Easy and Cost-Effective Cyber-Security Tactics Agents Need To Know

Limit User Administrative Privileges

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. The most common delivery method is phishing spam or attachments that come to the user in an email that is disguised as trusted files. Once downloaded and opened, the criminals take control and block network access until a ransom is paid. The vast majority of ransomware exploits are prevented by making sure users are blocked from downloading any software onto the network.

Ransomware claims are best prevented by limiting user privileges, according to Crum & Forster Vice President of eRisk Nick Economidis.

We frequently offer insurance buyers the opportunity for a lower premium in exchange for implementing simple risk controls that, we believe, will significantly reduce the occurrence of the type of claims that we see most often. One of the things that we frequently will suggest is restricting administrative privileges on PC's/computer workstations so that software can only be installed by an IT-administrator. We believe that this can significantly reduce the possibility of ransomware (or other malware) infecting the machine. If a user clicks on a rogue link or attachment, the machine will not install the malware because the user is unable to provide the administrator password (and even if they have the administrator password, we hope that the fact that the machine is asking for it will be enough of a warning).

"What Is ransomware? How These Attacks Work and How To Recover from Them," Josh Fruhlinger, CSO, December 19, 2018.

Get Phished

According to Verizon's 2018 Data Breach Investigations Report, email fraud accounts for more than 93 percent of enterprise attacks that result from phishing scams or fake emails designed to lure recipients to click an infected link or document or forward information to a fake sender. In our experience, the most effective form of training is the use of phishing simulations.

Phishing security tests provide an indication of how many employees are susceptible to email social engineering attacks. A well-designed phish-testing program trains employees how to spot a phony email and are proven successful in reducing risks of a successful ransomware attack. When combined with typical user training, the results are astounding.

Phase one is establishing an initial baseline. A phishing test template is designed based on the employer's unique environment and a landing page (often a training site) is created for users after they click. The users are provided a summary of what was missed, and the employer is provided charts indicating "phish-prone" rate. Most vendors also provide a comparison to others in the subject industry vertical. Additional tests are sent out randomly during the course of the following 12 months.

Leading training vendor KnowBe4 conducted a study ⁵ of 6,000,000 users in 11,000 organizations encompassing almost 250,000 tests. Across several industry verticals, initial baseline click rates ranged 25–35 percent for SMEs under 1,000 employees. At 90 days, rates ranged 10–17 percent, and at 12 months, rates dropped to 1.5–3.2 percent.

These programs are simple and easy to implement. Several vendors offer free phishing simulation service for companies with up to 500 employees including online registration, monthly phishing exploits, and detailed analytics to isolate opportunities for improvement. For advanced versions, pricing runs from $5 to $15 per seat per year.

Multifactor Authentication (MFA)

In our experience, multifactor authentication (MFA) is possibly the single most cost-effective strategy for SMEs to mitigate a litany of risks. An insured can install antivirus, firewalls, deploy encryption, and perform vulnerability tests but, without multifactor authentication, all of these measures are easily bypassed.

MFA strengthens access security by requiring two or more factors to verify a user's identity. These factors can include something you know (username and password) plus something you have (smartphone) to approve authentication requests. Most of us are familiar with the process of getting a code texted to your phone to log into banking and other applications. This tool is highly effective against phishing and other forms of social engineering as well as password brute-force attacks and secures logins from attackers exploiting weak or stolen credentials. Without the code, malicious actors are not able to gain access to your system. 

Versions of MFA are available free with Office 365 and the Google suite (make sure your insureds turn it on!). Expect to pay up to $6 per user per month for advanced versions.

Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

Email spoofing is the use of an email message from a forged address that hides the sender's true identity. The objective is to trick the recipient into taking an action designed to perpetrate business email compromise and email scams leading to the growing frequency of social engineering attacks that often lead to successful wire transfer fraud.

Domain-based message authentication, reporting, and conformance (DMARC) acts to provide greater assurance on the identity of the sender of an email message and gives email domain owners the ability to protect their domain from unauthorized use, often referred to as email spoofing. Once DMARC is turned on for the insured's domain, only emails that pass the authentication will be trusted and delivered. Emails that fail the check are quarantined or rejected.

DMARC is free, but you may need the Web host or email administrator to assist enabling since DMARC is not turned on by default.

Business Vendors: Get a Prenuptial

There is an increased awareness that vendors are often the weakest links in the security defenses of most organizations. In the past few months alone, we've seen several claims resulting not from actions (or inactions) of the insured but due to breaches suffered by contracted vendors. One involved a healthcare provider infected with ransomware delivered via a record transcription service with access to patient files. The claim resulted in over $100,000 of remediation expense and business interruption. Managing vendor cyber risk is not unlike contract risk management services that agents provide to clients for routine matters.

In addition to typical requirements, such as favorable hold harmless and indemnity provisions, vendor risk management contracts should include the following.

• Descriptions of the personally identifiable information and protected health information and confirmation of authorized user access.
• Minimum required security controls, including basics such as the use of firewalls, antivirus, patching, and encryption. Vendors also need to be compliant with relevant regulatory and industry requirements such as the Health Insurance Portability and Accountability Act and Payment Card Industry Data Security Standard when applicable.
• A security audit clause, so the organization has the right to audit security controls periodically.
• Incident reporting requirements, stating under what circumstances and means a security event is reported to the contacting organization.
• Insurance requirements for a stand-alone cyber policy that include first- and third-party coverage parts. The contract should require additional insured status (when possible) and provide a minimum limit of $1 million.

Knowledgeable agents can assist an insured's conduct vendor risk management (VRM). Some agents use cyber-insurance applications as guides to develop templates. More complex risks need to consider VRM products that provide vendor security scores, vendor onboarding, and ongoing monitoring of third-party networks. VRM software products are easy to install and use, with prices starting around $500 per vendor.