don’t hand over sensitive information.
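As an added illustration of the double-extension rule above (example code written for this article, not a tool from Orion or its partner), the following filter flags attachment names such as `Invoice.PDF.exe` and shows why the real extension matters: with “hide extensions for known file types” enabled, the user sees only `Invoice.PDF`. The set of executable extensions is an assumption chosen for this example.

```python
import os

# Extensions Windows will execute when double-clicked (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}


def split_extensions(filename):
    """Return every extension in the name, lowercased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def displayed_name(filename):
    """What a file manager that hides known extensions shows: the last extension is dropped."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def is_suspicious_attachment(filename):
    """The article's rule: deny names with two or more extensions whose real (last) one is executable."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS


def filter_attachments(names):
    """Split attachment names into (allowed, denied) lists using the rule above."""
    allowed, denied = [], []
    for name in names:
        (denied if is_suspicious_attachment(name) else allowed).append(name)
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real mailbox.
    sample = ["Invoice.PDF.exe", "report.pdf", "statement.docx.scr", "setup.exe"]
    ok, bad = filter_attachments(sample)
    for name in bad:
        print(f"DENIED  {name!r:24} user would see {displayed_name(name)!r}")
    for name in ok:
        print(f"allowed {name!r}")
```

Note that a bare `setup.exe` passes this particular rule because it carries only one extension; a production mail filter would normally block executable attachments outright as well.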
In today’s environment, experiencing ransomware is more likely a matter of “when,” not “if.” It’s also clear that the weakest link in the chain of cyber defense is usually not technical – it’s people.
Social engineering is an evolving risk. It’s effective because it’s easier for hackers to exploit the natural inclination to trust someone than it is to figure out a new way to access a computer. Until now, many companies and security advisors have failed to fully understand or prepare for the social engineering effect. Cyber security has been considered a challenge only for big companies. On the contrary, it is often the small to mid-market companies that are most at risk for this type of attack. I have personal experience through friends and clients with businesses ranging in size from $2M – $100M in revenue, who suffered ransomware attacks – some debilitating. While Cyber Liability protection offers “sleep insurance,” the most important line of defense is to educate employees about these threats and put in place protocols that help prevent social engineering attacks.
Orion Risk Management has been aggressively monitoring and analyzing the ballooning risk of cyber invasion and ransomware attacks, and is working closely with our clients to mitigate exposure and risk. We have formed an alliance with an internationally recognized data protection services company for the exclusive benefit of Orion clients. Founded in 2000, our strategic partner has become one of the most respected data services providers for businesses of all sizes, global brands, law firms, state and federal agencies, and academia.
Our end-to-end cyber protection solution:
- Identifies and closes vulnerabilities,
- Provides employee training to identify incoming threats,
- Includes ongoing system monitoring and network patches to protect against the latest malware, and,
- Results in a 40% “Safe Cyber” Liability Policy discount with top coverage underwriters.
I welcome the opportunity to share this unique resource with you.
Orion understands how valuable your data is and the threats that face its protection. Your data can be breached in many ways, at any time. By working with Orion Risk Management for your cyber liability protection, you have assurance that important safeguards have been put in place.
Steve Paulin, CIC, is a risk management professional specializing in integrating middle market companies’ property, casualty and workers’ compensation coverage to reduce risk and increase profits. His three decades of risk management experience, combined with Orion Risk Management’s expertise in providing specialty services including risk control, claims management, captive formation and programs specific to key industries, means Steve’s clients receive unparalleled value.
He can be reached at email@example.com or by calling (949) 502-0850.