Cybersecurity During the Pandemic
October 21, 2020 | Webinar
With unprecedented numbers of employees working remotely due to COVID-19, cybersecurity continues to be a critical business concern. To mark National Cybersecurity Awareness Month, Ken Morrison, Director of Cyber Risk Control at Travelers, joined the Wednesdays with Woodward® series to explore key findings of the 2020 Travelers Risk Index, explore the latest cybersecurity threats and help attendees safeguard their networks.
Watch the Replay
Text, Wednesdays with Woodward (registered trademark), A Webinar Series. Cybersecurity During the Pandemic. Logos, S.B.E. Council, Small Business & Entrepreneurship Council, Travelers Institute, Travelers. 2020-10-21. 12:59:42. Joan Woodward appears in a picture-in-picture in the upper right corner.
Good afternoon. And thank you for joining today's program. I'm Joan Woodward, and I'm honored to lead the Travelers Institute, the Public Policy Division and Educational Arm of Travelers. We're thrilled to continue with our Wednesdays with Woodward Webinar Series, which we launched this summer to examine issues impacting us all both in our professional and personal lives. So if you missed any of our past programs, please visit us at travelersinstitute.org for all the replays of our webinars.
You can also register for upcoming webinars there. And I would love to connect with you on LinkedIn. I post all of our invitations, and our replays will be posted to my LinkedIn page. So please do friend me there. Before we begin, I'd like to take a moment to draw your attention to the disclaimer on the screen.
Text, Disclaimer. This program is offered for your informational and educational purposes only. You should consult with your financial, legal, insurance or other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate. Slide changes back to original slide.
October is National Cybersecurity Awareness Month.
And this year, it's particularly important and relevant with so many organizations relying on their computer networks remotely and to continue it to operate in these environments. Today's program presented in partnership with the Small Business Entrepreneurship Council, we explore the latest cybersecurity threats and recommend actions businesses can take to safeguard their networks today.
Text, Top overall business risk concerns. A list of the concerns and their percentages in 2020 and 2019. Broad Economic Uncertainty. in 2020, 57% (a red up arrow), 2019, 43%. Cyber Risks, 56% and 55%. Medical Cost Inflation, 54% and 54%. Increasing Employee Benefit Cost, 52% and 53%. Recruiting/Retaining Talent, 47% and 46%. Legal Liability, 47% and 46%.
We will also reveal some of the key findings of the 2020 Travelers Risk Index. This is an annual survey that Travelers conducts nationally with more than 1,200 business leaders who represent businesses of all sizes and industries. Not surprisingly, the perception that the business environment is becoming riskier has increased meaningfully since 2019 as you can see in my chart. They are from 36% of survey participants up to 47%.
Given this global pandemic, broad economic uncertainty, this has jumped six spots to become the top overall business risk concern in 2020. Cybersecurity risk came in number 2 followed by medical cost inflation, increasing employee benefit cost, recruiting and retaining talent, and legal liability issues.
Headshots and titles of Joan Woodward and Ken Morrison
So today, Ken Morrison, Director of Cyber Risk Control at Travelers is joining me to help us understand the key findings and share what businesses can do to help to protect their networks and improve their cybersecurity protocols. In this role at Travelers, Ken provide subject matter expertise on cyber threats, cybersecurity, and emerging cyber technology to underwriting claims and other teams across Travelers.
Before joining us, Ken worked at the FBI serving as Information Systems Security Officer and a Computer Forensics Examiner. So before we start the program, a quick note, we'll take your questions at the end of the program, but don't wait to submit your questions, please do at any time using that Q&A function at the bottom of your screen. So just hover over the bottom of your screen. And if you don't want me to read your name, just do it, Send Anonymously.
So Ken, let's get underway and set the stage.
Text, Cyber Concern: Remote Working. The percentage of businesses with at least 40$ of employees working remotely has more than doubled. Source: 2020 Travelers Risk Index. A graphic of a laptop with four people in boxes.
In 2020, companies of all sizes and sectors have had unprecedented numbers of employees working from home. Help us understand the unique cybersecurity challenges this pandemic has presented all of us.
Well, Joan, well, first thank you so much for having me today. I'm really pleased to be talking to everybody but--so as we know, business is being conducted now over our home networks which are probably not as secure as our office networks. Our homes are our offices now. And for many companies, this is something brand new. So almost overnight, their entire workforce has gone home. And securing and managing that remote workforce poses several challenges among which are information and cybersecurity.
So for example, they might not have everything they need to ensure that their employees can work from home securely. Things like, do they have the technology--enough secure network infrastructure to not only handle the increased load of remote connections, but to also keep those connections and data protected. Do they have the processes in place like incident response plans if there are problems? And have the employees been trained on security and privacy specifically in the "work from home" context?
Text, Business concerns about cyber risk are increasing. A bar chart with text, Percentage of survey respondents who say their company has been a victim of a data breach or cyber event. Bars increase in height from 10% in 2015 to 22% in 2020. Source: 2020 Travelers Risk Index
OK. Yeah. I mean, we're certainly in unprecedented times here. Our business is more worried about cybersecurity this year than in the past that you've seen.
Yes. In fact, the most recent index shows that concern about cyber risks and data breaches is at the highest level in five years. And this is telling, especially with all the economic and financial concerns around the pandemic, nearly one in four of our respondents said that their company has been a victim of a cyber event which is the highest percentage since we began that survey in 2014.
Oh. Wow, so of all the cyber threats that are kind of out there that businesses are currently facing in this environment, which one or two are they most concerned about and how do you think about that?
Text, What businesses are most concerned about: Security breach, Hacker gaining access to financial systems, Employees putting information at risk, Becoming a cyber extorsion/ransomware victim, Theft or loss of customer or client records. Source: 2020 Travelers Risk Index
Well, security breaches and unauthorized access to financial accounts continue to be at the top of the list. There are many others that are just behind that. So like employees putting information and systems at risk through unsafe practices, becoming a victim of a cyber extortion or a ransomware attack, or the loss or theft of company, customer, or client records.
But remember, security breaches is somewhat of a general term for any event that results in an actual or potential risk to the confidentiality, integrity, or availability of informational systems that process that information. So confidentiality, integrity, and availability. That's known as the CIA triad where confidentiality is making sure that the information is not revealed to anyone or anything that should not have access to it. And integrity is what guards against improper or unauthorized modification.
Think of it as making sure the information is trusted and accurate. And finally, availability assures that the timely and reliable access too and the use of that information is present.
OK. So Ken, you're in the trenches every day with cyber threats and cyber security issues and you see a lot of data. So given this current business environment, what is the biggest emerging cyber issue that you see right now?
Well, we know that the changing nature of the workforce has had an influence on many businesses this year. And that's reflected in the results of the survey as well.
Emerging cyber concern. Suffering a cyber event, security breach or system glitch due to employees working remotely. Source: 2020 Travelers Risk Index
So as we just talked about, percentage of businesses with at least 40% of its workforce working outside the office has more than doubled during this pandemic. And that leads us to our biggest risk. Almost half of all businesses are now worried about suffering a cyber event--a breach or a system glitch due to employees working remotely.
But there are some best practices that can help reduce those risks. But first, what are the factors that increase cyber risk as a result of this new environment? Well, remote networks. They're probably not secure, and if they're not secure, they can allow attackers to eavesdrop on sensitive transmissions, they can impersonate users, gain unauthorized access, or even inject malware like ransomware.
You know, according to a report by a cybersecurity rating firm BitSight, "work from home" networks are more than three times more likely to be infected with malware than when they're on the corporate network. There's a lack of control over employee computers. As an employer, you may not know if security patches or antivirus software is being updated and if it's not a company-owned computer then who really knows.
There might be a reduced ability to detect if there are incidents, will companies even be aware of them? And if they are aware, can they respond? Can they contain a problem, can they fix the damage? And finally, family members, right. So they could walk up and view sensitive material on your computer, or they could try to use your company computer to just check Facebook, they could accidentally delete a file, end an online session, maybe accidentally modify information or even infect your computer with malware.
So best practice. OK, let's think of it from three perspectives--people, process, and technology. Starting with people, attackers we know, that they're already taking advantage of human weakness with several social engineering attacks that are geared around the pandemic. So we need to make sure our people are aware of this and are trained to recognize when they're being targeted. So avoid clicking on links or opening attachments in unsolicited or suspicious emails. But remember also, employees, your people are also your best early warning system. So train them to report suspicious incidents and emails. OK. Process. We want to make sure we update or develop business continuity, disaster recovery, and incident response plans for both remote and on-site work environments.
We want to have a way for employees to report incidents, ask questions, get technical help. If they're working from home, that might not be as easy as walking down the hall to their IT guys. So you might want to set up a dedicated email or Skype channel or have a telephone hotline available.
And privacy laws. So appropriate use and other compliance type requirements, particularly from a "work from home" context. So for example, if you store customer or employee names or account numbers or payment information on your home computer, you might at least be in violation of policy but you could also be in violation of contracts or even the law.
And finally, for technology. You want to ensure your network service and computers are patched, updated with the latest fixes. You want to make sure you can monitor as much as possible, enhance your monitoring perhaps, so you can get that early warning alerts of abnormal activity. For that remote connection, you want to keep it secure with virtual private networks, that's a VPN. And you want to make sure it's got multi-factor authentication or MFA.
So a VPN is a secure tunnel that connects your company and your computer at home together through what's called a secure tunnel. When you're on a VPN, you go through your company's secure network in order to get to the internet. You're not going directly to the internet straight from your computer. And multi-factor authentication, MFA. That's a second way to prove your identity using a different method than a password, like biometrics or a security token like from Google or Microsoft Authenticator or even a text to your mobile phone.
And then finally, consider upgrading from a traditional antivirus to what's called an endpoint detection and response, EDR solution. The latest EDR technologies are far greater than the antivirus capabilities in protecting attacks because they stop anomalous behavior and rather than just searching for malware that they already know about.
In fact, Travelers has partnered with SentinelOne, a leading provider of EDR solutions. So for a limited time, Travelers’ policyholders can take advantage of an offer of 60 days of free SentinelOne protection with a 25% discount if they decide to make that a strategic security investment.
Oh, OK. Great. That was a lot to unpack. But Ken, you know, last June, you joined us for our very first Wednesday Webinar and a return to work with cybersecurity giving people immediate help and understanding with all these employees being remote. And we discussed on that call, endpoint detection and response. So we just talked about this.
I mean, an interesting point then, and I hope you can speak to it again for our audience today regarding how organizations need to shift or really overhaul their cybersecurity philosophy given the current environment. So how should companies think about a shift in their philosophy here?
Absolutely. And thank you, yes. We talked about the good old days when the typical network security model was similar to a castle. If you were inside the wall or inside the perimeter you were safe, you were trusted. And if you were outside of the wall or the perimeter then you were neither safe or trusted. Castle perimeters were protected by thick high walls and a moat. Cyber perimeters were used-- traditionally protected by firewalls.
But these days with remote access to networks, with everybody working from home, and with cloud computing in general, the new reality is there really is no perimeter. So what do we do now? OK. I mentioned this last time and I'll say it again, the risk of showing my age, one of my favorite TV quotes was from one of my favorite shows about 20 years ago and that was, Trust No One. And if anybody knows what that is, go ahead and put it in the chat.
But trust no one, verify always. What this means is that before we allow anybody to connect to our network or access our data, it's critical that we absolutely verify who they are, we verify where they can go, what they can see and touch, and that the way they connect--their computer, their network connection is safe and secure. This is the new perimeter.
So we have to anticipate that, yes, someday, somebody maybe even today something bad is going to happen. Somebody's going to get into the network, and it could be one of your own people, one of your own insiders is going to cause a problem. So we have to be ready. We have to have a plan. Resilience is kind of the key. So being able to anticipate, withstand, recover from, and adapt to bad things that could or will happen to your system.
Downtime from a ransomware attack has tripled. A stack of boxes with a figure at a laptop on each. Three on the bottom row, two on the second row at the right, and one on top at the right. Source: Datta: Global State of Channel Ransomware Report
Now, I want to turn to another topic that people are really worried about, which is ransomware. So you mentioned earlier that businesses are concerned about becoming a victim of ransomware. And it's complicated. It sounds scary for anyone to be hit by this. And we've talked about it before, but can you share with the audience today your thoughts on the topic of ransomware right now and this pandemic?
Absolutely. Yes. And absolutely correct. So ransomware has been a threat that's really picked up over the past five years. Not a day goes by where you don't see in the news a story about the latest victim or the massive losses that they have incurred. And there's been a seemingly exponential increase in both the frequency of the ransomware attacks and the damage that they do cause. Even Travelers, from our claims perspective, we've seen a four-fold increased--a four-fold increase in ransomware claims from 2017 to 2019.
They started with Petya, and WannaCry, and NotPetya, and the newer versions are Ryuk, Conti, which is the next version of Ryuk and Maze. We're seeing some of those in their large-scale events. But ransomware happens on all levels and to companies from all sizes and in every industry. And the risk index shows that there's been an increase of the percentage who say that their business has already been a target of cyberware or ransomware.
And remember, the losses are not just the ransom, what is now commonly six-figure ransoms. We're seeing it growing even more, but the lost revenue restoration, costs of investigation, those are all significant as well even if the ransom is not paid.
OK. So despite all these concerns over cyber risks, we know from our survey--the Business Risk Index that fewer companies, especially smaller companies are taking steps to mitigate these threats. So why is that? Why do you think smaller companies are not paying attention to this right now?
Text, Fewer companies are taking steps to mitigate. Hacker intrusion detection software (48%), Cyber risk assessment (47%), Multifactor authentication for cloud service (47%), Contracted outside vendor for IT or Security (45%), Written business continuity plan (42%). A graphic circle with less than 50%.
Well, it's kind of a paradox. The index indicates that most businesses are confident that they are implementing the best practices to mitigate or prevent an event. However, when asked specifically about what they're trying to do, some very fundamental protections, the numbers don't support that.
And this is despite an increased concern over cyber risks. That less than half said, their organizations have implemented some very basic protections such as things like utilizing intrusion detection software to sound an alert if an attacker has gotten into the network or perhaps even preventing it from happening. Conducting a cyber risk assessment for your business or organization.
You know, you have to know what you have so you can protect it. And what are the risks and what are the threats to adequately and appropriately protect your business? Using multi-factor authentication for cloud services or for anything really, having that additional way to prove who you are to say you can break that attack chain right in its tracks with that in place.
Contracting with an outside vendor or an IT security services firm. Some companies, particularly the small and medium-sized companies, they simply don't have the resources to dedicate to IT and cybersecurity services. So getting some help is really important. And then finally, having a business continuity plan in the event of a cyber-attack. Having a well thought out and documented plan is critical, so you don't have to rely on your memory during a crisis.
OK. Well, you've certainly shared a lot with us today and we're going to get to some audience questions. So again, I want to remind all the folks on the phone and dialing in here, please submit your questions using the Q&A function, not the chat function. So Q&A and we'll take some questions in a minute here. But we hear all the time that businesses should have cyber insurance to protect them. First of all, what is a cyber policy, an insurance policy, and can you explain why this is so important that they protect themselves?
Text, The importance of protection. Still only 55% of businesses have purchased a cyber insurance policy. Graphic of a lock in a shield.
Sure. Well, again from the index, 55% of businesses have purchased the cyber policy and kind of understandably, this varies by size of the business. The small businesses, just over 25% have a policy. But it is really one of the best ways to help protect your business. But just to take a quick step back, before we talk about insurance, let's talk about risk and how most of us deal with it.
So remember, risk is the combination of the likelihood and then the potential impact of a loss event. So if you can reduce the likelihood and/or the potential impact or consequence of an event, you're certainly on the right track. And now that you know the risk, how do we deal with risk or how do we respond to it? Well, we can accept a risk. Sometimes we don't think it'll happen to us, but this head-in-the-sand approach, ignoring risk is never a good idea because nobody's immune.
It might cost too much to mitigate the risk. So let's just say we're a manufacturer, we have a lot of old unsupported computers like Windows 7, say the control machinery like Presses or CNCs or whatever. These are very expensive machines. And to upgrade to say, Windows 10, you would also have to replace that multimillion-dollar machine, we might decide to accept that risk for the time being, but with appropriate documentation, approvals, a strategy to upgrade, and of course, a lot of compensating controls in place.
We can avoid a risk. We could not offer e-commerce on our website. We could move that data center out of that hurricane zone into a safer geographic location. We can reduce or mitigate the risk by fortifying that data center--by patching those vulnerabilities or by implementing that EDR solution.
Or finally, we can transfer the risk either with a contract--with indemnification or with insurance. What might a typical insurance policy be, what might be the coverages be where there's liability or a third-party coverage. So if you're a sued or have to pay fines and penalties for say, failure to prevent unauthorized access to sensitive information, for example, there could be coverage for that.
There's first-party coverage where you directly suffer the loss such as lost income due to a system being down, or costs of investigations, breach notifications, or if you've lost money paying a fraudster or an extortion like a ransom. But obviously, we all want to help our clients to be resilient to incidents that could result in a loss of confidentiality, integrity, or availability before the incident happens, before a claim happens. And that's one reason for our SentinelOne partnership.
But cyber insurances and cyber insurers should have other services that can hopefully enhance the protection of the clients and prevent an incident and prevent the claim from happening. Travelers, we have eRisk Hub which is a partnership with NetDiligence. And this provides all kinds of resources to help businesses prepare for, prevent, and perhaps respond to an incident.
And then we have another partnership with Symantec Broadcom, which includes a free security coach hotline, training videos, and Symantec services discounts. But if an incident does occur or if there's a potential for an incident, a good claim team is invaluable to help the insurer get through the process and provide a steady and calming resource at a time when the insurer's very business survival may be on the line.
What they can do is they can help handle the initial claim reporting and set up 24-7 around the clock because claims happen whenever. Assembling a breach response team. And we now have some of the best breach coaches and forensics teams on call again, 24-7. We coordinate with all the stakeholders involved, guide the insured through the response process, explain what the coverages are, what their coverages are, and then review and process the expenses.
Wow. That's a lot. So there's a lot of resources. Sounds to me like there's a lot of resources available to those who connect with us. And there's a lot of risks out there. So before we get to the audience questions--and thank you all for submitting some questions here. What are the two or three actions you recommend folks take right now to improve their cyber protocols?
Text, Basic prevention practices. (With graphics): Conduct focused cyber security awareness training. Keep systems patched, Use multi-factor authentication
Sure. So as we've said, the first thing you have to do is you have to know what you have. So you have to know what you have to protect. So what are your crown jewels? What assets do you have that an attacker might be tempted to steal, or hold for ransom, or that could damage your business if divulged or no longer available or no longer trusted? Like, do you process credit cards? Do you have online services? Do you have trade secrets? Trademarks? Intellectual property?
And then learn how to protect those assets, appropriately protecting them. But in general, what everybody can do to start some basic cybersecurity concepts is first keep your systems patched. Install the patches, install the updates, install the upgrades as soon as you can. And multi-factor authentication, MFA. The real estate business is its location, location, location.
In cyber it's MFA, MFA, MFA. If you can provide that--for other way to identify yourself so an attacker can't get in, you've really helped save yourself and secured yourself. And finally, train your teams to be human firewalls. Report suspicious activities. Don't click on those dubious emails, attachments, or links. Be a champion for good cyber hygiene. And remember it starts at the top. And I've said this before in our last webinar, an investment in cybersecurity is like a town's investment in its fire department.
You want to make sure that you have the best equipped and best trained team that you can afford and hope that you never have to use.
OK. So that was just terrific Ken, and I'm going to get to lots of audience questions coming in. So let's just kick off right now, and please continue to use the Q&A function.
Both presenters in split screen.
But thank you for that great overview. So two questions coming in that are related here. What can I do to get low information, medium to high risk insurers to take this seriously? That was part one from Ross Lennon.
And the second one is coming in from Steve Pierce, which is any recommendations for getting the conversation started with our customers about the importance of a cyber policy. So again, it sounds like our agents might be struggling to convince the vulnerable businesses out there to take it seriously.
Absolutely. And I guess before we can start thinking about how to push the cyber insurance, we have to make sure that they're serious about cybersecurity. But we don't want to be a promoter of what we call FUD, fear, uncertainty, and doubt. So we don't want to be a FUD person. But we were just want to ask, how long can you survive without your IT systems that support your company's crown jewels?
Maybe set up an exercise. Get some key users, key managers, business managers, or IT managers. Get them all together and walk through a scenario in which something takes out an office or an IT system. And it doesn't have to be a ransomware attack. Well, that's a great example because that's so common, but it could be a hurricane, a tornado, a wildfire out West, an error configuring a database or a pandemic, right?
All these are different kinds of events that can have an impact, can result in a cyber-related loss. Walk through it and be honest about the impacts. Don't hide your head in the sand. Understand that yes, things can happen to even. And when you identify the risks, identify how to manage those risks, transfer the risk with insurance could be one of the options worth serious consideration. And then that's when you give us a call.
OK. So it sounds like the process of just getting your clients to take a look at their cyber hygiene, if you will, or take a look at themselves in the mirror and decide where their vulnerabilities are. That's the first step. And the insurance policy is a cherry on the cake, right.
OK. So next question coming in from Glenn Davis, special considerations for cyber coverage for state and local government entities and the underwriting process, the questionnaires that go behind that, what about state and local entities?
State and local entities are interesting. I mean, every type of a business has its own unique characteristics that we need to consider from the underwriting perspective. But what's interesting about governments is they have so many different--the scope could be quite different. For example, do they have schools? Does a state or a local government--sometimes they are service providers. They provide internet services to their businesses and sometimes even to their constituents in their towns.
So that really expands the scope of what we're looking at. There's also obviously budget and resource restrictions. So we have to make sure that the solutions that are in place are cost-effective. And some other interesting things that I've seen with governments lately is that IoT devices, Internet of Things like traffic cams, parking meters, anything like that. They could all be included in what is being insured.
And then also interestingly enough, ICS, industrial control system. So do they have responsibility for water and sewage treatment facilities? Are there systems that manage valves and everything in that type of environment? Are those all going to come into play? So the scope is really different and interesting--I love working with municipalities. It's just an interesting group and always the thing is so interested and they want to do the right thing. So those are some of the considerations from a cyber perspective for a municipality.
Right. And I would imagine too in this environment where our kids are all kind of remote learning that those systems that are in place to teach our kids remotely are critically important and we wouldn't want to have a cyber incident that would shut them down for a while. So that's also another contributing factor, right. For--
--state and locals to--
Oh, absolutely. Yeah. Because, and you've heard, there have those horror stories about those Zoom meetings like ours getting hijacked with inappropriate things. So having the appropriate security around those. If such an incident does occur, there are several different liability potentials, I suppose that could result from that.
Yeah. OK. Next question coming in from, and by the way, if you've submitted your question when you're registered, we will make sure we get to that. So thank you for those that did. Nick Sullivan is asking us here, can you discuss contingent bodily injury and property damage from a cyber event? For example, in health care or in manufacturing.
Sure. So a lot of times this is what's referred to as silent cyber. So these aren't particularly things that you would associate with a cyber-attack. From a cyber insurance perspective, most individual policies that they vary in terms of coverage but generally, cyber policies really don't have affirmative coverage for bodily injury or property damage. So you have to be creative in how you identify what those are and the different other possible insurance that you have that might cover that.
OK. Great. Question from Michael Kelly, who is liable in social engineering claim? The hacked party, the sender of the money, the bank, who's liable there?
Well. This is an interesting question. And remember, claims are like snowflakes, right. Each one is unique because they have different sets of facts and circumstances. And then each one is evaluated based on those facts, the policy, and perhaps even the law. So for this one let's see, social engineering claim. The hacked party, the sender of the money.
So for example, in this case, are they thinking that the insured--did the insured party gets scammed and they sent money to a fraudster? Or did a customer of the insured party get scammed and maybe they paid a fraudster for service or product that got from the insured? So who's really out there? Or did our insurance bank get scammed and maybe money got sent to a fraudster that shouldn't have been sent?
So we're seeing a lot of different kinds of frauds. Business email compromise, it's huge. BEC is what we call it. Sometimes it's called wire transfer fraud or appropriately WTF. It's become such a problem that the FBI has actually instituted a task force specifically for this kind of fraud. In fact, if you get hit with a business email compromise and it's reported to the FBI's IC3.gov site, within 48 hours, there's a very good chance that they can recover much if not most of the money.
And that's IC3.gov which is the Internet Crime Complaint Center. But basically, if the insured suffered a loss either directly from sending money to a fraudulent account or a result of a third-party claim where they might get sued, cyber policies may provide the protection for that.
OK, great. Another question coming in now from Jeremy Dyson. Jeremy asked, does a cyber liability policy cover my employees working from home?
In fact, working from home, again, it depends. The specific policy might have to address those specific issues. But they can if it is included in the policy, absolutely.
OK. Another one coming in, do most cyber liability policies cover social engineering?
And again, [LAUGHS].
Speaking specific policies, right. It depends on the policy. It depends on the specifics of the actual claim. So while it may cover it in a policy for these certain circumstances, each claim is specific and unique. So you have to look at the specific occurrences and facts of that particular claim to see how the policy will respond.
OK. All right. Another question here. What is being done to deter the hackers? You hear about the breach, but you never hear about consequences or stronger legislation to go after the actual criminal aspect of this.
Absolutely. Well, there's a lot of factors at play here. So first of all is if they can even identify who the attacker or the bad guy is. So that's first. Second, where is the attacker? So if they're abroad and international then unless we've got an agreement with the country that they're in then there's not a whole lot that can be done. If we have agreements where they can be extradited to the US or charged there as a proxy for us, then we'll pursue those.
But if we don't know who it is, it's pretty hard to follow up. You might have seen the news, I think it was just in the past couple of weeks, there were some actors that reside in foreign countries that have been specifically indicted in absentia. It's a step in the right direction, but again, unless we can get treaties or extradition treaties with all those countries, it's a great gesture not a lot of teeth unless they happen to make the mistake of coming here, I suppose.
OK. So Anthony Carson asking us, do cloud services create new cybersecurity issues and threats?
Uh, yes. What's interesting about cloud is that--there's two perspectives both from the customer of the cloud services and the provider of the cloud services. And we insure both types of entities here. But while cloud computing has a lot of benefits, things like agility, or resiliency, economy, and yes, even security, you have to know what you're getting into when you migrate to the cloud. Just lifting up an on-prem infrastructure and plopping it into a cloud without making changes to adapt to the specifics of the cloud architecture just makes things worse instead of better.
And remember, improper configuration of a cloud storage--we saw that with a major financial institution about a year ago. That can ruin you. So important considerations, you have to know exactly who is responsible for what. Cloud computing is a shared responsibility model. Actually, which means the provider and the customer share various responsibilities when it comes to implementing, managing, and protecting different parts of the environment. And the responsibility depends on what kind of cloud service you have.
So most of the responsibility could be with the provider. But if you're using a service like Salesforce, which is a software as a service, a SaaS model, right. That's where the responsibility lies with the provider, but the data owner still has some responsibility in a Salesforce-type situation. The data owner-- the customer probably is still going to be responsible for the identity and access management.
So authenticating who can access the data, what they can access, how long they can access, and just make sure that the person is who they say they are. But the big thing is understand who's responsible for what and get it in writing.
OK. Of course. Always get it in writing.
OK. Elizabeth Morrison asks us, does Travelers provide security services specific to schools, especially with all the virtual learning due to the COVID pandemic? And you can see what's on our friends' minds here as our kids are trying to do this distance learning. So does Travelers provide the security services and cybersecurity specific for this?
Absolutely part of our portfolio includes schools and with some specific coverages that based on schools. But we also have the [inaudible] services that are available to everybody, particularly schools. You know, again, kind of we've mentioned before that schools, government agencies, they might not have all the resources available. So that's where we'd really like to help get ahead of problems working with our partners and working with us, working with me to do an assessment, to see what's available, what's possible solutions might be.
OK. I'm going to ask a Personal Lines question for you Ken. So I know you're not in Personal Lines but try it anyway. Kearney Lambert asked, does Travelers offer cybersecurity coverage for Personal Lines?
That is a great question and I don't know. I will get back to you on that one. I'll make a note and I'll get back.
Miss Lambert you can email me, and we will get back to you on that. We are not on the Personal Line side, but we'll get you an answer for sure. I know I have an answer there. OK. So I'm going to ask one more time for any audience member to submit your questions. We are being asked if we can share our PowerPoint presentation. So we will certainly email those people who have asked that question a follow up.
But I have another question here from Linda Commerford. For IR plan creation, what do you recommend for vetting vendors? It is essential to have vendors that are approved by your insurance carrier, yet you also want to be sure it is a company you trust to help during a potential crisis. So--
OK. Speak to vendors.
So absolutely. So right. So at Travelers, most cyber companies will have a panel, a bank of pre-approved incident response forensics, vendors, breach coaches, et cetera that we just press the button and off they go. If you've got one that you are comfortable with that provides a great service to you, you can give us a call and we can start looking at them to maybe get them on our list at least just for your purpose.
But in the event of a claim, it's in the midst of a claim situation, we can absolutely take a look at who you are using and see if they would be a suitable appropriate resource in that situation.
OK. Another question coming in from Carol Dates. Could you address open ports? What are they, and why are they a security factor because employees are working from home?
OK. Open ports. Near and dear to my heart. So an open port-- so hopefully, a company house-- whatever is connected to the internet has a protection called a firewall between it and the internet. The firewall is basically what allows different kinds of traffic through to get in and out to the internet. Open ports are referred to the different things that can happen. So for example, if you want to just browse the internet, that's a specific port--port 80.
If you want email, that's also a specific port--port 25 in this case. There are ports that are known to be problematic. One of those is called RDP--Remote Desktop Protocol which is port 3389. That's an old Microsoft protocol for help desks. So I help desk person working in an office around the other side of the country can get onto your computer, see what's wrong, and help you fix it. Well, bad guys have figured out that that's also a great way to infect your computer.
So that is one of the open ports that we want to make sure is not open on your firewall. So close 3389 to the internet. There's a couple of others that are similar to that have known vulnerabilities; attackers have been known to use those to execute ransomware specifically. But in general, there's a lot of ports that can be exploited and used by bad guys for various purposes.
OK. Well, we have exhausted all our questions here and so I just wanted to thank everyone and especially thank you Ken for your time today, your terrific advice. And for everyone on the phone, please go check out our Cyber Security Website at travelers.com for businesses. And we will get back to you on some of the questions that came in about the PowerPoint slides.
So I want to invite everyone on the call to our next couple of Wednesday Webinars coming up and tell you about them. Next week, we have Jake Wood who is the CEO and Founder of Team Rubicon. Team Rubicon, the founder just wrote a book and we will be passing those out--complimentary books about Leading Through our Crisis. And he also talks about Leading Through Chaos. And he was a Navy SEAL and in the military for many, many years and founded this new group.
And Team Rubicon is an organization that has just volunteers who are veterans and they work alongside people like us in the claim department coming into disaster zones around the world, and volunteering their time to help with disaster victims--cleanup and recovery. So he's a really fascinating person. I've learned a lot from him over the last five years about leadership and I think you probably can too.
And then the day after the election on November 4, we have Humana talking with us about Resilience in Times of Uncertainty. And we're very hopeful we will have a certainty around the election. But the day after, please join us to learn about Resilience in Times of Uncertainty in mental health, anxiety, and stress.
Text, Wednesdays with Woodward, A Webinar Series. Upcoming Webinars. Register at travelers institute dot org. October 28: Leading Through Crisis: A Conversation with Team Rubicon Co-Founder & CEO Jake Wood. November 4: Resilience in Times of Uncertainty with Wendy Wollner from Humana
So if you haven't already, please join me on LinkedIn. And if you follow me, you can get all these invitations and all of these seminars coming right to you through LinkedIn. And stay up to date with our replays on travelersinstitute.org. We have a number of sessions similar to this. We've had 10 sessions so far on important topics for business and your personal lives.
So please join us and look at those replays on our website travelersinstitute.org. So I really appreciate you joining us in our Wednesday Webinars. And email me if you have thoughts about topics that you want to see us take on. I think we'll be out this a little bit longer. We thought we'd end at the end of the year, but I think we'll be going into next year with our Wednesday Webinars.
So again, Ken Morrison, thank you so much for joining us. It was really, really informative and we'll stay on top of cyber for everyone out there. Take care, be safe my friends, wear your masks, and thanks again.
Watch webinar replays at travelers institute dot org. Life After Shelter in Place, Business Liability Issues During COVID-19, Emotional and Social Reintegration, PATH to Reopening Your Business, Return to Work with Cybersecurity, An Inside Look at IntelliDrive, Crafting Your Comeback, Employee Safety During COVID-19
Heightened Concerns About Cyber Threats
According to the Travelers Risk Index, 47% of respondents believe that the business environment is becoming riskier, with broad economic uncertainty topping the list of business concerns. Cybersecurity concerns follow in second place and have matched a five-year high. 22% of respondents reported that their company has been a victim of a cyber event – the highest in the history of the survey, which began in 2014.
Access to financial accounts and security breaches rank as the top cyber concerns. A security breach is any event that can compromise a business’s confidentiality, network integrity or ability to access information easily and reliably. Other top cyber risks include employees exposing information or networks through unsafe practices; client or customer records being lost or stolen; and ransomware attacks.
Morrison noted that the prevalence of ransomware has increased dramatically in the last five years. Ransomware is now more damaging and more frequent for all businesses – no matter their size or industry.
A Worrisome Trend: Fewer Companies Are Mitigating Cyber Threats
Despite an increase in both the prevalence of, and concern about, cyber risks, fewer companies are taking steps to mitigate cyber threats, according to the Travelers Risk Index. Less than half of respondents said that their organization has implemented basic prevention practices, including:
- Utilizing hacker intrusion detection software (48%)
- Conducting a cyber risk assessment for their business, organization or corporation (47%)
- Utilizing multi-factor authentication for cloud services (47%)
- Establishing contract services with an outside vendor for IT or security (45%)
- Writing a business continuity plan in the event of a cyber-attack (42%)
How to Respond to Cyber Risks
Confronted with ever-present cyber threats, a business can:
- Accept the risk: If the costs associated with mitigating, reducing or transferring cyber risks are too substantial, a business can decide that it is more cost-effective to accept the risk of a cyber-attack.
- Avoid the risk: A business can decide to avoid activities that increase its vulnerability to cyber-attacks. For example, a business can decide to suspend e-commerce on its website and instead move that data to a safer location.
- Reduce or mitigate the risk: A business can decide to fortify its data center by patching vulnerabilities or by implementing an endpoint detection and response (EDR) solution.
- Transfer the risk: A business can enter into a contract or purchase cyber insurance.
Protecting Your Business with Cyber Insurance
Just over half of Travelers Risk Index respondents have purchased a cyber insurance policy. Among small businesses specifically, only 27% have a cyber insurance policy. According to Morrison, “An investment in cybersecurity is like a town’s investment in its fire department; you want to make sure that you have the best-equipped and best-trained team that you can afford – but that you hope never to have to use.”
A cyber insurance policy can provide other services that enhance cyber protections. For example, Travelers has engaged NetDiligence to provide resources to help businesses prepare for, prevent and respond to cyber threats. In addition, Travelers works with Symantec to provide its cyber insureds with access to a security coach hotline, training videos and service discounts at no additional cost. Similar services may be available to you, depending on your provider. Overall, Morrison emphasized the value of a good claim team in the wake of a cyber incident.
Actionable Tips for Improving Cyber Protocols
According to Morrison, it is important for businesses to take stock of their assets. Identify the assets that an attacker is most likely to target or hold as ransom and focus on protecting those assets. In the workplace, business leaders must champion good cyber hygiene; institute protocols like multi-factor authentication; and encourage employees to become “human firewalls,” reporting suspicious activity, being mindful of their network usage and avoiding opening suspicious emails.
Presented by the Travelers Institute and the Small Business & Entrepreneurship Council.