Cyber Crime Insurance – Is this really necessary?

If you have not been approached by your insurance company to add on a Cyber Crime Policy, then you have been blocking their calls. Many insurance providers are pushing a Cyber Crime Policy, a type of insurance that covers losses from crime committed over the internet.

Why would your insurance company be trying to sell you a policy just for using the internet? Isn’t that like trying to sell me insurance for walking down the street? Here is my view from a technology perspective. If you can’t wait to see my answer to the question above then just skip to the end. I won’t blame you. I do it too.

What are they covering?

What types of attacks does cyber crime insurance cover? The primary one that I am concerned with is phishing and its various forms.

Phishing:

In general, phishing is when a sender solicits information from you via email. These are the emails you have seen many times claiming to be from FedEx, PayPal, etc. They ask for basic information to get into your account. These days they are easier to detect because people are more suspicious of generic emails asking for information, or at least I really hope people are more suspicious of them.

Spear Phishing:

This is the newer style of attack. These attacks are much more targeted at their victims. Compared to a generic phishing email, there are two primary differences here.

1- The email comes from a name you recognize (not necessarily their email address, just their name).

2- The email contains information that seems knowledgeable about your organization or clients.

Typically the attacker(s) will gather information via social engineering or other means in order to draft an email that seems much more legitimate to the recipient.

Here is a made-up scenario to help describe it better. Let’s say you are an office manager at a manufacturing company. Like many of our clients, you work with China or some other overseas producer for your goods. Often you may wire money to these companies for payment.

As the office manager you receive an email from one of your clients asking you to send the next payment to their secondary bank of XXX. The email may contain other details like your primary contact at the company, the date the product was shipped, etc. Guess where that money was just wired to. I’ll give you a hint. It wasn’t the client’s bank account.

How did they get that information for the email? I won’t go into social engineering in this article, but if you want to read an entire book on it, find “Ghost in the Wires” by Kevin Mitnick. It’s an eye-opening read to say the least.

Cyber vs Errors and Omissions Insurance

So why isn’t everything covered under errors and omissions or general liability insurance?

Seriously, I can’t defend the insurance companies; I’m not their biggest fan. I can say that this is a “new” type of attack, but honestly it’s also an old type of attack.

Social engineering has been around for a while. My guess is the number of claims has increased, so the insurance companies are trying to increase revenues to offset the money being paid out. Just a guess though. Probably a little too cynical, but who really likes paying insurance?

Why isn’t this detected?

You pay for spam and virus filtering, and you pay for other types of protection. Why wouldn’t this just be prevented in the first place?

Often the messages are blocked. You just don’t see them, so you don’t realize it. When a message is sent from a known offending server it will be blocked. Interestingly, this same technique also blocks good messages sent from the same source. We call this collateral damage in our office.

However, if the message is sent from a location that gets the majority of its messages from credible sources (like GMAIL), it will get through. Keep in mind there is nothing in the email message itself other than plain text. There are typically no links or attachments that look suspicious. So the filtering software really sees nothing other than a normal message. Much like the office manager in the example above.

So do you really need Cyber Crime Insurance?

I don’t know if this insurance is needed for everyone. Think about your business and how it works with its own accounts and the client accounts.

Do you have the potential to give out information about yourself or a client that may be compromising? Do you send money to or on behalf of others on a regular basis?

Do you transfer money via wire on a regular basis?

Do you deal with large sums of money as part of normal transactions?

Do you deal regularly with overseas companies or suppliers?

How educated is your staff on potential social engineering and information gathering?

You should talk to your insurance agent and have them describe the types of insurance available, what each covers, and whether it is right for you. We decided to opt in for the coverage even though I think our exposure is limited. If you need to talk to an agent, we can put you in touch with a couple that we have already spoken to ourselves.


Kenny Rounds

Braver Technology Solutions, LLC