It Came From Your Email

The digital landscape today is frightening, and it seems like bad news arrives every day. Fortunately, there are things you can do to prevent these attacks.

On September 7, 2017, the second largest national credit reporting agency, Equifax, informed the public that an astounding 143 million Americans may have had sensitive information compromised. This means that nearly half our country’s Social Security numbers, driver’s license numbers, personal medical histories, and bank accounts were potentially breached along with additional unauthorized access of personal information in the UK and Canada.1

According to the ongoing investigation, the hack took place from mid-May through July, and the criminals responsible had exploited a website vulnerability.2 This particular fact has drawn strong criticism from cyber-security professionals and consumers alike, especially considering that this is the agency’s third data breach in two years.3

As a result of this hack, Equifax has set up a dedicated “checker site” that allows consumers to verify whether their information has been stolen. Unfortunately, consumers have been reporting that the confirmation results are randomly generated. Inputting bogus names and Social Security numbers would prompt the same message from the system as your actual information.4 This was further complicated by the fact that verifying your status also bound the consumer to forced arbitration and a class action waiver, essentially forfeiting one’s right to sue. Fortunately for consumers, Equifax has since rescinded that particular language from the agreement.5

However, even prior to this faux pas, the fact that the agency requires consumers to input their personal information in order to ascertain if that very information had been compromised feels inappropriate, if not misguided. To make matters worse, Equifax was caught tweeting out links to a fake site created by Nick Sweeting, a software engineer, who wanted to bring attention to the agency’s existing website vulnerability, stating, “It’s in everyone’s interest to get Equifax to change [the company’s] site to a reputable domain. I can guarantee there are real malicious phishing version already out there.”6

This data breach isn’t the only major cyber crime to severely impact millions of lives this year. In late June, multiple companies across the world were under siege by a virus that effectively shut down computers and extorted money. In February, the Internal Revenue Service notified the public of a Form W-2 phishing scam that had been received by businesses and organizations across multiple industries, including school districts.7

The Identity Theft Resource Center and CyberScout reported 791 data breaches in the U.S. as of the end of June—a 29% increase from 2016—and revealed, “hacking, which includes phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017 […] Within the hacking category, phishing was involved in nearly half (47.7 percent) of these attacks.”8

As evidenced above, cyber crime has become increasingly prominent, and there is no sign of it stopping anytime soon. The CSD Pool understands the risks involved and for the past several years has taken steps to educate our members about ransomware9, the FTC’s Red Flags Rule10, large-scale cyber attacks12, and the dangers of employee negligence14. These articles include tips and preventive measures that we highly suggest your district review.

This year, we enhanced our Crime coverage to include the voluntary parting of funds through phishing. The Pool is also offering members another opportunity to win a free cyber risk assessment valued at $6,000.

Between our services, articles, and launching eRisk Hub—a website that provides our members with all of the resources they need in the event of a data breach—the Pool feels confident that it can stay on top of cyber crime issues.

However, we need our members to also stay informed about their own cyber security, from assessing your system vulnerabilities to training staff on online security practices. For your consideration, we have compiled the following list of cyber security tips:

  • Critical security updates are usually bundled into operating system patches. Sometimes people choose to opt out of upgrading because of the reconfiguration of some software they habitually use. We understand it can be frustrating opening up a program you regularly use and discovering that it looks completely different! However, that particular inconvenience doesn’t amount to much in comparison to the vulnerabilities you may be exposing your computer to if you don’t upgrade.
  • Many businesses have already set up a two-factor authentication process, and you may want to institute the same thing in your organization. With two-factor authentication, everyone’s access will require both a unique password as well as an additional piece of information such as a security question with the answer preset by you. Sometimes this extra step is all it takes to deter the would-be cyber perpetrator!
  • Encrypt your wireless network! Sometimes routers come with encryption turned off by default and it’s your job to ensure that it’s on. Also consider limiting access to your network. If your district wants to offer free Wi-Fi to visitors, it’s considered best practice to set up a second, public network for their use.
  • There is a lot of anti-phishing software out there for email clients and browsers, but nothing is 100% safe. Get into the habit of examining URLs and keeping an eye out for suspicious emails. Another good rule of thumb is never to use your personal email account at work.
  • When accessing financial information from a bank or when you’re making online payments, make sure the URL lists “https://” and there is a padlock symbol in the address bar.
  • Report all suspicious activity to your manager or IT department immediately, even if you’re unsure. The worst thing you can do is to try to handle it yourself and not tell anyone. Also notify your insurance carrier. As a Pool member, you have access to eRisk Hub, an exclusive member service that provides a personal data breach hotline and roadmap to recovery.

If you have any questions regarding phishing scams, cyber liability, or Pool coverage, please don’t hesitate to contact us at csdpool@mcgriff.com. Also, remember that we have numerous resources to help you prepare for, and respond to, these types of incidents. We’re always here to help!

Sources:
1. https://www.equifaxsecurity2017.com/
2. https://www.equifaxsecurity2017.com/frequently-asked-questions/
3. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
4. https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/
5. https://www.forbes.com/sites/dianahembree/2017/09/09/consumer-anger-over-equifaxs-ripoff-clause-in-offer-to-security-hack-victims-spurs-policy-change
6. http://money.cnn.com/2017/09/20/technology/business/equifax-fake-site-twitter-phishing/index.html
7. https://www.irs.gov/newsroom/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others
8. http://www.idtheftcenter.org/Press-Releases/2017-mid-year-data-breach-report-press-release
9. http://newsletter.csdpool.com/2016/03/the-rise-of-ransom-ware/
10. http://newsletter.csdpool.com/2017/04/reminder-about-red-flags-rule/
11. http://newsletter.csdpool.com/2017/04/war-games/
12. http://newsletter.csdpool.com/2008/04/number-of-phishing-attacks-increasing/
13. http://newsletter.csdpool.com/2015/07/are-you-your-own-worst-enemy/
14. http://newsletter.csdpool.com/2016/10/dont-worry-your-password-is-totally-strong-enough/
