VANCOUVER – Cyber attackers are becoming increasingly sophisticated – employing better techniques and targeting information that could prove particularly damaging – but that may be balanced by a greater openness to use expertise and not go it alone, it was suggested during a session Friday at NICC.
“We are at the cusp of a paradigm here,” Alexander Rau, a senior manager with Mandiant’s Canadian Security Consulting Services practice, said during the panel discussion, Are We Ready for the Cyber Threat Horizon?
Organizations are undergoing a shift in thinking, Rau noted. “In the past, we always thought ‘Nobody will attack us. We don’t need help,’” he said. Now, “organizations know and see that they need help.”
This is a point where incident response and cyber insurance come together “so the organizations understand that they have to put policies, procedures and playbooks in place how to recover from the breach when it happens,” he said.
Recommendations include monitoring; using managed security services; using threat intelligence by getting information from organizations in the field; incident response procedures; and tabletop exercises, Rau said.
“Personal data is being mass-targeted,” he told attendees. “Credit cards on the Internet on the black market are worth nothing; there’s so many out there. It’s way more important for these attackers to get personally identifiable information so that they can do identity theft,” he explained.
There are also more spear-phishing attacks, with the goal being to gain access to systems by stealing credentials. “If the attacker can look like an individual that works within the organization, they can do damage within the organization without IT controls ever noticing because they seem like they’re one of us.”
Instead of attacking servers, attackers are also now going after networks.
In addition, businesses are working more and more with third parties and in the cloud, representing “another vector for the attackers to attack,” noted Rau.
“So, there are more and more going after them and through them (third parties) to get access to our data and information,” he pointed out.
There are certain devices, including health devices, “that are collecting data on us that go into the cloud,” he said. “We don’t know where the information goes and if someone steals it, we also don’t know in whose hands it ends up.”
Anthony Mormino, a senior vice president with Swiss Re, told attendees “you’ve got this increased attack surface for cyber threats. People and businesses are putting themselves out there on the Internet, including all their activities and their assets online. This is especially true for businesses.”
As it stands, Rau emphasized, the current protections being used are not as effective as they could be. Rau cited research findings that not only did it take organizations an average of 146 days to learn about a breach, “100% of those companies that we looked at had firewalls and anti-virus that was up to date.”
The traditional ways of protecting “environments and data are not working,” he said. With greater use of ransomware, “we see a rise in business disruption.”
With cyber attackers “getting better and better, they will attack without using malware and they will abuse ill-built mechanisms within the operating systems, for example, or the applications that you use,” Rau added.
Beyond questions related to security are questions around coverage should something take place.
Mormino noted commercial general liability (CGL) policies, around since the 1940s, “are really the cornerstone of many businesses’ insurance programs.” If anything happens involving a company, “the first place they’re going to look is their CGL policy.”
However, because there must be physical damage to tangible property, the courts have been divided on whether or not there is coverage under the CGL for cyber-related incidents, Mormino explained.
To ensure there is no coverage for a cyber breach or related issue under a CGL or GL policy, he said that an exclusion can be added.
“The problem is that even though I put out an exclusion for use for this purpose, a lot of these CGL policies simply aren’t updated,” he said. “They are silent on the question of cyber risk and you have to rely on the case law, which as you can see isn’t so reliable as to whether there’s coverage,” he told attendees.
“To eliminate that potential coverage gap and mitigate it, that’s where cyber insurance comes in,” Mormino said.
“Cyber attacks can come from any part of the world and often they’re way outside the jurisdiction of the country being attacked,” said Gordon Woo, a catastrophist with Risk Management Solutions (RMS).
A key aspect of all man-made terrorism, Woo explained, is that “the uncertainty of what the loss can be is very large.” Beyond uncertainty is the potential reach.
“When you talk about cyber attack, what is the footprint of a cyber attack? The footprint for a cyber attack is the set of all the systems which are affected by the attack,” he said. “Geography has nothing to do with it.”
Rau noted that companies are responding to cyber threats, but not all are doing so appropriately. “What we see they’re responding to are threats that we’ve seen in the past. We need to get to a point where the organizations are being more proactive to deal with the threats we’re seeing right now or in the future,” he said.
“Cyber insurance is not a substitute for cyber security,” Mormino emphasized.
That said, “it’s up to the industry to provide the coverage, but it’s up to businesses to buy that insurance.”
The issue is that although there are 60 markets offering modular, endorsable coverage or standalone coverage, he reported, “businesses are not taking up or buying that coverage as fast or as much as they should be.”
That is worrisome in light of the fact that insurers “can silently accumulate cyber risk under CGL policies and not realize it,” Mormino suggested.
“Unless you actually introduce exclusions or have a conversation with your policyholders, you may be silently accumulating cyber risk on those types of policies,” he pointed out.