BY PAUL FARKAS, TECH DIRECTOR
We live in a world where cyber threats are all around us in our business, personal and family lives. It is essential to gain knowledge and take action to build better habits and get protection from third-party safeguard solutions. We found a recent industry panel session hosted by Chubb, "Becoming Cyber Smart at Home, Work and Wherever Life Takes You," to be super-informative and recommend looking at these topics, themes and steps to get your digital lives in top shape!
The panel comprised cyber industry experts from Chubb, ADT, Carnegie Mellon University and CyberScout, and outlined a range of cyber threats facing individuals and small businesses in today's connected world. It described real-life examples and anecdotes in bite-size answers, and offered some best practices for individuals and businesses for keeping their personal information safe against some of today's biggest cyber risks.
The session delivered an insightful discussion about cybersecurity and its impact on our personal and professional lives by demystifying cyberthreats as well as highlighting practical protections that can be implemented by anyone.
Patrick Thielen, Senior Vice President, Cyber and Technology Product Lead in North America for Chubb, led the panel discussion. “To frame the risk facing consumers, global economic costs of cybercrime are rising into the trillions of dollars annually, and a large portion of that falls squarely on the shoulders of consumers. Since 2005, there have been over 8000 reported data breaches of businesses, in which over ten billion consumer records have been stolen. As of today, 64% of American adults have been victimized by at least one of these breaches and most multiple times... The average email user today has over 130 online accounts and we have more and more internet connected devices in our homes. It is not surprising that according to the 2018 Chubb Cyber Survey focusing specifically on individuals, 86% report being concerned about a cyber breach, yet only a small percentage were taking basic precautions to guard against them.”
In fact, 8 in 10 people experience or know someone affected by cybercrime, per the US results of the 2017 Norton Cyber Security Insights Report noted in the session. Incredibly, a referenced study by the James A. Clark School of Engineering at the University of Maryland found cyber attacks to be happening every 39 seconds.
Summer Craze Fowler, Technical Director of Cybersecurity Risk and Resilience at Carnegie Mellon, is responsible for a team and portfolio of work focused on improving the security and resilience of the nation's critical infrastructure and assets. “Businesses of all sizes are targets for these data breaches as they hold so much information and data, not only about consumers, but also about their employees,” she noted. “Typically when we think about these data breaches, we think about credit card fraud, but it has extended well beyond... we’re looking at lately W-2 fraud and health insurance fraud,” she said, noting that W-2 phishing is up 870%, with tax returns being filed on behalf of employees and the funds diverted to the bad actors. “Your health insurance information can be used by others getting care and pretending to be you.”
The session was well-supported by studies and figures. 27% of data breaches in 2017 were medical or healthcare related per the claims data from the Identity Theft Resource Center. A whopping 24% of all Chubb cyber claims are healthcare related.
Adam Levin, Chairman and Founder of CyberScout and author of the critically acclaimed book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, made some excellent points for businesses and consumers to note and act upon. “The reality with the ID theft problem... is this data can use you as the credentialed person to get into your business network, where they can put malware on the computers of your business; they can steal information involving W-2s; create situations where they do wire transfer fraud; they can steal intellectual property and trade secrets. It isn’t you for you, but as a conduit of all of the other things. The biggest thing they do is phishing attacks, they do drive-by attacks, they find ways to get malware on your computer and do keystroke attacks, ransomware and then they also get into information about kids.” He shared some appalling scenarios, like child-related identity theft, where a scheme can run as long as 15-17 years because kids’ credit isn’t often checked, and oftentimes it is a relative living in the home who sets up a separate life right under their nose, across the table.
Michael Keen, Vice President, ADT Cybersecurity, chimed in, “[a]n additional threat vector is the home network, like a home router... there are countless folks that have the same passwords or administrative access to those devices and the same firmware when the device was issued. Compared to all of the threats out there, you have to look at what’s keeping against threats created yesterday to protect us today. And so the motivation of criminals that attack the home has also extended to the Internet of Things (IOT) devices. In 2017, the average number of internet-connected devices connected to the home was around 13... talking about (connected) light bulb, a thermostat, a lock, a baby camera, a refrigerator, television, and in terms of motivation, frankly it pays.” He added, “Cybercriminals will always take the path of least resistance” and gave low-cost IOT devices as an example, where the ability to add layers of security, firmware updates and testing is nowhere near that of physical security installed by professionals. “The strength of your network is dependent on the weakest devices in your network. It is either focused on things like denial of service attacks or can even be used to mine cryptocurrency using your network’s power to mine Bitcoin.”
Indeed, studies show costly ransomware is on the rise. Per the Symantec 2018 Internet Security Threat Report (ISTR), the average cost of ransomware per attack is $533.
Ms. Fowler continued by pointing to the fact that people need to be practicing good cyber hygiene. “Often times we are offering up the information, like internet quizzes where the data we put online is used by nefarious purposes. Phishing, vishing (voice), smishing (sms) are prevalent and even videos on online dating sites are also being used for ransomware.”
“Unfortunately we are not going to be able to prevent this anymore,” Mr. Levin regretfully noted. “We have hundreds of millions of social security numbers out there due to breaches for many years. Cyberwar has replaced the cold war that we face-off every day against state-sponsored hackers, for-profit hackers, cause hackers and basement hackers. We have to adopt an entirely new paradigm as to how we think about it.” Mr. Levin has coined and developed the 3M’s for the industry where “we boil it down to three M's -- minimize, monitor and manage," said Mr. Levin. "It is about minimizing your risk of exposure through adopting best practices, monitoring your accounts effectively and comprehensively, and managing any damage, such as ID theft or stolen accounts that might occur." He elaborated that it was about “minimizing the risk of exposure or reducing your attackable surface; effectively monitoring, and planning for and monitoring the damage.” He said, “it’s not about the technology, it is about creating and following a culture and following it for businesses and consumers.” Some solid pieces of advice Mr. Levin gave were: using strong passwords or getting a password manager; enabling 2-factor identification; creatively changing memorable answers to security questions; staying away from public wi-fi and using a VPN for better protection; updating and backing up your data; shredding; freezing credit; changing default passwords of IOT devices; checking and being mindful of credit scores and signing up for transactional monitoring alerts; thinking of more sophisticated monitoring programs; and looking at explanations of health insurer benefits where there are multiple charges due to fraud.
“The culture of security and acting on things today is very important,” Mr. Keen added. “A variety of different service partners can provide installations of hardened security equipment, like how a network is set up.” He gave examples of considering implementing guest wi-fi that can be configured on your behalf, and staying on top of security patches and firmware updates, as well as monitoring, all of which are readily available services and solutions from providers.
Ms. Fowler highlighted that it is also a culture of resiliency, “where the internet is a part of our lives and we need to exercise resiliency... and have a response plan.” Some questions to think about are, “who would you call as a family as victims of a breach; whether you have an attorney ready with something more serious, like physical attempts and ransomware, and also knowing how to access financial institutions with bigger problems and whether people have and test backups to make sure they work.” She noted that when traveling, it is good practice to have ways to access funds other than a primary credit card as a backup plan. “Basic hygiene includes having a response plan,” she stated.
“The 3rd M is manage the damage,” Mr. Levin pointed out. “It really has to do with knowing who to call and knowing what to do. In a business you would create a breach response plan, game this plan, and know you would have to respond urgently, transparently and empathetically. As a consumer, many institutions have programs available either to policy holders, account holders or employees, so (they can) check with insurance agents, financial services organization, and HR departments and find out how to be part and the cost is one of the cheapest investments you can make versus the agony and financial loss you can have,” he warned.
Mr. Keen agreed, “be partial to action, these suggestions are easy and free or inexpensive if implemented today. Think of the prevalent use of mobile phones and whether security has changed to meet those demands.”
“Technology is moving at breathtaking pace and families should discuss with children and elderly and monitor use online. Often adversaries are coming with sense of urgency, if too good to be true, it likely is, either with big discounts and savings or fear of quick force like threats of governments coming to your home. Take a breath and think about things before doing things that could open you up and expose you,” Ms. Fowler noted.
In response to one of the audience questions, Mr. Levin creatively added, “when you say the word portfolio, the Pavlovian response of most people is investments - but the truth is we also have other portfolios in our lives – we have our credit and our identity, and have to be professional managers, because business, governments, and truthfully, consumers have not done enough, there needs to be a shared responsibility of cooperation, collaboration and communication… It is incumbent upon us to help one another. The extra step is sometimes the harder step to understand the threats and extra things to do to protect yourself, and look to trusted institutions with relationships to get assistance. Be bold, ask and when there is some assistance take it.”
Answering another query to the panel, Ms. Fowler noted, “from a business standpoint, they need to be cognizant of what they bring into their environment. It is really critical to understand what assets you have inside - people, technology, the facilities themselves – it is a prioritization process.”
Mr. Levin added another array of things for businesses to target: 2 factor identification; training; segmenting data by need to use and need to know; mapping data to be ready for incidents; aggressive vulnerability analysis and patch programs; and more. He forewarned that we “have to assume there is going to be an incident. A defining moment can be how a breach is handled. In the future, regulators, class action attorneys and the public will judge businesses on how well they protected the data and how well did they respond for customers, employees and business partners.”
Indeed, within the last few years, there have been several products in the market that offer cyber protection for individuals, stated Mr. Thielen. “There are policies that cover financial fraud, extortion and ransomware, privacy breaches, cyberbullying and other disruption victimization. Incident response coaches will have steps of what to do and facilitate,” he said, noting they should be contacted in the first steps.
Adding layers of redundancy to make a security culture was also stressed by Mr. Keen. “Victimized business owners may face obligations from rules and regulations to notify customers or partners that could lead to loss of revenue, so it makes a lot of sense to mitigate risk through policies. Cyberthreats are evolving constantly, the latest stat is 250,000+ strands of malware are created daily, so if you are not evolving at an equal pace you are continuing to be left at risk. The reason why there is so much cybercrime is because it is easy and because it pays.”
Mr. Levin underscored that “the truth is technology makes us powerful, but it also makes us vulnerable. When convenience trumps security, there are issues. And we know as technology evolves, the protection tends to catch up and there are responses to the flaws and issues, the bad guys find a work-around, because there is more money on the dark side, and so we need to work together and find new ways to do this and find ways to better accurately authenticate people. Especially for businesses, we have to move toward privacy by design and security by design, and can't be a bolt on - they have to be a core of things from day one. IOT devices should not be allowed to be connected to the internet until a new password is entered to work, so devices can be updated and upgraded automatically.”
“As businesses, the threat is evolving every day,” concurred Ms. Fowler, “but we are really worried about the impact, be it from a cyberattack or a natural disaster, so it is very important for businesses to think about what is it that is most important for the operations of this business, and then make sure they have the right protections around those things most critical and more broadly than cyber - being resilient to accomplish its most important objectives. For personal, we look at kids and monitoring what is online and think about what is most important and build protections around that.”