When discussing cyber insurance, the most common exposures at a company are usually associated with targeted attacks by hackers, employees losing laptops, or vendor negligence that exposes personally identifiable data.
These simple errors can be expensive on the balance sheet because of the many costs a breach incurs afterwards. Some of these costs may be covered by today’s cyber insurance policies, such as:
- computer forensics investigation
- regulatory fines
- legal liability
What’s changed? Since trading in stolen sensitive data has become a multi-billion-dollar industry within organized crime, hackers are finding ways to access this data outside of the known technology channels.
Using Trust Against You
Social engineering is one of those avenues: it is easier to exploit an employee’s natural inclination to trust than to find a way past security software and gain unauthorized access. It is defined as the art of manipulating people into giving up confidential information. Techniques include phone elicitation (aka phishing), impersonation, and onsite engagements.
One Hacking Demo
DefCon is a popular annual conference among global hackers, and I had the privilege to attend this year. Social engineering was one of the most popular live hacker setups at the conference.
It was fascinating to see hackers in soundproof boxes calling Fortune 500 companies in real time. The calls were made to local offices under the false identity of each company’s internal audit group. Each hacker would build a trust relationship with employees on the phone and ask them questions to gather sensitive information about their network.
The level of success hackers had in gathering sensitive information was an eye-opener and proves why recent retail breaches in the news have been so successful. This information could potentially be used to attack the vulnerability identified, but the hackers in the demonstration stopped at that point since it would be illegal.
What They Take
These hackers like to call themselves artists and have a talent for self-effacing small talk that squeezes information out of any company location they call. Information successfully taken from a target company’s remote locations typically includes:
- type of network access at branch
- computer type and operating system
- type of antivirus and browser
- type of remote access
- employee pay cycle
Lastly, the hacker may direct the employee to enter an external web address, which may host a Trojan.
It Could Happen to Your Company
These situations can happen in your office, so it’s important to be aware of such attacks.
Companies that have been hacked have admitted that people in customer service can be a bit too helpful, and they now emphasize techniques for avoiding social engineering attacks in their employee awareness training.
As companies learn to better protect their business, cyber insurance coverage can help by providing a professional response team that mitigates the incident and reduces reputational harm.