There are 3.5 new cyber security threats created every second according to researchers at Trend Micro. Protecting your business and customer data can seem daunting in this ever-changing landscape of cyber security. By educating yourself on some of the most common cyber threats, you can begin to take action to protect your company and customers. Here are the four cyber-attacks you need to know about in order to protect your small business.
Reports released last week by U.S. security officials and private cybersecurity researchers suggest hacking of energy facility computers is on the rise, and happens far more often than the public assumes.
The Department of Homeland Security said it received reports of 59 cyber incidents at energy facilities last year, up nearly a third from the year before.
The agency responsible for protecting the nation from cybercrime said it worked to mitigate 290 incidents last year across more than a dozen industries that rely on computer controls to run industrial sites, including manufacturing sites, power generation facilities, refineries, chemical plants and nuclear facilities.
It found more than a quarter of these intrusions originated from so-called spear phishing emails that hackers use to trick people into downloading infected attachments or clicking on virus-laden links. More than one in 10 came from network probing and scanning.
"Every year, adversaries develop increasingly sophisticated attacks against control system networks," Homeland Security's Industrial Control Systems Cyber Emergency Response Team said.
The increased number of intrusions into energy computer controls last year brings the number of such incidents in the industry to more than 400 since 2011, Homeland Security data show. Security specialists say that's likely a conservative number because energy companies aren't required to report cyberattacks to the U.S. government.
In another report, cybersecurity researchers believe computer controls at industrial facilities, including in the oil business, get infected by non-targeted malware at least 3,000 times a year.
Dragos Security, a cybersecurity firm in San Antonio, arrived at what it believes is a conservative estimate of worldwide industrial cyberattacks after studying 30,000 samples of infected control system files submitted over the past decade and a half to a publicly available database called VirusTotal, a web service owned by Google.
The findings show malware that isn't even tailored to industrial controls finds its way into critical technology far more often than the public assumes. Some of the malware can spread through these systems with ease, and some were designed many years ago.
"If you have really bad cyber hygiene and you're not paying attention to basic things, you're more likely to get impacted by a virus that was written nine years ago," said Ben Miller of Dragos.
For example, Miller found thousands of industrial files compromised by Sinowal, a Trojan horse first discovered in 2006. Even more common, though, were strains of malware that spread from computer to computer, created at least five years ago.
It's not clear how many of these industrial facilities were tied to the energy industry, because the VirusTotal data only provided the country of origin of the independently uploaded files. But it's yet another grim revelation for oil companies that rely on automated computer controls to run refineries, pipelines and offshore platforms.
Miller said these breaches could begin during the equipment upgrades that happen when power plants, refineries and other energy facilities are taken offline for repairs.
Crews of engineers, equipment contractors and information technology specialists flowing in and out of the facilities could, for example, fail to follow security protocols and accidentally plug in infected USB drives into facility systems. And they might only discover they've infected operational computers after they use the same thumb drives in corporate computers outfitted with antivirus alert systems, Miller said.
The Hiscox Report on Cyber readiness surveyed executives and IT specialists at the end of 2016. It is the most comprehensive report on Cyber readiness I’ve seen thus far. It delves into types of businesses most affected, the businesses most prepared for an attack, and which businesses seem to be taking the risk less seriously.
Many questions are asked, including:
· How often do these attacks actually happen?
· What is the average financial loss?
· How long does it take to get back to business as usual?
72% of larger businesses reported a cyber incident last year, while 47% of those experienced 2 or more in the same year. For firms with 99 or fewer employees, the average estimated cost of an organization’s largest cyber incidents in the last 12 months was just over $35,000. For the largest firms, that figure is just over $100,000. The study shows that larger firms may suffer the bigger financial losses, but smaller companies suffer the most damage due to complacency. Although the information and resources are available to them, 29% of small businesses surveyed make no changes following an attack.
The study finds that the 2 industries most targeted are:
1. Transportation & Distribution (65%)
2. Technology, media, & telecommunications (59%)
Of course this should not put other business types at such ease that they don’t take the necessary precautions. Attacks happen everyday. Will your business suffer a loss before you put a policy in place? More than a third (37%) of businesses surveyed took two or more days to realize they had been breached. This is an eternity for a hacker to gather crucial information from your business, clientele, and associates. Once the damage is done, the cost to get back to business as usual isn’t only measured in dollar signs, but in time.
After an attack, some businesses can take another two days to recover back to business as usual. And that doesn’t include the time for ongoing investigation and notification of those affected. Being unprepared for an attack can make the loss even more costly due to:
· Business disruption
· Fines & compensation
· Compromised identity of clientele
· Asset recovery
· Brand damage (negative publicity, bad reputation)
Leaving businesses open to attack can leave your business open to a lost reputation and forever-damaged client relationships.
The most common ways that attacks occur are:
1. External attack targeting the organization
2. External attack targeting business partners or suppliers
3. Internal incident or threat
4. Lost or stolen devices
Businesses most likely to be informed about the cyber risks are multi-national companies, technology companies, and those that specialize in financial services. Companies with less than 100 employees are least likely to be proactive. And even companies with IT departments tend to ignore the warnings of their IT personnel.
Companies with less successful breaches of their cyber security are consistent on a couple points:
1. Involving higher management
2. Training employees
Involve broad and executive management in setting a cyber security strategy. The study shows that 45% of the time, businesses entrust their cyber security to their IT department, and aren’t kept in the loop regarding security upgrades, needs, or potential threats. On the importance of employee training, the Hiscox report states “The human element in cyber breaches is enormous, and a modest investment in employee training can have a big impact on cyber readiness.” Employee training and system tracking and documentation are as important as taking out a Cyber insurance policy.
Cyber Liability insurance is one of the fastest growing areas of insurance worldwide. Businesses are taking out policies more often due to contractual requirements, the clear cost of damage, and increasing high profile data breaches worldwide. Many businesses believe, yet may not have verified, that they are somehow already covered by their current General Liability insurance policy. Those who haven’t been assured of coverage should contact their insurance agent ASAP. Network One Insurance is very well versed in this coverage and we would be happy to speak to your business about your Cyber Liability insurance needs. Although some insurers do offer a small amount of coverage included in their policy, many only have it as an optional coverage, and others would require businesses to acquire a standalone Cyber Liability policy.
*Three countries were included in this survey, but only figures pertaining to the U.S. were used in this article. The survey was conducted between November 16, 2016- December 5, 2016. You can see Hiscox’s Cyber Readiness Report in full here.
Zeke Corley has been a licensed insurance broker since 2003. You can email him at firstname.lastname@example.org or call him at the San Diego office at (858) 569-8100. Visit our agency at http://www.yourinsuranceplace.com/