We are constantly hearing about Cyber and Ransomware attacks in the news. The Wall Street Journal’s headline on May 12, 2021, was “Ransomware Attacks Are Up, Spawning Widespread Harm”. Recent examples include the Chinese hack on Microsoft’s Exchange Servers in March and the DarkSide hack of Colonial Pipeline earlier this week. It is important to note that, although most of what we hear about are attacks on large corporations and government entities, these same attacks are also occurring in small to mid-size businesses. These attacks are not large enough or disruptive enough to society to make the front page of The Wall Street Journal, but they can be devastating for the businesses involved.
So why are small to mid-size businesses good targets?
- More and more small businesses are operating remotely. With little control over remote infrastructure, businesses need to invest more time and money in reducing their online exposure to hackers. Most lack the back office support to do so, which creates vulnerabilities that can be exploited.
- Smaller companies can provide access to larger entities. These larger entities have data that is more valuable to hackers.
- The pandemic has caused businesses to reinvent the way they conduct business. For example, restaurants and fitness instructors had to increase their online presence through online advertising, marketing, and email campaigns. To-go ordering, online payments, online appointment booking, and virtual meetings all increased. In most cases, the rollout was quick and did not involve a full cybersecurity analysis.
A 2021 report by PunkPanda found that businesses lost at least $114 billion annually from data breaches, with approximately 25% of these breaches occurring due to negligence. With more SMBs (small and mid-size businesses) going online to connect with customers or manage remote workflows, these risks are only bound to grow. (Forbes Article 3/22/2021)
Along with the increased ransomware activity, cybercriminals continue their “profitable” business through phishing/social engineering campaigns.
This is a perfect example of “social engineering fraud”.
Business email compromises are a form of social engineering fraud whereby attackers impersonate a CEO or executive authorized to conduct wire transfers and induce employees to transfer money to a fake client account. The COVID-19 pandemic has led to an increase in cyber-related crime as fraudsters use social engineering techniques to exploit systems and procedures made more vulnerable by remote working, they say. (Business Insurance February 16, 2021)
Even Social Engineering fraud has evolved in the past few years. The next example highlights “Reverse Social Engineering”.
Company A (a seafood distributor) has secured a Cyber Privacy Liability policy from their Insurance agent. Securing the policy required an extensive review of A’s internal protocols surrounding employees’ internet usage, email and computer password updates, and checks and balances surrounding online bank account and credit card transactions. Unfortunately, with all of these protocols in place, a hacker was still able to infiltrate Company A’s system (in this real-life example, they infiltrated Company A by hacking into an old printer that was seldom used but still connected to the network). While inside Company A’s system, the hacker was able to find Company A’s accounts receivable and saw that a large sum of money was owed to them by Company B (Company B is a local food shop that does not have a Cyber Liability policy in place). Still inside Company A’s network, the hacker emailed Company B advising of a new bank account to send the outstanding balance to. Company B received the email, verified the email address, and forwarded payment to the new bank account. By the time this was discovered, the hacker was long gone, along with the stolen funds from Company B. Until recently, this coverage was not readily available under Cyber Liability Policies.
With these types of claims on the rise, it’s important to take a step back and note your internal vulnerabilities then talk about them with your Insurance professional. A good Cyber Liability program will include such coverages as:
- Network Security and Privacy Liability
- Funds Transfer Fraud
- Regulatory Coverage
- Payment Card Industry (PCI) Fines and Penalties
- Data Recovery
- Breach Costs
- Media Liability coverage
- Notification Costs
- Computer Fraud
- Data Recovery Costs
- Social/Reverse Social Engineering Fraud