1-888-643-2217 Email ABEX
Keeping you updated

Monthly Archives: December 2016

Criminals Hijacked 100,000 Devices in Dyn Cyber Attack

Recently, Dynamic Network Services Inc. (Dyn)—a cloud-based internet performance management (IPM) company in the United States—had its server infrastructure compromised following distributed denial-of-service (DDos) attacks. Dyn said that more than 100,000 devices may have been involved in the massive cyber attack that overwhelmed its servers and produced a ripple effect, temporarily shutting down access to sites like Twitter and Netflix for the east coast of Canada and much of the northeastern United States.

How the Attack Worked

A DDoS is a type of cyber attack that hijacks multiple devices—usually through installing and spreading malware—to “flood” a specific group of servers with a multitude of requests for information all at the same time. The tactic effectively “clogs” the servers so that they’re unable to handle normal web traffic and can ultimately force them to shut down temporarily.

In the past, attacks like these would typically utilize personal computers to carry out the attack. In this case, however, it appears that the attack co-opted a number of “smart” devices—things like digital video recorders (DVRs), printers and even cellphones. Government officials currently believe that a non-state actor is behind the attack, but as the investigation is still ongoing, they have yet to definitively rule anything out.

Key Takeaways

Regardless of the source, the attack highlights a pair of troubling trends. First, this DDoS attack was one of a growing number of more sophisticated attacks. And, while Dyn—a company with robust cyber security measures—was able to restore its regular operations fairly quickly, it only did so after defeating two separate waves of the attack.

Second, and perhaps more importantly, this attack shows the potential vulnerability posed by the increasing number of interconnected, internet-enabled devices commonly called the Internet of Things (IoT). The inter-connectivity of devices on the IoT is the source of a number of benefits; however, that very same inter-connectivity offers cyber criminals an often overlooked—and potentially less secure—avenue of attack.

© Zywave, Inc. All rights reserved.


Items Every Business Should Include in a Substance Abuse Policy

With Canada on the cusp of legalizing marijuana in 2017, there’s no better time to revisit or establish a substance abuse policy in your workplace. Substance abuse policies not only ensure that your employees are following the law, but they can also keep employees safe on the job, as certain substances—illegal or otherwise—can affect job performance, lead to absenteeism or create unwanted workplace tension.

When creating a company-wide substance abuse policy, you will want to consider including the following:

  • A statement that details the purpose and objectives of the policy
  • A definition of “substance” and “substance abuse”
  • Details around who the policy applies to
  • Information around employee confidentiality in the event of a substance abuse issue
  • A detailed look into education and other resources available to employees if they need to seek help. It’s also a good idea to outline your commitment to a drug-free space and teach employees how to spot substance abuse in the workplace.
  • Details around how to deal with impaired co-workers
  • Details around your drug testing policies
  • Details around disciplinary actions

It’s important to remember that employees who are addicted use substances without thinking of the consequences, such as problems with health, money, relationships and performance at work. However, creating a substance abuse policy can help workers identify those in need and provide much needed assistance to those battling the issue.

© Zywave, Inc. All rights reserved.


10 Holiday Safety Tips for Businesses

OrnamentsThe holiday season is here, which means more and more businesses will be decorating their offices and hosting holiday parties. Before your business gets into the festive mood, it’s important for you to take extra precautions during the busy holiday season and offer employees an end-of-the-year refresher course on safety.

To accomplish this, keep in mind the following holiday safety tips:

  1. Ensure that any seasonal hires are familiar with safety procedures, their surroundings and responsibilities.
  2. Offer refresher courses on ladder safety and proper lifting techniques to ensure that, when it comes time to decorate, employees remain safe and healthy.
  3. Avoid using real candles in your decorations, opting for safer, battery-powered candles instead. In addition, try to use less flammable decorations, including items made of paper or cardboard.
  4. Keep all decorations away from heat or other ignition sources.
  5. Practise safe use of extension cords, taking care not to overload power strips or overextend plugs. Not only can extension cords create a tripping hazard, they can also cause fires if used improperly.
  6. Manage your inventory, ensuring that you are not overloading shelves. In some cases, heavy items can fall off of overstocked shelves and potentially harm employees or customers.
  7. Practise good housekeeping, ensuring that heavily-trafficked areas are free of tripping hazards.
  8. Ensure that your business is equipped with working fire and carbon monoxide detectors.
  9. Take care of live trees, keeping them far away from sources of heat. In addition, double-check that the tree isn’t leaning and is supported by a sturdy base.
  10. Follow manufacturer instructions for all holiday decorations and lights.

Keeping in mind these above tips will help your employees stay safe and healthy this holiday season.

©  Zywave, Inc. All rights reserved.


Social Engineering Fraud Coverage

Background concept wordcloud illustration of social engineering

Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the hacker. Once the criminals obtain what they want, they disappear with the information or money—things that the company won’t miss until it’s too late.

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover them:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the unlawful theft of money due to a “computer violation”—that is, the unauthorized entry into or deletion of data from a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. Again, it depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow.

©  Zywave, Inc. All rights reserved.


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn