Posts by: Julia Wailes-Fairbairn

Cyber insurance may be null and void without ‘due care’

There is a worrying trend in the world of cyber safety. Many companies believe that cyber insurance will protect against any damage associated with a breach. It is vital that senior board members are aware, however, that if they fail to take reasonable precautions their insurance investment could well be null and void.

Leading business insurer Allianz estimates that the cyber insurance market in Europe alone is on track to be worth nearly $1 billion by the end of 2018, mirroring the rapid expansion of the US cyber insurance market. Although the global insurance industry sees it as a valuable new market full of opportunity they are, predictably, measuring their response with caution.

Cyber insurance has, in the past, been considered a safety net in the event of a breach. But as the incidence of cyber breaches continues to rise so has the level of caution demonstrated by both the government and the insurance industry. In fact, while governments are promoting the cyber insurance market, especially in the US and the UK, they are also using the insurance market as a lever to drive much needed cyber security improvements in the business sector.

According to Phil Huggins, Vice President of Security Science at Stroz Friedberg: ‘Their [the government’s] expectation is that this will align risk assessments with good practice, while incentivising good risk management, thereby reducing the need for direct government involvement and regulation. The recent launch by the UK Government of the ‘UK cyber security: the role of insurance in managing and mitigating the risk’ report is just the latest manifestation of this strategy.’

The strategy is working. Insurers are incentivising behaviours that reduce the potential for harm, including the term ‘due care’. This refers to the precautions ‘a person of ordinary prudence’ would take to safeguard their systems. Demonstrable cyber resilience has become a requirement for cyber insurance and this in turn is driving an increased demand for Retained Forensics.

The essence of Retained Forensics is to develop cyber resilience through the engagement of a small team of industry professionals who are fully briefed about the scope of an organisation’s network and infrastructure. This enables them to:

  • establish, direct and manage a full test and exercise programme;
  • ensure high level management of cyber defences across all network and infrastructure;
  • be on hand and ready to assist in putting the agreed action plan in place in the event of a breach. In this way, the 72 hour reporting element of GDPR will be achievable and the mitigation process will be well in hand before the deadline.

SRM has an international reputation for providing the full range of Retained Forensics services including automated and manual penetration testing, Red Teaming, Incident Management, Disaster Recovery and Business Continuity Management. Through Retained Forensics, ‘due care’ can be demonstrated making an organisation not only less likely to suffer a breach, but able to demonstrate best practice in the event of an insurance claim.

To receive regular updates on issues relating to cyber security follow us on Linkedin.

See our website.

View our recent live webinar Incident Response & Forensic Expertise – would your business survive a cyber-attack or security breach?

Or check out our recent blogs:

The GDPR compliance fallacy

The A to E of cyber maturity

How PCI compliance puts you on course for GDPR

 

 

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

By Paul Brennecker, Principal Security Consultant and Lead QSA

Paul Brennecker gave a presentation at PCI London on 5th July 2018 and this article first appeared in that event’s publication. 

All too often the engagement of a Forensic Investigator is a distress purchase, made at a time of crisis when a breach has already occurred. Yet, waiting until there is a full blown emergency means organisations are missing out on the added value that specialist Retained Forensics professionals can bring.

Forensic Investigators don’t just operate in a crisis. When engaged to provide a Retained service, they can also help to develop a resilient defence strategy. This combines developing and delivering a full strategic cyber defence plan with Incident Response management. Their strategic guidance and practical knowledge enables them to help organisations reduce the level of impact while also meeting legal and regulatory responsibilities in the event of a breach.

In the event of a breach being reported, the Information Commissioner’s Office has made clear that it will look at the level of security in place, as well as the Incident Response strategy when considering the fines it will impose.

With forward planning it is possible to ensure that you get the maximum return for your investment and also secure the service that is best for your business. In business terms, a distress purchase is defined as a purchase made at some critical point, usually during a failure of other unplanned event. This is like buying a plastic cape when caught out in heavy rain: it is unlikely to be the best waterproof nor the best value for money but the purchase was forced by extreme circumstances. Similarly, that present bought in the late afternoon on Christmas Eve may turn out to be the most expensive gift ever purchased.

In today’s cyber security landscape such critical points come, not surprisingly, when least expected. No one can know when a breach or a security incident will take place. One day you are blissfully unaware of its existence; the next you are in a state of crisis with much to do in a very short period of time. This is particularly the case under the terms of GDPR which requires data breaches to be reported within 72 hours. GDPR also requires that you implement robust breach detection, investigation and internal reporting procedures.

One of the first tasks is to secure and contain the breach – a specialist job which can be time consuming and confusing – and for this an industry specialist must be appointed. There are not a vast number of suppliers to speak to. For example, when it comes to a PCI data breach, there are only eight companies in the UK which hold the necessary certifications required by the acquiring banks.

A cyber mature organisation knows that it is not enough to simply be reactive, however. Their aim is to anticipate the critical point and to scope, develop and implement a company-wide cyber security strategy which is constantly challenged and re-enforced. This type of strategic plan will help to ensure effective business continuity and protect from loss of income and reputation.

Working with a Retained Forensics specialist facilitates this strategic approach; from analysing potential weaknesses, to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie and helps a business to build a robust defence around them.

The world of cybercrime does not stand still, however, and so defences must be continually reviewed and challenged to ensure they are as up to date as possible. So, although PCI compliance for example, is a vital annual check, it does not claim to guarantee that adequate defences are in place all year round. A more resilient strategy therefore uses a regular Test and Exercise programme to keep the process agile and responsive.

Where it is advisable to go a level deeper, organisations can also consider Red Team engagement. Red Teaming is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This enables organisations not only to identify where a potential attack might take place but also builds in a level of resilience by identifying where potential future vulnerabilities may lie.

The mature organisation works with Retained Forensics to scope the requirements of their business, making it possible to manage the whole process in a timely and cost-effective manner. While building a robust defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to stage an event, to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken and time is not lost.

A Retained Forensics team will also undertake the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. Not only will they have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies; all of which will already be in line with the requirements of GDPR. In this way any damage and disruption will be swiftly minimised and mediated.

Given the benefits of engaging a Retained Forensics service, it is perhaps surprising that some still overlook it, simply engaging a Forensic Investigator when compelled to in the event of a breach. The reason for this is perhaps that the challenge of managing third parties to achieve and maintain the various data standards and compliance is ever increasing, meaning that the procurement of services to assist in the event of a data breach is often overlooked.

Those who plan for the worst while hoping for the best, however, reap significant benefits and have the time to engage with a professional Retained Forensics service before a crisis occurs. By planning ahead, they ensure that they get the maximum return for their outlay and also secure the service that is the best for their business.

The Industrial Revolution v4.1: with increased opportunity comes increased vulnerability

If history teaches us one thing it is that there is no going back. It started with the First Industrial Revolution which used water and steam power to mechanise production. This was followed by the Second which used electricity and the Third which used electronics and information technology. With the Fourth Industrial Revolution we have seen a fusion of digital technologies, the use of the Cloud and extensive data management. But arguably we are now entering an additional phase which includes the integration of physical devices, vehicles, home appliances embedded with electronics, software, sensors, actuators and connectivity, sometimes known as The Internet of Things. This is the Industrial Revolution v4.1.

This new era of technological revolution presents unprecedented opportunities for innovation, diversification, agility and cost optimisation. Yet with these increased opportunities also comes an increased level of vulnerability.

The latest report by Kapersky (2018) provides some statistics around the global cost of data breaches, revealing that the average business now spends 27 per cent of its IT budget on cyber defence. This investment is essential given the potential financial losses likely to be incurred in the event of a breach.

In addition to the cost of the breaches themselves in terms of fines and lost revenue, the report shows that for larger organisations the damage goes even deeper with an average loss of $144,000 due to damage to their credit rating and higher insurance premiums and an additional spend of $113,000 on Public Relations exposure to repair and rebuild brand damage following a breach.

We must therefore also ask ourselves how organisations can defend themselves and be resilient to the inevitable attacks. There are four key areas:

1. Testing: Penetration Testing using a synergy of automated and manual testing to investigate and explore vulnerabilities, identifying potential areas of weakness; Red Teaming: using the skills of highly qualified individuals to simulate a real-world attack, designed to assess the suitability of the current security programme and offer remediation advice where appropriate;

2. Disaster Recovery: taking a strategic approach to managing staff in the event of a successful attack, minimising damage to brand reputation and safeguarding the interests of key stakeholders;

3. Retained Forensic Remote Support: having access to a specialist team 24/7, 365 days of the year to provide professional, pragmatic and strategic support in the event of any type of incident, enabling organisations to focus on maintaining business as usual;

4. Business Continuity: developing a Business Continuity Management (BCM) plan which is applied consistently across the entire enterprise with senior management’s support to make a significant difference in the ability of the organisation to achieve high level cyber resilience, protecting financial and reputational assets.

SRM provides the full range of these services using the integrated specialisms of highly-qualified and experienced consultants. Working with organisations to enhance their data security and to demystify the threat landscape, our team brings market-leading knowledge with a first class service.

To receive regular blogs on topics relating to information security, follow us on Linkedin.

To find out more visit our website.

Or read more:

The flaw in the plan: business continuity management

Penetration testing: man vs machine

What is Red Team Engagement?

The A to E of cyber maturity

How phishing scams are getting schools into deep water

While many schools are concerned about the advent of the General Data Protection Regulation (GDPR) and what it means for the collection and holding of data, permissions and consent, they may be overlooking its key purpose: to keep data safe. This is particularly relevant at a time when schools are increasingly becoming targets for cyber criminals. According to recent research by specialist schools insurer Ecclesiastical Insurance 20 per cent of educational establishments have been targeted. While universities, on the whole, are better equipped to defend against attacks, schools are significantly more vulnerable; due largely to the ‘soft target’ presented by teachers and parents who are ill-equipped to deal with online fraudsters.

The report concludes that naivity is a key problem with many school communities still being largely unsuspecting of how cyber criminals operate. This presents very real implications for the safeguarding of data and children and, by default, adherence to GDPR. Security around social media is a particular problem, providing potential hackers with detailed information with which to bait their phishing hooks.

Common attacks include phishing scams where individuals are tricked into providing information which allows criminals access to the school system. Data theft is sometimes the goal and children’s medical records are, for example, reported to be lucratively traded on the Dark Web, providing details for fraudulent official documents. Sometimes the intention behind the attack is, however, purely financial with emails requesting payments providing links to rogue websites. A new type of scam has also developed called ‘whaling’ where finance directors or bursars are conned into transferring thousands of pounds into fake accounts.

Private schools are particular targets due to the high fees and in 2017 Insurance Times reported a scam where parents were sent fake emails which conned them into sending fee payments into the criminals’ account. In these instances, private schools are particularly at risk of damaging their reputations.

Yet, in institutions which trade in education, it is education regarding online safety that is the main problem. This is because, no matter how effective the online security strategy, it is the human element which most commonly leads to system breaches. Continuous and constant education – including awareness and training programmes – need to be in place to reduce the risk.

A key element is education around social media. Schools and educational trusts should prioritise providing strict guidelines for social media postings and other forms of publishing. This is because phishing expeditions frequently start with social media. Hackers use the information posted online to send relevant-sounding emails which create the impression of being legitimate, encouraging people to open and act upon them.

Phishing scams also enable hackers to gain access to the internal school systems. While these may be well-defended on the perimeter with firewalls and access restrictions, a simple phishing exercise can con individuals with restricted access into divulging further information. Once inside the system, cyber criminals may encounter little in the way of additional defences.

Phishing scams and social media are just one element of the problem facing schools. There are many important aspects to adhering to GDPR and building a robust online defence and we will be posting further blogs on this topic. If you wish to receive these please follow us on Linkedin.

Incident Response & Forensic Expertise Webinar – Would your business survive a cyber-attack or security breach?

As organisations endeavour to be as proactive as possible to protect themselves from a cyber attack or security incident, do you have access to the correct expertise to respond efficiently, limit the impact and minimise disruption if you were to suffer a breach?

Watch this recording of the informative webinar where Alan Batey, Head of the SRM forensic team, takes you through:

  • What is a retained Incident and Forensic response service?
  • Why do organisations need it?
  • What is the impact of not having it?
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A

To view, click this link.

 

SRM Blog

SRM Blog