Assess cyber risk scenarios before data thieves strike
DEERFIELD, Ill. — Some of the latest tricks data thieves are using involve employees, but risk managers can mitigate these risks and other cyber threats by being aware of the scenarios and assessing for them in advance, cyber experts say.
“The proliferation of the internet makes doing business more convenient, but it also makes it easier for criminal adversaries to find company data that is unprotected,” Andrew Innocenti, an FBI special agent based in Chicago, said Thursday during a cyber security presentation by the Chicago Chapter of the Risk & Insurance Management Society Inc. in Deerfield, Illinois.
Employees are often the company data's first line of defense. “The weakest link in security is the human one,” Mr. Innocenti said. Employees can unintentionally fall for one of the most recent hacking techniques, in which an attacker spoofs an email from the CEO asking an employee for personal or other confidential company data, which the attacker then steals, he said.
This often happens when the CEO is on a plane and unavailable to confirm the request. “This is not a coincidence, this is intentional that the CEO can't respond. It is a planned event,” Mr. Innocenti said. Signs to look for in the fake email are that it is written in poor English or sent at a strange time such as the middle of the night.
However, some instances of data theft caused by an employee are intentional. “Insider threats are the most difficult to protect from, and they are never going away,” Mr. Innocenti said.
Company data theft is most often committed by engineers and researchers, followed by executives and software programmers, said Jennifer L. French, a Chicago-based FBI special agent. The most frequent vehicles used are USB devices and email, she added.
Another data theft threat that employers should be prepared for is when an employee leaves a position. When someone moves from one position to another, an employer should ensure the worker only has access to the files that they need for their new position, Mr. Innocenti said. And when they are terminated, all access needs to be taken away. “We've seen employees that are terminated go home and log into their system and wreak havoc to a company's data,” he said.
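The two controls described above, trimming access when an employee changes roles and removing it entirely on termination, are easiest to enforce when the identity system is reconciled against the HR roster on a schedule. The following is an added example, not code from the article or from any speaker quoted in it. The role names, entitlement sets, roster and grant data are all constructed for illustration; a real run would pull the roster from HR and the grants from the directory or IAM system.

```python
from datetime import date

# Constructed sample data (not from the article): which entitlements each role needs.
ROLE_ENTITLEMENTS = {
    "engineer": {"git", "build-server", "jira"},
    "finance": {"erp", "payroll", "jira"},
    "executive": {"erp", "board-share", "jira"},
}

# Constructed HR roster snapshot: current role and termination date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "finance", "terminated": None},
    "bob": {"role": "engineer", "terminated": None},            # moved here from finance
    "carol": {"role": "engineer", "terminated": date(2024, 5, 1)},
}

# Constructed view of what the identity system actually grants today.
CURRENT_GRANTS = {
    "alice": {"erp", "payroll", "jira"},
    "bob": {"git", "build-server", "jira", "payroll"},       # payroll left over from old role
    "carol": {"git", "jira"},                                 # account never disabled
    "dave": {"erp"},                                          # no HR record at all
}


def reconcile_access(roster, grants, entitlements, today):
    """Compare live grants against the HR roster and role model.

    Returns a list of (user, finding, entitlements) tuples, sorted by user, where
    finding is one of:
      "terminated" - user left on or before `today` but still holds grants
      "orphan"     - account exists in the identity system but not in HR
      "excess"     - active user holds entitlements outside their current role
    """
    findings = []
    for user, granted in grants.items():
        record = roster.get(user)
        if record is None:
            findings.append((user, "orphan", frozenset(granted)))
            continue
        left = record["terminated"]
        if left is not None and left <= today:
            findings.append((user, "terminated", frozenset(granted)))
            continue
        allowed = entitlements.get(record["role"], set())
        excess = set(granted) - allowed
        if excess:
            findings.append((user, "excess", frozenset(excess)))
    return sorted(findings)


def revocation_plan(findings):
    """Turn findings into concrete actions: accounts to disable outright and
    individual entitlements to strip from active users."""
    disable = []
    revoke = []
    for user, finding, ents in findings:
        if finding in ("terminated", "orphan"):
            disable.append(user)          # whole account goes, not just the grants
        else:
            for ent in sorted(ents):
                revoke.append((user, ent))
    return {"disable": sorted(disable), "revoke": sorted(revoke)}


if __name__ == "__main__":
    found = reconcile_access(HR_ROSTER, CURRENT_GRANTS, ROLE_ENTITLEMENTS, date(2024, 6, 1))
    for user, finding, ents in found:
        print(f"{user:6} {finding:10} {sorted(ents)}")
    print(revocation_plan(found))
```

Running this daily, and treating any "terminated" or "orphan" finding as an incident rather than a housekeeping item, is what closes the window in which a departed employee can still log in from home.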
Once these types of data theft scenarios and other potential cyber attack risks are identified, risk managers can plan for them and prepare for an event to occur.
The first thing to identify is what it will take to get the company up and running again after one of these scenarios, said Ryan P. Griffin, Chicago-based vice president of cyber and errors and omissions practice with JLT Specialty Insurance Services Inc. “Understand your risk appetite,” he said.
The security, advisory and insurance teams often operate in silos. This makes managing cyber risk difficult, said Mr. Griffin, who recommends these teams meet in a room and frame a discussion of the various scenarios that could happen.
CEOs are the true risk owners, Mr. Griffin said, and they should be brought together with the insurers. “Invite them out to take a peek under the hood and show them all the threats the company faces.”
“The days of giving IT a questionnaire to fill out to find out what your risks are — those days are over,” he said.