Implement risk management to head off hackers
by Resolve editor Kate Tilley
Anything “smart” can be hacked.
That’s the message cyber security expert Fergus Brooks told AILA conference delegates.
Mr Brooks, founder and director of Sydney-based Cyber Advisory Practice (CAP), said a strong focus on technology’s benefits belied the potential downside that security breaches created.
He said society adapted to smart technology quicker than it managed security for the technology.
A smart toaster that delayed starting for 10 minutes if you hit your alarm’s snooze button seemed innocuous. But how strong was its password? “Someone could hack in and start a fire,” he warned.
Smart TVs had cameras and microphones and could record conversations without your knowledge.
Wired senior writer Andy Greenberg had demonstrated that: “Watch a drone take over a nearby smart TV – smart TVs continue to look dumber by the day.”
Hackers could identify potential passwords using free apps that created a range of variables. People predictably used birthdays and partners’, pets’ and youngest children’s names – all of which was information available on Facebook and other platforms.
After the 2015 Ashley Madison data breach, which exposed people seeking to cheat on their spouses, one major multinational investment bank investigated employees who were Ashley Madison customers. It was not because of an interest in their private lives but because of their passwords. Many had used the same password for their bank login and for the Ashley Madison site.
“Weak passwords enable hackers,” Mr Brooks said.
He warned of an impending “global data crisis” because people were readily giving up personal information, sometimes unintentionally, creating pools of big data that could be hacked.
The rapid emergence of the ‘internet of things’ meant anything ‘smart’ could be hacked and businesses and consumers had to be prepared.
Fewer than 5% of companies were well prepared for cyber attacks.
While cyber insurance was available and developing maturity as a product, sums insured were often “concocted from thin air”.
“What’s the value of losing 100,000 health care records? Is it $5 million, $10 million?” Mr Brooks said.
Health records were the most valuable data on the dark web, but few organisations were running scenario testing on the ramifications of losing millions of health records.
Many organisations did not buy cyber insurance because they had not been hacked, so didn’t value the product.
A barrier to insurance growth was that many leaders did not understand what IT people were saying. “Boards and CEOs must ask for clear, concise reports on their risks.”
Insurers and brokers should explain the cover’s benefits to senior managers and IT teams. Frequently IT teams thought the money was better spent on “more tools”, like anti-virus software, than insurance.
Organisations had to move on a path to operational maturity, progressing from being reactive and responsive to having regular validation through testing; live risk management frameworks; and a board-driven cyber risk management culture.
CAP’s submission to the Federal Government’s 2020 Cyber Security Strategy identified SMEs as an area that required more regulation. “They are the wild west of the internet,” Mr Brooks said.
“People are the problem. Technology is great but people still make mistakes.”
Cyber insurance and cyber security were now C-suite issues, not just IT department responsibilities, particularly since the mandatory notifiable data breach regime (NDBR) was introduced in February 2018. Mr Brooks said there were plans to increase NDBR penalties to A$10 million or a percentage of revenue, in line with the EU’s equivalent law, the General Data Protection Regulation (GDPR).
Mr Brooks, who was Aon’s national practice leader for cyber risk for two years, said brokers needed to better understand their clients’ risks and insureds needed to better understand the cover they were buying.
Many buyers assumed cyber insurance “covers anything to do with computers, but that’s not so”.
Underwriters and brokers should conduct scenario analyses to ensure potential losses were covered.
Business interruption (BI) cover was vital. “If you can’t load ships because an industrial control system has been hacked, or failed, you’ll need BI to cover the costs,” he warned.
Incident response was critical and had to include IT forensics, lawyers, communications specialists, credit monitoring and follow-up services. An effective incident response plan could minimise reputational damage.
In an interview with Resolve, Mr Brooks contrasted the Federal Government’s 2016 census fail, which was characterised by poor planning and insufficient incident readiness, with a 2016 Red Cross incident when confidential information was inadvertently made available from an unsecured site. “The Red Cross put its incident response plan in place immediately, with the chair and the CEO assisting the crisis management team,” he said.
Reputation damage to the Red Cross was minimised because of its speedy, effective response.
Mr Brooks said effective risk management, cyber insurance, and incident response plans were key to surviving cyber attacks. “Every organisation should have an incident response plan, regardless of whether they’re insured.”
He cited six key questions for leaders:
• What types of events do you consider are cyber incidents?
• Is your organisation prepared for a cyber incident?
• Have you engaged with key stakeholders that can answer these questions?
• Have you been fully briefed on the organisation’s cyber risk exposures, controls and remediation measures?
• Does your organisation have a cyber incident response plan?
• Do you understand your leadership liabilities in relation to cyber risk?
Big companies had teams that audited third-party providers and insisted on them having cyber risk policies. Many third-party providers’ contracts limited their liability, which made scenario testing important.
During the conference session Q&A, Mr Brooks was asked about police involvement. “Hackers are always a step ahead of law enforcement.”
He warned against disclosing insurance policy limits because that information was valuable to ransomware hackers. He also said there was only a 30% chance of getting an unlock key if your system was hit by a ransomware attack, and that paying up identified you as “a soft target”.