[BreachExchange] Assess cyber risk scenarios before data thieves strike

[Audrey McNeil]

http://www.businessinsurance.com/article/20160609/NEWS06/160609763/data-thieves-andrew-innocenti-fbi-chicago-chapter-of-the-risk

Some of the latest tricks data thieves are using involve employees, but
risk managers can mitigate these risks and other cyber threats by being
aware of the scenarios and assessing for them in advance, cyber experts say.

“The proliferation of the internet makes doing business more convenient,
but it also makes it easier for criminal adversaries to find company data
that is unprotected,” Andrew Innocenti, an FBI special agent based in
Chicago, said Thursday during a cyber security presentation by the Chicago
Chapter of the Risk & Insurance Management Society Inc. in Deerfield,
Illinois.

Employees are often the company data’s first line of defense. “The weakest
link in security is the human one,” Mr. Innocenti said. Employees can
unintentionally fall for one of the most recent hacking techniques where a
CEO is spoofed in an email that asks for an employee’s personal or other
confidential company data so they can steal it, he said.

This often happens when the CEO is on a plane and unavailable to confirm
the request. “This is not a coincidence, this is intentional that the CEO
can’t respond. It is a planned event,” Mr. Innocenti said. Signs to look
for in the fake email are that it is written in poor English or sent at a
strange time such as the middle of the night.

However, some instances of data theft caused by an employee are
intentional. “Insider threats are the most difficult to protect from, and
they are never going away,” Mr. Innocenti said.

Most company data theft that occurs is done primarily by engineers and
researchers, then by executives and software programmers, said Jennifer L.
French, a Chicago-based FBI special agent. The most frequent vehicles used
are USB devices and email, she added.

Another data theft threat that employers should be prepared for is when an
employee leaves a position. When someone moves from one position to
another, an employer should ensure the worker only has access to the files
that they need for their new position, Mr. Innocenti said. And when they
are terminated, all access needs to be taken away. “We’ve seen employees
that are terminated go home and log into their system and wreak havoc to a
company’s data,” he said.

Once these types of data theft scenarios and other potential cyber attack
risks are identified, risk managers can plan for them and prepare for an
event to occur.

The first thing that should be identified is what will it take to get your
company up and running after one of these scenarios, said Ryan P. Griffin,
Chicago-based vice president of cyber and errors and omissions practice
with JLT Specialty Insurance Services Inc. “Understand your risk appetite,”
he said.

The security, advisory and insurance members often operate in silos. This
makes managing cyber risk difficult, said Mr. Griffin, who recommends these
teams meet in a room and frame a discussion of the various scenarios that
could happen.

CEOs are the true risk owners, Mr. Griffin said, and they should be brought
together with the insurers. “Invite them out to take a peek under the hood
and show them all the threats the company faces.”

“The days of giving IT a questionnaire to fill out to find out what your
risks are — those days are over,” he said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160609/f1dea419/attachment.html>