
I’ll Get You My Pretty...and All Your Data too!

By Lynn Bren, AIC SCLA, SDPAA Deputy Director


Lynn’s sitting at her desk and receives an email from the Prince of Norway; he simply wants to send her a legitimate share of her inheritance, approximately $300,000. WOW! She didn’t even know that she was related to the Norwegian Royalty… and certainly didn’t recall anyone recently passing away, but hey… who is she to pass up an inheritance? All she has to do is click the link in the email to fill out all the appropriate paperwork. She clicks the link, and the screen goes red with instructions to input payment information to unlock the system.

Lynn’s in charge of all accounts receivable and update information. She receives an email from Bren Contracting indicating that they are making sure that all of their clients have their current banking information. Checking their vendor records, Lynn notes that this information is different than what they currently have. Rather than immediately updating this information, she calls her contact at Bren Contracting to confirm that they have in fact updated their banking information. When she calls, she is told that no such request was made by Bren Contracting.

Last summer I did an article with some of the basics about Cyber Liability. The title of the article was “It’s Not If, It’s When.” While this article gave some basic information, some of which I will provide here shortly, the article came at a time when the Cyber Liability carriers were still seeing relatively low claims volumes, and were requiring very little information to secure coverage. With the pandemic, and more people working remotely, there was an influx of opportunities for hackers to seek out and uncover vulnerabilities within organizations’ remote systems and connections.

Unfortunately, if you search for “cyber-attacks” in your favorite search engine, your screen will be quickly filled with various attacks made by hackers across the world. One of the largest, in terms of volumes of entities breached, was the Microsoft Vulnerability Breach. This breach affected over 10,000 entities across the United States and over 30,000 more entities across the globe. Computer Weekly posted an article in December 2020 discussing the top 10 Cybercrimes of last year. As noted in the article, the top three and seven of the top ten crimes are ransomware related. (Scroxton) The hackers are clearly not just interested in your data, but they want you to pay to get it back.

In response to the significant increase in Cyber Crime, carriers around the world are having to evaluate the exposure and are now requiring significantly more information in order to determine IF they are going to provide coverage, and what will be paid for the same. The SDPAA is dedicated to creating the most up-to-date information and training options for our Members. We continuously work with various vendors to provide access to educational resources and tools which will help our Members not only qualify for Cyber Liability coverage in the future, but to be better equipped to avoid or respond to attacks. SDPAA Members will be receiving a survey within the upcoming weeks which will be utilized to not only collect data to determine what resources and tools our Members need, but also to provide information to our Cyber carriers to ensure that the best coverages can still be offered to our Members.

The best way to avoid a Cyber Breach is to ensure that you understand what it is and what tools are available to protect your organization, and then apply that knowledge and those tools to not only your work, but your everyday life. Cyber liability is liability arising from a data breach in which some personal information is exposed or stolen by someone who has gained access to the electronic network. If your network is breached, you may have liability to notify someone whose data has been stolen, to offer credit monitoring, to pay costs to defend claims made by state regulators, to pay fines and penalties associated with a breach and to pay losses associated with identity theft. The liability cost of a breach, as reported in 2016, was $221 per compromised record.

Cyber breaches and attacks not only impact clients and consumers outside of your entity, they also impact your entity directly. First party exposures include business interruption, including the cost of shutting down operations during the breach; data loss and destruction resulting in costs to recoup or recreate data; computer and funds transfer losses; and cyber extortion, which is the attack or threat of an attack against an enterprise coupled with a demand for money to avert or stop the attack.

There are different types of cyber-attacks, and different levels of these attacks. Phishing is usually done through the email services of a company. In a general phishing attack, a general email is sent out casting a wide net to see if someone will open the door for the virus to be planted. Spear Phishing involves some research being conducted by a hacker prior to engaging in the attack. The hacker will use information gathered about the intended victim’s family, and then use that information in an email to lure the recipient into engaging with the infected email. An example would be the hacker is aware that a family member is out of the country, and may send an email with an infected pdf attachment, claiming that the attachment includes information about how to send money to assist in necessary medical care or transportation. Once the victim opens the attachment, they unknowingly release the virus into the system. There is often a follow up email assuring the victim that there was a mistake and that no emergency exists, all the while the virus is now making its way through the victim’s system, gathering information. A third form of phishing is called whaling. In this instance, a high level party is targeted. A hacker will obtain the credentials of the party and then access their email, usually through a web based account. No immediate action is generally taken, however the hacker will monitor the email correspondence, gathering information and details about the entity’s business. At the right moment, they create an invoice which is sent along, resulting in a fraudulent money transfer, which is generally difficult if not impossible to track or recover. Home buyers have been reportedly tricked into making wire transfers to a hacked escrow account.

Other types of cyber-attacks are known as malware or ransomware. Malware has been shifting and trending into ransomware. Ransomware attacks occur when a hacker encrypts an organization’s files or data, and then requires payment of ransom, often via the use of bitcoin. Bitcoin is a digital asset which is exchanged peer to peer, without an intermediary. Bitcoin can ultimately be exchanged for other currencies, products or other services. Once the payment of the ransom is made, the data is decrypted. Ransomware usually requires some performance or engagement by the end user. There may be a link within an email, a file to be downloaded, an attachment to open or a macro to activate. Ransomware can also be delivered through advertising. Hackers have been known to purchase advertising space and upload a legitimate ad; however, if the purchased space is not checked by the host, the ad can later be replaced with infected advertising, which when clicked releases the virus into the system.

Distributed denial of service attacks generally do not involve direct profit for the hacker. It is believed that these types of hacks are done for bragging rights. During a distributed denial of service, a hacker will take down a website of an entity, which can be detrimental to the entity, but with no real visible gain for the hacker himself.

With some very basic and general knowledge of some of the ways that our electronic systems can be attacked, the next logical step is knowing how you can protect your entity. It is important to create and keep up to date backups of all your information. If a ransomware attack is made, having the current information backed up makes the decryption of data less crucial. Additionally, having back up bandwidth to cover the downed system is recommended to keep operations moving. Training
