The Cyber Sea is Full of Phish: Protect Yourself from Cyber Risks
March 29, 2023 • Carli Gallagher
What is more impactful today than disrupting the global supply chain? With a growing dependence on technology, the logistics industry has a target on its back for cybercrime.
Risks of Ransomware
Suppose you log onto your computer to discover your data is being held hostage until you pay a $1M ransom to a cybercriminal. How would you respond? What would the impact be if this led to a total systems outage lasting two weeks? Are you aware that by paying the ransom, you may unknowingly engage with a terrorist organization, which could result in regulatory fines? Ransomware attacks are the leading cause of cyber loss today. It can take weeks to recover your systems, months to understand the severity of the breach, and hundreds of thousands or even millions of dollars to correct the damage.
Social Engineering Fraud – not the party you want to be invited to
Another prevalent cybercrime is Social Engineering Fraud, which is a tactic of manipulating, influencing, or deceiving a victim to access private information, gain control over a computer system, or steal financial information. The criminal often impersonates a vendor or a co-worker, and the scam can reach the unsuspecting victim online, via text, or by phone. Social engineering scams typically target victims to corrupt data and cause harm, or to trick them into sending money. Social engineering schemes are often how criminals gain access to the victim's computer system, which may ultimately lead to a ransomware attack.
There are several types of Social Engineering attacks to be aware of:
- Phishing: Uses email or malicious websites to solicit personal information or to get the victim to download malicious software by posing as a trusted entity
- Spear Phishing: Phishing targeted at an individual by including information known to be of interest to the victim
- Vishing: Phishing via voice communication to entice the victim to engage in conversation and build trust
- Smishing: Phishing via text messages to get the victim to click on a link, download a file or begin a conversation
- CEO Fraud: Criminals impersonate senior company executives to gain access to sensitive data, or to transfer money to a bank account owned by the criminal
An organization's biggest mistake is assuming it will not be a target. However, phishing attacks have increased consistently in the last year. According to The State of Phishing report by SlashNext, malicious URLs from 2021 to 2022 increased by 61%, equating to 255 million phishing attacks detected in 2022. There has also been a 50% increase in mobile phishing threats. You need a multi-faceted plan to combat cybercrimes like ransomware and social engineering. You also need a comprehensive insurance policy. Cybercrimes should be addressed as a Business Risk, not just an IT issue. Your priority should be analyzing your operations and identifying your dependence on IT. How would you reach employees or clients if your system was compromised?
Below is a list of some risk mitigation strategies that you may want to consider:
- Develop a regularly tested Incident Response Plan
- Leverage automatic updates for operating systems and 3rd party software
- Inventory the sensitive information that resides on your network
- Know who has access to your network (customers, vendors, employees)
- Establish regular, automated data back-ups
- Protect back-ups with encryption
- Require unique and complex passwords
- Implement Multi-Factor Authentication (MFA) for admin privileges and remote access
- Use a Virtual Private Network (VPN) for remote access
- Invest in regular Cyber Security training for employees
- Perform ongoing vulnerability scans
- Implement Cyber insurance coverage
Cyber insurance is the most dynamic and innovative type of insurance today. A Cyber policy will consist of 1st Party Coverage for your own financial losses due to cyber extortion, funds transfer fraud, and lost revenue. It will also include 3rd Party Coverages (including litigation expenses, settlements, and regulatory fines), which respond to damages suffered by third parties because of a cyberattack on your system. A comprehensive cyber insurance program should include pre-breach services, such as ongoing vulnerability scans, and post-breach services, such as access to cybersecurity experts to coordinate a response plan.
Considering these issues, can your organization afford not to be prepared? Don't hesitate to contact me if you want to discuss your Cyber insurance coverage.
The Quest Newsletter is designed to provide critical information in the transportation industry. Avalon Risk Management is not responsible for the accuracy or reliability of information contained in articles. The reader/user assumes all risk in the use of such information.