The Gately Report: The Ins and Outs of Cyber Insurance Coverage, AiTM Phishing, Hackers Target Journalists
Organizations are struggling to protect operational technology and are getting breached as a result.
Channel Futures: Is it increasingly difficult to get cyber insurance?
LogicGate’s Jon Siegler: It’s becoming more complicated and it’s getting more scrutiny because the insurance companies are not making as much money off of it anymore. They’re being more selective about what companies they will insure. They’re reducing the product you get so they’re lowering the threshold at which they’ll pay out on those policies. Certain things are getting carved out of them. For example, there’s one insurer that … if you’re not updating your software properly as the organization that’s insured, they won’t cover that. So if you’re using an out-of-date patch — and we hear about that all the time where there’s an exploit and companies aren’t patching it in time — it’s actually not reimbursing for those types of things.
In addition, the cost is going up for organizations as well. Not every company can afford the coverage that they need these days. There’s also the volume of questions that are getting asked on applications is increasing. So the number of things that you need to attest to and comply with are ever growing. So definitely it’s getting more onerous to apply for and get approved for the limits that you might need. On the other side of things, we’re also seeing in contractual language between businesses they want to see more cyber insurance. So there are oftentimes whenever you’re doing contracts, there will be an insurance limit. You need to have $5 million in cyber insurance coverage. Well, that limit that they’re requiring you to have for being a partner to them and working with them is ever increasing as well. It’s like pressure on both sides. The insurance company doesn’t want to cover you for as high of an amount anymore. And your potential customers or partners are increasing the limit they desire of their vendors to have. So there’s … this two-sided situation that’s going on.
CF: Why are cyber insurance providers making less money?
JS: They’re paying out more because there are more cyberattacks. I mean, we see it in the news. There are more data breaches. As more companies go through digital transformation, there’s just more information out there. And regardless of things being more secure or less secure, there’s just more attack surface for information to be breached. And they’re paying out more for claims. And we see it in the news anecdotally of just the types of mega breaches that go on.
CF: Are there assumptions and misconceptions about cyber insurance? For instance, does cyber insurance provide full protection in the event of an attack?
JS: I think fundamentally it comes back on the individual company to secure their assets. And I think it’s important to know that cyber insurance is not a substitute for security best practices. Just because you’re potentially transferring risk to the insurer in that case, it’s up to you as the company to be applying those best practices. The insurance company might not cover it if you’re being negligent as an organization and you’re not putting in place the proper security measures to limit data breaches. I think it could give you a false sense of security … to say we don’t have to worry about it, we have cyber insurance. But the place to start for any organization is, are we doing the right things to secure our customers’ information and data, and our own data, and looking at it through that lens initially.
CF: What all will cyber insurance cover? Does it vary according to policy?
JS: There are caps on what they will cover. For example, maybe you only have a policy that covers up to $5 million. So if your breach resulted in $20 million of damage, you would be on the hook for the other $15 million. They’ll cover obviously legal fees related to the data breach and they’ll oftentimes cover the investigation because you need to bring in forensics to go and figure out exactly what happened, when did it happen, what did they take, why did it happen, the impact of everything and the scope of it. That type of data forensics they’ll cover. And then oftentimes they might cover things like the actual consumer impact, so if they need to do things like put in place credit monitoring for impacted individuals if there was financial information that leaked. Again, the cap or limit is important to keep in mind, because they won’t cover everything.
CF: What’s causing the acceleration in premium increases?
JS: Premiums are going up significantly. I think it’s recently a 92% year-over-year premium increase. The reason why is because their loss ratios are exceeding where they thought they’d be. So their loss ratio in 2021 was 73%, so it’s a 25% increase from 2019. So they’re just not making as much money from the premiums that they’re getting because they’re paying out more in claims.
CF: If a business is unable to get cyber insurance, what can they do to increase their chances later?
JS: I would recommend organizations follow best practices that are out there for cybersecurity aligned to a framework. So things like SOC 2 or ISO/IEC 27001, or PCI are great examples of what to follow. Obviously, like with any insurance, a track record of being in business for awhile without having any events is … what insurers would typically look for. I’d say primarily it’s the determination of what type of data you have in place, the volume of it, and what the risk might be to your organization if that were to be exposed.
CF: What sort of risk are businesses facing without cyber insurance?
JS: I think partially that determination on risk is about that business and what they do and what business they’re in. If you’re a technology company today, you probably won’t be working with other large companies if you don’t have cyber insurance, because it’s oftentimes a contractual requirement before they sign you up as a customer of theirs. If your business is in cloud-hosted software, SaaS, if you don’t have cyber insurance, you’re not going to be able to sign up new customers typically.
For non-tech companies that aren’t dealing with a whole lot of data they’re storing, that is more of a judgment of risk, what’s your risk tolerance, because the impact of the data breach might not be as large. Let’s say you’re mowing lawns and you have a client list of 1,000 people, and you’re not storing any other information other than their names and email addresses. Your risk is much lower than an organization that’s storing health records, like patient health records. So part of it is a determination on what type of information you’re storing.
In other cybersecurity news …
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA), according to Microsoft. The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
Based on Microsoft’s threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since last September.
In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate). Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA. Since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses.
Erich Kron is KnowBe4’s security awareness advocate.
“Attacks like this are becoming more common as organizations and individuals enable MFA on accounts in order to better secure them,” he said. “While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie, and because the session cookie shows that MFA was already used to login, the attackers can often circumvent the need for MFA when they log in to the account again later using the stolen password.”
Once an email account has been compromised, it’s easy for attackers to find ways to use the access against the victim, Kron said. From using that account to propagate scams against friends and family that have communicated to the victim through email, to using the account to reset passwords on other accounts, a lot of malicious things can be done with the access.
“To protect against the phishing emails that trick the victims into clicking on a link, organizations should train employees how to identify and report phishing, and should test them regularly with simulated phishing attacks that allow them to practice these skills,” he said. “In addition, educating users on how to identify fake login pages will greatly reduce the risk of giving up the credentials and session cookie.”
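The session-cookie replay described above leaves a trace on the service side that defenders can check for. The Python sketch below is an added example, not code from Microsoft or the original article; the event fields, the sample log lines and the two heuristics (MFA sign-in from a network never seen for the user, and a session later presented from a different network and user agent than it was issued to) are constructed assumptions.

```python
from ipaddress import ip_network

# Constructed sample events (not real telemetry); field layout is an assumption:
# (timestamp, user, session_id, event, source_ip, user_agent)
EVENTS = [
    # alice: ordinary sign-in and mailbox use from her usual office network
    ("2022-07-12T08:00:00", "alice", "s-100", "signin_mfa", "192.0.2.10", "Edge/103"),
    ("2022-07-12T08:05:00", "alice", "s-100", "mailbox_access", "192.0.2.10", "Edge/103"),
    # bob: MFA sign-in arrives via a proxy, then the cookie is reused elsewhere
    ("2022-07-12T09:00:00", "bob", "s-200", "signin_mfa", "203.0.113.50", "Chrome/103"),
    ("2022-07-12T09:20:00", "bob", "s-200", "mailbox_access", "198.51.100.7", "python-requests/2.28"),
    ("2022-07-12T09:21:00", "bob", "s-200", "mailbox_access", "198.51.100.7", "python-requests/2.28"),
    # carol: same browser roams to another network (benign, must not be flagged)
    ("2022-07-12T10:00:00", "carol", "s-300", "signin_mfa", "192.0.2.77", "Firefox/102"),
    ("2022-07-12T12:00:00", "carol", "s-300", "mailbox_access", "198.51.100.200", "Firefox/102"),
]

# Networks each user has signed in from before (constructed baseline).
KNOWN_NETWORKS = {
    "alice": {"192.0.2.0/24"},
    "bob": {"192.0.2.0/24"},
    "carol": {"192.0.2.0/24"},
}


def net24(ip):
    """Collapse an IPv4 address to its /24 so small address changes are ignored."""
    return str(ip_network(f"{ip}/24", strict=False))


def detect(events, known_networks):
    """Return unique (user, session, reason) findings in chronological order."""
    issued = {}      # session_id -> (network, user_agent) seen when MFA was satisfied
    findings = []

    def report(item):
        if item not in findings:   # repeated replays of one session are reported once
            findings.append(item)

    for ts, user, session, event, ip, ua in sorted(events):
        network = net24(ip)
        if event == "signin_mfa":
            issued[session] = (network, ua)
            # With a proxy in the middle, the service sees the proxy's address,
            # not the user's usual network.
            if network not in known_networks.get(user, set()):
                report((user, session, "signin_from_unfamiliar_network"))
        elif session in issued:
            issued_net, issued_ua = issued[session]
            # Require both network and user agent to change, so a laptop that
            # moves between networks with the same browser is not flagged.
            if network != issued_net and ua != issued_ua:
                report((user, session, "session_replayed_from_new_context"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS, KNOWN_NETWORKS):
        print(finding)
```

Both signals are heuristics: VPN exits, carrier NAT and browser updates will produce matches that need triage against other context before any session is revoked.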
New threat intelligence from Proofpoint’s cybersecurity researchers shows how various nation-state-backed hacking groups have been targeting journalists to conduct espionage, spread malware and infiltrate the media.
Global publications targeted include The Guardian and Fox News, along with a reconnaissance campaign on Washington, D.C., media days ahead of the Jan. 6th insurrection. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification.
Other Proofpoint findings include:
Advanced persistent threat (APT) groups aligned with China, North Korea, Iran and Turkey have been observed targeting journalists’ work emails and social media accounts to gain sensitive information and get further access into their organizations.
Various Iranian-aligned threat actors such as Charming Kitten (TA453) and Tortoiseshell (TA456) have also been observed posing as journalists from publications such as The Guardian, The Sun, Fox News and The Metro. The attacks targeted academics and foreign policy experts worldwide in an effort to gain access to sensitive information.
Chinese-aligned group TA412 was observed conducting reconnaissance just days before the Jan. 6th attack on the U.S. Capitol building. Proofpoint researchers observed a focus on Washington, D.C., and White House correspondents during this time. This same group also resumed targeting in early 2022 with focus on reporters covering U.S. and European engagement in the Russia-Ukraine war.
North Korea’s Lazarus Group (TA404) also targeted U.S. media organizations with job opportunity-themed phishing. This attack occurred after the organization published an article critical of North Korean leader Kim Jong Un, a well-known motivator for action by North Korea-aligned APT actors.
Threat actors aligned with the Turkish state have focused their efforts on gaining access to journalists’ social media accounts, with the likely aim of spreading pro-Erdogan propaganda and targeting further contacts.
Sherrod DeGrippo is vice president of threat research and detection at Proofpoint.
“Targeting journalists and media organizations is not novel,” she said. “These individuals and organizations suffer from many of the same threats as everyone else. The varied approaches by APT actors — using web beacons for reconnaissance, credential harvesting and sending malware to gain a foothold in a recipient’s network — means those operating in the media space need to stay vigilant. Assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target. Such as, if you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future. Being aware of the broad attack surface — all the varied online platforms used for sharing information and news — an APT actor can leverage is also key to preventing oneself from becoming a victim. And ultimately practicing caution and verifying the identity or source of an email can halt an APT attack in its nascent stage.”
The focus on media by APTs is unlikely to ever wane, DeGrippo said.
“Journalists and media organizations are well sought-after targets because of the unique access and information they can provide,” she said.
Bishop Fox, an offensive security provider, has obtained $75 million in Series B funding from Carrick Capital Partner, a growth-oriented investment firm. The strategic second round brings total funding to $100 million for the 17-year-old cybersecurity firm.
The funding will be used to grow the company’s team of offensive security experts and fuel expansion of its Cosmos platform. Increasing demand for the platform resulted in tripled annual recurring revenue (ARR) in 2021.
Bishop Fox delivers educational programs for offensive security training and advancement, and a mentoring program. Additionally, Bishop Fox’s offensive security solutions and attack surface management technology help organizations proactively improve their security posture.
Bill Carroll is Bishop Fox’s chief operating officer.
“Part of the capital will be used to further expand Bishop Fox’s partner program and roll out new elements for channel partners, including programmatic components and internal resources to support channel partners,” he said. “We see partners as a critical component of our growth strategy, both in North America and abroad as we enter new markets.”
The capital will be used to continue innovating the best technology and developing the best talent in the industry so that “we can better serve our customers and define the future of offensive security,” Carroll said.
“This will give both Bishop Fox and our partners a significant competitive advantage by continuing to deliver the pairing of industry-leading solutions and unmatched expertise to the market,” he said.
Organizations are struggling to protect operational technology (OT) and are getting breached as a result.
That’s according to Barracuda Networks’ State of Industrial Security in 2022 report. Commissioned by Barracuda, the research surveyed 800 senior IT managers, senior IT security managers, and project managers responsible for IIoT/OT in their organization.
Overall, the research shows that critical infrastructure is under attack, and despite agreement that IIoT and OT security is critical, businesses are facing some significant challenges as the geopolitical landscape becomes increasingly tense.
Security breaches have been shown to have impacts beyond monetary losses as well, resulting in significant downtime with long-lasting breach impact.
Among the findings:
Attacks are widespread as 94% of organizations surveyed acknowledged experiencing a security incident in the last 12 months.
Eighty-nine percent of respondents are very or fairly concerned about the impact that the current threat landscape and geopolitical situation will have on their organizations.
Breaches are impacting operations as 87% of organizations that experienced an incident were impacted for more than one day.
Tim Jefferson is Barracuda’s senior vice president of engineering for data, networks and application security.
“In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk,” he said. “Issues such as the lack of network segmentation and the number of organizations that aren’t requiring MFA leave networks open to attack and require immediate attention.”
Organizations across the board have acknowledged the importance of investing even further in IIoT and OT security, with 96% of business leaders saying their organization needs to increase their investment in industrial security. A full 72% of organizations said they have either already implemented or are in the process of implementing IIoT/OT security projects. But many are facing significant challenges when it comes to implementation, including basic cyber hygiene.
For organizations with completed IIoT and OT security projects, 75% have experienced no impact at all from a major incident.
Klaus Gheri is Barracuda’s vice president of network security.
“IIoT attacks go beyond the digital realm and can have real-world implications,” he said. “As attacks continue to rise across industries, taking a proactive security approach when it comes to industrial security is critical for businesses to avoid being the next victim of an attack.”
With cyberattacks increasing in frequency and severity, demand for cyber insurance coverage is skyrocketing with businesses hoping to minimize losses from attacks.
According to Fitch Ratings, cyber insurance is the fastest-growing product segment in the U.S. property/casualty (P/C) insurance market, driven by a sharp increase in cyber incidents, particularly ransomware, that led to higher claim counts and loss severity over the past two years.
Cyber insurance generally covers a business’ liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver’s license numbers and health records. However, it can be a challenge to get coverage and premiums are rising.
In this week’s Gately Report, we cover all things cyber insurance with Jon Siegler, LogicGate’s co-founder and chief product officer. LogicGate helps ensure organizations have all of the security controls needed to obtain cyber insurance.
Cyber Insurance Coverage Not Just for Tech Companies
Channel Futures: Who needs cyber insurance coverage?
Jon Siegler: Well, I think just about every company these days is a technology company to some degree. And you’re storing sensitive information and oftentimes personally identifiable information, which particularly in the United States there’s now a myriad of laws on the books from different states that expose companies to risk whenever there is a data breach. Obviously the companies that it’s most important for are typically technology companies because you’re often dealing with a lot of information and a lot of data that you’re storing, particularly of the personal variety, as well as sensitive information.
Even if you don’t think of yourself as a technology company, you probably have personal information and sensitive customer information that you’re storing in one place or the other, even if it’s just through your email. Let’s say you email something to the wrong customer. That’s still technically a data breach and every company uses email today. So I think that puts it in perspective for a lot of companies.