Unfettered mayhem, raining down from cyberspace, has birthed the need for new protection few would have envisioned just a few years ago: cyber insurance coverage.

As coverage goes, cyber insurance is still a relatively new and emerging option that, despite its newness, is rapidly gaining traction among threat-weary businesses in every sector—healthcare, in particular, where protecting high-risk information in EHRs (electronic health records) is among the top priorities. 

Why cyber insurance?
For most, the goal of adding cyber insurance is to mitigate threats, liabilities and costs sustained from (what else?) “cyber incidents” – a broad term covering an ever-growing range of mishaps and misuse, from hacked accounts and stolen credentials to pilfered laptops and wayward thumb drives.  

Given the frequency and severity of recent breaches, and the financial fallout that invariably results, who can blame companies for wanting an extra layer of protection?

Certainly not attorneys Theodore J. Kobus III and Kimberly M. Wong, data security experts and co-authors of a new paper entitled “Risk Management: Cyber Insurance & Your Data Response Plan.” In fact, Kobus and Wong strongly suggest that, depending on budget, exposure profile and potential loss scenarios, cyber insurance may be a risk-reduction remedy that businesses sorely need.

Surprisingly customizable coverage
Companies seeking first-party cyber insurance coverage have a surprisingly diverse range of choices, say the authors, including protection against losses stemming from: data destruction and theft, extortion and hacking, and revenue lost from network intrusion or interruption.

Notification expenses, such as printing, mailing, credit monitoring and call center support may be included in a policy, along with third-party cyber liability coverage for vendors and partners.

Procuring the proper policy
The paper also includes suggestions for working with your broker, including:  

1. Determine what coverage you have under current general commercial liability or professional liability policies.  Identify potential gaps and opportunities to increase long-term protection.
2. Assess your current level of exposure and types of cyber incidents that pose the biggest threats.
3. Inventory the nature and location of all sensitive data. Is it stored in areas that are vulnerable to physical or digital theft? Knowing this will inform cyber coverage decisions.
4. Step through potential employee/non-employee loss scenarios, such as: hacking, theft of data or computer equipment and unauthorized publication of information online.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

The rise of online functionality and connectivity has in turn given rise to online security issues, which create the need for passwords and other defenses against information theft.  Most people today have multiple online accounts and accompanying passwords to protect those accounts.  I personally have accounts (and passwords) for sites I no longer even remember.  And while I have more accounts than most due to my profession, my hunch is that many people deal with the issue of password overload.  Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account only to be locked out.  Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that “you are you.”  I expect that you have experienced such “password overload” inconveniences, or you almost certainly know someone who has.

The problem seems like it could be easily solved by using the same password for everything.  One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app.  The problem with this approach is that if you are using the same passwords for all (or even several) of your accounts, then if someone manages to get the password for say, your Instagram account, they would probably be able to then drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks….  This could all happen because you logged into Facebook at an unsecured Wi-fi location, where your password for that one account is compromised, and it happens to be the same password you use for multiple accounts.

So, what do you do if you don’t want to tattoo 25 passwords on your arm and you don’t want to end up cuffed for felony check fraud? The answer is a password manager.  This new service was created so that users can remember just one password, yet have access to all other passwords. The best part is that you can have access to these passwords from anywhere as most of the new password managers are internet based. As the need for password management increases, the options consumers have grown leaving even the strictest cybersecurity aficionado pleased with the service. 

A few things you should look for when finding a password manager are:

1. Is it cross platform? Will it work on your iPhone and your PC?
2. How is the information (your passwords) encrypted?
3. Does the service sync automatically, or will the user need to update the password storage database every time they sign up for a new account?
4. What is the initial authentication process and how strong is it?
5. How reputable is the company who created the product and what is reported about the product itself?

By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like really, really well…

Organizations are adopting social media tools within their networks at increasing rates, yet the legal and compliance risks are often not fully understood or addressed.  A recent Forrester report noted that more than half of security decision-makers and influencers at enterprises reported that they were “concerned” or “very concerned” about the inability to meet regulatory obligations using social media platforms. 

According to the report, critical reliance on third parties for information collection and capture, rapidly rising social media content volume and fast-changing applications, and the difficulty of ensuring authentication all make it difficult for security professionals to keep up with the legal and regulatory compliance associated with social media.

The report suggested that security pros should look to financial services for guidance on social media risks, keeping in mind that retention obligations clearly apply to social media, retention obligations also apply to both corporate- and employee-owned mobile devices, and firms should monitor and provide ongoing training to employees.

Above all, critical steps that security professionals must take in order to respond to the risks that social media poses include the following:

1.  Build effective policies governing social media usage in your enterprise.
Your social media policy should cover what your organization will and will not do online, what your employees can and cannot do, and what members of the public can and cannot do on your social media sites.

2.  Determine how tools that control social media fit into broader information governance.
Look before you leap when it comes to adopting tools that help enforce social media controls and make sure they’ll integrate with your company’s existing systems.

3.  Incorporate flexibility and continuous monitoring in social media.
Social media is constantly innovating end evolving – your organization will need to do so as well.

A great deal of data is collected on students of all ages. Registration forms, health forms, emergency contact forms and permission slips are all a part of the information overload that schools typically require from their pupils, and many of these forms request sensitive data such as social security numbers. Unfortunately, school administrators don’t always protect this information as well as they should and education institutions are just as susceptible to data breaches as any other organization.

This vulnerability, combined with the fact that stealing personal information from minors can go undetected for years, is just part of the reason why minors are 51 times more likely to suffer from identity theft than adults.

The Federal Trade Commission recently issued a release alerting parents about how to protect students from fraudulent activity. Of particular note is information about the federal Family Educational Rights Privacy Act (FERPA), enforced by the U.S. Department of Education, which protects the privacy of student records and gives parents of school-age kids the right to opt out of sharing contact information with third parties, including other families.

The FTC’s safety tips for parents include:
• Read the notice schools must distribute that explains the rights of students and parents under FERPA. This legislation protects the privacy of student education records and gives parents the right to inspect and review your child’s education records, consent to the disclosure of information in the records and correct errors in the records.
• Ask your child’s school about its directory information policy. Student directory information can include a child’s name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy and give them the right to opt out of the release of directory information to third parties. Absent opting out, directory information may be available not only to the people in a child’s class and school, but also to the general public.
• Take action if your child’s school experiences a data breach. If you believe there’s been a data breach and your child’s information has been compromised, contact the school to learn more. Talk with teachers, staff, or administrators about the incident and their practices. Keep a written record of your conversations. Write a letter to the appropriate administrator, and to the school board, if necessary. The U.S. Department of Education takes complaints about these incidents. Contact the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave., SW, Washington, DC 20202-5920, and keep a copy for your records.

Perhaps it’s no coincidence that as more attention is directed to the risks of identity theft amongst children, cyber defense is becoming a hot new field of study for students. National cyber defense competitions have emerged as spirited forums for budding technical talent, including the National Security Agency’s Cyber Defense Exercise – a competition that pits students from a series of military academies against each other – and against the competition’s leaders at NSA; the Air Force Association’s National High School Cyber Defense Competition, CyberPatriot, created to inspire high school students towards careers in cyber security and associated fields; and the National Collegiate Cyber Defense Competition, designed to provide practical experience for students in a fast-changing field that needs ever more talented workers.
We can only hope that this new generation of cyber experts – borne from a time when new risks have posed threats to their own personal safety – can meet the growing challenges of cyber defense.

Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.

According to Symantec, here are the top five threats to beware of:

1. Targeted attacks continue to evolve.  While targeted attacks on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.

2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called social engineering attacks are becoming more sophisticated and harder to detect.

3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks are worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.

4. Attack kits get a caffeine boost.  Hackers are profiting on security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.

5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a platform for fraud.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.

Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.

It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.

OK, perhaps it isn’t exactly Christmas, but Data Privacy Day – observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.

As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.

Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your Facebook privacy settings, resources such as videos on how to protect your personal information and privacy, as well as your children’s.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  www.dataprivacyday.org.

And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.

A recent data breach discovery serves as a reminder that even when you’re on vacation, cyber criminals never sleep.

Vacationland Vendors, a company that supplies vending machines and video games to entertainment venues, recently reported that an unknown intruder penetrated its point of sale systems, resulting in a data breach affecting approximately 40,000 customers at waterland resorts in Tennessee and Wisconsin.  Although credit card and debit information was apparently stolen between December 2008 and May 2011, Vacationland Vendors did not state how the breach was discovered or whether affected customers have been notified.  The company did issue a general recommendation to anyone who visited the affected resorts within the targeted time frame to remain vigilant for fraud activity on their bank and credit card statements and to consider adding a fraud alert with the major credit bureaus.

The Vacationland Vendors data breach highlights the continued vulnerabilities of point of sale technology to crafty cyber criminals.  Heartland Payment Systems, a leading payment processing company, discovered this several years ago when it was hit by a historically large breach that exposed the accounts of as many as 100 million cardholders.  The same kind of breach affected CardSystems Solutions when a breach exposed the accounts of 40 million debit and credit card holders, leading to the sale and ultimate closure of the company.  Indeed, the theft of credit card data is one of the most common forms of fraud and the very reason that the Payment Card Industry Data Security Standard strengthened its requirements of payment card device vendors last year.

The debate about how to best secure credit card transactions has continued this year with the burgeoning introduction of end to end encryption technologies that can better protect cardholder data throughout the entire transaction process.  An example of improved safety mechanisms in the POS process is newer chip and PIN technology, as evidenced by Visa’s recent announcement that it is accelerating chip migration and adoption of mobile payments.

Until the technology around POS systems is more bulletproof, it’s especially important for companies to implement added safety measures around its current credit card payment processes.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.

With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.

Here, according to McAfee, are 12 common holiday scams to beware of:

1. iPad scams.  Watch out for bogus offers for free iPads on social media sites and via spam.

2. “Help! I’ve been robbed” scam. Fraudsters send emails appearing to come from the account of friends which state that they’ve been robbed while traveling abroad and need money to be wired in order to get home.

3. Fake gift cards. With these scams, cybercriminals promise fake gift cards in exchange for personal information that can be used for identity theft.

4. Holiday job offers. Fake, high-paying, work at home jobs are offered in exchange for personal information.

5. “Smishing.” Scammers “phish” via text message, or smish, often posing as a bank or online retailer requesting personal information to address a problem with a target’s account.

6. Holiday rental scams. Fake, attractive rental properties at low prices are advertised on phony websites in order to lure deposits via wire transfer.

7. Recession scams.  Financial “help” is offered to targets in the form of pay-in-advance credit schemes and pre-qualified low-interest loans, all in exchange for an upfront processing free.

8. Grinch-like Greetings. Fake e-cards are loaded with links to computer viruses and other malware.

9. Low price traps. Auction sites and phony websites are used to offer too-good-to-be-true prices on holiday gifts; the scammers walk away with information and/or money.

10.  Charity scams. Solicitations for phony charities play on the spirit of holiday giving and philanthropic generosity.

11. Dodgy holiday downloads. Watch out for holiday-themed jingles, screensavers and animations distributed via downloads, spam or dubious websites – they could contain malware.

12. Hotel and airport Wi-Fi. During this season of high travel, Wi-Fi hotspots are criminal hangouts, with scammers eager to hack into unprotected networks.

This holiday season, make sure that you, your employees and your customers are on high alert for the seasonal scams that turn up with the regularity of fruitcake…and are just as unwanted.

The Ponemon Institute’s recently released “Second Annual Cost of Cyber Crime Study” confirms what many of us might suspect from the endlessly grim headlines these days; data breaches have become a more frequent and damaging hazard of business.  The study, sponsored by ArcSight, set out to quantify the financial toll from cyber attacks and assess the full impact of those costs over time, with the purpose of helping businesses better understand the level of resources needed to prevent or mitigate future attacks.

The cyber crime study arrived at several key conclusions:

• Cyber crimes can decimate bottom lines. The study showed that cyber crime costs organizations an average of $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company. This represents a 56% increase in average cost from the first cyber crime study published last year.
• Cyber attacks have become common. The companies in the study experienced 72 successful attacks per week and more than one successful attack per company per week. This represents an increase of 44% from last year’s successful attack experience.
• The most costly cyber crimes are those caused by malicious code, denial of service, stolen devices and Web-based attacks. These account for more than 90% of all cyber crime costs per organization each year.
• Cyber crime cost varies by organizational size.  Smaller-sized organizations incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).
• Cyber attacks cost more if not resolved quickly.  The average time to resolve a cyber attack is 18 days, with an average cost of $415,748 over this 18-day period.  This represents a 67% increase from last year’s estimated average cost of $247,744, which was compiled for a 14-day period.  Malicious insider attacks can take more than 45 days on average to contain.
• Information theft continues to represent the highest external costs of cyber crime, followed by the costs associated with business disruption. Information theft accounts for 40% of total external costs per year (down 2% from 2010). Costs associated with disruption to business or lost productivity account for 28% of external costs (up 6% from 2010). Recovery and detection are the most costly internal activities, accounting for 45% of the total internal activity cost, with cash outlays and labor representing the majority of these costs.
• All industries fall victim to cyber crime, but to different degrees. The average cost of cyber crime appears to vary by industry segment, where defense, utilities and energy, and financial service companies experience higher costs per year than organizations in retail, hospitality and consumer products.

One of the more hopeful takeaways from the study indicates that strong security measures do mitigate the cost of cyber attacks, creating one more reason to institute a data breach plan and back it up with robust resources for protection.