Author: ACT News Team
Independent agencies can learn critical lessons from Yahoo's massive cyber breaches and the Mirai botnet attacks. To sell in today's market, agents must understand technology exposures, and to run a secure agency, management must understand the major trends. Ryan Spelman, of the Center for Internet Security, answers our questions.
ACT News: Yahoo made headlines again—the third time in five months—for, this time, the compromise of a billion accounts. What can we in the independent agency channel learn from this?
Ryan Spelman: The Yahoo breaches tell us a number of things. First, they represent an example of how valuable the data these companies have on us is. That is why they are targets of cyber criminals. Second, it tells us that even the big players with heavy security are vulnerable. There are attacks now at all levels of business and home.
ACT: So our clients who don't have privacy-breach insurance are really exposed.
Spelman: Well, I'm not an insurance agent, so I can't speak with expertise on the coverages, but I can say there are costs involved in discovering the extent of the damage and in rectifying things—financial accounts, credit scores, days off of work to deal with it all, copying costs, sometimes legal. For businesses, there would be notification issues to customers if their privacy was potentially affected.
ACT: Yahoo is huge. But small businesses are still targets.
Spelman: Small businesses are targets. Most attackers that go after the big guys are very sophisticated. But there are opportunistic thieves targeting unlocked doors, so to speak. Those are smaller businesses that don't have the high level of security larger companies can afford. Small businesses and individuals who don't take basic security precautions when it comes to Internet use are setting themselves up for losses or for being used to attack others. Here's what I like to say to businesses: there are two headlines that will follow a data breach at your company. One says: "Company Fails to Follow Basic Security Principles, Clients Compromised." The other reads: "Despite Best Practices, Hackers Get In." Which headline do you want?
ACT: We've all heard the solutions: password changes, hard-to-guess passwords, don't open phishing emails, train your employees on cyber security.
Spelman: Yes. People are getting breach-deaf. They hear the same warnings over and over and the same headlines of these huge breaches. They start to think it won't happen to them. For some it's a matter of money or time or expertise at their business or home. That's why they don't take enough precautions. But, as I say, they are the unlocked doors. Thieves of opportunity, when they find a locked door, go to the next house or the next car. It's easy. Just do the basics.
ACT: Let's talk about some of those basics.
Spelman: It all begins with doing the little things right—changing your router's default password and user ID, for example.
ACT: True. They tell you to do that, but it's a pain. If the installer doesn't walk you through it, you might put it on the back burner.
Spelman: Yes. But hackers scan buildings and neighborhoods for Wi-Fi connections like "Linksys" and then can run through a list of known out-of-the-box passwords to see if they can get in.
At a further level of security, but still part of the basics, if you're going to be taking banking or other financial information, you need to meet certain cyber security standards. If you can access the Internet via a computer, that computer can be hacked. Outsource that responsibility if you can't do it well yourself. It's a cost, but think of it as an essential cost to protect your business.
ACT: Outsourcing sounds expensive.
Spelman: There are some things that can be done for free. Web firewalls, email providers that stop spam and limit phishing, basic employee security awareness practices you can find for free on the Web. Updating software is crucial, and the patches are provided by the company for free. It depends on your in-house capability and priorities. If you want to save the time—to spend it on selling or developing clients—you'll need to look for outside help.
ACT: Say someone decides to outsource. How do they pick a reputable security company?
Spelman: References! Ask other business owners who they use. Turn to your local Chamber of Commerce for consultants or integrators.
ACT: Fellow ACT members, too.
ACT: Agents may be hearing about botnets, especially Mirai. Or their customers might ask. What can you tell us?
Spelman: Botnets are programs that install themselves on computers without the users' knowledge; then, they operate from your computer secretly. They can be used to flood a server or computer system, taking it down until a fee is paid to end the attack.
ACT: Botnets have been used to shut down Sony's PlayStation and other major companies' operations. What should agents know?
Spelman: With the growth of the Internet of things [often referred to as IoT], we will have way more devices than computers—cars, watches, Fitbits, thermostats, baby monitors, security cameras, etc.—all tied to the Internet. If you have never changed the factory presets on your router or on the interface component of your device, you have a gateway for hackers to install their software, botnets if they use those. If hackers tap into your company's Wi-Fi, anything that traverses that network that isn't encrypted is free to hackers. Think of how much they can learn about a company by watching it remotely through the company's own system.
ACT: So botnets, email account hacking, stealthy spying via unsecured Wi-Fi, unencrypted data transmissions. There are so many things to deal with. Where does an agency that wants to take cyber security seriously for itself and its clientele's insurance needs start?
Spelman: There are some basic rules for everyone that all risk managers should follow. CIS, my organization, has produced a document called "Critical Security Controls" that walks readers through key steps to achieve good cyber security. [More details are available in the CIS library, which is also free.] You ask, where do they start? Start with inventorying your devices because there are many you don't think of that are operating on your network. Printers, for example. Are all these devices configured for protection? You want to at least stop easy-opportunity hackers. Training employees not to open hacker emails or bad websites is also key. Employees are often the weakest link.
Remember, most software that people and businesses buy isn't set up for security. It's set up for access. You have to take the right steps to secure your networks. You do fire drills and lock up at night for safety; why not take the same kind of steps for cyber security?
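The device inventory Spelman recommends as the starting point (it is also the first of the CIS Critical Security Controls) can be made routine with a small script. The example below is added here and is not part of the interview or of any CIS material: it parses Linux-style `arp -a` output, compares every device that has been seen on the network against an approved-asset list, and reports anything unrecognized, such as the printer nobody remembered. The ARP lines, hostnames, addresses and the approved list are all constructed for the example.

```python
"""Reconcile devices seen on the network against an approved-asset list.

Added illustration of the "inventory your devices" step; the sample data
below is constructed and the asset list is a hypothetical office's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format `arp -a` prints on Linux. The last line is
# a real-world edge case: an entry whose MAC was never resolved.
SAMPLE_ARP_OUTPUT = """\
office-fw (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
agent-pc-01 (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.47) at 00:11:22:33:44:47 [ether] on eth0
copier-2f (192.168.1.60) at 00:11:22:33:44:60 [ether] on eth0
? (192.168.1.88) at 00:11:22:33:44:88 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Constructed approved-asset list, keyed by MAC address, as an agency might
# keep in a spreadsheet. Anything on the wire that is not here is "unknown".
KNOWN_ASSETS: Dict[str, str] = {
    "00:11:22:33:44:01": "office firewall/router",
    "00:11:22:33:44:20": "agent workstation 01",
}

# hostname (ip) at mac ... ; hostname is "?" when reverse DNS fails.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    mac: str  # normalized to lowercase so list lookups are case-insensitive


def parse_arp(text: str) -> List[Device]:
    """Turn `arp -a` output into Device records, skipping unresolved entries."""
    devices: List[Device] = []
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue  # e.g. "<incomplete>" lines carry no MAC to inventory
        devices.append(Device(match["host"], match["ip"], match["mac"].lower()))
    return devices


def find_unknown(devices: List[Device], known: Dict[str, str]) -> List[Device]:
    """Return the devices whose MAC is not on the approved list, in seen order."""
    approved = {mac.lower() for mac in known}
    return [d for d in devices if d.mac not in approved]


def inventory_report(text: str, known: Dict[str, str]) -> List[str]:
    """Summarize the reconciliation as report lines, one per unknown device."""
    devices = parse_arp(text)
    unknown = find_unknown(devices, known)
    lines = [
        f"{len(devices)} devices seen, {len(known)} on the approved list, "
        f"{len(unknown)} unknown"
    ]
    for d in unknown:
        label = d.hostname if d.hostname != "?" else "(no name)"
        lines.append(f"UNKNOWN {d.ip} {d.mac} {label}")
    return lines


if __name__ == "__main__":
    # On a real host, replace SAMPLE_ARP_OUTPUT with the output of `arp -a`.
    print("\n".join(inventory_report(SAMPLE_ARP_OUTPUT, KNOWN_ASSETS)))
```

Run against the sample, the report flags three devices the approved list does not account for, including the copier. In practice the point is not the script but the habit: each unknown line is a device to either add to the list (and check for default credentials and pending updates) or remove from the network.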