Hack Yourself First: Trends in Cyber Insurance for Small to Medium Enterprise


Tech-based cyber risk solutions combined with insurance coverage improvements help agents improve close ratios.

Almost six in 10 small and medium-size enterprises (SMEs) do not purchase any type of cyber insurance. Only 33% purchase stand-alone coverage. Fewer than 15% of SMEs trust their current cyber defenses to detect and respond to cyber-attacks, while two-thirds of SMEs report a cyber attack during the last 12 months. Despite aggressive pricing and increasing risk, traditional cyber insurance solutions remain a tough pitch for agents. The good news for agents is that new insurers are capitalizing on these market realities with technology-driven, broker-friendly offerings and market coverage improvements that help agents close more deals.

Engineered Cyber Insurance Solutions

“Engineered” cyber risk solutions are gaining traction in the expanding market for small to medium-sized risks. These products go beyond traditional risk finance and claims services to include the use of security technology to assess risk, as well as ongoing security services historically affordable only to large enterprises.

“I believe cyber insurance is extremely cost efficient and therefore will outpace actual information security spending. As a security professional, it’s odd to find myself saying that compliance might be the only thing that keeps companies from focusing entirely on risk transference, because said simply insurance is cheaper most of the time.”

-Jeremiah Grossman
Hacker and founder WhiteHat Security and BitDiscovery

We set up our specialty wholesale operation on the premise that insurance alone was an insufficient value proposition for agents to achieve acceptable close rates. Agents told us that peddling fear, uncertainty, and doubt (FUD) was of limited use, as most SMEs can’t relate to mega-breaches such as Target, Anthem, and Home Depot. In hopes of providing more relatable metrics, we engaged ethical hackers to help us develop our proposals. Using hacker techniques, we are able to better frame the risk and provide agents an improved blueprint to close deals. One of our early successes involved a middle market technology company submitted by an agent frustrated with the insured’s lack of interest in adding cyber coverage to its business insurance portfolio. We conducted a non-invasive security assessment that identified outstanding software updates and compromised email credentials. More importantly, we discovered a Chinese hyperlink parked on the insured’s web portal. We assisted the insured to remediate the risks and the agent closed the sale that same day.

Limitations of Traditional Market Offerings: Underwriting and Service Platforms

 

The current market is a land grab characterized by pricing not supported with actuarially sound loss data. As a result, premiums are generally not reflective of the risk. According to RAND, carriers’ existing rate schedules vary greatly in how sophisticated the formulation of premium rates is. Most insurers use simple, base rate pricing with adjustments based on industry class, revenue, limits, and retention levels. Applications provide insight into levels of existing cyber security hygiene, but the weights assigned to different technologies are inconsistent among insurers. Further, the report suggests, “in some cases, the carrier would appear to guess. It was not unseen for carriers to examine their competitors in order to define rate. In only a few cases were carriers confident in their own experience to develop pricing models”.

We underwrite like an adversary. In minutes we are able to understand what technologies a company uses, whether they are vulnerable to exploitation, what security protocols that company has in place, and even what data has been leaked and is being used and traded in criminal forums.

Joshua Motta, co-founder, Coalition Insurance

The three pillars of information security are prevention, detection, and reaction. Traditional market solutions are terrific vehicles to react to a reported cyber event. Coverage forms and vetted claims service providers offer solid value to SME risk. Unfortunately, the traditional cyber underwriting process does not truly get to the bottom of the risk and offer risk-specific recommendations to improve the insured’s cyber risk profile. Additionally, most insurers do not offer practical tools to mitigate risk during the policy period. While all insurers provide access to risk prevention tools via risk portals, these tools most often are available only at an additional price or are of limited risk management value. It is not surprising that insurers report only single-digit take-up rates for such services.

The New Underwriting Model:  Hack Yourself First

New technology insurers entered the market in 2017.  In lieu of the traditional underwriting applications and manual processing, these markets use the same techniques hackers employ to assess risk.  These tools allow insurers to collect thousands of data points relevant to the risk and make underwriting decisions in seconds.  The objective is to get to the bottom of the risk and provide assessment findings to the insured to assist in the prevention of cyber events.

Casing the Joint: Research and Reconnaissance

Contrary to popular media references, criminal hackers do not break into a computer with a few keystrokes. Not unlike burglars, hackers case the target using a set of routine procedures to establish a footprint assessment of vulnerabilities.  Each additional step is designed to expand gaps in cyber defenses to implement the hack.

Taking a note from criminal hackers, the new breed of underwriters uses non-intrusive tools, such as public research and port scanning, to collect data to evaluate the insured’s current risk level. This snapshot offers a metric-based estimate of the likelihood of a cyber event.

“Insurance has a key role to play in managing cyber risk, which requires a shift from traditional snapshot underwriting to a year-round risk management partnership.”

 Rotem Iram, CEO and Founder, At-Bay.

Searching dark web resources, underwriters can determine if the insured or its employees were subject to past breaches. More likely than not, underwriters find employee email login credentials compromised by past data breaches such as Equifax or LinkedIn available for sale on the dark web marketplace. Compromised information can include addresses, employers, job titles, phone numbers, social media profiles and passwords, making it easy for criminal hackers to gain entry into corporate accounts and personal email, as well as access to online banking applications.

One technology tool underwriters now use to evaluate risk is port scanning. A port scanner is a simple software tool that identifies ports of entry into a computer network. Many free versions are available on the web. Computer ports are the doors and windows of a computer that accept and transmit signals to and from the public internet. The port number identifies the type of data accepted and transmitted. For example, port 25 is used for email (SMTP) and port 80 is used for web (HTTP) traffic. The scan sends signals to each port to determine where the network is strong or weak. Underwriting scans also detect the operating system and other applications used by the insured and search for known vulnerabilities and outstanding software updates (patches) available to close such security flaws.

Risk Assessment Deliverables

Lack of understanding of exposure is a primary obstacle to selling cyber insurance for agents.  Risk assessments, included at no extra cost by tech-based insurers, are valuable tools to assist in closing this information gap.   Similar to property insurance engineering reports, the insured is provided a risk report containing actionable information as well as recommendations to remediate heightened risks prior to binding coverage.  Typical findings include unprotected ports of entry, outdated software and compromised employee credentials.  Security engineers are available to assist the insured to remediate such vulnerabilities prior to binding coverage.

Ongoing Protection

Traditional cyber insurers are hesitant to include ongoing cyber security tools to supplement existing controls employed by the insured. Cyber security is complex and traditional insurers do not possess a level of in-house expertise to confidently package prevention and detection tools with a cyber insurance policy. Many insurers cite concern for creating a higher standard of care resulting in increased liability as well as the added underwriting expense.

New tech-based insurers are led by information security engineers, including alumni of government intelligence and leading security software providers, and strive to offer end-to-end solutions. Tools such as 24/7 network threat monitoring that alert the insured in real time of breach activity are bundled into these offerings. At least one MGA is including a security dashboard for the insured that includes threat monitoring, anti-ransomware software, denial of service website protection, and credential monitoring. Direct access to security engineers is also included in some offerings. These tools are meant to supplement, as opposed to replace, existing security technology utilized by the insured and are provided at no additional cost to the insured.

 

Coverage Improvements

As cyber risk evolves, so too must coverage terms. It is difficult to keep up with the latest developments, but innovative new coverages now available in the marketplace offer additional value to insureds.

Cyber Crime

Historically, cybercrime coverage was limited to fraudulent funds transfer and phishing exploits. Typical sub-limits for cybercrime coverage ranged from $100,000 to $250,000. Several insurers now offer increased fraudulent funds transfer limits as high as $2,500,000 for select risks. A phishing attack is a type of social engineering attack employed to steal user data, including login credentials and credit card numbers. Attackers masquerade as a trusted entity and dupe victims into opening an email, instant message, or text message. Many insurers now expand phishing coverage to include client phishing, also known as invoice manipulation. Criminals create phony invoices in the name of the insured to trick its clients or vendors into making payment to a fraudulent account. This extension covers the insured’s direct loss due to the transfer of payments to unintended parties that were otherwise intended for the insured.

Computer Hardware (Bricking)

Cyber policies historically excluded coverage for damage to computer hardware. Bricking refers to a loss of use or functionality of hardware (such as servers) as a result of a hacking event. While malicious software may be removed, hardware may be rendered untrustworthy and require replacement. This coverage provides for the cost to replace such affected hardware.

Service Fraud (Cryptojacking)

Cryptocurrency mining, or cryptomining, is a process in which transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger. The process requires computers to solve complicated math puzzles to win currency and requires an inordinate amount of electricity. Cybercriminals have increasingly turned to cryptomining malware as a way to hijack the processing power of large numbers of computers, smartphones, and other electronic devices. Service fraud coverage reimburses the insured for direct financial loss resulting from being charged for fraudulent use of electricity and other business services.

Contingent Pollution

One insurer is now offering to include contingent pollution coverage. If a hacker gains access to an industrial control system and triggers a system failure that results in a release of pollutants, the policy will cover the costs to defend the insured from third-party liability.

Summary

At some point in the near future, cyber insurance will be a standard component in a business insurance portfolio for small to medium-sized enterprises. While the financial consequences are severe, most SMEs have neither the expertise nor the budget to protect their networks and systems from increasingly sophisticated threats. Tech-driven solutions combined with improved policy forms create an easier pitch and better close rates.

 

About the Author

Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed to insurance agents, cyber security providers and “InfoSec” investors.

Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including: technology, healthcare, private equity, and real estate.

Cyber Risk Underwriters maintains offices in Atlanta Georgia, Park City Utah and Huntington Beach California.

Contact Information

jsmith@cyberriskuw.com | 866.292.3092 | Cyber Risk Underwriters

 Sources:

  • https://www.iii.org/white-paper/small-business-big-risk-lack-of-cyber-insurance-is-a-serious-threat-101818
  • https://www.infosecurity-magazine.com/news/majority-of-smes-lack-confidence/
  • https://judyselbyconsulting.com/2018/12/17/expanding-cyber-insurance-coverages/

Top Reasons to Purchase Cyber Insurance


Having a hard time garnering interest in cyber insurance with your insureds?  One thing to point out is that relative to other lines of business insurance, cyber insurance is inexpensive and easy to customize specifically to risks facing your insureds. Other pitch points include:

  1. Data is one of your most important assets yet it is not covered by standard property insurance policies
    Most businesses would agree that data or information is one of their most important assets. It is almost certainly worth many times more than the physical equipment that it is stored upon. Yet most business owners do not realize that a standard property policy would not respond in the event that this data is damaged or destroyed. A cyber policy can provide comprehensive cover for data restoration and rectification in the event of a loss no matter how it was caused and up to the full policy limits.
  2. Systems are critical to operating your day to day business but their downtime is not covered by standard business interruption insurance
    All businesses rely on systems to conduct their core business, from electronic point of sales software to hotel room reservation systems. In the event that a hack attack, computer virus or malicious employee brings down these systems, a traditional business interruption policy would not respond. Cyber insurance can provide cover for loss of profits associated with a systems outage that is caused by a non-physical peril like a computer virus or denial of service attack.
  3. Cyber crime is the fastest growing crime in the world, but most attacks are not covered by standard property or crime insurance policies
    New crimes are emerging every day. The internet means that your business is now exposed to the world’s criminals and is vulnerable to attack at any time of the day or night. Phishing scams, identity theft, and telephone hacking are all crimes that traditional insurance policies do not address. Cyber insurance can provide comprehensive crime cover for a wide range of electronic perils that are increasingly threatening the financial resources of today’s businesses.
  4. Third party data is valuable and you can be held liable if you lose it.
    We all hold more data than ever before and often this data belongs to our customers and suppliers. Non-disclosure agreements and commercial contracts often contain warranties and indemnities in relation to the security of this data that can trigger expensive damages claims in the event that you experience a breach. Increasingly, consumers are also seeking legal redress in the event that a business loses their data. This risk is further heightened in the event that you hold any data on US consumers.
  5. Retailers face severe penalties if they lose credit card data. 
    Global credit card crime is worth over $7.5bln and increasingly this risk is being transferred to the retailers that lose the data. Under merchant service agreements, compromised retailers can be held liable for forensic investigation costs, credit card re-issuance costs and the actual fraud conducted on stolen cards. These losses can run into hundreds of thousands of dollars for even a small retailer. Cyber insurance can help protect against all of these costs.
  6. Complying with breach notification laws costs time and money.
    Breach notification laws are slowly being introduced across many different countries. These generally require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected. Even though a legal obligation to notify only currently exists in some countries, this is changing and there is a growing trend towards voluntary notification in order to protect your brand and reputation. Customers who have had their data compromised expect openness and transparency from the businesses they entrusted it with. Cyber policies can provide cover for the costs associated with providing a breach notice even if it is not legally required.
  7. Your reputation is your number one asset, so why not insure it?
    Any business lives and dies by its reputation. Although there are certain reputational risks that can’t be insured, you can insure your reputation in the event of a security breach. When your systems have been compromised, you run a risk of losing the trust of your loyal customers which can harm your business far more than the immediate financial loss. Cyber insurance can not only help pay for the costs of engaging a PR firm to help restore this, but also for the loss of future sales that arise as a direct result of customers switching to your competitors.
  8. Social media usage is at an all-time high and claims are on the rise. 
    Social media is the fastest growing entertainment channel in the world. Information is exchanged at lightning speed and exposed to the world. But often there is little control exercised over what is said and how it is presented and this can give rise to liability for businesses who are responsible for the actions of their employees on sites such as LinkedIn, Twitter and Facebook. Cyber insurance can help provide cover for claims arising from leaked information, defamatory statements or copyright infringement.
  9. Portable devices increase the risk of loss or theft
    The advent of portable devices and the ability to work away from the office has made life a lot easier for many of us. However, this new style of working also means that important and confidential data can be stolen or lost much more easily. A laptop left on a train, an iPad stolen in a restaurant, or a USB stick going missing are all good examples. In addition, the devices themselves are being targeted with a growing number of viruses being built just for them. Cyber insurance can help cover the costs associated with a data breach should a portable device be lost, stolen or fall victim to a virus.
  10. It’s not just big businesses being targeted by hackers, but lots of small ones too. 
    While the large-scale hack attacks on the news often involve big companies, small companies are also at risk and often don’t have the financial resources to get back on track after a hacking attack or other kind of data loss. In fact, over a third of global targeted attacks were aimed at businesses with less than 250 employees. Cyber attacks are quickly becoming one of the greatest risks faced by smaller companies, making cyber liability insurance a must. It can help protect smaller companies against the potentially crippling financial effects of a privacy breach or data loss.

Of course, we are always available to help you close deals! Call or email us for additional assistance.

 

 

InfoSec Distribution of Cyber Insurance: Has the time come?


Has the time come?

Cyber insurance is distributed by business insurance agents specializing in traditional commercial products such as property, general liability, workers’ compensation and employee benefits. Despite diminishing premiums and dramatically improved coverage forms, cyber insurance take-up rates remain very low for SMBs (small to mid-sized buyers under $250M annual revenue). Can infosec channels more effectively provide comprehensive cyber cover to this highly vulnerable market?

 

“The only thing missing from managed security services offerings is cost effective financing for isolated and possibly catastrophic client events.”

Wrong buyers and wrong sellers?

Market survey estimates suggest somewhere between 16% and 35% of SMBs purchase comprehensive cyber coverage. Many obstacles make for a difficult sale. Almost 50% of brokers surveyed say not understanding exposures is the biggest obstacle to closing cyber deals. This compares to an onerous application process (15%), not understanding coverage (14%) and cost (13%). In our experience, lack of exposure knowledge actually keeps some agents from presenting coverage.

When providing workers’ compensation insurance, agents maintain specialized knowledge and can accurately quantify and communicate key exposures to loss. Insurance agents and brokers are seen as subject matter experts in workers’ compensation, as well as other products comprising a business insurance portfolio. Due to the paucity of loss data and limited technical expertise, this is not the case with cyber insurance.  In response, many global and large regional brokerages employ talented, often credentialed cyber experts.  This is not true with middle market agents who often rely on spotty cyber endorsements added to existing business insurance products.

Travel insurance is a good example to consider. Travel agents are subject matter experts when it comes to travel risk. They can easily explain the risks involved and offer insight based on first-hand traveler experiences. Perhaps this is why travel agents distribute some 70% of travel insurance.

 

InfoSec involvement in procurement can improve underwriting and coverage outcomes

Unlike insurance agents, security experts can explain the exposures to buyers and clearly understand cost components involved in responding to a breach event. In many cases, it is easier to educate a security professional about how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber risks.

Sample Cyber Claim Denials

  • $275k: Reporting Delay
  • $475k: Use of Unapproved Vendors
  • $4.1M: Application Misstatements
  • $2.0M: PCI-DSS Contract Exclusion

Leaving infosec subject matter experts out of the procurement process often leads to coverage disputes and unacceptable claim recoveries. The likelihood of such outcomes is minimized when infosec professionals are involved in the process and properly on-boarded.

In addition to understanding exposures, security vendors already possess data needed for the application process. As such, CFOs and other corporate officers may no longer need to endure the task of completing onerous applications.

“Are you nuts? We don’t want to sell insurance”

MSSPs should not get into the insurance selling business for many reasons. Commercial insurance is one of the most heavily regulated industries in the US. Directly selling commercial insurance requires appropriately licensed and trained insurance professionals.

A cyber insurance product embedded into a security service offering is possible and need not be overly complicated. If designed properly, a successful program does not require vendor licensing, additional internal resources or material product “touch” by the vendor. The volume of premium generated by a single InfoSec provider will also reduce premium costs for customers. We note that Apple and Cisco recently teamed up with global insurance providers Aon and Allianz to offer discounted cyber cover to users of their platforms.

“In many cases, it is easier to educate a CISO on how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber exposure to loss”

Driving Demand

In order for the cyber insurance market to meet robust growth projections, catalysts beyond scare tactics about newsworthy mega-breaches such as Target, Equifax, and Yahoo are needed. Most SMBs can’t relate such large-scale events to their business. One catalyst is the increasing number of companies requiring that business partners purchase cyber coverage. Better education about cyber risk is also driving some level of demand.

For small to middle market organizations, the use of external third party information security support services such as managed security providers is a key strategy to mitigate cyber risks.  The only thing missing from most security services is cost effective financing of isolated and possibly catastrophic events.

Some infosec vendors think rounding out services with cyber insurance will differentiate their services in a very crowded market, resulting in improved new business and customer retention. If properly designed, incorporating a level of cyber coverage within the security services offering can result in better-educated buyers, a painless application process, lower rates, and better coverage outcomes.

 

Sources:

  • Deloitte University Press: Demystifying Cyber Insurance Coverage-Clearing Obstacles in a Problematic But Promising Growth Market 2017
  • PartnerRe & Advisen: Cyber Liability Market Trends Survey October 2016.
  • Finaccord: Distribution Channels for Travel Insurance and Assistance 2013.
  • https://www.apple.com/newsroom/2018/02/cisco-apple-aon-allianz-introduce-a-first-in-cyber-risk-management 

About Cyber Risk Underwriters:

We underwrite and distribute specialty cyber insurance products for InfoSec vendors and retail insurance agents.  Our products include cyber warranties, MSSP distributed cyber insurance, as well as stand alone cyber and technology errors & omissions insurance.

 

Contact:  Jeffrey Smith
Managing Partner
Cyber Risk Underwriters
jsmith@cyberriskuw.com
866.292.3092

Why Mid-Market Healthcare Providers Need Stand-Alone Cyber Cover


Cyber Insurance: Mid-Market Healthcare Providers: Endpoints, Medjacking, Security Budgets & HIPAA

An attack surface is the sum of all the points of entry through which an attacker can breach your environment. In a healthcare setting, endpoints go well beyond workstations, laptops, PDAs and cell phones to include digital medical devices and software. “Medjacking” is the hijacking of biomedical devices that create backdoors to hospital networks. Malware has been found on imaging equipment and blood gas analyzers, as well as in software that manages surgery and treatment schedules, power systems, and the administration of medicine. Reimbursement uncertainty leads to tight budgets for information security. This means a custom designed cyber insurance policy is a necessity to minimize financial and reputational costs of isolated cyber events.

Many small to medium providers don’t view HIPAA fines & penalties as a significant threat due to the limited number of patient records maintained. A review of HIPAA settlements for 2016 confirms that even breaches involving fewer than 50,000 records can result in catastrophic financial loss. For example, Raleigh Orthopedic Clinic, P.A. of North Carolina incurred a breach of 17,300 records erroneously released to a business associate. The HIPAA settlement was $750,000. The settlement is just one component of breach costs. The cost of the corrective action plan, computer forensics, breach event costs, loss of revenue and other expenses that accompany a cyber breach event involving medical records likely tipped this claim over $1,000,000. The annual premium for a 20-physician practice is around $5,000 for $1,000,000 in coverage.

The latest firewall or anti-malware products will not prevent employee errors or a determined attacker. Too many small to medium sized providers rely on “short” cyber insurance limits included in a medical malpractice policy. These limits can range from $25,000 to $100,000. As indicated above, such limits are not remotely adequate to protect providers from isolated catastrophic cyber breaches that need only affect a small number of patients. A well-crafted, stand-alone cyber insurance policy is a low cost solution to a potentially devastating financial risk.

Stand-Alone Cyber for Mid-Market Healthcare Providers

 

Trouble Closing Cyber Insurance Deals?


The cyber security industry is broken. The industry sells over $80 billion of antivirus, firewalls, penetration tests, threat detection, consulting services and other products, yet clients still get hacked[1]. Vendors aggressively sell security products based on hype as opposed to product efficacy.

Ask your client if the security products they purchase come with a return policy or warranty. Less than 3% of cyber security vendors provide warranties that help a client financially recover from a failure of product performance. In other words, if a security product fails and results in financial damage, your client’s sole recourse is costly legal action. All the more reason that a cyber insurance policy is a critical part of any business’ insurance portfolio and a great value given current market conditions. In fact, for most risks, cyber insurance premiums are less than 5% of total IT security spend.

As an example, a $200M manufacturer’s IT budget includes $500,000 for cyber security. A well-crafted cyber policy costs around $10,000 for a $1,000,000 limit. That is a relatively small price to pay for proven breach resources and loss cost financing.

Cyber Risk Underwriters is 100% focused on emerging risk insurance solutions. We distribute products to retail insurance agents, CISOs/CIOs and via cyber security consultants, Managed Security Service Providers (MSSPs) and Value-Added Resellers (VARs). Have any questions? Feel free to contact us here or call us at 866-292-3092 today!

[1] https://www.csoonline.com/article/3194829/security/the-pitfalls-of-cybersecurity-shopping-hype-and-shoddy-products.html

Hey Retail Agents! Does your cyber insurance connection offer a de facto super ninja on all things cyber?


Unlike other cyber MGAs and wholesalers, we don’t look to old insurance guys for strategic direction. We have industry-leading ethical hackers to help you close deals.

Check out our Jeremiah Grossman discussing extortion, cyber insurance, and cyber security guarantees…and in terms your clients can understand.

 

 

 

RAND on Cyber Insurance Pricing… “in some cases the carrier would appear to guess…”


So we just finished reading a very deep dive by RAND called “Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk?” The depth of the analysis is significant, including discussion of pricing “boxes”, increased limits factors, and security factor weighting. When all was said and done, our favorite excerpts include:

  • “Only in a few cases were carriers confident in their own experience to develop pricing models”
  • “We are not using claims counts as the basis for credibility because we have not experienced any claims over the past three years..”
  • “Further, it is not unforeseen for carriers to examine their competitors in order to define rates”
  • “..in some cases, the carrier would appear to guess..”

Guess we don’t know what we don’t know eh?  It’s a “last look market”…damn the sexy marketing slicks!

Negligent employees are no. 1 cause of cybersecurity breaches at small to middle market enterprises.

Careless workers and poor passwords have led to a rise in ransomware attacks and other breaches on SMBs, which cost an average of $1 million.

Negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK, according to a new study from Keeper Security and the Ponemon Institute, released Tuesday. Of the 1,000 IT professionals surveyed, 54% said careless workers were the root cause of cybersecurity incidents, followed by poor company password policies.

This is especially concerning due to the rise in ransomware attacks: More than 50% of SMBs surveyed had experienced such an attack in the past year, which often enters an organization via a phishing email aimed at tricking an employee into clicking a malicious link or download. Indeed, in the survey, 79% of those hit said the ransomware entered their system through a phishing or social engineering attack. Further, of those who experienced an attack, 53% were hit more than once in the year.

Equifax: Protect Yourself!

From the experts…

  • Use a credit monitoring service such as LifeLock: They won’t prevent identity theft but can help you recover.
  • Place a freeze on your credit files:  Security freeze laws vary by state, but they usually cost between $0 and $15 to instate. To adequately protect yourself, you must place a security freeze on your credit file with each of the three main credit bureaus (TransUnion, Equifax, and Experian) as well as Innovis, a credit reporting agency.
  • Periodically order a copy of your credit report: A security freeze doesn’t prevent everyone from viewing your credit file. For that reason, it’s a good idea to periodically order a copy of your credit report so that you can review it for unauthorized charges.
  • Create a security alert or security freeze for your consumer file: Services such as ChexSystems provide a bank with a consumer report whenever someone attempts to create a new savings or checking account in your name.
  • Opt out of new credit report and insurance offers:  Some attackers try to intercept new credit or insurance offers in the mail so that they can open new lines of credit in your name. Fortunately, you can opt out of these free offers by visiting OptOutPrescreen.com.

How to protect yourself in the wake of the Equifax data breach

Security Guru Adrian Sanabria on Equifax Breach: “Should We Be Surprised?”

Just the facts

Equifax announced yesterday, September 7, 2017, that it experienced a cybersecurity incident. Equifax is one of the “big three” US credit bureaus, along with Experian and TransUnion. They lost data belonging to 143 million Americans, which sounds like a lot, because it is. That’s 57% of the adult US population. Additionally, the company says payment information for 209,000 individuals was also lost, along with dispute documents belonging to an additional 182,000.

Savage Thoughts

As the title implies, I don’t think anyone was terribly surprised by this. We’re numb to the announcement of a breach at this point. In most cases, we’re powerless to do anything about it. It’s been shown that breaches have little to no long-term financial impact on the organizations that experience them. We’re resigned to the fact that companies will continue to make security a secondary priority, will continue to get hacked and will continue getting away with no serious consequences.

If you think about it, by offering its own products as a solution to the incident, this whole thing is one giant lead-generation campaign for Equifax. Yeah, it’s a big loss leader, but it’s still a loss leader on 143 million leads.

https://blog.savagesec.com/equifax-breached-no-eyebrows-raised-4ac57bf3bb9c