Tag: "cyber security"

New Generation Of Cyber Security Leaders Needed

“As technology continues to evolve at lightning speed, redefining the way we live and work, it’s becoming increasingly difficult to imagine functioning without it.

Unfortunately, that reliance on technology to keep us connected has also made us more vulnerable to cyberattacks and threats that undermine the ability to keep our data safe.

Our future online safety depends on investing in a work force that understands how to protect us online.”

full story

A Paperless Society

Although apparently a hardware problem, rather than any type of virus or malicious attack, this incident in the NHS trust shows the dangers of relying on technology. Pennine Acute trust had to cancel approximately 650 appointments because of an IT failure.

Whatever the benefits of IT, and there are many, in the area of health care, there is an obvious and basic need to make sure that any failure does not lead to this type of situation.

Technology should act as a backup to main systems of care in the health service, and should never be solely relied upon. This type of breakdown highlights the enormity of what it means to rely on technology as the prime mover behind records and appointments in the NHS.

People sometimes treat IT almost as an ideology, believing it can solve most of life’s problems. Technology is at its best when it is working with other types of systems, especially paper ones, which complement each other and neither of which is compromised in the event of any breakdown or failure in the system.

Manchester Evening News

How do You Fix Identity Theft?

The very idea of identity theft either really scares people, or is dismissed as being a bit of a project fear campaign. This is often because of a misunderstanding of what the term identity theft can mean. It can mean wholesale theft of someone’s identity, or credit card fraud, tax fraud, child benefit fraud etc.

The first step in fixing identity theft is to stop any more fraud occurring once you have discovered that it has taken place. This is in part about damage limitation, but also making sure that you put a block on a continuing and recurring crime.

Fixing identity theft first of all depends upon identifying where the theft has occurred. This means clarifying which companies have been involved in terms of where your personal or financial details have been held, and notifying them that some type of fraud has occurred.

This means that once you have notified these companies they should be able to put a stop on your account, meaning that no new fraud activity should be allowed, and if it is, you should not be held liable for it. This may also mean closing your accounts completely and opening new ones with new account numbers and names.

Fraud Alerts on Credit Reports

It is important to notify one of the three major credit bureaus, Experian, Equifax and TransUnion. Whichever one you contact, they will notify the other two. They can put a fraud alert on your credit report, which makes it much harder for anyone to open any type of account in your name.

FTC

If living in the US, notify the FTC, who have a specially dedicated website where identity theft can be reported and help sought and given. If living in Canada or any other country, check to see if the government has a national or federal system for registering cases of identity theft.

Most countries recognise that identity theft is quite often a national issue, and quite often an international issue, and have taken steps to make sure that as broad a range of help as possible is available.

Police

Many people will notify the local police department or law enforcement agency that a crime has been committed.

Some people do not bother as they think there is little that the police can do about it. However, as with any crime, notifying the relevant law enforcement agency is always a good idea. They have experience of all types of crime and may be able to offer practical advice, as well as being involved in helping to solve it in different ways.

The above steps are in many ways about trying to prevent further criminal activity once the case of an identity theft has been realised and recognised. The next step is to try and limit the damage that has already been done, and try to claim back compensation for crimes committed in the individual’s name.

New Accounts

Quite often identity theft is about someone’s identity having been stolen, and new bank or financial accounts opened in their name. These accounts are then used to obtain loans or credit on a fraudulent basis. The first step is to get these accounts closed. Identifying where these accounts are can sometimes be quite tricky, but it is important that this is done quickly.

Stress to the bank or financial institution that an identity theft has taken place, and that these accounts need to be frozen and closed. Obtain written confirmation by post or email that the bank or institution has complied with your request.

Removing Fraudulent Charges

Once the account has been identified as fraudulent, the next step is to have all charges on that account removed from your name. This means making sure the bank or financial institution has complied with your request, as above, to close the account, and in so doing removed all charges from your name.

This may sometimes be quite difficult to achieve. Depending upon whether it is a bank or credit card company or other type of financial institution, they may have committed a significant amount of money to this bogus account, and may be reluctant to simply write it off on the basis that you are saying it is a fraudulent account.

This is where identity theft can get complicated, as sometimes banks or credit card companies will take the attitude that it is possible you are simply trying to get out of repaying a loan or credit card by claiming identity theft. It can sometimes be quite a tortuous process to prove it.

Identity Theft Insurance

Many companies offer some type of identity theft insurance, either as a stand-alone policy, as part of a home insurance policy or as part of a crime prevention policy. The coverage under all these types of policy is normally fairly similar, and although clear as to what it is, is in many ways not that helpful.

The main type of insurance cover normally helps people by providing assistance in the areas mentioned above. This can be about contacting banks and financial institutions where fraud has occurred, notifying the main credit bureaus and liaising with various regulatory bodies and agencies where appropriate.

There is also quite often some type of credit monitoring service available, or made available for a certain period of time.

There is normally some type of financial indemnity that can relate to attorney fees with regard to legally unpicking some of the above areas.

Does Identity Theft Protection Work?

A number of companies offer identity theft protection services, some of them quite costly, and in truth offering protection that has some value but is fairly limited in reality if your identity has been stolen.

Firstly it is important to look at how much of a risk people are at in terms of having their identity stolen. Bureau of Justice statistics for 2014 estimate that some 7% of US residents were victims of identity theft in that year. By some measures that is quite a high estimate, but it is important to break it down into what it really means.

What is Identity Theft?

Many people have a view of identity theft that is quite dramatic, a view often fuelled by companies providing identity theft protection services. The reality is that for most people identity theft is a real possibility, and is more likely to be around theft of credit card numbers etc, as well as the risk of people opening bank accounts in someone else’s name.

There are a number of things people can do to protect themselves, especially in these two areas. It is also important to make a distinction between what people can do to protect themselves against identity theft happening, and the identity theft protection that some companies offer, which is more about dealing with the problem once it has happened.

The cover that these companies offer is normally to do with some type of credit monitoring after the theft has actually happened.

They also offer some type of power of attorney process that allows them to try and deal with the damage of identity theft in your name. Whilst this may in theory be of some benefit, mentally and emotionally handing your identity over to someone else again after it has been stolen may seem quite weird to some people.

Preventing Identity Theft

Whilst no one can guarantee that you can protect yourself against identity theft, there are a number of things you can do that can help.

Firstly make sure that your credit card company covers you for unauthorised use of the card.

Most credit card companies do nowadays. It has fuelled the use of credit cards both online and off-line for people to use for everyday purchases. What it means in reality is that if anyone uses your credit card number, however they have got it, the credit card company will automatically write off the loss and remove the charge from your account.

Most of the major credit card companies are pretty good in this area, and realise that it benefits consumer confidence hugely to know that they are automatically covered without dispute. It is worth checking however with your credit card company that this is their policy.

The other significant area of identity theft is people opening bank accounts and being able to obtain loans in someone else’s name. There are certain categories of people, in terms of age and income, who seem to be more at risk, and it is worth doing some research to see where current identity theft statistics are heading in that direction.

The most important area of prevention and protection lies in good old common sense. In order for someone to steal your identity they really need to have some unique information about you, such as your Social Security number, National Insurance number, passport number and photograph, driving licence number etc.

The best way you can protect this information is not to share it with anyone online, and make sure that all correspondence involving any sensitive information is sent and received by normal mail.

There is continual pressure to do everything online nowadays, especially by organisations such as banks which see it as a way of cutting costs considerably. Make sure that you keep the option of corresponding and doing business by normal mail, including things such as bank statements.

Whilst paper information can be accessed and hacked by criminals, that to some extent has always been the case. The best way to protect yourself is to make sure that information is not shared online, and make sure that all paper versions of it are shredded prior to disposal.

Home owners insurance

A number of homeowners insurance policies offer some type of identity theft protection either as an add-on or as an integral part of the policy. This to an extent can be a bit of window dressing, but can also include useful features.

One of the most common is access to some type of free credit monitoring service which can alert you if there is suspicious activity regarding your account, or if something like a bank account is opened in your name.

What these policies offer should be seen in the context of what you yourself can do as well. For example, virtually everyone has a legal right to see their credit report at least once a year, in order to check it is accurate and have any mistakes rectified. This is a good way of seeing what information is held on you and by whom.

Some insurance policies also provide a degree of financial indemnity cover to help you pursue actions to recover your identity in the event of theft, including monies spent on attorney fees etc.

Rise Of Cyber Crime – Virtual Kidnapping

A Chinese student fled her Vancouver home in fear after online scammers threatened to harm her parents in China if she did not comply with their demands. Police say she’s one of three in the last month who have fallen prey to the extortion scheme.

All three victims and their families suffered financial loss in the so-called virtual kidnapping scheme, and the one who fled was eventually found in China.

Full Story

Top Cyber Insurance Companies – Hiscox

Hiscox have managed to establish themselves relatively quickly as probably the market leader in cyber liability insurance, in part based on the policies they provide, in part on the resources and risk modelling they help with, and in part on the existing customer base which has a high focus on small business and various types of liability insurance.

All these areas are hugely important regarding cyber insurance. The scale of cyber security and related risks is almost so big that it is virtually impossible to comprehend. As such, as Warren Buffett recently pointed out, many insurance companies do not want to enter the market because it is so difficult to determine levels and cost of risk.

What Hiscox have done is essentially to build on that existing customer base, and the reputation they already have, to advance what is both an insurance policy in terms of financial indemnity, but also to provide a risk management process that actually deals with the realities of any data breach or cybercrime.

Hiscox Customer Base

While Hiscox may be active in many areas of insurance, one of their main areas of focus is on small businesses and related liability insurance. This focus brings together a significant number of what could be termed niche areas of business, but which all share common liability threats.

These liability threats could be around general business liability, public liability insurance, E and O insurance, product liability insurance, employers’ liability insurance etc. Whilst every business is different, they have a thread of similar needs that means these types of liability insurance can be both general and specific at the same time.

What this has allowed Hiscox to do is to develop specialist insurance policies that in fact can be targeted at very specific industries and professions.

This has given them a fairly unique access to understanding the needs of a variety of different trades and businesses, which they have been able to very successfully build on in understanding the needs that relate to cyber insurance, for every type and size of business and organisation.

Hiscox Cyber Insurance Policies

Cyber insurance policies can vary quite widely in terms of the level of coverage and the cost of accessing them. What Hiscox have done in terms of coverage is to provide what is pretty much a gold standard as to how a data breach claim should be dealt with.

This means that aside from any financial indemnity that the policy provides, the policy also provides a working incident response team, which can help manage both the immediate and longer term realities of what a data breach involves.

In practice this means that a Hiscox insurance policy will provide access to a team of selected individuals and companies who can manage a number of areas of the claim. This can include IT specialists, lawyers, PR companies, financial analysts etc.

The work of this team will revolve around dealing with and paying any ransom that may be demanded, restoring the integrity of an IT system, dealing with any reputational damage that the company or business may suffer and notifying and dealing with any regulatory bodies that may need to be notified of the breach.

The team should also include specialists who can forensically examine and come to understand the reasons for the data breach, and put in place systems to make sure it does not occur again once the integrity of the IT system has been restored.

The insurance policy should also provide some type of business interruption insurance until the IT system and the business itself is up and running again as per its normal practice.

In addition, the policy is likely to provide help for individuals whose information has been accessed unlawfully, such as providing access to credit monitoring systems in relation to identity theft.

Cyber Security and Risk Management

Hiscox offer a significant number of tools and resources to both potential customers, and signed up clients, which give them a significant amount of advice regarding risk management of cyber security. There are two particular reasons this is done.

One is simply that everything a company can do to reduce its risk exposure to a cyber security threat reduces the likelihood of a claim under its insurance policy. This should be good news for everyone in terms of reduced levels of claims exposure for the insurer, and hopefully reduced costs by way of premiums and deductibles for the company or business being insured.

The other reason is that it creates a level of trust around the insurer’s ability to understand the security risks and how best to deal with them.

Cyber insurance is a fairly new type of specific insurance policy, and part of its growth and appeal is the fact that insurers like Hiscox are very active in taking the lead to help companies understand the nature of cyber security risks, and how best they can be managed.

Many companies and businesses of all sizes are still to an extent in the dark on the reality of cyber security risks, either through complacency or lack of resources.

Providing risk management assistance allows Hiscox to gain a foothold on virtually any company’s radar, and to be able to build on it by way of providing cyber insurance policies if and when needed. It becomes a self-fulfilling loop that should in theory benefit both sides of the industry.

Cyber Insurance Cost Examples – Equifax

The data breach at Equifax sent shockwaves throughout the Internet, and throughout the financial community generally. This is in large part because of the huge amount of sensitive data that all credit rating agencies hold on individuals, and the fairly natural assumption that data is kept safe.

According to CNN, the breach involved the theft of personal data of approximately 145,000,000 people, and the theft was only revealed two months after it happened.

Whilst the delay in revealing the theft was not as long as that of Yahoo or some other companies, two months is still a huge time in terms of the risk of identity theft. With the breach of Equifax the risk of identity theft is probably as strong as it possibly could be, and any delay is potentially hugely important.

Equifax Data

All the main credit rating agencies potentially hold a huge amount of personal and financial information on millions of people worldwide. Their role is to provide an accurate assessment of an individual’s creditworthiness, that can give a valuable document to any bank or financial institution looking to lend them money or any type of credit.

Anyone applying for any type of credit or loan will have had their application assessed and determined on the basis of a credit score/credit report which will have been prepared by a company such as Equifax.

In preparing such a report, Equifax would collect a significant amount of data on an individual. Such information would normally include their name, their date of birth, address, their telephone number, their Social Security number or their social insurance number, their driver’s license details, their passport and their current and previous employers.

They would also look at the individual’s credit history. This would include information relating to payment history of any credit loan or arrangement, the use of current available credit to them, the length of their credit history, the number of enquiries they have made regarding obtaining credit, and the type of credit they use most frequently.

Their financial history would also be looked at. This would involve obtaining information from public records regarding things such as bankruptcy. They would also look at their banking history regarding overdrafts, bounced checks and any closed accounts.

They will also look at things such as loans, mortgages, lines of credit, store cards and credit cards and worst of all payday loans.

Anyone looking at this type of report would realise pretty quickly that the amount of information held on an individual by a credit bureau is massive.

Not only in the size and scale of it, but in the scope that it provides for identity theft. The fact that there could be a breach to the extent that there was highlights the enormity of the type of centralisation of this information.

Equifax Breach Causes

According to CNN, Equifax blamed the breach on one single individual, advising Congress that this individual had subsequently been fired! It is perhaps more scary that a breach of this size and scale could have been effected by one individual.

Any cyber security policy that is meant to protect this type and scale of data has surely got to have some type of safeguards built in, so that any individual doesn’t have either this type of responsibility or this type of power on their own.

Cyber Insurance Cost Examples – Yahoo Data Breach

Yahoo provides one of the best examples of the enormity and severity of what can happen with a data breach. Although a few years old, Yahoo suffered three data breaches which were only reported two or three years after they happened.

Estimates of accounts breached ranged from 500 million through to every single one of the accounts. The information that was lost or accessed included names, email addresses, telephone numbers, dates of birth, passwords and sometimes encrypted security questions and answers.

Someone at Yahoo tried to make the point that at least no credit cards or credit card numbers were accessed, but that is in many ways fairly irrelevant.

The importance of the Yahoo breach focuses on several areas.

Firstly is the issue of when and how Yahoo reported the breach.

Any delay in letting people know that the information has been accessed by someone who should not have a right to it increases the chance of that information being used for any criminal purpose such as identity theft.

Tracing, reporting and trying to undo identity theft is a hugely complex process. Anyone who has suffered it will tell of the enormous difficulties they face in trying to prove that they are not the person that someone else has said they are.

Identity Theft

Anyone trying to prove identity theft will find it difficult to prove where the other person got the information from, especially if it was two or three years previous.

Any company who experiences a data breach has a moral as well as normally a regulatory duty to disclose information to whoever has been affected by the breach as soon as possible. The danger is that any company is going to be afraid of the reputational damage that acknowledging such a breach is likely to cause.

This is one reason why most cyber insurance policies include some provision to pay for a PR company of some description to help manage the fallout and restore some type of reputational credibility.

Even if a company such as Yahoo is taken to task by any regulatory authority for not disclosing a breach earlier, in many ways the damage has already been done.

The other main issue that a data breach at companies such as Yahoo highlights, or perhaps the question it raises, is: is anyone safe? This question is almost the most important one that can be asked.

It is not about Yahoo’s technology systems or their cyber governance policies. It is about the fact that Yahoo is one of the oldest and was one of the most respected technology companies since the foundation of the Internet, and if they can be breached and hacked to this extent then presumably anyone can.

The breach at Yahoo is not about whether they have the most secure IT systems. It is almost more about the credibility of the Internet, and a sense of whether or not a technology company of its stature should be able to be breached, and, if they are, whether they properly dealt with it.

What does Cyber Insurance Cost?

For many people, the cost of cyber insurance is about two distinct issues.

Firstly is the actual cost of insurance in cash terms, relative to the coverage provided, and secondly is the question of whether it is worth having cyber insurance at all.

Any business or organisation needs to break the cost issue down into three specific areas.

Firstly is to decide what level of risk they believe that business is at. Secondly, what they can do by way of cyber governance to reduce any risk, and thirdly whether or not they need cyber insurance at all, depending on what other types of business insurance they already have.

This is one area of insurance where it is well worth considering using an insurance broker, which will not increase a business’s cost at all, but can provide invaluable information both about cyber risk modelling, as well as cyber insurance policies and their costs.

In terms of cost in cash terms, like any type of insurance, it is very difficult to generalise. However, reports by Reuters and others seem to suggest that rates have increased by anything from 30 to 50% over the last two or three years, that the size of deductibles has also increased and the amount of coverage has been significantly reduced.

Cost of a Data Breach

What can be more easily quantified is what a data breach can cost a company.

Reuters recently reported that a data breach at Merck cost its insurers around US$275 million. The cost to Target, the well-known retailer, of a data breach in 2013 was estimated to have been US$264 million.

Research by the Journal of Cyber Security in 2016 estimates the total cost of cyber events at approximately US$8.5 billion annually. They go on to suggest that the most common type of data breach is where customers’ credit card numbers and healthcare information have been compromised.

Any company or organisation holding this type of information is therefore more likely to be at risk, and be charged higher premiums. Their research also points to certain industries being most at risk, namely retail, information, manufacturing, finance and insurance.

Insurance premiums for these sectors of business are likely to be higher than others.

Cyber Liability Insurance Cost

Any insurance policy is about risk. An insurance company offering cyber insurance will look at a business or organisation, and try to assess the level of risk and then decide how much to charge for the coverage they are offering.

As Warren Buffett recently said, trying to assess the risks of cyber security is almost impossible, partially because it is such a relatively new area of insurance, and partially because it is inherently difficult to assess the level of risk.

There are however a number of major insurers offering cyber insurance, such as Hiscox, AIG, Travelers etc. Their assessment of risk will be focused on a number of areas including type of business, revenue, number of employees, cyber security governance etc.

Premiums do vary widely, and anecdotal evidence available suggests premiums can vary from US$500/600 a year up to US$100,00 a year and more. The insurance rates charged for the policy will largely be determined by the coverage limit of the policy, and what deductible is applied.

Cyber Attack Cost to Business

The second question is in a way easier to address, as it is normally focused either on the question of whether or not there is any risk, and if so whether that risk is already covered by some type of E and O insurance, or a general business or liability insurance policy that the company or organisation already has.

Any business or organisation of any size is potentially open to a cyber attack or data breach. What they need to work out is what it would cost them if they had one, and below are some of the areas that would incur most of the cost.

Unsurprisingly, these are the areas of coverage that most cyber insurance policies provide, and in a way they make it easier for a business to assess whether or not it needs to pay for a specific cyber insurance policy.

  • having to restore lost data
  • having to fix or replace any network system or software, including hardware, that has been damaged
  • dealing with the fallout in terms of reputational damage, and having to hire some type of PR company to help fix
  • offering to pay for any customers to have some type of credit monitoring system as a result of a breach
  • the cost of bringing in any outside experts necessary to investigate and possibly fix what caused the breach
  • potentially massive costs of lawsuits from customers/clients etc
  • any regulatory fines or penalties that may be imposed
  • loss of business due to inability to trade whilst network systems are being restored and investigated

Cyber Governance

Cyber Governance is a phrase given to the structure, policies and procedures that any business or organisation has in place (or does not) that reflects its understanding of and approach to dealing with cyber security.

The level of cyber governance will to a large extent be reflected in the cost of any cyber insurance policy, or any restrictions that the insurance company puts in place on such a policy.

A really good tip for any business or organisation is to get hold of a cyber insurance proposal form, such as that from Hiscox, which asks numerous very detailed and specific questions about a company’s approach to cyber security.

This tells you their thinking more than anything else. Their thinking reflects both the experience of cyber security, and their understanding of the best way to prevent any cyber attack.

Using any proposal form as a template for a company’s cyber governance plan is a good way to structure such an approach, and also a good way to realistically reduce the cost of any cyber insurance policy that may be taken out, either with Hiscox or any other insurance company.

Taking back your Online Privacy

There’s a strong chance you’ve recently seen an email or pop-up box offering “some important updates” about the way a social media company or website plans to use your data. Are we about to regain control of our personal information?

In our increasingly connected world, data has come to be seen as something to buy and sell.

Businesses offer personalised goods and services to consumers, raising the possibility of data driving economic growth and even improving wellbeing.

full story

Hacking Las Vegas ……..

In what could have been the plot of a Hollywood heist movie, the hackers took great interest in the vast aquarium that a Las Vegas casino had installed in its lobby.

The casino’s owners thought that the huge fish tank was an impressive sight that helped create a classy ambience as people arrived.

What they failed to realise was that the aquarium was an easy way to break into the casino’s computer system, and the hackers pounced.

full story

How your Browser can Betray you …..

Web browsers store an incredible amount of sensitive information about you. Website developers have a variety of ways of using modern browsers to customize the experience for users. Advertisers also use these features to maximize the impact of ads shown on sites.

The result is that a lot of information about you is stored deep in your browser, and it can potentially be exploited by cyber criminals in a number of ways. This blog will describe what we call the “web dossier” that can be created from these artifacts, how this profile can be exploited, and what you can do to protect yourself.

Full story

How Artificial Intelligence is changing Corporate Canada

Corporate Canada is starting to wake up to AI. Name any sector and you’ll find at least one established player that has experimented with it – not the stuff of Terminator or 2001: A Space Odyssey, machines with human-level consciousness and perception, but software in narrower areas of machine learning.

Artificial-intelligence technology has advanced enough that algorithms can perform as well or better than humans at recognizing speech and images – and outperform us at solving certain problems or predicting outcomes. “I think [corporate executives] are starting to see a disadvantage to their business if they don’t have an active, applied machine-learning or AI project that is delivering results,” said Integrate.ai CEO Steve Irvine.

full story

Who are the top Cyber Insurance Companies?

Cyber Insurance needs to provide not only financial indemnity, but also some type of Incident Management Team. This normally includes IT Specialists, Lawyers, Ransom Negotiators etc.

Finding the right Cyber Insurance Company can be tricky, and expensive if you get it wrong.

Cyber Insurance is a relatively new form of insurance, and until quite recently was thought of as being quite specialised.

What this means in practice is that there are fewer insurance companies or providers who offer it, compared with other types of business insurance, and those who do offer it tend to vary quite considerably in terms of coverage and cost.

This is likely to change in the next few years as the need for some type of cyber insurance becomes more mainstream.

The risk of cyber crime has grown massively in the last couple of years, and the changes in technology in relation to smart homes, autos, travel etc means cyber security will need to become a feature of everyone’s life, at home, work and play.

Cyber insurance will have to follow this, either as a stand alone policy, as at the moment, or incorporated into other insurance policies.

Cyber Insurance Companies

It is worth just distinguishing between insurance companies, brokers and agents.

An insurance company, sometimes called a carrier or provider, does the actual insuring of the cyber security risk. It assesses the level of risk, decides what level of cover it is willing to provide, and decides how much it wants to charge the business by way of an insurance premium.

This process is known as insurance underwriting. Insurance companies can be based in any country, but often operate on a worldwide basis, or in certain geographical areas.

Lloyd’s of London is fairly unique in the sense that it is not simply one insurance company, but operates effectively as an umbrella organisation for a number of different insurance companies, who trade under the Lloyd’s name, and will normally insure things on a worldwide basis, either under their own name, or the Lloyd’s name.

An insurance broker is an independent agent, who acts on behalf of their client, and approaches several different insurance companies to determine the best conditions and price for their client’s needs.

This means they need to really understand their client’s company and business, as well as the cyber insurance market. They receive a commission from the insurance company by way of payment, but legally are always the agent of the insured, not the insurance company.

An insurance agent can be a slightly confusing term. It normally refers to an individual or organisation who acts as an agent of a specific insurance company, sells their products only and receives a commission as a result.

They will always be an agent of the company, not the insured. An insurance agent may also be involved with or representing another institution such as a bank or financial institution.

If they are offering advice on cyber insurance, or any type of insurance, they should always declare if they are an agent of a particular company, or independent. Most do, but not all. It is always worth checking.

Cyber insurance hasn’t made it to cost comparison sites yet, and with the variations in cover and cost, it is well worth considering going to an insurance broker with knowledge and experience of the market.

Cyber Insurance Hiscox

Hiscox have quickly established themselves as one of the leading cyber insurance providers.

For a long time, they have been regarded as one of the foremost insurance underwriters for small businesses, specialising in professional liability insurance, errors and omissions policies, business owners insurance and workers comp.

The move into cyber liability insurance was a fairly natural and obvious one.

Hiscox Cyber Insurance policies will not only offer financial indemnity like any traditional insurance policy, they also deal with the management of the incident or data breach, through what is known as an incident management team.

This will normally consist of a number of negotiators who can deal with any type of cyber crime such as ransomware, as well as companies who deal with reputational damage, and IT specialists who can restore the integrity of any hacked system.

A cyber insurance policy should also have some provision for loss of income or business interruption in the event that the cyber attack or data breach renders the normal day-to-day workings of the business untenable for any period of time.

Hiscox have also focused on producing a number of risk prevention models, training models and practical tools for risk management for a wide range of companies and organisations.

Cyber Insurance AIG

AIG are another leading insurer who have built up a specialism in Cyber Insurance, with three specific policies they underwrite, known as

CyberEdge,

CyberEdge Plus and

CyberEdge PC.

These insurance policies cover the financial cost associated with data breach, as well as cyber extortion, restoring an IT system or network, business interruption etc.

AIG also invest heavily in cyber security advice and cyber crime prevention through training and risk management services, both online and face to face.

Cyber Insurance Chubb

Chubb are one of the largest insurance companies in the world, and trade strongly in North America.

On their website, they claim to be the world’s largest publicly traded P&C insurance company, and the largest commercial insurer in the US.

Whilst this gives them an undoubted presence and strength in North America, it also means they have the resources to be a major force in cyber insurance worldwide.

Chubb have four major cyber insurance policies

Cyber Enterprise Risk Management

Digitech Enterprise Risk Management

Forefront 3.0 – Cyber Security

Integrity+

These policies have a wide range of different components, which range from standard cyber protection, to extensive loss mitigation and incident response services, privacy notification and crisis management expenses.

A good cyber insurance policy will include basic financial indemnity, but also a wide range of support services to both manage the immediate crisis, and to deal with the resulting fallout.

This applies both in terms of notification to individuals about a potential data breach and its consequences, through to advising and informing any relevant regulatory bodies of the same relevant breach.

Cyber Insurance Companies and Lloyd’s

Lloyd’s is the oldest and most established insurance market in the world, and justifiably has a reputation for both tradition and innovation in insurance related products.

As a market covering a number of different companies, as of 2018 it has approximately 77 cyber risk insurers under one roof, as it were, who can both initiate and cover all types of cyber risk insurance.

Many of the specialist underwriters at Lloyd’s view cyber liability insurance in the same way as they do another specialist type of insurance, kidnap and ransom insurance.

They view cyber liability as being not simply about financial indemnity, but about managing the incident itself in the quickest and most effective way possible. Most Lloyd’s policies will have provision for and cover the following areas

Breach Response

Liability

Regulatory

Extortion

Business Interruption

Reputational Harm

PCI DSS Assessment and Fines

Perhaps the main advantage that Lloyd’s has over most other traditional insurance companies is twofold.

It has a reputation, normally justified, for producing types of insurance policies that are both relatively fair, cost wise, and are highly innovative in terms of the level of cover they provide.

They also have a reputation for swift and effective claims management handling.

With cyber liability insurance the speed and effectiveness of dealing with the management of the data breach is often as important as, or even more important than, dealing with any long-term financial or reputational damage.

Cyber Insurance Allianz

As well as providing insurance cover, Allianz have a number of what they refer to as risk engineers, who specialise in IT security, and who have their own specialism in evaluating a company’s level of IT security and maturity generally.

They seem to take the approach that they would like to work with companies of all sizes in developing and safeguarding their IT infrastructure, and developing ways of pioneering safe practice.

They refer to this practice as IT maturity. Against this background they then develop any type of cyber insurance that may be needed.

Allianz have two types of relevant insurance policies

Allianz Cyber Protect

Allianz Reputation Protect

The Cyber Protect policy is the one mentioned above, whereas the reputation protect policy covers the potential risk of reputational damage caused by a number of incidents, some of which could be related to a data breach, and others related to other types of risks depending on the nature of the business.

These can include health and safety incidents or accidents, various types of product liability related claims, business interruption and legal and regulatory investigations.

It seems likely that Allianz separate out these two types of policies because they believe that cover for reputational damage, which can arise from a number of incidents, can be as valuable as simply having that level of cover within a cyber liability insurance policy.

For some people this may be more relevant than others.

Cyber Insurance Aviva

Although Aviva is a fairly well-established name in the insurance market, it is a relatively new player in the cyber insurance market.

This isn’t necessarily a positive or negative thing, and its cyber insurance cover has three main elements: cover for a data breach response, computer cover, and third-party liability.

It is unclear at the moment what level of risk management and incident management help it provides when compared with other major players, such as Hiscox and Chubb, but this may suit some people who simply want a more standard type of insurance policy.

Cyber Insurance QBE

QBE is often thought of as an insurance company that is strongest in Asia, Australia and New Zealand. It does in fact have a very strong worldwide presence, and in relation to cyber insurance it does lay very heavy emphasis on what it terms providing crisis support.

Their panel of experts include companies such as Experian and Norton Rose, and they seem genuinely thorough in terms of their approach to helping to manage risk.

They also have a number of very well thought through and concise articles on their website that deal with current data protection legislation and implications for individuals and small businesses.

Whilst it may not always be strictly relevant, when an insurance company really understands the nature of cyber security, and puts in place protective tools and training for companies of all sizes to help them prevent cybercrime, it is not only good PR for the insurance company, but also helps mitigate and reduce risk, and should result in lower premiums and better levels of crisis management as well.

One other advantage of being a global company is that QBE can provide policies in different languages, and for companies of all sizes who operate in different geographical areas, they say they are able to provide global cyber programs, which may be valuable for companies who operate in different countries.

Cyber Insurance Marsh

Marsh is essentially the trading name of Marsh and McLennan, one of the world’s oldest and largest insurance brokers. Whilst the size of a company like this may sometimes seem slightly more of a disadvantage than an advantage, in relation to cyber insurance it is probably an advantage.

Sometimes really big companies become quite institutional, and lose their sense of being able to innovate and deal effectively with new and cutting-edge needs and technologies.

With regard to cyber insurance, the history that Marsh has in terms of providing insurance for a wide range of different businesses and industries probably gives it the edge over most other brokers in terms of understanding the needs of businesses generally.

It is this understanding of how an industry or business works that allows it to model the risk to the business in terms of cyber liability, and make recommendations accordingly.

Any insurance broker is only as good as its knowledge and understanding of the industry that it is arranging insurance for, as well as its knowledge of the insurance market it is working in.

Cyber Insurance Symantec

Symantec is a name more commonly associated with cyber security, being one of the most well established players in anti-virus and malware software.

In the last couple of years it has taken the initiative to team up with a number of insurers to help provide them with the knowledge and experience of what developing cyber risks are, and what needs to be done both to mitigate risk and develop insurance solutions relevant to meeting those risks.

There is no doubt about the value of a company like Symantec using its vast experience to help insurers really understand the nature of cybercrime and how it is developing in ways that insurers would not be able to do themselves.

In some ways this may be more helpful to insurance brokers rather than insurance underwriters, as a large part of the work that a good insurance broker will do will be to help model risk, and advise companies at what level of risk they can self insure, and where they need some type of cyber liability insurance policy to cover risks they cannot manage.

Cyber Insurance Aon

Aon describes itself as a leading global professional services firm providing a broad range of risk, retirement and health solutions.

It goes on to talk about 50,000 colleagues in 120 countries empowering results for clients etc. For people who like jargon this is fine, but is also unfortunate because it could put people off looking at them as a prospective broker.

In fact they have a significant place in providing cyber insurance advice and experience, and have a wide range of products and services which could be extremely useful to a wide range of businesses. It may not help their credibility by advertising in their products section that they provide bedbug insurance (which may well be useful for some people) alongside cyber insurance.

In February 2018 Aon teamed up with Cisco, Apple and Allianz to provide what they term a new cyber risk management solution, bringing together the various strengths of the four companies involved.

Partnerships like this could well be a significant move forward in terms of providing solutions that integrate technology, insurance and risk management.

In addition, Aon have their own online cyber diagnostic tool, which allows companies to fill out a questionnaire so that Aon can provide a detailed report back to the company analysing their potential exposure to cyber risk and cybercrime liability.

Cyber Insurance PWC

PWC, long thought of as one of the world’s leading accountancy firms, also have a strong reputation as a leading firm of business consultants. With regard to many areas of business, this often puts them in a unique position to help advise a wide range of organisations, and this is certainly true of cyber insurance.

Their consultancy experience allows them to focus on managing cyber risk, with a special emphasis both on the business and technical side. They have a defined approach to what they refer to as cyber resiliency, which allows them to advise on risk management, best use of technology and operations and incident response.

Their work is often thought of as purely preventative, which is not necessarily a bad thing, but should also be thought of as part of helping a business or organisation of any size or type build and develop a culture where there is an understanding of and respect for the need for cyber governance at all levels of the operation.

Cyber Insurance Nationwide

Nationwide describes itself as a mutual insurance company, although there is a disclaimer on its website that not all companies associated with it are mutual, so it is difficult to be clear whether or not it is a mutual company in the traditional sense of how they are understood to operate.

This can be important to some people, as mutual insurance companies are thought of much in the same way as credit unions, and many people respect this type of mutual benefit.

Notwithstanding that, Nationwide together with Hartford Steam Boiler, offer three fairly standard cyber insurance policies, that cover data compromise protection, identity recovery protection and Cyber one protection, which focuses on protecting against damage caused by malware or viruses. There is also some general advice about securing your business against risks from data breaches, denial of service etc.

Although Nationwide are a well-respected company, it is not clear from their website exactly how much experience they really have in this type of insurance, and whether or not they should be considered a serious player at the moment.

Cyber Insurance Munich Re

Munich Re are one of the oldest insurance companies around, and have a strong and valued reputation for all types of insurance.

With regard to cyber insurance, they offer an insurance policy called cyber one protection, designed by Hartford Steam Boiler. It is not clear whether or not this is the same insurance policy issued by Nationwide as above.

The cover offered seems fairly solid, by way of coping with data recovery for both electronic and non-electronic information, restoring the integrity of the system that has been breached, helping with any loss of business or business interruption as the result of the cybercrime, and helping with reputation damage limitation.

There is also some coverage for third-party liability and potential damages resulting from that.

Cyber Insurance Willis

According to claims data released by Willis Towers Watson, approximately 2/3 of all cyber breaches are caused by employee negligence or wilful action. This is quite a powerful statistic, and unsurprisingly goes to the heart of the approach by Willis to dealing with the whole issue of cyber risk.

Willis, traditionally known by the name of Willis Faber, are one of the world’s oldest and leading insurance brokers.

Their approach to cyber insurance has a threefold basis, that of assessment, protection and recovery, with a heavy emphasis on developing in-house strategies that involve both technology and people, as well as developing a strong ethos of cyber governance throughout the organisation.

Their approach to dealing with cyber insurance seems to embrace best practice as already outlined above.

In addition, they do lay heavy emphasis on providing what they refer to as deep forensic analysis of any data breach or cyber crime, to make sure it is understood how and why it happened and quickly putting in place any preventative measures necessary to make sure it doesn’t happen again.

Cyber Insurance Zurich

Zurich is often thought of as a fairly traditional type of insurance company, and what it offers by way of cyber insurance is a fairly standard type of policy compared with most of the other ones around at the moment.

It does have a number of risk engineering tools and services which can be helpful, and the fact that it is a global underwriting company with a number of offices and agencies around the world can add an element of attraction for some people.

Cyber Insurance Travelers

Travelers is a well respected and well established insurance company, and seems to be making a fairly intense effort to establish itself as a serious player in the cyber insurance market.

It has a number of tools and resources to help individuals and companies manage cyber risk for any breach, and to deal with the fallout of any situation post-breach.

It has teamed up with Symantec to help companies assess levels of risk, and put in place procedures and policies and training which can help manage the risk and reduce it as far as possible.

It also has a number of specific policies for different types of organisations and businesses. It has a policy called Cyber Risk for a range of different industries and businesses, and a policy called Cyber First for technology companies and public organisations.

It also has a policy Cyber First Essentials for small businesses and SMEs.

Travelers has a range of cyber security coaching and support services available to help organisations and businesses plan and deal with any breach. They have what they refer to as a Breach Coach, a Symantec Cyber Security Coach and a HIPAA Coach.

Travelers also has an e-risk hub which brings together a range of its policies, wordings and benefits. There is also a cyber academy, which has a range of videos and training tools which give people easy to understand information about the ongoing types of cybercrime and cyber risk, and how best to reduce and manage them.

Tata AIG

There is a fair amount of talk that tech companies in India do not take cyber security and insurance as seriously as they should, given the size and growth of India as a major player in both providing and servicing so much of the world’s technology industry.

Whether that is true or not, Tata AIG have structured what looks to be one of the most comprehensive cyber insurance policies around, and have very clear and detailed information about data liability covers, in terms of loss of personal information, loss of corporate information and outsourcing, as well as network security.

It also provides extensive cover for reputation and response costs in relation to forensics services needed to restore integrity of the system and the company, repairing and restoring the company’s reputation, notification of a data breach to individuals that information has been stolen and reporting to regulatory bodies where appropriate and necessary.

Their policy also provides some help with credit monitoring and provides optional extensions for multimedia liability, cyber privacy extortion and network interruption.

Tata AIG also have a range of directors and officers liability, professional indemnity, errors and omissions insurance policies, and as part of that also have a crime and fidelity insurance policy. This policy addresses the unpleasant issue of senior and trusted staff stealing from, or in some way allowing criminal activities to happen within a company.

No one likes to think that this is likely, but as the claims report from Willis shows, approximately 2/3 of all cyber security crime arises from staff negligence and malfeasance. Intentionally or not, the need to have some level of security regarding activity or inactivity by senior staff and often those below them is fairly evident, however unpleasant that may be.

Cyber Insurance JLT

JLT (Jardine Lloyd Thompson) are perhaps not as well known as some of the major insurance brokers, and would perhaps be regarded as a specialist London Market insurance broker.

Whilst they are certainly specialists in the London market, they also operate worldwide, and have an outstanding reputation in all areas of insurance they provide advice on, with cyber insurance being one of their specialities.

They provide extensive levels of advice and guidance to companies on how best to manage cyber risk, especially to companies who are new to the idea that their business may need help.

They have a unique data organiser tool which helps businesses assess risk and provide details of the company’s cyber risk exposure.

They also advise companies where cyber insurance excludes certain types of risks such as patent, software and copyright infringement, failure to take required security measures and certain employment-related claims.

Cyber Insurance Hartford

Hartford is a well-established and well-respected insurance company, and certainly provides cover for cyber insurance.

It seems to have a slightly more distant approach than some other insurance companies, in that it has cyber liability insurance and data breach insurance, coverage of which can be added to existing business owners insurance policies and general liability insurance policies already underwritten by the Hartford.

It also has its own cyber choice first response which is designed to develop a cyber incident response plan, advise on cyber security and provide a coordinated defence to any cyber attack, and help deal with the consequences of any incident that might happen.

Cyber Insurance Arthur J Gallagher

Arthur J Gallagher have a well-deserved reputation as a broking firm of high integrity, which, whilst you would hope most insurance brokers do have it, can make a real difference when dealing with a significant amount of cyber liability risk, which often involves dealing with areas of certain businesses where trust is significantly lacking.

As a company, they have significant experience in cyber insurance, and are well able to structure individual programmes and policies to the nature of a particular business organisation.

They also have a significant knowledge center available to clients, which can provide background information and detailed reports about the current nature of cybercrime, what the most likely cyber risks are, and the best way to provide varying levels of protection within a company or business.


Cyber Security Basics

Many people think that cyber security only applies to big companies and governments, and that it should be dealt with by the IT guys.

Anyone who owns a computer, who works with a computer or who has a smart phone needs to be aware of some pretty basic rules about cyber security, both for their own sake and for anyone they work with or for.

Cyber security is about understanding the risk of cyber crime, doing whatever you can to minimise the risk, and then when necessary insuring against whatever potential risk is left.

Cyber Crime

The nature of cyber crime is a rapidly evolving one, and can cover a wide area. At one level it is about criminals trying to obtain money or other benefits either by installing some type of ransomware on a computer or a system, and demanding payment for releasing encrypted files, or by some other type of blackmail.

On the other hand cybercrime can be about online bullying, where there may be no financial element involved, but where the emotional and personal distress can often be enormous.

Cyber crime can also be connected to malicious software, known as malware, and viruses, which do not have any specific financial target, but which are designed to disrupt and in some cases destroy data or computer systems on a particular network.

Prevention

The old adage that prevention is better than cure is an absolute truism when talking about cyber security. Perhaps the number one priority for all types of cyber security is to make sure that all your data is always backed up, ideally more than once, to different locations.

Backups can either be by way of cloud computing, memory sticks or to another network, but they are crucial to restore the integrity of the system in the event of any cyber attack. Nowadays it is dead easy to automate backups and so there is really no excuse not to do it.

The same goes for making sure that your computer operating system is up-to-date, and that any applications or software you use are running the latest version.

The same applies to any browser you use. If you are running it as part of a network, then it is also important that all firewalls, anti-virus and anti-malware software are in place and up-to-date.

Cyber Security basics are in many ways common sense.

A lot of the incidents that relate to cyber security happen because very basic rules are just not always followed. Simple things like not opening email attachments unless you know who they are from is a classic example.

Much of the damage done to computer systems and networks comes from things like opening attachments that shouldn’t be opened, letting viruses and malware into the system, and not changing passwords regularly enough. An increasing problem is people using their own mobile devices at work on a company network.

Mobile Cyber Security

Smart phones seem to have escaped the focus of cyber security, which has largely been on desktop computers and networks.

However the risk to smart phones is certainly ever present, and is likely to increase as smart phones become much more of a digital hub for people’s lives, both in their own home, in their car and at work as well.

The same principles apply to mobile cyber security as to the desktop and network security.

Make sure the operating system is up-to-date, make sure the browser is up-to-date, and do not open email attachments unless you know for certain who they are from.

Also with smart phones it is really important to be sure that the Wi-Fi network you are using is secure, especially if you are using the phone for things like online banking.

Some public Wi-Fi networks are notoriously unsafe, and should be used with great caution.

Smart Home – Internet of Things

The relentless drive of the Internet of things has received a major boost in recent years with Amazon, Google and Apple all producing their own smart home hubs.

These are designed to control all the wirelessly connected devices in the home, of which there are an increasing number. The idea of a smart home has been around for some time, and is gradually becoming a reality whether people like it or not.

An increasing number of devices and products, from washing machines to refrigerators to televisions have wireless internet capability, and can talk to other devices electronically as well as connect to the Internet.

There are huge cyber security risks involved in this, as many devices either do not have proper security safeguards built in, or are out of date by the time they arrive in the home.

The issue of cyber security in the home, especially in the Smart home, is rapidly becoming an issue.

The most important things to do are to check that any devices that have wireless capability have the latest software and security updates from the manufacturer installed, to make sure that your home Wi-Fi network is secure, and to check online with any product you buy to see if there are any problems regarding security that other people may be reporting.

Cyber Security Governance

The idea of some type of governance is largely a corporate one, but the principle applies to anyone who runs any type of business or organisation of any size, and can also be adapted very easily to anyone’s home or domestic environment.

The principle of cyber security governance is that a business or organisation of any size has a dedicated risk management plan and system for making sure that cyber security is as strong as it can possibly be within the organisation.

This in part is about policies and procedures, but is also about systems and people as well.

Firstly it is important to have one person at board level or equivalent whose sole responsibility or whose major responsibility is cyber security. They must be accountable to the organisation, and have the authority to make decisions and spend money when necessary.

The structure should be similar to that of many companies who have a risk management system in place.

The individual concerned needs to develop policies and procedures for making sure that the integrity of the network system is always as secure as it can be, whether it is done in-house or by way of outside contractors, and that people who work within the business or organisation are also fully aware of cyber security risks, and what can be done to minimise these risks.

This can involve training, as well as online monitoring of activity that may be deemed inappropriate in a workplace, and making sure some type of cyber insurance policy is in place that ideally includes an incident management team which can oversee the practical resolution of any data breach or cybercrime, and the restoration of the integrity of any compromised computer or IT system.

Identity Theft – What Is It?

Someone who is a victim of identity theft is someone who has had their identity stolen in some way, and the criminal has used that identity to fraudulently obtain some type of benefit, such as a bank loan, credit card or other financial gain in the name of the person whose identity they have stolen.

Identity theft is widespread, although the scale of it is difficult to assess financially as a lot of banks and financial institutions do not like to advertise the fact that they have been misled and had money stolen from them.

The risks of identity theft are well known, and there is a lot of good advice available about how to try and prevent identity theft, and there is some insurance protection available in the event that someone’s identity has been stolen, although the help that is offered is in reality fairly minimal.

Risk of Identity Theft

The crime of identity theft occurs when a criminal is able to obtain unique information about an individual, and then use that information to clone their identity. This cloned identity then becomes liable for a wide range of financial fraud, perpetrated by the criminal in the name of the individual’s identity that has been stolen.

In order to steal an identity, it is generally accepted that there are a number of specific pieces of information that someone needs.

These normally relate to areas of information that are unique to that individual, and cannot apply to anyone else, such as their date of birth, their social security number or national insurance number, passport etc.

In reality, a criminal will try and obtain as much information about that individual as possible, in order to build up a picture that can be used to effectively represent them in a fraudulent manner.

Preventing Identity Theft

There is no sure way to prevent identity theft, but there are certain things you can do to make it more difficult.

Perhaps the most important is to make sure that all information that is unique to you as an individual regarding tax and social security, pension benefits, medical benefits etc is sent to you by regular post rather than email.

This may seem fairly basic, but this is in truth probably the most practical way of preventing unique information falling into the hands of criminals.

The other things that you can do are to monitor things such as bank accounts, credit cards etc, to see any unusual activity.

This can also apply to any strange letters or visits or phone calls that might seem to imply unusual activity regarding your finances.

Any warning sign that your credit is being altered in some way that seems to you unlikely should alert you to the possibility of some type of identity theft or identity theft tampering.

Dealing With Identity Theft

If you discover that your identity has been stolen, there are a number of steps that you should immediately follow. The first is to notify your bank or credit card company that you believe your identity has been stolen, and ask for their assistance in helping to resolve it.

Make sure that they are willing to work with you to sort out the issue without penalising you by way of freezing your account or anything similar.

Make sure you register the identity theft online. There is normally a government-backed website available, either a government site or a law enforcement site, that allows you to log the fact that you have had your identity stolen, and should be able to provide some assistance in terms of helping to recover it.

If your stolen identity has been used to fraudulently obtain a loan or a credit card, make sure you collect all the information you can about it before it is completely disabled and shut down, to help track and trace the initial fraud.

Identity Theft Insurance

Some type of identity theft insurance is normally offered by way of a rider or endorsement to a home or homeowners or renters insurance policy. The cover it gives normally focuses on some type of financial assistance for help with attorney/lawyers’ fees, assistance with credit monitoring, acting as a liaison with banks and insurance companies to try and resolve ongoing fraud issues etc.

Whilst this help can be of some value, the real help that is needed with virtually all types of identity fraud is unravelling fraud that has taken place, and getting banks and financial institutions to believe that it has actually happened in the first place.

There is a lot of anecdotal evidence that implies that banks tend to want the individual to prove their identity has been stolen to an exacting degree before they are willing to consider the possibility that fraud has taken place.

Proving identity theft has taken place can be quite difficult, especially where it is the sort of crime where you are up against a number of institutions that initially may well not believe you at all. This is an area where some type of identity theft insurance would be really invaluable, but unfortunately most current insurance policies do not really provide much value in this area.

Identity Theft and Cyber Insurance

Whilst the scale of identity theft is hard to assess, what is fairly clear is that the growth of cybercrime and cyber security means that the amount of identity theft and fraud is bound to increase fairly substantially over the next few years.

It is becoming easier and easier to know more and more about people, whether they want you to or not.

Some of this is around information gathered from social networks, and what people post online about themselves, privately and professionally. The growth of the Internet of things, and of big data, means that the amount of information available about people, with or without their knowledge, is going to explode to a level that is almost incomprehensible at today’s levels of knowledge.

Sometimes this information is gathered through hacking into corporations’ websites where personal data such as credit cards etc has been stolen.

Current cyber insurance policies are mainly aimed at businesses and organisations, and the insurance companies that offer best practice seem to include some type of incident management team, that includes lawyers, IT specialists, reputational management specialists etc.

The insurance policy is designed for a team to come in and take over the running of dealing with the cyber attack, both negotiating a successful outcome and restoring integrity of the system as well.

It is likely that as the rate of identity theft grows, insurance companies will need to provide some type of incident management team for individuals as well, either as part of an existing insurance policy, or as an add-on to some type of specialist cyber insurance policy.

The Internet of Things – What is it?

The Internet of things is a collective term for all the various devices, products and wearables that can connect to each other, and to the Internet as well.

Whilst the idea of devices talking to each other, electronically, has been around for some time, the reason the Internet of Things has become a huge concept in more recent times is because of the sheer volume of devices and products that can access the Internet.

Various experts predict growth in the market of the Internet of things to be so huge over the next 5/10 years that it is almost impossible to put it into any sort of context.

What is undoubtedly true is that there is a relentless drive by manufacturers of every single product to make sure that they are able to connect their device wirelessly to the Internet.

This has huge implications, not only for the nature of society and how it will change, but for people’s privacy, the control of the information that pertains to their life and their security and well-being.

Moral questions aside, perhaps the most potent issue is that of cyber security and cyber insurance.

Given that in a few years’ time virtually everything we own, drive and wear is likely to be connected to the internet whether we like it or not, the potential risks in terms of some type of cyber attack are enormous, and there are significant implications for people’s safety, both physically and emotionally and financially.

How these risks are managed and understood, both by way of minimising them and insuring against them is a major challenge that has yet to be clearly addressed.

Internet of Things and Smart Homes

When people think of the internet of things they normally think of smart homes and smart home devices. This is largely because most examples of the Internet of things have tended to paint a picture of how wireless devices will make people’s lives easier by automating normal everyday functions, whether it be driving home from work, fixing the evening meal, automating lights and music in the home, controlling heating levels etc.

Whether normal people actually find the idea of this attractive or not is debatable, but what is clear is that virtually all current devices and products that are now being built and produced for the home will contain internet capability.

This is true whether it be a smart television, a baby alarm, a refrigerator or a washing machine. What is also likely is that these devices will be switched on by default, and it is not clear yet whether there will be any capability for turning them off so you are not wirelessly connected.

There is also a fair amount of anecdotal evidence that a lot of major companies are pushing out products that have internet capability with a speed that is more about getting to market quickly and riding on the wave of popularity that the internet of things seems to be generating, than it is about really understanding the security implications of what they are doing.

What this means is that there may be many products reaching market that have not been fully tested or manufactured with security in mind, and may need continual software updates or patches to make sure they are secure.

The risk of a cyber attack in a smart home mirrors many of the current risks that a business or organisation will face in its current day-to-day operations.

The dangers inherent in smart homes are not so much that someone’s refrigerator is at risk of attack, but that someone can access a person’s home network through one of these devices, such as a baby alarm or a washing machine, and through that gain access to the individual’s or family’s private data.

Wearables

When people talk about the Internet of things they are also talking about wearables. These can currently only be best thought of as smart watches and Fitbit devices. The last couple of years show that major tech companies have been experimenting with different types of wearables, such as glasses, watches and even tattoos as a way of connecting people to the Internet by things that are a part of their body or apparel.

What is really important to realise here is the principle: that tech companies want to find at least one wearable that people feel comfortable having on them at all times that can access the internet.

Obviously from a tech company’s point of view it is preferable to have more than one, but one will do. For this reason major tech companies will happily experiment with different types of wearables until they find one that really hits the market.

The implications for wearables are pretty much the same as for those of a smart home.

The fact that an individual will have something connected to their body that is internet accessible means that they are much more at risk of a cyber attack, with all the security implications already mentioned.

Wearables are not simply about phones and glasses.

There is a lot of anecdotal evidence that manufacturers of clothes, shoes, shirts etc are looking at ways of inserting internet access and internet products, probably by way of some type of barcode, that would give them information about individuals and their shopping habits.

There is also anecdotal evidence of manufacturers of pillows and bed clothing doing the same thing, again under the pretext of collecting information about how an individual sleeps and various sleep patterns.

Often, once people understand the implications of how their life will be fully monitored 24/7 via access to the Internet, there is some shift towards a fight against it in terms of privacy and control of their data.

Whilst both these areas are hugely important, they sometimes skew perhaps an even greater need for the understanding of cyber security and cyber insurance to minimise and manage these risks with some degree of safety.

Internet of Things and Autos

In the space of only a few years, most manufacturers of cars and trucks are talking about and developing autonomous vehicles. No one really seems to be asking the question why; there is a general assumption, often untested, that it is about safety, and that somehow self-driving cars and trucks are safer than those with a human behind the wheel.

It is worth going back to the original Google car that was the first self driving vehicle.

That had nothing to do with safety at all. Google’s first car, which more resembled the old bubble car, was designed with one particular aim in mind. It saw the commuter market, particularly on the West Coast, where people would sit in their cars in gridlocked traffic for approximately four hours a day, two hours each way, doing nothing other than look at the scenery around them.

Google saw these cars as opportunities to provide consumers with content that could carry advertising. This meant that if the car could drive itself, the individual could spend time either watching content or playing with content, having a screen in the middle of the car and not having to worry about where it was going.

As manufacturers jumped on the bandwagon of this, the narrative slightly changed and people started talking about safety.

Quite where it will end up is unclear, but what is clear is that the trend in most modern cars is to turn them more into infotainment centers than vehicles that can be driven on highways and byways.

The rise in the use of technology in cars, both inside the engine and inside the vehicle itself, is enormous.

What this also means is that the security implications are huge as well.

There seem to be two scenarios that are likely to develop in the future. One is the rise of autonomous cars that drive themselves with no human involvement at all; the other is where technology is used to automate a number of functions within the vehicle, largely around safety, but with a human driver still in overall control of the vehicle.

Both scenarios are likely to coexist for a significant period of time, and both have fairly obvious cyber security implications.

The most common threat that is talked about is where someone manages to take control of the vehicle remotely by way of hacking into the car’s various systems, and this is obviously a very real threat.

The other major threat, less often talked about, is where someone manages to access the car’s computing system through the individual’s smart phone, which will largely be used to control most of the on-board Internet access.

Once someone has managed to hack into a smart phone, then it’s open season for all the information contained therein, whether it relates to banking details, credit cards, passwords etc.

It is not clear yet how auto insurance or car insurance will manage and insure these risks.

One reason for this is simply that at the moment it is very difficult to quantify these risks, let alone assess who is responsible for them, and what can be done to minimise them. One thing is likely, which is that the risk of a cyber attack will undoubtedly increase the cost of an individual’s car insurance, whether it is an autonomous vehicle or not.

Agriculture and Energy Management

There are many areas in business and commerce where the internet of things can undoubtedly speed up production and efficiency, logistics and inventory control. There is likely to be a significant cost in terms of human labour, but history seems to suggest that companies don’t worry about this too much.

Two areas that are worth looking at briefly are those of agriculture and energy management. Agriculture especially because it relates to the food that we would eat, and the internet of things could dramatically alter the nature of farming and farming techniques.

Energy management is the other area, which has a direct link to smart homes and the use of energy in businesses and factories. One of the great selling points of the internet of things is that it can make people’s homes more energy efficient, thus saving them money and conserving energy and fuel at the same time.

Energy management is already a crucial issue in society, even if not all politicians are open to doing what needs doing to effect climate change.

The internet of things has the potential to manage all types of energy industries and infrastructures with a much greater degree of efficiency and safety. This also means that there is much greater scope for a cyber attack, either around the issue of nuclear plants or oil and gas installations etc.

Again the issue from a cyber security and insurance point of view is assessing the level of risk, understanding how best to minimise that risk, and arranging some type of cyber insurance that can effectively deal with the implications and reality of any type of cyber attack or disruption.

Smart Cities

There is also a lot of talk of smart cities. This is where cities use the collective data generated by all the internet of things within a city or town, generated by cars, sensors, Wi-Fi networks, people’s wearables etc, as a way of planning urban development in a more efficient and productive manner.

Again the security implications are significant, as more and more people generate more and more information and data, that is collected and analysed, then there is obviously a greater risk of that data being accessed and stolen, with real implications in terms of cyber security and identity theft.

What is Big Data and A.I?

The term big data refers largely to the massive amounts of information and data that has come with the growth of the internet, and with the growth of the mobile internet in particular.

To understand big data, you really need to understand databases, and the relationship between information and how it is used.

What is a Database

Imagine that you own a business which employs say 10 to 15 people, and when each one joined the company they filled in an application form that details say 30 / 40 specific pieces of information about themselves.

This information would be their surname, christian names, date of birth, place of birth, previous jobs, start date, qualifications, skills etc.

You would probably also want to record information such as their starting salary, additional payments, date of annual appraisals, pension contributions etc.

Once you have collected all the application forms for all the employees, you would want to have a system where you could record it all and access any of the information whenever you needed it.

The easiest way probably would be to set up a spreadsheet, where you allocate a row to each individual employee, and fill out each piece of information in a particular cell going along the row.

Once you had done this for all employees, you would have 10 to 15 rows of information going along the spreadsheet, and maybe 30 or 40 columns going down the spreadsheet which gave you the collected information for the specific areas for all the different employees.

That quite simply is a database.

Databases have been around pretty much since paper was invented, but have only really become significant with the advance of computational power, firstly with mainframes and lastly with PCs and the internet, and currently through cloud computing.

A database can be the information collected by a community organisation with three or four members, or a massive multinational with hundreds of thousands of employees scattered across the globe.

The common factor in most databases is that you have very specific areas of information, which can be stored in very logical ways, itemised and analysed by virtue of their field or category.

Growth of Big Data

Many experts claim that 90% of all the information available in the world today has been generated in the last two years (as of 2018). Whilst this is a difficult claim to verify, it is most likely that a figure somewhere near this is reasonably accurate. The growth in online information has come about through the massive expansion of the mobile Internet, and the different types of data that have been produced.

Big Data Types

When people talk about big data, what they are really referring to is the information that has been generated on smart phones, desktop computers, trading platforms and different learning machines. The various types of programs that have generated big data include blogs, video sharing platforms, social networks, podcasts etc.

The sheer volume of these combined posts and tweets and webpages is almost too big to comprehend at any meaningful level.

Big Data Analysis

Big data is not simply about the sheer volume of data and information that is generated at the moment (2018); it is also about how this information can be stored, used and analysed.

Aside from huge privacy issues, there are real questions about who has access to this information and what it can be used for.

Companies want to use it to be able to target individuals specifically for advertising and products, governments want to use it for a range of different purposes, some probably more devious than others.

The problem from an analysis point of view, is that the information generated by way of social networks and tweets etc does not fit into a traditional database as outlined above.

This has meant that the manipulation of data to generate extra focus is virtually impossible. This means that other ways have had to be found to analyse information in order to be able to use it as other people see fit.

Internet of Things

Whatever the accurate figure is as to the level of information that has been generated today in 2018, it is going to be dwarfed by the amount of information that will be generated over the next five or 10 years with the massive growth of the Internet of things, more clearly explained here.

The significance of the Internet of Things in relation to big data is that it seems to be open season for virtually everything related to an individual’s life to be made wireless, so that companies and governments can get access to the information about how people live their lives.

This presents huge issues not only in terms of privacy, but also in terms of security. The more that people’s homes, cars, clothes, wearables, pets etc are connected to each other and to the Internet, the more at risk they are of some type of cybercrime, and the more need there is for some type of cyber security program and some type of cyber insurance to cover the risk.

The Four V’s of Big Data

Quite often reference is made to what are known as the Four V’s of big data. These are most commonly volume, variety, velocity and veracity.

Volume refers to the sheer scale of data and information that is generated minute by minute across the globe.

Variety refers to the different types of data and information that are generated, from audio to video to written. With the advent of virtual worlds and 3-D worlds this could change significantly.

Velocity refers to the sheer speed at which this information is generated, and the problems in terms of analysing it that are relevant to that.

Veracity refers largely to the accuracy of the information or data that is produced. Given that companies and governments want to rely on this information in order to analyse it, there are real difficulties and problems in terms of verifying how accurate it is.

Hadoop

Hadoop is an open source software system, run by Apache, that is effectively the current de facto way of analysing big data.

What it essentially does is to break the data down into significantly smaller chunks, direct these chunks to a wide range of different computers which can analyse it efficiently, and then these computers send back the results to Hadoop, which collects it and generates the finished analysis.

Machine Learning and Artificial Intelligence

Machine learning and artificial intelligence are often linked to big data, because it is recognised that it is virtually impossible for any human to effectively be able to analyse and make sense of the data that has been produced.

This has given free rein to companies to produce some type of process of artificial intelligence which can analyse and make sense of big data. The implications from a societal point of view, and from a privacy point of view, are pretty terrifying to a lot of people, but there seems to be no appetite by any government or organisation to really try and put some sort of brake on it.

The supposed benefits of artificial intelligence are sold as being a legitimate reason for developing it at breakneck speed, with examples given such as Netflix and Amazon, and governments’ or cities’ ability to use data to improve public services within those cities.

These claims are at best probably highly dubious, and give credibility to the speed with which this whole process is taking place. The issue of security and privacy seems to be completely ignored or marginalised, with those who raise them being looked at or talked about as almost Luddite.

It may well take some major catastrophe in terms of cyber security to wake people up to the reality of what is happening, and the inherent risks associated with this breakneck speed approach to technological change and advancement.

Threat of Cyber Attacks to Global security

Cyber attacks are now the third-largest threat facing the world, following natural disasters and extreme weather, according to the World Economic Forum’s Global Risks Report 2018, released Wednesday.

A World Economic Forum (WEF) executive summary said that cybersecurity risks have grown “both in their prevalence and in their disruptive potential.”

Some of the biggest risks, the report noted, were attacks against critical infrastructure and connected industrial systems—many of which can cause physical harm in the process. Some examples given in the report were WannaCry, Petya, and NotPetya.

full story

What is the Internet of Things?

The Internet of Things is a collective term for hundreds of devices that can connect to the internet wirelessly, and possibly connect to each other as well.

Some of the most common questions asked are:

What is the Internet of Things?

What are Internet of Things Devices?

How Does the Internet of Things Work?

How do IoT Devices Communicate with Each Other?

What is a Smart Device?

Whilst wireless devices are not new, what is new is the growth, and anticipated growth, in such devices, which is massive and set to explode in the next five or ten years. Many of these devices, which cover all areas of modern life, are being rushed to market, often with inherent security weaknesses as a result.

The Internet of Things is perhaps best understood by the following scenario.

Driving home from work, your car automatically detects that you are approaching home. Your car automatically opens your garage doors, turns on the lighting in your home, turns on the central heating in your home, switches your oven on, starts playing your favourite music that it has taken from your playlists on your smartphone.

As you get into your garage, you see the groceries that have been automatically delivered to your home. This was done by your refrigerator realising that it had run low on a number of items and had contacted your local grocery store.

The grocery store had updated your normal inventory, automatically debited the money from your bank account and delivered your groceries. To some people, this scenario sounds like a dream, to others like a nightmare.

In any event, the Internet of Things refers to a world where everything is connected wirelessly, with a huge range of privacy and cyber security implications involved. To people who think the above scenario is a kind of fairytale, the reality is that it is happening at the moment.

It is being driven by the major tech companies in the same way that cell phones and smart phones were being driven by phone companies a few years ago.

The range of Internet connected devices and wearables and products is growing at a huge rate, and it is only a matter of time before the Internet of Things, a wirelessly connected world, becomes more of a reality.

INTERNET of THINGS – SMART HOME

The smart home has become the focus of where the Internet of things is seen as developing, see Amazon’s Echo, but is closely followed by the healthcare industry where wireless connection of devices is already gathering significant momentum. Other areas of industry and finance and commerce are moving forward apace as well.

The issues concerning cyber security are enormous, and the need for some type of cyber insurance staggering. If everything that you own, buy or wear can be connected wirelessly to the Internet, then it can also be theoretically hacked, or have some type of malware installed in the system in some other way.

This means potentially an individual’s home is at risk, their car is at risk, their body is at risk if they have something like a pacemaker fitted, their pet is at risk if it is microchipped, as well as all their day-to-day activities being at risk such as banking, shopping etc, especially if being done on a smart phone or mobile device.

The other way that the Internet of things impacts hugely on cyber security is simply that any employee or volunteer will be taking their connected life with them into their place of employment or work, meaning that anything on or about them that is wirelessly connected will then feed into the IT infrastructure of their place of work.

This means that any organisation’s or business’s IT systems and networks can immediately be exposed to a wide range of wearables and devices that the IT system administrators have no real control over.

This of itself poses significant risks in terms of a data breach, in addition to the unpredictability of whatever wearable or device an individual may unwittingly bring into their place of employment or work.