Hausmann Group January 10, 2019 7 min read

Hackers Aren’t Looking For You. That Doesn’t Matter.

I sometimes have to take a step back and remember that not everyone’s LinkedIn feed is filled with cyber insurance companies, digital forensics firms, information security systems providers, and the like. I see news reports on breaches, network extortion attacks, and computer fraud on a daily basis.

Not everyone keeps tabs on this, and that’s especially clear when I’m talking with a client who doesn’t fit the mold of a traditional breach victim (i.e., not a healthcare company like Anthem, a financial firm like Equifax, or a retailer like Target, the ones that make the headlines). I’m talking about companies like engineering firms, general contractors, and real estate management companies.

More often than not, I hear these clients say that because they don’t store large amounts of personal records or take credit cards, no one would want to target them. I understand their logic, but unfortunately, it just doesn’t hold up in the real world. Hackers don’t open up the Yellow Pages and move down the page targeting one company after another. Instead, they may use sophisticated tools to scan entire segments of the internet looking for known weaknesses on any internet-facing hardware/software, wherever they may be, and exploit them. Or they may purchase lists of thousands of email addresses on the dark web and automate a program to attempt to push malware into those inboxes. Many times they only discover who they’ve hacked after they’ve hacked them.

And the results can be devastating. Below are three examples of cyber security incidents that cost major money to firms that many people wouldn’t normally think would be targets of such an attack:

  • In May of 2017, a virulent strain of ransomware known as WannaCry swept the globe. An engineering firm was among those hit, and WannaCry encrypted all of the data files on their servers as well as all the data on their local backups. This included years’ worth of drawings, designs, blueprints, and more. When they went to their cloud backups, they discovered that the backups had repeatedly failed since 2014. This data was not recoverable, and the only option was to recreate it. Their staff had to put in thousands of hours to recreate the materials, and the company ended up paying more than $270,000 in data recreation costs (employee salaries × hours worked)*.

  • In April of 2018, an employee at a real estate law firm received a convincing email claiming to be from Microsoft. The email asked her to enter her login credentials in order to proceed, which she did. This email, though, was from a fraudster who then used those credentials to monitor email traffic and, when the time was right, manipulated email messages in order to trick the law firm into sending a transaction payment of $243,672 to a fake account under the fraudster’s control.

  • In July of 2018, an employee of a small electrical contractor received what they assumed was a legitimate email from an individual claiming to be job-hunting. The email even contained a copy of their resume. The employee opened the resume, and this immediately triggered a ransomware attack which encrypted all of the data on the contractor’s network (including data/programs used for taking customer calls, preparing work orders, invoicing, and financial statement preparation). After the $5,000 ransom was paid, and the decryption code handed over by the hacker, they began to unlock their systems and found there was a mountain of clean-up work to be done. All told, it took over 2,000 hours of work and over $80,000 in data re-entry and ransomware negotiation costs to make the company whole again.

It’s no wonder then that record numbers of businesses are writing cyber incident response plans, codifying cyber security procedures, and purchasing cyber insurance to handle these costs.

If you're ready to start examining your cyber security more purposefully, watch the webinar, “The Business Impact of Cyber Risk”, from The InfoSec Institute.

Also, check out our new video series “Knowledge on the Rocks”; in our first season, we explore the many ways that a cyber insurance policy will help you recover after you’ve been attacked.

*Many thanks to CFC Underwriting for providing the above claims payout examples.