
Effective passwords: the anchor of cybersecurity

It seems that reports of a new cyber attack emerge almost every day, and the numbers are staggering. Just recently, for example, telecommunications giant T-Mobile disclosed that an attacker stole personal information on 37 million current customers in a breach that began in November. Small businesses are equally at risk, so owners of businesses of all sizes should consider ways to reinforce the “moats” around their sensitive data. A good starting point is to revisit current passwords.

Passwords are the first line of defense in a cybersecurity plan, but they have to meet certain conditions to keep unauthorized individuals out of sensitive accounts. To begin with, any good managed IT services provider knows that a password must be unpredictable, which rules out easy-to-guess sequences like ABC or 123; attackers try those first.

That condition also means a password should never be built from the owner’s personal information. Birthdays, family names and addresses are easy to remember, but attackers can guess them just as easily after scouring social media and other public sources. Some business owners rely on a four-digit Personal Identification Number (PIN) instead, but a PIN is often assembled from the month, day or year of a birthday, an address or a phone number, all of which can be bought on the dark web or collected elsewhere.

What about a random word? With more than 100,000 entries in the average dictionary, it is tempting. But attackers get around that with cracking software that mounts “dictionary attacks”: instead of trying every possible character combination, it works through a wordlist of millions of common words, phrases and previously leaked passwords. The same tools apply “mangling rules” that swap letters for digits, change case and append numbers or symbols, so intentionally misspelling a word (nite instead of night) or writing n1ght buys nothing: common misspellings are already in the lists, and the substitutions are already in the rules.

Cybersecurity professionals find that a more effective approach builds the password from a series of words linked by a memory technique, or mnemonic. For example, instead of the password baseball, a user can take the first letters of “[I] [l]ike [T]o [p]lay [H]ard[B]all” to get IlTpHB. Interspersing symbols and numbers with lowercase and capital letters adds another layer: modifying the above to Il!2pHb yields a password that appears in no dictionary. One caveat: a string of six or seven characters is still small enough to be exhausted by brute force if an attacker obtains the hashed password database, so the mnemonic should be used to make a long password memorable, not to justify a short one.

Cybersecurity professionals also find that using the longest password or passphrase the system permits (generally 8 to 64 characters) is another good move. A password like Pattern2baseball#4mYmiemale! will not be cracked easily: it runs 28 characters and mixes upper- and lowercase letters, numbers and symbols, so neither a wordlist nor a brute-force search over every combination is practical.

Once a strong password is developed, a business owner may be tempted to reuse it across a variety of sensitive accounts, since that leaves fewer codes to memorize. But reuse puts the company’s records at risk: if an attacker cracks or steals that single password, or it leaks in a breach of one site, every account that shares it falls at once. The solution is to use a unique password for each sensitive email account or service. Admittedly, remembering each one is not easy. The fear of getting locked out (FOGLO) after too many failed sign-in attempts is a valid concern. A password manager solves both problems.

A password manager is a software application (popular business options include IT Glue and N-able Passportal) that manages online credentials and generates passwords, storing them in an encrypted database. The database itself is locked behind a single master password, so an authorized user only needs to remember one (strong) password. Once the master password is entered, the digital vault unlocks and the user can retrieve the specific password needed.

Additionally, each time a new account is created, the password manager offers to generate a password for it: long, random, drawn from letters, numbers and symbols, and highly resistant to guessing. A secure, unique password for every account goes a long way toward thwarting cyber criminals, but digital defenses can be reinforced further with another important tool: multifactor authentication, or MFA.
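To make the points about dictionary attacks, short mnemonics and manager-generated passwords concrete, here is an added example (not from the article or from any vendor named in it) that plays both sides: a small wordlist-plus-mangling-rules cracker of the kind attackers run offline against a stolen hash database, and the random-password generator a manager would use. The wordlist, the “stolen” passwords and the assumed guessing rate are constructed for illustration; the passwords Il!2pHb and Pattern2baseball#4mYmiemale! are the article’s own.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary. Real wordlists hold
# millions of words, leaked passwords and common misspellings ("nite").
WORDLIST = ["night", "nite", "baseball", "password", "summer", "dragon"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def candidates(word):
    """Yield the word plus the variants typical mangling rules produce:
    case changes, leet-speak substitutions, appended digits, years and '!'."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.translate(LEET).capitalize()}
    for base in bases:
        yield base
        yield base + "!"
        for n in range(1000):           # baseball0 ... baseball999
            yield f"{base}{n}"
            yield f"{base}{n}!"
        for year in range(1950, 2024):  # summer1987
            yield f"{base}{year}"


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Dictionary attack: hash every candidate and look it up in the set of
    stolen hashes. Returns {hash: recovered_password}."""
    targets = set(target_hashes)
    found = {}
    for word in wordlist:
        for guess in candidates(word):
            h = sha256_hex(guess)
            if h in targets:
                found[h] = guess
                if len(found) == len(targets):
                    return found
    return found


def brute_force_bits(length, alphabet_size=94):
    """Upper bound on the work to exhaust every string of this length over an
    alphabet of this size (94 = printable ASCII minus space), in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, guesses_per_second=1e10, alphabet_size=94):
    """Worst-case time to try every string of this length at the given rate.
    1e10/s is a constructed figure standing in for a GPU rig against SHA-256."""
    return alphabet_size ** length / guesses_per_second


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """What a password manager does: pick each character with a
    cryptographically secure RNG and make sure every class is present."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    # Constructed "stolen" database: hashes of a few passwords.
    samples = ["nite", "Baseball123", "P4ssw0rd!", "Il!2pHb",
               "Pattern2baseball#4mYmiemale!"]
    stolen = {sha256_hex(p): p for p in samples}
    recovered = crack(stolen)
    for h, original in stolen.items():
        print(f"{original:32} -> {recovered.get(h, 'not in wordlist+rules')}")
    for pw in ("Il!2pHb", "Pattern2baseball#4mYmiemale!"):
        print(f"{pw:32} {brute_force_bits(len(pw)):6.1f} bits,"
              f" {seconds_to_exhaust(len(pw)):.3g} s to exhaust")
    print("manager-generated:", generate_password())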
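```

The wordlist run recovers nite, Baseball123 and P4ssw0rd! in well under a second while never producing the two mnemonic passwords, but the keyspace arithmetic shows the difference between them: seven characters is a few hours of brute force at the assumed rate, 28 characters is not reachable at all. The bit figures are upper bounds that assume every character was chosen at random; a passphrase containing dictionary words has less real entropy, which is why length matters.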

Each time someone tries to access an account, MFA adds a layer of protection by requiring a second proof of identity, such as a fingerprint scan or a one-time code shown on or sent to a mobile phone or another device. A stolen password alone is then not enough to log in. The concept is like wearing both a lap belt and a shoulder belt: either one is good, but using both is better.

Digital devices have become embedded in business and personal life and offer plenty of efficiencies, but those advances have also given bad actors more opportunities. Fortunately, strategies like strong passwords, password managers and MFA reinforce the digital barricades and help keep hackers and others out.

 

Carl Mazzanti is president of eMazzanti Technologies in Hoboken, NJ, providing IT consulting services for businesses ranging from home offices to multi-national corporations.  

 

Cybersecurity starts at the workplace

According to the recently released 11th annual Allianz Risk Barometer, insureds and brokers participating in the survey ranked cyber risk as the top business risk in 2022.   

While cyber risk had appeared on previous surveys, this is only the second time it has topped the Risk Barometer. The key driver, according to the survey, is a surge in ransomware attacks, with 57% of respondents naming it as the leading cyber threat for the year ahead.

Companies’ growing reliance on digitalization and effects from the Work from Home movement have also raised concerns regarding cyberthreats.  

In addition, recent attacks have revealed troubling trends including double extortion tactics pairing the encryption of systems with data breaches, the exploitation of companies’ software vulnerabilities and the targeting of critical infrastructure.  

In acknowledging growing cyber risks, US companies are dedicating massive resources to keep their companies safe. Research and advisory company Gartner has forecasted spending on information security and risk management products and services will grow 11.3% to total more than $188 billion by year’s end.   

To a certain degree, fear is driving this financial commitment. No management team wants to face the unhappy prospect of reporting a data breach to shareholders, strategic partners and customers.   

Of course, the damage caused by a cyberattack can extend far beyond a tarnished reputation. According to the U.S. Department of Defense Science Board’s “Resilient Military Systems” report, as interpreted by Flashpoint, regarding a catastrophic Tier 6 cyber attack: “Kinetic and cyber attacks conducted by threat actor(s) have the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods.”  

While much of the nearly $200 billion in cyber security spending will be devoted to effective defenses against cybercriminals, companies are advised to also invest in critical low- to no-cost common sense actions to anticipate cyber intrusions from bad actors.   

Although external actors are responsible for much cyber harm, company insiders are responsible for 60% of cyberattacks according to a report published by IBM.  Let’s consider the question: who is a company insider? The answer extends far beyond company employees to include anyone who possesses credentials enabling physical or remote access to a company’s digital assets.    

The beginning of a solution lies in your screening process. Grant credentials for sensitive digital assets only to individuals who have earned your confidence, and only to those who absolutely need them (the principle of least privilege). If an employee or contractor is fired or chooses to leave your firm, revoke access to digital assets immediately.

Portable drives, as a rule, should be treated with the same level of distrust accorded a rattlesnake. An employee or contractor who copies digital assets onto a portable drive and later slips it into his or her pocket can do as much damage as a hacker who infiltrates your IT system from a remote location.  Even an otherwise well-intentioned employee or contractor could unknowingly introduce a virus into your IT system by inserting an infected portable drive into a port.  

Ransomware operators usually need a foothold that an employee or contractor unwittingly provides, such as opening a malicious attachment or typing credentials into a phishing page. Frustrate these efforts to hold your company’s digital assets hostage by following these rules of thumb:

  • Train contractors and personnel to recognize bogus e-mails and advertisements. 
  • Stay current on all IT protection systems, including anti-virus software. 
  • Instruct all individuals logged into your IT system not to open e-mails or attachments from unknown senders or click links in them.

Employees and contractors should exercise caution before accessing your company IT system via a public hotspot. Open hotspots do not encrypt traffic at the Wi-Fi layer, and even a password-protected hotspot shares its key with every patron, so an attacker working at the next table or across the lobby can intercept traffic and capture any credentials that are not protected by HTTPS or a VPN. Following are a few rules of thumb to manage this risk:

  • Don’t join “Free Wi-Fi” networks. Refuse this particular act of charity and create your own personal hotspot with your wireless device. 
  • Before logging in, check that the site uses HTTPS (the address begins with https:// and the browser shows a padlock).
  • Use a VPN before logging into a company network. 
  • Do not access personal financial accounts via a Wi-Fi hotspot. In fact, anytime a user name and password are required to gain access to a website, put the time to better use by stretching your legs and walking to the counter to order a cup of coffee and nice piece of cake.

Finally, hopeful optimism is not a positive personal attribute when it comes to cyber attacks. Since there is every chance your company will someday be targeted by a cybercriminal, all individuals with access to your company IT system should be instructed regarding proper cyber hygiene. 

 

Bob Dietzel is the co-founder and principal of KMRD Partners, Inc., a risk and human capital management consulting and insurance brokerage firm located in the Philadelphia region serving clients worldwide. KMRD works to protect clients’ assets by reducing their cost of risk. Bob can be reached at [email protected]. 

 

Cyber attacks on public services are a threat, and manpower is needed to keep intruders out, officials say

How safe are public utilities? 

From obvious risks like burst pipes or a power grid failure caused by severe winter weather in Texas to the hacking of the water system in Oldsmar, Fla., reliable and secure public utility services require constant vigilance.

More sophisticated technology drives the need for trained professionals at the controls. Infrastructure investment, current technology and trained people together form a three-legged approach to service safety and, ultimately, success.


“It’s an investment in infrastructure, in technology and in people,” said J.T. Hand, president and CEO at The York Water Company, a private water and wastewater utility.

Area professionals said the best response to avoid utility disruptions is concerted and holistic, whether a breach is prompted by Mother Nature or by malicious hackers.

In Florida, remote access by employees, meant to keep the Oldsmar system running smoothly, left the water supply vulnerable to hackers on February 5, a Scientific American website report said.

It was a trained operator, who saw and responded to the hacker’s remote attempt to poison the water supply for about 15,000 customers, who saved the system from potentially catastrophic consequences.

Remote access to such systems is where the potential for cyber crime can occur. 

“The larger number of people now working remotely has expanded the number of possible avenues for cyber attacks and further emphasized the need for constant vigilance by everyone,” said Pennsylvania Public Utility Commission Chair Gladys Brown Dutrieuille.

She said regular conversations and information sharing about cyber security and cyber threats to utilities include reviews of incidents and events on the national and global stages. 

The PUC had issued a cyber security advisory to regulated water utilities in Pennsylvania because of preliminary information about the event in Florida, including recommendations about “strong cyber hygiene.” The advisory also recommended a cyber security and physical risk assessment of critical infrastructure at utility plants.

“Every PA PUC regulated utility is required to have a cyber security plan for their operations because a cyber threat that appears in one sector may be part of a broader effort to penetrate another type of utility or business,” Dutrieuille said. 

The state Department of Environmental Protection’s Bureau of Safe Drinking Water monitors water purity in the commonwealth. Those municipal operators and authorities outside the PUC’s jurisdiction also have cyber security counter measures in place. 

“They have not reported any significant issues,” Dutrieuille said. 

Providing and sharing information about developing cyber threats and connecting utility companies with resources is another role the PUC serves. Hand said the convenience and efficiency of digital technology, including remote access by plant operators into systems for regular monitoring, is part of its Achilles’ heel.

“These cyber actors are sophisticated and good at what they do. They find and then exploit those vulnerabilities,” he said.

A proactive approach 

Being proactive, thinking ahead and closing vulnerabilities, as well as continued facility investment, is the best approach. Being prepared means ensuring there is no single point of failure, and no gap, for a cyber criminal to exploit.

High-tech Supervisory Control and Data Acquisition (SCADA) systems are where that defense has to be concentrated, because they are what an intruder reaches for. SCADA systems allow operators to interact with a plant’s hardware and software, including sensors, valves, pumps and motors.

The system allows control of water flow, temperature, the probability of rain precipitation [and] chemicals. “There are thousands of nodes you can incorporate into it to optimize water quality, quantity and availability,” Hand said.
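The Oldsmar account above has detection resting on one operator happening to watch the screen. An added example (not from the article, York Water or any utility) of the kind of independent check that removes that single point of failure: a monitor over the SCADA system’s setpoint-change audit log that alarms when a chemical dosing setpoint leaves its safe band, jumps by an implausible ratio in a single write, or is written over a remote-access session. The tag names, safe bands and log lines are constructed; a real plant would take the bands from its own process hazard analysis and the log from its historian or HMI audit trail.

```python
import re
from dataclasses import dataclass

# Constructed safe operating bands per tag (units in the tag name).
SAFE_BANDS = {
    "NaOH_dose_ppm": (50.0, 150.0),
    "Cl2_residual_mgL": (0.5, 4.0),
}
MAX_STEP_RATIO = 2.0   # a single write that moves a setpoint >2x is suspect

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>local|remote) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[0-9.]+) new=(?P<new>[0-9.]+)$"
)


@dataclass
class SetpointChange:
    ts: str
    session: str
    user: str
    tag: str
    old: float
    new: float


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None   # unparseable lines are reported separately in scan()
    return SetpointChange(m["ts"], m["session"], m["user"], m["tag"],
                          float(m["old"]), float(m["new"]))


def reasons_for(ev):
    """Return the list of reasons this change should raise an alarm."""
    reasons = []
    band = SAFE_BANDS.get(ev.tag)
    if band is not None:
        lo, hi = band
        if not lo <= ev.new <= hi:
            reasons.append(f"{ev.tag}={ev.new} outside safe band {lo}-{hi}")
    else:
        reasons.append(f"no safe band defined for {ev.tag}")
    if ev.old > 0 and ev.new > 0:
        ratio = max(ev.new / ev.old, ev.old / ev.new)
        if ratio > MAX_STEP_RATIO:
            reasons.append(f"setpoint moved {ratio:.1f}x in one write")
    if ev.session == "remote":
        reasons.append("written over a remote-access session")
    return reasons


def scan(lines):
    """Run every audit line through the checks. Returns a list of
    (line_number, reasons); an unparseable line gets its own reason so a
    logging gap cannot silently hide a change."""
    alarms = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            alarms.append((n, ["unparseable audit record"]))
        elif reasons := reasons_for(ev):
            alarms.append((n, reasons))
    return alarms


# Constructed audit log: a routine local adjustment, a remote write that
# drives caustic dosing far outside its band, and a small remote tweak.
SAMPLE_LOG = """\
2021-02-05T08:10:02Z session=local user=op1 tag=NaOH_dose_ppm old=100 new=110
2021-02-05T13:02:11Z session=remote user=op1 tag=NaOH_dose_ppm old=110 new=2400
2021-02-05T13:05:40Z session=remote user=op1 tag=Cl2_residual_mgL old=1.8 new=2.0
""".splitlines()

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: ALARM")
        for r in reasons:
            print("   -", r)
```

The monitor deliberately alarms on every remote write, even a small in-band one: Hand’s point is that remote access is the Achilles’ heel, so a remote session changing process setpoints at all is something a human should confirm. The same checks could be wired to the manual shutoffs Emmaus describes, but the first step is simply that a second party, not only the operator at the screen, learns about the change.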

As the oldest investor-owned utility in the United States, York Water has provided service to customers for more than 200 years with only one 12-hour disruption in service during its history. 

A historical marker at the York Water Co. PHOTO/FILE

It was during Hurricane Agnes in 1972. Equipment was moved out of the flood plain and power and water service was restored, Hand said. 

By investing in employee training as well as other resources, like infrastructure and technology, companies can make sure security breaches don’t become utility disasters, he said. “It doesn’t matter how good your IT tech or infrastructure is if you don’t have the right people to take care of it. In Florida that operator was the last, best line of defense.”

In Emmaus, five nationally certified water plant operators make sure the taps are running for the borough’s roughly 11,200 residents and its business community. 

Emmaus Borough Manager Shane Pepe said the municipally operated public water system uses a combination of technology and manual shutoffs to maximize security for the plant and protect the borough’s five wellheads. The manual shutoff valves protect the wells and the water supply from outside “bad actor” interference.

Labor shortage 

The Florida breach happened because the remote-access tools meant to keep the plant running, along with a pandemic-produced mass exodus to working remotely, created an entry point that allowed hackers to reach the system.

According to the PUC, an estimated 500,000 U.S. cyber security jobs are unfilled, a 350% increase in open positions since 2013. Getting people into those positions is a constant challenge, Dutrieuille said. Like manufacturing and the skilled trades, public utilities face a workforce shortage, expected to get worse as baby boom workers near retirement age.

While the most visible utility work might be construction and storm repair, there is high-tech work at utilities that happens out of sight. Competition for the same young talent from high-profile companies such as Apple or Google is fierce, she said.

“Recent cyber security breaches serve as a reminder for us to maintain our sharp focus on the cyber safety of our employees and customers,” said Mark A. Miller, director of communications for PPL Electric Utilities in Allentown.

A coordinated defense to protect the bulk electric system, as well as customers’ data and privacy, from cyber attacks is layered, constantly updated and “tested and strengthened,” he said.

The following steps are part of the PUC’s recommendations for maintaining cyber security: 

  • Update all computers’ operating systems.
  • Use strong passwords and multiple-factor authentication. 
  • Ensure that anti-virus, spam filters and firewalls are updated, properly configured and secure. 
  • Train users to identify and report attempts at social engineering. Social engineering includes phishing schemes or hacking scams aiming at getting people to reveal their passwords, bank accounts or other personal information with the intention of gaining control over a computer or breaking into a secure system.  
  • Identify and suspend access of users exhibiting unusual activity. 
  • Conduct physical and cyber security risk assessments on their critical infrastructure. 

Larger utilities may be more attractive targets for cyber crime, but they also have larger cyber expert teams and tighter safeguards to fend off attacks, Dutrieuille said. Mid-sized and smaller systems may not offer big “paydays” for cyber criminals, but smaller utilities can be more vulnerable if fewer cyber security resources are available to them.

“Everyone, regardless of their specific job, plays a role in keeping data and infrastructure secure,” Miller said. 

Miller chosen to lead Saxton & Stump’s cybersecurity practice

Jeffrey B. Miller. PHOTO/SUBMITTED

A compliance and cybersecurity consultant and attorney has joined Saxton & Stump LLC as senior counsel and will take charge of its cybersecurity practice.

Jeffrey B. Miller has joined the firm’s Lancaster office after serving clients in his well-established global consulting practice. The practice will now operate through Saxton & Stump’s subsidiary company, Granite Governance, Risk and Compliance Consulting LLC.

Miller will also lead Saxton & Stump’s newly formed Information Privacy and Cybersecurity practice within the firm’s Corporate Healthcare and Life Sciences Group.

“Jeff is a nationally recognized compliance and regulatory consultant and is also an attorney with significant legal experience in this area,” said James W. Saxton, the law firm’s CEO. “Information privacy and cybersecurity continues to be a critical issue across all industries. Jeff will be an important asset to our clients’ businesses.”

Miller has been serving clients for nearly 25 years in transactional, commercial, regulatory and compliance matters. He also provides consulting services involving corruption, fraud and abuse and information privacy and security.

In his legal practice, Miller represents and advises organizations across healthcare and the life sciences industries on information privacy and security matters, corporate ethics and compliance. He is also a member of the firm’s Mergers and Acquisitions group.

“For small- to mid-sized business, one data breach could create substantial liability, and significant damage to their reputations,” Miller said. “My passion is working with clients to evaluate their compliance and data security programs to help protect them from risk or guide them in their recovery from a breach.”

Prior to joining Saxton & Stump, Miller held professional and executive-level positions at healthcare and life sciences companies, including Mercy Health System of Southeastern Pennsylvania, DermOne LLC and Synthes Inc., an international medical device company that was acquired by Johnson & Johnson in 2012 and later joined with DePuy to form The DePuy Synthes Companies.

The Manheim Township-based law firm has made several strategic moves this year, including adding three attorneys and forming a new practice area in bankruptcy and creditors rights. In 2019, Saxton & Stump added 15 attorneys in addition to 15 business professionals and six major practice areas. The firm also grew its geographic footprint, including expanding its Lancaster office by about 30% and tripling the Harrisburg office size.

As cyber crooks focus attention on real estate, agents are advised to protect their clients’ identity

Richard Boas Jr., president of the Lancaster County Association of Realtors, has been giving real estate agents the same advice for years now: Don’t take any sensitive data from a client that you don’t need.

“As Realtors, we are paranoid about identity theft,” said Boas, who also is an agent with Berkshire Hathaway HomeSale. “There is no need for agents to have a client’s social security number in a file.”

Modern interactions between real estate agents, construction companies and clients allow people to use websites to view inventory and seek details. Zillow.com, Realtor.com or similar sites, as well as a construction company website, allow people to shop for homes with a plethora of search options, from zip codes to price ranges to home styles.

Sites for builders and real estate agents will have protections, including passwords, but the sites usually don’t ask for sensitive financial information because there is no need to, several people said. When it comes to pre-qualifying a client for a mortgage, Boas said as an example, real estate agents no longer need to be involved in the process. Instead, the pre-qualification is handled by the lender.

“Back in the day, I would be pre-qualifying clients,” Boas said, adding that process requires accumulation of sensitive data such as birth dates and socials. “That has completely changed in the past 25 years.”

Real estate agents do get involved in coaching clients on best practices because criminals adapt to new ways business is conducted, no matter what the industry, several observers noted. In real estate, a serious concern has been wire fraud, leading to public information campaigns from lenders to title companies to real estate agents and government agencies.

Shanna Terroso, executive officer of the Realtors Association of York & Adams Counties, said security issues are “top of mind” in the industry. September was Realtor Safety month, which included presentations from speakers, one of whom noted that there were more than 350,000 cyber fraud complaints for over $7.4 billion in losses in 2018. She said the speaker, a Harrisburg attorney, noted that the biggest target is real estate and that Pennsylvania is in the top 10 for cyber fraud and total losses.

Terroso also pointed to an article written in late September by Kim Shindle, the communications director of the Pennsylvania Association of Realtors, that outlined the issues and offered advice from experts including making sure that agents use encrypted email services. Terroso explained that a lot of agents want to take advantage of free email, such as with Gmail, but doing so makes them vulnerable. The cost to create a domain name with a unique address is negligible compared to what it might cost if your email is hacked, she added.

She and others noticed that a lot of the vulnerability comes from hackers gaining access to an email address, and then passing themselves off as an agent of a real estate company, attorney or title company. The email looks official, so if the email asks for sensitive information or gives instructions for wiring money to a bank account, a client might do so.
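As an added example (not from the article or any of the firms quoted in it) of the check a practitioner would automate for the scenario just described: parse an incoming message and flag the signs of a business-email-compromise attempt, namely a sender domain that is not one of the parties to the transaction, a domain that is a close lookalike of one, a display name that belongs to a different party, a Reply-To that differs from the From address, and a body that changes wiring instructions. The party list and both messages are constructed, and the domain names are placeholders.

```python
import email
from email.utils import parseaddr

# Constructed list of parties to a transaction: display name -> sending domain.
KNOWN_PARTIES = {
    "Example Title Co": "example-title.com",
    "Example Realty": "example-realty.com",
}
KNOWN_DOMAINS = set(KNOWN_PARTIES.values())

WIRE_WORDS = ("wire", "routing number", "account number", "aba")
CHANGE_WORDS = ("updated", "new", "changed", "revised")

# Characters attackers swap for near-identical ones in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; short enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the legitimate domain this one impersonates, if any."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if normalize(domain) == normalize(known) or levenshtein(domain, known) <= 2:
            return known
    return None


def flags_for(raw_message):
    """Return the list of warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []

    if domain not in KNOWN_DOMAINS:
        flags.append(f"sender domain {domain} is not a party to this transaction")
        impersonated = lookalike_of(domain)
        if impersonated:
            flags.append(f"{domain} is a lookalike of {impersonated}")
    expected = KNOWN_PARTIES.get(name)
    if expected and domain != expected:
        flags.append(f"display name '{name}' belongs to {expected}, not {domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")

    body = msg.get_payload(decode=True) or b""
    body = body.decode(msg.get_content_charset() or "utf-8", "replace").lower()
    if any(w in body for w in WIRE_WORDS) and any(w in body for w in CHANGE_WORDS):
        flags.append("body contains changed wiring instructions; verify by phone")
    return flags


# Constructed messages: a routine closing reminder and a BEC attempt.
LEGIT = """\
From: Example Title Co <closing@example-title.com>
To: buyer@example.net
Subject: Closing on Friday

Reminder: closing is Friday at 10am. Bring two forms of ID.
"""

FRAUD = """\
From: Example Title Co <closing@examp1e-title.com>
Reply-To: closing.desk@mail-example.com
To: buyer@example.net
Subject: URGENT updated wire instructions

Our bank changed. Please wire the closing funds to the new account number
and routing number below before noon today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, flags_for(raw) or ["no flags"])
```

Any one of these flags is a reason to do what the title company below asks for: stop and call the known number. The lookalike check covers the case where the attacker registers a similar domain; it does not help when, as in the attorney example below, the real account itself is compromised, which is why the call-back rule matters even for mail that passes every filter.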

In many real estate transactions, wiring money is the preferred method to transfer funds from a home buyer or to the seller, the experts said. Wires can be extremely safe — in that the money goes directly from one account to another. Issues arise if the wiring instructions are bogus and are then transmitted to the wrong account. Title companies handle the wires, so it is important for the title company to work directly with clients to ensure safe transfers, said Melissa Dunczyk, manager of the Pennsylvania office of Chesapeake Settlement Company on East Market Street in York.

She follows various protocols depending on the transaction, but one consistent component is verifying information. Education and communication with every person involved in a transfer are key, Dunczyk and others said. Agents should advise their clients to be wary of wiring instructions coming from anywhere but the title company, and then clients should double- or triple-check that they are sending the money to the right place. If it is sent to the wrong account, it might be impossible to get it back, Dunczyk said.

“Once it is gone, it is gone,” she said.

A lot of people are embarrassed by verifying information, she said, but they shouldn’t be, and she strongly encourages people to call to ensure they are sending their money to the right place.

“Don’t be afraid to call and ask,” she added.  “There is nothing to be embarrassed about.”

While she can help customers with the wiring instructions to get the money into the title account, customers need to know how their lending institutions handle transfers and work with those banks or credit unions. Some lenders let customers create wire transfers by going online and setting it up. Others have you go into a local branch. Regardless, she said, people should make sure they are comfortable and seek guidance from the lender for how to get the money to the title company.

She agrees that hacked emails are a problem and that people need to be on high alert at all times. She related how a local attorney had his account hacked, so emails were going out with fraudulent information in what looked like legitimate correspondence.

Dulcey Antonucci, director of communications for the PA Department of Banking and Securities, said in a written response to questions that her agency “has a very comprehensive education program that includes presentations on understanding cybersecurity and avoiding scams.” She noted that consumers and community groups can schedule a presentation by calling 1-800-PA-BANKS or emailing [email protected] for more information.

One issue is that the crooks are smart, so they can adapt to whatever new technology becomes commonplace, several experts said, noting that the technology continually evolves. That means that education and awareness remain critical, they said.

“Just double check,” Boas said. “Measure three times and cut once. I’m just a little paranoid about it, and that is a good thing.”

The broadband challenge: Expanding internet service to rural Pa. comes with a high price tag

Pennsylvania is on a mission to extend internet broadband service to every corner of the state, a goal many share so that no resident is left behind in the ongoing digital revolution.

However, before broadband reaches all residents, educating new users on best practices of the internet and on cyber-security issues will become increasingly important, several observers noted.

For now, though, stakeholders say they primarily are focused on getting the project through, a task that has been complicated because of the intense logistics involved, and the question of who will pay the cost estimated at more than $1 billion.

The project’s numerous supporters have focused on various ways to gather the state, federal or private funds that will be needed for such an extensive project, but a total funding source hasn’t been secured during the years-long crusade.

For that reason, cyber-security, while an ever-increasing issue nationwide, isn’t part of the current planning. Education and training will become imperative when people who aren’t routinely connected to the internet suddenly have access to all the perils that can come with it, observers said.

“We need broadband, and we will need the security to go along with it,” said Wayne Campbell, president/master of the Pennsylvania State Grange, which has identified broadband as a top priority for the pro-agriculture group.  “Security is always an issue because you never know.”

Campbell said that cyber-security isn’t factoring into current plans because funding is the top priority. However, he noted that senior citizens could be truly vulnerable when the broadband arrives, if they are not familiar with how email scams might work. Anecdotally, he said, he has been contacted by Grange members who ask about emails they have gotten from the agency, only to find out that the emails were phishing scams.

“A lot of senior citizens are not up on this,” Campbell noted.

Michael Bubernack, CEO of ET&T, a family-owned technology company based in Bethlehem, said he wasn’t deeply familiar with the broadband project but suggested that cyber-security and education are best considered early in any project. He said he has seen a report that said that small businesses account for a “good portion” of the victims of cyber-attacks. That primarily is because of a lack of education and training, he said.

“Small businesses have a responsibility to educate their users and their employees about the dangers or the potential dangers from the internet,” Bubernack said. “People need to have some education of what to look for in emails or web pages.”

Companies often spend enormous amounts of money building security protections, he said. Yet, it all could be worthless because one worker or customer isn’t trained properly and clicks on the wrong email or link, he said.

He holds free monthly seminars — usually at the end of a month — to show company owners and managers the dangers they face and then offers ideas on how to combat problems. He calls the internet the “wild, wild web” and doesn’t pull punches about what can happen if companies don’t take the proper steps. He also will, for a fee, visit companies to offer advice and tips specific to an organization.

Estimates vary, but the number of Pennsylvania residents without broadband services could be as high as 650,000, according to the governor’s office. Supporters of extending service say that the issue is not just a problem in rural communities, with about 250,000 residents of urban or suburban areas limited with their internet access.

Vince Phillips, who also works with the Grange, has been involved in the details of the broadband initiative for years. The issue is severe and hampers economic development, he and others have said. A farmer might buy an expensive piece of equipment that uses GPS systems that are worthless if they are in an area that doesn’t have broadband. Those issues extend to any business — from retail to manufacturing — that needs to create jobs in the modern economy, he said.

Phillips said the heavy focus on the financing end of the initiative is warranted, with some estimates placing the cost at $1 billion just for Pennsylvania. Similar issues are playing out nationwide, which is why stakeholders also have been looking to the federal government — perhaps as a piece of a national infrastructure bill — as a possible solution.

In Pennsylvania, ideas have included using money from a severance tax on the Marcellus Shale gas reserves. That concept is heavily favored by Gov. Tom Wolf, but the proposal hasn’t gotten through the Republican-controlled legislature. Other ideas have included looking at whether some of the major communication companies — such as Verizon or Comcast — have obligations to pay some of the costs, Phillips said.

The funding hurdle has been so high that cyber-security hasn’t been part of the discussions, Phillips said, adding that it likely would become a priority the closer the state gets to a full roll out. He noted that several state agencies, including the Department of Aging and the Attorney General’s office, focus on cyber-crime and on informing residents of various best practices. He suggested that more emphasis will be placed on education and training once underserved communities have the broadband.

“From the Grange point of view, the more education you can have to protect consumers, the better,” he said.

Sherri Collins, the acting director of the Governor’s Office of Broadband Initiatives, said the governor is re-asserting efforts to gain support for a tax on natural gas. The broadband project is part of the governor’s Restore PA plan that would invest $4.5 billion in a variety of projects — from green energy to storm recovery aid to brownfield redevelopment – through a severance tax.

“From our office, we are focused entirely on every person who wants to be connected can be,” Collins said. As far as security, she said, “there are things we will look at, but this is not part of what our focus is now.”

Guest view: Can your company transfer its cyber/privacy risk contractually?

Businesses are trying to push risk to vendors and clients contractually as breaches and other cyber attacks grow in number and magnitude. To understand whether or not this strategy will work for your company, you can begin by considering the following questions:

  1. Is additional insured status available from your vendor’s or client’s policy?

While the quick answer will typically be “yes,” it will only be for vicarious liability. Vicarious liability refers to a situation in which one person or organization is held responsible for actions or omissions committed by another person or organization. Privacy law is clear when it comes to ownership of personally identifiable records. If your data has been breached, you are responsible and liable for it regardless of who is hosting or holding the data.

  2. If your business can obtain additional insured status and transfer risk contractually (varies by state), do you also need to purchase a cyber insurance policy?

Even if your company has successfully obtained additional insured status from others, there are several reasons your business should maintain its own cyber coverages:

  • Properly structured cyber policies provide first party coverages such as extortion and business interruption coverage, which is not liability coverage.
  • Relying on additional insured status requires clear evidence the vendor or client is directly responsible for the breach, and is therefore unreliable. If circumstances are unclear, or either party is not solely responsible, the vendor’s or client’s carrier may fight the requirement to cover your losses.
  • Even if you are granted additional insured status, many carriers limit the coverage to a fraction of the overall coverage granted by the policy. Many carriers will grant additional insured status only for third-party claims, and not for breach response costs, regulatory hearings or other coverage agreements.
  • Your company may not have the process, resources or expertise to evaluate the coverage and/or exclusions provided by the additional insured policy and how it might respond in its defense.
  • It is always best to control a claim as a named insured rather than as an additional insured in the event of a claim.

  3. The “Other Insurance Clause” is a provision identifying what occurs in the event multiple different policies are available to pay a specific claim. Is there a single answer as to how this clause will react in a claim situation involving an additional insured?

Each cyber policy has different and customizable terms and conditions. No policy is the same. Your company should review the terms and conditions of its own policy and preferably your vendor’s policy, although this may prove difficult.

The vast majority of policies have a default Other Insurance Clause. This default states, “this policy is in excess over other valid and collectible insurance.” What if you have a contract with a vendor and gain additional insured status on its policy, but both policies have the other insurance clause described above? You would effectively have both insurance companies pointing at one another. The insured organization would find itself in the middle with no defense or coverage. It would require significant time and coverage litigation between the insurance carriers to determine who is responsible to pay the lion’s share of the claim.

If your business already has a cyber policy and requests additional insured status on your vendor’s policy, and both policies trigger in response to a claim, you could find yourself in a long, drawn-out litigation between both carriers. A preferable alternative is for your insurance program to respond expeditiously to your cyber claim. It would be wise to amend your policy’s other insurance clause if you seek to gain additional insured status on a vendor’s policy.

Bottom Line: While transferring risk contractually remains the least expensive way to transfer risk, it can also, in the situations described here, be the most effective way to transfer risk. Contractual transfer remains a best practice regardless of the type of risk, cyber or otherwise. While insurance is the most expensive, it is also often the most effective way to transfer cyber risk.

When it comes to cyber/privacy liability your organization should consider purchasing its own policy to avoid the damage to a balance sheet or brand reputation which could occur without securing its own coverage. I recommend speaking with your trusted broker to secure your own coverage.


Brian Heun is the Sales and Relationship Manager and a Partner at KMRD Partners Inc., a nationally recognized risk and human capital management consulting and insurance brokerage firm with offices throughout Pennsylvania. Brian can be contacted at [email protected]


Double-edged sword: Digital technology can help businesses – except when it doesn’t

A pair of chainwide cash register crashes at Target Corp. in June, right around the heavy-sales Father’s Day weekend, may have cost the national retailer $50 million to $100 million in lost sales, according to some analysts.

The problems — one of which the company blamed on a “technology glitch,” while another was traced to a tech center run by NCR Corp. — were quickly corrected, but they also point to a deeper issue, said some local experts: Technology has helped to boost business productivity, but it’s also exposed companies to a host of challenges.

Richard Stoneberg (Photo: Submitted)

“There is indeed a tradeoff between absolute security and meeting business needs and functions,” said Richard Stoneberg, chief information security officer of Allentown-based Netizen Corp., which serves as a ‘virtual’ CISO for several businesses. “If I turn off my computer, put it in a vault and I am the only possible person who could open it – I truly have very good security on that computer. But it is not terribly functional for me either. So the suggestion is pretty straightforward: Do a true IT security overview of your data and processes in a risk-based, cost-effective mindset.”

Each business will have a unique solution, he added, and “even businesses in the same type of work can be different. There are cloud-based solutions that can work,” as well as redundancies and others that can reduce the risk of outages.

In general, there are three “pillars of good security,” according to Stoneberg: confidentiality, integrity and availability. The first involves considering how data is kept confidential or secured against hackers. Integrity refers to the correct billing or charge to the correct person at the correct time, while availability ensures that a customer can actually purchase a company’s goods.

Preserve human element

The human component is another important factor, according to Devin J. Chwastyk, a Harrisburg-based member of McNees Wallace & Nurick LLC, and chair of the law firm’s privacy and data security group.

Devin J. Chwastyk (Photo: Submitted)

“Keep in mind that the vast majority of computer crime and hacking incidents are usually traced to security and other vulnerabilities associated with the people using a computer,” he noted. “It’s a matter of HR training so employees will avoid clicking on unknown links and engaging other risky online behavior.”

He said some regulated industries, such as medical facilities that are governed by HIPAA, or the Health Insurance Portability and Accountability Act of 1996, have been “ahead of the curve when it comes to training, controls and best practices, but now they’re trickling down to other industries.”

Chwastyk also had advice for companies that tie their IT systems to vendors’ setups. “We work on these kinds of issues and address them with contractual terms,” he said. “You want terms in the agreement with vendors to define issues like the level of performance to be delivered, and what kinds of remedies will be available if they fail to meet those standards.”

Businesses may also wish to consider cybersecurity and business interruption insurance policies, he added.

“Depending on the circumstances of an incident, there may also be reporting requirements,” he noted. “Generally, a simple outage won’t trigger them, but all 50 states have notification requirements for a ransomware or other security breach that exposes personally identifiable information. If your company does business internationally, you may have to consider European Union and other reporting requirements.”

Cost matters, too

Companies need to ask themselves “what’s it worth to me to keep my operations up and running?” said Charles Getty, director of information security at York-based Business Information Group. “But it’s not unusual for small- and medium-sized businesses to balk at doing that. They often don’t seriously consider it until they get hit.”

Besides doing a cost-benefit analysis, there are other considerations, he added. “In general, companies can use ‘cluster technology’ [a set of connected computers that effectively work as a single system] as a kind of ‘fail-safe system,’ so if one goes down, others will take over the load,” Getty noted. “But the challenge there is that if one gets compromised, say by ransomware, the threat can quickly spread. One solution to that is to have a separate, offline backup too, but that can take time.”

The best approach, he said, is to “assess your risks — from cyber threats to natural disasters — and consider the impact on your business operations. Then consider the possible solutions and how they fit with your budget.”

Brandon Keath (Photo: Submitted)

One of the quandaries facing businesses is the dichotomy between security and productivity, pointed out Brandon S. Keath, cybersecurity practice lead at Mechanicsburg-based Appalachia Technologies LLC.

“Technology can be considered as a door that helps companies get their goods and services to market easier and faster,” said Keath, who also runs PAHackers, an “ethical hackers” organization. “Security is the lock that guards things. But when you put a lock on a door, it’s tougher to get through it to make your delivery.”

Once a business comes to terms with that, Keath said it should “invest in redundancies and periodically test” the systems. But many companies don’t have a backup plan, or it’s limited, or they’ve never tested it, he added.

He also noted that high turnover among technology professionals compounds the problem.

“Something happens and no one knows exactly how the system works, because the person who designed it is no longer there,” Keath said. “This happens in small companies and multibillion-dollar ones. Businesses need to properly document any changes or additions to the IT system.”

The best defense

A hardware or software vulnerability in a computer system is, in reality, a mistake made by its designer, according to Ronald C. Jones, a cyber security instructor at Harrisburg University.

“Each company that designs a computer system has a cost-tradeoff point where more vulnerability testing decreases the profitability of the computer system,” he noted, highlighting some best practices that can help to reduce the number of mistakes in a system.

“Use software fuzzing,” he suggested, referring to running a program with a wide variety of “junk” input that can highlight abnormal or other unexpected results.

Another is to utilize “common criteria,” which refers to products that can be evaluated by competent and independent licensed laboratories that can determine particular security properties.

As an additional precaution, added Jones, companies may consider “third-party review by someone who was not involved in designing the computer system.”

In Target’s case, the cash registers “suffered from a systems design flaw, a monolithic design which created a single point of failure,” he said. “Target was not clear but inferred it was some type of computer system design. It is cheap to build and operate a monolithic system, that is, until it fails. The best-practice approach is to have redundant systems and have half of the company operated on one side. Another approach would be to operate on one system on even number months and the other on odd number months.”

There can be a big tradeoff between productivity and vulnerability when it comes to designing computer systems, according to Andrew Hacker, Harrisburg University’s cyber security expert in residence, and CEO-founder of Thought, a blockchain technology company. “New and improved technology can bring significant productivity enhancements, but it can also bring cyber security and other risks.”

The problems are not limited to Target or other retail chains, he added. Hacker pointed to mobile phones as an example, noting that “cybersecurity was not considered a problem when they were introduced.” But now, with smartphones holding banking and other sensitive information, “more threats have emerged.”

His suggestion: “Bring in internal or external cybersecurity partners as early as possible.”

Hacker, who previously worked as the deputy to the state of Pennsylvania’s chief information security officer, said technology security personnel “were at the table early on as each department rolled out new projects. It may cost a bit more, but this approach provides more security.”

To minimize the chances of a systemwide failure, Hacker said, companies should consider installing redundant and hardened, or secure, systems.

“You do have to consider the cost, but also consider the cost of downtime,” he noted. “Also, when your systems interact with an outside provider, take the time to test their compatibility. In the beginning, most systems were closed, but now it’s common for external vendors to be hooked into a company’s system, so there’s a greater need to review the systems, maintain their continuity and consider backup plans.”