1-888-643-2217 Email ABEX
Keeping you updated

Monthly Archives: June 2014

Policies to Manage Cyber Risk

Security concept:: Protection key on keyboardAll companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputations and discouraging inappropriate behaviour by employees. Many companies already have these types of policies in place, but they may need to be tailored to reflect the increasing impact of cyber risk on everyday transactions, both professional and personal. As with any other business document, cyber security policies should follow good design and governance practices—not so long that they become unusable, not so vague that they become meaningless, and reviewed regularly to ensure that they stay pertinent as your business’ needs change.

Establish security roles and responsibilities. One of the most effective and least expensive means of preventing serious cyber security incidents is to establish a policy that clearly defines the separation of roles and responsibilities with regard to systems and the information they contain. Many systems are designed to provide for strong role-based access control (RBAC), but this tool is of little use without well-defined procedures and policies to govern the assignment of roles and their associated constraints. At a minimum, such policies need to clearly identify company data ownership and employee roles for security oversight and their inherent privileges, including:

  • Necessary roles, and the privileges and constraints accorded to those roles
  • The types of employees who should be allowed to assume the various roles
  • How long an employee may hold a role before access rights must be reviewed
  • If employees may hold multiple roles, the conditions defining when to adopt one role over another

Depending on the types of data regularly handled by your business, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business that handles large volumes of personal information from its customers may benefit from identifying a chief steward for customers’ privacy information. The steward could serve not only as a subject matter expert on all matters of privacy, but also as the champion for process and technical improvements to handling of personally identifiable information (PII).

Develop a privacy policy. Privacy is important for your business and your customers. Continued trust in your business practices, products and secure handling of your clients’ unique information impacts your profitability. Your privacy policy is a pledge to your customers that you will use and protect their information in ways that they expect and that adhere to your legal obligations. Your policy should start with a simple, clear statement describing the information you collect about your customers (physical addresses, email addresses, browsing history, etc.) and what you do with it. It’s important to create your privacy policy with care and post it clearly on your website. It’s also important to share your privacy policies, rules and expectations with all employees and partners who may come into contact with that information. Your employees need to be familiar with your privacy policy and what it means for their daily work routines.

Establish an employee Internet usage policy. The limits on employee Internet usage in the workplace vary widely from business to business. Your guidelines should allow employees the maximum degree of freedom they require to be productive (for example, short breaks to surf the Web or perform personal tasks online have been shown to increase productivity). At the same time, rules for behaviour are necessary to ensure that all employees are aware of boundaries, both to keep themselves safe and to keep your company successful. Some guidelines to consider:

  • Personal breaks to surf the Web should be limited to a reasonable amount of time and to certain types of activities.
  • If you use a Web filtering system, employees should have clear knowledge of how and why their Web activities will be monitored, and what types of sites are deemed unacceptable by your policy.
  • Workplace rules for behaviour should be clear, concise and easy to follow. Employees should feel comfortable performing both personal and professional tasks online without making judgment calls as to what may or may not be deemed appropriate. Businesses may want to include a splash warning upon network sign-on that advises employees about the company’s Internet usage policy so that all employees are on notice.

Establish a social media policy. Social networking applications present a number of risks that are difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. At a minimum, a social media policy should clearly include the following:

  • Specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum
  • Additional rules of behaviour for employees using personal social networking accounts to make clear what kinds of discussion topics or posts could cause risk for the company
  • Guidance on the acceptability of using a company email address to register for, or get notices from, social media sites
  • Guidance on selecting long, strong passwords for social networking accounts, since very few social media sites enforce strong authentication policies for users

All users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online when using social media. Taking the time to educate your employees on the potential pitfalls of social media use, especially sites with geo-location services, may be the most beneficial social networking security practice of all.

Identify potential reputation risks. All organizations should take the time to identify potential risks to their reputations and develop a strategy to mitigate those risks with policies or other measures as available. Specific types of reputation risks include:

  • Being impersonated online by a criminal organization (e.g., an illegitimate website spoofing your business name and copying your site design, then attempting to defraud potential customers via phishing scams or other methods)
  • Having sensitive company or customer information leaked to the public via the Web
  • Having sensitive or inappropriate employee actions made public via the Web or social media sites

All businesses should set a policy for managing these types of risks and plan to address such incidents if and when they occur. Such a policy should cover a regular process for identifying potential risks to the company’s reputation in cyber space, practical measures to prevent those risks from materializing and plans to respond and recover from incidents as soon as they occur. Precept Insurance & Risk Management has numerous sample cyber security policies available to our clients upon request. These policies are a great starting point for your policy-creation efforts and can be modified to fit the unique needs of your business.


© 2014 Zywave, Inc. All rights reserved.

Cybercrime and espionage costs $445 billion annually

Cyber FraudSource: WashingtonPost

A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income.

The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm.

“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.

The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.

“Cybercrime costs are big, and they’re growing,” said Stewart A. Baker, a former Department of Homeland Security policy official and a co-author of the report. “The more that governments understand what those costs are, the more likely they are to bring their laws and policies into line with preventing those sorts of losses.”

According to the report, the most advanced economies suffered the greatest losses. The United States, Germany and China together accounted for about $200 billion of the total in 2013. Much of that was due to theft of intellectual property by foreign governments.

Though the report does not break out a figure for that, or name countries behind such theft, the U.S. government has publicly named China as the major perpetrator of cyber economic espionage against the United States.

The Chinese government has accused the United States of being one of the biggest perpetrators of cyber-espionage, but the U.S. government has always objected that it does not steal intellectual property and hand it to its own industries to give them a competitive advantage.

CSIS estimated that the United States lost about $100 billion. Germany was second with $60 billion, and China followed with $45 billion.

In both the United States and China, the losses represent about 0.6 percent of their economies, while Germany’s loss is 1.6 percent.

Japan, the world’s fourth largest economy, reported losses of $1 billion, which researchers said was extremely low and not credible.

Valuing intellectual property is an art form, based on estimating future revenues the intellectual property will produce or the value the market places on it, the report said. Putting a price tag on it is difficult but not impossible, it said.

Intellectual-property theft lessens companies’ abilities to gain a full return on their inventions, and so they turn to other activities to make a profit, the report states. That depresses overall global rates of innovation, it said.

The report stated that countries appear to tolerate cybercrime losses as long as they stay at less than 2 percent of their national income. If losses rise above 2 percent, “we assume it would prompt much stronger calls for action as companies and societies find the burden unacceptable,” it said.

The report breaks the harm into three categories, without giving figures. The largest, it said, is intellectual property theft. The second is financial crime, or the theft of credit card and other types of data largely by criminal rings. The third is theft of confidential business information to gain an advantage in commercial negotiations or business deals.

CSIS used several methods to arrive at a range of estimates, from $375 billion to as much as $575 billion. Researchers looked for published data from governments around the world. They interviewed officials in 17 major countries. And they came up with a predictive model based on a CSIS report last year that estimated the cost of cybercrime to the U.S. economy. Their figures also included the cost of recovering from cyberattacks.

The main assumption they used was that the cost of cybercrime is a constant share of national income — at least in countries with similar levels of development.

In less developed countries, that cost is about 0.2 percent of gross domestic product, and in advanced economies it is almost 1 percent.

In 2009, McAfee issued a news release that pegged global economic losses at more than $1 trillion. The figure was cited by the White House and then-National Security Agency director Gen. Keith B. Alexander. But this year’s CSIS report concluded that it was unlikely that cybercrime cost more than $600 billion, which is the cost of the global drug trade.

The researchers said cybercrime and economic espionage require a response on par with global efforts to reduce drug trafficking. Besides better cybersecurity technologies, they said, governments need to devote resources to building defenses and to commit to observing existing international commitments to protect intellectual property.


Cyber Extortion Requires its Own Insurance Solution

Cyber CriminalCyber extortion is an increasingly popular form of cyber attack that requires its own insurance solution.

The digital world we live in and ever-increasing number of companies that rely on the Internet for their business have created a highly fertile ground for cyber crime. According to Norton’s Cybercrime 2012 report, 70% of online adults in Canada have been the victim of cybercrime at some point in their life. Cybercrime costs Canadians $1.4 billion per year and the average cost per crime victim is over $160.

What is Cyber Extortion?

Businesses are increasingly being attacked by cyber criminals, and new forms of cyber crime emerge rapidly, leaving us often one step behind. One example of cyber attacks becoming increasingly popular involves cyber threats and extortion. Cyber threats and extortion is a type of online crime involving an attack or threat of attack against a company to damage, expose, or shut down information belonging to the company unless a ransom is paid to avoid or stop the attack.

How does it work?

In these types of attacks cyber extortionists steal information from businesses and encrypt it so that it can’t be read. The latest backup of data can also be snatched and the original data deleted from the owner’s servers. Cyber extortionists thus take the company data hostage and demand ransom in exchange for the decryption key that would allow the victims to access their own information. However, the criminals won’t necessarily decrypt the files even after the ransom had been paid. Further attacks are possible, either by the same group or another. The type of malware used in these cyber attacks is called ransomware and it is easily spread through spam, phishing emails and malvertising. The ease of spreading the malware, combined with little or no repercussions for criminals, who are hard to track down or prosecute, makes cyber extortion a very lucrative undertaking. Often, cyber extortionists’ worst case scenario is not getting a payment from the victim. In many cases, amount of money asked for ransom is significantly lower than the potential financial loss for the company, so that it is easier for the company to pay the ransom and move on. These types of attacks, unless they happened at a large public company or a government entity, often don’t get reported to authorities and never reach the public. The victims often don’t want to risk their reputation or destroy consumer confidence.

How can businesses protect themselves?

To manage and minimize the potential damage from a cyber attack, companies should employ a comprehensive cyber risk management strategy that along with a cyber insurance also includes appropriate loss control techniques, an assessment of company’s networks vulnerabilities, and employee security awareness training. There are many different cyber insurance policies out there providing various coverages. Businesses should make sure that their cyber insurance policy coveres costs in case the company is unable to access its computer system, the system is infected by a virus, confidential information is compromised, or its brand and reputation is tarnished by posts on social media. In addition, the policy should cover the cost of independent computer security consultant to assess any threats, prevent immediate threats, offer reward to prevent perpetrators of the threat and reimbursement of any ransom the company is required to pay in the event above measures fail to mitigate the threat against them.



Receive notifications of new posts automatically.


Like us on Facebook

Connect with us on LinkedIn