Cyber risk: Its personal

Property Casualty 360 - 07/09/15
By Martin Hartley

"Good morning, Leslie. In light of an investment that I’m finalizing, I need you to wire $150,000 from the cash reserves in our primary brokerage account to United Industries. The wire instructions are…”

Leslie, the personal assistant for a highly successful entrepreneur, didn’t find anything unusual about this request from her boss. At least, not until she received another one like it within a week of processing the wire.

“Leslie, we’ll need to move another $90k to United Industries. Please process accordingly using the same instructions.”

Although this e-mail, like the one prior, was sent from her boss’ personal e-mail account and included his customary signature and private details of his personal account, something seemed off. Leslie picked up the phone.

“I received your second request to wire additional funds to United Industries but wanted to check with you before processing it.” The 60 seconds that followed felt like a painful eternity for both parties on that call. The next call was to law enforcement to report a cybercrime.

Although this scenario is fiction, it could easily happen to any company on any day.
A cybercriminal exploited a relatively common vulnerability in Peter’s “secure” home network to access his world: files containing personal information ranging from Social Security numbers for his family members to medical and financial documents. After shadowing Peter’s e-mail to understand how and with whom he communicated, the cybercriminal had everything he needed to send those emails—and swiftly erase the entire thread during the process so Peter would never see it.

Reducing and transferring cyber risk has become a hot topic in our industry following high profile data breaches at Anthem, Home Depot, Sony Pictures and other firms. Perhaps because the premiums (and commissions) associated with firms like these are vastly greater than those of typical personal insurance clients, much of the energy and innovation around cyber has been part of the commercial insurance universe. As the world becomes increasingly connected and cyber threats grow in size and complexity, personal insurance professionals have a tremendous opportunity to help our clients protect their identities, financial assets, reputations, and more.

According to CNN Money, 47% of adults in the U.S. (110 million people) had personal information exposed by hackers in 2014 alone. In fact, 432 million accounts essentially were hacked and the number of fraudulent transactions and resulting loss of personal wealth is on the rise despite the important financial protection afforded by top credit-card providers and other financial institutions. As this story reminds us, knowing the security protocols of all third-parties with whom you share your personal information is a critical first step. Here are a few other things you and your clients can do to help prevent significant loss and the hassle of restoring an identity following an event.

1. Use strong, unique passwords for every site, account and device. The more complex the password is, the harder it is for hackers to crack, regardless of their technology.

• Create passwords that are longer than 12 characters and have a combination of letters (uppercase and lowercase), numbers, symbols and spaces.
• Avoid using actual words in passwords.
• Use a password manager service to help create strong and unique passwords and to securely keep track of them for you. Be sure the password manager you select uses multifactor authentication such as requiring a password and a USB key.
• Avoid password reset questions that anyone could answer by researching you or your family through paid or public services.
• Always protect your mobile devices with a password; adjust the settings on your devices so that they lock within a minute of being idle.

2. Use multifactor authentication. This refers to the use of multiple points of authentication from independent categories to verify a user’s identity. It typically combines “something you know” (most commonly your username and password) with “something you have” (your smartphone) or “something you are” (your fingerprint). When used together, these can greatly increase security because a hacker would need additional authentication requirements to access your account. Most top banks and investment houses now require or allow multifactor authentication.

Other important services, like e-mail, more now provide the same options. For example, Gmail will send users a text message with a one-time code as a log-in requirement to supplement the user name and password.

3. Further protect your laptop and other mobile devices.

• Use “Whole Disk Encryption” on your laptop. This technology locks down the information stored on your hard drive by converting it to unreadable code.
• Install a “Remote Wipe” tool. By installing or activating a commercially available option like “Find My iPhone” and “Lookout Mobile” today, if your mobile device is lost or stolen, you’ll have the ability to remotely wipe (erase) the device of all information.

4. Network smarter.

• Avoid public Wi-Fi networks. Hackers often target unsecure, public networks, like those in hotels, airports and cafés. Use a mobile hotspot that’s been properly configured with a firewall and WPA2 wireless encryption instead of a public or untrusted Wi-Fi. Most “Mi-Fis” (small devices offered by cellular carriers that create a personal Internet connection with a unique password) use WPA2. Many newer smartphones come equipped with “tethering” hotspots, too. If you must use a public Wi-Fi, deploy a virtual private network (VPN) encryption tool.
• Change the default settings on your home router. Routers often are installed with standard user names and passwords that can easily be found online—allowing hackers to access to your home network. Additionally, universal plug and play (UPnP) is another common way for attackers to exploit your network via your router. Change the default administrator password on your router to a unique, strong password of your own and consider disabling UPnP.

5. Play it safe online.

• Secure your social profile. The first step to securing your social profile is limiting the information that you share. For example, don’t post about the vacation you’re on, your home address or any other time-and-place identifying information. Update your settings to ensure that your profile information is accessible only to those in your network of friends or connections.
• Use caution when storing items in the cloud. Avoid storing medical information, financial data or personal identifiers in cloud-based services, like Dropbox, Google Drive and Box. Although these services might encrypt your files in transit, they’re not always encrypted at rest.

These are just a few important strategies to reduce cyber risk. There are numerous others, like insurance, obtaining an annual credit report, subscribing to an identity monitoring service, and so on.
As part of developing our new CyberSafe Solutions, PURE collaborated with Concentric Advisors, an elite personal security firm, to produce a white paper that provides a far more comprehensive look at cyber risks and ways to mitigate them.

Martin Hartley serves as the executive vice president and chief operating officer at PURE Group of Insurance Companies.