The ONE cyber hack we CAN prevent
Yes, we’re doing everything we can … or are we??
Cyber-risk is everywhere. Even if you’re applying the best security, there are no guarantees. So then, going around with our eyes closed can’t be helping at all, can it?
We hire companies to help us with technical security for our systems. But attackers have discovered they can go around those security measures by attacking human weaknesses.
Exploiting the human factor
In Beyond Fear by Bruce Schneier:
“Convicted hacker Kevin Mitnick testified before Congress… about social engineering: ‘I was so successful in that line of attack that I rarely had to resort to a technical attack. Companies can spend millions of dollars toward technological protections, and that’s wasted if somebody can basically call someone on the telephone and convince them to do something on the computer… .’ ”
The exploit Mitnick describes is one that falls in the category of “social engineering.”
Either people are being irresponsible OR (here’s where we can do something) they are naïve and uninformed. If we can agree we don’t want irresponsible people on our payroll, then we have a clear path to attack the social engineering problem, because our people just need information and training, that is, awareness, and that is something we can do.
In a particularly wicked type of social engineering, a financial person will receive an email supposedly coming from the CEO or CFO, directing that person to wire large sums of money to some recipient for a special, “secret,” deal that is happening. It might be so sophisticated that the target employee is told to expect a corroborating email from the “company’s CPA firm.” That second email is also a scam of course.
Crime insurance for the loss?
Insurance companies were quick to offer a social engineering coverage grant as an add-on to their crime insurance policies, but their enthusiasm for offering it has tailed off. The coverage, once easily obtained with limits as high as $2 million, is now hard to get and, if available, only at lower limits. This insurance would pay for loss from an employee intentionally transferring funds to a bogus recipient after being fooled by a phishing scam.
One such coverage grant reads as follows:
“Social Engineering Fraud Coverage Insuring Clause
The Company shall pay the Parent Organization for loss resulting from an Organization having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client, or an Employee who was authorized by the Organization to instruct other Employees to transfer Money or Securities. Social Engineering Fraud means the intentional misleading of an Employee, through misrepresentation of a material fact which is relied upon by an Employee, believing it to be genuine.”
As claims came pouring in as a result of this kind of scam, the coverage became harder and harder to get.
This is not much of a crisis, though, because this one type of social engineering scheme is nicely susceptible to remedy through education and training. We at LicataRisk are in the risk management business. We have seen many of these claims, either suffered by our clients, or in the many risk and insurance cases we read daily. Exposure to the information makes us very aware and very wary of the crime out there. We know we are less likely to fall for it.
Cyber loss prevention
What does this mean for companies everywhere who could be victims of this fraud (all companies)? Step up education and training of your employees. The key is awareness. Awareness comes from either (1) being a victim already (not the preferred route) or (2) constant drilling on the subject. You can even allow your key financial employees to read the cases out there to see exactly how the crimes have been carried out. Contact me for the cites to some of these cases.
And verification policies and procedures can ensure that no action is taken on a request unless it is legitimate. For example, a callback to the mobile number of the person who supposedly gave the instructions could, or should, be required.
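The callback procedure above only works if the number dialed comes from the company’s own directory and not from the email that asked for the money, and if a second email (the “corroborating” message from the “CPA firm” described earlier) is not accepted as confirmation, because the scammer controls that channel too. The following model of a release gate for wire instructions is an added example, not code from the original post or from LicataRisk; the directory entries, names and amounts are constructed for illustration.

```python
"""Release gate for payment instructions: approve only on out-of-band confirmation.

Added example, not part of the original post. All names, numbers and
directory entries below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Directory of record: the finance team looks these numbers up itself.
# Nothing in an incoming request may add to or override this table.
DIRECTORY_OF_RECORD = {
    "ceo@example-corp.test": "+1-555-0100",
    "cfo@example-corp.test": "+1-555-0101",
}

# Channels that the requester (or an impersonator) cannot control.
INDEPENDENT_CHANNELS = {"phone_directory"}


@dataclass
class TransferRequest:
    claimed_sender: str            # who the instruction purports to come from
    amount: float
    beneficiary: str
    # A scam email often includes "call me on this number"; it is attacker data.
    callback_number_in_message: Optional[str] = None
    # (channel, note) pairs, e.g. ("email", "corroboration from 'CPA firm'")
    corroborations: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Verification:
    channel: str                   # "phone_directory", "phone_in_message", "email"
    number_dialed: Optional[str] = None
    confirmed: bool = False        # did the person reached confirm the instruction?


def release_decision(req: TransferRequest,
                     verifications: List[Verification]) -> Tuple[bool, str]:
    """Return (approved, reason). Approval requires a confirmed callback to the
    number of record for the claimed sender; nothing else counts."""
    number_of_record = DIRECTORY_OF_RECORD.get(req.claimed_sender)
    if number_of_record is None:
        return False, "claimed sender is not an authorized instructing party"

    for v in verifications:
        if (v.channel in INDEPENDENT_CHANNELS
                and v.number_dialed == number_of_record
                and v.confirmed):
            return True, "confirmed by callback to number of record"

    # Reaching this point means every "confirmation" arrived through a channel
    # the requester supplied: reply email, a second email from a "CPA firm",
    # or a call to the number printed in the request. Corroborations in
    # req.corroborations are deliberately ignored for the same reason.
    return False, "no confirmation through an independent channel"


def scam_scenario() -> Tuple[bool, str]:
    """Impersonated CEO email with its own callback number plus a 'CPA' email."""
    req = TransferRequest(
        claimed_sender="ceo@example-corp.test", amount=250_000.0,
        beneficiary="Acquisition Escrow Ltd",
        callback_number_in_message="+1-555-0199",   # attacker-controlled
        corroborations=[("email", "confirmation from 'company CPA firm'")],
    )
    # The clerk dials the number in the message and "the CEO" confirms.
    checks = [Verification("phone_in_message", req.callback_number_in_message, True)]
    return release_decision(req, checks)


def legitimate_scenario() -> Tuple[bool, str]:
    """Same request, but the clerk dials the directory number and gets a yes."""
    req = TransferRequest("ceo@example-corp.test", 250_000.0, "Acquisition Escrow Ltd")
    checks = [Verification("phone_directory", DIRECTORY_OF_RECORD["ceo@example-corp.test"], True)]
    return release_decision(req, checks)


def unknown_sender_scenario() -> Tuple[bool, str]:
    """Instruction from someone not authorized to instruct transfers at all."""
    req = TransferRequest("intern@example-corp.test", 5_000.0, "Anyone")
    return release_decision(req, [Verification("phone_directory", "+1-555-0100", True)])


if __name__ == "__main__":
    for name, fn in [("scam", scam_scenario), ("legitimate", legitimate_scenario),
                     ("unknown sender", unknown_sender_scenario)]:
        approved, reason = fn()
        print(f"{name:15s} approved={approved} ({reason})")
```

The design choice worth noting is that the gate never reads a phone number out of the request. Even when the person on the other end of the attacker’s number “confirms,” the transfer stays blocked, which is exactly the failure mode in the CEO/CPA-firm scam the post describes.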
Security firms will also provide social engineering testing whereby they set up schemes and see if the employees fall for them. Falling for even a test scheme will provide assurance that that employee will never be that kind of victim again.
The point: Unpreventable cyber-risk is everywhere. Let’s not give a gift to the criminals on the one kind of cyber-risk that is actually preventable.
(c) Licata Risk & Insurance Advisors, Inc. 2019
Frank Licata
Feb 05, 2019